definition"assume_Spec R = guarded_spec_body AssumeError R" definition exec_spec_monad:: "('s ==> exit_status c_exntype) ==> ((exit_status c_exntype ==> exit_status c_exntype) ==> 's ==> 's) ==> ('s ==> 't) ==> ('s ==> 'b) ==> ('b ==> (exit_status, 'a, 't) exn_monad) ==> (('a ==> 'a) ==> 's ==> 's) ==> ('s,'p,strictc_errortype) com"where "exec_spec_monad get_x upd_x st args f res ≡ Guard Fail {s. succeeds (f (args s)) (st s)} (Seq (assume_Spec {(s0, s1). ∃x t s. reaches (f (args s0)) (st s0) x t ∧ t = st s ∧ (case x of Exn e ==> s1 = upd_x (λ_. Nonlocal e) s | Result r ==> s1 = upd_x (λ_. Return) (res (λ_. r) s))}) (Cond {s. is_local (get_x s)} SKIP THROW))"
lemma terminates_Guard': assumes c: "s∈g ==> Γ⊨c↓(Normal s)" shows"Γ⊨Guard f g c↓(Normal s)" proof (cases "s ∈ g") case True from True c [OF True] show ?thesis by (rule terminates.Guard) next case False thenshow ?thesis by (rule terminates.GuardFault) qed
(* Our corres rule converting from the deeply-embedded SIMPL to a shallow embedding. *) definition
L1corres :: "bool ==> ('p ==> ('s, 'p, strictc_errortype) com option) ==> 's L1_monad ==> ('s, 'p, strictc_errortype) com ==> bool" where "L1corres check_term Γ ≡ λA C. ∀s. succeeds A s ⟶ ((∀t. Γ ⊨⟨C, Normal s⟩==> t ⟶ (case t of Normal s' ==> reaches A s (Result ()) s' | Abrupt s' ==> reaches A s (Exn ()) s' | Fault e ==> e ∈ {AssumeError, StackOverflow} | _ ==> False)) ∧ (check_term ⟶ Γ ⊨ C ↓ Normal s))"
definition
L1corres' :: "bool ==> ('p ==> ('s, 'p, strictc_errortype) com option) ==> ('s ==> bool) ==> 's L1_monad ==> ('s, 'p, strictc_errortype) com ==> bool" where "L1corres' check_term Γ P ≡ λA C. ∀s. (P s) ∧ succeeds A s ⟶ ((∀t. Γ ⊨⟨C, Normal s⟩==> t ⟶ (case t of Normal s' ==> reaches A s (Result ()) s' | Abrupt s' ==> reaches A s (Exn ()) s' | Fault e ==> e ∈ {AssumeError, StackOverflow} | _ ==> False)) ∧ (check_term ⟶ Γ ⊨ C ↓ Normal s))"
lemma L1corres_top [corres_top]: "L1corres ct P ⊤ C" by (auto simp add: L1corres_def)
lemma L1corres_le_trans[corres_le_trans]: "L1corres ct Γ A C ==> A ≤ A' ==> L1corres ct Γ A' C" apply (auto simp add: L1corres_def)
subgoal using le_succeedsD le_reachesD by (fastforce split: xstate.splits )
subgoal using le_succeedsD le_reachesD by (fastforce split: xstate.splits simp add: ) done
lemma L1corres_guard_DynCom: "[∧s. s ∈ g ==> L1corres ct Γ (B s) (B' s)]==> L1corres ct Γ (L1_seq (L1_guard (λs. s ∈ g)) (gets B 🍋 (λb. b))) (Guard f g (DynCom B'))" apply (clarsimp simp: L1corres_def L1_defs) apply (force elim!: exec_Normal_elim_cases
intro: terminates.intros
split: xstate.splits
simp add: succeeds_bind reaches_bind) done
lemma L1corres'_guard_DynCom_conseq: assumes conseq: "∧s. P s ==> g s ==> s ∈ g'" assumes corres: "∧s. P s ==> g s ==> L1corres' ct Γ (λs. P s ∧ g s) (B s) (B' s)" shows"L1corres' ct Γ P (L1_seq (L1_guard g) (gets B 🍋 (λb. b))) (Guard f g' (DynCom B'))" using conseq corres apply (clarsimp simp: L1corres'_def L1_defs) apply (force elim!: exec_Normal_elim_cases
intro: terminates.intros
split: xstate.splits
simp add: succeeds_bind reaches_bind)
done
lemma L1corres'_guard_DynCom: "[∧s. P s ==> s ∈ g ==> L1corres' ct Γ (λs. P s ∧ s ∈ g) (B s) (B' s)]==> L1corres' ct Γ P (L1_seq (L1_guard (λs. s ∈ g)) (gets B 🍋 (λb. b))) (Guard f g (DynCom B'))" apply (rule L1corres'_guard_DynCom_conseq [where B=B]) apply simp apply simp done
lemma L1corres'_DynCom: assumes corres_f: "∧s. P s ==> L1corres' ct Γ P (g s) (f s)" shows"L1corres' ct Γ P (gets g 🍋 (λb. b)) (DynCom f)" using corres_f apply (clarsimp simp: L1corres'_def L1_defs) apply (force elim!: exec_Normal_elim_cases
intro: terminates.intros
split: xstate.splits
simp add: succeeds_bind reaches_bind) done
lemma L1corres'_DynCom_fix_state: assumes corres_f: "∧s. P s ==> L1corres' ct Γ (λs'. P s' ∧ s' = s) (g s) (f s)" shows"L1corres' ct Γ P (gets g 🍋 (λb. b)) (DynCom f)" using corres_f apply (clarsimp simp: L1corres'_def L1_defs) apply (force elim!: exec_Normal_elim_cases
intro: terminates.intros
split: xstate.splits
simp add: succeeds_bind reaches_bind) done
lemma L1corres'_guard': "[ L1corres' ct Γ (λs. P s ∧ s ∈ g) B B' ]==> L1corres' ct Γ P (L1_seq (L1_guard (λs. s ∈ g)) B) (Guard f g B')" apply (clarsimp simp: L1corres'_def L1_defs) apply (erule_tac x=s in allE) apply (rule conjI) apply clarsimp apply (erule exec_Normal_elim_cases)
subgoal by (auto simp: succeeds_bind reaches_bind split: xstate.splits)
subgoal by (auto simp: succeeds_bind reaches_bind split: xstate.splits)
subgoal by (auto simp: succeeds_bind intro: terminates.intros) done
lemma L1corres'_guarded: "[ L1corres' ct Γ (λs. P s ∧ s ∈ g) B B' ]==> L1corres' ct Γ P (L1_guarded (λs. s ∈ g) B) (Guard f g B')" unfolding L1_guarded_def by (rule L1corres'_guard')
lemma L1corres'_Guard_maybe_guard: "L1corres' ct Γ P B (Guard f g B') ==> L1corres' ct Γ P B (maybe_guard f g B')" apply (simp add: L1corres'_def maybe_guard_def) by (meson exec.Guard iso_tuple_UNIV_I terminates_Normal_elim_cases(2))
lemma L1corres_Guard_maybe_guard: "L1corres ct Γ B (Guard f g B') ==> L1corres ct Γ B (maybe_guard f g B')" apply (simp add: L1corres_def maybe_guard_def) by (meson exec.Guard iso_tuple_UNIV_I terminates_Normal_elim_cases(2))
lemma L1corres'_guarded_DynCom_conseq: assumes conseq: "∧s. P s ==> g s ==> s ∈ g'" assumes corres_B: "∧s. P s ==> g s ==> L1corres' ct Γ (λs. P s ∧ g s) (B s) (B' s)" shows"L1corres' ct Γ P (L1_guarded g (gets B 🍋 (λb. b))) (maybe_guard f g' (DynCom B'))" apply (rule L1corres'_Guard_maybe_guard) unfolding L1_guarded_def L1_set_to_pred_def using corres_B by (simp add: L1corres'_guard_DynCom_conseq [OF conseq])
lemma L1corres'_guarded_DynCom: assumes corres_B: "∧s. P s ==> s ∈ g ==> L1corres' ct Γ (λs. P s ∧ s ∈ g) (B s) (B' s)" shows"L1corres' ct Γ P (L1_guarded (L1_set_to_pred g) (gets B 🍋 (λb. b))) (maybe_guard f g (DynCom B'))" apply (rule L1corres'_guarded_DynCom_conseq [where B=B]) apply simp using corres_B apply simp done
lemma L1corres'_conseq: assumes corres_Q: "L1corres' ct Γ Q B B'" assumes conseq: "∧s. P s ==> Q s" shows"L1corres' ct Γ P B B'" using conseq corres_Q by (auto simp add: L1corres'_def)
lemma L1corres_guarded_DynCom_conseq: assumes conseq: "∧s. g s ==> s ∈ g'" assumes corres_B: "∧s. g s ==> L1corres ct Γ (B s) (B' s)" shows"L1corres ct Γ (L1_guarded g (gets B 🍋 (λb. b))) (maybe_guard f g' (DynCom B'))" using corres_B unfolding L1corres_to_L1corres' thm L1corres'_guarded_DynCom apply - apply (rule L1corres'_guarded_DynCom_conseq [where B=B ]) using conseq apply simp apply (rule L1corres'_conseq [where Q = "⊤"]) apply (simp) apply simp done
lemma L1corres_guarded_DynCom: assumes corres_B: "∧s. s ∈ g ==> L1corres ct Γ (B s) (B' s)" shows"L1corres ct Γ (L1_guarded (L1_set_to_pred g) (gets B 🍋 (λb. b))) (maybe_guard f g (DynCom B'))" using corres_B unfolding L1corres_to_L1corres' apply - apply (rule L1corres'_guarded_DynCom [where B=B ]) apply (rule L1corres'_conseq [where Q = "⊤"]) apply simp apply simp done
lemma L1corres_guarded: assumes B: "L1corres ct Γ B B'" shows"L1corres ct Γ (L1_guarded g B) B'" using B by (auto simp add: L1corres_def L1_guarded_def L1_seq_def L1_guard_def
succeeds_bind reaches_bind split: xstate.splits)
lemma L1corres_guarded_DynCom_conseq1: assumes corres_B: "∧s. g s ==> L1corres ct Γ (B s) (Guard f {s'. s ∈ g'} (B' s))" shows"L1corres ct Γ (L1_guarded g (gets B 🍋 (λb. b))) (Guard f g' (DynCom B'))" using corres_B apply (simp add: L1corres_def L1_guarded_def L1_seq_def L1_guard_def) apply (auto simp add: succeeds_bind reaches_bind split: xstate.splits )
subgoal by (fastforce elim!: exec_Normal_elim_cases intro: exec.intros simp add: exec_Guard)
subgoal by (fastforce elim!: exec_Normal_elim_cases intro: exec.intros simp add: exec_Guard)
subgoal by (fastforce elim!: exec_Normal_elim_cases intro: exec.intros simp add: exec_Guard)
subgoal by (fastforce elim!: exec_Normal_elim_cases intro: exec.intros simp add: exec_Guard)
subgoal for s apply (cases "s ∈ g'") apply (fastforce elim!: terminates_Normal_elim_cases
elim: terminates.GuardFault intro: terminates.intros)+ done done
lemma L1corres_guarded_DynCom_conseq2: assumes corres_B: "∧s. g s ==> L1corres ct Γ (B s) (Guard f {s'. s ∈ g'} (B' s))" shows"L1corres ct Γ (L1_guarded g (gets B 🍋 (λb. b))) (maybe_guard f g' (DynCom B'))" apply (rule L1corres_Guard_maybe_guard) using corres_B by (rule L1corres_guarded_DynCom_conseq1)
(* Wrapper for calling un-translated functions. *) definition "L1_call_simpl check_term Gamma proc = do {s ← get_state; assert (check_term ⟶ Gamma ⊨ Call proc ↓ Normal s); xs ← select {t. Gamma ⊨⟨Call proc, Normal s⟩==> t}; case xs :: (_, strictc_errortype) xstate of Normal s ==> set_state s | Abrupt s ==> do {set_state s; throw () } | Fault ft ==> if ft ∈ {AssumeError, StackOverflow} then bot else fail | Stuck ==> fail }"
definition
refines_simpl :: "bool ==> ('p ==> ('s, 'p, strictc_errortype) com option) ==> ('s, 'p, strictc_errortype) com ==> (('e::default, 'a, 't) spec_monad) ==> 's ==> 't ==> (('s, strictc_errortype) xstate ==> (('e, 'a) exception_or_result * 't) ==> bool) ==> bool"where "refines_simpl ct Γ c m s t R ≡ succeeds m t ⟶ ((∀s'. Γ ⊨⟨c, Normal s⟩==> s' ⟶ (s' ∈ {Fault AssumeError, Fault StackOverflow} ∨ (∃r t'. reaches m t r t' ∧ R s' (r, t')))) ∧ (ct ⟶ Γ ⊨ c ↓ Normal s))"
lemma refines_simplI: assumes termi: "succeeds m t ==> ct ==> Γ ⊨ c ↓ Normal s" assumes sim: "∧s'. succeeds m t ==> Γ ⊨⟨c, Normal s⟩==> s' ==> s' ∉ {Fault AssumeError, Fault StackOverflow} ==>∃r t'. reaches m t r t' ∧ R s' (r, t')" shows"refines_simpl ct Γ c m s t R" using termi sim unfolding refines_simpl_def by blast
definition
rel_L1 :: "('s, strictc_errortype) xstate ==> ('e, 'a) xval × 's ==> bool"where "rel_L1 ≡ λs (r, t). (case s of Normal s' ==> (∃x. r = Result x) ∧ t = s' | Abrupt s' ==> (∃x. r = Exn x) ∧ t = s' | Fault e ==> False | Stuck ==> False)"
lemma rel_L1_unit: "rel_L1 = (λs (r, t). (case s of Normal s' ==> r = Result () ∧ t = s' | Abrupt s' ==> r = Exn () ∧ t = s' | Fault e ==> False | Stuck ==> False))" by (auto simp add: rel_L1_def split: xstate.splits)
lemma rel_L1_conv [simp]: "rel_L1 (Normal s) (r, t) = ((∃x. r = Result x) ∧ t = s)" "rel_L1 (Abrupt s) (r, t) = ((∃x. r = Exn x) ∧ t = s)" "rel_L1 (Fault e) x = False" "rel_L1 Stuck x = False" by (auto simp add: rel_L1_def)
lemma refines_simpl_rel_L1I: assumes termi: "succeeds m t ==> ct ==> Γ ⊨ c ↓ Normal s" assumes sim_Normal: "∧s'. succeeds m t ==> Γ ⊨⟨c, Normal s⟩==> Normal s' ==>∃r. reaches m t (Result r) s'" assumes sim_Abrupt: "∧s'. succeeds m t ==> Γ ⊨⟨c, Normal s⟩==> Abrupt s' ==>∃r. reaches m t (Exn r) s'" assumes sim_Fault: "∧e. succeeds m t ==> Γ ⊨⟨c, Normal s⟩==> Fault e ==> e ∈ {AssumeError, StackOverflow}" assumes sim_Stuck: "succeeds m t ==> Γ ⊨⟨c, Normal s⟩==> Stuck ==> False" shows"refines_simpl ct Γ c m s t rel_L1" apply (rule refines_simplI [OF termi], assumption, assumption) apply (simp add: rel_L1_def)
subgoal for s' using sim_Normal sim_Abrupt sim_Fault sim_Stuck apply (cases s') apply (fastforce split: prod.splits sum.splits)+ done done
lemma L1corres_refines_simpl: "L1corres ct Γ m c ==> refines_simpl ct Γ c m s s rel_L1" apply (clarsimp simp add: L1corres_def refines_simpl_def rel_L1_def split: xstate.splits prod.splits sum.splits) by (smt (verit) Inl_Inr_False xstate.distinct(1) xstate.inject(1) xstate.inject(2))
lemma refines_simpl_L1corres: assumes"∧s. refines_simpl ct Γ c m s s rel_L1" shows"L1corres ct Γ m c" using assms apply (force simp add: L1corres_def refines_simpl_def rel_L1_def split: xstate.splits prod.splits sum.splits) done
theorem L1corres_refines_simpl_conv: "L1corres ct Γ m c ⟷ (∀s. refines_simpl ct Γ c m s s rel_L1)" using L1corres_refines_simpl refines_simpl_L1corres by metis
lemma refines_simpl_DynCom: "refines_simpl ct Γ (c s) m s t R ==> refines_simpl ct Γ (DynCom c) m s t R" by (auto simp add: refines_simpl_def terminates.DynCom elim: exec_Normal_elim_cases(12))
lemma refines_simpl_StackOverflow: assumes c: "s ∈ g ==> refines_simpl ct Γ c m s t R" shows"refines_simpl ct Γ (Guard StackOverflow g c) m s t R" using c by (auto simp add: refines_simpl_def elim: exec_Normal_elim_cases intro: terminates.intros)
lemma refines_simpl_rel_L1_bind: fixes m1:: "('e, 'a, 's) exn_monad" fixes m2:: "'a ==> ('e, 'b, 's) exn_monad" assumes c1: "refines_simpl ct Γ c1 m1 s s rel_L1" assumes c2: "∧r s'. succeeds m1 s ==> Γ ⊨⟨c1, Normal s⟩==> Normal s' ==> reaches m1 s (Result r) s' ==> refines_simpl ct Γ c2 (m2 r) s' s' rel_L1" shows"refines_simpl ct Γ (c1;;c2) (m1 >>= m2) s s rel_L1" proof (rule refines_simpl_rel_L1I) assume nofail: "succeeds (m1 >>= m2) s" assume ct: "ct" from nofail have nofail_m1: "succeeds m1 s" by (simp add: succeeds_bind) with ct c1 have term_c1: "Γ⊨c1 ↓ Normal s" by (simp add: refines_simpl_def) then show"Γ⊨c1;;c2 ↓ Normal s" proof (rule terminates.intros, intro allI impI) fix s' assume exec_c1: "Γ⊨⟨c1,Normal s⟩==> s'" show"Γ⊨c2 ↓ s'" proof (cases s') case (Normal s1) with exec_c1 c1 nofail_m1 term_c1 ct obtain r where sim1: "reaches m1 s (Result r) s1" by (force simp add: rel_L1_def refines_simpl_def) from c2 [OF nofail_m1 exec_c1 [simplified Normal] this] have"refines_simpl ct Γ c2 (m2 r) s1 s1 rel_L1" . with ct Normal nofail sim1 show ?thesis by (simp add: refines_simpl_def reaches_bind succeeds_bind) qed simp_all qed next fix s' assume nofail: "succeeds (m1 >>= m2) s" from nofail have nofail_m1: "succeeds m1 s" by (simp add: succeeds_bind) assume exec: "Γ⊨⟨c1;;c2,Normal s⟩==> Normal s'" thenshow"∃r. reaches (m1 >>= m2) s (Result r) s'" proof (cases) case (1 s1) hence exec_c1: "Γ⊨⟨c1,Normal s⟩==> s1"and
exec_c2: "Γ⊨⟨c2, s1⟩==> Normal s'" . from exec_c2 obtain s1' where s1': "s1 = Normal s1'" by (meson Normal_resultE) from exec_c1 c1 nofail_m1 obtain r1 where sim1: "reaches m1 s (Result r1) s1'" by (metis (no_types, lifting) empty_iff insertE rel_L1_conv(1) s1' refines_simpl_def xstate.simps(7))
from c2 [OF nofail_m1 exec_c1[simplified s1'] sim1] have"refines_simpl ct Γ c2 (m2 r1) s1' s1' rel_L1" . with nofail exec_c2 obtain r2 where"reaches (m2 r1) s1' (Result r2) s'" by (smt (verit) empty_iff insertE rel_L1_conv(1) s1' sim1 refines_simpl_def succeeds_bind
reaches_bind xstate.simps(7)) with sim1 nofail show ?thesis by (fastforce simp add: reaches_bind succeeds_bind) qed next fix s' assume nofail: "succeeds (m1 >>= m2) s" from nofail have nofail_m1: "succeeds m1 s" by (simp add: succeeds_bind) assume exec: "Γ⊨⟨c1;;c2,Normal s⟩==> Abrupt s'" thenshow"∃r. reaches (m1 >>= m2) s (Exn r) s'" proof (cases) case (1 s1) hence exec_c1: "Γ⊨⟨c1,Normal s⟩==> s1"and
exec_c2: "Γ⊨⟨c2,s1⟩==> Abrupt s'" .
show ?thesis proof (cases s1) case (Normal s1') with exec_c1 c1 nofail_m1 obtain r1 where sim1: "reaches m1 s (Result r1) s1'" by (metis (no_types, lifting) empty_iff insertE rel_L1_conv(1) refines_simpl_def xstate.simps(7)) from c2 [OF nofail_m1 exec_c1[simplified Normal] sim1] have"refines_simpl ct Γ c2 (m2 r1) s1' s1' rel_L1" . with nofail exec_c2 sim1 obtain r2 where"reaches (m2 r1) s1' (Exn r2) s'" by (smt (verit) Normal empty_iff insertE rel_L1_conv(2) refines_simpl_def succeeds_bind xstate.simps(11)) with sim1 nofail show ?thesis by (fastforce simp add: reaches_bind succeeds_bind) next case (Abrupt s1') with exec_c1 c1 nofail_m1 obtain r1 where sim1: "reaches m1 s (Exn r1) s1'" by (metis (no_types, lifting) empty_iff insertE rel_L1_conv(2) refines_simpl_def xstate.distinct(7)) from Abrupt exec_c2 have"s' = s1'" by (meson Abrupt_end xstate.inject(2)) with nofail show ?thesis apply (clarsimp simp add: reaches_bind succeeds_bind Exn_def) using sim1 by fastforce next case (Fault x) with exec_c2 show ?thesis by (meson Fault_end xstate.distinct(7)) next case Stuck with exec_c2 show ?thesis using noStuck_startD' by blast qed qed next fix e assume nofail: "succeeds (m1 >>= m2) s" from nofail have nofail_m1: "succeeds m1 s" by (simp add: succeeds_bind) assume exec: "Γ⊨⟨c1;;c2,Normal s⟩==> Fault e" thenshow"e ∈ {AssumeError, StackOverflow}" proof (cases) case (1 s1) hence exec_c1: "Γ⊨⟨c1,Normal s⟩==> s1"and
exec_c2: "Γ⊨⟨c2,s1⟩==> Fault e" . show ?thesis proof (cases s1) case (Normal s1') with exec_c1 c1 nofail_m1 obtain r1 where sim1: "reaches m1 s (Result r1) s1'" by (metis (no_types, lifting) empty_iff insertE rel_L1_conv(1) refines_simpl_def xstate.simps(7)) from c2 [OF nofail_m1 exec_c1[simplified Normal] sim1] have"refines_simpl ct Γ c2 (m2 r1) s1' s1' rel_L1" .
with nofail exec_c2 sim1 show"e ∈ {AssumeError, StackOverflow}" by (metis (no_types, lifting) Normal insert_iff rel_L1_conv(3) refines_simpl_def singleton_iff
succeeds_bind xstate.inject(3)) next case (Abrupt s1') with exec_c2 show ?thesis by (metis Abrupt_end xstate.distinct(7)) next case (Fault x) with exec_c2 c1 exec_c1 show ?thesis by (metis exec_Normal_elim_cases(1) insert_iff nofail_m1 rel_L1_conv(3) refines_simpl_def singleton_iff xstate.inject(3)) next case Stuck with exec_c2 show ?thesis using noStuck_startD' by blast qed qed next assume nofail: "succeeds (m1 >>= m2) s" from nofail have nofail_m1: "succeeds m1 s" by (simp add: succeeds_bind) assume exec: "Γ⊨⟨c1;;c2,Normal s⟩==> Stuck" thenshow False proof (cases) case (1 s1) hence exec_c1: "Γ⊨⟨c1,Normal s⟩==> s1"and
exec_c2: "Γ⊨⟨c2,s1⟩==> Stuck" . show ?thesis proof (cases s1) case (Normal s1') with exec_c1 c1 nofail_m1 obtain r1 where sim1: "reaches m1 s (Result r1) s1'" by (metis (no_types, lifting) empty_iff insertE rel_L1_conv(1) refines_simpl_def xstate.simps(7)) from c2 [OF nofail_m1 exec_c1[simplified Normal] sim1] have"refines_simpl ct Γ c2 (m2 r1) s1' s1' rel_L1" . with nofail exec_c2 sim1 show False by (metis Normal insertE rel_L1_conv(4) refines_simpl_def singletonD succeeds_bind xstate.simps(15)) next case (Abrupt s1') with exec_c2 show ?thesis by (metis Abrupt_end xstate.distinct(10)) next case (Fault x) with exec_c2 show ?thesis by (metis Fault_end isFault_simps(4) not_isFault_iff) next case Stuck with exec_c2 c1 exec_c1 show ?thesis by (metis insert_iff nofail_m1 rel_L1_conv(4) refines_simpl_def singletonD xstate.simps(15)) qed qed qed
lemma refines_simpl_rel_L1_catch: assumes L: "refines_simpl ct Γ L' L s s rel_L1" assumes R: "∧s. refines_simpl ct Γ R' R s s rel_L1" shows"refines_simpl ct Γ (Catch L' R') (L1_catch L R) s s rel_L1" proof (rule refines_simpl_rel_L1I) assume nofault: "succeeds (L1_catch L R) s" assume ct: "ct" show"Γ⊨TRY L' CATCH R' END ↓ Normal s" proof (rule terminates.intros, safe) show"Γ⊨L' ↓ Normal s" using nofault ct L by (simp add: refines_simpl_def L1_catch_def rel_L1_def succeeds_catch) next fix s' assume" Γ⊨⟨L',Normal s⟩==> Abrupt s'" thenshow"Γ⊨R' ↓ Normal s'" using nofault ct L R by (fastforce simp add: refines_simpl_def L1_catch_def rel_L1_def succeeds_catch) qed next fix s' assume nofault: "succeeds (L1_catch L R) s" assume exec: "Γ⊨⟨TRY L' CATCH R' END,Normal s⟩==> Normal s'" thenshow"∃r. reaches (L1_catch L R) s (Result r) s'" proof (cases) case (1 s1) hence exec_L': "Γ⊨⟨L',Normal s⟩==> Abrupt s1"and
exec_R': "Γ⊨⟨R',Normal s1⟩==> Normal s'". from nofault L R exec_L' obtain
nofault_L: "succeeds L s"and
nofault_R: "succeeds R s1" by (smt (verit, best) L1_defs(5) case_xval_simps(1) insertE refines_simpl_def
rel_L1_conv(2) singletonD succeeds_catch xstate.simps(11)) from nofault_L exec_L' L obtain r1 where r1: "reaches L s (Exn r1) s1" by (metis (no_types, lifting) insertE rel_L1_conv(2) refines_simpl_def
singletonD xstate.distinct(7)) from r1 exec_R' R obtain r2 where"reaches R s1 (Result r2) s'" by (metis (no_types, lifting) insertE nofault_R rel_L1_conv(1)
refines_simpl_def singletonD xstate.simps(7)) with r1 nofault show ?thesis by (fastforce simp add: reaches_catch succeeds_catch L1_defs ) next case2 have exec_L': "Γ⊨⟨L',Normal s⟩==> Normal s'"by fact from nofault L R exec_L' obtain
nofault_L: "succeeds L s" by (simp add: L1_defs(5) succeeds_catch) with L exec_L' obtain r1 where"reaches L s (Result r1) s'" by (metis (no_types, lifting) insertE rel_L1_conv(1) refines_simpl_def singletonD xstate.distinct(3)) thenshow ?thesis using nofault by (fastforce simp add: L1_catch_def succeeds_catch reaches_catch) qed next fix s' assume nofault: "succeeds (L1_catch L R) s" assume exec: "Γ⊨⟨TRY L' CATCH R' END,Normal s⟩==> Abrupt s'" thenshow"∃r. reaches (L1_catch L R) s (Exn r) s'" proof (cases) case (1 s1) hence exec_L': "Γ⊨⟨L',Normal s⟩==> Abrupt s1"and
exec_R': "Γ⊨⟨R',Normal s1⟩==> Abrupt s'" . from nofault L R exec_L' obtain
nofault_L: "succeeds L s"and
nofault_R: "succeeds R s1" by (fastforce simp add: L1_catch_def refines_simpl_def reaches_catch succeeds_catch)
from nofault_L exec_L' L obtain r1 where r1: "reaches L s (Exn r1) s1" by (metis (no_types, lifting) insertE rel_L1_conv(2) refines_simpl_def
singletonD xstate.distinct(7)) from nofault_R r1 exec_R' R obtain r2 where"reaches R s1 (Exn r2) s'" by (metis (no_types, lifting) empty_iff insertE rel_L1_conv(2) refines_simpl_def xstate.distinct(7)) with r1 nofault show ?thesis by (fastforce simp add: L1_catch_def succeeds_catch reaches_catch) next case2 thenshow ?thesis by simp qed next fix e assume nofault: "succeeds (L1_catch L R) s" assume exec: "Γ⊨⟨TRY L' CATCH R' END,Normal s⟩==> Fault e" thenshow"e ∈ {AssumeError, StackOverflow}" proof (cases) case (1 s1) hence exec_L': "Γ⊨⟨L',Normal s⟩==> Abrupt s1"and
exec_R': "Γ⊨⟨R',Normal s1⟩==> Fault e" . from nofault L R exec_L' obtain
nofault_L: "succeeds L s"and
nofault_R: "succeeds R s1" by (fastforce simp add: L1_catch_def refines_simpl_def reaches_catch succeeds_catch) from nofault_L exec_L' L obtain r1 where r1: "reaches L s (Exn r1) s1" by (metis (no_types, lifting) insertE rel_L1_conv(2) refines_simpl_def
singletonD xstate.distinct(7)) from nofault_R r1 exec_R' R show ?thesis by (metis insert_iff rel_L1_conv(3) refines_simpl_def singletonD xstate.inject(3)) next case2 have exec_L': "Γ⊨⟨L',Normal s⟩==> Fault e"by fact from nofault L R exec_L' obtain
nofault_L: "succeeds L s" by (simp add: L1_defs(5) succeeds_catch) with L exec_L' show ?thesis by (metis insertCI insertE rel_L1_conv(3) refines_simpl_def singleton_iff xstate.inject(3)) qed next assume nofault: "succeeds (L1_catch L R) s" assume exec: "Γ⊨⟨TRY L' CATCH R' END,Normal s⟩==> Stuck" thenshow False proof (cases) case (1 s1) hence exec_L': "Γ⊨⟨L',Normal s⟩==> Abrupt s1"and
exec_R': "Γ⊨⟨R',Normal s1⟩==> Stuck" . from nofault L R exec_L' obtain
nofault_L: "succeeds L s"and
nofault_R: "succeeds R s1" by (fastforce simp add: L1_catch_def refines_simpl_def reaches_catch succeeds_catch)
from nofault_R exec_R' R show ?thesis by (metis empty_iff insertE rel_L1_conv(4) refines_simpl_def xstate.distinct(11)) next case2 have exec_L': "Γ⊨⟨L',Normal s⟩==> Stuck"by fact from nofault L R exec_L' obtain
nofault_L: "succeeds L s" by (simp add: L1_defs(5) succeeds_catch) with L exec_L' show ?thesis by (metis insertE rel_L1_conv(4) refines_simpl_def singletonD xstate.distinct(11)) qed qed
lemma refines_simpl_rel_L1_on_exit': fixes m:: "'s L1_monad" assumes m_c: "refines_simpl ct Γ c m s s rel_L1" shows"refines_simpl ct Γ (On_Exit c (Basic cleanup)) (on_exit m {(s,t). t = cleanup s}) s s rel_L1" unfolding on_exit_catch_conv apply (simp add: On_Exit_def) apply (rule refines_simpl_rel_L1_bind) apply (simp add: L1_catch_def [symmetric]) apply (rule refines_simpl_rel_L1_catch [OF m_c]) apply (rule refines_simpl_cleanup_throw [simplified]) apply (rule refines_simpl_cleanup [simplified]) done
lemma refines_simpl_rel_L1_on_exit: fixes m:: "'s L1_monad" assumes m_c: "refines_simpl ct Γ c m s s rel_L1" shows"refines_simpl ct Γ (On_Exit c (com.Spec cleanup)) (on_exit m cleanup) s s rel_L1" apply (simp add: on_exit_catch_conv On_Exit_def) apply (rule refines_simpl_rel_L1_bind) apply (simp add: L1_catch_def [symmetric]) apply (rule refines_simpl_rel_L1_catch [OF m_c]) apply (rule refines_simpl_spec_cleanup_throw [simplified]) apply (rule refines_simpl_spec_cleanup [simplified]) done
named_theorems L1corres_with_fresh_stack_ptr
context stack_heap_state begin lemma refines_simpl_rel_L1_with_fresh_stack_ptr: fixes m:: "'a::mem_type ptr ==> 's L1_monad" assumes c_m: "∧p s. refines_simpl ct Γ (c p) (m p) s s rel_L1" shows"refines_simpl ct Γ (With_Fresh_Stack_Ptr n I c) (with_fresh_stack_ptr n I m) s s rel_L1" apply (simp add: with_fresh_stack_ptr_def With_Fresh_Stack_Ptr_def) apply (rule refines_simpl_StackOverflow) apply (rule refines_simpl_DynCom) apply (rule refines_simpl_rel_L1_bind)
subgoal apply (rule refines_simpl_rel_L1I)
subgoal by (simp add: terminates.Spec)
subgoal for s' apply (erule exec_Normal_elim_cases)
subgoal for t by (auto simp add: succeeds_assume_result_and_state) by auto
subgoal for s' by (meson exec_Normal_elim_cases(7) xstate.distinct(9) xstate.simps(5))
subgoal for e by (meson exec_Normal_elim_cases(7) xstate.distinct(11) xstate.simps(7))
subgoal apply (erule exec_Normal_elim_cases) using Ex_list_of_length by auto blast done apply (rule refines_simpl_DynCom) apply (clarsimp) apply (simp add: stack_allocs_allocated_ptrs) apply (rule refines_simpl_rel_L1_on_exit[OF c_m]) done
lemma L1corres_with_fresh_stack_ptr[L1corres_with_fresh_stack_ptr]: fixes m:: "'a::mem_type ptr ==> 's L1_monad" assumes c_m: "∧p. L1corres ct Γ (m p) (c p)" shows"L1corres ct Γ (with_fresh_stack_ptr n I m) (With_Fresh_Stack_Ptr n I c)" apply (rule refines_simpl_L1corres) apply (rule refines_simpl_rel_L1_with_fresh_stack_ptr) apply (rule L1corres_refines_simpl) apply (rule c_m) done end
lemma L1corres_exec_spec_monad: assumes l: "lense get_x upd_x" shows"L1corres ct Γ (L1_exec_spec_monad upd_x st args f res) (exec_spec_monad get_x upd_x st args f res)" proof - from l interpret l: lense get_x upd_x . show ?thesis proof (clarsimp simp add: L1corres_def; safe) fix s t assume succeeds: "succeeds (L1_exec_spec_monad upd_x st args f res) s" assume exec: "Γ⊨⟨exec_spec_monad get_x upd_x st args f res,Normal s⟩==> t" show"case t of Normal x ==> reaches (L1_exec_spec_monad upd_x st args f res) s (Result ()) x | Abrupt x ==> reaches (L1_exec_spec_monad upd_x st args f res) s (Exn ()) x | Fault e ==> e ∈ {AssumeError, StackOverflow} | Stuck ==> False" proof - from succeeds exec show ?thesis apply (simp add: L1_exec_spec_monad_def exec_spec_monad_def) apply (erule exec_Normal_elim_cases)
subgoal apply (auto simp add: succeeds_bind succeeds_bind_handle) apply (erule exec_Normal_elim_cases) apply (simp add: assume_Spec_def guarded_spec_body_def) apply (erule exec_Normal_elim_cases)
subgoal for s' apply auto apply (erule exec_Normal_elim_cases)
subgoal for b x1 s1 t1 apply clarsimp
subgoal for x2 s2 apply (erule allE [where x="x2"]) apply (erule allE [where x="s2"]) apply (clarsimp simp add: reaches_exec_abstract) apply (fastforce split: xval_splits
simp add: default_option_def L1_exec_spec_monad_def reaches_bind
L1_modify_def L1_seq_def L1_throw_def
case_exception_or_result_iff succeeds_bind
reaches_exec_abstract reaches_bind_handle succeeds_bind succeeds_bind_handle
elim!: exec_Normal_elim_cases) done done
subgoal by clarsimp done
subgoal apply clarsimp apply (erule exec_Normal_elim_cases) apply (auto simp add: L1_exec_spec_monad_def reaches_bind ) done done
subgoal by (auto simp add: succeeds_bind succeeds_bind_handle) done qed next fix s assume succeeds: "succeeds (L1_exec_spec_monad upd_x st args f res) s" assume"ct" show"Γ⊨exec_spec_monad get_x upd_x st args f res ↓ Normal s" proof - from succeeds show ?thesis apply (auto simp add: L1_exec_spec_monad_def exec_spec_monad_def succeeds_bind_handle succeeds_bind reaches_exec_abstract) apply (rule terminates.intros)
subgoal by blast apply (rule terminates.intros)
subgoal apply (simp add: assume_Spec_def guarded_spec_body_def) apply (rule terminates_Guard') apply (rule terminates.intros) done
subgoal apply (clarsimp simp add: assume_Spec_def guarded_spec_body_def)
apply (erule exec_Normal_elim_cases)
subgoal apply (auto split: xval_splits) by (metis (lifting) Abrupt Fault Stuck terminates.CondFalse terminates.CondTrue
terminates.Throw terminates_Skip' terminates_elim_cases(1))
subgoal by (auto) done done qed qed qed
(* Unfolding rules to run prior to L1 translation. *)
named_theorems L1unfold (* L1 postprocessing rules, used by ExceptionRewrite and SimplConv. *)
named_theorems L1except
lemma signed_bounds_one_to_nat: "n <s 1 ==> 0 ≤s n ==> unat n = 0" by (metis signed.leD unat_1_0 unat_gt_0 unsigned_eq_0_iff word_msb_0 word_sle_msb_le)
lemma signed_bounds_to_nat_boundsF: "n <s numeral B ==> 0 ≤s n ==> unat n < numeral B" by (metis linorder_not_less of_nat_numeral signed.leD unat_less_helper word_msb_0 word_sle_msb_le)
lemma word_bounds_to_nat_boundsF: "(n::'a::len word) < numeral B ==> unat n < numeral B" by (simp add: unat_less_helper)
lemma word_bounds_one_to_nat: "(n::'a::len word) < 1 ==> unat n = 0" by (simp add: unat_less_helper)
*) thm monotone_def lemma monotone_guard': "(∧s. monotone R (≤) (λf. C f s)) ==> monotone R (≥) (λf. guard (C f))" apply (auto simp add: monotone_def guard_def assert_def) apply (rule mono_bind) apply (auto simp add: le_fun_def ) done
lemma monotone_guard'': "(monotone R (fun_ord (≤)) (λf s. C f s)) ==> monotone R (≥) (λf. guard (C f))" apply (auto simp add: monotone_def guard_def assert_def) apply (rule mono_bind) apply (auto simp add: le_fun_def fun_ord_def) done
lemma monotone_L1_guard': "(∧s. monotone R (≤) (λf. C f s)) ==> monotone R (≥) (λf. L1_guard (C f))" unfolding L1_guard_def by (rule monotone_guard')
lemma monotone_L1_guard'': "(monotone R (fun_ord (≤)) (λf s. C f s)) ==> monotone R (≥) (λf. L1_guard (C f))" unfolding L1_guard_def by (rule monotone_guard'')
lemma monotone_L1_guarded_ge' [partial_function_mono ]: (* FIXME *) assumes mono_X [partial_function_mono]: "(∧s. monotone R (≤) (λf. C f s))""monotone R (≥) X" shows"monotone R (≥) (λf. (L1_guarded (C f) (X f)))" unfolding L1_guarded_def apply (rule partial_function_mono monotone_L1_guard')+ done (* lemmamonotone_L1_guarded_ge''[partial_function_mono]: assumesmono_X[partial_function_mono]:"(monotoneR(fun_ord(\<le>))(\<lambda>fs.Cfs))""monotoneR(\<ge>)X" shows"monotoneR(\<ge>) (\<lambda>f.(L1_guarded(Cf)(Xf)))" unfoldingL1_guarded_def apply(rulepartial_function_monomonotone_L1_guard'')+ done
*) (* lemmamonotone_L1_guarded_ge[partial_function_mono]: assumesmono_X[partial_function_mono]:"monotoneR(\<le>)C""monotoneR(\<ge>)X" shows"monotoneR(\<ge>) (\<lambda>f.(L1_guarded(Cf)(Xf)))" unfoldingL1_guarded_def apply(rulepartial_function_monomonotone_L1_guard')+ done
*) lemma L1_guarded_mono [monad_mono_intros]: assumes [monad_mono_intros]:"f ≤ g"shows"L1_guarded c f ≤ L1_guarded c g" unfolding L1_defs L1_guarded_def by (intro monad_mono_intros le_funI order.refl)
lemma monotone_L1_while_le [partial_function_mono]: assumes mono_B: "monotone R (≤) (λf. B f)" shows"monotone R (≤) (λf. L1_while C (B f))" unfolding L1_defs apply (rule partial_function_mono) apply (rule mono_B) done
lemma monotone_L1_while_ge [partial_function_mono]: assumes mono_B: "monotone R (≥) (λf. B f)" shows"monotone R (≥) (λf. L1_while C (B f))" unfolding L1_defs apply (rule partial_function_mono) apply (rule mono_B) done
lemma L1_while_mono [monad_mono_intros]: assumes [monad_mono_intros]:"f ≤ g"shows"L1_while c f ≤ L1_while c g" unfolding L1_defs by (intro monad_mono_intros le_funI)
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
