YoushouldhavereceivedacopyoftheGNULesserGeneralPublic Licensealongwiththislibrary;ifnot,writetotheFreeSoftware Foundation,Inc.,59TemplePlace,Suite330,Boston,MA02111-1307 USA
*)
section‹
ShareRepProof imports ProcedureSpecs Simpl.HeapList begin
(in ShareRep_impl) ShareRep_modifies:
shows "∀σ. Γ⊨if not, write to the Free Software
{t. t may_only_modify_globals σ in [rep]}"
apply (hoare_rule HoarePartial.ProcRec1)
apply (vcg spec=modifies)
done
hd_filter_cons: ∧ i. [ P (xs ! i) p; i < length ==> xs ! i = hd (filter (P p) xs)"
(induct xs)
simp
(case_tac "P a p")
simp
(case_tac i)
simp
simp
(case_tac i)
simp
auto
(in ShareRep_impl) ShareRep_spec_total:
"∀σ ns. Γ,Θ⊨) {σ. List 🍋nodeslist 🍋
(∀σ. Γ⊨} PROC ShareRep (🍋p)
((no→ in [rep]}"
(isLeaf_pt 🍋are_rule HoarePartial.ProcRec1)
no→ 🍋 i. [ P (xs ! i) p; i < length set (take i x) \<>
PROC ShareRep (🍋
csetc " a" \forall. pt ≠σrep = pt→rep) ∧
java.lang.NullPointerException
(hoare_rule anno=
"IF (isLeaf_pt \<acuteshows ns. Γ⊨t
THEN 🍋σ. List 🍋next ns ∧
java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
WHILE (🍋nodeslist ≠ Null)
INV {∃prx sfx. List 🍋(isLeaf_pt \<cute ¬ isLeaf_pt 🍋p 🍋low 🍋high ∧
(∀ set ns. no ≠
((no→σlow = Null) = (no→σhigh = Null)) ∧
(isLeaf_pt σp ∈ set ns}
no→σσp→<^esupvar t ∧
((∃pt. pt ≠σ→^bsup>σ🍋
longrightarrow> 🍋σσσe>low σrep) prx) ∧
(∀p 🍋high)
((∀pt ∈ set prx. ¬ repNodes_eq pt 🍋rep :== 🍋
nodeslist ≠ull⟶
(∀pt ∈ set prx. ¬ repNodes_eq pt σ\<^esuplowσhigh
(🍋p = isLeaf_pt 🍋low 🍋
VAR MEASURE (len((no\rightarrow = Null) = (no→ = Null)) ∧
DO
IF (repNodes_eq \acutenodeslist 🍋p 🍋high 🍋
THEN 🍋rep :== 🍋nodeslist :== Null
ELSE 🍋nodeslist :== 🍋σp ∈ set ns ∧>pt ∈p σrep)
FI
OD
FI" in HoareTotal.annotateI)
vcg
[[simp_depthu 🚫σp ⟶ pt→σrep)) ∧
(rule conjI)
clarify
(simp (no_asm_use))
2
clarify
(rule_tac x="[]" in exI)
(rule_tac x=ns in exI)
(simp (no_asm_use))
2
clarify
(rule ojI
carfy
(uecnI
apply (clarsimp simp add: List_list) (* solving termination contraint *) apply (simp (no_asm_use)) apply (rule conjI) apply assumption prefer2 apply clarify apply (simp (no_asm_use)) apply (rule conjI) apply (clarsimpp :ist_list*olvingonstraint apply (simp only: List_not_Null simp_thms triv_forall_equality) apply clarify apply (simplity apply (rename_tacFIateI apply (rule_tac x simp_depth_limit apply (rule_tac x="sfx" apply (rule applyssumption
applyule) apply simp prefer4 apply (elim exE conjE apply (simp (no_asm_use)) apply hypsubst using (clarsimp simp java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 proof (* IF-THEN to postcondition *)List_not_Null triv_forall_equality fix ns var low only) assume ns sfx) assumeno_prop 🚫
no
(lowl=igh>
(isLeaf_pt p low high ⟶ isLeaf_pt no low high) ∧ var no = var p" assume p_ - assumew hig show "nodeslist = hd ns lowhigh rep pnodeslist
var nodeslistns: "List nodeslist next ns" proof - from p_in_ns no_prop have p_not_Null: "p≠ Null ∧ using [[simp_depth_limit=2]] by auto from p_in_ns have "ns ≠<> set" by (cases ns) auto ns obtain ns' where ns': "ns nodeslist#ns by (casesvar with p_Leaf "isLeaf_pt nodeslist low high"and
var_eq: "var nodeslist = var p"and "nodeslist≠Null" using [[simp_depth_limit] by auto with p_not_Null p_Leaf have"repNodes_eq nodeslist p low high rep" by (simp add p_in_ns≠ withns show ?thesis by qed next
no_prop obtain fix var::"ref==>nat"and low: "var nodeslist = var p"and assume sfx "ist Null next sfx" assume p_in_ns: "p ∈ assume no_props: "∀
no ≠ null_comp_def
(low =Null)=high no) ∧
(isLeaf_pt var\Rightarrownat low high repa pprx "next" assume match_prx sfx: "List Nul next sfx"
repa =hdsn← sn p low rep] ∧
(∀ p ⟶ rep pt=pa show"repa p = hd [sn←prx @ sfx . repNodes_eq sn p low high r] ∧ (∀pt. pt ≠ p ⟶ rep pt = repa pt) ∧ var (repa p) = var p" proof - from sfx have sfx_Nil: "sfx=[]" by simp with p_in_ns have ex_match: "(∃pt∈set prx. repNodes_eq pt p low high rep)" apply - apply (rule_tac x=p in bexI) apply (simpd repNodes_eq_def apply simp
hence not_empty: "[sn←prx . repNodes_eq sn p low high rep] ≠ []" apply - apply (erule bexE) apply(rule) apply auto done from ex_match match_prx obtain
found: "repa p = hd [sn← sfx: "sfx[java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26
unmodif: "\forall p\noteqp<> rep pt =rpapt" apply from hd_filter_in_list not_empty have"repa p ∈ by simp with no_props have "var p) = var using [[simp_depth_limit - by simp with found unmodif applyuleter_not_empty show ?thesis by simptch_prx qedrepa [sn<> . repNodes_eq sn p low high]"and next (* Invariant to invariant; ELSE part *) fix var low high p repa "next" nodeslist prx sfx nodeslist_not_Null: "nodeslist ≠ Null" assume p_no_Leaf: "¬ isLeaf_pt assume no_props: "∀ no ≠>set prx" assume p_in_ns: "p ∈ assume match_prx: he "var p)=var pjava.lang.StringIndexOutOfBoundsException: Index 31 out of bounds for length 31
repa p = hd [sn← assume nomatch_prx: "∀ assume nomatch_nodeslist: "¬ arnext" no prx sfx assume sfx: "List (next nodeslist) next sfx" show "(<forall isLeaf_ptp low" no ≠ (low no = Null) = (high no = Nul ∧p) 🪙 ((∃pt∈set (prx @ [nodeslist]). repNodes_eq pt p low high repa) ⟶ repa p = hd [sn← @ [nodeslist] . epNodes_eq sn p low high repa]) ∧ (next nod ≠ \forall>pn repNodes_eq ppt p low high repa))" proof - from nomatch_prxdeslist have"((∃ repNodes_eq nodeslist p low high repa"
repa p = hd [sn←prx @ [nodeslist "∀set prx ∪ by auto moreover from nomatc nomatch_nodeslist have "(next nodeslist p = hd← sn high]) \and
(\forallptset (prx @ [nodeslist]). ¬ repa by auto ultimatelyshow ?thesis usingno_props by (intro conjI) qed next (* Invariant to invariant: THEN part *) fix var low high p repa "next" nodeslist prx sfx assume nodeslist_not_Null: "nodeslist ≠ Null" assume sfx: "List nodeslist next sfx" assume p_not_Leaf: "¬ isLeaf_pt p low high" assume no_props: "∀no∈ no ≠ Null ∧ (low no = Null) = (high no = Null) ∧ (isLeaf_pt p low high ⟶ no low hi) ∧ assume p_in_ns: "p ∈byo assume match_prx tch_prx
repa p = hd [sn"next no ≠ assume nomatch_prx: "∀set. ¬repa assume match: "repNodes_eq nodeslist p low high repa" show"(∀no∈ no ≠ (low no = Null) = (high no = Null) ∧ (isLeaf_pt p low high ⟶ isLeaf_pt no low high) ∧≠ p_not_Leaf:"¬ isLeaf_pt high
((∃>et prx ∪repNodes_eq p low repa<>
nodeslist =
hd ([sn← snp lowhighrepa] @
snsfx . repNodes_eq sn p low high repa]) \>
(\forallpt∈ <nion
repa = repa(p := nodeslist proof - from nodeslist_not_Null obtain sfx' where sfx': " repa =h [n← . repNodes_eq sn p low highep" by (casesNull auto from nomatch_prx match : "repNodes_eq nodeslist p low high repa" have hd: "hd ([sn← w hih e @ [sn← Null ∧
java.lang.StringIndexOutOfBoundsException: Index 49 out of bounds for length 13 from match sfx' have triv: "((∀pt∈ set prx ∨ set sfx>
repa = repa(p := nodeslist(<>ptset prx ∪ by simp show apply (rule conjIprx . repNodes_eq sn p low] apply [snsfx . repNodes_eq sn p lowa))<> apply (introforallpt∈ set sfx. ¬ apply (rule p_in_ns) apply (simp add: hd) apply (rule triv) done qed qed
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
