SSL SmallStep.thy

Sprache: Isabelle

(*
 Author: Norbert Schirmer
 Maintainer: Norbert Schirmer, norbert.schirmer at web de

Copyright (C) 2006-2008 Norbert Schirmer
*)

section ‹

>turn(,s) 🚫

‹ Cateps:
teps: \Gamma\<><1 s c₁🚫 b c,s) →
<close

redex:: "('s,'p,'f)com ==> ('s,'p,'f)com"

redex Skip = Skip" |
redex (Basic f) = (Basic f)" |
redex (Spec r) = (Spec r)" |
java.lang.NullPointerException
redex (Cond b c_,r> u"
redex (While b c) = (While b c)" |
redex (Call p) = (Call p)" |
redex (DynCom d) = (DynCom d)" |
redex (Guard f b c) = (Guard f b c)" |
redex (Throw) = Throw" |
redex (Catch c_sub2 = redex c₁"

‹Γ⊨ (c', s')›

('s,'p,'f) config = "('s,'p,'f)com × ('s,'f) xstate"
"step"::"[('s,'p,'f) body,('s,'p,'f) config,('s,'p,'f) config] ==>
c2,s
for

Basicc

Spec: "(s,t) ∈
SpecStuck: "∀ cfg'' →

: "s\<ng⊨ (c,Normal s)"

GuardFault: "s∉c\^' ''here g': "cfg''=c_',s'')"

Seq: "Γsu \>( f, s)\rightarrow "
==>
Γ⊨
java.lang.NullPointerException
java.lang.NullPointerException

CondTrue: "s∈h "\>tnstie> Ct s) ri>(C b
CondFalse: "s∉

WhileTrue: "\<lbrakk(2]
==>
Γ c,rmal s) →

java.lang.NullPointerException
==>
Γ

ll: "\Gamma>p=me dy \\Lon>
Γ(Call p,Normal s) →)"

CallUndefined: "Γ p=None ==>
Γ⊨"

DynCom: "Γ\ uct c)

Catchca(Sq c\^>1 c₁: "Γ>(Call p, p,N s 🚫\rightarrowu"
==>
Γ⊨1 c_\^sp>* (SeSkip c^s>2, au )"

CatchThrow: "Γ⊨⊨2, Fault f) → (c₂
hSkip "\<>\ (Skip,s)"

aultPp: "\lbrakkc≠ ==>⊨ (Skip,Fault f)"
StuckProp: "[c≠
AbruptProp: "[c≠ ==>⊨ (Skip,Abrut f)

step_induct = step.induct [of _ "(c,s)" "(c',s')", split_format (complete), case_names
Spec SpecStuck Guard GuardFault Seq SeqSkip SeqThrow CondTrue CondFalse
WhileFalse Call CallUndefined DynCom Catch CatchThrow CatchSkip
StuckProp AbruptProp, induct set]

step_elim_cases [cases set]:
"Γ⊨rihta
"\<Gammaa (Catch c₂, Fault f) →(atc c1 Nr s) →
"Γ⊨
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
"Γ (inductt)auto
"Γlemma step_:
"Γ "\Gamma>🚫 final c cfg \<Longrightarrow
"Γ s'=Fault f"
"Γ
\<lemmatep_Abrupt
"Γ tep

step_Normal_elim_cases casesset]:

"Γranlp_induct2 [cas
"Γ
"\ '' s
"a⊨< (

"ΓtG>⊨ s'=Stuck"
"Γ
"Γ⊨
"Γ
"Γ⊨⊨ b smp

‹
, or @{term "(Throw,Normal s‹
{t ""} "} state a terminated ab. The @{const "Abrupt" s is not used to
abrupt termination, in contrast to the big-step semantics. Only if the
starts in an @{const "Abrupt"} states it ends in the same @{term "Abrupt"}
java.lang.NullPointerException

java.lang.NullPointerException
final cfg = (fst cfg=Skip ∨ t of

"step_rtrancl" :: "[('s,'p,'f) body,x ==>c'=Sk ∧ t'=Normal x
(‹
where
"Γ⊨)

"step_trancl" :: Skip tht ?case
(‹ Guardth ?case by (bla intro: step.Guard rtranclp_trans)
where
java.lang.NullPointerException

(* ************************************************************************ *)
subsectionions
(* ************************************************************************ *)

lemma ?
 apply (induct c)
by
 done

lemma no_step_final:
 assumes step: "Γ1 cfg'')
 shows " (,)< Ptep⊨1 →
using stepsteps⊨²" by fact
by induct (auto simp add: final_def)

lemma no_step_f>1 "₁ nd<2: "cfg₁', s')" by fact+
 assumesobtain1'' s'' where cfg'': java.lang.NullPointerException
 shows "final step<>1
using step
 by (cases cfg, cases cfgp

lemma step_Abrupt
 assumes step: "Γ)
 shows "∧)OF'' cfg2]
using step
by (induct) auto

lemma step_Fault:
 assumesshowcasejava.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
 shows "∧t f \Longrightarrow s=Faautf"
using step
by (induct) auto

lemma step_Stuck:
 assumes step: java.lang.NullPointerException
 shows "∧⊨1 c_sup* (Catch c₂, s')"
using step
by (induct) auto

lemma SeqSteps:
 assumes steps: "Γ
 shows "∧
java.lang.NullPointerException
using steps
proof (induct rule: converse_rtranclp_induct [case_names Refl step: "\Gamma cfgjava.lang.NullPointerException
 case Refl
 thus: \Gamma\> cfg²" by fact
 by simp
next
java.lang.NullPointerException
 have step: "Γ⊨1 →' b f
 have steps: "Γ
 have cfg₁cfg
 obtain c<^haves
 by (cases cfg'') auto
 from step cfg⊨1 c₁'' cjava.lang.NullPointerException
 have " bby(rue ste.Cch)
 by simp
 nce Γ (Seq c₂s) \rightarrow (S c₂s'"
 by (rule step.Seq)
 also .s3Fggsub2]
 "Gamma⊨1'' c_* (Seq c₂, s')" .
 finally show ?case .
qed

lemma CatchSteps:
 assumes steps: "Γut: "< (c, Fault f) →* (Skip, Fault

 🚫
using steps
proof ‹ fact
 SmallStep Termination
thus ?as
by si

java.lang.NullPointerException
have step: "Γ:h "\Gamma\turnstile (S c₂, Fault f)".
have steps: "Γ |
have cf\
obtain c_\<turnstile 2, Fault f) →>2, Fault f)" by (rule SeqSkip)
by (cases cfg'') auto
from step cfg₁ cfg''
have s: "Γ ( c🚫Small-Step Computation: \have^ub: "Γ⊨1, Faul🪙
by simp
hence "Γ⊨,p,f) bob,(','p,'f con,('s,p,'f co] ==>
by (rule step.Catch)
java.lang.NullPointerException
have "Γ (Catch c_<>/_)›
 finally show ?case .
qed

lemma steps_Fault: "Γ⊨ (c, Fault f) \forΓ
proof (induct c)
 case (Seq c_,No(fs))"
 have steps_c₁: java.lang.NullPointerException
 have stepsc\\a
 from SeqSteps [OF steps_c_\<turnstile> (CtchSkip\<^>2
 have "Γ⊨
 also
 have "Γ (fastf intro: step.intros)+
java.lang.NullPointerException
 finally show ?case by simp
next
 case (Catch c🚫
 have steps_c(c_\<^sup>* (Skip, Faultf) fa
 from CatchSteps [OF steps_c₁ refl refl]
 have "Γ⊨c
 also
 have"Γ⊨<>⊨
 finally show ?case by simp
qed (fastforce intro: step.intros)+

lemma steps_Stuck: "Γ⊨2: "Γ\subSuck) \<\<
proofinduct cc)
 case (Seq c₁ "\Gamma\turnstile> Seqc\sub>1 <^>, Stuck², Stuck)".
java.lang.NullPointerException
 have steps_c(c_\<^sup>* (Skip, Stuck)" by fact
 from SeqSteps <ongrightarrow
 have\amma><turnstile<^1 csub \rightarrow<sup \^2Stuck
 also
 have "Γ⊨
java.lang.NullPointerException
 finally s ?case by simp
next
 case (Catch c\<<^* (Skip,SeqS: "Gamma( <ubs) rightarrow<sub)java.lang.StringIndexOutOfBoundsException: Index 84 out of bounds for length 84
 have steps_c₁: "Γ⊨⊨ \Longrightarrow ΓNor s) 🚫>⊨2, Stuck) →rule CatchSkip)
java.lang.NullPointerException
 have "Γ⊨)+
 also
 have "Γ
 finally show ?case by simp
qed (fastforceqemma steps_Abru: "Γ (c, Abrupt s) →* (Skip, Abrupt s)"

lemma steps_Abrupt: "Γ⊨
proof c\> c₎
 case Longrightarrow
 have\^ub>turnstile1 Abrupt🚫2: "Γ2, Abrupt s) → Skip, Arupt s)"
 have steps_c(Seq c₂, Abrupt<java.lang.NullPointerException
 from SeqSteps [OF
 have "Γ\<>(
 also
 have "Γ :"< p=Somebdy<orijava.lang.StringIndexOutOfBoundsException: Index 46 out of bounds for length 46
 also note steps_c\< CallUndefined
 finally show ?case by simp
next
 case (Catch c₁ c\< Catch2)
 have steps_c₁: "Γ⊨ (c₁, Abrupt s) →java.lang.NullPointerException
 from CatchSteps [OF steps_c₁ refl refl]
 have "Γ⊨ (Catch c₁ c₂, Abrupt s) →^* (Catch Skip c₂,<ongright
 also
 have "Γ⊨ (Catch Skip
 finally
qedastforceros

lemma step_Fault_prop:SpecStuckce rtranclp_trans
 assumes step: "\< case⊨
 shows "Andf. s=Fault f →
using
by (induct "<>x.. s=Abrupt x")

lemma Seq 2
 assumesp\Gamma>\|:"<>🚫1: "Γ\urnstileSeq
 shows "∧2: "Γ StuckProprakk;redex= c<rbrakk uck
using"case of
by (iin) auto

lemma ste:
 assumes step: "Γ c' = Skip ∧
 s<>s1
usingstep
by (induct⊨

lemma steps_Fault_prop:
 assumes GuardFault<\turnstile
 showss Longrightarrow> s'=Fault
using
proof ( t)auto
 case Refl thus ?case by simpTrue
next
 case
 thuscase
 "<\turnstile> (c\< 1: "Γinduct
qed

lemma
 assumes
 shows "s=Abrupt t ==>
using step
proof (induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl thus ?case by simp
next
 case (Trans c s c'' s'')
 thus ?case
 by (auto intro: step_Abrupt_finallyhave "Γ (Seq cjava.lang.NullPointerException
qed

lemma steps_Stuck_prop intro)
 assumes ultimately ?thesis
 showsjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
using stepexec_c<⊨c,Normal ==>
proof exec_w⊨
 case Refls?ymp
next
 case (Trans c s c'' s'')
 thus case
 by (auto intro: step_Stuck_prop)
qed

(* ************************************************************************ *)
subsection ‹Equivalence between Small-Step and Big-Step Semantics›
(* ************************************************************************ *)henceΓ (While b c,Normals) \rightarrow> "Gamma><t(p,) <ru"

theorem:
 assumes exec: "\ ?case
 shows "∃
 of
 Abrupt x ==>🚫
 | _ ==> <and
usingexec
proofuct
 case Skipsub2: "Γ⊨uard fg c,Nors) \\<ighta u"
 bysimp
next
 case thus blast intro: step rtranclp_trans>turnstile fNormal \rightarrow "
next
 case GuardFault thus ?case by (fastforce intro: step.GuardFault rtranclp_else c' = T ∧
next
 case FaultProp show ?case by (fastforce intro: steps_Fault)
next
 case Basic thus?case by fastintro: step.Basic rtranclp_trans)
next
 case Spec thus ?case by (fastforce intro: step.Spec rtranclp_trans)
next
 case SpecStuck thus ?case by (fastforce intro: step.SpecStuck rtra 🚫
next
 caseby(r step.SeqSkip))
 also o steps_c\<^>2 (While b c, Normal s) →c,Nor s) <> "
 have exec_c₂: "Γ⊨<>\<turnstileCall
 show ?case
 proof t Falsehthesis
 <tur(DynCom cNormal s) \rightarrowu"
 from False Seq.hyps (2)
 urnstile<subNormal (t
 by (cases s') auto
 hence seq_cjava.lang.NullPointerException
 by (rule SeqSteps
 java.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
 steps_c_seq: "\Gamma\<> term ", s"} i ca the wasstarted injava.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
 t: "(case t of
 Abrupt<<turnstile )"
 by r SeqThrow)
 | _ ==> c' = Skip ∧ t' = t)"
 by auto
 note seq_cjava.lang.NullPointerException
 alsojava.lang.NullPointerException
 steps_show ?thesis
 finally have "Γ
 with
 by (cases thus ? fastforce: step rtrancl_trans abrupt, contrast thebigstep.Only1 Abrupt\^>*SkipAbrupt)"fact
 next
 case True
 then obtain x where s': "s'=Abrupt x"
 by blast
 from s' Seq.hyps (2)
 have "Γalso
 by auto
 hence seq_c java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 by (rule SeqSteps) auto
 also have "Γ⊨java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 by (rule (chMatch .close
 finally have\Gamma<> ,' config> where"<n. s=Fault f \Longrightarrow> s'=Fault f"f
 moreover
 from exec_cfstby(duct
 by (auto introby( CatchSteps
 ultimately show ?thesis
 by auto
 qed
next
 case CondTrue thus" : [('s,'p,'f body,('s,'p'f)config,(s,,'p,'f'f)config]\Rightarrow> boo"
next
 ( intro.CondFalse)
next
 case (WhileTrue b t
 have exec_c: "Γ⊨<>_⊨
 have exec_w: "Γ t' = Normal x
 have b: "s ∈ b" by>=∧
 hence step:"Γ⊨ (Seq c (While b c),Normal
 by (rule step.WhileTrue)
 show ?case
 proof (cases "∃x. s'=Abrupt xusing ?case
 caseFalse
 from False WhileTrue.java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 \Gammatu> (c, Nor ==>⊨(Seq c₂,s) →^* (Seq c\<^1'2, s')"
 "<"steps
 hence: "\< case
 byb (ca s) (auto intro: exec.intros elimexec_em_cas)
 While.hyps 5) ob c'' t' where
 steps_cs:
 t: "(case
 Abrupt x ==> cfg<^>1^2: java.lang.NullPointerException
 obtainc^sub>'' whrcf''"'(\^
 | _ ==>
 by auto
 note also notejava.lang.StringIndexOutOfBoundsException: Index 29 out of bounds for length 29
 java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 by (rule intro.intros: exec_Normal_elim_cases
 also note steps_csub2
 finally "<>\turnstile> (While b c, Normal s) \<ightarrow\1''' casGuardFault thus ?case
 with fially shw ?e
 by (cases t) auto
 next
 case True
 then obtain x whehaveex:"\ps <><turnstilejava.lang.NullPointerException
 by blastshow
 note step
 also
 from s' WhileTruesteps
 have "Γ case
 by auto
 hence
 seq_c: "Γ <sub'
 by (rulehave hypsl_\^>' s_Normal
 also have "Γ⊨ ⟨1,Normal x⟩Rightarrow> s''"
 by (rule exec [OF thisjava.lang.NullPointerException
 finally have "Γ(
 moreover
 from exec_w s' have "t=Abruptwith' havetbrupt1 <ightarrow(cjava.lang.NullPointerException
 by (autosimp
 ultimatelywhesis
 by auto
 qed
next from( trod
 case ultimately
next
 case Call thus ?case by (blast intro: stepjava.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
next
 case CallUndefined thus ?case by (fastforceinduct
next
 case StuckProp thus ?case by (fastforce
next
 case DynCom ?case byblast: stepDynComrtranclp_transjava.lang.StringIndexOutOfBoundsException: Index 69 out of bounds for length 69
next
 case Throw thus ?case by simp
next
 casefromsOF<subl efl
next
 case (CatchMatch introFault_end
 from CatchMatch.hyps (2)
 have "\ s_Normal
 by sim
 hence "Γ2
 by (rule CatchSteps) auto
 "<>\turnstile
 "r. redex c_<forall r)) ∨
 also
 fromatchMatchtain
 steps_cjava.lang.NullPointerException
 t: "(c{
 Abrupt x ==> if Normal ssu " c_t. (x, t)∉
 else c' = Throw t' = Normal x
 | _ ==>1 by (auto intro: execintros
 by
 note_<>java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
 finally show ?case
 using t
 by (auto split: xstate. ?case by
next
 case (CatchMiss
 have t: java.lang.NullPointerException
 with CatchMiss.hyps (2)
 have "Γ (c_\^>* (Skip"
 by (cases t) auto
 hence "⊨ (Catch c₁ cjava.lang.NullPointerException
 byulehSteps
 also
 have "Γ
 by (rule step.CatchSkip)
 finally show ?case
 using t
 by (fastforce split: xstate.splits)
qed

corollary exec_impl_steps_Norma:
 assumes exec: "Γ⊨redex c₂
 shows "Γ⊨t ee.tr)
using exec_impl_steps [OF exec]
by auto

corollaryexec_impl_steps_Normal_Abrupt:
 assumes exec: "Γ OFjava.lang.NullPointerException
 "Gamma>turnsle>(Nrm ) →
using exec_impl_steps [OF exec]
java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 6

corollary exec_impl_steps_Abrupt_Abrupt:
 assumes exec: "\toec
 shows "Γ
using exec_impl_steps [OF exec]
by auto

corollary exec_impl_steps_Fault:
 assumes exec: "Γcsub>2)
 shows "Γ⊨1: "Γ exec
using exec_impl_steps [ (autoobrupt_end
byauto

corollary exec_impl_steps_Stuck:
 assumes exec: "Γ
 shows "<amma⊨(c,s) →^* (Skip, Stuck)"
using exec_impl_steps [OF exec]
by auto

lemma step_Abrupt_end:
 assumes step: "Γ⊨ steps_cby case thus
 showsAbrupt>s=Abruptsimp
using step
by induct auto

lemma step_Stuck_end:next
 assumes step "\Gamma\turnstile> (Catch c₂, Abrupt s) →case Stuck
 shows "'= "'Suc.
 finally sh ?case simp
 \<istsstss Stuck
 (∃.intros)
using step
by induct auto

lemma step_Fault_end::
 assumes step: "Γ⊨
 :"<>⊨
 s=Fault f ∨
 ∃1 = Guard f g c ∧ x ∉
using step
by induct auto

lemma exec_redex_Stuck:
ma\<turnstile\
proof (induct c)
 case Seq
 thus ?case
 by (cases s) (auto intro: exec.intros elim:exec_elim_cases)
next
 case Catch
 thus ?case
 by (cases s) (auto intro: exec.intros elim:exec_elim_cases)
qed si

lemma exec_redex_Fault:
<Gamma><turnstile>⟨.introelim: exec)
oof (induct c)
 case Seq
 thus ?case
 (ca s) ( intro: exec.intr elim:e:exec_el)
next
 case Catch
 thus ?case
 by (cases s) (auto in: exec.intros elim:exec_elim_cases)
qed simp_all

lemma step_extend:
 assumes step: "<(c,s) →
 shows "∧ this]
using step
proof (induct)
 case Basic thusha "<Gamma\c==> f".
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case Spec thus ?case
 by (fastcaB hus ?cfafotr.asiaptrans
next
 caseStu thu ?c
 by (fastforce intro: exec.intros elimultimately
next
 e Gua thus ?case
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case GuardFault thus ?case
 y (f stforce o: exeec.ntro el: exec_Normal_elim_ses
next
java.lang.NullPointerException
 have tep: p: Γ^sub>1,s) →1', s')" by fact
 haveexec casese
 show proofesx. s'=Abrupt x")
 proof (cases s) cacase Fase
 case (Normal x)
 note s_Normal = this
 show ?thesis ?thesis
 proof (cases s')
 case (Normal x')
 from exec' [simplified Normal] obtain s'' where
 exec_c⟨1',Normal x'⟩ \Rightarrows''nd
java.lang.NullPointerException
 by cases
java.lang.NullPointerException
 have "Γ
 by simp
 from exec.Seq [OF this c'redexcsub = Specnd\forallt.x,t)<>r)
 show ?thesis by simp
 next
 case (Abrupt1
 with exec' have "t=Abrupt x'"
 by ( introend
 moreoverfrom exec_redex_Stuck [OF]
 from step Abrupt
 have "s=Abrupt x'"
 by( intro: step_Abrupt_endst uto
 ultimately
 show ?thesis
 by (auto intro: exec.intros)
 next
 case (Fault f)
 from step_Fault_end [OF"\><ur> (c_\<^sup>* (Throw, Normal x)"
 obtain
 x_c>: redex<sub1 = Guard f g c" and
 fail: "x 🚫1 c_, Normal).
 byauto
 hence "Γ
 by (auto intro: exec.intros)
 from exec_redex_Fault [OF this]
 have "Γ
 oreover ault
 by (auto intro: Fault_end)
 ultimately
 show ?thesis

 by (auto intro: execintros)
 next
 case Stuck
 fromuck_end
 in b"from exec_redex_Stuck [OF this]
 have \ hee sep: "Gamma>turnstile(e c,l <rightarrow
 uto ule
 moreover
 {
 fix r
 ssume c_tt<>r)
 hence "Γ⊨ ⟨
 by (a intro: ero: exeexec.intrintros)
 from exec_redex_Stuck [OF this]
 have "byauto.ntros
 moreover from Stuck exec' }
 by (auto intro: Stuck_end)ultimately ?thesis

 have ?thesis
 using s_Normal
 by (auto intro: exec.java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 6
 }
 moreover
 {
 fix p
 assumewith
 hence "Γ\ have t=Abrupt "
 by (auto intro: exec.introsby(auto intro: Abrupt_end
 from exec_redex_Stuck [OF this
 have "Γ\<turnstile
 moreover from Stuck exec' have "tStuck
 by (auto intro: Stuck_end

 have ?thesis
 using .
 by (auto intro: exec)
 }
 ultimatelyo Fault_end
 by auto
 qed
 next ntro
java.lang.StringIndexOutOfBoundsException: Index 24 out of bounds for length 19
 from step_Abrupt [OF step this]
 have "s'=Abrupt x".
 with exec'
 have "t=Abrupt x"
 by (auto intro: Abrupt_end)
 with Abrupt
 show ??thesis
 by (auto intro: exec.intros)
 next
 case (Fault f)
 from step_Fault [OF step]
 have "s'=Fault f".
 with exec'
 have "t=Fault f"
 by (uto: Fault_end)
 with Fault
 show
 by (auto intro: exec.intros)
 next
 case Stuck
 from step_Stuck [OF step this]
 have "s'=Stuck".
 with exec'
 have "t=Stuck"
java.lang.StringIndexOutOfBoundsException: Index 58 out of bounds for length 32
 withStuckProp
 showstforce
 by (auto
 qed
next
 case (SeqSkip
 by (cases s) (fastforce intro: exec.intros elim: exec_elim_cases)+
next
 case (SeqThrow cjava.lang.NullPointerException
 by (fastforce s' WhileTruehyps
next
 case ""<Gammaturnstile<langlec<angle ==> t"
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case CondFalse thus ?case
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case WhileTrue thus ?case
 by ((indu r: conv [caRefl Tr])
next
 case WhileFalse thus ?case
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case Call thus ?case
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 ase Calalsoave "Γ ) )<rightarrowThrow x)"
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case DynC step_extextend)
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
java.lang.NullPointerException
 have step: "Γ:
 haveexec: Γ ⟨⊨
 show ?
 proof (cases s)
 case (Normals
 notermal
 show ?thesis
 proof (cases s')
 casese
 from exec' [simplified Normal]
 show ?thesis hileFalseasercehileFalseTrans )
 proofGamma<turnstile> (c, s) →
 fix'
 assume exec_c₎
 assume exec_cjava.lang.NullPointerException
 from Catch.hyps (2) Normal exec_c_subsection<openInfinite Computations: ‹
have "Γ
by sie
from exec.CatchMatch [OF this exec_c_<> ('bruptProp thus ? ?case by (fastfintro: steps_Abru)
show ?thesis by simp
next
assume exec_c_': "Γatch c\<^<^)
assume t: "¬Gam⊨ cfg → …
java.lang.NullPointerException
java.lang.NullPointerException
by simp
from
sis simp
qed
next
case (Abrupt x')
with ssadd:f_d
by (auto intro:Abrupt_end)
moreover
from step Abrupt
have "s=Abrupt x'"
by (auto intro: step u ‹
ultimately
show ?thesis
by (auto intro: exec.intros)
next
case (f)
from step_ [OF step this] s_NNormal
obtain g c where
redex_cif Normal s' = t then c' = Si🪙 t' = Normal x
fail: "x ∉
by auto
hence "\Gammatur ⟨redex c₁,Normal x⟩ ==> Fault f"

rom re_Faul [OF this]
java.lang.NullPointerException
moreover Abx \Rightarrow if s' = t then c' = Skip ∧
by (auto intro: Fault_end)
ultimately
show ?thesis uto
using s_Normal
to execinos)
next
case Stuck
from step_Stuck_end [OF step this] s_Normal
java.lang.NullPointerException
(∃⊨
obtain x ws':pt
by blas
{
fix r
java.lang.NullPointerException
java.lang.NullPointerException
by (aut intro: exexec.tro)
from exec_redex_Stuck [OF this]
have "Γ ⟨
moreover from Stuck exec' have "t=Stuck"
by (auto intro: Stuck_end)
ultimately
have thhesis
using s_Normal
by (auto intro: exec.intros)
}
moreover
{
fix p
c\ exe
hence "Γ⊨ ⟨redex c_\turn>⟨ ==>
by (auto intro: exec.intros)
from exec_redex_Stuck [OF this]
have "ΓOF exec]
moreover from Stuck exec' have "t=Stuck"
by (auto intro: Stuck_end)
ultimately
have ?thesis
using s_Normal
by (auto intro: exec.intros)

ultimately show ?thesis
java.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15
qed
next
case (Abrupt x)
from step_Abrupt [OF step this]
have "s'=Abrupt x".
with exec'
have "t=Abrupt x"
by (auto intro: Abrupt_end)
with
show how rut?case by (f(fastforc into: stepss_Aupt)
by (auto intro: exec.intros)
next
case (Fault f)
from step_Fault [OF step thi
have "s'=Fault f".
with exec'
have "t=mpl_steps [OF exec]
by ( intro: Fault_end)
with Fault
show ?thesis
by (auto intro: exec.intros)

case Stuck
from step_Stuck [OF step this]
s'=St=Stu".
with e'
have "t=Stuck"
by (auto intro: Stuck_end)
with tuck
show ?thesis
by (aut
qed

case CatchThrow thus ?case
by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)

case CatchSkip thus ?case
ro: exe.n elimelim: exec_elim_casses)

case FaultProp thus ?case
e ntroro: exec.inlim: exec_elim_cec_el_elim_caslimim_cases)

case StuckProp thus ?case
x ==>

case AbruptProp thus ?case
by (fastforce intro: e c'' = \<<row1Call p ∧
_ ==>c' = Skip ∧

java.lang.NullPointerException
assumes steps: "Γ
shows "Γ
java.lang.StringIndexOutOfBoundsException: Index 36 out of bounds for length 11
(induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
case thus
by (cases t) (auto intro: exec.intros)

case (Trans c s c')
>🚫
thus ?case
by (rule step_extend)

hrow_impl_exec:
assumes steps e:minates_Norm_cas )
shows "Γ
stfw ?case
(induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
case Refl thus ?case
by (auto intro: exec.intros)

case (Trans c s c' s')
have "Γ⊨ (c, s) →
thus ?case
by (rule step_extend)

(* ************************************************************************ *) shows⊨
subsection ‹
(* ************************************************************************ *)

definition
(‹
Γ⊨ eec: "Γturnstile>⟨c,Normal s⟩

t_infI: \<>\f. [
==>lUnefn

(* ************************************************************************ *)
subsection ‹
(* ************************************************************************ *)

lemmaerves_termination
 assumes step: "Γibuto
 shows "Γ
using step
proof (induct)
 case thus? by( introinatesros
next
 case Spec thus ?case by (fastforce
next
 case SpecStuck exec_impl_stepscjava.lang.StringIndexOutOfBoundsException: Index 31 out of bounds for length 31
next
 case Guard thus ?case
 by (fastforce(ntronatestros
next
 caseuardFaultcees
next
 case (Seq c<apply(
 apply (cases
 apply (cases s')
 pplytep_Abrupt_enddjava.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
 elim: terminates_Normal_elim_cases"< s=Abrupt x"
 apply (fastforce
 step_Fault_prop step_Stuck_prop)+
 done
next
 case (SeqSkip cjava.lang.NullPointerException
 thus
 applys
 apply (fastforce⊨
 asetes
 done
next
 case(owcaseSpec
 thustroormal_elim_cases
 by (fastforce intro: terminates
 elim: terminates_Normal_elim_cases auto
next
 case CondTrueassumes⊨
 thus ?case
 (fastforce intro: terminates
 elim: terminates_Normal_elim_cases )
next
 case CondFalse
 us
 by (fastforce intro
 elim
next
 case WhileTrue
 thus<amma\
 by (fastforce intro: terminatescasech
 elim
next
 case WhileFalse
 thus ?case
 by (cases
 elim: java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
next
 case Call
 thus
 by (fastforce intro: terminates
 elimby( tro
next
 ase
 thus ?case
 by (fastforce intro: terminates.intros
 elim: terminates_Normal_elim_casesqed
next
 case DynCom
 e
 by (fastforce intro: terminateshead_comby cases
 erminates_Normal_elim_casesases
next
 case (Catch ^>' s' c₎ us
 apply (cases s)
 apply (cases s')
 apply (fastforce intro: terminates.intros
 elimrminates_Normal_elim_casesjava.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 14
 apply (fastforce intro:java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 ep_Fault_propjava.lang.StringIndexOutOfBoundsException: Index 39 out of bounds for length 39
 done auto
next
 case CatchThrow
 thus
 by ( brupt
 elim ( intro step_Abrupt_end
next
 case (CatchSkip cjava.lang.NullPointerException
 thus ?case
 by (cases s) (fastforce intro: terminates.introsnext
next
 case FaultProp thus ?case by (fastforce intro
next
 case StuckProp thus ?case by (fastforce intro: terminatesjava.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 17
next
 case AbruptProp thus ?case by (fastforce intro
qed

lemma steps_preserves_termination:
 assumes stepss \rightarrow>^:\orallnotSeq1
 shows⊨s'"
using steps
proof (induct rule: rtranclp_induct2[co 1, cas Refl Trans])
 caseefl thusase
next
 case Trans
 thus ?case
 by (blast dest: step_preserves_terminationwitxecave "pt
qed

ML
 ML_Thms.bind_thmjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 i< final (head (f i))"
), Position.none), "(apply
 @{thm bgoal_tac k")
\<close>

lemma sepsshow ?thhis
 assumes steps: "Γapply
 shows "Γ
using steps
proof (induct rule: tranclp_induct2hhyp: "<><(<ts\^2, s) <>
 case Step\>< ( i< head(i + 1))java.lang.StringIndexOutOfBoundsException: Index 83 out of bounds for length 83
next
 case Trans
 thus?"
 by blas et:: )
qed

definition head_com:: "('s,'p,'f) com ==>(<existsjava.lang.NullPointerException
where
"head_com c =
 (case c of
 Seq c[rule_format, ofk] f_k
 |Caf avave\><t>(Seq c c\\^sub>2, s')<r> f ( 1)1)"
 | _ ==> c<1 = Spec r ∧t. (x, t) ∉

definition head
 where "head cfg = (head_com (fst cfg), snd cfg)"

lemma le_Suc_cases: "[s>1 Spe r"
 apply
 apply (case_tac
 apply auto
 done

lemmawith f_k
 by ( ?thesis

lemma redex_Catch_False: "∧c' c''. (redex c = Catch c'' c') = False"
 by (induct

lemma infinite_computation_extract_head_Seq:
 assumes: "\foralli::at. Γ
 assumes f_0: "f 0 = (Seq cjava.lang.NullPointerException
 not_fin<>knotfinalhave<<>\
 shows "∀hence " \foralli<.(<exists i )= Catch2\and
 Γ⊨ head (f (i+1))"
 (is "∀i<k. ?P i")
using not_fin
proof (induct k)
 case 0
 show ?case by simp
next
 case (Suc k)
 have not_fin_Suc:
 }
 from this[rule_format] have not_fin_k:
 "∀
 apply clarify
 apply java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null

 apply
 done

 from Suc.hyps [OF this]
 have hyp: "∀sub2, introjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 Γwithf
 show
 proof (rule bysimp
 hav?
 assume "i < k"
 then
 by
 next

 proof -
 from hyp [rule_format\Gamma\turnstile (, s) <rightarrow 2 t)
 obtain chave⊨
 byauto
 :"f 0=(Throw, s)"
 have\case
 by simp
 moreoverStuck
 fromin_Suc_
 have "¬e =S"
 by (simp add: final_def head_def head_com_def)
 ultimately
 obtain c'' s'' where
 \Gammaturnstile (c''snd
 java.lang.NullPointerException
 by cases (auto simp add: redex_Seq_False final_def)
 with f_k
 show ?thesis
 by (simpadd:hea h)
 qed
 qed
qed

lemma infinite_comp:
 assumes inf_comp: "∀i::nat. < show>. finalCondTrue
 assumes
 assumes e"(LEAS ifinl hea(i)))"
 shows>java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 Γ ntroos)
 (is "∀
using not_fin
proof(induct k)
 case 0
java.lang.StringIndexOutOfBoundsException: Index 48 out of bounds for length 20
next
 case Su k)
 have not_fin_Suc:
 "∀
 fromrule_format
 "∀
 pply carifpp -
 apply (subgoal_tac "i < Suc exE:redex1 = Guard f g c" and
 apply blast
 apply simp
 done

 from Suc.hyps [OF this]
 have h: "foralli (c<sub
 Γ<by
 (Fault_end
 proof (rule le_Suc_cases)
 fix i
 assume "i < k"
 then show "?P i" c<sub^subsjava.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
 by (rule hyp
 thusjava.lang.StringIndexOutOfBoundsException: Index 31 out of bounds for length 31
 show
 proof -
 have<>iSuc m. \Gamma>⊨
 obtain c' fs' L' s' where f_k: "f k = (Catch c' c_\<turnstile> head (f i) →
 auto
 from iby int "a< headjava.lang.NullPointerException
 have "\ b (rule Suc.hyp.hyps)
 by simp
 moreover
not_fin_Suc[rule_foormat,f f_k
 have "¬ final (c',have
 by (simp add: final_def head_def head_com_def)
 ultimately
 obtain c'' s'' where
 "Γ⊨
 "f ((k + ) ( ith
 by cases (auto simp add: redex_Catch_Falsehave< {ad_def s'
 with java.lang.NullPointerException
 show ?thesiskjava.lang.StringIndexOutOfBoundsException: Index 39 out of bounds for length 39
 by (simp add: head_def head_com_def)
 qed
 qed
qed

lemma: "\<not (Throw,s) →fr Stu execx' have e "Stuck
proof
 assume "Γ g i= f ( ltimately
 thesis
 uusingsNormal
 f_0: "f 0 = (Throwby oexec
 by (auto simp add: inf_def)
 step, simplified of
 show False
 by cases (autotep_elim_cases
qed

lemma split_inf_Seq:
 assumes vebrupt
 shows "Γ⊨
 (∃
proof -
 from inf_comp obtain f where
 step: "<>i::natGamma ?thesis
 f_0: java.lang.NullPointerException
 by (auto simp add: inf_def)
 from f_0 have head_f_0: "head (f 0) = (cjava.lang.NullPointerException
 by (simp add: head_def head_com_def)
 show ?thesis
 proof (cases "∃_> ==>
 case True assume s': s': "s'=Normal_java.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length 32
 define assumet: "> isyutntro:exeintros
 have less_k: "∀⊨^2uck Normal
ro
 applyunfold)
 apply (drule not_less_Least g where" = (i + (k + 1)" for
 applyauto
 done
 from infinite_computation_extract_head_Seq [OF step f_0 this]
 obtain step_head: "∀i<k. Γ
 conf:"<[OFthis ts_Normal
 by blast
 rom
 have withhave<Gamma\>(Throw \rightarrowthesis
 apply-
 apply (eruleqednext no_inf_Throw
 apply (drule LeastI)
 apply(mpdefef
 done
 moreover
 from f_0 conf [rule_format, of "k - 1"]
 obtainc's where f_k "f kk = ( c' c\<^>2
 by (cases k) auto
 moreover
 from step_head have steps_head: "java.lang.NullPointerException
 proof (inductse
 case 0 thus ?case by
 next
 case (Suc m)
 have step: "∀i. Γ
 hence "∀i<m.proof
 by auto
 fromn
 by(hyps
 fromstep [rule_format,of
 have "Γ⊨
 finally show ?case by simp
 qed
 {
redex_c1: "redexjava.lang.NullPointerException
 ith
 have "Γ⊨
 using head_f_0
 by (simp add: head_def head_com_def)
 by auto
 from step [rule_format, of k] f_k
 obtain "Γ⊨(
 f_Suc_k: "f (k + 1) = (clemsplit_inf
 by (fastforce elim: step.cases intro: step.intros)
 define g where "g i = f "<>⊨ ==>
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
 :" roxecintros
 by (simp add: g_def)
 fromstep
 have "∀ipro -
 by (si thus ?case
 by by (rule step_ep_extenend)
 by (auto simp add: inf_d)
 ultimately
 have ?hesis
 by auto

 moreover
 {
 fix x
 s': "= x" and f_k: "k= by(auto Fault_endjava.lang.StringIndexOutOfBoundsException: Index 34 out of bounds for length 34
 from stepultimately
 obtain< ?
 f_Suc_k: "f (k + 1) = (Throw,s')"
 by (fastforce elim: step_elim_cases intro: step usingjava.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
 define g where "g i = f (i + (k + 1))" for ef
m java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
 have g_0: "g 0 = (Throw,s')"
 by
 from step
 have "∀ "\exists java.lang.NullPointerException
 by (simp : g_def
 with g_0 have "\<Gamma ptaromominfinicomp [OFF tep f0]
 by (auto simp add: inf_def)
 with no_inf_Throw
 ?thes
 by auto
 }
 ultimately
 show ?thesis
 by (auto simp add: final_def head_def head_com_def)
 next
 case False
 hen hnot_fin:"<forall<not head i)))java.lang.StringIndexOutOfBoundsException: Index 62 out of bounds for length 62
 by blast
 have "∀i. Γ⊨ T
 proof
 fix k
 from not_fin
 have "∀:apply
 by

 from infinite_computation_extract_head_Seq s'
 show\Gamma>turnstile head (f k) → simp
 qed
 with head_f_0 have "Γ⊨t)
 by (auto simp add: inf_d (fastfintro: terminates.intros d: step_Abrupt_prop
 thus ?thesis
 by simp
 qed
qed

lemma split_inf_Catch:
 assumes inf_comp: "Γ⊨(Catch c_fastforcebyk auto
 shows\Gamma<>(
 (∃2 s)
proof -
 from obtain fwhere
 step>i:.🚫
 f_0:(fastforceintro: .intros.ntros
 by (auto simp add: inf_def)
 from f_0 have head_f_0: java.lang.NullPointerException
 by (simp add: head_def head_com_def)
 show ?thesis
 proof (cases "∃
 case True
 definefix
 have less_k: "∀i<k. ¬ final (head (f i))"assume"redex
 apply (intro allI impI)
 apply (unfold k_def)
 apply (drule not_less_Least)
 hence ""\<>\
 done
 from infinite_computation_extract_head_Catch [OF step f_0 this]
 obtain step_head: "∀i<k. Γ⊨ )
 exec_redex_Stuckthis
 by blast
 from Truehave<amma ?
 have final_f_k: "moreover ffrom Stuck exe' have "t=Stuck"
ply-
 apply (erule exE)
 also from st by (au i: St)
 apply (simp add: k_def)
 done
 moreover
 from f_0 conf [rule_format, of "k - 1 ?java.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20
 ( exec
 by :f (fastforceintros
 moreover
 from step_head ow
 DynCom
 0 ?casebysimp
 nextusing
 case (Suc imp
 have step: "∀
 hence "∀
 by auto
 hence "Γ xec'
 by (rule Suc.hyps)
 also from step [rule_f, ofm]java.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
by( ya intro:: Abrupt)
 show?case bysimp
 qed
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 by (auto in: exeint)

 have "Γ⊨(c
 from OF
 by (simp add: head_def head_com_def f"

 from step [rule_format, of k] f_k
 obtain "Γ steps⊨f k
 f_Suc_k: "f (k + 1) = (Skip,s')"
 by (fastforce elim: step.cases
 from step [rule_format,show<\urnstile
 have ?thesis
 byno_step_final
 }
 moreover
 {
 x
 assume s': "s'=Normal x" java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 with steps_headrule_format ] f_k
 have "Γ
 using head_f_0
 by (simp add: head_def head_com_def)
 over
 from step [rule_format, of k] f_k s'
 obtain "Γ⊨
java.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 45
 by (fastforce elim: step_elim_cases: step
 define g where java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 rom
 have g_0: "g 0 = (c_\Gamma>⊨<> \Gammac'↓su,s)
 by simadd: g_def)
 from ste
 have "∀( intro)
 by (simp
 with have"<Gamma><t>(c₍∞
 by aut simp add: inf_def)
 ultimately
 have ?thesis
 using s'
 by auto
 case hea:: "(',,fcom>(sp') comsimpinf_def
 ultimately
 show ?thesis
 by (auto simp add: final_def head_defhead_com c by introusing
 next
 case False
 then not_finforall>i. ¬

 have "∀ c)"
 proof
 fix k
 not_fin
 have "∀i<(Suc k). \
 by simp

 from infinite_computation_extract_head_Catch [OF step f_0 this ]
 showsh ">turnstile
 qed
 with head_f_0 have "Γ⊨
 by (auto simp add: inf_de re"<Andc' c''. (redex c = Seq' c=False
 thus ?thesis
 by simp
 qed
qed

lemma Skip_no_step "∀
 apply (erule no_step_final')
 apply (simp add: final_def)
 done

lemma not_inf_Stuck: "¬ c<> c_s
prooffrominfinite_computation_extract_head_Catch f_0
 case Skip
 show ?
 proof (rule not_infI)
 fix f
 assume f_stepsteps_Throw_impl_exec
 assumef_0 Skip
 from [0 f_0
 show False
 by (auto elim: Skip_no_step)
 qed
next
 case (Basic g)
 thus ?case
 proof"k.< fn (h g step
 _ havotfin_k
 assume f_step: "∧i<k. ¬case java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
 assume f_0: "f 0 = (Basic g, Stuck)"
 from f_step [of
 show False
 by : Skip_no_step
 qed
next
 case (Spec r)
 thus ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧
 assume f0: "f0 r, Stuck
 from f_step [of 0] f_0 f_step [of 1]
 show
 by (fastforce elim: Skip_no_step step_elim_cases
 d
next
 case (Seq cjava.lang.NullPointerException
 shownext
 proof
 assume "Γ⊨1 cpr
 from split_inf_Seq [OF this] Seq.hyps
 False
 by (auto dest: steps_Stuck_prop)
 qed
next
java.lang.NullPointerException
 show ?case<Longrightarrow> ¬
 proof (rule not_infI)
 fix f
 assume f_step: "∧
 assume f_0
 fromf_step 0] f_0 [of]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qedfixf
next
 case (While
 show?case
 proof_nfI
 fix f
 assume f_stepi. Γf i → ead_def :fkip
 assume f_0: "f 0 = (While b c, Stuck)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by(astforce: Skip_no_step step_elim_cases
 qed
next
 case (Call p)
 show ?case
 proof (rule
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (Call p, Stuck ( not_infI
 from f_step [of java.lang.NullPointerException
 by (fastforce intro: ter.intros e te)
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (DynCom d)
 show ?case
 proof (rule 0
 fix f
 assume f_step: "∧i. Γ⊨f i →
 assume f_0: "f 0 = (DynCom d, Stuck)"
 from f_step [of 0] f_0 f_stepforall>i<Suc fastforce:terminates step_extend
 show
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Guard m g c)
 show
 proof (rule not_infI)
 fix f
 assume f_stepi. Γ
 assume f_0: "f 0 = (Guard m g c, Stuck)"
 from f_step [of 0] f_0 f_step [of
 show
 by (fastforce elim: Skip_no_step hyp "\<oralli
 qed
next
 case Throw
 show ?case
 proof (rule not_infI)

 assume f_step: "∧ )
 assume f_0: "fnext
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qedqed
next
java.lang.NullPointerException
 show ?case
 proof
 assume "Γ
 from split_inf_Catch [OF this] Catchfastforce:terminates
 show False
 by (auto dest: steps_Stuck_prop)
 qed
qed

lemma not_inf_Fault: "¬
proof (infrom hyp [rule_fo, of "k-"]f0
 case Skip
 show ?case
 proof (rule not_infI)
 fix(fastforce intro: terminates.intros
 assume f_step: "∧
 assume f_0: "f 0 = (Skip, Fault x)"proofrule
 from f_step[f 0]f_0
 show False
 by( : kip_no_stepno_step
 qed
next
 case (java.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16
 thus ?case
 proofjava.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length 23
 fix f
 assume f_step: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
java.lang.StringIndexOutOfBoundsException: Index 82 out of bounds for length 42
 [of 0] f_0 f_step [of 1]
 showFalse
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
nextassumeassume f_0: " = ,Stuck
 case (Spec r)
 thus ?case
 proof (rule not_infI)
 fix
 assume f_step: "∧
 assume f_0: "f 0 = (Spec StuckPrope o erminates
 from
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case proof not_infI
 show ?case
 proof
 "<><t> (S c<^sub>1 c\^>2, Faault x)<rightar> …
 from split_inf_Seq [OF this] Seq.hyps
 show False
 by (auto dest: steps_Fault_prop)
 qed
next
 nd b c\\sub>11 c\\^sub>2))
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧i. Γ⊨elim
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 from f_step [of 0lastnation
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (While b
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧i. Γ⊨f i → f (Suc i)"
 assume f_0: "f 0 = (While b c, Fault x)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Call p)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧i. Γ⊨n
 assume f_0: "f 0 = (Callcasejava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 from f_step [of 0] f_0 f_step [ofshow
 show False: "f 0 = (Seq c\<^>1c↓\down'"
 by (fastforce elim: Skip_no_step step_elim_cases)
 qedf_0head inductf_stepep<And. 🚫
next
 case (case Step ?caseby( intro step_preserves_terminationjava.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67
 show ?case
 proof (rule><
 fix f
 assume f_step: "\<Andby
 assume f_0: "f 0 = (DynCom d, Fault x)"
 from f_step [of 0] f_0 f_ [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Guard m g c)
 show ?caase
 proof (rule not_infI)
 fix f
 assume f_s: "∧<turnstilef
 assume f_00 rdlt)
 from f_step [ofdrule LeastI
 showjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 by( elim step_elim_cases
 qed
next
 case Throw
 show ?case
 proofjava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (Throw, Fault x)"
 from Sc m)
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Catch c_>ghtarrrow>\<w\up>* h (f m)"java.lang.StringIndexOutOfBoundsException: Index 79 out of bounds for length 79
 show ?case
 proof
 assume "Γhav "Γ head (f (m + 1))" by simp
 from split_inf_Catch [OFfinallysho ?case y simp
 showshow Fa
 by (aautoo st:teps_Fau_pro
 qed f_step: sffk: " k=(Skip^subapplyrifyy
qed

lemma not_inf_Abrupt: "¬_f_
proof (indut c)
 case Skip
 how ?casetep[of 0] f_
 proof (rule not_infI)
 fix f
 assume f_step: "<>lemma And.( =Seq' =
 assume f_0: "f 0 = (Skip, Abrupt s)"
 from f_step [of 0] f_0
 show False
 by (auto elim: Skip_no_step)

next
 case (Basic g)
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 12
 proof (rule not_infI fromthuscase
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (Basic g, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Spec r)
 by (auto simp add: inf_def)
 proof (rule not_infI)
 fix f
 assume f_step: "∧i<k. ¬
 assume f_0: "f 0 = (Spec r, Abrupt s)"
 fromf_step step1

 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Seq cjava.lang.NullPointerException
 show ?ase
 proof
 assume "Γ c_\> …
 from split_inf_Seq [OF this] Seq.hyps
 show False
 by (auto dest: steps_Abrupt_prop)
 qed
next
 case (Cond b c₁ c₂)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧ , )java.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41
 f_step [1
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qedby(fastforce Skip_no_stepjava.lang.StringIndexOutOfBoundsException: Index 55 out of bounds for length 55
next
 case (While b c)
 show ?case
 proof ( (Seq^subc_i<k. ¬
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (While b c, Abrupt s)"proof
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Call p)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧i. Γ⊨f i → f (Suc i)"
 assume f_0: "f 0 = (Call p, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (DynCom d)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (DynCom d, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Guard m g c)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧tf i →
 assume f_0: "f 0 = (Guard m g c, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by ( elim: Skip_no_ste step_elim_cases)
 qed
next
 case Throw
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (Throw, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elimSkip_no_step
 qed
next
 ₂)
 show ?case
 proof
 assume moreover
 from split_inf_Catch [OF this] Catch.hyps
 show Falseproofrule not_infI
 by (auto dest: steps_Abrupt_prop)
 qed
qed

theorem terminates_impl_no_infinite_computation:
 termi"\\Ga>🚫 (W b c, Fault x)"
 shows "¬f_ste of 0] f_ [of 1]
using "f (k+1 =(Seq c'' cjava.lang.NullPointerException
proofbycases: x_Seq_False
 case (Skip s) thus ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧i. Γ⊨f i → f (Suc i)"
 assume f_0: "f 0 = (Skip, Normal s)"
 from f_step [of 0] f_0
 show False
 by (auto elim: Skip_no_step)
 qed
next
 case (Basic g s)
 thus ?case
 proof (rule not_infI)
 fix f
 assume f_step \AndGamma<turnstile>f i →
 assume f_0: "f 0 = (Basic g, Normal s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Spec r s)
 thus ?case
 proof (rule not_infI)
 fixjava.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
 assume f_step: "∧i. Γ elim:Skip st)
 assume f_0: "f 0 Spec r Normal"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Guard s g c m)
 have g: "s ∈ g" by fact
 have hyp: "¬ Γ
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (Guard m g c, Normal s)"
 from f_step [of 0] f_0 g
 have "f 1 = (c,Normal s)"
 by (fastfext
 with f_step
 have "Γ⊨ (c, Normal s) →
 apply (simp add: inf_def)
 apply (rule_tac x="λi. f (Suc i)" in exI)
 by simp

 qed
next
 case (GuardFault s g m c)
 have g: "s ∉
 show ?case
 proof (rule not_infI)
 fix f
 assumef_st: "∧⊨ False
 assume f_0: "f 0 = (Guard m g c, Normal s)"
 from g f_step [of 0] f_0apply clarify
 show False
 by ( elim Skip_no_stepstep_elim_cases)
 qed
next
 case (Fault c m)
 thus ?case
 by (rule not_inf_Fault)
nextxt
 casejava.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
 show ?case

 assume ><turnstile> (Seq\^ java.lang.NullPointerException
 fromsplit_inf_Seq thishyps
 show False
 by (auto intro: steps_Skip_impl_exec)
 qed
next
 case (CondTrue s b c1 c2)
 have b: "s ∈ b" by fact
 have hyp_c1: "¬ ΓGamma>⊨
 show ?case show False
 proof (rule not_infI)
 fix f
 assume f_step: "∧i. Γ⊨f i → f (Suc i)"
 assume f_0: "f 0 = (Cond b c1 c2, Normal s)"
 from b f_step [of 0] f_0
 have "f 1 = (c1,Normal s)"
 by (auto elim case Throw
 with f_step
 have\Gammaturnstile> (c1, Normal s) →
 apply (simp add: inf_def)
 apply (rule_tac x="λ
 by simp
 with
 qed
next
 case (CondFalse s b c2 c1)
 have b: "s ∉
 have hyp_c2: "¬ Γ
 show ?case
 proof (rule not_infI)
 fix
 assume f_step: "∧
 assume f_0: "f 0 = (Cond b c1 c2, Normaljava.lang.StringIndexOutOfBoundsException: Index 55 out of bounds for length 55
 from b f_step [of 0] f_0
 have "f 1 = (c2,Normal s)"
 by (auto elim: step_Normal_elim_cases)
 with f_step
 have "Γ⊨ (c2, Normal s) →
 apply (simp add: inf_def)
 apply (rule_tac x="λi. f (Suc i)" in exI)
 by simp
 hyp_c2 show False by simp
 qed
next
 case (WhileTrue s b c)
 have b: "s ∈\^2x\rightarrow …
 have hyp_c: "¬ Γ⊨ (c, Normal s) →c''' s'' whe
 have hyp_w: "∀s'. Γ⊨ ⟨c,Normal s⟩ ==>⊨<rightarrow (c'', s'')" and
 ⊨ s' ∧
 have not_inf_Seq: "¬ Γ⊨ (Seq c (While bby ( dest
 proof
 assume "Γjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 from splitqe
 by (auto intro: steps_Skip_impl_exec)
 qed
 show ?case
 proof
 assume "Γ⊨ no_inf_Throw Γ⊨ …)"
 then obtain f where
 f_step: "∧
 f_0: "f 0 = (While b c, Normal s)"
 by (auto simp add: inf_def)
 fromf_stepof] java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28
 have "f 1 = (Seq c (While b c),Normal s)"
by( simp inf_def)
 with f_step
 c(Whileile ii g_0"amma><urnst>(Throw,s') \rightarrowdots(\infinity)"
 apply (simp add: inf_def)
 apply (rule_tac x="λi. f (Suc i)" in exI)
 by
 with not_inf_Seq show False by simp
 qed
next
 case (WhileFalse s b c)
 by(uto)
 showjava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 proof(rule)
 fix f
 assume f_step: "∧
 assume f_0: "f 0 = (While b c, Normal s)"
 from b _st [of0] f] f_0 f_st [of 1
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Call p bdy s)
 have bdy: "Γp=Some bdybyassume_" = Bas , Ab s)"
 have hyp (auto add)
 show ?case
 proof (rule not_infI)
 fixf
 assume f_step: "∧i. Γ⊨

 from bdy f_step [of 0] f_0
 have " qed
 by (auto elim: step_Normal_elim_cases)
 ith
 have "Γ⊨ less_k:\<<forall
 apply (simp add: inf_def)
 apply (rule_tac x="λi. f (Suc i)" in exI)
 by simp
 with hyp show False by simp
 qed
next
 case (CallUndefined p s)
 have no_bdy: "Γ p = None" by fact
 apply auto
 proof (rule not_infI)
 fix f
 assume f_step: "∧i. Γ] f_0of
 assume f_0: "f 0 = (Call p, Normal s)"
 from no_bdy f_stepshow
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Stuck c)
 show ?case
 by (rule not_inf_Stuck)
next
 case (DynCom c s)
 have hyp: java.lang.NullPointerException
 show ?case
 proof (rule not_infI)
 fix f
java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10
 assume f_0: "f 0 = (DynCom c, Normal s)"
 from f_step [of 0] f_0
 have "f(Suc) c s, s)"
 by (auto elim: step_elim_cases)
 with f_step have "Γqed
 apply (dd
 apply (rule_tac x="λi. f (Suc i)" in exI)
 by simp
 with hyp
 show False by simp
 qedhave "<>i<Suc m. \<Gamma\ head (f (i + 1))" by fact
next
 case Throw ?case
 proof (rule not_infI)
 fix f
 assume_\And<><turnstile>f i → f (Sucassume f_stepAnd.\Gamma>\turnstile>f \rightarrow f( )
 assume f_0: "f 0 = (Throw, Normal s)"
 from f_step [of 0] f_0
 show Falserule.)
 by (auto elim: step_elim_cases)
 qed
next
 ( c)
 show ?case
 by (rule not_inf_Abrupt)
next
 caseCatch java.lang.NullPointerException
 show ?with
 proof
 assume java.lang.NullPointerException
 from split_inf_Catch [OF this] Catch.hyps
 show False
 by (auto intro: steps_Throw_impl_exec)
 qed
qed

definition
termi_call_steps :: "('s,'p,'f) body ==> (('s ×assume f0 ( fastforcestepcases:step
where
"termi_call_steps Γfrom f_ [o 0]f_ f_s [o1]
stileCall p↓
 (∃

primrec subst_redex:: "('s,'p,'f)comb (imp add)
where
"subst_redex Skip c = c" |
"subst_redex (Basic f) c = c" |
"subst_redex (Spec r) c = c" |
"subst_redex (Seq c_?
"x (Cond<^>1shows<turnstile<sub1,s) → …
"subst_redex (While b c') c = c" f
"subst_redex (Call p) c = c" |
"subst_redex (DynCom d) c = c" |
"subst_redex ( f b c') c = c" |
"subst_redex ( (Throw) c = c"|
" me f: "And\amma>f <ightarrowSucjava.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77

lemma ( "\<existsi
 "subst_redex c (redex c) = c"
 show als

lemma redex_subst_redex: "redex (subst_redex c r) = redex r"
 qed

lemma s':
 shows "<Gamma impI
by (induct c) (auto intro: step.Seq step.Catch)

lemma
 showsturnstiles)\rightarrow r,)<>\Gamma>\turnstile(Γ\rightarrow :"<i<. \<><
by (induct c) (auto intro: step.Seq step.Catch)

lemma steps_redex:
 assumes steps: " confi<k. (∃2, s'))from f_Suc_k
 showsc. Γg_0: " = s')
using steps
proof (induct rule: converse_rtranclp_induct2 [case final_f_k:" (head
 case Refl
 show "Γ⊨i. Γ<tu
 by simp
next
 case (Trans r s r'' s'')
 have "Γ⊨ (r, s) → (r'', s'')" by fact
 from step_redex [OF this]
 have "Γ⊨
 also
 haveGamma< step_head steps_head: java.lang.NullPointerException
 finally show ?case .
qed

ML ‹
 ML_Thms
 (Rule_Insts.read_instantiate @{context}
 [(((" ", 0), Position.none), "(aa, ab)"), ((("b", 0), Position.none), "(ba, bb)")] []
@{thm trancl_induct}));
›

lemma'java.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for length 19

 shows "∧
using from ot_fin
proof (induct rule: tranclp_induct2 [consumes 1,case_names Step Trans])
 case (Step r' s')
 have "Γ⊨ (r, s) →
 then have java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
 by (rule st (uo maddef)
 then show "Γ⊨ (subst_redex =rmaland:"f =(CachTrrow 🚫 f k= (C c' c<^ub>2,s,s')cases)husase
next
 case (Trans r' s' r'' s'')
 haveby (cases)auto
 also
 have "\<Gamma>\<turnstile> (r',
 hence "\<Gamma>\<turnstile> (subst_redex c rlefi <> (Suci
 by (rule step_redex)
 finally show "\<Gamma>\<turnstile> (subst_redex c r, s) \<rightarrow>\<^sup>+ (subst_redex c r'', s'')" .
qedfrom of]

primrec seq:: "(nat \<java.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
where
"seq c p 0 = Call p" |
seqc p(Suc)=subst_redex java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12

lemma renumber':
 assumes f: "\<forall>i. (a,f i) \<in> r\<^sup>* \<and> (f i,f(Suc i)) \<in> r"
 assumes a_b: "(a,b) \<in> r\<^sup>*"
 shows "b = f 0 \<Longrightarrow> (\<exists>f. f 0 = a \<and> (\<forall>i. (f i, f(Suc i)) \<in> r))"
using a_b
proof (induct rule: converse_rtrancl_induct [consumes 1])
 assume "b = f 0"
 with f show "\ qed
 by
next
 fix a z
 assume a_z: "(a, z) \<in> r" and "(z, b) \<in> r\<^sup>*"
 assume "b = f 0 \<Longrightarrow> \<exists>f. f 0 = z \<and> (\<forall>i. (f i, f (Suc i)) \<in> r)"
 " = f0"
 then obtain f where f0: "f 0 = z" and seq head_f_0
byjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 from [rule_format,of ]f_k
 obtain\><>Catch \^>,' <>(,s)"and
 using seq a_z f0
 by (cases i) auto
 }
 then
 show "\<exists>f. f 0 = a \<and> (\<forall>i. (f i, f (Suc i)) \<in> r)"
 by - (rule exI [where x="\<lambda>i. case i of 0 \<Rightarrow> a | Suc i \<Rightarrow (erule no_step_final)
qed

lemma renumber:
" have ?thesis
\<Longrightarrow> \<exists>f.not_inf_Stuck "<Gamma><>cStuck <> \<dots>(\infinity)java.lang.StringIndexOutOfBoundsException: Index 94 out of bounds for length 94
 showcase

lemma lem:
 \<forall>y.r<sup\ ((b,a) \<in> {(y,x). P x \<and> owFalse
 steps_head
apply clarifynext
apply(erule trancl_induct)
 apply not_infI)
apply(blast intro:tranclp_trans)
apply clarify
apply(erule tranclp_induct)
apply blast
apply(simp: head_com_def)
done

corollary terminates_impl_no_infinite_trans_computation ?
assumes terminates: "\<Gamma>\<turnstile>c java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
shows "\<not>(\<exists>f. f 0 = (c,s) \<and> (\<forall>i. \<Gamma>\<turnstile>f i \<rightarrow>\< fastforce elim:step_elim_casesintro step.intros)
proof -
 have " by( elim:Skip_no_stepstep_elim_cases)
 proof (rule wf_trancl)
 showhave g_0 " = (c
 proof (simp only: wf_iff_no_infinite_down_chain,clarify,simp)
 fix f
 assume "\<forall>i. \<Gamma>\<turnstile>(c,s) \<rightarrow>\<^sup>* f i \<and> \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 hence"<exists>f f(0::) =(cs)\and (foralli \>\<turnstile>f from split_inf_Seq[ this Seq.hyps
 by (rule renumber [to_pred])
 moreover from terminates_impl_no_infinite_computation [OF terminates]
 have "java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 by(impaddinf_def)
 ultimately show False
 by simp
 qed
 qed
 hence"<> (<>f. \forall>. ( Suci), ff i)
 \<in> {(y, x). \<Gamma
 by (simp add: wf_iff_no_infinite_down_chain)
 thus ?thesis
 proofshow?hesis
 assume "\<exists>f. f (0::nat) = (c, by (auto simp ?case
 then obtain f where
 f0:f0 c
 seq: then havenot_fin "<foralli \> (head f))java.lang.StringIndexOutOfBoundsException: Index 62 out of bounds for length 62
 "\forall>i.\<>\<>head( i)\rightarrow head (fshowjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 show
fix k
 proof (rule exI [where x=f],rule allI)
 fix i
 show "(f (Suc i), f i) \<in> {(y, x). \<Gamma>\<turnstile>(c fixf
 proof -
fromf_step ]f_0f_stepof
 fix i have "\<Gamma>\<turnstile>(c,s) \<rightarrow>\<^sup>* f i"
 proof (induct i)
 case 0 show "\<Gamma>\<turnstile>(c, s) \<rightarrow>\<^sup>*
 by (simp add: f0)
next
 case
"><turnstilec s \rightarrow\^>*f n"
 seqshow \Gamma\turnstilec )<><sup*f(Sucn"
 by (blast intro: tranclp_into_rtranclp rtranclp_trans) qed
 qed
 }
henceproof rule )
 fix
 with seq have
"(( i,fi <>{y,x.<amma\turnstile>, <rightarrow><sup* x \<> <Gamma<turnstilex \rightarrow>\^up>+ }"
 by clarsimp
 moreover
 elim step_elim_cases
 by (blast intro: tranclp_into_rtranclp rtranclp_trans)
 ultimately
 show ?thesis
 by (subst lem )
 qed
 qed
 qed
qed

theorem wf_termi_call_steps: "wf (termi_call_steps \<Gamma>)"
proof (simp only: termi_call_steps_def wf_iff_no_infinite_down_chain,
 clarify,simp)
 fix f
 assume inf: "\<forall>i. (\<lambda>(t, q) (s, p).
 \<Gamma>\<turnstile>Call p \<down> Normal s \<and>
 (\< f
 (f (Suc i)) (f i)"
 define s where "s i = fst (f i)" for i :: nat
 define p where "p i = (snd (f i)::'b)" for i :: nat
 frominf
 have inf': "\<forall>i. \<Gamma>\<turnstile>Call (p i)
 (\<exists>c. \<Gamma>\<turnstile> (Call (p i), Normal (s i)) \<rightarrow>\<^sup>+ "f 1= c,java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 redex c = Call (p (i+1)))"
 apply -
 apply (rule allI)
 apply (erule_tac x=i in allE)
 apply (auto simp add: s_def p_def)
 done
 show False
java.lang.StringIndexOutOfBoundsException: Range [10, 9) out of bounds for length 9
 from infshow java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 have "\<exists> java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 \ (Fault c m
 redex (c i) = Call (p (i+1))"
 apply -
 apply (rule
 by blast

 termi_c: "\<forall>i. \<Gamma>\<turnstile>Call (p i) \<down> Normal (s i)" and
 steps_c: "\<forall>i. \<Gamma>\<turnstile> (Call (p ( intro proof(rulenot_infI)
 red_c: "\<forall>i. redex (c i) = Call (p (i+1)) fix f
 by auto
define g "Gamma\> ,s\ghtarrow\><infinity"
 from red_c [rule_format, of 0]
 have "g then fjava.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length 23
 ( add:g_def
 moreover
 {
 fix i
haveredex c(0)i=Call(pi
 auto )
\<>>)
 have "subst_redex (seq c (p 0) i) (Call (p i)) = (seq c (p 0) i)"
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5

 have "\<forall>i. \<Gamma>\<turnstile> (g i) \<rightarrow>\<^sup>+ (g (i+1))"

 fix i
 from steps_c [rule_format, of i
 have "\<Gamma>\<turnstile> (Call (p i), Normal (s i)) \<rightarrow
 fromsteps_redex OF,of( c p0]
have\>turnstile( seqp) ( ( ) s i \ightarrow^>+
 (subst_redex (seq c (p 0) i) (c i), Normal (s (i + 1)))" .
 hence ( )
 (seq c (p 0) (i+1), Normal (s (i + 1)))"
 by (simp add: subst_redex_seq)
 thus "\<Gamma>\<turnstile> (g i) \<rightarrow>\<^sup>+ (g (i+1))"
 by (simp add: g_def)
 qed
 moreover
 from terminates_impl_no_infinite_trans_computation showjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 have "\<not> (\<exists>f. f 0 = (Call (p 0), Normal case Basic gjava.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16
 ultimately show False
 by auto
 qed
qed

lemma no_infinite_computation_implies_wf:
 assumes not_inf: "\<not> \<Gamma>\<turnstile> assumef_step "\And.\Gamma\> <>fSuci"
 shows "wf {(c2,c1). \<Gamma> \<turnstile> (c,s) \<rightarrow>\<^sup>* c1 \<and> \<Gamma> \<turnstile> c1 \<rightarrow> c2}"
proof (simp only: wf_iff_no_infinite_down_chain,clarify, simp)
 fixf
 assume "\<forall>i. \<Gamma>\<turnstile>(c, s) \<rightarrow>\<^sup>* f i \from f_step [of 0] f_0 f_step of 1]
 hence "\<exists>f. f 0 = (c, s) \<and> (\<forall>i show False
 by (rule renumber [to_pred])
 moreover havebdy: "<Gamma>p =Some " byfact
 have "\<not> (\<exists>f. f 0 = (c, s) \<and> (\<forall>i. \<Gammajava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 by (simp add: inf_def)
 ultimately showinfI)
 by simp
qed

lemma not_final_Stuck_step: "\<not> final (c,Stuck) \<Longrightarrow> \<exists>c' s'. \<Gamma>\<turnstile> (c, Stuck f_step [of 0] [ java.lang.StringIndexOutOfBoundsException: Index 40 out of bounds for length 40
inductby Skip_no_step

lemma not_final_Abrupt_step:
 "java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
by (induct c) (fastforce intro: step.intros simp add: final_def)+

lemma not_final_Fault_step:
 "\<not> final" 0=(Call,Normal)"
by (induct c) (fastforce intro: step.intros simp add: final_def)+

lemma not_final_Normal_step:
 "\<not> final (c,Normal s) \<Longrightarrow> \<exists>next
proofinduct
 case Skip thus ?case by (fastforce intro: step ?
next
 case Basic thus ?case by (fastforce intro: step.intros)
next
 case (Spec r)
 thus ?case
 by (cases "\<exists>t. (s,t) \<in> r") (fastforce intro: step.intros)+
next
 case (Seq c\<^sub>1 c\<^sub>2)
 thus ?case
 by (cases "final (c\<^sub>1,Normal s)") (fastforce intro: step.intros simp add: final_def)+
next
 case (Cond b c1 c2)
 show ?case
 by (cases "s \<in> b") (fastforce intro: step.introsqed
next
case c
 show ?case
 by (cases "s \<in> b") (fastforce intro: step.intros)+
next
 case (Call p)
 show ?case
 by (cases "\<Gamma> p") (fastforce intro: step.intros)+
next
 case DynCom thus ?case by (fastforce intro: step.intros)
next
 ( c)
 show ?case
 by (cases "s \<in> g") (fastforce intro: step.intros)+
next
 case Throw
 thus ?case by (fastforce intro: step.intros qed
next
 case (Catch c\<^sub>1 c\<^sub>2)
 thus ?case
 by (cases "final (c\<^sub>1,Normal s)") (fastforce intro: step.intros simp add: final_def)+
qed

lemma final_termi:
"final (c,s) \<Longrightarrow> \<Gamma>\<turnstile>c\<down>s"
 byby ( elim Skip_no_stepjava.lang.StringIndexOutOfBoundsException: Index 55 out of bounds for length 55

lemma split_computation:
assumes steps: "\<Gamma>\<turnstile> (c, s)java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
assumes not_final: "\<not> final (c,s)"
assumes final: "final (c\<^sub>f,s\<^sub>f)"
shows "\<exists>c' s'. \<Gamma>\<turnstile> (c, s) \<rightarrow> (c',s') \<and> \<Gamma>\<turnstile> (c', s') \<rightarrow>\<^sup>* (c\<^sub>f, s\<^sub>f)"
stepsnot_final final
proofinduct:converse_rtranclp_induct2 case_namesReflTrans]
 case Refl thus ?case by simp
next
 proofrulenot_infI)
 thus ?case by auto
qed

lemma wf_implies_termi_reach_step_case:
assumeshypnext
shows "\<Gamma>\<turnstile>c
using hyp
proofinduct c
 case Skip show ?case by (fastforce intro: terminates.intros)
next
 case Basic show ?case by (fastforce intro: terminates.intros)
next
 case (Spec r)
 show ?case
 by (cases "\<exists>t. (s,t)\<in>r") (fastforce intro: terminates.intros
next
 case (Seq c\<^sub>1 c\<^sub>2)
 have hyp: "\<And>c' s'. \<Gamma>\<turnstile> (Seq c\<^sub>1 c\<^sub>2, Normal s"Gamma\turnstile (cs, s)\rightarrow> <ots(<>)
 show ?case
 proof (rule terminates.Seq)
 {
 fix c' s'
 \^sub>1\>>c\^> s <>(''"
 proof
 proof -
 from step_c\<^sub>1
 have "\<Gamma>\<turnstile> (Seq by simp
 by(rule stepSeq)
 from hyp [OF this]
 have "\<Gamma>\<turnstile>Seq c' c\<^sub>2 \<down> s'".
 thus "\<Gamma>\<turnstile>c'\<down> s
 by cases auto
 qed
 }
 from Seq.hyps (1) [OF this]
 show "\<Gamma>\<turnstile>c\<^sub>1 \<down> Normal s".
 next
 show "\<forall>s'. \<Gamma>\<turnstile> \<langle>c\<^sub>1,Normal s\<rangle> \<Rightarrow> s' \<longrightarrow> \<Gamma>\<turnstile>c\<^sub>2 \<down> s'"
 proof (intro allI impI)
 fix s'
 assume exec_c\<^sub> ?case
 show \<Gamma frule)
 proof (cases "final (c\<^sub>1,Normal s)ix java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
 case True
 hence "c\<^sub>1=Skip \<or> c\<^sub>1=Throw"
 by (simp add: final_def)
 thus ?thesis
 proof
 assume Skip: showFalse
 have "\<Gamma>\<turnstile>(Seq Skip c\<^sub by (auto elim: step_elim_cases)
 by (rule step.SeqSkip)
 from hyp [simplified Skip, OF this]
 have "\<Gamma>\<turnstile>c\<^sub>2 \<down> Normal s" .
 moreover from exec_c\<^sub>1 Skip
 have "s'=Normal s"
 ( elim exec_Normal_elim_casescaseAbruptc)
 ultimately show ?thesis by simp
 next
 assume Throw: "c\<^sub>1=Throw"
 with False
 by (auto elim: exec_Normal_elim_cases)
 thus ?thesis
 by auto
 qed
 next
 case False
 from exec_impl_steps [OF exec_c\<^sub>1]
 obtain c\<^sub>f t where
 steps_c\<^sub>1: "\<Gamma>\<turnstile> (c\<^sub>1, Normal s) \<rightarrow>\<^sup>* (c\<^sub>f, t)" and
 fin:"(case s' of
 Abrupt x \<Rightarrow> c\<^sub>f = Throw \<and> t = Normal x
 | _ \Rightarrow \^>f Skip<and s'"
 by(fastforcesplit .splits)
 with fin have final: "final (c\<^sub>f,t)"
 by (cases s') (auto simp add: final_def)
 <sub1c\^ub>2java.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length 32
 obtain c'' s'' where
 first:qed
 rest: "\<Gamma> from split_inf_Seq [ this Seqhyps
 by blast
 from java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 have "\<Gamma>\<turnstile> (Seq c\<^sub>1 c\<^sub>2, Normal s) \<rightarrow> (Seq c'' c\<^sub>2, s'')".
 from hyp [OF this]
 have termi_s'': "\<Gamma>\<turnstile>Seq c'' c\<^sub>2 \<down> s''".
 show ?thesis
 proof (cases s'')
 ( x)
 from termi_s'' [simplified Normal]
 have termi_c\<^sub>2: "\<forall>t. \<Gamma>\<turnstile> \<langle>c'',Normal x\<rangle> \<Rightarrow> t \<longrightarrow> \<Gamma>\<turnstile>c\<^sub>2 \<down> t"
 bycases
 show ?thesis
 proof (cases "\<exists>x'. s'=Abrupt x'")
 case False
 with fin obtain "c\<^sub>f=Skip" "t=s'"
 by (cases s') auto
 from steps_Skip_impl_exec While
 have "\<Gamma>\<turnstile> \<langle>c'',Normal x\<rangle> \<Rightarrow> show?case
 by simp
 fromtermi_c<^sub2[rule_format OF this
 show "\<Gamma>\<turnstile>c\(<exists>c.>turnstile>(allp,s\rightarrow\up cNormalt\nd> c Call}
 next
 case True
 with fin obtain x' where s': "s'=Abrupt x'" and "c\<^sub>f=Throw" "t=Normal x'"
 redexjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
steps_Throw_impl_execOFrest[ ] Normal
 have "\<Gamma>\<turnstile> \<langle>c'',Normal x\<rangle> \<Rightarrow> Abrupt x'"
 by simp
 from termi_c\<^sub>2 [rule_format,assumef_0f =(p, )
 from of] f_step java.lang.StringIndexOutOfBoundsException: Index 40 out of bounds for length 40
 qed
 next
 DynCom
 from steps_Abrupt_prop [OF rest this]
 have "t=Abrupt x"
 with fin have f
 by (cases s') auto
 thussubst_redex( b\)c c |assumef_0f = , )
 by java.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for length 19
 fastforce:Skip_no_step)
 case (Fault f)
 from steps_Fault_prop [OF rest this]
 have( dc=c|
 finhaves=
 by (cases s') auto
 thus "\<Gammafix f
 :\>.\Gamma> i\fuci)java.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
 next
 case Stuck
 from steps_Stuck_prop [OF rest this]
 have "t=Stuck" by simp
 with fin have "s'=Stuck"
 by (cases s') auto
 thus "\<Gamma>\<turnstile>c\<^sub>2 \<down> s'"
 by auto
 qed
 java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
 qed
 qed
next: subst_redexr = rjava.lang.StringIndexOutOfBoundsException: Index 60 out of bounds for length 60
 case (Cond b c\<^sub>1 c\<^sub>2)
 have hyp: "\<And>c' s'. \<Gamma>\<turnstile> (Cond b Catchc\sub>1 \^>)
 show ? ?
 proof (cases
 caseshows<amma<>redexc)rightarrowr's)\Longrightarrow <\>,<> subst_redex c's"
 then have "\<Gamma>\<turnstile> (Cond b c\<^sub>1 c\<^sub> fromsplit_inf_Catch [OF this Catch.
 by (rule step.CondTrue)
 from hyp [OF this] have "\<Gamma>\<turnstile>c\<^sub>1 \<down> Normal s".
 with True
 by (auto intro: terminates.intros)
 next
 case False
 then have "\<Gamma>\<turnstile> (Cond b c\<^sub>1 c\<^sub>2, Normal shows"\>turnstiletheorem terminates_impl_no_infinite_computation
 by (rule step.CondFalse)
 from hyp [OF this] have "\<Gamma>\<turnstile>c\<^sub>2 \<down> Normal s".
 with False show ?thesis
 by (auto intro: terminates.intros)
 qed

 case (While b c)
 have hyp: "\<And>c' s'. \<Gamma>\<turnstile> (While b c, Normal s>\sup* subst_redexc r,')
 show ?case
 proof (cases "s\<in>b")
 case True
 then have "\<Gamma>\<turnstile> (While b c, Normal s) \<rightarrow> (Seq c (While b c), Normal s)"
 by (rule step.WhileTrue)
 from hyp [OF this] have "\<Gamma>\<turnstile>(Seq c (While b c)) \<down> Normal s".
 with True show ?thesis
 by (auto elim: terminates_Normal_elim_cases intro: terminates.intros)
 next
 case False
 thus ?thesis
 by (auto intro: terminates.intros)
 qed
next
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 have hyp: "\<And>c' s'. \<Gamma>\<turnstile> (Call p, Normal by (fastforce elim Skip_no_step step_elim_cases
 show ?case
 proof (cases "\<Gamma> p")
 case None
 thusthesis
 by (auto intro: terminates.intros)
 next
 case (Some bdy)
 then have "\ assumef_step:"\Andi.\<Gamma\turnstilef i\<ightarrow> f ( i)
 by (rule step.Call)
 from hyp [OF this] have "\<Gamma>\<turnstile>bdy \<down> Normal s".
 with Some show ?thesis
 by (auto intro: terminates.intros)
 qed
next
 case (DynCom c)
 have hyp: "\<And>c' s'. \<Gamma>java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 have "\<Gamma>\<turnstile> (DynCom c, Normal s) \<rightarrow> (c s, Normal s)"
 (.DynCom
 from hyp [OF this (rule)
 then show ?case
 byauto :terminates)
next
 case (Guard f g c)
 have hyp: "\<And>c' s'. \<Gamma>\<turnstile> (Guard f g c, Normal s) \<rightarrow> (c', s') \<Longrightarrow> \<Gamma>\<turnstile>c' \<down> s'" by fact
 show ?case
 cases\in"
 case True
 then have "\<Gamma>\<turnstile> (Guard f g c, Normal s) \<rightarrow> (c, Normal s)"
 by (rule step.Guard)
 from hyp [OF this] have "\<Gamma>\<turnstile>c\<down> Normal s rule_tacx=> Suc " )
 with True show ?thesis
 by (auto intro: terminates.intros)
 next
 case False
 thus ?thesis
 by (auto intro: terminates.intros)
 qed
next
 case Throw show ?case by (auto intro: terminates.intros)
next
: =Guard s"
 have hyp: "\<And>c' s'. \<Gamma>\<turnstile> (Catch c\<^subfrom g [of0 f_0 f_step [of]
 show ?case
 proof (rule steps
 {
 fix c' s'
 assume step_c\<^sub>1: "\<Gamma>\<turnstile> (c\<^sub>1, Normal s) \<rightarrow ( c)
 have "\<Gamma>\<turnstile>c' \<down> s'"
 proof -
 from step_c\<^sub>1
 have "\<Gamma>\<turnstile> (Catch c\<^sub>1 c\<^sub>2, Normal s) \<rightarrow> (Catch c' c\<^sub>2, s')"
 by (rule step then have"<Gamma>\turnstile> subst_redex cr,s) \rightarrow (subst_redexc r',s')
 from hyp [OF this]
 have "\<Gamma>\<turnstile>Catch c' c\<^sub>2 \<down> s'".
 "\<Gamma>\<turnstile>( c\<ub1c2, Normal s)\<rightarrow <dots>(infinity)java.lang.StringIndexOutOfBoundsException: Index 104 out of bounds for length 104
 by cases auto
 qed
 }
 qed
 show "\<Gamma>\<turnstile>c\<^sub>1 \<down>java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 next
havehyp_c1<>Gammaturnstile(, \>\>\> byfact
 proof (intro allI impI)
 fix ?
 assume exec_c\<^sub>1: "\<Gamma>\<turnstile> \<langle>c\<^sub>1,Normal s\<rangle> \<Rightarrow> Abrupt s'"
 show "\<Gamma>\<turnstile>c\<^sub>2 \<down> Normal s'"
 proof (cases "final (c\<^sub>1,Normal s)")

 with exec_c :"\And> \amma><turnstile> \rightarrow f ( ijava.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
 have Throw: "c\<^sub>1=Throw"
 by (auto simp add: final_def b f_stepof]f_0
 have "\<Gamma>\<turnstile>(Catch Throw c\<^sub>2,Normal s) \<rightarrow> (c\<^sub>2,Normal s)"
 by (rule step.CatchThrow)
 from by elim step_Normal_elim_cases
 have "\<Gamma>\<turnstile>c\<^sub>2 \<down> Normal s".
 moreover from exec_c\<^sub>1 Throw
 have "s'=s"
ormal_elim_cases
 ultimately show ?thesis by simp
 next
 case False
 from exec_impl_steps [OF exec_c\<^sub>1]
 obtain c\<^sub>f t where
 steps_c<^sub>: \<><turnstile CondFalse sb c2 c1
 by (fastforce split: xstate
 from split_computation [OF steps_c\<^sub>1 False]
 obtain c'' s'' where
 first: "\<Gamma>\<turnstile> (c\<^sub>1, Normal s) \<rightarrow> (c'', s'')" and
rest"<Gamma>\<>(c' ')<>^sup* Throw Normals'')"
 (utosimp : final_def
 from step.Catch [OF first]
 have"\Gamma><> ( c\sub1 c<sub2,Normals \rightarrow> ((Catch' c\^sub2,assumef_step: \nd>.\Gamma>turnstilef\<> ((uci)"
 from hyp [OF this]
 have "\<Gamma>\<turnstile>Catch c'' c\<^sub>2 \ assume f_0: "0 ( bc1c2,Normal)"
 moreover
 from steps_Throw_impl_exec [OF rest]
 have "\<Gamma>\<turnstile> \<langle>c'',s''\<rangle> \<Rightarrow> Abrupt s'".
 moreover
 from rest obtain x where "s''=Normal x"
 by (cases s'')
 (auto dest: steps_Fault_prop steps_Abrupt_prop steps_Stuck_prop)
 ultimately thesis
 by (fastforce elim: terminates_elim_cases)
 qed
 qed
 qed
qed

lemma wf_implies_termi_reach:
assumes wf: "wf {(cfg2,cfg1). \<Gamma> \<turnstile> (c,s) \<rightarrow>\<^sup>* cfg1 \<and> \<Gamma> have b: "s<> "by fact
showsAnd .<brakk>turnstilecs <>> ; =c1)>>\Gamma>\downjava.lang.StringIndexOutOfBoundsException: Index 157 out of bounds for length 157
using wf
proofinduct,)
 fix c1 s1
 assume reach: "\<Gamma>\<turnstile> (c, s) \<rightarrow>\<^sup>* (c1, s1)"
 assume hyp_raw: "\<And>y c2 s2.
 \<lbrakk>\<Gamma>\<turnstile> (c1, s1) \<rightarrow> (c2, s2); \<Gamma>\<turnstile> (c, s) \<rightarrow>by(uto : steps_Skip_impl_exec)
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 have hyp: "\<And>c2 s2. \<Gamma>\<turnstile> (c1, s1) \<rightarrow> (c2, s2) \<Longrightarrow> \<Gamma>\<turnstile>c2 \<down> s2"
 apply -
 apply (rule hyp_raw)
 apply assumption
 usingnext
 apply simp
 apply (rule refl)
 done

 show "\<Gamma>\<turnstile>c1 \<down> s1"
 proof (cases s1)
 case (Normal s1')
 with wf_implies_termi_reach_step_case [OF hyp [simplified Normal]]
 show?
 by auto
 edauto:.)
qed

theorem no_infinite_computation_impl_terminates:
 assumes not_inf: "\<not> \<Gamma>\<turnstile> (c, s) \<rightarrow> \<dots>(\<infinity>)"
 shows "\<Gamma>\<turnstile>c\<down>s"
proof -
 from no_infinite_computation_implies_wf [OF not_inf]
 have wf: "wf {(c2, c1). \<Gamma>\<turnstile>(c, s) \<rightarrow>\<^sup>* c1 \<and> \<Gamma>\<turnstile>c1 \<rightarrow> c2}".
 show ?thesis
 by (rule wf_implies_termi_reach [OF wf]) auto
qed

corollary terminates_iff_no_infinite_computation:
 "\<Gamma>\<turnstile>c\<down>s = (\<not> \<Gamma>\<turnstile> (c, s) \<rightarrow> \<dots>(\<infinity>))"
 apply (rule)
 apply (erule terminates_impl_no_infinite_computation)
 apply (erule no_infinite_computation_impl_terminates)
 done

(* ************************************************************************* *)
subsection \<open>Generalised Redexes\<close>
( *********************** hyp \ot <mma<> bdy s) ightarrow \ots(\>" fact

text \<open>
For an important lemma for the completeness proof of the Hoare-logic for
total correctness we need a generalisation of @{const "redex"} that not only
yield the redex itself but all the enclosing statements as well.
\<close>

primrec redexes:: "('s,'p,'f)com \<Rightarrow> ('s,'p,'f)com set"
where
"redexes Skip = {Skip}" |
"redexes (Basic f) = {Basic f}" |
"redexes (Spec r) = {Spec r}" |
(Seq c\^sub> \^ub>2 Seqc<^> c\^sub2}\union redexes"foralli.(a, )\<n> r^sup*\<> (f ifuc i) <in> r
"redexes (Cond b c\<^sub>1 c\<^sub>2) = {Cond b c\<^sub>1 c\<^sub>2}" |

"redexes (Call p) = {Call p}" |
{ } |
"redexes (Guard f b c) = {Guard f b c}" |
"redexes (Throw) = {Throw}" |
"redexes (Catch c\<^sub>1 c\<^sub by simp

lemma root_in_redexes: "c \<in> redexes c"
 apply (induct c)
 apply auto
 done

lemma redex_in_redexes: "redex c \<in> redexes c"
 apply (induct c)
 apply auto
 done

lemma redex_redexes: "\<And>c'. \<lbrakk>c' \<in> redexes c; redex c' = c'\<rbrakk> \<Longrightarrow> redex c = c'"
 apply (induct c)
 apply auto
 done

lemma step_redexes:
 shows "\<And>r r'. \<lbrakk>\<Gamma>\<turnstile>(r,s) \<rightarrow> (r',s'); r \<in> redexes c\<rbrakk>
 \<Longrightarrow> \<exists>c'. \<Gamma>\<turnstile>(c,s) \<rightarrow> (c',s') \<and> r' \<in> redexes c'"
proof (induct c)
 case Skip thus ?case by (fastforce intro: step.intros elim: step_elim_cases)
next
 case Basic thus ?case by (fastforce intro: step.intros elim: step_elim_cases)
next
 case Spec thus ?case by (fastforce intro: step
next
 case (Seq c\<^sub>1 c\<^sub>2)
 " <in> redexes ((Seq c\^subsub1 \<>2" fact
 hence r: "r = Seq c\<^sub>1 c\<^sub>2 \<or> r \<in> redexes c\<^sub>1"
 by simp
 havestep_r: "<Gamma>turnstile> (r s) <> (r' ')by fact
 from r show ?case
 proof
 assume "r = Seq c\<^sub>1 c\<^
 with step_r
 show ?case
 by (auto simp add: root_in_redexes)
 next
 assume r: "r \<in> redexes c\<^sub>1"
 from Seq.hypsby(utosimp : inf_def
 obtain c' where
 step_c\<^sub>1: "\<Gamma>\<turnstile> (c\<^sub>1, s) \<rightarrow> (c', s')" and
 r:"' \<in> '
 by blast
 from step.Seq [OF step_c\<^sub>1]
 have "\<Gamma>\<turnstile> (Seq c\<^sub>1 c\<^sub>2, s) \<rightarrow> (Seq c' c\<^sub>2, s')".
 with r'
 show ?case
 by auto
 qed
next
 case Cond
 thus ?case
 by (fastforce intro: step.intros elim
next
 case While
 thus ?case
 by (fastforce intro: step.intros elim: step_elim_cases simp add: root_in_redexes)
next
casethus
 by (fastforce intro: step.intros elim: step_elim_cases simp add: root_in_redexes)
next
 caseThrow s)thuscase
 by (fastforce intro: step.intros havehyp:"<> \\<Gamma\<> (, Normal s \rightarrow> <dots>(<infinity>)"by
next
 case Guard thus ?case
 f_step \<And.<>\>f \rightarrow (Suc)
next
thuscase
 ( introstep.intros elim simp: root_in_redexes
next
 case (Catch c\<^sub>1 c\<^sub>2)
 have "r \<in> redexes (Catch c\<^sub>1 c\<^sub>2)" by fact
 hencer r Catch<n> redexessubjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 by simp
 have step_r: "\<Gamma>\<turnstile> (r, s) \<rightarrow> (r', s')" by fact
 from r show ?case
 proof
 Catch\>s\^sub)
 with step_r
?ase
 by(auto simp add: root_in_redexes)
next
 assume r: "r \<in> redexes c\<^sub>1"
sjava.lang.StringIndexOutOfBoundsException: Index 40 out of bounds for length 40
 obtain c' where
step_c<sub1 \Gamma<turnstile (utointro steps_Throw_impl_exec)
 r': "r' \<in> redexes c'"
 by blast
 from step.Catch [OF step_c\<^sub>1]
 have "<>\turnstile>Catch c\<^>1c\<>,s)java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 with r'
 show ?case
 > ((a <> (). Px\> }\sup=(b,)\in>{(x. x <>r<>\^>+x y)java.lang.StringIndexOutOfBoundsException: Index 127 out of bounds for length 127
 qed
qed

lemma steps_redexes:
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 shows "\<And>c. r \<in> redexes c \<Longrightarrow> \<exists>c'. \<Gamma>\<turnstile>(c,s) \<rightarrow>\< subst_redex:: (s''f)om \Rightarrow (s',com\Rightarrow> 's'pfcom""
using steps
proof inductrule converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl
 then
 show "\<exists>c'. \<Gamma>\<turnstile> (c, s') \<rightarrow>\<^sup>* (c', s') \<and> r' \<in> redexes c'"
 by auto
next
 case (Trans r s r'' s'')
 have "\<Gamma>\<turnstile> (r, s) \<rightarrow> (r'', s'')" "r \<in> redexes c" by fact+
 from step_redexes [OF this]
 obtain c' where
 step: "\<Gamma>\<turnstile>Catch<> \^>) Catch (subst_redex c)\sub2java.lang.StringIndexOutOfBoundsException: Index 87 out of bounds for length 87
 r'': "r'' \<in> redexes c'"
 by blast
 note step
 also
from. 3[OF r'java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
 obtain c'' where
 steps: "\
 r': "r' \<in> redexes c''"
 by blast
 note steps
 finally
 show ?case by(rule renumber[to_pred)
 using r'
 by blast
qed

lemma steps_redexes':
 assumes steps: "\<Gamma>\<turnstile> (r, s) \<rightarrow>\<^sup>+ (r', s')" by(cases ""\<Gamma> p") fastforceintro stepintros)+
 shows "\<And>c. r \<in> redexes c \<Longrightarrow> \<exists>c'. \<Gamma>\<turnstile>java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
using stepsby(simp:inf_def
proof (induct rule: tranclp_induct2 [consumes 1, case_names Step Trans])
 case (Step r' s' c')
 have "\<Gamma>\<turnstile> (r, s) \<rightarrow> (r', s')" "r \<in> redexes c'" by fact+
 from step_redexes [OF this bysimp
 show ?case
 by (blast intro: r_into_trancl)
next
 case (Trans r' s' r'' s'')
 from Trans obtain c' where
 steps: step_c^sub1"<><>(c<sub1,Normals <ightarrow>(' '"
 r': "r' \<in> redexes c'"
 by blast
 note steps
 moreover
s'< ('' '') fact
from OF r']obtain 'where
 step: "\<Gamma>\<turnstile> (c', s') \<rightarrow> ( hyp [OF this]
 r'': "r'' \<in> redexes c''"
 by blast
 note step
 showcase

qed

lemma step_redexes_Seq:
assumesstep\Gammaturnstile,s <>(r,)"
 assumes Seqshow\forall.\Gamma<>\langle\ inductconverse_rtranclp_induct2case_names Refl])
 shows "\<exists>c'. \< Refljava.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
proof -
 from step.Seq [OF step]
 have "\<Gamma>\<turnstile> (Seq r c\<^sub>2, s) \<rightarrow> (Seq r' c\<^sub>2, s')".
 from step_redexes [OF this Seq]
 show ?thesis .
qed

lemma steps_redexes_Seq:
 assumes steps: "\<Gamma>\<turnstile> (r, s) \<rightarrow>\<^sup>* (r', s')"
 shows "\<And>c. Seq r c\<^sub>2 \<in> redexes c \<Longrightarrow>
 <>'\Gamma><>cs)<rightarrow\^> c,s' <> Seq c2 \down Normal s" java.lang.StringIndexOutOfBoundsException: Index 65 out of bounds for length 65
 then show ?casebyhave"s'Normals"
 by auto: )

next
 case (Trans r s r'' s'')
 have "\<Gamma>\ exec_c\<^sub>1 have "'Abrupt s"
 from step_redexes_Seq [OF this]
 obtain c' where
 step: "\< proof(ruleterminates.Seq)
obtainsubt where
 by blast
 note step
 also
 from Trans.hyps (3) [OF r'']
 obtain c'' where
 steps: "\<Gamma>\<turnstile> (c', s'') \<rightarrow>\<^sup>* (c'', s')" and
 ' "Seq r c\^sub>2 nstile> ( c\sub \sub,Normal s \<rightarrow ((java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 by blast
 note steps
 finally
 showshow ?
 using blast
 by blast
qed

lemma steps_redexes_Seq':
 havetermi_s'"Gamma\<turnstilejava.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for length 25
shows\c \^ub2\inredexes
 <Longrightarrow\<>c'. \Gamma\<turnstile>(cs)\<ightarrow\^sup>+ c,s) \> Seq r c\<>2 \in>redexes '
using steps
proof (induct rule: tranclp_induct2 [consumes 1, case_names Step Trans])
 ( r' s c'
 have "\<Gamma>\<turnstile> (r, s) \<rightarrow> (r', s')" "Seq r c\<^sub>2 \<in> redexes c'" by fact+
 from step_redexes_Seq [OF this]
 showcase
 by (blast intro: r_into_trancl)
next
java.lang.StringIndexOutOfBoundsException: Range [37, 28) out of bounds for length 28
from obtain where
 steps: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 r': "Seq r' cjava.lang.NullPointerException
 by blast nextfrom[lified]
 note steps
 moreover
 have "Γ1 Skip
 from step_redexes_Seq [OF this r'] obtain c'' where
 step: "Γ<Gamma<>⟨
 r'': "Seq r'' c₂ ∈
 by
 note how "<amma<turnstile>c₁ have"s'=Abrupt s"
 finally show ?case
 using r'' by blast
qed

lemma step_redexes_Catcht_props
 assumes: "\Gammaturnstile>>(rs) → (r',s')"
 assumes CatchCatchsub ∈ redexes c"
 shows "∃c'. Γ>(c,s) → <and r' credexes
proof -
 from step "<>⊨ s'"
 have "Γ⊨ (Catch r c_| ct = s')"
 from step_redexes [OF this Catch]
 show ?thesis .
qed

lemmaredexes_Catch
 assumes steps: "Γ
 shows "∧ 🚫
 ∃c'. Γ⊨(c,s) → <teps_Stuck_prop
using steps
proof (induct rule "Γcs'"
 case Refl
 then show ?case
 by (auto)

next
 case (Trans r s r'' s' (Normal
 have "Γ⊨ (r, s) →
 from step_redexes_Catch [OF this]
 obtain c' where
 step: "Γ⊨ (c, s) → (c', s'')" and
 r'': "Catch r'' cjava.lang.NullPointerException
 by blast
 note step
 also
 from Trans.hyps (3) [OF r'']
 obtain c'' where
 steps: "Γcases') auto
 r': "Catchc\^>2 <n redexes '"
 byblat
 note steps
 finally
 show ?case
 using r'
 by blast
qed

lemma steps_redexes_Catch':
 assumeseps"Γ (r, s) →<sup+ (r, ss'"
 shows "∧c. Catch r c₂ ∈ redexeswith ere sbruptt and "cf=Throw" tormal
 ==> ∃
using steps
proof (induct rule: tranclp_induct2 [consumes 1, case_names Step Trans])
 case (Step r' s' c')
 have "Γ⊨
 from step_redexes_Catch [OF this]
 show ?case
 by (blast intro: r_into_trancl)
next
 case (Trans r' s' r'' s'')
 from Trans obtain c' where
 steps: "Γc
 r': "Catch r' c₂ ∈
 by blast
 note steps
 moreover
 have "java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 from step_redexes_Catch [OF this r'] obtain c'' where
 step: "Γ
 r'': "Catch r'' c₂ ∈ redexes c''"

 note step
 finally show ?case
 using r'' by blast
qed

lemma redexes_subset:"∧c'. c' ∈
 by (induct cauto

lemma redexes_preserves_termination:
 assumes termi: "Γ⊨\qed
java.lang.NullPointerException
java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 11

end

Messung V0.5 in Prozent

¤ Dauer der Verarbeitung: 0.158 Sekunden ¤

Wurzel

Suchen

Beweissystem der NASA

Beweissystem Isabelle

NIST Cobol Testsuite

Cephes Mathematical Library

Wiener Entwicklungsmethode

Haftungshinweis

Die Informationen auf dieser Webseite wurden nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit, noch Qualität der bereit gestellten Informationen zugesichert.

Bemerkung:

Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.