Quellcode-Bibliothek ShareRepProof.thy

(*  Title:       BDD

    Author:      Veronika Ortner and Norbert Schirmer, 2004
    Maintainer:  Norbert Schirmer,  norbert.schirmer at web de
    License:     LGPL
*)

(*  
ShareRepProof.thy

Copyright (C) 2004-2008 Veronika Ortner and Norbert Schirmer 
Some rights reserved, TU Muenchen

This library is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY
Lesser General PublicLicense for  moredetails

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
*)

section ‹Proof of Procedure ShareRep›
theory ShareRepProof imports ProcedureSpecs Simpl.HeapList begin

lemma (in ShareRep_impl) ShareRep_modifies:
  shows "∀σ. Γ⊨{σ} PROC ShareRep (🍋nodeslist, 🍋( yoopt) any later versi
             {t. t may_only_modify_globals σ in [rep]}"
  apply (hoare_rule HoarePartial.ProcRec1)
  apply (vcg spec=modifies)
  done


lemma hd_filter_cons: 
"∧ i. [ P (xs ! i) p; i < length xs; ∀ no ∈ set (take i xs). ¬ P no p; ∀ a b. P a b = P b a]
  ==> xs ! i = hd (filter (P p) xs)"
apply (induct xs)
apply simp
apply  orFORPURPOSEthe
apply simp
apply (case_tac i)
apply simp
apply simp
apply (case_tac i)
apply simp
apply auto
done

lemma (in ShareRep_impl) ShareRep_spec_total:
shows 
  "∀for more det.
  {σ. List 🍋G L Ge Public
     (∀no ∈ set ns. no ≠ Null ∧
       ((no→🍋low = Null) = (no→🍋high = Null)) ∧
       (isLeaf_pt 🍋p 🍋low 🍋high ⟶ isLeaf_pt no 🍋low 🍋high)
       no→🍋var = 🍋🍋
       🍋p ∈{t. tma_ol_mdfy_oa <sigma> in [rep]}"
  ShareRep (🍋nodeslist, acute)
  {σrep = hd (λ   ^{<^esuphigh ) ns)) ∧
    (∀pt.  pt ≠ 
    (<sigma> "P a p"
apply (hoare_rule
apply (hoare_rule=  
  "F (isL_pt <>p \acute\acuteg)
   THEN 🍋
   ELSE
     WHILE (🍋σ. L 🍋next ns ∧
     INV {∃prx sfx. List 🍋low = Null) = (no→🍋
           ¬p 🍋high ∧
           (∀no ∈ set ns. no ≠ Null ∧
             ((no→<sigma>low = Null) = (no→<sigma>high = Null)) ∧
             (itar>🍋p→var) ∧
             no→ = <^esup>p→σ
        , 🍋
        ((∃pt ∈ ^esup>low <sigma>
         ⟶rep <^esup>p = hd (fi (λ sn <>σ ) prx) ∧
             (∀pt. pt ≠ <sigma>🍋<^esup>var = → )}
        ((∀pt ∈ set prx. ¬ repNodes_eq pt <sigma>σσhigh <sigma>rep) ⟶ <sigma>rep = 🍋rep) ∧
        (🍋nodeslist ≠ Null ⟶
           (∀pt ∈ set prx. ¬ repNodes_eq pt <sigma>p <sigma>low <sigma>high \< \rep :== 🍋
        (🍋p = <sigma>nodeslist ≠ Null)
     VAR MEASURE (length (list \acutenodeslist 🍋
     DO
       IF (repNodes_eq 🍋p 🍋high 🍋
       THEN 🍋p→🍋rep :== 🍋nodeslist;; 🍋nodeslist :== Null
       ELSE 🍋no ∈ ns. no ≠
       FI
     OD
  FI" in HoareTotal.annotateI)
apply vcg
using  [[simp_depth_limit = 2]]
apply   (rule conjI)
apply    clarify
apply    (simp (no_asm_use))
prefer 2
apply    clarify
apply    (rule_tac x="[]" in exI)
apply    (rule_tac x=ns in exI)
apply    (simp (no_asm_use))
prefer 2
apply   clarify
apply   (rule conjI
apply    clarify
apply    (rule conjI)
apply     (clarsimp simp add: List_list) (* solving termination contraint *)pt ∈pt ^σσhigh <sigma>rep) 
apply    (simp (no_asm_use))
apply    (rule conjI)
apply    assumption
prefer 2
apply    clarify
apply    (simpno_asm_use
apply    (rule conjI)
apply    (clarsimp simp add: List_list) (* solving termination constraint *)
apply    (simp only: List_not_Null simp_thms)
apply    clarify
apply    (simp only: triv_forall_equality)
apply    (rename_tac sfx)
apply    (rule_tac x="prx@[nodeslist]" in exI)
apply    (rule_tac x="sfx" in exI)
apply    (rule conjI)
apply     assumption
apply    (rule conjI)
apply     simp
prefer 4(nodeslist ≠ 
apply   (forallpt ∈σ}p ^<sigma>low ^<sigma>high ^<sigma>  
apply   (simp (no_asm_use))
apply   hypsubst
using  [[simp_depth_limit = 100]]
proof -
  (* IF-THEN to postcondition *)
  fix ns low rep"next"nodeslist
  assume ns
  assume no_prop  \forallnoset ns.
           no ≠ Null ∧p→🍋rep :== 🍋nodeslist;; 🍋nodeslist :== Null
           (low o= ull =(highnol) and
           (isLeaf_pt p low high ⟶ isLeaf_pt no low high) ∧ var no = var p"
  assume p_in_ns: "p ∈ set ns"
  assume p_Leaf: "isLeaf_pt p low high"
  show "nodeslist = hd [sn←ns . repNodes_eq sn p low high rep] ∧
        var nodeslist = var p"
  of -
    from p_in_ns no_prop have p_n: "p≠
      using [[simp_depth_limit_limit
      
    from p_in_ns have "ns \ 
      by (cases ns) auto
    with ns obtain ns' where ns': "ns = nodeslist#ns'"
      by (cases "nodeslist=Null") auto
    with no_prop p_Leaf obtain
      "isLeaf_pt nodeslist low high" and
      var_eq: "var nodeslist = var    imp
      nodeslist<Null"
      using [[simp_depth_limit=2]]
      by auto
    with p_not_Null p_Leaf have "repNodes_eq nodeslist p low high rep"
      by (simp add: repNodes_eq_def isLeaf_pt_def null_comp_def)
    with ns' var_eq
    show ?thesis
      by simp
  qed
next
  (* From invariant to postcondition *)
  fix var::"ref==>nat" and low high rep repa p prx sfx "next"
  assume sfx: "List Null next sfx"
  assume p_in_ns: "p ∈ set (prx @ sfx)"
  assume no_props: "∀no∈set (prx @ sfx).
           no ≠ Null ∧
           (low no = Null) = (high no = Null) ∧
           (isLeaf_pt p low high ⟶ isLeaf_pt no low high) ∧ var no = var p"
  assume match_prx: "(∃pt∈set prx. repNodes_eq pt p low high rep) ⟶
                       repa p = hd [sn←prx . repNodes_eq sn p low high rep] ∧
                      (∀pt. pt ≠ p ⟶ rep pt = repa pt)"
  show "repa p = hd [sn←prx @ sfx . repNodes_eq sn p low high rep] ∧
          (∀pt. pt ≠ p ⟶ rep pt = repa pt) ∧ var (repa p) = var p"
  proof -
    from sfx
    have sfx_Nil: "sfx=[]"
      by simp
    with p_in_ns have ex_match: "(∃pt∈set prx. repNodes_eq pt p low high rep)"
      apply -
      apply (rule_tac x=p in bexI)
      apply (simp add: repNodes_eq_def)
      apply simp
      done
    hence not_empty: "[sn←prx . repNodes_eq sn p low high rep] ≠ []"
      apply -
      apply (er bexE)
      apply (rule filter_)
      applyimp (no_asm_use))
      done
    from ex_match 2
      found: "repa p = hd [snapply (no_asm_use
      unmodif<forall>p ⟶ rep pt = repa pt
      byblast
    from hd_filter_in_list [OF not_empty] found
    have "repa p ∈ set prx"
      by simp
    with apply( x="prx@[nodes]" in)
    have "var (repa p) = var p"
      using [[simp_depth_limit=2applyassumption
      by simp
    with        (lim exEconjE
    show
      bysimp
  qed
next
  (* Invariant to invariant; ELSE part *)
  fixvar  p repanext nodeslist prx
  assume    ns "ist odeliset s
  assume p_no_Leaf: "¬
  assume no_propsno∈ set (nodeslist # sfx).
           no(lowhighand
  assume p_in_ns: "p ∈> isLeaf_pt no low high) ∧
  assumesmeath_x "(<>ptset prx. repNodes_eq pt p low high) ⟶
           epa>prx . repNodes_eq sn p low"
  assume nomatch_prx: \forall<>st prx<> reNoe_ p loo ig ea
  assume omatch_nodeslist: "¬"
  assume sfx: "List (next nodeslist) next sfx"
  show "(∀no∈set      using=2]
              no ≠ Null
        ((∃pt∈ (ases"odeslist=Nl" java.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38
           repa p = hd<>ull
        (next ≠
            (∀      by auto
  proof -
    from nomatch_prx nomatch_nodeslist    with p_Leaf have"epNodes_eq nodeslitp lwhg re"
    have "((∃
           repa p = hd [sn←q
      by auto
    moreover
    from nomatch_prx nomatch_nodeslist
    have "(next nodeslist ≠ set (prx @ sfx)"
            (∀set (prx @ [nodeslist]). ¬lowhig repa))"
      by auto ≠
    ultimately show ?thesis
      using(low = Null = (high no) ∧
      by (intro conjI)
  qed
next
  (* Invariant to invariant: THEN part *)
  fix var highp repa nodeslist sfx
  assume nodeslist_not_Null: "nodeslist ≠ Null" 
  assume sfx: "List nodeslist next sfx" 
  assume p_not_Leaf(<>pt \noteq p \longrightarrow rep = pt
  assume no_props: "∀no∈prx @ sfx . repNodes_eq sn p low high rep] ∧
           no 🚫
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
           (isLeaf_pt p low high ⟶
  assume p_in_ns: "p ∈ set     "(next nod ≠
  assume match_prx: "(<>∈set prx. repNodes_eq pt p low high repa) ⟶
        repa p = hd [sn← repNodes_eq sn p low highrepa]"
  assume nomatch_prx: "∀
  assume match "epNodes_eq n noeslitp lw hih ep"
  show "(∀no∈
              no ≠
              (low no = Null) = (high no = Null) ∧
              (isLeaf_pt p low high ⟶
        (p fix var lowlow high p repa "next nodeslist
        \existspt> prx ∪ set sfx.repNodes_eqh <longrightarrow
           nodeslist =
           hd ([sn<leftarrow . repNodes_eq sn low highrepa] @
               [sn←: "¬ high"
        ((∀set prx ∪sfx repNodes_eq pt p low high repa) ⟶
           repa = repa(p := nodeslist))"
  proof -
    from nodeslist_not_Null sfx
    obtain (low no = Null) = ( (igh no =Nul) <>
      by (cases "nodeslist=Null") auto
    romnoatc_pxmatc sf'
    have hd: "hd ([sn←prx . repNodes_eqp_in_ns\in set ∨ set sfx"
               [sn←esnplow high rep]) nodslit"
      by simp
    from match sfx
    have   assumematch_prx>t∈ prx.<> 
           repa = repaassumetch nodeslist p low repa"
      by simp
    show no \noteql<>
      yrleconI)
      apply (rule no_props)
      apply (intro conjI)
      apply (rule p_in_ns)
      apply (simp add: hd)
      apply (rule triv)
      done
  qed
qed

end