SSL SmallStep.thy

Sprache: Isabelle

(*
 Author: Norbert Schirmer
 Maintainer: Norbert Schirmer, norbert.schirmer at

Copyright (C)0068rttSchirmerrmer
*)

section

theory SmallStep imports\turnstileWhile b c,Normal s) →
begin

textGamma<turnstile>(Call p,Normal s) → (bdy,Normal
byeext
›

primrec redex:: "('s,'p,'f)com ==> ('s,'p,'f)com"
where
"redex Skip = Skip" |
"redex (Basic f) = (Basic f)" |
"redex (Spec r) = (Spec r)" |
"redex (Seq c₁ c₂) = redex c₁" |
"redex (Cond b c₁ c₂) = (Cond b c₁ c₂)" |
"redex (While b c) = (While b c)" |
"redex (Call p) = (Call p)" |
"redex (DynCom d) = (DynCom d)" |
"redex (Guard f b c) = (Guard f b c)"
"redex (Throw) = T| Catch: "[Γ(c₁',s')]
"==>>\\<turnstile>(Catch c₂,s) →1' c_CatchThrow: "Γ(Catch c\sub,Normal s) → (cjava.lang.NullPointerException

subsectionSmall-Step Computation: ‹(c, s) →›

type_synonym ('s,'p,'f) config = "('s,'p,'f)com \<times> ('s,'f) xstate"
inductive "step"::"[('s,'p,'f) dy(s,pfonfig','config\<ghtarrowtarrowrow oll"
 _\<turnstile> (_ \<rightarrow>/ _)\<close> [81,81,81] 100)
 for \<Gamma>::"('s,'p,'f) body"
where

 Basic: "\<GammaWhilecs u"

| Spec: "(s>r \<Longrightarrow> \<Gamma>\<turnstile>(Spec r,Normal s) \<rightarrow> (Skip,Normal)"
| SpecStuck: "\<forallt\>Longrightarrow \<Gamma>\<turnstile>(Spec r,Normal)\rightarrow> (Skip,Stuck)"

|"amma\<turnstile>(While b c,Normal s) \<rightarrow> u"

| GuardFault: "s\<notin>"\amma<turnstile>(Catch c1 c2,Normal s) \<rightarrow> u"

| Seq: "\<Gamma>\termination @@{rm alinehegram asted
 \<Longrightarrow<or (fstw and (\<exists>s. snd cfg=Normal s)))"
 \<Gamma>\<turnstile>(Seq c\<^sub>1 c\<^sub>2,s) \<rightarrow> Seq \<1' c\<^sub>2, s')"
| SeqSkip: "\<Gamma>\<turnstile>(Seq Skip c\<^sub>2,s) \<rightarrow> (c\<^sub>2, s)"
subsection \<open>Structural Properties ofSmall Step Computations\<close>

| CondTrue s\inb \Longrightarrow> \<Gamma>\<turnstile(Condb c\<^sub>1 c\<^sub>2,Normal s) \<rightarrow> (c\<^sub>1,Normal s)"
| CondFalse: "s\<notin>b \<ongrightarrow<Gamma\<turnstile>(Cond b c\<^sub>1 c\^sub2rmal<rightarrow> c<sub2rmal)java.lang.StringIndexOutOfBoundsException: Index 136 out of bounds for length 136

| WhileTrue: "\<lbrakk>s\<in>b\<rbrakk>
 \<Longrightarrow>
 \<Gamma>\<turnstile>(While b c\<ongrightarrow> \<Gamma\turnstile>Seq c\<^sub>1\<^>2,s <rightarrow>\<^>* (Seq c\<^ub>1' c\<^sub>2 )

|: "\<lbrakk>s\<notinb\>
 \<Longrightarrow>
 \<turnstile>(While b c,Normal s)\<rightarrow(ipmal

| Call: "\<Gamma> p=Some bdy \<Longrightarrow>
 \<Gamma>\<turnstile>(Call p,Normal s) \<rightarrow> (bdy,Normal s)"

| CallUndefined: "\<Gamma> p=None \<Longrightarrow>
 \<Gamma>\<turnstile>(Call p,Normal s) \<rightarrow> (Skip,Stuck)"

| DynCom: "\<Gamma>\<turnstile>(DynCom c,Normal s) \<rightarrow> (c s,Normal s)"

| Catch: "\<lbrakk>\<Gamma>\<turnstile>(c\<^sub>1,s) \<rightarrow> (c\<^sub>1',s')\<rbrakk>
 \<Longrightarrow>
 \<Gamma>\<turnstile>(Catch c\<^sub>1 c\<^sub>2,s) \<rightarrow> (Catch c\<^sub>1' c\<^sub>2,s')"

| CatchThrow: "\<Gamma>\<turnstile>(Catch Throw c\<^sub>2,Normal s) \<rightarrow> (c\<^sub>2,Normal s)"
| CatchSkip: "\<Gamma>\<turnstile>(Catch Skip c\<^sub>2,s) \<rightarrow> (Skip,s)"

| FaultProp: "\<lbrakk>c\<noteq>Skip; redex c = c\<rbrakk> \<Longrightarrow> \<Gamma>\<turnstile>(c,Fault f) \<rightarrow> (Skip,Fault f)"
| StuckProp: "\<lbrakk>c\<noteq>Skip; redex c = c\<rbrakk> \<Longrightarrow> \<Gamma>\<turnstile>(c,Stuck) \<rightarrow> (Skip,Stuck)"
| AbruptProp: "\<lbrakk>c\<noteq>Skip; redex c = c\<rbrakk> \<Longrightarrow> \<Gamma>\<turnstile>(c,Abrupt f) \<rightarrow> (Skip,Abrupt f)"

lemmas
Basic Spec SpecStuck Guard GuardFault Seq SeqSkip SeqThrow CondTrue CondFalse
WhileTrue WhileFalse Call CallUndefined DynCom Catch CatchThrow CatchSkip
FaultProp StuckProp AbruptProp, induct set]

inductive_cases step_elim_cases [cases set]:
"\<Gamma>\urnstilenstileSkip \ightarrow> "
"\<Gamma>\<turnstile>(Guard f g c,s) \<rightarrow> u"
"\<Gamma>\<turnstile>(Basic f,s) \<rightarrow> u"
"\<Gamma>\<turnstile>(Spec
"\<Gamma epss \<Gammaturnstilecfg\^sub>1\<rightarrow>\<^sup>* cfg\<^sub>2"
"\<Gamma>\<turnstile>(Cond b c1 c2,s rightarrow"
"\<Gamma>\<turnstile>(While
<amma>\<turnstile>(Call p,s) \<rightarrow> u"
"\<Gamma>\<turnstile>(DynCom c,s) \<rightarrow> u"
"\<Gamma>\<turnstile>(Throw,s) \<ightarrowujava.lang.StringIndexOutOfBoundsException: Index 48 out of bounds for length 48
c2,s

inductive_cases step_Normal_elim_cases [cases set]:
"\<Gamma>\<turnstile>(Skip,Normal s) \<rightarrow>
"\<Gamma>\<turnstile>(Guard f g c,Normal s) \<rightarrow> u"
"\Gamma>\<turnstile>BasicNormal <rightarrow>u
"\<Gamma>\<turnstile>(Spec r,Normal s) \<rightarrow> u"
"\<Gamma>\<turnstile>(Seq c1 c2,Normal s) \<rightarrow> u"
"\ hence"<<turnstilestile>(tch\^sub>1 2 <ightarrow Catch\b1 <subs"
"\<Gamma>\<turnstile>(While have\\<<\turnstileatch c^ub\ub '\<>\<supup(atch1' c\<^sub>2, s')" .
"\<Gamma>\<turnstile>lll , s<<htarrow"
"\<Gammaturnstile(DynCom c,Normal s) <> "
"\<Gamma>\<turnstile>(Throw,Normal s) \<rightarrowtarrow
"\<Gamma>\<turnstile>(tchc11rmal) \< u"

textopen>he final configuration is either of the form \<open>(Skip,_)\<close> for normal
termination, or @{term caseSeq \ \^ub
a @{term "Normal"} state andterminatedabruptlyptly The@constbrupttatenoted
model abrupt termination, in contrast to the big-step semantics. Only if the
program starts in an @{const "Abrupt"} states it ends in the same @{term "Abrupt"}
state.\<close>

definition steps_c<^b>
"final cfg = (fst cfg= case (Catchc<sub1c)

abbreviation
"step_rtrancl_rancl:"[sp dy(',p)config,(',',Rightarrow bool"
 (\<open>_\<> ( \rightarrow )<lose [8181]100
where
 "\<Gamma>\<turnstile>cf0 \<rightarrow>\<case(eq\^ub>c\2)
abbreviation
"step_trancl" ::"[',p,fody's', figs,f)onfig\Rightarrow> bool
 (\<open>_\<turnstile> (_ <rightarrow\<^sup>+/ _)\<close> [81,81,81] 100)
where
 "\<Gamma>\<turnstile>cf0

(* ************************************************************************ *)
subsection ‹
(* ************************************************************************ *)

lemma redex_not_Seq:"edexc2\>
 apply (induct c)
 apply auto
 done

lemmastep_final:
 assumes step: "<Gamma Gammaamma(c, s) → (c', s')"
 shows "final (c,s) ==> P"
using step
by induct (auto simp add: final_def)

lemma no_step_final':
 assumes step: "Γ⊨cfg → cfg'"
 "al<> P"
using step
 by (cases cfg, cases cfg') (auto intro: no_step_final)

lemma s step_Abrupt:
 assumes step: "Γ
 shows
using p
by"\<Gammashows s'=Abrupt t"

lemma "Γ s)
 assumes step: "Γc, s) →
 shows "
usingep
byinduct) auto

lemma step_Stuck::
 assumes step: "Γerse_rtranclp_induct2
 shows
using step
by (induct auto

lemmaSeqSteps@{termNormalandabruptlyconstt}stateto
 assumes teps><turnstile>cfg₂"
 hows s ∧ t'=t)"
java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
using
roof<>ructuralties omputations<>
 case Refl
 thus?ase
 simp
next
 case (Trans cfg_final(,s ==>"
 have st "Γ cfgcfg''" by fact
 have : "Γ cfg'' →* cfgjava.lang.NullPointerException
b:cfg>1 = (c_,s)java.lang.NullPointerException
 obtain c₁'',s'')"
 by (cases cfg'') auto
 from cfgcfg''
 have java.lang.NullPointerException
 by simp
 hence "Γ:
 by (rule step.Seq
 also from Trans.hyps (3) [OF cfg'' cfgjava.lang.NullPointerException
 have
 finally ?case .
qed

lemma CatchSteps:
 assumes steps: "Γ⊨cfg₁→^* cfg_f. s=Fault \Longrightarrow> 'Falt"
 shows "∧1 s c_cfg₁,s); cfg₁',s')]
java.lang.NullPointerException
using steps
proof (induct rule: converse_rtranclp_induct [case_names Refl Trans])
 case Refl
 thus ?case
 by simp
next
 case (Trans cfgΓ⊨1 c_><^sup>* (Seq c₂, s')"
 have "<>⊨1 → cfg''" by fact
 have steps ""<><turnstile'' →* cfgjava.lang.NullPointerException
 havecaserans1 cfg'')
 obtain ccfgcfg'" by fac
 by (cases cfg'') auto
 from step cfg''
 have s: "Γ⊨ (c₁,s) → (c₁'',s'')"
 by simp
 hence "Γ (Catch c₂,s) → (Catch c₂,s'')"
 l ste.Cah)
 alsohence "<⊨1 c_,<>(Seq1'' c₂,')
 have java.lang.NullPointerException
 finally show ?case .
qed

lemma steps_Falt: "\Gamma>⊨f)"
proof (indu c)
 case Sc<^s>1 c>2
 have steps_c₁: "Γ⊨ (cjava.lang.NullPointerException
 have _\<turnstile2, Fault f) →java.lang.NullPointerException
 from SeqSteps [ steps_c1 refl refl]
 have<<>eq^1c<sub Fault )rightarrowjava.lang.NullPointerException
 also
 have java.lang.NullPointerException
java.lang.NullPointerException
 finally how ? ?casby s
next
 case (Catch c₂)
 have steps_c\<^ub12]
 "Gamma⊨1'' c<(\java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3
 have
 also
 have "Γah Skip \sub, Fault f) → (Skip, Fault f)" by (rule CatchSkip)
 finally show ?case by simp
qedtforce

lemma steps_Stuck: "Γ🚫1: "Γ⊨1, Fault f) → "by ct
proof (induct c)
 case (Seq c\<^have
java.lang.NullPointerException
 have steps_c_\<turnstile> (c<^>2, tuck) →^sup>* (Skip, Stuck)" by fact
 GuardFaultnotinLongrightarrow>turnstile , )\ induct
 have<><turnstile(Seq \^sub c\sub2 Stuck) →* (Seq Skip cjava.lang.NullPointerException
 also
 have "Γ2: "Γ⊨2, Stuck) →
 also note steps_c_<><turnstile> (Seq^subc_sub>>2 Stuck
 finally show ?case by simp
next
 case (Catchhow
 have steps_csub>1: "Γ⊨ (c₁, Stuck) →^, SeqSkip: "<Gammaturnstile(eq \^>2s\rightarrow(<>,
 from OFjava.lang.NullPointerException
 have "ΓCondTrue">\Longrightarrow<>turnstile
 also
 have "Γ (Catch Skip c(Skip, Stuck)" by (letchSkipjava.lang.StringIndexOutOfBoundsException: Index 107 out of bounds for length 107
 finally show ?case by simp
qed (fastforce intro: step.intros

lemmapt⊨java.lang.NullPointerException
proof
 e (Seq₂)
 <1 "><> (\^>1 Abr \>^sup> (SSk, Abrs) by
 have steps_c_\<turnstile> (c_\<^sup>*(Skip, Abupt by fact
 from SeqSteps [OF steps_c₁ refl refl]
 have "Γ⊨1 cs) →
 also
 have "Γebd Longrigh>
 also note steps_c₂
 finally show ?case by simp
next
java.lang.NullPointerException
 steps_c\<>:f
java.lang.NullPointerException
 have "Γ

 have
 finally show ?case by simp
qedastforceintros

lemma
 assumes step: "\<Gamma
 shows ∧
using step
by ((induct)auto

lemma step_Abrupt_prop:
 assumes step: "java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 shows "∧
using showcc
by

lemma step_Stuck_prop:
 assumes step: "<><turnstile
 shows "s=Stuck ==> s=Stuck"
using"Γ+ cf1he "<Gamma>( \^> c<ub,Normal) \ightarrow><sup( Skipsub t"
by (inductalso

lemmaps_Fault_propl_op:
 assumes step: "Γ
 shows "s=Fault f ==>
using step
proof (induct rule: converse_rtran [case_names Refl Trans])
 case Refl thus ?case by s
next
 case (Trans c s c'' s'')
 thus ?case
 by (auto intro: step_Fault_prop)
qed

lemma steps_Abrl
 assumes step: "Γ
 "=Abru t \LongrightarrowA t"
using
proof( rule: converse_rtranclp_induct2
 case "\<Gamma\"
next
 case (Trans c s c'' s'')
 thus?
 by (auto
qed

lemmasteps_Stuck_prop
 assumes step: "ΓL>P"
 shows "s=Stuck ==> (au simp add: final_def)
usingusing exec_impl [OF eeu o_s':
proof (induct rule: converse_rtranclp_indu
 case Refl thus ?case by simp
next
 case (Trans c s c'' s'')
 thus ?ca?case
 by (auto
qed

(* ************************************************************************ *)
subsection \openalence been ll-Step and B-Ss =Stuck or>
(* ************************************************************************ *)

theorem exec_impl_steps:
 assumes exec: "Γ f <Longrightarrow
 shows
 of
 Abrupt x ==>f. = ==>
 _<Rightarrow<>exec_redex_Stuck
using exec
)
 casecase
 by
next
 se
next" h "'=
 case GuardFault thus ?case by(r.exsub1 = Specwith exec
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 4
ault_end
next
 case Basic( s ep>< c
next
 case Spec thus ?case case CondTrueedex_Stuck
next
 caseSpecStuck ?Seq
next
 aseSeq
 have exec_c_\<turnstilejava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 c
 show
 proof (cases "\<exists
 case False
 from False Seq.hyps (2)
 have "Γ⊨
 eflbyfastforcetroses
 henceCatch> c₂ t)
 by (rule SeqSteps
 romtain
 steps_c_ormal
 t: "(case t of
 Abrptx\> tte ' ki
 else c' = Throw ∧fr
 | _ ==>
 by auto
java.lang.NullPointerException
 also have "Γ (Seq Skip c₂, s') → "\Gamma>\<turnstile t"
 also note steps_c "s=Stuck \<>
 finally have "Γ⊨s])
 with t False show ?thesis
 by (cases tfromCatchMatchissub2] s_Normalcase
 next
 case True
 then obtainsub1'"\<>\ ==>
 by blast
 from s' S.hyps (2)
 have "Γhyps (2 exec_c
 by auto "<Gamma>⊨
 hence seq_q_c<^1:"><turnstile> (Seq c<sub1 cjava.lang.NullPointerException
 by (rule SeqSteps) auto
 also <>' <><turnstile>(c,s) →
 by (rule SeqThrow)
 finally have "ΓAbrupt x<Rightarrow> if s then 'ip \and> t=t el c'=Throw ∧
 moreover
java.lang.NullPointerException
 byby (auto cse
 ultimately show ?thesis
 by auto
 qed
next
 case CondTrue thus ?case (Faut f)
next
 case CondFalse thus ?case by (blast intro: step.CondFalse rtranclp_trans)
next
 case (WhileTrue s b s' t)
 fail: "< g"
 have exec_w: "Γ
 have b:java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 hence step: "Γ⊨
 by (rule step.WhileTrue)
 show ?case
 ultimately
 case False
hileTruehyps (3)
 have "Γ.intros f
 by (cases s') auto
 hence seq_c: "Γ
 by (rule SeqSteps) auto
 from WhileTrue.hyps (5) obtain c' t' where
 steps_c
 t: "(
 tro step_Fault this

 | _ (( intro)
 by auto ?thesis
 te
 also(ceim_cases
 by
 also note aultProp
 by introntrosxec_elim_cases
 with t False
 by (cases t) auto
 next
 case True
 then obtain x where s': "s'=Abrupt x"
 by blast

 also
 from . (3)
 have "\<Gamma >,s∠
 by auto
 hence
 seq_c: "
 by (rule uctconverse_rtranclp_induct2java.lang.StringIndexOutOfBoundsException: Index 70 out of bounds for length 70
 o ">turnst> (SeqThro (While b c, x →
 by (rule yute)p_)
 finally have "Γ
 moreover
 from '"<⊨(c,s) \rightarroww>\uphro,Nal t
 by (auto intro: Abrupt_end)
 ultimately show ?thesi
 by auto
 qed
next
 caseWh thus ?case by (fastforce intro: step.W rt c s s'
next
 case Call thus ?case by (blast intro: step s''
next
 case CallUndefined thus ?case by (fastforce intro: step.CallUndefined rtranclp_trans)
next
 case StuckProp thus ?case by (fastforce intro: steps_Stuck)
next
 case DynCom thus ?case by (blast intro: step.DynCom rtranclp_trans)
next
 case Throw thus ?case by simp
ext
 caseAbrProps ?case by ( (ffastforce ce intropAbruupt)
next
 se ChMh c\^b> s ' \<^2 "not isAbr t"
 from CatchMatch.hyps (2)
 have "Γ⊨ (c from)Normal1' s_Normal
 by simp
 hence "Γ
 show ?thesiby m
 also have "<
 by (ruleubsectionEquivalencebetween Termination and the Absence of Infinite Computations›
 also
 from CatchMatch.hypscase )
 steps_c₂fromep_Fault_end_Normal
 t: "(case t of
 Abrupt x ==>= Skp <>t' = t
 else c' = Throw ∧
 | _ ==> g"
 by auto
 note steps_c"\Gamma>🚫
 finally show ?case
 using t
 by (auto split: xstate.splits)
next
java.lang.NullPointerException
 have t: "¬
 with CatchMiss.hyps (2)
 have \><turnstile<^subormal rightarrowsup* (Skip, "
 by (cases t) auto
 hence "Γ
 by (rule CatchSteps) auto
 also
 have "Γ
 by (rule step.CatchSkip)
 finally show ?case
 using t
 by (fastforce split: xstate.splits)
qed

corollary exec_impl_steps_Normal:
 assumes exec: "Γ
 shows "Γ⊨(c,s) →>\urnstile> (Seq c (While b c), Normal s) → ie bc) Normal x)"
using exec_impl_steps [OF execthis
by auto

corollary exec_impl_steps_Normal_Abrupt:
 assumes?thesis
 shows "Γ
using exec_erm
by auto

corollaryexec_impl_steps_Abrupt_Abrupt:
 assumes exec: "Γ<urnstilec,Abrupt t⟩ Abrupt t"
 shows "Γ
using exec_impl_steps [OF
by autond

corollary exec_impl_steps_Fault
 exec
 shows "\ y
using exec_impl_steps [OF exec]
by auto

corollary exec_ S thus ?case by (ast intro: terminat s o bu us ( (tf e ino: sstpsupt)
 assumes exec: "Γ
 shows
usingps
by auto

lemma step_Abrupt_end:case
 assumes s'ck(le c^' sexec
 "s'AbwSt

by indun

lemma
 assumes step: "\step_Fault_propntros_ses
 "s'Str in: xec.inte: exec_elim_c)
 s=Stuck ∨2 s)
 (∃ e elc' = Thrand> t' = Normal x
 (∃p x. redex cΓ p = None)"
using step
by induct autoxec>

lemma step_Fault_end:
 assumes step: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
 defined
 s=Fault f ∨
 (∃esbrptAbrupt:
using step
by induct auto

lemma redex_Stuck:
"Γstep_preserves_termination
proof (induct
 case Seq
 thus ?case
 Basic case fastforce.ros
next
 case Catch
 thus
 by (cases s) (auto intro: exec.intros elim:exec_elim_cases)
qed

lemmat:
"Γ⊨::terintstr st
proof Gua thus ?case by (fastforce intro: terminates.intros)
 case Seq
 thus ?case
 by (cases s) o i:exeits e:exm_cses
next
 case Catch
 thus ?case
 by (cases s) (auto intro: exec.introsapply s_Abrun:
qed simp_all

lemma step_extend:
 assumes step: "Γ⊨\^
 shows "by (cses sfastforce ntro
using s ?case
proof (induct)
 case Bac thha
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case Sp thus ?case
 by (fastforce int exec.intros elim: exec_Norm)
next
 case SpecSt uto

next
 case Guard thus ?case
 by (fastforce intro: exec.intros elius steps
next
 case GuardFault thus ?case
 by (fastforce intro: exec.intros
next
java.lang.NullPointerException
 have step: "Γ⊨ .hm", S.split_rule @{cont}
 have exec': "\)) thus
 show ?case
 proof (cases s)
 case (Normal x)
 note s_Normal = this
 show ?thesis
 proofjava.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20
 case (Normal x')
 thus
 ase
 exec_cjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 bycases
 from Seq.hyps elimtes_Normal_elim_caseses
 have "ΓCat c₂ thus ??case
 by simp
 from exec.Seq [OF this exec_cstep_extend
 show ?thesis by (iduct)
 next
 case (Abrupt x')
 with exe head:: ('s,'p,'f config step step_Stuck_pr)+
 by(aintro:Abrupt_en
 moreover
 from step Abrupt
 heAbr x'"
 byauto:step_Abrupt_end)
 ultimately
 show ?
 by (auto introexec
 next
 case (Fault f)
al
 obtain java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 redex_c notemaljava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 fail:
 by auto<sub': "Γ
 hence "<exec_c\case_names
 by (autojava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 from exec_redex_Fault
 have " ‹
 moreover from Fault exec' have "t=Fault f"
 byjava.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16
 ultimately
 owesississ
 using s_Normal
 by (auto intro: exec.intros)
 next
 case Stuck \>turnstilehead( irightarrow (f ( )java.lang.StringIndexOutOfBoundsException: Index 83 out of bounds for length 83
 byastt step_preserves_termination
 have "(\<exists>r.
 \exists>p. redex c\ = Call p \<and> \<Gamma> p
|Catchfrom have ammaturnstileSeq'c pecr
umeredexc^1 = Spec r" and "(\<forall>t. (x, t) \<notin> r)fromexec_redex_Stuckthis
 hence "\<Gamma>\<turnstile> \<langle>
fix
 [ this]
 have "\<Gamma>\<urnstile <langle>\<^sub>1Normal<>Rightarrow .
 moreover from Stuck exec' have "t=Stuck"
 by (auto intro: Stuck_end_)
 ultimately
 have?sis
 using s_Normal
 by (auto intro: exec.intros)

 moreover
 {
 fix p
 assume "\<
 hence "\<Gamma>\<turnstile> \<langle>redex c\<^sub>1,Normal x\<rangle> from_ormat n_k
 ( intro: execintros)
 from exec_redex_Stuck [OF this]
 have "\<Gamma>\<turnstile> \<langle>c\<^sub> simp
 moreover from Stuck exec' have "t=Stuck"
 by (auto intro: Stuck_end)
 imately
 have ?thesis
 using s_Normal
 by (auto intro: exec.intros)

 ultimately show
 by auto
 qed
 next
 case (Abrupt x c''L s'where f_k: "k=tch c<^java.lang.StringIndexOutOfBoundsException: Index 59 out of bounds for length 32
 from step_Abrupt [OF step this]
 have "s=Abrupt.
 with by(orcee exec.tros elim:java.lang.StringIndexOutOfBoundsException: Index 60 out of bounds for length 60
 tFalse thus ?case
 by applysimp
 with Abrupt
 show ?thesis
 by(autointro: exec.intros)
 (fastforce intro.trosmc_Normal_elim_casescases
 aultf
 from step_Fault [OF step this]
 aveallUndefinedhuscase
'
 have "t=Fault f"
 by (uto java.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for length 15
 with Fault
 show ?thesis
 by (auto intro: exec.intros)
 next
 case Stuck
 from step_Stuck [OF step this]
 have "s'=Stuck".
 with exec'
have"Stucktuckjava.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
 by (auto intro: Stuck_end)
 with Stuck
 show ?thesis
 by (auto intro: exec.intros)
 qed
next
 caseby simp d:ead_defhead_com_def
 by
next
 case (SeqThrow c\<^sub>2 s t) thus ?case
 by (fastforce intro: exec.intros elim: exec_elim_cases)+
next
 case CondTrue thus ?case
 by (fastforce intro execros elimm c_Normal_elim_cases
next
 case CondFalse thus ?case
 bystforcentroo:exec.osexec_Normal_elim_cases
next
 caseuctk
 by (fastforce introfrominfinite_computation_extract_head_Seq
next
 casecase (Sucjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 by this[rule_format] haverue
next
 case Call thus ?case
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case CallUndefined thus ?case
 byyp\<>i<k. (\<exists>c i ) Catchc^ done
next
 case DynCom thus ?case
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
case(Catch\<^sub>1 s c\<>1' s
 have step: "\<(<exists> thusseeby
 have exec': "\<Gamma>\<turnstile> \<langle>Catch c\<^sub>1' c
 show ?case
 proof (cases s)
 case (Normal x)
 note s_Normal = this
 show ?thesis
 proof (casessjava.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20
 case (Normal x')
 from exec' [simplified Normal]
 show"f (k+ 1)(chith
 proof (cases)
fixs'
 assumeexec_c<sub1': "\<Gamma>\<turnstile> \<langle>c\<^sub>1',Normal x'\<rangle> \<Rightarrow> Abrupt s''"
 have g_0: "g 0= c<sub ngNormal
 from Catch.hyps (2) Normal from [of 0, simplified f_0] step[ 1]
 have" '=t java.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length 23
 by simp
 from exec.CatchMatch [OF this exec_c\<^sub>2]step\foralli. \< ?
 show
 next
 assume exec_c<1': "\<Gamma>\<turnstile> \<langle>c\<^sub>1',Normal x'\<rangle <> t"
 t: \>isAbrtrooexectross
 atch) Normalc1Normal
 <\<turnstile> \<langle>c\<^sub>1,Normal x<> \ t"
 by by (simp add: g_def)
[F his s_Normal
 show ?rom True
 qed
 nextwithno_inf_Throw
 case (Abrupt x')
 withstforce intro: execntroslimjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 by (auto intro:Abrupt_end)
 moreover
 from step Abrupt
 have "s=Abrupt x'"
 by ( byblast
 ultimately
 show ?thesis
 proof
 next
 case (Fault f)
 from step_Fault_end [OF step this] s_Normal
 obtain g c where
 \^redex csub1 = Guard):ecntros
 fail: "x \<notin> g"
 byto
 hence "\<Gamma>\<turnstile> \<langle>redex c\<^sub>1,Normal x\<rangle> \<java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3
tro:.ctros
 from exec_redex_Fault [OF this] step
 have "\<Gamma>\<turnstile> \<langle>c\<^sub>1,Normal x\<ranglebythuse
 Infinite Computations: \<open>\<Gamma><
 auto introFault_end)
 ultimately
 show ?thesis
 s_Normal
 by (auto intro: exec.intros)
 next
 case Stuck
 from step_Stuck_end [OF step this] s_Normal
 have(>.redexc\1 rapplydrule not_less_Least
 \<exists>rom finite_computation_extract_head_Catchmputation_extract_head_CatchFp his
 byesis
 moreover
 {
 fix r
 assume "redex c\<^sub>1 = Spec r" and "(\<forall>t. (x, t) \<notin> r)"

 by (auto intro: exec.intros)
 fromexec_redex_Stuck[OFthis
 have "\<Gamma>\<turnstile>java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
 moreover from case (eqSkip c\
 by (auto intro: (:byases)
 ultimately
 have ?thesis
 usingstep: "\<forall>i:nat <Gamma\<turnstile>f i \ fastforceintro .intros exec.intros
 by (auto intro: exec.intros)
 }
 moreover
 {
 fixp
 assume java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 4
 hence\amma\<>\ \>Normalx\ RightarrowStuck
 by (auto intro: exec.intros)
 from exec_redex_Stuck[ this]
 have "\<>\<case
 moreover romtuckckxecbySuc
 yautointro:Stuck_end)
 ultimately
 have?thesis
 using s_Normal
 auto introexec
 }
 ow ?thesis
 by auto
 qed
 next
 case (Abrupt x)
 from step_Abrupt [OF step this]
 havefastforce intro:terminates.intros step_extend
 with xecjava.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 have "t=Abrupt x"
 y (utontroro Abrupt_endt_end)
 withith Abrupt
 show ?thesis
 autoo introtroecintrosros
 next

 from step_Fault [ step this]
 have "s'=Fault f"
 with exec'
 have "t=Fault f"
java.lang.StringIndexOutOfBoundsException: Index 44 out of bounds for length 32
 with Fault
 showhave\<Gamma\urnstile>(\^>1) \,s)"
 by (auto intro: exec.intros)
 next
 case Stuck
 from step_Stuck [OF step this]
 have destt tep_preserves_termination
 with exec'
 have "t=Stuck"
 yover
 with Stuck
 show ?thesis
 by (auto intro: exec.intros)
 qed
next steps_preserves_termination:
 case CatchThrow thus ?case
 by (fastforce intro: exec.intros elim: exec_Normal_elim_cases)
next
 case CatchSkip thus ? (induct rule: tranclp_induct2fromstep
 by (fastforce intro: exec.intros elim: exec_elim_cases)
next
 case FaultProp thus ?case
 by (fastforce intro: exec.intros elim: exec_elim_cases)
next
 case d_com(''p')com\ (s,,'f comdefinition(autosimp addadd:inf_def)
 (fastforceintro execintrosusingsjava.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 16
next
 case y
 by (fastforce intro: exec.intros elim: exec_elim_cases)
qed

theorem steps_Skip_impl_exec:
 assumes steps: "\<Gammathenhave not_fin: \forall>i <>final ( ()"
 "Gamma\<turnstile\< show <Gamma\turnstile> applyclarifyarify
using steps
proof (induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl thus ?case
 by (cases t) (auto intro: exec.intros)
next
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 have "\<Gamma>\<turnstile> (c, s) \<rightarrow> (c',done
 thus ?case
 by ( step_extend)
qed

theorem steps_Throw_impl_exec:
 mes\<>\<turnstile>(c,s\<^sup>*Throw f_step[ 0 f_0
 shows "\<Gamma>\<turnstile>\<langle>c,s\<rangle> \<Rightarrow> Abrupt t"
steps
proof (induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl thus?case
 by (auto intro: exec.intros)
next
 case (Trans c s c' s')
 have "\<Gamma>\<turnstile> (c, by (fastforceelim: Skip_no_step step_elim_cases)
 thus ?case
 by (rule step_extend)
qed

(* ************************************************************************ *)
subsection\alse
(* ************************************************************************ *)

definition1
(‹ (Seq c₂, Stuck) →
Γ⊨show Fal

not_infI: "[⊨2)
==>
by (auto simp add: inf_def)

(* ************************************************************************ *)
subsection [of f_step 1
(* ************************************************************************ *)

lemma b c)
 assumes step: "Γ (rule not_infI))
 shows "Γ: "∧⊨ f (Suc by ( add: head_d head_)assumef_0: "0tuck
using
proof (induct)
 by (astforce elimSkip_no_stepstep_elim_cases)
next
 case Spec thusse qed
next
 case SpecStuck thus ?case by (fastforce intro: terminates not_fin "<>i<k. \not final (head (f i))"
next
 case Guard thus case
 bystforceterminates :terminates_Normal_elim_cases
next
 case GuardFault thus ?case by (fastforce intro: terminates
next
 case (Seq cjava.lang.NullPointerException
 apply (cases s)
 apply (cases s')
 apply(fastforce:.intros
 elim: terminates_Normal_elim_cases)
 apply (fastforce intro: terminates qed
 step_Fault_prop step_Stuck_prop)+
 done
next
 case (SeqSkip: "∧
 thus ?case
 apply (cases s)
 apply (fastforce intro: terminates.intros exec.intros
 elim: terminates_Normal_elim_cases )+
 done
next
java.lang.NullPointerException
 thus ?case
 fin: t.int exe Γ"
 elim: terminates_Normal_elim_cases )
next
 case CondTrue
 thus ?case
 by (fastforce intro: terminates.intros exec.intros
 elim: terminates_Normal_elim_cases
next
 case CondFalse
 thus ?case
 by (fastforce intro: terminates qed
 elim: terminates_Normal_elim_cases )
next
 case WhileTrue

 by ( intro .intros

next
 case WhileFalse
 thus ?case
 by show "? k"
 elim: terminates_Normal_elim_cases )
next
 case Calle
 thuscase
 by (fastforceintro.intros
 elim: terminates_Normal_elim_cases )
next
 case CallUndefined [0 f_0
 thusc ss _stepp:"\by (auto elime: Skipno)
 by (fastforce intro: terminates.intros
 elim: terminates_Normal_elim_cases )
next
 case DynCom
 thus ?case
 by (fastforce intr (rule not_infI)
 elim: terminates_Normal_elim_cases )
next
java.lang.NullPointerException
apply (cases s)
 apply (cases s')
 apply (fastforce intro: terminates.intros step_extend
 elim: terminates_Normal_elim_cases)
 apply (fastforce intro: terminates.intros dest: step_Abrupt_prop
 step_Fault_prop step_Stuck_prop)+
 done
nextf_0: "f 0=Throw
 case CatchThrow
s?se
 by (fastforce intro: terminates.intros exec.intros
 elim: terminates_Normal_elim_cases )
nextf_comp<>🚫
 case (CatchSkip c<^show
 thus ume0 Call)"
 by (cases s) (fastforce intro: terminates.intros)+ f_step of0f_0 f_f_step [of 1]
next
 case FaultProp thus ?case by (ff f
next
 case t thus ?case by (fastforce introterm.intros)
next
 case AbruptProp thus ?case by (fastforce intro: terminates.intros)
qed

lemma"urnstile\htarrow><>"
 assumes steps: "Γ⊨
 shows "Γ⊨
using steps
proof (induct rule: rtranclp_induct2 [consumes 1, case_names Refl Trans])
 case Refl thus ?case .
next
 case Trans
 thus ?case
 by (b dest: step_preserves_termi)
qed

java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 ML_Thms.bind_thm ("tranclp_induct2", Split_Rule.split_rule @{context}
 (Rule_Insts.read_instantiate @{context}
 [((("a", 0), Position.none), "(aa,ab)"), ((("b", 0), Position.none), "(ba,bb)")] []
 @{thm tranclp_induct}));
\<close>

lemma steps_preserves_termination':
 assumes steps: "Γ2, s)"
 shows Γs ==>⊨
using steps
proof (induf_step: "> \amma🚫i. final
 case thus blast:step_preserves_termination)
next
 case Trans
 thusjava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 by (blast dest: step_preserves_termination)
qed

definitionhead_com"s,f)com \<Rightarrow sho ?c
wheref
head_com
 (case c of
 Seqapp F
 | Catch c [rule_format, of " by(: Skip_no_step
 | _==>

definition head"><> h ( 0 \rightarrowrro>\<\<
 where "head =head_com cfg cfg

lemma le_Suc_cases: "[\<And
ifyy
ly
 apply auto
 done

lemmaq_False:s<>c c''rec Seq c'' c' = F"
 by (induct c) auto

lemma redex_Catch_False: "∧
 by (induct c) auto

lemmainfinite_computation_extract_head_Seq:
assumesinf_comp: "forall
 assumes f_0: java.lang.NullPointerException
 assumes not_fin: "∀ final f_step
 shows "∀ x
 Γ⊨head (f i) → head (f (i+
 (is "∀
using?
proof (induct<⊨2, Abrupt s) <rightarrow(∞
 case 0
 show simp
next
 case (Suce
 have not_fin_Suc:
 "∀i<Suc k. ¬ final (head (f i))" by fact
 from this[rule_format java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 "∀ final (head (f i))"
 apply clarify
 apply (subgoal_tac "i < Suc k")
 apply blast
 apply simp
 done

 from Suc.hyps [OF this]
 show
 byauto
 show ?case
 proof (rule le_Suc_cases)
 fix i
 assume "i < k"
 then
 rule
 next
 show "?P k"
 proof -
 fromfastforceo_step
 obtain c' fs' L' s' where f_k: java.lang.NullPointerException
 by (cases k) auto
 from inf_comp [rule_format, of k] f_k
 have "Γ⊨ : Skip_no_stepqed
 by simp1 cjava.lang.NullPointerException
 moreover
 from not_fin_Suc [rule_format, of
 have "¬
 by (simp add: final_def head_def head_com_def)
 ultimately
 obtain c'' s'' where
 "Γ⊨(c', s') → (c'', f_0(While)
 ( ) Seq'c^>, s'')"
 by cases (auto simp add: redex_Seqfinal_def)
 with f_k
 show ?thesis
 by (simp add: head_def head_com_def)
 qed
 qed
qed

lemma infinite_computation_extract_head_Catch:
 assumes inf_comp: "∀:"<>i. \<>\
 assumes f_0: "f 0 = (Catch c>turnstile> f (Sucjava.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
 assumes not_fin: "∀
 shows "∀i<k. (<exists
 Γ=(Spec, Normal s)java.lang.StringIndexOutOfBoundsException: Index 42 out of bounds for length 42
 (is "∀
using no
proof (induct k)
 case 0
 show ?case by simp
t
 case (Suc k)
 have not_fin_Suc:
 "∀
 from this[rule_format] have not_fin_k:
 epi. Γf i →False
 apply
 fastforce:Skip_no_step step_elim_cases)
 apply blast
 apply simp
 ne

 from Suc.hyps [OF this]
 have hyp: "∀ \<Gamma\ c1c\<^^sub :" (gc,Fault
 🚫
 show ?case
 proof (rule le_Suc_casesqed
 fix
 assume "i < k"
 then show "<Gamma>\<rnstilenstile
 by (rule hyp [rule_format])
 next
 show "?P k"
 proof -
 from hyp [rule_format, of "k - 1"] f_0
 obtain c' fs' fix f
 by (cases k) auto
 from inf_comp [rule_format, of k] f_k
 have "Γ
 simp
 moreover
 from not_fin_Suc [rule_format, of k
 have "¬ final (c',s')"with
 by (simp add: final_def head_def head_com_def)
 ultimately
 obtain c where
 "Γ(c', s') →
 ΓWhile b c ↓ ¬
 by cases (auto simp add: redex_Catch_False final_def)+
 with f_k
 show ?thesis
 by (simp add: head_def head_com_def)
 qed
 qed
qed

lemma no_inf_T: "¬(Throw,s) →(∞
proof
 assume "Γi. Γ c)
 then obtain f where
 step [rule_format]: "∀f_step]f_0
 f_0: "f 0 = (Throw, s)"
 by autoaddinf_def
 from step [of 0, simplified f_0eq c (While >f withhave<amma\
 show False
 by cases (auto elim: step_elim_cases f_stepof f_0
qed

lemma split_inf_Seq:
 assumes inf_comp ?case
 shows java.lang.NullPointerException
 (∃
proof -
 from inf_comp obtain f where
 step: "∀i::nat. Γjava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 f_0 Some" by faa f_0:" ic s
 by( simp: inf_def
 from f_0 have head_f_0: "head (f 0) = (c_{not_infI})
 by (simp add: head_def head_com_def)
 show ?thesis
 proof (cases "∃i. final (head (f i
 case True
 define k where "k = (LEAST i. final (hwit f_step
 have less: 🚫
 apply (intro allI impI)
 apply (unfold k_def)
 apply (drule not_less_Least)
 autoo
 done
 from infinite_computation_extract_head_Seq [OF step f_0 this]
 obtain step_head: "∀
 conf: java.lang.NullPointerException
 by blast
 from True
 have final_f_k: "final (head (next
 apply -
 apply erule
 apply (drule LeastI)
 apply (simp add: k_def)
 done
 moreover
 from f_0 conf [rule_format, of "k - 1"]
 obtain c' s' where f_k: "f k = (Seq c' c₂,s')"
have (Suc 0=(c s,Normal
 moreover
 from step_head have steps_head: "Γ⊨head (f 0) →simp a: inf_def)
 proof (induct k)
 case 0 thus ?case by simp
 next
 case (Suc m)
 have step: "\forall<><turnstile> head (f i) →
 hence( s) thuscase
 by auto
 hence "\assume fstep: "<>i. <amma\
 by ( Suchyps
 also from step [rule_format, of m]
 have "Γ
 finally show ?case by simp
 qed
 {
 assume f_k: "f k = (Catch cc^sub1 s c₂)
 steps_head
 have "Γ⊨(cb blast
 using head_f_0
 by (simp add: head_def head_com_def)
 moreover
 from step [rule_format, of k] f_k
 obtain "Γ
 f_Suc_k: "f (k + 1) = (c₂,s')"
 byfastforcestep :.intros
 from infinite_computation_extract_head_Seq[Fstepf_0 ]
 from f_Suc_k
 have g_0:head_f_0>⊨1,s) →)
 y(imp: g_def
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 have ( b c\sub1 <>\
 by (simp add: g_def)
 with g_0 have "Γ:"i::nat. Γf i →
 f_step\>>fi<> ( i
 ultimately
 have
 by auto
 }
 moreover

 fix x
 assume s': not_infI
 from step [rule_format, of
 obtainGamma<>Seq
 f_Suc_k: "f (k + 1) = (Throw,s')"
 by (fastforce elim: step_elim_cases intro: step.intros)
 define g where "g i = f (i + (k + 1))" for
 fromf_Suc_k
 have g_0 "0(Throw,s')"
 by (simp add: g_def)
 from step
 have "∀\turnstile
 by (simp add: g_def)
 with g_0 have "Γ
 by (auto simp add: inf_def)
 by (cases k) auto
 have ?thesis "\<>\
 by auto

 ltimately
 show ?the
 by (auto simp add: final_def head_def head_com_def)
 next
 case False
 then have not_fin: "∀i. ¬Gamma⊨)<rightarrow (f (m + ))by
 by steps_redex:
 have "∀i. Γ⊨
 proof
 fix k
 romnt_finjava.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
 sim add: head_def head_com_def)
 by simp

 from infinite_computation_extract_head_Seq [OF step f_0 this ]
 show "Γ⊨ head (f k) →
 qed
 with head_f_0 have "Γ⊨
 by at sp dd: inf_df)
 thus assums:"rmal f_k " k= Catc Throw🚫: head_def h)
 by simp

qed

lemma split_inf_Catch:
 assumes inf_comp: "Γ<>(Catch^>1 c₍Abrupt
 shows "Γ⊨1 for i
 (∃s'. Γ⊨
proof -
 from inf_comp obtain f where
i<\turnstilef i \<rightarrow> f (+ d
 f_0: "f 0 = (Catch c\<^sub>1 c\<^sub>2, s)"
 by (auto simp add: inf_def)
head_f_0head0 (^>,)
 by (simp add: head_def head_com_def)
 show ?thesis
 }
 case True
 define k where "k = (LEAST i. final (head (f i)))"
 have less_k: "\<forall>i<k. \<not> final (head (f i))"
 apply byblast
 apply (unfold k_def)
 apply (drule not_less_Least)
 apply auto
 done
 from not_fin
 obtain step_head: "\<forall>i<k. \<Gamma>\<turnstile> head (f i) \<rightarrow> head (f (i + 1))" and
 conf: "\<forall>i<k. (\<exists>c' s'. f (i + 1) = (Catch c' c\<^sub>2, s'))"
 by blast
 from True
 have final_f_k: "final (head (f k))"
 apply -
 apply (erule exE)
 apply( LeastI
 ( add k_def
 done
 moreover
 from f_0 conf [rule_format, of "k - 1"]
 obtain c' s' where f_k:" atch' c\\<^>2') case (Skip)hus ?java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26
 by( k
 moreover
 from step_head have steps_head: "\<Gamma>\<turnstile>head (f 0) \<rightarrow>\<^sup>* head (f k)"
 proof (induct k)
 case 0 thus ?case by simp
 next
 case (Suc java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 have step: "\<forall>i<Suc m. \<Gamma>" c p Suc i subst_redexjava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
nce\><.\<>turnstile f i <>headf )"
 by auto
henceGamma<>headf )<>*head m"
 by (rule Suc.hyps)
 also from step [rule_format, of m]
 have "\<Gamma>\<turnstile> head (f m) \<rightarrow> head (f (m + 1))" by simp
 finally show ?case by simp
 qed
 blast
 by( elim: Skip_no_stepjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
 with steps_head
 have "\<Gamma>\<turnstile>(c\<^sub>1,s) \<rightarrow b= ff 0
 using
 by ( by iprover
 moreover
 step[rule_format of kk]f_k
obtain<>
 f_Suc_k: "f (k + 1) = (Skip,s')"
 by (fastforce elim: step.cases intro: step.intros)
 from step [rule_format, of "k+1", simplified f_Suc_k]
thesis
lemma:"<not> \<Gamma>turnstile(,

 moreover
 {
"<forall>y.\<^>+\^>+ ay <longrightarrow>P assume f_0: f , )"
ow
withjava.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21
 have "\<Gamma>\<turnstile>(c\<^sub>1,s) \<rightarrow rule not_infI)
 using head_f_0
 by ( add head_defhead_com_def)
 moreover
 from step [rule_format, of k] f_k s'
obtainf
 f_Suc_k: "f (k + 1) = (c\<^sub>2,s')"
(elim introstep.intros)
 define g where "g i = f (i + (k + 1))" for i
 from f_Suc_k
 haveg_0:g 0(
 by (simp add: g_def)
 from step
 have hence \exists>.f 0:nat ,s <>(<>.\Gamma
 ( add g_defjava.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length 28
0 "<>\turnstile(\^>2s') \rightarrow> <dots>(\infinity>)"
 by (auto show ?case
 ultimately
 have ?thesis
 using s'

 }
ultimately
 ?
byauto case


 then not_fin:"\forall>. \not final(head ( i)"
 by
vehead( ( False
 proofshow
 fixk
 from not_fin
 have"\>< k. <> (head f))
 by simp

 from
 show "\<Gamma>\<turnstile> head (f k) \<rightarrow> head (f (k + 1))" by simp
 qed
 with head_f_0 have "\<Gamma>\<turnstile>(c\<^sub>1,s) \<rightarrow> \<dots>(\<infinity>)"
 by (auto simp qed
 thus ?thesis
 by simp
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
qed

lemma Skip_no_step
 ( no_step_final)
 apply (simp add: final_def)
 donefix

lemma not_inf_Stuck: "\<not> \<Gamma>\<turnstile>(c,Stuck) \<rightarrow> \<dots>(\<infinity>)"
proof (induct c)
 case Skip
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: show ?ase
 from f_step [of 0] f_0
 show False
 by (auto elim: Skip_no_step)
 qed
next
case( g)
 thus ?case
 proof (rule not_infI)
?case
 assume f_step: "\<And>i. thus ?case
 assume f_0: "f 0 = Basicg,Stuck"
 [ ]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 rjava.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15
 thus ?case
proof ( not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Spec r, Stuck)"
 from case
 show False
 (fastforceelim: Skip_no_step )
 qed
next
 case (Seq c\<^sub>1 cby havehyp_c1 ">\>\<turnstile> 1, s) rightarrow \<dots(<nfinity>))" fact
 show ?case
 proof
 assume "\<Gamma>\<turnstile> (Seq c case Throw
 from split_inf_Seq [OF thisjava.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9
 show False
 by( dest steps_Stuck_prop)
 qed
next (auto: step_Normal_elim_cases)
 case (Cond b c\<^sub>1 c\<^sub>2)
 show ? "\<>\<turnstile> ( c\<^sub>1 c\^sub>2, Abrupts)) \<rightarrow> \<dots(\<infinity>)"
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>
 assume f_0: "f 0 = (Cond b c\<^sub>1 c\<^sub>2, Stuck)"

 show False

 qed
next
 case ( f_0:f0 ( have<\turnstilec )\<i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (While b assume:f0= Condbc1 ,Normal ()f)\ (,)<ammajava.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21
 proof )
 show False
 fastforce:Skip_no_step step_elim_cases
 qed
next
 ( p
 show ?case
 proof (rule not_infI)
 fixf
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Call p, Stuck)"
 from f_step [of 0] f_0 f_step [of 1]
 show False inf
 by fastforceelim: Skip_no_step)
 qed
next
case( djava.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 17
 show ?case
 proof (rule not_infI)
 fix f
assume\>. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 9
 assume f_0: "f 0 = (DynCom d, Stuck)"
 from f_step [of 0] f_0 f_step fastforceelimSkip_no_stepstep_elim_cases
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
nextfrom [ this show
 case (Guard m g where
 show
 )
fix
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Guard m g c, Stuck)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case Throw
 show ?case
 proof (rule not_infI)
 fix f
 f_step \>\Gammaturnstilef rightarrow>f )java.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
 assume f_0: "f 0 =apply( add inf_def)
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
next
caseCatch^>1 <sub
 show ?case
 proof
 java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 from split_inf_Catch [OF this] Catch.hyps
 show False
 proof
 qed
qed

lemma from steps_redex'[ this, of "(eq c (p ) i)"]
proof "\<Gamma\<> (ubst_redex(seq c ( 0)i) (Call ( i),Normal(s i))\<ightarrow>\<sup+
 case Skip
 show ?case
 proofproof(ule not_infI
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Skip, Fault x)"
 from f_step [of 0] f_0
 show False
 by (auto elim: Skip_no_step)
 qed
next
case( )
 thus ?case
 proof (rule not_infI)
 fix f
:"<And>i <Gamma>\turnstilef i\rightarrow> ( i)java.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
 f
 from f_0 [
 show
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 ( r)
 thus ?case
_infI
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Spec r, Fault x)"
 fromf_step[of0f_0f_stepof1]
 show False
 ( : Skip_no_stepstep_elim_cases
 qed
next
 case ( \^sub1 c\^sub>)
 show ?case
 proof
 assume "\<Gamma>\<turnstile> (Seq c\<^sub>1 c\<^sub>2, Fault x) \<rightarrow> \<dots>(\<infinity>)"
 from split_inf_Seq [OF this] Seq.hyps
 show False
 by (auto dest: steps_Fault_prop)
 qed
next
 case (Cond b c\<^sub>1 c\<^subproof ( c)
 showcase
 proof (rule not_infIjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Cond b c\<^sub>1 c\<^sub>2, Fault x)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 ( c)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (While b c (Whileb )
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Call p)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f assumef_step "\<>i. \Gamma\<turnstilef \<case( f )
 assume f_0: "f 0 = (Call p, Fault x)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
next
 case show False
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (DynCom d, Fault x)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Guard m g c)
 show ?case
 proofjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 fix f
 assume f_step: "\<And>i. \<Gammaproof (induct rule converse_rtranclp_induct2 [ Refl Trans])
 assume f_0: "f 0 = (Guard m g c, Fault x)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next

 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Throw, Fault x)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
java.lang.StringIndexOutOfBoundsException: Range [76, 55) out of bounds for length 55
 qed
next
 case (Catch c\<^sub>1 c\<^sub>2)
 show ?case assumestep_c\: "<Gamma\<turnstile> (c\, Normal )\<rightarrow c' s)"
 proof
 assume "\<Gamma>\<turnstile> (Catch c\<^sub>1 c\<^sub>2, Fault x) \<rightarrow> \<dots>(\<infinity>)"
 rule.)
 show False
java.lang.StringIndexOutOfBoundsException: Range [45, 38) out of bounds for length 38
 qed
qed

lemma not_inf_Abrupt: "\<not> \<Gamma>\<turnstile>(c,Abrupt s) \<rightarrow> \ proof(rulenot_infI)
proof (induct c)
 case Skip
 showcase
( )
 ix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Skip, Abrupt s)"
 from f_step [of 0] f_0
 show False
 by (auto elim: Skip_no_step)
 qed
next
 case (Basic g)
 thus ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0byauto:exec_Normal_elim_cases ( java.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 17
 from f_step [of 0] f_0 f_step [of 1]
 show
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Spec r)
 thus ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Spec r, Abrupt s)"
 from f_step _ <>c<subf= \<> t= s)
 show Falseby ( split: xstatesplits)
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
Seqc\^sub>1 c<^ub>2))
 show ?case
 proof
 assume "\<Gamma>\<turnstile> (Seq c\<^sub>1 c\<^sub>2, Abrupt s) \<rightarrow> \<dots>(\<infinity>)"
 fromsplit_inf_Seq[F ].
 show False
 by (auto dest: steps_Abrupt_prop)
 qed
next
 case (Cond b c\<^sub>1 c\<^sub>2)
 show ?case
 proof (rule not_infI)
 fix f
termi_call_steps::"(s'p,'f) body \<Rightarrow> (( \<> 'p) Normaljava.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for length 25
 assume f_0: "fby cases
 fromromf_step [ 0] f_0 f_step [[of ]
 show False
 fastforceelim Skip_no_step )
 qed
next
 case( b c)
 java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 proof \^>2 rule_format,OF]
 fix<exists>.<\<turnstile(allp, )\<rightarrow\<^> (,Normal t \nd redexc = q)
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (While b c, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show
 by (fastforce elim: Skip_no_step step_elim_cases)
qed
next
 case (Call p)
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And by simp
 assume f_0: "f 0 (Call p, Abrupts"
 from f_step[of 0]f_0 [of1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 casecase (DynCom d)
 show ?case

 fix
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 f_0: " 0 DynCom, Abrupt s)"
 from f_step [ by auto
 show False
 by( elim Skip_no_step step_elim_cases)
 qed
next
subst_redexDynCom) =c |
 with have "s'=aultf"
 proof (rule not_infI)
 fixf
_:"ndi.\<><fi \\> f(uc "
 assume f_0: "f 0 = (Guard m g c, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by fastforceelim Skip_no_step)
 qed
next
 case Throw
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\ qed
 assume f_0: "f 0 = (Throw, Abrupt s)"
 from f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case( c\^sub1c<sub2)
 showcase

 "<amma><rnstile(redexc,)<>(r,')\<LongrightarrowGammaturnstile, \rightarrow (subst_redexc r's'
 split_inf_Catch[ this]Catchhyps
 show False
 by (auto dest: steps_Abrupt_prop)
 qed
java.lang.StringIndexOutOfBoundsException: Range [14, 3) out of bounds for length 3

theorem terminates_impl_no_infinite_computation
 assumes termi ( ) ((auto .Seq .Catch
 shows "\<not> \<Gamma>\<turnstile>(c,s) \<rightarrow> \<dots>(\<infinity>)"
using termi
proof (induct)
 case (Skip s) thus ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Skip, Normal s)"
 fromf_stepof0] f_0
 show False
 by (auto elim: Skip_no_step)
 qed
next
 case (Basic g s)
 thus ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Basic g, Normal s)"
 from f_step [of 0] f_0 f_step [of 1]
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
 byfastforce :Skip_no_step)
 qed
next
 case (Spec r s)
 thus ?thesis
 proof (rule not_infI)
 fix f
 <>i <>\> <ightarrow f (Suc)
 assume f_0: "f 0 = (Spec r, Normal s)"
 from f_step [of 0] f_0 f_step [of 1]
 java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
 by (fastforce elim
 qed
next
 case (Guard s g c m)
 have g: "s \<in> g" by fact
 have hyp: "\<not> \<Gamma>\<turnstile> (c, Normal s) \<rightarrow> \<dots>(\<infinity>)" by
 showruleDynCom
 proofrule not_infI
 fix f
 assume f_step (autointro .intros
 assume f_0: "f 0 = (Guard m g c, Normal s)"
 from f_step [of 0] f_0 g
 have "f 1 = (c,Normal s)"
 by ("[("a",0)Positionnone),"(a ))((("b" 0)),Position.proof( s<>
 with f_step
 have "\<Gamma>\<turnstile> (c, Normal s) \<rightarrow> \<dots>(\<infinity>)"
 apply (simp add: inf_def)
 apply =lambda. Suci) inexI)
 by simp
 with hyp show False ..
 qed
next
 case (GuardFault s g m c)
 have g: "s \<notin> g" by fact
 show ?case
 proof (rule not_infI)
 fix f
 assume
 assumef_0 "f0 ==(Guard m g c, Normal s)"
 fromf_stepof 0]f_0f_step 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 caseFault m)
 thus ?case
 proof
next
 case (Seq c\<^sub>1 s c\<^sub>2)
 show ?case
 proof
 assumeGamma<>(Seq<^> \^sub2 Normal <>\dots>(\<>)
 from split_inf_Seq [OF this] Seq.hyps
 show False
 by (auto intro: steps_Skip_impl_exec)
 qed
next
 case (CondTrue s b c1 c2)
 have b: "s \<in> b" by fact
 have : "\<ot> \<Gamma>\<turnstile> (c1, Normals) \\<<rightarrow \<<dots(\infinity)" fact
 showcase
 proof (rule not_infI)
 fix f
 assumef_step "<And>i.\<amma\turnstile>i\> fSuc)"
 assume f_0: "f 0 = (Cond b c1 c2, Normal s)"
 fromb [ 0 f_0
 have "f 1 = (c1,Normal s)"
 by auto: )
 with f_step
haveGamma<turnstile> (c1, Normal s) \<rightarrow> \<dots>(\<infinity>)"
 apply (simp add: inf_def)ormal_elim_cases)
 apply (rule_tac x="\<lambda>i. f (Suc i)" in exI)
 by simp
 with hyp_c1 show False by simp

next
 CondFalse s c2 c1c1)
java.lang.StringIndexOutOfBoundsException: Range [37, 32) out of bounds for length 32
 have hyp_c2: : \<Gamma>\turnstile c',s'')\rightarrow\*(Throw, s')"
 show ?case
 proof (rule not_infI)
 fix f
 f_step "\ndi \Gamma<turnstilef \rightarrow f (Sucuc ijava.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
assume:" 0=(Condb c2, s)"
 from b f_step [of 0] f_0
 have "f 1 = (c2,Normal s)"
 by (auto elim: step_Normal_elim_cases)
 with f_step
 have "\<Gamma>\<turnstile> (c2, Normal s) \<rightarrow> \<dots>(\<infinity>)"
 apply (simp add: inf_def)
 apply (rule_tac x="\<lambda>i. f (Suc i)" in exI)
 by simp
 with hyp_c2 show False by simp
 qed
next
 case (WhileTrue s b c)
 have"s \in bb factfact
 have hyp_c: "\<not> \<Gamma>\<turnstile "\<>c1 s1 \<brakk>\<Gamma \<turnstile> (c,) \<ightarrow\<^sup* cfg1; cfg1(,s1\<rbrakk\<Longrightarrow <Gamma>\<turnstile>c1<down>s1"
 have hyp_w: "\<forall>s'. \<Gamma>\<turnstile> \<langle>c,Normal s\<rangle> \<Rightarrow> s' \<longrightarrow>
 \<Gamma>\<turnstile>While a_b
 have not_inf_Seq ( cfg1 simp
 proof
 assume "\<Gamma>\<turnstile> (Seq c (While b c), Normal s) \<rightarrow> \<dots>(\<infinity>)"
 from split_inf_Seq [OF this] hyp_c hyp_w show False
 (uto introsteps_Skip_impl_exec)
 qed
 show ?case
 proof
 assume "\<Gamma>\<turnstile> (While b c, Normal s) \<rightarrow> \<dots>(\<infinity>)"
 then obtain f where
 f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)" and
 f_0 f =( b ,Normal)
 by (auto simp add: inf_def)
 f_step [ 0 f_0
 have "f 1 = (Seq c (While b c),Normal s)"
 by (auto elim: step_Normal_elim_cases)
 with f_step
 have "\<Gamma>\<turnstile> (Seq c (While b c), Normal s) \<rightarrow> \<dots>(\<infinity>)"
 apply (simp add: inf_def)
 apply (rule_tac x="\<lambda> (auto intro terminatesintros
 by simp
 with not_inf_Seq show False by simp
 qed
next
 case (WhileFalse s b c)
 have b: "s \<notin> b" by fact
 show ?case
{
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (While b c, Normal s)"
 from b f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Call p bdy s)
 have bdy: "\<Gamma> p = Some bdy" by fact
have:"\ <mma>\turnstile ( s <ightarrow>\ots(\infinity byjava.lang.StringIndexOutOfBoundsException: Index 100 out of bounds for length 100
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Call p, Normal s)"
 from bdy f_step [of 0] f_0
 have "f 1 = (bdy,Normal s)"
 by (auto elim: step_Normal_elim_cases)
 withSeqc<sub1c<^>2)={ \sub><^> <> \>a )<n>r\sup>\andfif(i injava.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67
 have "\<Gamma>\<turnstile> (bdy, Normal s) \<rightarrow> \java.lang.StringIndexOutOfBoundsException: Range [62, 37) out of bounds for length 37
 apply (simp add:{DynComd"|
 apply (rule_tac x="\<lambda>i. f (Suc i)" in exI)
 java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13
 with hyp show False by simp
 qed
next
 case (CallUndefined p s)
 have no_bdy: "\<Gamma> p = None" by fact
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step: "\<java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 assume f_0: "f 0 = (Call p, Normal s)"
 from no_bdy f_step [of 0] f_0 f_step [of 1]
 show False
 by (fastforce elim: Skip_no_step step_elim_cases)
 qed
next
 case (Stuck c)
 show ?case
 by (rule not_inf_Stuck)
next
 case (DynCom c s)
 have hyp: "\<not> \<Gamma>\<turnstile> (c s, Normal s) \<rightarrow> \<dots>(\<infinity>)" by fact
 show ?case
 proof (rule not_infI)
 fix f
 assume f_step:haver \inredexes ( c<^> c<sub2)byfact
 assume f_0: step_r\<><turnstile,s) \rightarrow,s)"fact
 from f_step [of 0] f_0
 have "f (Suc 0) = (c s, Normal s)"
 by (auto
withhave\turnstile>c,Normal <ightarrow>\>\infinity
 apply (simp add: inf_def)
apply rule_tacx"lambdai. f Suci" exI
 by simp

 show False by simp
 qed
next
( s) ?java.lang.StringIndexOutOfBoundsException: Index 27 out of bounds for length 27
 proof (rule not_infI)
 fix f
 assume f_step: "\<And>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 assume f_0: "f 0 = (Throw) have "f = (dy (fastforce:stepintros step_elim_casessimpaddroot_in_redexes
 from f_step [of 0] f_0
 show
 by (auto elim: step_elim_cases)
 qed
next
 case (Abrupt c)
 show ?case
 by (rule not_inf_Abrupt)
next
caseCatchc\sub \<>2
 show ?case
 proof (auto
 assume "\<Gamma>\<turnstile> (Catch c\<^sub>1 c\<^sub>2, Normal s) \<rightarrow> \<dots>(\<infinity>)"

 show
byutointrosteps_Throw_impl_exec)
 qed
qed

definition
termi_call_steps :: "('s,'p,'f) body \<Rightarrow> (('s \<times> 'p) \<times> ('s \<times> 'p))set"
where
"termi_call_steps \<Gamma> =
{((t,q),(s,p)). \<Gamma>\<turnstile>Call p\<down>Normal s \<and>
 (\<exists>c. \<Gamma>\<turnstile>(Call p,Normal s) \<rightarrow>\<^sup>+ (c,Normal t) \<and> redex c = Call q)}"

primrec::"(,p,f)om <>(',p,f) \Rightarrow('s,p,,')com"
where
proof( : converse_rtranclp_induct2case_namesReflTrans)
"subst_redex (Basic f) c = c" |
"subst_redex (Spec r) c = c" |
"subst_redex (apply clarify
"subst_redex (Cond b c\<^sub>1 c\<^sub>2) c = c" |
"subst_redex (While b c') c = c" |
"subst_redex (Call p) c = c" |
"subst_redex (DynCom d) c = c" |
"subst_redex (Guard f b c') c = c" |
"subst_redex (Throw) c = c" |
"subst_redex (Catch c\^sub1 c\<sub2)c = Catch(subst_redexsubst_redex c\<^sub>1 c)) c<^sub>2""

lemma subst_redex_redex:
 "subst_redex c (redex c) = c"
 by (induct c) auto

lemma redex_subst_redex: "redex (subst_redex c r) = redex r"
 by (induct c) auto

lemma step_redex':
 shows "\<Gamma>\<turnstile>(redex c,s) \<rightarrow> (r',s') \<Longrightarrow> \<Gamma>\<turnstile>(c,s) \<rightarrow> (subst_redex c r',s')"
by (induct c) (auto intro: step.Seq step.Catch)

lemma step_redex:
 shows "\<Gamma>\< f_0:"f 0 (DynCom , s)"
by( ) (auto.Seq.Catch

lemma steps_redex:
teps"Gamma<> s)<>\^up' s)"
 shows "\<And>c. \<Gamma>\<turnstile>(subst_redex c r,s) \<rightarrow>\<^sup>* (subst_redex c r',s')"
using steps
proof (induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl
show"\Gamma\turnstile(subst_redex r, s'\<ightarrow>\sup* (subst_redex c r,s'
 bysimp
next
from f_step of0 f_0
 have "\<Gamma>\< \<forall>i by autoelimstep_elim_casesjava.lang.StringIndexOutOfBoundsException: Index 37 out of bounds for length 37
 from step_redex [OF this]
haveGammaturnstilesubst_redexc, rightarrowsubst_redexc r's'.
 also
 have "\<Gamma>\<turnstile> (subst_redex c r'', s'') \<rightarrow>\<^sup>* (subst_redex c r',proof
 finally show ?case .
qed

ML \<open>
 ML_Thms.bind_thm ("trancl_induct2", Split_Rulejava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 (Rule_Insts.read_instantiate @{context}
 [((a" ),.none),"(aa,)"),((b",0,.none,"ba, ))][]
thm)
\<close>

':
 assumes steps: "\<Gamma>\<turnstile> (r, s) \<rightarrow>\<^sup>+ (r"subst_redexSkip = |
 shows "\<And>c. \<Gamma>\<turnstile>(subst_redex c r,s) \<rightarrow>\<^sup>+ (subst_redex c r',s')"
using steps
proofqed
 case (Step r' s')
 have "\<Gamma>\<turnstile> (r, s) \<rightarrow> (r', s')" by fact
then have "\<Gamma><turnstile> (subst_redex c r, s \<rightarrow (subst_redex c r', s'"
 rule)
" (Catch c\<^sub> c\^sub>2 c = Catch (subst_redexc\sub> c c\^sub2"
next
 ( r' s' '' s')
 have "\<Gamma>\<turnstile> (subst_redex c r, s) \<rightarrow>\<^sup>+ (subst_redex c r', s')" by fact
 also
 have "\<Gamma>\<turnstile> (r', s') \<rightarrow> (r'', s'')" by fact
 hence<amma\<turnstile cr' s' \<rightarrow ((subst_redex cr', java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
 by (rule step_redex)
 finally show "\<Gamma>\<turnstile> (subst_redex c r, sjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
qed

primrec seq:: "(nat \<Rightarrow> ('s,'p,'f)com) \<Rightarrow> 'p \<Rightarrow> nat \<Rightarrow> ('s,'p,'f)com"
where
"seq c p 0 = Call p" |
"seq c p (Suc i) = subst_redex (seq c p i) (c i)"

lemma renumber':
 assumes f: "\<forall>i. (a,f i) \<in> r\<^sup>* \<and> (f i,f(Suc i)) \<in> r"
 assumes a_b: "(a,b) \<in> r\<^sup>*"
 java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
usinga_b
proof (from ]
 assume "b = f 0"
 with f show "\<exists>f. f 0 = b \<and> (\<forall>i. (f i, f (Suc i)) \<in> r)"
 by blast
next
 fix a z
 assume a_z: "(a, z) \<in> r" and "(z, b) \<in> r\<^sup>*"
assumeb=f0<Longrightarrow><>f z\and \foralli (, ( i) \inr"
 "b = f 0"
 then obtain f where f0: "f 0 = z" and seq\<close
 by iprover
 {
 fix i have "((\<lambda>i. case i of 0 \<Rightarrow> a | Suc i \<Rightarrow> f ibst_redexc 's'"

by (cases)auto
 }
 thenjava.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 6
 show "\<exists>f. f 0 = a \<and> (\<forall>ext
 by - (rule exI [where x="\<lambda>i. case i of 0 \<Rightarrow> a | Suc i \<Rightarrow> f i"],simp)
qed

lemma renumber:
"\<forall>i. (a,f i) \<in> r\<^sup>* \<and> (f i,f(Suc i)) \<in> r
\<Longrightarrow> \<exists>f. f 0 = a \ blast: tranclp_into_rtranclprtranclp_trans
 by (blast dest:renumber')

lemma
"<orall>y.r\\<^sup>+a y \longrightarrow PP a \longrightarrow PP y
 \<Longrightarrow> ((b,a) \<in> {(y,x). P x \<and> r x y}\<^sup>+) = ((b,a) \<in> {(y,x). P x \<and> rproof(induct rule converse_rtrancl_induct [consumes 1)
apply(rule f "\existsf.. 0 = b <> (<oralli.(f i,, f ( i)) \<in> r)java.lang.StringIndexOutOfBoundsException: Index 81 out of bounds for length 81
apply clarify
apply(erule trancl_induct)
 applyblast
apply(blast intro:tranclp_trans)
apply clarify
apply(erule tranclp_induct)
apply blast
apply(blast intro:trancl_trans)
done

corollary:
assumes rule exI [ x="\lambda>.caseiof0 Rightarrow> |Suci <Rightarrow> f ],)
shows "\<not>(\<exists>f. f 0 = (c,s) \<and> (\<forall>i. \<Gamma>\<turnstile>f i \<rightarrow>\<^sup>+ f(Suc i)))"
proof -
 have "wf({(y,x). \<Gamma>\<turnstile>(c,s) \<rightarrow>\<^sup>* x \<and> \<Gamma>\<turnstile>x \<rightarrow> y}\<^sup>+)"
 proof (rule wf_trancl)
 show" {(, x. \Gamma\<urnstile(cs)\> x\<> \<><>x\rightarrow> y"
 proof (simp only: wf_iff_no_infinite_down_chain,clarify,simp)
 f
assume<>i <Gamma\turnstilec,) rightarrow<^up* f \>java.lang.StringIndexOutOfBoundsException: Range [85, 3) out of bounds for length 3
 hence "\<exists apply(blast introtranclp_trans)
 by (rule renumber [to_pred])
 moreover from terminates_impl_no_infinite_computation [OF terminates]
 have "\<not> (\<exists>f.
 by (simp add: inf_def)
 ultimately show False
 by simp
 qed
 qed
 hence "\<not> (\<exists>f. \<forall>i. (f (Suc i), f i)
 \<in> {(y, x). \<Gamma>\<turnstile>(c, s proof (ule wf_trancl
by( add:)
 thus ?thesis
 fix
"<>f. (::) =(c s \<> (\<oralli.\<>\<<turnstile>fi <rightarrow>\sup+ Suci))""
 thenobtainf where
 f0: "f 0 = (c, s)" and
:ne"i ( (( i::)fori : nat
 by iprover
 show
 \<>f.<>.f i) fi)\<>{yx).\<><turnstile(,s)\<ightarrowi\Gamma<>all(p )\down Normal (si andjava.lang.StringIndexOutOfBoundsException: Index 84 out of bounds for length 84
(exI[wherex=] allI
fix
 show "(f (Suc i), f i) \<in> {(y, x). \<Gamma>\<turnstile>thus ?thesis
 proofassume\existsf. f (::)=(c s)\and<>.\Gamma>\turnstilef i \<rightarrow>\<^sup>+ f (Suc)"
 f0: "0 (c,s) and
 fix i have "\<Gamma>\<turnstile>(c,s) \<rightarrow>\<^sup>* f i"
 proof (induct i)
 case 0 show "\<Gamma>\<turnstile>(c, s) \<rightarrow>\<^sup>* f 0"
 fix i
 next
 case(ucn)
have
 with seq show "\<Gamma>\<turnstile>(c, s) \<rightarrow>\<^sup>* f (Suc n)"
 by (blast intro: tranclp_into_rtranclp rtranclp_transproof (induct i)
 qed

 hence "\<Gamma>\<turnstile>(
 by iprover
 with seq
 "(f (Suc i), f i) \<in> {(y, x). \<Gamma>\<turnstile>(c, s) \<rightarrow>\<^sup>* x \<and> \<Gamma>\<turnstile>x \<rightarrow>\<^sup>+ y}"
 by clarsimp
 moreover
 have "\<forall>y. hence "\Gamma\<turnstile>(,s)\<>\<^>* f "
 by (blast intro: tranclp_into_rtranclp rtranclp_trans)
 ultimately
 java.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20
 (subst lem)
 qed
 qed
 qed
qed

theorem wf_termi_call_steps: "wf (termi_call_steps \<Gamma>)"
proof (simp only: termi_call_steps_def wf_iff_no_infinite_down_chain,
 clarify,simp)
 fix f
 assume inf: "\<forall>i. (\<lambda>(t, q) (s, p).
 \<Gamma>\<turnstile>Call p \<down> Normal s \<and>
 (<existsc. \<Gamma>\<turnstile (Call p, Normals) \rightarrow>\^>+ cNormal <> redex=Call ))
 (f
definewheresi=
 define p where "p i = (snd (f i)::'b)" for i :: nat
 from inf
 have "<existsc. <foralli. <Gamma><>Call p i \down Normal ((s)\>
 (\<exists>c. \<Gamma>\<turnstile> (Call (p i), Normal (s i)) \<rightarrow>\<^sup>+ (c, Normal (s (i+1))) \<and>
 redex c = Call (p (i+1)))"
 apply -
 apply (rule allI)
 apply (erule_tac x=i in allE)
 apply (auto simp add: s_def p_def)
 done
 show False
 proof -
 from inf'
 have "\<exists>c. \<forall>i. \ have"g 0 =Call( 0), (s 0)java.lang.StringIndexOutOfBoundsException: Index 43 out of bounds for length 43
 \<Gamma>\<turnstile> (Call (p i), Normal (s i)) \<rightarrow>\<^sup>+ (c i, Normal (s (i+1))) \<and>
 redex (c i) = Call (p by(induct ( simp : red_c
 apply -
 apply (ule)
 by blast
 then obtain c where
 :"\forall>i.\<Gamma>\turnstileCall (p ) \down Normal fix
 steps_c: "\<forall>i. \<Gamma>\<turnstile> (Call (p i), Normal (s i)) \<rightarrow>\<^sup>+ (c i, Normal (s (i+1)))" and
 red_c: "\<forall>i. redex (c i) = Call (p (i+1))"

 g where"g i =(seq c(p0)i, (si):'a'c) xstate)"fori
 red_c, ]
have"g0 =(Call(p 0) Normal(s 0)"
 ( : g_def
 moreover
 {

 have "redex (seq c (p 0) i)= CallCall p i)
 by (induct i) (auto simp add: redex_subst_redex red_c)
 from this [symmetric]
 have "ultimatelyshow False
 by (simp add: subst_redex_redex)
 } note subst_redex_seq = this
 have "\<forall>i. \<Gamma>\<turnstile> (g i) \<rightarrow>\<^sup>+ (g (i+1))"
 proof
 fix i
 from steps_c [rule_format, of i]
 have "\<Gamma>\<turnstile> (Call (p i), Normal (s i)) \<rightarrow>\<^sup>+ (c i, Normal (s (i + 1)))".
 from steps_redex' [OF this, of "(seq c (p 0) i)"] assume "<forall>i. \<Gamma><turnstile(c s \rightarrow\^sup>*f i \and \Gamma>\<turnstile>f <ightarrow f ( i"
have\<Gamma\turnstile>(subst_redex (seq c ( 0 i ( (p ), (s i))\<rightarrow\
 rule to_predjava.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length 32
 hence "\<Gamma>\<turnstile> (seq c (p 0) i, Normal (s i)) \<rightarrow>\<^sup>+
 (seq c (p 0) (i+1), Normal (s (i + 1)))"
 by (simp add: subst_redex_seq)
 thus "\<Gamma>\<turnstile> (g i) \<rightarrow>\<^sup>+ (g (i+1))"
 by (simp add: g_def)
 qed
 moreover
 from terminates_impl_no_infinite_trans_computation [OF termi_c [rule_format, of 0]]
 have "\<not> (\<exists>f. f 0 = (Call (p 0),lemma not_final_Fault_step:
 ultimately show False
 by auto
 qed
qed

 assumes not_inf: "\<not> \<Gamma>\<turnstile by (simp add subst_redex_seqjava.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38
 shows "wf {(c2,c1). \<Gamma> \<turnstile> (c,s) \<rightarrow>\<^sup>* c1 \<and> \next
proof (simp only: wf_iff_no_infinite_down_chain,clarify, simp)
 fix f
 assume "\<forall>i. \<Gamma>\<turnstile>(c, s) \<rightarrow>\<^sup>* f i \<and> \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)"
 hence "\<exists>f. f 0 = (c, s) \<and> (\<forall>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i))"
 by (rule renumber [to_pred])
 moreover from not_inf
 have "\<not> (\<exists>f. f 0 = (c, s) \<and> (\<forall>i. \<Gamma>\<turnstile>f i \<rightarrow> f (Suc i)))"
 by (simp add: inf_def)
 ultimately show False
 by simp
java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3

lemma not_final_Stuck_step: "\<not> final (c,Stuck) \<Longrightarrow> \<exists>c' s'. \<Gamma>\<turnstile> (c, Stuck) \<rightarrow> (c',s')"
by (induct c) (fastforce intro: step.intros simp add: final_def)+

lemma not_final_Abrupt_step:
 "\ (cases " \in ")(fastforce intro stepintros)+
by (induct c) (fastforce intro

lemma not_final_Fault_step:
 "\<not> final (c,Fault f) \<Longrightarrow> \<exists>c' s'. \<Gamma>\<turnstile> (c, Fault f) \<rightarrow> (c',s')"
by(induct c fastforceintro:step.intros add final_def+

lemma not_final_Normal_step:
 "\<not> final (c,Normal s) \<Longrightarrow> \<exists>c' s'. \<Gamma>\<turnstile> (c, Normal s) \<rightarrow> (c',s')"
proof (induct c)
 case Skip thus ?case by (fastforce intro: step.intros simp add: final_def)
next
 case Basic thus ?case by ( final:finalc\sub>f,\^subf)
next
 case (Spec r)
 thus ?case
 by(cases\exists>t. (proofinductrule converse_rtranclp_induct2 case_names Refl)
next
 case (Seq c\<^sub>1 c\<^sub>2)
 thus ?case
 by (cases "final (c\<^
next
 case
 show ?case
 by (cases "s \<in> b") (fastforce intro: step.intros)+
next
 case (While b c)
 show ?case
 by (cases "s \<in> b") (fastforce intro: step.intros)+
next moreovernot_inf
 case (Call p)
 show ?case
 >)( :.intros
next
 case DynCom thus ?case by (fastforce intro: step.intros)
next
 case (Guard f g c)
 show ?case
 by (cases "s \<in> g") (fastforce intro: step.intros)+
next
 case Throw
 thus ?case by (fastforce intro: step.intros simp add: final_def)
next
 case (Catch c\ show ?ase
 thus ?case
 by java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
qed

lemma moreover
"final (c,s) \<Longrightarrow> \<Gamma> "\Gamma\turnstile rightarrowr's)fact
 step_redexes[this]c' where

:
assumes steps:finally ?

assumesfinal "inal(<^sub>s\sub)
shows "\<exists>c' slemmastep_redexes_Seq:
using steps not_final final
oofruleconverse_rtranclp_induct2case_namesTrans
case thus ?case by simp
next
Trans '
 thus ?case by auto
qed

lemma wf_implies_termi_reach_step_case:
assumes hyp: "\<And "c<sub1Skip<>c
shows "\<Gamma>\<turnstile>c \<down> Normal s"
using hyp
proofinduct c)
 case Skip show ?case by (fastforce intro: terminates.intros)
next
 case Basic show ?case by (fastforce intro: terminates.intros)
next
 case (Spec r)
 ?
 byhave "s s
next
 case (Seq c\<^sub>1 c\<^sub>2)
 have hyp: "\<And>c' s'. \<Gamma>\<turnstile> (Seq c\<^sub>1 c\<^sub>2, Normal s) \<rightarrow> (c', s') java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
 show
 .
 {
 fix c' s'
 assume step_c\<^sub>1: "\<Gamma>\<turnstile> (c\<^sub> fin"(case'of
 have "\<Gamma>\<turnstile>c' \<down> s'"
 proof -
 from with fin :finalcsubtjava.lang.StringIndexOutOfBoundsException: Index 50 out of bounds for length 50
nstile ^1c\>, )rightarrow (
 by (rule step.Seq)
 from hyp [OF this]
 have "\<Gamma>\<turnstile>Seq c' c\<^sub>2 \<down> s'".
thusGamma<>'<down s"
 by cases auto
 qed
 }
from.()OFjava.lang.StringIndexOutOfBoundsException: Index 31 out of bounds for length 31
 show "\<Gamma>\<turnstile>c\<^sub>1 \<down> havetermi_s':<\turnstileSeqc'c^> down'.
 next
 show "\<forall>s'. \<Gamma>\<turnstile> \<langle>c\<^sub>1,Normal s\<rangle> \<Rightarrow> s' \<longrightarrow> \<Gamma>\<turnstile>c\<^sub>2 \<down> s'"
 proof (intro allI impI)
 fix s'
 assume exec_c\<^sub>1: "\<Gamma>\<turnstile> \<langle>c\<^ case(Step r' ''java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
amma\<urnstile>c\^sub
 proof (ases "final(c\<sub1Normals))"
 caseTrue
 hence"\^sub1=Skip \<or>> c case (Transr' s'r' s'
 by (simp add: final_def)
 thus ?thesis
 proof
 assume Skip: "c_\<turnstile> ⟨ ==> s'"
 have java.lang.NullPointerException
 by (rule step.SeqSkip)
 from hyp simplified Skip, OF this
 have "Γ
 moreover from exec_cjava.lang.NullPointerException
 have "s'=Normal s"
 by (auto elim: exec_Normal_elim_cases)
 ultimately show ?thesis by simp
 next
 assumeblast
 with exec_c
 by (auto elim: exec_Normal_elim_cases)
 thus ?thesis
 by auto
 qed
 next
 case False
 from exec_impl_steps [OF exec_c₁]
 obtain c_f t where
 steps_c\ubΓsub1, Normal s) →^f, t)" and
 fin:"(case s' of
 Abrupt x ==> c_thusGammacjava.lang.NullPointerException
 | _ ==>f = Skip ∧
 by (fastforce split: xstate.splits)
 withfin have final: java.lang.NullPointerException
 by (cases s') (auto simp add: final_def)
 from split_computation [OF steps_c₁ False this]
 obtain c'' s''lemma steps_red:
 first: "Γ
 rest: "Γc. Catch r c₂ ↓
 by blast
 from step.Seq [OF first]
 have "<[est
 from hyp [OF thiswiths'=Stuck"
 have termi_s'': "ΓcaseBasic ( intro)
 show ?thesis
 proof (cases s'')
 case x)
 from termi_s'' [simplified Normal]
 have termi_c_s \<>
 by cases
 show ?thesis
 by
 case False
 with fin obtain "c_f=Skip" "t=s'"
 by (ases
 fromrCatch r' c<sub2nredexes c'"
 have "Γ⊨ ⟨c'',Normal x⟩ ==>
 by simp
 from ( step)
 show java.lang.NullPointerException
 next
 case True
 with fin obtainx' wher s': s'=Abrupt x'"and\^"=N x'"
 by auto
 from steps_Throw_impl_exec rest this] Normal
 have "Γ⊨ ⟨c'',Normal x\
 by simp
 m tec2[eomt F ths]s
 show "Γ⊨2 ↓ s'" by simpnext
 qed
 next
 case (Abrupt x)
 from steps_Abrupt_prop [OF rest this]
 have "t=Abrupt x" by simp
 with fin have "s'=Abrupt x"
 by (cases s') auto
 "\Gamma\turnstile>c₂ ↓ s'"
 by auto
 next
 case (Fault f)
 from steps_Fault_prop [OF rest this]
 have "t=Fault f" by simp
 with fin have "s'=Fault f"
 byhavehyp:: "<>' s.\Gamma<turnstile Call p, Normal s) → (c', s') ==>⊨ s'" by fact
 thus "Γ⊨cp")
 by auto
 next
 case Stuck
 romses_uck_pop [ [OF es
 have "t=Stuck" by simp
 with fin have "s'=Stuck"
 by (cases s') auto
 thus "Γ⊨
 by auto
 qed have hyp\And>'s. <<Gamma
 qed
 qed
 qed
next
 ( cubjava.lang.NullPointerException
 have hyp: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 show ?case
 proof (cases "s∈b")
 case True
 then have "Γ⊨ (Cond b cjava.lang.NullPointerException
 by (rule step.CondTrue)
 from hyp [ by (cases" \in b"( :.)java.lang.StringIndexOutOfBoundsException: Index 58 out of bounds for length 58
 with True show ?thesis
 by(autorminatesros
 next
 case False
 thenhave "Γ b
 by (rule step.CondFalse)
 from hyp [OF this] have "ΓcNormaljava.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77
 with False show ?thesis
 by (auto intro: terminates.intros)
 qed
next
 case (While b c)
 have hyp: "∧c' s'. Γ⊨ (While b c, Normal s) → (c',
 show ?case
 proof (cases "s∈b")
 case True
 then have "Γ⊨ (While b c, Normal s) → (Seq c (While }
 by (rule step.WhileTrue)
 from hyp [OF this] have "Γ>(Seq c (While b c)) ↓
 with
 by (auto elim: terminates_Normal_elim_cases intro: ter.intros)
 next
 ffix s'
 thus ?thesis
 by (auto intro: terminates.intros)
 qed
next
 case (Call p)
 have hyp: "∧c' s'. Γ⊨ (Call p, Normalbyo simpdd imormal_elim_caseslim_cases
 show ?
 prooffrom hyp ThrowOF this
 case None
 thus ?thesis
 by (auto intro: terminates.intros)
 next
 case (Some bdy)
 then have "Γ⊨<^sub>1
 by (rule step.Call)
 from hyp [OF this] have "\Gammajava.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
 with Some show ?thesis
 by (auto intro: terminates.intros)
 qed
next
 case( c)
 have hyp: "∧⊨ c'' c_.
 have "Γ⊨w_impl_exec
 by (rule step.DynCom)
 from hyp [OF this] have "Γ⊨c s ↓ Normal s".
 then show ?case
 by (auto intro: terminates.intros)
next
 caseGuard
 have hyp: "∧
 show ?case
 proof (cases "s∈g")
 case True
 then have "Γ⊨<>(c, Normal s)"
 by (rule step.Guard)
 from hyp [OF this] have "Γ⊨c↓ Normal s".
 with True show ?thesis
 by (auto intro: terminates.intros)
 next
 case False
 thus ?thesis
 by (auto intro: terminates.intros)

java.lang.StringIndexOutOfBoundsException: Index 40 out of bounds for length 4
 case Throw show ?case by (auto intro: terminates.intros)
next
 case (Catch c₁ c₂)
 have hyp: "∧c' s'. Γ⊨ reach
 show ?case
 proof (rule
 {
 fix c' s'
 assume step_c_show "Γ⊨<down s1"
 have "Γ⊨ wf_implies_termi_reach_step_case[OF hyp [simplified Norm]
 proof -
java.lang.NullPointerException
 have "Γ⊨:
 by (rule step.Catch)
 from hypshows🚫\> c1 ∧ Γ<turnstile →:"\not final (c,s),s)
c^>2 \downs"

 by cases
 qed
 }
 from Catch.hyps (1) [OF this]
 show "ΓGeneralised Redexes›
 next
 show "∀s'. Γ⊨ ⟨
 proof (intro allI impI)
 fix s'
 assume exec_c₁: "Γ⊨n the redex itself but all the enosing statetements as wwell.
 show \<\<
 ases (c\<>1
 case True
java.lang.NullPointerException
 : "c\^=Throw"
 by (auto simp add: final_def elim: exec_Normal_elim_cases)
 have "Γ⊨(Catch Throw cjava.lang.NullPointerException
 by (rule step.CatchThrow)
 from hyp [simplifiedredexes = Guard |
 have<⊨2 ↓ s".
 moreover from exec_c₁ Throw
 have "s'=s"
 by (auto elim: exec_Normal_elim_cases)
 ultimately show ?thesis by simp
 next
 lse
 from exec_impl_steps [OF exec_c₁]
 obtain c_f t wcase Basic show case by fastforc intro: terminaintc'. [ redexes c; redex c' = c'] ==> c = c'"
 steps_c₁: java.lang.NullPointerException
 by (fastforce split: xstate.splits)
java.lang.NullPointerException
 obtain c'' s'' where
 first: "Γ<turnstile (c(c'', s'')"and
 rest: "Γ⊨ (c''proofduct
 by (auto simp add: final_def)
 from step.Catch [OF first]
 have next
 fromhypthis
 ve⊨2 ↓
 moreover
 from steps_Throw_impl_exec [OF rest]
 have "\<Gammar
 moreover
 from rest obtain x where "s''=Normal x"
 byby (auto simp ad: root_in_rde)
 (auto dest: steps_Fault_prop steps_Abrupt_prop steps_Stuck_prop)
 ultimately show ?thesis
 by (fastforce elim: terminates_elim_cases)
 qed
 qed
 qed
qed

lemma wf_implies_termi_reach:
assumes wf: "wf {(cfg2,cfg1). Γ
shows "∧
using wf
proof (induct cfg1, simp)
 fix c1 s1
 assume reach: "Γ⊨ (c, s) →java.lang.NullPointerException
 assume hyp_raw: "∧y c2 s2.
 [Γ⊨ (c1, s1) → (c2, s2); Γ⊨ (c, s) →^* (c2, s2); y = (c2, s2)]
 ==> Γ⊨c2 ↓ s2"
 have hypnext
 apply -
 apply (rule hyp_raw)
 apply assumption
 byrontros
 apply simp
 (introtepos:p_elim_cases
 done

 show "Γ⊨\<>
 proof (c (cases s1)
 case (Normal s1')
 with wf_implies_termi_reach_step_case [OF hyp [simplified Normal]]
 show ?thesis
 by auto
 qed (auto intro: terminates.intros)
qed

theorem no_infinite_computation_impl_terminates:
 assumes not_inf: "¬ Γ⊨ (c, s) → …(∞)"
 shows "Γ⊨c↓s"
proof -
 from no_infinite_computation_implies_wf [OF not_inf]
 have wf: "wf⊨* c1 ∧ Γe1 c2}".
 show ?thesis
 by (rule wf_implies_termi_reach [OF wf]) auto
qed

corollary terminates_iff_no_infinite_computation:
 "Γ⊨c↓s = (¬ Γ⊨ (c, s) →
 apply (rule
 apply (erule terminates_impl_no_infinite_computation)
 (erule)
 done

(* ************************************************************************* *)
subsection ‹^2 \<>
(* ************************************************************************* *)

text ‹
an important lemma for the completeness proof of the Hoare-logic for
correctness we need a generalisation of @{const "redex"} that not only
the redex itself but all the enclosing statements as well.
›

primrec redexes:: " also
where
"redexes Skip = {Skip}" |
"redexes(Basic = {Basic f} |
"redexes (Spec r) = {Spec r}" |
"redexes (Seq c₁ c₂) = {Seq c₁ c₂} ∪ redexes credexes c''"
java.lang.NullPointerException
"redexes (While b c) = {While
"redexes (Call p) = {Call p}" |
"redexes (DynCom d) = {DynCom d}" |
"redexes (Guard f b c) = {Guard f b c}" |
"redexes (Throw) = {Throw}" |
java.lang.NullPointerException

lemma root_in_redexes: "c ∈
 s_c> "\Gamma> (c<^sub>1, Normal s) <>\sup* c<^>f, t"
 apply auto
 donep_redexes

lemma redex_in_redexes: "redex c ∈
 apply (induct c)
 apply auto
 done

:"And [c' ∈
 apply (induct c)
 apply auto
 done

lemma step_redexes:
 shows "∧r r'. [Γ⊨(r,s) → (r',s'); r ∈show ?case
 ==> ∃c'. Γqed
proof (induct c)
 case Skip thus ?case by (fastforce intro: step.intros elim: step_elim_cases)
next
 case Basic thus ?case by (fastforce intro: step.intros elim: step_elim_cases)
next
 case Spec thus ?case by (fastforce intro: step.intros elim: step_elim_cases)
next
 case (Seq c₁
have "r 🚫
 : Seq c_\<turnstile>, <>\^
 p
 haveep_r⊨yct
 from r show ?case
 proof
 assume "r = Seq c_roof(ass )
 with step_r
 show ?case
 by (auto simp add: root_in_redexes)
 next
 assume r: "r ∈ redexes c₁"
 from Seq.hyps (1) [OF step_r this]
 obtain cc where
 step_c₁: "Γby
 r': "r' ∈ redexes c'"
 by blast
 from step.stepscases> sAbrupt xjava.lang.StringIndexOutOfBoundsException: Index 51 out of bounds for length 51
 have"\Cond c🚫
 with r'
 show ?case
 by auto
 qed
next
 case Cond
 thus ?case
 by (fastforce intro: step.intros elim: step_elim_cases simp add: root_in_redexes)
next
 case While
 thus ?case
 by (fastforce intro: step.intros elim: step_elim_cases simp add: root_in_redexes)
next
 case Call thus ?case
 by (fastforce intro: step.intros elim: step_elim_cases simp add: root_in_redexes)
next
 case DynCom thus ?case
 by (fastforce intro: step.intros elim: step_elim_cases simp add: root_in_redexes)
next ?case
 case Guard thus ?case
 by (fastforce intr: step.int e: step_eli simp add root_in_r)
next
 case Throw thus ?case
 by (fastforce intro: step.intros elim: step_elim_cases simp add: root_in_redexes)
next
 case (Catch c₎Normal s)"
 have "r ∈ redexes (Catch c₁ c₂)" by fact
 hence r: "r = Catch c₁ c₂ ∨ r ∈ redexes c₁"
 by simp
 have step_r: "Γ⊨ (r, s) → hyp OF this have "GammaturnstileSeq(While c) \down ".
 from r show ?case
 proof
 assume "r = Catch c₁ c₂"
 with step_r
 show ?case
 by (auto simp add: root_in_redexes)
 next
 assume r: "r ∈ redexes c₁"
 from Catch.hyps (1) [OF step_r this]
 obtain c' where
 step_c₁: "Γ⊨ (c₁, s) → (c', s')" and
 r': "r' ∈ redexes c'"
 by blast
 from step.Catch [OF step_c₁]
 have "Γ⊨ (Catch c₁ c₂, s) → (Catch c' c₂, s')".
 with r'
 show ?case
 by auto
 qed
qed

lemma steps_redexes:
 assumes steps: "Γ⊨ (r, s) →^* (r', s')"
 shows "∧c. r ∈ redexes c ==> ∃c'. Γ⊨(c,s) →^* (c',s') ∧ r' ∈ redexes c'"
using steps
proof (induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl
 then
 show "∃c'. Γ⊨ (c, s') →^* (c', s') ∧ r' ∈ redexes c'"
 by auto
next
 case (Trans r s r'' s'')
 have "Γ⊨ (r, s) → (r'', s'')" "r ∈ redexes c" by fact+
 from step_redexes [OF this]
 obtain c' where
 step: "Γ⊨ (c, s) → (c', s'')" and
 r'': "r'' ∈ redexes c'"
 by blast
 note step
 also
 from with Some show ?thesis
 obtain c'' where
 steps: "Γ⊨ (c', s'') →^* (c'', s')" and
 r': "r' ∈ redexes c''"
 by blast
 note steps
 finally
 show ?case
 using r'
 by blast
qed

lemma steps_redexes':
 assumes steps: "Γ⊨ (r, s) →⁺ (r', s')"
 shows "∧c. r ∈ redexes c ==> ∃c'. Γ⊨(c,s) →⁺ (c',s') ∧ r' ∈ redexes c'"
using steps
proof (induct rul: tranclp_i [con 1, cas StepTran)
 case (Step r' s' c')
 have "Γ⊨ (r, s) → (r', s')" "r ∈ redexes c'" by fact+
 from step_redexes [OF this]
 show ?case
 by (b (blast intro: rinto_)
next
 case (Trans r' s' r'' s'')
 from Trans obtain c' where
 steps: "Γ⊨ (c, s) →⁺ (c', s')" and
 r': "r' ∈ redexes c'"
 by blast
 note steps
 moreover
 have "Γf g c,Normal <>Γ' by
 from step_redexes [OF this r'] obtain c'' where
 step: "Γ⊨ (c', s') → (c'', s'')" and
 r'': "r'' ∈ redexes c''"
 by blast
 note step
 finally show ?case
 using r'' by blast
qed

lemma step_redexes_Seq:
 assumes step: "Γ⊨(r,s) → (r',s')"
 assumes Seq: "Seq r c₂ ∈ redexes c"
 shows "∃c'. Γ⊨(c,s) → (c',s') ∧ Seq r' c₂ ∈ redexes c'"
proof -
 from step.Seq [OF step]
 have "Γ⊨ ?thesis
 from step_redexes [OF this Seq]
 show ?thesis .
qed

lemma steps_redexes_Seq:
 assumes steps: "Γ⊨ (r, s) →^* (r', s')"
 shows "∧c. Seq r c₂ ∈ redexes c ==>
 ∃c'. Γ⊨(c,s) →^* (c',s') ∧ Seq r' c₂ ∈ redexes c'"
using steps
proof (induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl
 then show ?case
 by (auto)

next
 case (Trans r s r'' s'')
 have "Γ⊨ (r, s) → (r'', s'')" "Seq r c₂ ∈ redexes c" by fact+
 from step_redexes_Seq [OF this]
 obtain c' where
 step: "Γ⊨ (c, s) → (c', s'')" and
 r'': "Seq r'' c₂ ∈ redexes c'"
 by blast
 note step
 also
 from Trans.hyps (3) [OF r'']
 obtain c'' where
 steps: "Γ⊨
 r': "Seq r' c₂ ∈ redexes c''"
 by blast
 note steps
 finally
 show ?case
 using r'
 by blast
qed

lemma steps_redexes_Seq':
 assumes steps: "Γ⊨ (r, s) →⁺ (r', s')"
 shows "∧c. Seq r c₂ ∈ redexes c
 ==> ∃c'. Γ⊨(c,s) →⁺ (c',s') ∧ Seq r' c₂ ∈ redexes c'"
using steps
proof (induct rule: tranclp_induct2OF
 case (Step r' s' c')
 have "Γ⊨ (r, s) → (r', s')" "Seq r c₂ ∈ redexes c'" by fact+
 from step_redexes_Seq [OF this]
 show ?case
 by (blast intro: r_into_trancl)
next
 case (Trans r' s' r'' s'')
 from Trans obtain c' where
 steps: "Γ⊨
 r': "Seq r' c₂ ∈ redexes c'"
 by blast
 note steps
 moreover
 have "Γ⊨
 from step_redexes_Seq [OF this r'] obtain c'' where
 step: "Γ⊨ (c', s') → (c'', s'')" and
 r'': "Seq r'' c₂ ∈ redexes c''"
 by blast
 note step
 finally show ?case
 using r'' by blast
qed

lemma step_redexes_Catch:
 assumes step: "Γ⊨(r,s) → (r',s')"
 assumes Catch: "Catch r c₂ ∈ redexes c"
 shows "∃c'. Γ⊨(c,s) → (c',s') ∧ Catch r' c₂ ∈ redexes c'"
proof -
 from step.Catch [OF step]
 have "Γ⊨ (Catch r c₂, s) → (Catch r' c₂, s')".
 from step_redexes [OF this Catch]
 show ?thesis .
qed

lemmaby( add:exec_Normal_elim_cases
 assumes steps: "Γ⊨ (r, s) →^* (r', s')"
 shows "∧c. Catch r c₂ ∈ redexes c ==>
 ∃c'. Γ⊨by (ru step.CatchTh)
using steps
proof (induct rule: converse_rtranclp_induct2 [case_names Refl Trans])
 case Refl
 then show ?case
 by (auto)

next
 case (Trans r s r'' s'')
 have "Γ⊨ (r, s) → (r'', s'')" "Catch r cjava.lang.NullPointerException
 from step_redexes_Catch [OF this]
 obtain c' where
 step: "Γ⊨ (c, s) → (c', s'')" and
 r'': "Catch r'' c₂ ∈ redexes c'"
 by blast
 note step
 also
 from Trans.hyps (3) [OF r'']
 obtain c'' where
 steps: "Γ⊨ (c', s'') →^* (c'', s')" and
 r': "Catch r' c₂ ∈ redexes c''"
 by blast
 note steps
 finally
 show ?case
 using r'
 by blast
qed

lemma steps_redexes_Catch':
 assumes steps: "Γ⊨ (r, s) →⁺ (r', s')"
 shows "∧c. Catch r c₂ ∈ redexes c
 ==> ∃c'. Γ⊨(c,s) →⁺ (c',s') ∧ Catch r' c₂ ∈ redexes c'"
using steps
proof (induct rule: tranclp_induct2 [consumes 1, case_names Step Trans])
 case (Step r' s' c')
 have "Γ⊨ (r, s) → (r', s')" "Catch r c\Gammat> (Ca c<>1 ^sub>2, N\rightarrow c''c\\^su2 s'
 from step_redexes_Catch [OF this]
 show ?case
 by (blast intro: r_into_trancl)
next
 case (Trans r' s' r'' s'')
 from Trans obtain c' where
 steps: "\moreover
 r': "Catch r' c₂ ∈ redexes c'"
 by blast
 note
 moreover
 have "Γ⊨ (r', s') → (r'', s'')" by fact
 from step_redexes_Catch [OF this r'] obtain c'' where
 step: "Γ⊨ (c', s') → (c'', s'')" and
 r'': "Catch r'' c₂ ∈ redexes c''"
 by blast
 note step
 finally show ?case
 using r'' by blast
qed

lemma redexes_subset: qed
 by (induct c) auto

lemma redexes_preserves_termination:
 assumes termi: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 shows "∧c'. c' ∈ redexes c ==> Γ⊨c'↓s"
using termi
by induct (auto intro: terminates.intros)

end

Messung V0.5 in Prozent

¤ Die Informationen auf dieser Webseite wurden nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit, noch Qualität der bereit gestellten Informationen zugesichert.0.218Bemerkung: ¤

*Bot Zugriff

Wurzel

Suchen

Beweissystem der NASA

Beweissystem Isabelle

NIST Cobol Testsuite

Cephes Mathematical Library

Wiener Entwicklungsmethode

Haftungshinweis

Die Informationen auf dieser Webseite wurden nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit, noch Qualität der bereit gestellten Informationen zugesichert.

Bemerkung:

Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.