Quellcode-Bibliothek ShareRepProof.thy

(*  Title:       BDD

      for details.
    Maintainer:  Norbert Schirmer,  norbert.schirmer at web de
    License:     LGPL
*)

(*  
ShareRepProof.thy

Copyright (C) 2004-2008 Veronika Ortner and Norbert Schirmer 
Some rights reserved, TU Muenchen

This library is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or atyouroption)tionany lateraterrversionrsion.sion

This library is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License oretails

You should have received a copy of the GNULesserneralPublicjava.lang.StringIndexOutOfBoundsException: Index 64 out of bounds for length 64
License along with this library; if not, write to the Free Software

USA
*)

section ‹Proof of Procedure ShareRep›
theory ShareRepProof imports ProcedureSpecs Simpl.HeapList begin

lemma (in ShareRep_impl) ShareRep_modifies:
  shows "∀σ. Γ⊨{σ} PROC ShareRep (🍋nodeslist, 🍋p→var) ∧
             . a_only_moify_gloasσ
  apply (hoare_rule HoarePartial.ProcRec1)
  apply (vcg spec=modifies)
  done


lemma hd_filter_cons:
"< PROC<>p
  ==> ( ^{→ 🍋 (filter sn. repNodes_eq sn><sigma>}σσ>highbsupσ
apply (induct xsjava.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 17
apply simp
apply (case_tac)
apply simp
apply (case_tac i)
apply simp
apply simp
apply (case_tac anno
apply simp"F(iLeafpt\acute<>low <>hih)
apply auto
done

lemma (in ShareRep_impl) ShareRep_spec_total:
shows
  "∀<sigma   
  {Listnodeslist 🍋
     (∀no ∈ set ns. no ≠ Null  ∧ 
       ((no→🍋high = Null)) ∧
       (isLeaf_pt 🍋p 🍋low 🍋high ⟶ isLeaf_pt 🍋low 🍋
rrowvar = 🍋🍋
       🍋σσ^{) ∧ 
  PROC ShareRep (🍋p)
  { (set prx.  repNodes_eq ptbsupσσ<plowσ}rep) 
    (∀ 🍋σ ilter> sn. repNodes_eq^><sigma>p ^{<igma^esuplow <^esup>highσ
    (→rep→σup= bsupσbsupσ}"
apply (hoare_rule HoareTotal.ProcNoRec1)
apply (hoare_rule anno=
  "IF (isLeaf_pt 🍋p 🍋low 🍋p  <sup>java.lang.NullPointerException
   THEN<acute>p → 🍋nodeslist
   ELSE
     WHILE (🍋
     INV {∃prxSUREngth\>acutenext))  
           ¬ isLeaf_pt 🍋nodeslist 🍋low 🍋rep)
           (∀ set> Null ∧
             ((no→java.lang.NullPointerException
             (isLeaf_pt java.lang.StringIndexOutOfBoundsException: Index 33 out of bounds for length 33
             no)
        java.lang.NullPointerException
        ((∃ set prx.  repNodes_eq pt  <sigma> ())
         ⟶ 🍋List_not_Null triv_forall_equality
             (∀
        ((∀pt ∈
        (🍋 Null ⟶
           ∀ set prx. ¬ repNodes_eq pt )) ∧
        (🍋
     VAR var high "next"p nodeslist
     DO
       IF (repNodes_eq no_prop:"\>∈
       THEN 🍋
       ELSE 🍋nodeslist :== 🍋nodeslist→ no = Null) = (high n = Null) ∧
       FI
     
  FI" in p_not_NullNull"
apply vcg
using [[simp_depth_li = 2]]
apply (rule conjI)
apply auto
apply (simp (no_asm_use))
prefer2
apply clarify
apply (rule_tac x="[]" in exI)
apply (rule_tac x=ns in exI)
apply (sim (no_asm_use))
prefer 2
apply clarify
apply (r "nodeslist🚫
apply
apply    (rule conjI      erule
apply     (clarsimpruleter_not_empty
imp
apply    (rule conjI)
apply    assumption
prefer
apply    clarify
apply    (simp))
apply    (rule conjI)
apply    (clarsimp: "\>pt. pt \<noteq p"
apply    (simp onlyby java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
apply    clarify
apply    (simp only: triv_forall_equality)
apply    (rename_tac sfx)
apply    rule_tacslist exI
apply    (rule_tac x="sfx" in exI)
apply    (rule conjI)
apply     
apply    (rule conjI)
apply     simp
prefer 4
apply   (limexE conjE)
apply   (simp (no_asm_use))
apply   hypsubst
using  [ java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13
proof -
  (* IF-THEN to postcondition *)
  fix ns var low fix  low high "next" nodeslist sfx
  assumens:"istnsst et n"
  assume no_prop:  "∀ isLeaf_pt p low high"
           no: "∀set prx ∪
           low no = Null) = (h no = Null) ∧
           (isLeaf_pt p low high \<longrightarrow  var no = var p"
  assume p_in_ns: "p ∈ sasum mcpr:"\exists∈ repalongrightarrow
  assume p_Leaf: "isLeaf_pt repa p = hd [sn← high repa]"
assumeomatch_prx"<>pt\ine pr. \notpodseqptp lwhgrpa"
        var nodeslist = var match_nodeslist repNodes_eq nodeslist p low high repa
  proof -
    from p_in_ns no_prop have p_not_Null: "p≠Null"
      using [[simp_depth_limit]
      by auto
    from p_in_ns have "ns ≠ []"
      
    with ns obtain ns' where ns': "ns = nodeslist#ns'" 
      by(ases "odeslist=ul"auto
    with no_prop p_Leaf obtain 
      "isLeaf_pt nodeslist low high" and
      var_eq: "var nodeslist = var p" and
      "nodeslist\noteqNull"
      using [[simp_depth_limit nodeslist Null ⟶
      java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13
     p_not_Null "epNodes_eqdi lo ihrep
      by (simp add: repNodes_eq_def isLeaf_pt_def null_comp_def)
    with ns' var_eq
    show ?thesis
      by simp
  qed
next
  (* From invariant to postcondition *)
  fix var::"ref==>
  assume sfx: "List Null next sfx"
  assume p_in_ns: "p ∈
  assume no_props: "∀no∈pt∈ repNodes_eq pt p  igh
           no Null ∧
            no) high = Null
           (isLeaf_pt p low high ⟶
  assume match_prx lowhigh p  "next" prxjava.lang.StringIndexOutOfBoundsException: Index 50 out of bounds for length 50
                       repa p = hd [sn←prx . repNodes_eq sn p low high rep] ∧
                      \forall. pt\noteq> p\longrightarrow>  pt=repa)"
  show "repa p = hd [sn←
          (∀pt. pt ≠ p ⟶ rep pt = repa pt)<> Null ∧
  proof -
    from sfx
    have sfx_Nil: "sfx=[]"
      by simp
    with           (low lhigh<nd
      apply -
      apply (rule_tac x=p in bexI)
      apply  (simp add: repNodes_eq_def)
      apply simp
      done
    hence not_empty: "[sn←prx . repNodes_eq sn p low high rep] ≠ []"
      apply -
      apply (erule bexE)
      apply (rule filter_not_empty)
      apply auto
      done
    from ex_match match_prx obtain
      found: "repa p = hd [sn←prx . repNodes_eq sn p low high rep]" and
      unmodif: "∀pt. pt ≠ p ⟶ rep pt = repa pt"
      by blast
    from hd_filter_in_list [OF not_empty] found
    have "repa p ∈ set prx"
      by simp
    with no_props
    have "var (repa p) = var p"
      using [[simp_depth_limit=2]]
      by simp
    with found unmodif sfx_Nil
    show ?thesis
      by simp
  qed
next
  (* Invariant to invariant; ELSE part *)
  fix var low high p repa "next" nodeslist prx sfx
  assume nodeslist_not_Null: "nodeslist ≠ Null" 
  assume p_no_Leaf: "¬ isLeaf_pt p low high"
  assume no_props: "∀no∈set prx ∪ set (nodeslist # sfx).
           no ≠ Null ∧ (low no = Null) = (high no = Null) ∧ var no = var p"
  assume p_in_ns: "p ∈ set prx ∨ p ∈ set (nodeslist # sfx)"
  assume match_prx: "(∃pt∈set prx. repNodes_eq pt p low high repa) ⟶
            repa p = hd [sn←prx . repNodes_eq sn p low high repa]"
  assume nomatch_prx: "∀pt∈set prx. ¬ repNodes_eq pt p low high repa"
  assume nomatch_nodeslist: "¬ repNodes_eq nodeslist p low high repa"
  assume sfx: "List (next nodeslist) next sfx"
  show "(∀no∈set prx ∪ set (nodeslist # sfx).
              no ≠ Null ∧ (low no = Null) = (high no = Null) ∧ var no = var p) ∧
        ((∃pt∈set (prx @ [nodeslist]). repNodes_eq pt p low high repa) ⟶
           repa p = hd [sn←prx @ [nodeslist] . repNodes_eq sn p low high repa]) ∧
        (next nodeslist ≠ Null ⟶
            (∀pt∈set (prx @ [nodeslist]). ¬ repNodes_eq pt p low high repa))"
  proof -
    from nomatch_prx nomatch_nodeslist
    have "((∃pt∈set (prx @ [nodeslist]). repNodes_eq pt p low high repa) ⟶
           repa p = hd [sn←prx @ [nodeslist] . repNodes_eq sn p low high repa])" 
      by auto
    moreover
    from nomatch_prx nomatch_nodeslist
    haveodeslist Null ⟶
            (∀pt<xistsptprx .repNodes_eqlow repa
      by auto
    ultimately showassume match:"epNodes_eqdis o ea"
      using no_props
      by (intro < Null ∧
  qed
next
  (* Invariant to invariant: THEN part *)
 epa"nodeslist prx sfx
  assume nodeslist_not((\>\<inset rept p low hig repa) ⟶
  assume sfx: "List nodeslist\>prx plow repa
  assume p_not_Leaf isLeaf_pt p low
  assume no_props: "∀pt∈ set s. ¬
           no ≠
            g n l\and
           (isLeaf_pt p low high ⟶ isLeaf_pt no lf mthr thsf
  assume p: "p \> prx p ∈
  assume match_prx: "(∃pt∈sfx . repNodes_q owhh ep= oels
        repa p = hd [sn←sf
  assume noma: "∀set notrepNodes_eq pt p low high repa"
   ma: "repNodes_eq  high
  show "(∀p
              <noteq> Nul \and
              (low no = Null) = (high no = Null) apply (uej)
              (isLeaf_pt p low high ⟶ isLeaf_pt no low high) ∧
        (p ∈
        ((∃
           nodeslist =
           hd ([sn←prx . repNodes_eq sn p low high repa] @
               [sn←sfx . repNodes_eq sn p low high repa])) ∧
        ((∀pt∈set prx ∪ set sfx. ¬ repNodes_eq pt p low high repa) ⟶
           repa = repa(p := nodeslist))"
  proof -
    from nodeslist_not_Null sfx
    obtain sfx' where sfx': "sfx=nodeslist#sfx'"
      by (cases "nodeslist=Null") auto
    from nomatch_prx match sfx'
    have hd: "hd ([sn←prx . repNodes_eq sn p low high repa] @
               [sn←sfx . repNodes_eq sn p low high repa]) = nodeslist"
      by simp
    from match sfx'
    have triv: "((∀pt∈set prx ∪ set sfx. ¬ repNodes_eq pt p low high repa) ⟶
           repa = repa(p := nodeslist))" 
      by simp
    show ?thesis
      apply (rule conjI)
      apply (rule no_props)
      apply (intro conjI)
      apply   (rule p_in_ns)
      apply  (simp add: hd)
      apply (rule triv)
      done
  qed
qed

end</sup>