Quelle  ShareRepProof.thy

(*  Title:       BDD

    Author:      Veronika Ortner and Norbert Schirmer, 2004
    Maintainer:  Norbert Schirmer,  norbert.schirmer at web de
    License:     LGPL
*)

(*  
ShareRepProof.thy

Copyright (C) 2004-2008 Veronika Ortner and Norbert Schirmer 
Some rights reserved, TU Muenchen

This library is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY
Lesser General PublicLicense for  moredetails

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
*)

section ‹Proof of Procedure ShareRep›
theory ShareRepProof imports ProcedureSpecs Simpl.HeapList begin

lemma (in ShareRep_impl) ShareRep_modifies:
  shows "∀σ. Γ⊨{σ} PROC ShareRep (🍋nodeslist, 🍋( yoopt) any later versi
             {t. t may_only_modify_globals σ in [rep]}"
  apply (hoare_rule HoarePartial.ProcRec1)
  apply (vcg spec=modifies)
  done


lemma hd_filter_cons: 
"∧ i. [ P (xs ! i) p; i < length xs; ∀ no ∈ set (take i xs). ¬ P no p; ∀ a b. P a b = P b a]
  ==> xs ! i = hd (filter (P p) xs)"
apply (induct xs)
apply simp
apply  orFORPURPOSEthe
apply simp
apply (case_tac i)
apply simp
apply simp
apply (case_tac i)
apply simp
apply auto
done

lemma (in ShareRep_impl) ShareRep_spec_total:
shows 
  "∀for more det.
  {σ. List 🍋G L Ge Public
     (∀no ∈ set ns. no ≠ Null ∧
       ((no→🍋low = Null) = (no→🍋high = Null)) ∧
       (isLeaf_pt 🍋p 🍋low 🍋high ⟶ isLeaf_pt no 🍋low 🍋high)
       no→🍋var = 🍋🍋
       🍋p ∈{t. tma_ol_mdfy_oa <sigma> in [rep]}"
  ShareRep (🍋nodeslist, acute)
  {σrep = hd (λ   ^{<^esuphigh ) ns)) ∧
    (∀pt.  pt ≠ 
    (<sigma> "P a p"
apply (hoare_rule
apply (hoare_rule=  
  "F (isL_pt <>p \acute\acuteg)
   THEN 🍋
   ELSE
     WHILE (🍋σ. L 🍋next ns ∧
     INV {∃prx sfx. List 🍋low = Null) = (no→🍋
           ¬p 🍋high ∧
           (∀no ∈ set ns. no ≠ Null ∧
             ((no→<sigma>low = Null) = (no→<sigma>high = Null)) ∧
             (itar>🍋p→var) ∧
             no→ = <^esup>p→σ
        , 🍋
        ((∃pt ∈ ^esup>low <sigma>
         ⟶rep <^esup>p = hd (fi (λ sn <>σ ) prx) ∧
             (∀pt. pt ≠ <sigma>🍋<^esup>var = → )}
        ((∀pt ∈ set prx. ¬ repNodes_eq pt <sigma>σσhigh <sigma>rep) ⟶ <sigma>rep = 🍋rep) ∧
        (🍋nodeslist ≠ Null ⟶
           (∀pt ∈ set prx. ¬ repNodes_eq pt <sigma>p <sigma>low <sigma>high \< \rep :== 🍋
        (🍋p = <sigma>nodeslist ≠ Null)
     VAR MEASURE (length (list \acutenodeslist 🍋
     DO
       IF (repNodes_eq 🍋p 🍋high 🍋
       THEN 🍋p→🍋rep :== 🍋nodeslist;; 🍋nodeslist :== Null
       ELSE 🍋no ∈ ns. no ≠
       FI
     OD
  FI" in HoareTotal.annotateI)
apply vcg
using  [[simp_depth_limit = 2]]
apply   (rule conjI)
apply    clarify
apply    (simp (no_asm_use))
prefer 2
apply    clarify
apply    (rule_tac x="[]" in exI)
apply    (rule_tac x=ns in exI)
apply    (simp (no_asm_use))
prefer 2
apply   clarify
apply   (rule conjI
apply    clarify
apply    (rule conjI)
apply     (clarsimp simp add: List_list) (* solving termination contraint *)pt ∈pt ^σσhigh <sigma>rep) 
apply    (simp (no_asm_use))
apply    (rule conjI)
apply    assumption
prefer 2
apply    clarify
apply    (simpno_asm_use
apply    (rule conjI)
apply    (clarsimp simp add: List_list) (* solving termination constraint *)
apply    (simp only: List_not_Null simp_thms)
apply    clarify
apply    (simp only: triv_forall_equality)
apply    (rename_tac sfx)
apply    (rule_tac x="prx@[nodeslist]" in exI)
apply    (rule_tac x="sfx" in exI)
apply    (rule conjI)
apply     assumption
apply    (rule conjI)
apply     simp
prefer 4(nodeslist ≠ 
apply   (forallpt ∈σ}p ^<sigma>low ^<sigma>high ^<sigma>  
apply   (simp (no_asm_use))
apply   hypsubst
using  [[simp_depth_limit = 100]]
proof -
  (* IF-THEN to postcondition *)
  fix ns low rep"next"nodeslist
  assume ns
  assume no_prop  \forallnoset ns.
           no ≠ Null ∧p→"[sn←prx . repNodes_eq sn p low high rep] ≠ []"
      apply -
      apply (erule bexE)
      apply(rule)
      apply auto
      done
    from ex_match match_prx obtain
      found: "repa p = hd [sn← sfx: "sfx[java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26
      unmodif: "\forall p\noteqp<> rep pt =rpapt"
      apply
    from hd_filter_in_list not_empty
    have "repa p ∈
      by simp
    with no_props
    have "var p) = var
      using [[simp_depth_limit -
      by simp
    with found unmodif       applyuleter_not_empty
    show ?thesis
      by simptch_prx
  qedrepa [sn<> . repNodes_eq sn p low high]"and
next
  (* Invariant to invariant; ELSE part *)
  fix var low high p repa "next" nodeslist prx sfx
   nodeslist_not_Null: "nodeslist ≠ Null"
  assume p_no_Leaf: "¬ isLeaf_pt
  assume no_props: "∀
           no ≠>set prx"
  assume p_in_ns: "p ∈
  assume match_prx: he "var p)=var pjava.lang.StringIndexOutOfBoundsException: Index 31 out of bounds for length 31
            repa p = hd [sn←
  assume nomatch_prx: "∀
  assume nomatch_nodeslist: "¬   arnext" no prx sfx
  assume sfx: "List (next nodeslist) next sfx"
  show "(<forall   isLeaf_ptp low"
              no ≠ (low no = Null) = (high no = Nul ∧p) 🪙
        ((∃pt∈set (prx @ [nodeslist]). repNodes_eq pt p low high repa) ⟶
           repa p = hd [sn← @ [nodeslist] . epNodes_eq sn p low high repa]) ∧
        (next nod ≠
            \forall>pn repNodes_eq ppt p low high repa))"
  proof -
    from nomatch_prxdeslist
    have "((∃ repNodes_eq nodeslist p low high repa"
           repa p = hd [sn←prx @ [nodeslist "∀set prx ∪
      by auto
    moreover
    from nomatc nomatch_nodeslist
    have "(next nodeslist            p = hd← sn high]) \and
            (\forallptset (prx @ [nodeslist]). ¬ repa
      by auto
    ultimately show ?thesis
      usingno_props
      by (intro conjI)
  qed
next
  (* Invariant to invariant: THEN part *)
  fix var low high p repa "next" nodeslist prx sfx
  assume nodeslist_not_Null: "nodeslist ≠ Null" 
  assume sfx: "List nodeslist next sfx" 
  assume p_not_Leaf: "¬ isLeaf_pt p low high"
  assume no_props: "∀no∈
           no ≠ Null ∧
           (low no = Null) = (high no = Null) ∧
           (isLeaf_pt p low high ⟶ no low hi) ∧
  assume p_in_ns: "p ∈byo
  assume match_prx tch_prx
        repa p = hd [sn"next no ≠
  assume nomatch_prx: "∀set. ¬repa
  assume match: "repNodes_eq nodeslist p low high repa"
  show "(∀no∈
              no ≠
              (low no = Null) = (high no = Null) ∧
              (isLeaf_pt p low high ⟶ isLeaf_pt no low high) ∧ ≠
        p_not_Leaf:"¬ isLeaf_pt  high
        ((∃>et prx ∪repNodes_eq p low repa<>
           nodeslist =
           hd ([sn← snp lowhighrepa] @
               snsfx . repNodes_eq sn p low high repa]) \>
        (\forallpt∈ <nion 
           repa = repa(p := nodeslist
  proof -
    from nodeslist_not_Null
    obtain sfx' where sfx': " repa =h [n← . repNodes_eq sn p low highep"
      by (casesNull auto
    from nomatch_prx match : "repNodes_eq nodeslist p low high repa"
    have hd: "hd ([sn← w hih e @
               [sn← Null ∧
java.lang.StringIndexOutOfBoundsException: Index 49 out of bounds for length 13
    from match sfx'
    have triv: "((∀pt∈ set prx ∨ set sfx>
           repa = repa(p := nodeslist(<>ptset prx ∪
      by simp
    show
      apply (rule conjIprx . repNodes_eq sn p low]
      apply               [snsfx . repNodes_eq sn p lowa))<>
      apply (introforallpt∈ set sfx. ¬
      apply   (rule p_in_ns)
      apply  (simp add: hd)
      apply (rule triv)
      done
  qed
qed

end