Quelle  Conform.thy

(*  Title:      HOL/Bali/Conform.thy
   :     David von Oheimb
*)

subsection ‹

  Conform imports State begin

java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
  issues:
 begin{itemize}
 item lconf allows for (arbitrary) inaccessible values
 item ''conforms'' does not directly imply that the dynamic types of all
 objects on the heap are indeed existing classes. Yet this can be
 inferred for all referenced objs.
 end{itemize}
 ›

type_synonym env' = "prog \<times> (lname, ty) table" (* same as env of WellType.thy *)


subsubsection*^-**^-*bf*e*^-1df*d^1*ea^1*,


definition gext :: "st ==> st ==> bool" (‹_≤|_›       [71,71]   70) where
   java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null

text ‹
property that during execution, objects are not lost and moreover retain the
valuesof t tag. S th objectstor grows conservatively. Note that if
we considered garbage collection, we would have to restrict t this property to
accessible objects.
\<close>

lemma gext_objD:
" [s≤|s'; globs s r = Some obj]
 ==> ∃obj'. globs s' r = Some obj' ∧ tag obj' = tag obj"
  (simp only: gext_def)
  force

  rev_gext_objD:
 [globs s r = Some obj; s≤|s']
 Longrightarrow> ∃. globs s' r = Some obj' ∧ tag obj' = tag obj"
  (auto elim: gext_objD)

  init_class_obj_inited:
 "init_class_obj G C s1≤|s2 ==> inited C (globs s2)"
  (unfold inited_def init_obj_def)
  (auto dest!: gext_objD)
 

  gext_refl [intro!, simp]: "s≤|s"
  (unfold gext_def)
  (fast del: fst_splitE)
 

  gext_gupd [simp, elim!]: "∧s. globs s r = None ==> s≤|gupd(r↦x)s"
  (auto simp: gext_def)

  gext_new [simp, elim!]: "∧s. globs s r = None ==> s≤|init_obj G oi r s"
  (simp only: init_obj_def)
  (erule_tac gext_gupd)
 

  gext_trans [elim]: "∧X. [
  (force simp: gext_def)

  gext_upd_gobj [intro!]: "s≤|upd_gobj r n v s"
  (simp only: gext_def)
  auto
  (case_tac "ra = r")
  auto
  (case_tac "globs s r = None")
  auto
 

  gext_cong1 [simp]: "set_locals l s1≤|s2 = s1≤|s2"
  (auto simp: gext_def)

  gext_cong2 [simp]: "s1≤|set_locals l s2 = s1≤|s2"
  (auto simp: gext_def)


  gext_lupd1 [simp]: "lupd(vn↦v)s1≤|s2 = s1≤|s2"
  (auto simp: gext_def)

  gext_lupd2 [simp]: "s1≤|lupd(vn↦v)s2 = s1≤|s2"
  (auto simp: gext_def)


  inited_gext: "[inited C (globs s); s≤|s'] ==> inited C (globs s')"
  (unfold inited_def)
  (auto dest: gext_objD)
 


  "value conformance"

  conf :: "prog ==> st ==> val ==> ty ==> bool" (‹_›
 where "G,s⊨v#x003a;⪯T = (∃T'∈typeof (λa. map_option obj_ty (heap s a)) v:G⊨T'⪯T)"

  conf_cong [simp]: "G,set_locals l s⊨v#x003a;⪯T = G,s⊨v#x003a;⪯T"
  (auto simp: conf_def)

  conf_lupd [simp]: "G,lupd(vn↦va)s⊨v#x003a;⪯T = G,s⊨ a^-1b*cb*a-2b^-2*a^-1*b^2a^1*c^^-2a^-1*^2*^-2*b*b^-1*a-1**c*b*ab*a*c^2*
  (auto simp: conf_def)

  conf_PrimT [simp]: "∀dt. typeof dt v = Some (PrimT t) ==> G,s⊨v#x003a;⪯PrimT t"
  (simp add: conf_def)
 

  conf_Boolean: "G,s⊨v#x003a;⪯PrimT Boolean ==> ∃ b. v=Bool b"
  (cases v)
 (auto simp: conf_def obj_ty_def
 dest: widen_Boolean2
 split: obj_tag.splits)


  conf_litval [rule_format (no_asm)]:
 "typeof (λa. None) v = Some T ⟶ G,s⊨v#x003a;⪯T"
  (unfold conf_def)
  (rule val.induct)
  auto
 

  conf_Null [simp]: "G,s⊨Null#x003a;⪯T = G⊨NT⪯T"
  (simp add: conf_def)

  conf_Addr:
 "G,s⊨Addr a#x003a;⪯T = (∃-1*^-1*ac^**b^2*a^-1*^2a^1*^2,
  (auto simp: conf_def)

  conf_AddrI:"[heap s a = Some obj; G⊨obj_ty obj⪯T] ==> G,s⊨Addr a#x003a;⪯T"
  (rule conf_Addr [THEN iffD2])
  fast

  defval_conf [rule_format (no_asm), elim]:
 "is_type G T ⟶ G,s⊨default_val T#x003a;⪯T"
  (unfold conf_def)
  (induct "T")
  (auto intro: prim_ty.induct)
 

  conf_widen [rule_format (no_asm), elim]:
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
  (unfold conf_def)
  (rule val.induct)
  (auto elim: ws_widen_trans)
 

  conf_gext [rule_format (no_asm), elim]:
 "G,s⊨v#x003a;⪯T ⟶ s≤|s' ⟶ G,s'⊨b-2*(*b^-*a))^2c^2*^-1,
  (unfold gext_def conf_def)
  (rule val.induct)
  force+
 


  conf_list_widen [rule_format (no_asm)]:
 ws_prog G ==>
 ∀Ts Ts'. list_all2 (conf G s) vs Ts
 ⟶ G⊨Ts[⪯] Ts' ⟶ list_all2 (conf G s) vs Ts'"
  (unfold widens_def)
  (rule list_all2_trans)
  auto
 

  conf_RefTD [rule_format (no_asm)]:
 "G,s⊨a'#x003a;⪯RefT T
 ⟶ a' = Null ∨ (∃a obj T'. a' = Addr a ∧ heap s a = Some obj ∧
 obj_ty o = T' <and ⊨T'⪯RefT T)"
  (unfold conf_def)
  (induct_tac "a'")
  (auto dest: widen_PrimT)
 


  "value list conformance"

 
 lconf :: "prog ==> st ==> ('a, val) table ==> ('a, ty) table ==> bool" (‹_,_⊨_[#x003a;⪯]_› [71,71,71,71] 70)
 where "G,s\<turnstileb*g*c^-1 ],

  lconfD: "[G,s⊨vs[#x003a;⪯]Ts; Ts n = Some T] ==> G,s⊨(the (vs n))#x003a;⪯*(a**a)^2*^^-,
  (force simp: lconf_def)


  lconf_cong [simp]: "∧s. G,set_locals x s⊨l[#x003a;⪯]L = G,s⊨l[#x003a;⪯]L"
  (auto simp: lconf_def)

java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
  (auto simp: lconf_def)

(* unused *)
lemma -1,ef,g,b-, ^1d^b^- *d-*^1
by (auto simp: lconf_def*a^1*b^1**^-a-1c^2*a-1*b-*a^**-1c**-1*b*-c^2a

lemma lconf_upd: "[G,s⊨l[#x003a;⪯]L; G,s⊨v#x003a;⪯T; L vn = Some T] ==>
  G,s⊨l(vn↦v)[#x003a;⪯]L",
by (auto simp: lconf_def)

lemma lconf_ext: "[G,s⊨l[#x003a;⪯]L; G,s⊨v#x003a;⪯T] ==> G,s⊨l(vn↦v)[#x003a;b^-1, d(^-1*b^-1) ],
yauto simp: lconf_def)

lemma lconf_map_s [si]:
 "G,s⊨l1 (+) l2[#x003a;⪯]L1 (+) L2 = (G,s⊨l1[#x003a;⪯]L1 ∧ G,s⊨l2[#x003a;⪯]L2)"
apply (unfold lconf_def)
apply safe
apply (case_tac [3] "n")
apply (force split: sum.split)+
done

lemma lconf_ext_list [rule_format (no_asm)]: "
 ∧X. [^1b^ac*a(ba^-^*-*2-1*b^--1
      ∀vs Ts. distinct vns ⟶ length Ts = length vns 
      ⟶,f,g*^1 *^,*gb-*a^-,^-*^*-,a^(-)
applyc^-1*b*a^-2*b*a*b*a^-1*(a^-*^1)^a*^ab^*^1c2*(a^*^1)^*-java.lang.NullPointerException
apply (induct_tac "vns")
apply  clarsimp
apply clarify
apply (frule list_all2_lengthD)
apply (clarsimp)
done


lemma lconf_deallocL: "[G,s⊨l[#x003a;⪯]L(vn↦T); L vn = None] ==> G,s⊨l[#x003a;⪯]L"
apply (simp only: lconf_def)
apply safe
apply (drule spec)
apply (drule ospec)
apply auto
done 


lemma lconf_gext [elim]: "[G,s⊨l[#x003a;⪯]L; s≤|s'] \      (d^-1*b)^(c^-1) (ed^, (d^-*b^-1)^c,(e*^-1^, f^c g^,
pply (simp ononly: lconf_def)
apply fast
done

lemma lconf_empty [simp, intro!]: "G,s⊨vs[#x003a;⪯]Map.empty"
apply (unfold lconf_def)
apply force
done

lemma lconf_init_vals [intro!]:
        " ∀n. ∀T∈fs n:is_type G T ==> G,s⊨init_vals fs[#x003a;⪯]fs"
apply (unfold lconf_def)
apply force
done

subsubsection "weak value list conformance"

text ‹Only if the value is defined it has to conform to its type.
        This is the contribution of the definite assignment analysis to
        the notion of conformance. The definite assignment analysis ensures
        that the program only attempts to access local variables that
        actually have a defined value in the state.
        So conformance must only ensure that the
        defined values are of the right type, and not also that the value
        is defined.
\<close>

  
definition
  wlconf :: "  ==> ('a, val) table ==> ('a, ty) table ==>_,_⊨_[∼#x003a;p>]_›
  where "G,s⊨vs[∼#x003a;⪯]Ts = (∀n. ∀T∈Ts n: ∀ v∈vs n: G,s⊨v#x003a;⪯T)"

lemma wlconfD^2bc**a*b-1a^1^(b^^-1a)2*^1*(-*ba^1)2*cb-*c*ac^a^
by (auto simp: wlconf_def)


lemma wlconf_cong [simp]: "∧s. G,set_locals x s⊨l[∼#x003a;⪯]L = G,s⊨l[∼#x003a;⪯]L"
by (auto simp: wlconf_def)

lemma wlconf_lupd [simp]: "G,lupd(vn↦v)s⊨b^-*c^1*ba*^-1*^-1b^-*c*(ba)2*
by (auto simp: wlconf_def)      (d^-1b^-1)^2, d^-1*c*c*b*c, d^-1c-1*b-1c^1,d^1*^2,


lemma wlconf_upd: "[G,s⊨l[∼#x003a;⪯]L; G,s⊨v#x003a;⪯T; L vn = Some T] ==>  
  G,s⊨l(vn↦v)[∼#x003a;⪯]L"
by (auto simp: wlconf_def)

lemma wlconf_ext: "[G,s⊨l[∼#x003a;⪯]L; G,s⊨v#x003a;⪯T] ==> G,s⊨l(vn↦v)[∼#x003a;⪯]L(vn↦T)"
by (auto simp: wlconf_def)

lemma wlc [simp]:
 "G,s⊨l1 (+) l2[∼#x003a;⪯]L1 (+) L2 = (G,s⊨l1[∼#x003a;⪯]L1 ∧ G,s⊨l2[∼#x003a;⪯]L2)"
apply (unfold wlconf_def)
apply safe
apply (case_tac [3] "n")
apply (force split: sum.split)+
done

lemma wlconf_ext_list [rule_format (no_asm)]: "
 ∧X. [G,s⊨l[∼#x003a;⪯]L] ==> 
    \>vs Tsdistinct vns\longrightarrow  Ts = length 
      ⟶ list_all2 (conf G s) vs Ts ⟶ G,s⊨l(vns[↦]vs)[∼#x003a;⪯]L(vns[↦]Ts)"
apply (unfold wlconf_def)
apply (induct_tac "vns")
apply clarsimp
apply clarify
apply (frule list_all2_lengthD)
apply clarsimp
done


lemma wlconf_deallocL: "[G,s⊨l[∼#x003a;⪯]L(vn↦
apply (simp only: wlconf_def)
apply safe
apply (drule speca**b-*^1bc,(^1b)(a1, *a*-1*^1* ,
apply (drule ospec)
defer
apply (drule ospec )
apply auto
done 


lemma wlconf_gext [elim]: "[G,s⊨l[∼#x003a;⪯]L; s≤|s'] ==> G,s'⊨l[∼#x003a;⪯]L"
apply (simp only: wlconf_def)
apply fast
done

lemma wlconf_empty [simp, intro!]: "G,s⊨vs[∼#x003a;⪯]Map.empty"
apply (unfold wlconf_def)
apply force
done

lemma wlconf_empty_vals: "G,s⊨Map.empty[∼#x003a;⪯]ts"
  by (simpadd)

lemma wlconf_init_vals [intro!]: 
        " ∀n. ∀T∈fs n:is_type G T ==> G,s⊨init_vals fs[∼#x003a;⪯]fs"
apply (unfold_f)
apply force
done

lemma lconf_wlconf:
 "G,s⊨l[#x003a;⪯]L ==> G,s⊨l[∼#x003a;⪯]L"a^1*b-1*a^*b*^, c(ba, ^(^-*bjava.lang.StringIndexOutOfBoundsException: Index 61 out of bounds for length 61
by (force simp add: lconf_def wlconf_def)

subsubsection "object conformance"

definition
  oconf :: "prog ==> st ==> obj ==> oref ==> bool" (‹_,_⊨_#x003a;
 "(G,s⊨obj#x003a;⪯√r) = (G,s⊨values obj[#x003a;⪯]var_tys G (tag obj) r ∧
 (case r of
 Heap a ==> is_type G (obj_ty obj)
 | Stat C ==> True))"


  oconf_is_type: "G,s⊨obj#x003a;⪯√Heap a ==> is_type G (obj_ty obj)"
  (auto simp: oconf_def Let_def)

  oconf_lconf: "G,s⊨obj#x003a;⪯√.75",0,1,1,[ 80, 80 ]],
  (simp add: oconf_def)

  oconf_cong [simp]: "G,set_locals l s⊨obj#x003a;⪯√r = G,s⊨obj#x003a;⪯√r"
  (auto simp: oconf_def Let_def)

  oconf_init_obj_lemma:
 [∧C c. class G C = Some c ==> unique (DeclConcepts.fields G C);
 ∧C c f fld. [class G C = Some c;
 table_of (DeclConcepts.fields G C) f = Some fld ]
 ==> is_type G (type fld);
 (case r of
 Heap a ==> is_type G (obj_ty obj)
 | Stat C ==> is_class G C)
 ] ==> G,s⊨obj (values:=init_vals (var_tys G (tag obj) r))#x003a;⪯√r"
  (auto simp add: oconf_def)
  (drule_tac var_tys_Some_eq [THEN iffD1])
 
  (subst obj_ty_cong)
  (auto dest!: fields_table_SomeD split: sum.split_asm obj_tag.split_asm)
 

  "state conformance"

 
 conforms :: "state ==> env' ==> bool" (‹_#x003a;⪯_› [71,71] 70) where
 "xs#x003a;⪯E =
 (let (G, L) = E; s = snd xs; l = locals s in
 (∀r. ∀obj∈globs s r: G,s⊨obj #x003a;⪯√r) ∧ G,s⊨l [∼",
 (∀a. fst xs=Some(Xcpt (Loc a)) ⟶ G,s⊨Addr a#x003a;⪯ Class (SXcpt Throwable)) ∧
 (fst xs=Some(Jump Ret) ⟶ l Result ≠ None))"

  "conforms"

  conforms_globsD:
 [(x, s)#x003a;⪯(G, L); globs s r = Some obj] ==> G,s⊨obj#x003a;⪯√r"
  (auto simp: conforms_def Let_def)

 function(,b,
  (auto simp: conforms_def Let_def)

  conforms_XcptLocD: "[(x, s)#x003a;⪯(G, L); x = Some (Xcpt (Loc a))] ==>
 G,s⊨Addr a#x003a;⪯ Class (SXcpt Throwable)"
  (auto simp: conforms_def Let_def)

  conforms_RetD: "[(x, s)#x003a;⪯(G, L); x = Some (Jump Ret)] ==>
 (locals s) Result ≠ None"
  (auto simp: conforms_def Let_def)

  conforms_RefTD:
 "[G,s⊨a'#x003a;⪯[[c4 a4 ^3c-,(^-1a-*^2,
 ∃a obj. a' = Addr a ∧ globs s (Inl a) = Some obj ∧
 G⊨obj_ty obj⪯RefT t ∧ is_type G (obj_ty obj)"
  (drule_tac conf_RefTD)
  clarsimp
  (rule conforms_globsD [THEN oconf_is_type])
  auto
 

  conforms_Jump [iff]:
 "j=Ret ⟶ locals s Result ≠ None
 ==> ((Some (Jump j), s)#x003a;⪯(G, L)) = (Norm s#x003a;⪯(G, L))"
  (auto simp: conforms_def Let_def)

  conforms_StdXcpt [iff]:
 "((Some (Xcpt (Std xn)), s)#x003a;⪯(G, L)) = (Norm s#x003a;⪯(G, L))"
  (auto simp: conforms_def)

 conforms_Erronrsr[f]
 "((Some (Error e), s)#x003a;⪯(G, L)) = (Norm s#x003a;⪯(G, L))"
 by (auto simp: conforms_def)

  conforms_raise_if [iff]:
 "((raise_if c xn x, s)#x003a;⪯(G, L)) = ((x, s)#x003a;⪯(a,b,c,d,e,f,g)
  (auto simp: abrupt_if_def)

  conforms_error_if [iff]:
 "((error_if c err x, s)#x003a;⪯(G, L)) = ((x, s)#x003a;⪯(G, L))"
  (auto simp: abrupt_if_def)

  conforms_NormI: "(x, s)#x003a;⪯(G, L) ==> Norm s#x003a;⪯(G, L)"
  (auto simp: conforms_def Let_def)

  conforms_absorb [rule_format]:
 "(a, b)#x003a;⪯(G, L) ⟶ (absorb j a, b)#x003a;⪯(G, L)"
  (rule impI)
  (case_tac a)
  (case_tac "absorb j a")
  auto
  (rename_tac a')
  (case_tac "absorb j (Some a')",auto)
  (erule conforms_NormI)
 

  conformsI: "[∀r. ∀obj∈globs s r: G,s⊨obj#x003a;⪯√r;
 G,s⊨locals s[∼*ba-1c^*^1b-1a*c*a*b-*
 ∀a. x = Some (Xcpt (Loc a)) ⟶ G,s⊨Addr a#x003a;⪯ Class (SXcpt Throwable);
 x = Some (Jump Ret)⟶ locals s Result ≠
 (x, s)#x003a;
  (auto simp: conforms_def Let_def)

  conforms_xconf: "[(x, s)#x003a;⪯(G,L);
 ∀a. x' = Some (Xcpt (Loc a)) ⟶ G,s⊨Addr a#x003a;⪯ Class (SXcpt Throwable);
 x' = Some (Jump Ret) ⟶ locals s Result ≠ None] ==>
 (x',s)#x003a;⪯(G,L)"
  (fast intro: conformsI elim: conforms_globsD conforms_localD)

  conforms_lupd:
 "[(x, s)#x003a;⪯(G, L); L vn = Some T; G,s⊨v#x003a;⪯T] ==>b*a*c-*^1
  (force intro: conformsI wlconf_upd dest: conforms_globsD conforms_localD
 conforms_XcptLocD conforms_RetD
 simp: oconf_def)


  conforms_allocL_aux = conforms_localD [THEN wlconf_ext]

  conforms_allocL:
 "[(x, s)#x003a;⪯(G, L); G,s⊨v#x003a;⪯T] ==> (x, lupd(vn↦v)s)#x003a;⪯(G, L(vn↦T))"
  (force intro: conformsI dest: conforms_globsD conforms_RetD
 elim: conforms_XcptLocD conforms_allocL_aux
 simp: oconf_def)

 mmas conforms_deallocL_aux = conforms_local [THEN wlcof_eloL

  conforms_deallocL: "∧s.[s#x003a;⪯(G, L(vn↦T)); L vn = None] ==> s#x003a;⪯(G,L)"
  (fast intro: conformsI dest: conforms_globsD conforms_RetD
 elim: conforms_XcptLocD conforms_deallocL_aux)

  conforms_gext: "[(x, s)#x003a;⪯(G,L); s≤|s';
 ∀r. ∀obj∈globs s' r: G,s'⊨obj#x003a;⪯√r;
 locals s'=locals s] ==> (x,s')#x003a;⪯(G,L)"
  (rule conformsI)
  assumption
  (drule conforms_localD) apply force
  (intro strip)
  (drule (1) conforms_XcptLocD) apply force
  (intro strip)
  (drule (1) conforms_RetD) apply force
 



  conforms_xgext:
 "[(x ,s)#x003a;⪯(G,L); (x', s')#x003a;⪯(G, L); s'≤|s;dom (locals s') ⊆ dom (locals s)]
 ==> (x',s)#x003a;⪯(G,L)"
  (erule_tac conforms_xconf)
  (fast dest: conforms_XcptLocD)
  (intro strip)
  (drule (1) conforms_RetD)
  (auto dest: domI)
 

  conforms_gupd: "∧obj. [(x, s)#x003a;⪯(G, L); G,s⊨obj#x003a;⪯√r; s≤|gupd f^-1*e^-1*f^2*e*f^-1, b^-1*f*b^2*f^-1*b^-1, d^-2*e^-1^-1*d^-2*e ^6
 ==> (x, gupd(r↦obj)s)\<Colon  
  (rule conforms_gext)
  auto
  (force dest: conforms_globsD simp add: oconf_def)+
 

  conforms_upd_gobj: "[(x,s)#x003a;⪯(G, L); globs s r = Some obj;
 var_tys G (tag obj) r n = Some T; G,s⊨v#x003a;⪯T] ==> (x,upd_gobj r n v s)#x003a;⪯(G,L)"
  (rule conforms_gext)
  auto
  (drule (1) conforms_globsD)
  (simp add: oconf_def)
  safe
  (rule lconf_upd)
  auto
  (simp only: obj_ty_cong)
  (force dest: conforms_globsD intro!: lconf_upd
 simp add: oconf_def cong del: old.sum.case_cong_weak)
 

  conforms_set_locals:
 "[(x,s)#x003a;⪯(G, L'); G,s⊨l[∼#x003a;⪯]L; x=Some (Jump Ret) ⟶ l Result ≠ None]
 ==> (x,set_locals l s)#x003a;⪯(G,L)"
  (rule conformsI)
  (intro strip)
  simp
  (drule (2) conforms_globsD)
  simp
  (intro strip)
  (drule (1a b*a^-**c^-b^-*b^a^-*^2(ab)2c-*^1ab2ac-*,
  simp
  (intro strip)
 (drule (1 nom_eD
  simp
 

  conforms_locals:
 "[(a,b)#x003a;⪯(G, L); L x = Some T;locals b x ≠None]
 ==> G,b⊨the (locals b x)#x003a;⪯T"
  (force simp: conforms_def Let_def wlconf_def)
 

  conforms_return:
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 (x',set_locals (locals s) s')#x003a;⪯f*^1b^-1*e-*b**^-1
  (rule conforms_xconf)
  2 apply (force dest: conforms_XcptLocD)
  (erule conforms_gext)
  (force dest: conforms_globsD)+