From 3af704040f4b0f2b6c8594528b4ed0d6b1fa0cdb Mon Sep 17 00:00:00 2001 From: Corey Lewis Date: Wed, 9 Aug 2023 19:38:38 +1000 Subject: [PATCH 1/3] lib/monads: move lifting/splitting section earlier in Nondet_VCG Signed-off-by: Corey Lewis --- lib/Monads/nondet/Nondet_VCG.thy | 438 +++++++++++++++---------------- 1 file changed, 219 insertions(+), 219 deletions(-) diff --git a/lib/Monads/nondet/Nondet_VCG.thy b/lib/Monads/nondet/Nondet_VCG.thy index 6cf3fa976e..ca1adeaa25 100644 --- a/lib/Monads/nondet/Nondet_VCG.thy +++ b/lib/Monads/nondet/Nondet_VCG.thy @@ -445,6 +445,225 @@ lemma liftE_validE[simp]: by (simp add: liftE_liftM validE_def hoare_liftM_subst o_def) +subsection \Operator lifting/splitting\ + +lemma hoare_vcg_if_split: + "\ P \ \Q\ f \S\; \P \ \R\ g \S\ \ \ \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\" + by simp + +lemma hoare_vcg_if_splitE: + "\ P \ \Q\ f \S\,\E\; \P \ \R\ g \S\,\E\ \ \ + \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\,\E\" + by simp + +lemma hoare_vcg_split_case_option: + "\ \x. x = None \ \P x\ f x \R x\; \x y. x = Some y \ \Q x y\ g x y \R x\ \ \ + \\s. (x = None \ P x s) \(\y. x = Some y \ Q x y s)\ + case x of None \ f x | Some y \ g x y + \R x\" + by (cases x; simp) + +lemma hoare_vcg_split_case_optionE: + "\ \x. x = None \ \P x\ f x \R x\,\E x\; \x y. x = Some y \ \Q x y\ g x y \R x\,\E x\ \ \ + \\s. (x = None \ P x s) \ (\y. x = Some y \ Q x y s)\ + case x of None \ f x | Some y \ g x y + \R x\, \E x\" + by (cases x; simp) + +lemma hoare_vcg_split_case_sum: + "\ \x a. x = Inl a \ \P x a\ f x a \R x\; \x b. x = Inr b \ \Q x b\ g x b \R x\ \ \ + \\s. (\a. x = Inl a \ P x a s) \ (\b. x = Inr b \ Q x b s) \ + case x of Inl a \ f x a | Inr b \ g x b + \R x\" + by (cases x; simp) + +lemmas hoare_vcg_precond_imp = hoare_weaken_pre (* FIXME lib: eliminate *) + +lemmas hoare_seq_ext = seq_ext[rotated] +lemmas hoare_vcg_seqE = seqE[rotated] + +lemma hoare_seq_ext_nobind: + "\ \B\ g \C\; \A\ f \\_. B\ \ \ \A\ do f; g od \C\" + by (fastforce simp: valid_def bind_def Let_def split_def) + +lemma hoare_seq_ext_nobindE: + "\ \B\ g \C\, \E\; \A\ f \\_. B\, \E\ \ \ \A\ doE f; g odE \C\, \E\" + by (fastforce simp: validE_def valid_def bindE_def bind_def throwError_def return_def lift_def + split: sum.splits) + +lemmas hoare_seq_ext_skip' = hoare_seq_ext[where B=C and C=C for C] + +lemma hoare_chain: + "\ \P\ f \Q\; \s. R s \ P s; \rv s. Q rv s \ S rv s \ \ \R\ f \S\" + by (wp_pre, rule hoare_post_imp) + +lemma validE_weaken: (* FIXME lib: eliminate in favour of hoare_chainE *) + "\ \P'\ A \Q'\,\E'\; \s. P s \ P' s; \rv s. Q' rv s \ Q rv s; \rv s. E' rv s \ E rv s \ \ + \P\ A \Q\,\E\" + by wp_pre (rule hoare_post_impErr) + +lemmas hoare_chainE = validE_weaken + +lemma hoare_vcg_conj_lift: + "\ \P\ f \Q\; \P'\ f \Q'\ \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\" + unfolding valid_def + by fastforce + +\ \A variant which works nicely with subgoals that do not contain schematics\ +lemmas hoare_vcg_conj_lift_pre_fix = hoare_vcg_conj_lift[where P=R and P'=R for R, simplified] + +lemma hoare_vcg_conj_liftE1: + "\ \P\ f \Q\,-; \P'\ f \Q'\,\E\ \ \ \P and P'\ f \\rv s. Q rv s \ Q' rv s\,\E\" + unfolding valid_def validE_R_def validE_def + by (fastforce simp: split_def split: sum.splits) + +lemma hoare_vcg_disj_lift: + "\ \P\ f \Q\; \P'\ f \Q'\ \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\" + unfolding valid_def + by fastforce + +lemma hoare_vcg_const_Ball_lift: + "\ \x. x \ S \ \P x\ f \Q x\ \ \ \\s. \x\S. P x s\ f \\rv s. \x\S. Q x rv s\" + by (fastforce simp: valid_def) + +lemma hoare_vcg_const_Ball_lift_R: + "\ \x. x \ S \ \P x\ f \Q x\,- \ \ \\s. \x \ S. P x s\ f \\rv s. \x \ S. Q x rv s\,-" + unfolding validE_R_def validE_def + by (rule hoare_strengthen_post) + (fastforce intro!: hoare_vcg_const_Ball_lift split: sum.splits)+ + +lemma hoare_vcg_all_lift: + "\ \x. \P x\ f \Q x\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\" + by (fastforce simp: valid_def) + +lemma hoare_vcg_all_lift_R: + "(\x. \P x\ f \Q x\, -) \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\, -" + by (rule hoare_vcg_const_Ball_lift_R[where S=UNIV, simplified]) + +lemma hoare_vcg_imp_lift: + "\ \P'\ f \\rv s. \ P rv s\; \Q'\ f \Q\ \ \ \\s. P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\" + by (simp only: imp_conv_disj) (rule hoare_vcg_disj_lift) + +lemma hoare_vcg_imp_lift': + "\ \P'\ f \\rv s. \ P rv s\; \Q'\ f \Q\ \ \ \\s. \ P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\" + by (wpsimp wp: hoare_vcg_imp_lift) + +lemma hoare_vcg_imp_conj_lift[wp_comb]: + "\ \P\ f \\rv s. Q rv s \ Q' rv s\; \P'\ f \\rv s. (Q rv s \ Q'' rv s) \ Q''' rv s\ \ \ + \P and P'\ f \\rv s. (Q rv s \ Q' rv s \ Q'' rv s) \ Q''' rv s\" + by (auto simp: valid_def) + +lemmas hoare_vcg_imp_conj_lift'[wp_unsafe] = hoare_vcg_imp_conj_lift[where Q'''="\\", simplified] + +lemma hoare_absorb_imp: + "\ P \ f \\rv s. Q rv s \ R rv s\ \ \ P \ f \\rv s. Q rv s \ R rv s\" + by (erule hoare_post_imp[rotated], blast) + +lemma hoare_weaken_imp: + "\ \rv s. Q rv s \ Q' rv s ; \P\ f \\rv s. Q' rv s \ R rv s\ \ + \ \P\ f \\rv s. Q rv s \ R rv s\" + by (clarsimp simp: valid_def split_def) + +lemma hoare_vcg_const_imp_lift: + "\ P \ \Q\ m \R\ \ \ \\s. P \ Q s\ m \\rv s. P \ R rv s\" + by (cases P, simp_all add: hoare_vcg_prop) + +lemma hoare_vcg_const_imp_lift_R: + "(P \ \Q\ m \R\,-) \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,-" + by (fastforce simp: validE_R_def validE_def valid_def split_def split: sum.splits) + +lemma hoare_weak_lift_imp: + "\P'\ f \Q\ \ \\s. P \ P' s\ f \\rv s. P \ Q rv s\" + by (auto simp add: valid_def split_def) + +lemmas hoare_vcg_weaken_imp = hoare_weaken_imp (* FIXME lib: eliminate *) + +lemma hoare_vcg_ex_lift: + "\ \x. \P x\ f \Q x\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\" + by (clarsimp simp: valid_def, blast) + +lemma hoare_vcg_ex_lift_R1: + "(\x. \P x\ f \Q\, -) \ \\s. \x. P x s\ f \Q\, -" + by (fastforce simp: valid_def validE_R_def validE_def split: sum.splits) + +lemma hoare_liftP_ext: + assumes "\P x. m \\s. P (f s x)\" + shows "m \\s. P (f s)\" + unfolding valid_def + apply clarsimp + apply (erule subst[rotated, where P=P]) + apply (rule ext) + apply (drule use_valid, rule assms, rule refl) + apply simp + done + +(* for instantiations *) +lemma hoare_triv: "\P\f\Q\ \ \P\f\Q\" . +lemma hoare_trivE: "\P\ f \Q\,\E\ \ \P\ f \Q\,\E\" . +lemma hoare_trivE_R: "\P\ f \Q\,- \ \P\ f \Q\,-" . +lemma hoare_trivR_R: "\P\ f -,\E\ \ \P\ f -,\E\" . + +lemma hoare_vcg_E_conj: + "\ \P\ f -,\E\; \P'\ f \Q'\,\E'\ \ \ \\s. P s \ P' s\ f \Q'\, \\rv s. E rv s \ E' rv s\" + unfolding validE_def validE_E_def + by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) + +lemma hoare_vcg_E_elim: + "\ \P\ f -,\E\; \P'\ f \Q\,- \ \ \\s. P s \ P' s\ f \Q\,\E\" + by (rule hoare_post_impErr[OF hoare_vcg_E_conj]) (simp add: validE_R_def)+ + +lemma hoare_vcg_R_conj: + "\ \P\ f \Q\,-; \P'\ f \Q'\,- \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\,-" + unfolding validE_R_def validE_def + by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) + +lemma hoare_lift_Pf_E_R: + "\ \x. \P x\ m \\_. P x\, -; \P. \\s. P (f s)\ m \\_ s. P (f s)\, - \ \ + \\s. P (f s) s\ m \\_ s. P (f s) s\, -" + by (fastforce simp: validE_R_def validE_def valid_def split: sum.splits) + +lemma hoare_lift_Pf_E_E: + "\ \x. \P x\ m -, \\_. P x\; \P. \\s. P (f s)\ m -, \\_ s. P (f s)\ \ \ + \\s. P (f s) s\ m -, \\_ s. P (f s) s\" + by (fastforce simp: validE_E_def validE_def valid_def split: sum.splits) + +lemma hoare_vcg_const_Ball_lift_E_E: + "(\x. x \ S \ \P x\ f -,\Q x\) \ \\s. \x \ S. P x s\ f -,\\rv s. \x \ S. Q x rv s\" + unfolding validE_E_def validE_def valid_def + by (fastforce split: sum.splits) + +lemma hoare_vcg_all_liftE_E: + "(\x. \P x\ f -, \Q x\) \ \\s. \x. P x s\ f -,\\rv s. \x. Q x rv s\" + by (rule hoare_vcg_const_Ball_lift_E_E[where S=UNIV, simplified]) + +lemma hoare_vcg_imp_liftE_E: + "\\P'\ f -, \\rv s. \ P rv s\; \Q'\ f -, \Q\\ \ + \\s. \ P' s \ Q' s\ f -, \\rv s. P rv s \ Q rv s\" + by (auto simp add: valid_def validE_E_def validE_def split_def split: sum.splits) + +lemma hoare_vcg_ex_liftE: + "\ \x. \P x\ f \Q x\,\E\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\,\E\" + by (fastforce simp: validE_def valid_def split: sum.splits) + +lemma hoare_vcg_ex_liftE_E: + "\ \x. \P x\ f -,\E x\ \ \ \\s. \x. P x s\ f -,\\rv s. \x. E x rv s\" + by (fastforce simp: validE_E_def validE_def valid_def split: sum.splits) + +lemma hoare_post_imp_R: + "\ \P\ f \Q'\,-; \rv s. Q' rv s \ Q rv s \ \ \P\ f \Q\,-" + unfolding validE_R_def + by (erule hoare_post_impErr) + +lemma hoare_post_imp_E: + "\ \P\ f -,\Q'\; \rv s. Q' rv s \ Q rv s \ \ \P\ f -,\Q\" + unfolding validE_E_def + by (rule hoare_post_impErr) + +lemma hoare_post_comb_imp_conj: + "\ \P'\ f \Q\; \P\ f \Q'\; \s. P s \ P' s \ \ \P\ f \\rv s. Q rv s \ Q' rv s\" + by (wpsimp wp: hoare_vcg_conj_lift) + + subsection \Weakest Precondition Rules\ lemma fail_wp: @@ -705,225 +924,6 @@ lemma select_throwError_wp: by (simp add: bind_def throwError_def return_def select_def validE_E_def validE_def valid_def) -subsection \Operator lifting/splitting\ - -lemma hoare_vcg_if_split: - "\ P \ \Q\ f \S\; \P \ \R\ g \S\ \ \ \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\" - by simp - -lemma hoare_vcg_if_splitE: - "\ P \ \Q\ f \S\,\E\; \P \ \R\ g \S\,\E\ \ \ - \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\,\E\" - by simp - -lemma hoare_vcg_split_case_option: - "\ \x. x = None \ \P x\ f x \R x\; \x y. x = Some y \ \Q x y\ g x y \R x\ \ \ - \\s. (x = None \ P x s) \(\y. x = Some y \ Q x y s)\ - case x of None \ f x | Some y \ g x y - \R x\" - by (cases x; simp) - -lemma hoare_vcg_split_case_optionE: - "\ \x. x = None \ \P x\ f x \R x\,\E x\; \x y. x = Some y \ \Q x y\ g x y \R x\,\E x\ \ \ - \\s. (x = None \ P x s) \ (\y. x = Some y \ Q x y s)\ - case x of None \ f x | Some y \ g x y - \R x\, \E x\" - by (cases x; simp) - -lemma hoare_vcg_split_case_sum: - "\ \x a. x = Inl a \ \P x a\ f x a \R x\; \x b. x = Inr b \ \Q x b\ g x b \R x\ \ \ - \\s. (\a. x = Inl a \ P x a s) \ (\b. x = Inr b \ Q x b s) \ - case x of Inl a \ f x a | Inr b \ g x b - \R x\" - by (cases x; simp) - -lemmas hoare_vcg_precond_imp = hoare_weaken_pre (* FIXME lib: eliminate *) - -lemmas hoare_seq_ext = seq_ext[rotated] -lemmas hoare_vcg_seqE = seqE[rotated] - -lemma hoare_seq_ext_nobind: - "\ \B\ g \C\; \A\ f \\_. B\ \ \ \A\ do f; g od \C\" - by (fastforce simp: valid_def bind_def Let_def split_def) - -lemma hoare_seq_ext_nobindE: - "\ \B\ g \C\, \E\; \A\ f \\_. B\, \E\ \ \ \A\ doE f; g odE \C\, \E\" - by (fastforce simp: validE_def valid_def bindE_def bind_def throwError_def return_def lift_def - split: sum.splits) - -lemmas hoare_seq_ext_skip' = hoare_seq_ext[where B=C and C=C for C] - -lemma hoare_chain: - "\ \P\ f \Q\; \s. R s \ P s; \rv s. Q rv s \ S rv s \ \ \R\ f \S\" - by (wp_pre, rule hoare_post_imp) - -lemma validE_weaken: (* FIXME lib: eliminate in favour of hoare_chainE *) - "\ \P'\ A \Q'\,\E'\; \s. P s \ P' s; \rv s. Q' rv s \ Q rv s; \rv s. E' rv s \ E rv s \ \ - \P\ A \Q\,\E\" - by wp_pre (rule hoare_post_impErr) - -lemmas hoare_chainE = validE_weaken - -lemma hoare_vcg_conj_lift: - "\ \P\ f \Q\; \P'\ f \Q'\ \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\" - unfolding valid_def - by fastforce - -\ \A variant which works nicely with subgoals that do not contain schematics\ -lemmas hoare_vcg_conj_lift_pre_fix = hoare_vcg_conj_lift[where P=R and P'=R for R, simplified] - -lemma hoare_vcg_conj_liftE1: - "\ \P\ f \Q\,-; \P'\ f \Q'\,\E\ \ \ \P and P'\ f \\rv s. Q rv s \ Q' rv s\,\E\" - unfolding valid_def validE_R_def validE_def - by (fastforce simp: split_def split: sum.splits) - -lemma hoare_vcg_disj_lift: - "\ \P\ f \Q\; \P'\ f \Q'\ \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\" - unfolding valid_def - by fastforce - -lemma hoare_vcg_const_Ball_lift: - "\ \x. x \ S \ \P x\ f \Q x\ \ \ \\s. \x\S. P x s\ f \\rv s. \x\S. Q x rv s\" - by (fastforce simp: valid_def) - -lemma hoare_vcg_const_Ball_lift_R: - "\ \x. x \ S \ \P x\ f \Q x\,- \ \ \\s. \x \ S. P x s\ f \\rv s. \x \ S. Q x rv s\,-" - unfolding validE_R_def validE_def - by (rule hoare_strengthen_post) - (fastforce intro!: hoare_vcg_const_Ball_lift split: sum.splits)+ - -lemma hoare_vcg_all_lift: - "\ \x. \P x\ f \Q x\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\" - by (fastforce simp: valid_def) - -lemma hoare_vcg_all_lift_R: - "(\x. \P x\ f \Q x\, -) \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\, -" - by (rule hoare_vcg_const_Ball_lift_R[where S=UNIV, simplified]) - -lemma hoare_vcg_imp_lift: - "\ \P'\ f \\rv s. \ P rv s\; \Q'\ f \Q\ \ \ \\s. P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\" - by (simp only: imp_conv_disj) (rule hoare_vcg_disj_lift) - -lemma hoare_vcg_imp_lift': - "\ \P'\ f \\rv s. \ P rv s\; \Q'\ f \Q\ \ \ \\s. \ P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\" - by (wpsimp wp: hoare_vcg_imp_lift) - -lemma hoare_vcg_imp_conj_lift[wp_comb]: - "\ \P\ f \\rv s. Q rv s \ Q' rv s\; \P'\ f \\rv s. (Q rv s \ Q'' rv s) \ Q''' rv s\ \ \ - \P and P'\ f \\rv s. (Q rv s \ Q' rv s \ Q'' rv s) \ Q''' rv s\" - by (auto simp: valid_def) - -lemmas hoare_vcg_imp_conj_lift'[wp_unsafe] = hoare_vcg_imp_conj_lift[where Q'''="\\", simplified] - -lemma hoare_absorb_imp: - "\ P \ f \\rv s. Q rv s \ R rv s\ \ \ P \ f \\rv s. Q rv s \ R rv s\" - by (erule hoare_post_imp[rotated], blast) - -lemma hoare_weaken_imp: - "\ \rv s. Q rv s \ Q' rv s ; \P\ f \\rv s. Q' rv s \ R rv s\ \ - \ \P\ f \\rv s. Q rv s \ R rv s\" - by (clarsimp simp: valid_def split_def) - -lemma hoare_vcg_const_imp_lift: - "\ P \ \Q\ m \R\ \ \ \\s. P \ Q s\ m \\rv s. P \ R rv s\" - by (cases P, simp_all add: hoare_vcg_prop) - -lemma hoare_vcg_const_imp_lift_R: - "(P \ \Q\ m \R\,-) \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,-" - by (fastforce simp: validE_R_def validE_def valid_def split_def split: sum.splits) - -lemma hoare_weak_lift_imp: - "\P'\ f \Q\ \ \\s. P \ P' s\ f \\rv s. P \ Q rv s\" - by (auto simp add: valid_def split_def) - -lemmas hoare_vcg_weaken_imp = hoare_weaken_imp (* FIXME lib: eliminate *) - -lemma hoare_vcg_ex_lift: - "\ \x. \P x\ f \Q x\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\" - by (clarsimp simp: valid_def, blast) - -lemma hoare_vcg_ex_lift_R1: - "(\x. \P x\ f \Q\, -) \ \\s. \x. P x s\ f \Q\, -" - by (fastforce simp: valid_def validE_R_def validE_def split: sum.splits) - -lemma hoare_liftP_ext: - assumes "\P x. m \\s. P (f s x)\" - shows "m \\s. P (f s)\" - unfolding valid_def - apply clarsimp - apply (erule subst[rotated, where P=P]) - apply (rule ext) - apply (drule use_valid, rule assms, rule refl) - apply simp - done - -(* for instantiations *) -lemma hoare_triv: "\P\f\Q\ \ \P\f\Q\" . -lemma hoare_trivE: "\P\ f \Q\,\E\ \ \P\ f \Q\,\E\" . -lemma hoare_trivE_R: "\P\ f \Q\,- \ \P\ f \Q\,-" . -lemma hoare_trivR_R: "\P\ f -,\E\ \ \P\ f -,\E\" . - -lemma hoare_vcg_E_conj: - "\ \P\ f -,\E\; \P'\ f \Q'\,\E'\ \ \ \\s. P s \ P' s\ f \Q'\, \\rv s. E rv s \ E' rv s\" - unfolding validE_def validE_E_def - by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) - -lemma hoare_vcg_E_elim: - "\ \P\ f -,\E\; \P'\ f \Q\,- \ \ \\s. P s \ P' s\ f \Q\,\E\" - by (rule hoare_post_impErr[OF hoare_vcg_E_conj]) (simp add: validE_R_def)+ - -lemma hoare_vcg_R_conj: - "\ \P\ f \Q\,-; \P'\ f \Q'\,- \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\,-" - unfolding validE_R_def validE_def - by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) - -lemma hoare_lift_Pf_E_R: - "\ \x. \P x\ m \\_. P x\, -; \P. \\s. P (f s)\ m \\_ s. P (f s)\, - \ \ - \\s. P (f s) s\ m \\_ s. P (f s) s\, -" - by (fastforce simp: validE_R_def validE_def valid_def split: sum.splits) - -lemma hoare_lift_Pf_E_E: - "\ \x. \P x\ m -, \\_. P x\; \P. \\s. P (f s)\ m -, \\_ s. P (f s)\ \ \ - \\s. P (f s) s\ m -, \\_ s. P (f s) s\" - by (fastforce simp: validE_E_def validE_def valid_def split: sum.splits) - -lemma hoare_vcg_const_Ball_lift_E_E: - "(\x. x \ S \ \P x\ f -,\Q x\) \ \\s. \x \ S. P x s\ f -,\\rv s. \x \ S. Q x rv s\" - unfolding validE_E_def validE_def valid_def - by (fastforce split: sum.splits) - -lemma hoare_vcg_all_liftE_E: - "(\x. \P x\ f -, \Q x\) \ \\s. \x. P x s\ f -,\\rv s. \x. Q x rv s\" - by (rule hoare_vcg_const_Ball_lift_E_E[where S=UNIV, simplified]) - -lemma hoare_vcg_imp_liftE_E: - "\\P'\ f -, \\rv s. \ P rv s\; \Q'\ f -, \Q\\ \ - \\s. \ P' s \ Q' s\ f -, \\rv s. P rv s \ Q rv s\" - by (auto simp add: valid_def validE_E_def validE_def split_def split: sum.splits) - -lemma hoare_vcg_ex_liftE: - "\ \x. \P x\ f \Q x\,\E\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\,\E\" - by (fastforce simp: validE_def valid_def split: sum.splits) - -lemma hoare_vcg_ex_liftE_E: - "\ \x. \P x\ f -,\E x\ \ \ \\s. \x. P x s\ f -,\\rv s. \x. E x rv s\" - by (fastforce simp: validE_E_def validE_def valid_def split: sum.splits) - -lemma hoare_post_imp_R: - "\ \P\ f \Q'\,-; \rv s. Q' rv s \ Q rv s \ \ \P\ f \Q\,-" - unfolding validE_R_def - by (erule hoare_post_impErr) - -lemma hoare_post_imp_E: - "\ \P\ f -,\Q'\; \rv s. Q' rv s \ Q rv s \ \ \P\ f -,\Q\" - unfolding validE_E_def - by (rule hoare_post_impErr) - -lemma hoare_post_comb_imp_conj: - "\ \P'\ f \Q\; \P\ f \Q'\; \s. P s \ P' s \ \ \P\ f \\rv s. Q rv s \ Q' rv s\" - by (wpsimp wp: hoare_vcg_conj_lift) - - subsection \Setting up the @{method wp} method\ lemma valid_is_triple: From 9a877c9bdd2d61b8d7e8c182541613a530d9b270 Mon Sep 17 00:00:00 2001 From: Corey Lewis Date: Wed, 9 Aug 2023 19:44:37 +1000 Subject: [PATCH 2/3] lib/monads: minor cleanup and restyle in nondet monad Signed-off-by: Corey Lewis --- lib/Monads/nondet/Nondet_More_VCG.thy | 8 -------- lib/Monads/nondet/Nondet_VCG.thy | 27 ++++++++++++--------------- 2 files changed, 12 insertions(+), 23 deletions(-) diff --git a/lib/Monads/nondet/Nondet_More_VCG.thy b/lib/Monads/nondet/Nondet_More_VCG.thy index 1c351cb303..eb4b261020 100644 --- a/lib/Monads/nondet/Nondet_More_VCG.thy +++ b/lib/Monads/nondet/Nondet_More_VCG.thy @@ -36,14 +36,6 @@ lemma hoare_pre_addE: apply (subst iff_conv_conj_imp) by(intro conjI impI; rule hoare_weaken_preE, assumption, clarsimp) -lemma hoare_disjI1: - "\R\ f \P\ \ \R\ f \\r s. P r s \ Q r s\" - by (erule hoare_post_imp [rotated]) simp - -lemma hoare_disjI2: - "\R\ f \Q\ \ \R\ f \\r s. P r s \ Q r s \" - by (rule hoare_post_imp [OF _ hoare_disjI1, where P1=Q], auto) - lemma hoare_name_pre_state: "\ \s. P s \ \(=) s\ f \Q\ \ \ \P\ f \Q\" by (clarsimp simp: valid_def) diff --git a/lib/Monads/nondet/Nondet_VCG.thy b/lib/Monads/nondet/Nondet_VCG.thy index ca1adeaa25..81be633ba4 100644 --- a/lib/Monads/nondet/Nondet_VCG.thy +++ b/lib/Monads/nondet/Nondet_VCG.thy @@ -31,16 +31,15 @@ text \This section defines a Hoare logic for partial correctness for the monad satisfy the postcondition. Note that if the computation returns the empty set, the triple is trivially valid. This means @{term "assert P"} does not require us to prove that @{term P} holds, but rather allows us - to assume @{term P}! Proving non-failure is done via separate predicate and - calculus (see below). -\ + to assume @{term P}! Proving non-failure is done via a separate predicate and + calculus (see Nondet_No_Fail).\ definition valid :: "('s \ bool) \ ('s,'a) nondet_monad \ ('a \ 's \ bool) \ bool" ("\_\/ _ /\_\") where "\P\ f \Q\ \ \s. P s \ (\(r,s') \ fst (f s). Q r s')" text \ We often reason about invariant predicates. The following provides shorthand syntax - that avoids repeating potentially long predicates. \ + that avoids repeating potentially long predicates.\ abbreviation (input) invariant :: "('s,'a) nondet_monad \ ('s \ bool) \ bool" ("_ \_\" [59,0] 60) where "invariant f P \ \P\ f \\_. P\" @@ -60,7 +59,7 @@ lemma validE_def2: text \ The following two instantiations are convenient to separate reasoning for exceptional and - normal case. \ + normal case.\ (* Narrator: they are in fact not convenient, and are now considered a mistake that should have been an abbreviation instead. *) definition validE_R :: (* FIXME lib: this should be an abbreviation *) @@ -96,7 +95,7 @@ lemma hoare_pre_imp: lemmas hoare_weaken_pre = hoare_pre_imp[rotated] lemma hoare_vcg_precond_impE: (* FIXME lib: eliminate in favour of hoare_weaken_preE *) - "\ \Q\ f \R\,\E\; \s. P s \ Q s \ \ \P\ f \R\,\E\" + "\ \Q\ f \R\,\E\; \s. P s \ Q s \ \ \P\ f \R\,\E\" by (fastforce simp add:validE_def2) lemmas hoare_weaken_preE = hoare_vcg_precond_impE @@ -420,11 +419,11 @@ lemma validE_R_validE: by (simp add: validE_R_def) lemma validE_validE_E: - "\P\ f \\\\,\E\ \ \P\ f -,\E\" + "\P\ f \\\\, \E\ \ \P\ f -, \E\" by (simp add: validE_E_def) lemma validE_E_validE: - "\P\ f -,\E\ \ \P\ f \\\\,\E\" + "\P\ f -, \E\ \ \P\ f \\\\, \E\" by (simp add: validE_E_def) @@ -458,7 +457,7 @@ lemma hoare_vcg_if_splitE: lemma hoare_vcg_split_case_option: "\ \x. x = None \ \P x\ f x \R x\; \x y. x = Some y \ \Q x y\ g x y \R x\ \ \ - \\s. (x = None \ P x s) \(\y. x = Some y \ Q x y s)\ + \\s. (x = None \ P x s) \ (\y. x = Some y \ Q x y s)\ case x of None \ f x | Some y \ g x y \R x\" by (cases x; simp) @@ -498,8 +497,8 @@ lemma hoare_chain: by (wp_pre, rule hoare_post_imp) lemma validE_weaken: (* FIXME lib: eliminate in favour of hoare_chainE *) - "\ \P'\ A \Q'\,\E'\; \s. P s \ P' s; \rv s. Q' rv s \ Q rv s; \rv s. E' rv s \ E rv s \ \ - \P\ A \Q\,\E\" + "\ \P'\ A \Q'\,\E'\; \s. P s \ P' s; \rv s. Q' rv s \ Q rv s; \rv s. E' rv s \ E rv s \ + \ \P\ A \Q\,\E\" by wp_pre (rule hoare_post_impErr) lemmas hoare_chainE = validE_weaken @@ -708,7 +707,7 @@ lemma returnOKE_R_wp: lemma liftE_wp: "\P\ f \Q\ \ \P\ liftE f \Q\,\E\" - by (clarsimp simp:valid_def validE_def2 liftE_def split_def Let_def bind_def return_def) + by simp lemma catch_wp: "\ \x. \E x\ handler x \Q\; \P\ f \Q\,\E\ \ \ \P\ catch f handler \Q\" @@ -759,8 +758,6 @@ lemma alternative_wp: using post_by_hoare[OF x] post_by_hoare[OF y] by fastforce -lemmas alternative_valid = alternative_wp[where P=P and P'=P for P, simplified] - lemma alternativeE_wp: assumes "\P\ f \Q\,\E\" assumes "\P'\ f' \Q\,\E\" @@ -791,7 +788,7 @@ lemma state_select_wp: by (clarsimp simp: state_select_def valid_def) lemma condition_wp: - "\ \Q\ A \P\; \R\ B \P\ \ \ \\s. if C s then Q s else R s\ condition C A B \P\" + "\ \Q\ A \P\; \R\ B \P\ \ \ \\s. if C s then Q s else R s\ condition C A B \P\" by (clarsimp simp: condition_def valid_def) lemma conditionE_wp: From b54525d8b40af754caedd73aacb40db6bfb19e87 Mon Sep 17 00:00:00 2001 From: Corey Lewis Date: Mon, 14 Aug 2023 21:08:23 +1000 Subject: [PATCH 3/3] refine: update for changes to nondet monad Signed-off-by: Corey Lewis --- proof/refine/AARCH64/Schedule_R.thy | 2 +- proof/refine/ARM/Schedule_R.thy | 2 +- proof/refine/ARM_HYP/Schedule_R.thy | 2 +- proof/refine/RISCV64/Schedule_R.thy | 2 +- proof/refine/X64/Schedule_R.thy | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/proof/refine/AARCH64/Schedule_R.thy b/proof/refine/AARCH64/Schedule_R.thy index 0ade5d66ca..ff63a9b42a 100644 --- a/proof/refine/AARCH64/Schedule_R.thy +++ b/proof/refine/AARCH64/Schedule_R.thy @@ -2314,7 +2314,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where Q="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/ARM/Schedule_R.thy b/proof/refine/ARM/Schedule_R.thy index 02921fc419..8622fbfcf9 100644 --- a/proof/refine/ARM/Schedule_R.thy +++ b/proof/refine/ARM/Schedule_R.thy @@ -2153,7 +2153,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where Q="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/ARM_HYP/Schedule_R.thy b/proof/refine/ARM_HYP/Schedule_R.thy index 9076942689..8be4b8e1e1 100644 --- a/proof/refine/ARM_HYP/Schedule_R.thy +++ b/proof/refine/ARM_HYP/Schedule_R.thy @@ -2279,7 +2279,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where Q="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/RISCV64/Schedule_R.thy b/proof/refine/RISCV64/Schedule_R.thy index 4bc496808b..800d5399b9 100644 --- a/proof/refine/RISCV64/Schedule_R.thy +++ b/proof/refine/RISCV64/Schedule_R.thy @@ -2141,7 +2141,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where Q="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/X64/Schedule_R.thy b/proof/refine/X64/Schedule_R.thy index a248f01710..b1eb3a6820 100644 --- a/proof/refine/X64/Schedule_R.thy +++ b/proof/refine/X64/Schedule_R.thy @@ -2144,7 +2144,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where Q="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd