Hoare logic: if rule

df3b860b · MARCHE Claude · bb243268 · df3b860b · df3b860b · df3b860b
Commit df3b860b authored Oct 11, 2011 by MARCHE Claude
--- a/examples/hoare_logic/imp.why
+++ b/examples/hoare_logic/imp.why
@@ -163,10 +163,14 @@ lemma many_steps_seq:

 type fmla =
  | Fterm expr
+  | Fand fmla fmla
+  | Fnot fmla

 predicate eval_fmla (s:state) (f:fmla) =
  match f with
  | Fterm e -> eval_expr s e <> 0
+  | Fand f1 f2 ->  eval_fmla s f1 /\ eval_fmla s f2
+  | Fnot f ->  not (eval_fmla s f)
  end

 (* substitution *) 
@@ -186,11 +190,13 @@ lemma eval_subst_expr:
 function subst (f:fmla) (x:ident) (t:expr) : fmla =
  match f with
  | Fterm e -> Fterm (subst_expr e x t)
+  | Fand f1 f2 -> Fand (subst f1 x t) (subst f2 x t)
+  | Fnot f -> Fnot (subst f x t)
  end

 lemma eval_subst:
  forall s:state, f:fmla, x:ident, t:expr.
-    eval_fmla s (subst f x t) -> eval_fmla (IdMap.set s x (eval_expr s t)) f
+    eval_fmla s (subst f x t) <-> eval_fmla (IdMap.set s x (eval_expr s t)) f

 (* Hoare triples *)

@@ -201,6 +207,9 @@ predicate valid_triple (p:fmla) (i:stmt) (q:fmla) =

 (* Hoare logic rules *)

+lemma skip_rule:
+  forall q:fmla. valid_triple q Sskip q
+
 lemma assign_rule:
  forall q:fmla, x:ident, e:expr.
  valid_triple (subst q x e) (Sassign x e) q
@@ -210,6 +219,12 @@ lemma seq_rule:
  valid_triple p i1 r /\ valid_triple r i2 q ->
  valid_triple p (Sseq i1 i2) q

+lemma if_rule:
+  forall e:expr, p q:fmla, i1 i2:stmt.
+  valid_triple (Fand p (Fterm e)) i1 q /\
+  valid_triple (Fand p (Fnot (Fterm e))) i2 q ->
+  valid_triple p (Sif e i1 i2) q
+
 end



--- a/examples/hoare_logic/imp/imp_Imp_assign_rule_1.v
+++ b/examples/hoare_logic/imp/imp_Imp_assign_rule_1.v
@@ -4,9 +4,14 @@ Require Import ZArith.
 Require Import Rbase.
 Parameter ident : Type.

+Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2).
+
 Parameter mk_ident: Z -> ident.


+Axiom mk_ident_inj : forall (i:Z) (j:Z), ((mk_ident i) = (mk_ident j)) ->
+  (i = j).
+
 Inductive operator  :=
  | Oplus : operator 
  | Ominus : operator 
@@ -110,12 +115,18 @@ Axiom many_steps_seq : forall (s1:(map ident Z)) (s3:(map ident Z)) (i1:stmt)
  Z), (many_steps s1 i1 s2 Sskip) /\ (many_steps s2 i2 s3 Sskip).

 Inductive fmla  :=
-  | Fterm : expr -> fmla .
+  | Fterm : expr -> fmla 
+  | Fand : fmla -> fmla -> fmla 
+  | Fnot : fmla -> fmla .

-Definition eval_fmla(s:(map ident Z)) (f:fmla): Prop :=
+Set Implicit Arguments.
+Fixpoint eval_fmla(s:(map ident Z)) (f:fmla) {struct f}: Prop :=
  match f with
  | (Fterm e) => ~ ((eval_expr s e) = 0%Z)
+  | (Fand f1 f2) => (eval_fmla s f1) /\ (eval_fmla s f2)
+  | (Fnot f1) => ~ (eval_fmla s f1)
  end.
+Unset Implicit Arguments.

 Parameter subst_expr: expr -> ident -> expr -> expr.

@@ -133,18 +144,24 @@ Axiom eval_subst_expr : forall (s:(map ident Z)) (e:expr) (x:ident) (t:expr),
  ((eval_expr s (subst_expr e x t)) = (eval_expr (set s x (eval_expr s t))
  e)).

-Definition subst(f:fmla) (x:ident) (t:expr): fmla :=
+Set Implicit Arguments.
+Fixpoint subst(f:fmla) (x:ident) (t:expr) {struct f}: fmla :=
  match f with
  | (Fterm e) => (Fterm (subst_expr e x t))
+  | (Fand f1 f2) => (Fand (subst f1 x t) (subst f2 x t))
+  | (Fnot f1) => (Fnot (subst f1 x t))
  end.
+Unset Implicit Arguments.

 Axiom eval_subst : forall (s:(map ident Z)) (f:fmla) (x:ident) (t:expr),
-  (eval_fmla s (subst f x t)) -> (eval_fmla (set s x (eval_expr s t)) f).
+  (eval_fmla s (subst f x t)) <-> (eval_fmla (set s x (eval_expr s t)) f).

 Definition valid_triple(p:fmla) (i:stmt) (q:fmla): Prop := forall (s:(map
  ident Z)), (eval_fmla s p) -> forall (sqt:(map ident Z)), (many_steps s i
  sqt Sskip) -> (eval_fmla sqt q).

+Axiom skip_rule : forall (q:fmla), (valid_triple q Sskip q).
+
 (* YOU MAY EDIT THE CONTEXT BELOW *)

 (* DO NOT EDIT BELOW *)
@@ -160,7 +177,7 @@ inversion H; subst.
 inversion H0; subst.
 (* normal case *)
 clear H Hred H0.
-apply eval_subst; auto.
+rewrite <- eval_subst; auto.

 (* absurd case *)
 inversion H1.

--- a/examples/hoare_logic/imp/imp_Imp_eval_subst_2.v
+++ b/examples/hoare_logic/imp/imp_Imp_eval_subst_2.v
@@ -4,9 +4,14 @@ Require Import ZArith.
 Require Import Rbase.
 Parameter ident : Type.

+Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2).
+
 Parameter mk_ident: Z -> ident.


+Axiom mk_ident_inj : forall (i:Z) (j:Z), ((mk_ident i) = (mk_ident j)) ->
+  (i = j).
+
 Inductive operator  :=
  | Oplus : operator 
  | Ominus : operator 
@@ -100,17 +105,28 @@ Inductive many_steps : (map ident Z) -> stmt -> (map ident Z)
      ident Z)) (i1:stmt) (i2:stmt) (i3:stmt), (one_step s1 i1 s2 i2) ->
      ((many_steps s2 i2 s3 i3) -> (many_steps s1 i1 s3 i3)).

+Axiom many_steps_seq_rec : forall (s1:(map ident Z)) (s3:(map ident Z))
+  (i:stmt) (i3:stmt), (many_steps s1 i s3 i3) -> ((i3 = Sskip) ->
+  forall (i1:stmt) (i2:stmt), (i = (Sseq i1 i2)) -> exists s2:(map ident Z),
+  (many_steps s1 i1 s2 Sskip) /\ (many_steps s2 i2 s3 Sskip)).
+
 Axiom many_steps_seq : forall (s1:(map ident Z)) (s3:(map ident Z)) (i1:stmt)
  (i2:stmt), (many_steps s1 (Sseq i1 i2) s3 Sskip) -> exists s2:(map ident
  Z), (many_steps s1 i1 s2 Sskip) /\ (many_steps s2 i2 s3 Sskip).

 Inductive fmla  :=
-  | Fterm : expr -> fmla .
+  | Fterm : expr -> fmla 
+  | Fand : fmla -> fmla -> fmla 
+  | Fnot : fmla -> fmla .

-Definition eval_fmla(s:(map ident Z)) (f:fmla): Prop :=
+Set Implicit Arguments.
+Fixpoint eval_fmla(s:(map ident Z)) (f:fmla) {struct f}: Prop :=
  match f with
  | (Fterm e) => ~ ((eval_expr s e) = 0%Z)
+  | (Fand f1 f2) => (eval_fmla s f1) /\ (eval_fmla s f2)
+  | (Fnot f1) => ~ (eval_fmla s f1)
  end.
+Unset Implicit Arguments.

 Parameter subst_expr: expr -> ident -> expr -> expr.

@@ -128,21 +144,37 @@ Axiom eval_subst_expr : forall (s:(map ident Z)) (e:expr) (x:ident) (t:expr),
  ((eval_expr s (subst_expr e x t)) = (eval_expr (set s x (eval_expr s t))
  e)).

-Definition subst(f:fmla) (x:ident) (t:expr): fmla :=
+Set Implicit Arguments.
+Fixpoint subst(f:fmla) (x:ident) (t:expr) {struct f}: fmla :=
  match f with
  | (Fterm e) => (Fterm (subst_expr e x t))
+  | (Fand f1 f2) => (Fand (subst f1 x t) (subst f2 x t))
+  | (Fnot f1) => (Fnot (subst f1 x t))
  end.
+Unset Implicit Arguments.

 (* YOU MAY EDIT THE CONTEXT BELOW *)

 (* DO NOT EDIT BELOW *)

 Theorem eval_subst : forall (s:(map ident Z)) (f:fmla) (x:ident) (t:expr),
-  (eval_fmla s (subst f x t)) -> (eval_fmla (set s x (eval_expr s t)) f).
+  (eval_fmla s (subst f x t)) <-> (eval_fmla (set s x (eval_expr s t)) f).
 (* YOU MAY EDIT THE PROOF BELOW *)
-induction f; unfold eval_fmla, subst in *.
-intros x t H.
-rewrite <- eval_subst_expr; auto.
+induction f.
+unfold eval_fmla, subst in *.
+intros x t.
+rewrite <- eval_subst_expr; tauto.
+
+simpl.
+intros x t.
+rewrite IHf1.
+rewrite IHf2.
+tauto.
+
+simpl.
+intros x t.
+rewrite IHf.
+tauto.
 Qed.
 (* DO NOT EDIT BELOW *)


--- a/examples/hoare_logic/imp/why3session.xml
+++ b/examples/hoare_logic/imp/why3session.xml
@@ -326,21 +326,35 @@
   </goal>
   <goal
    name="eval_subst"
-    sum="75fe9028dd520dcb211e6cde21feb1a6"
+    sum="41c9426526820307330065d8ac78c17c"
    proved="true"
    expanded="false"
-    shape="aeval_fmlaasetV0V2aeval_exprV0V3V1Iaeval_fmlaV0asubstV1V2V3F">
+    shape="aeval_fmlaasetV0V2aeval_exprV0V3V1qaeval_fmlaV0asubstV1V2V3F">
    <proof
     prover="coq"
     timelimit="5"
     edited="imp_Imp_eval_subst_2.v"
     obsolete="false">
-     <result status="valid" time="0.66"/>
+     <result status="valid" time="0.53"/>
+    </proof>
+   </goal>
+   <goal
+    name="skip_rule"
+    sum="dfcd50b4105bd2ae7cd329453fdbc909"
+    proved="true"
+    expanded="false"
+    shape="avalid_tripleV0aSskipV0F">
+    <proof
+     prover="coq"
+     timelimit="3"
+     edited="imp_Imp_skip_rule_1.v"
+     obsolete="false">
+     <result status="valid" time="0.67"/>
    </proof>
   </goal>
   <goal
    name="assign_rule"
-    sum="12f9657b1c525075d56bcf69c77110b1"
+    sum="d492b0a1117c6083520f1a99f602c05b"
    proved="true"
    expanded="false"
    shape="avalid_tripleasubstV0V1V2aSassignV1V2V0F">
@@ -349,12 +363,12 @@
     timelimit="5"
     edited="imp_Imp_assign_rule_1.v"
     obsolete="false">
-     <result status="valid" time="0.74"/>
+     <result status="valid" time="0.55"/>
    </proof>
   </goal>
   <goal
    name="seq_rule"
-    sum="298c63994d40d9ae8da8b97a6309eed1"
+    sum="a5e519277ce236964d153818a92437e6"
    proved="true"
    expanded="false"
    shape="avalid_tripleV0aSseqV3V4V1Iavalid_tripleV2V4V1Aavalid_tripleV0V3V2F">
@@ -363,7 +377,7 @@
     timelimit="3"
     edited="imp_Imp_seq_rule_2.v"
     obsolete="false">
-     <result status="valid" time="0.54"/>
+     <result status="valid" time="0.51"/>
    </proof>
    <proof
     prover="z3"
@@ -373,6 +387,20 @@
     <result status="valid" time="0.07"/>
    </proof>
   </goal>
+   <goal
+    name="if_rule"
+    sum="72ad5869a02dbc44921cf038f2f2959e"
+    proved="true"
+    expanded="false"
+    shape="avalid_tripleV1aSifV0V3V4V2Iavalid_tripleaFandV1aFnotaFtermV0V4V2Aavalid_tripleaFandV1aFtermV0V3V2F">
+    <proof
+     prover="coq"
+     timelimit="3"
+     edited="imp_Imp_if_rule_1.v"
+     obsolete="false">
+     <result status="valid" time="0.51"/>
+    </proof>
+   </goal>
  </theory>
 </file>
 </why3session>