(* Isabelle/HOL formalization of FJEU with strings, the semantics, the base region type system, its soundness proof, string operation contexts and their interpretation *) (* This theory has been tested with Isabelle versions 2007 and 2009. *) theory RegionTypeSystems imports Main begin typedecl Var typedecl Class typedecl Method typedecl Field datatype Fjeu = FjNull | FjVar Var | FjNew Class | FjString string (*constructor for class String*) | FjLet Var Fjeu Fjeu | FjCond Var Var Fjeu Fjeu | FjIfinst Var Class Fjeu Fjeu | FjGet Var Field | FjGetQ Var Field | FjPut Var Field Var | FjPutQ Var Field Var | FjInvoke Var Method "Var list" typedecl Loc datatype Val = nullVal | locVal Loc datatype HeapObj = Obj Class "Field ~=> Val" | String string types Heap = "Loc ~=> HeapObj" types Store = "Var ~=> Val" constdefs defaultObj::"Class => HeapObj" "defaultObj C \ Obj C (\ f. Some nullVal)" constdefs stringObj::"string => HeapObj" "stringObj s \ String s" inductive_set mkStore::"(('a ~=> 'b) \ ('c list) \ ('a list) \ ('c ~=> 'b)) set" where mkStoreNull:"\t = (\ x . None) \ \ (s,[],[],t):mkStore" | mkStoreCons:"\(s,pars,args,r):mkStore; s y = Some v; t = r(x:=Some v) \ \ (s,x#pars,y#args,t):mkStore" lemma mkStore_determ[rule_format]: "(s, pars, args, t) : mkStore ==> \ tt . (s, pars, args, tt) : mkStore --> tt=t" apply (erule mkStore.induct) apply clarsimp apply (erule mkStore.cases, clarsimp) apply clarsimp apply clarify apply (erule thin_rl) apply (erule mkStore.cases, clarsimp) apply clarsimp done lemma mkStore_existsAux[rule_format]: "\ pars args . length pars = N --> length args = N --> (\ n . n < length args --> (\ v . s (args!n) = Some v)) --> (\ t . (s,pars,args,t):mkStore)" apply (induct N) apply clarsimp apply (rule, rule mkStoreNull) apply simp apply clarsimp apply (case_tac pars, clarsimp, clarsimp) apply (rename_tac p pars) apply (case_tac args, clarsimp, clarsimp) apply (rename_tac a args) apply (erule_tac x=pars in allE, clarsimp) apply (erule_tac x=args in allE, clarsimp) apply (erule impE) apply clarsimp apply (erule_tac x="Suc n" in allE, clarsimp) apply (erule exE) apply (erule_tac x=0 in allE, clarsimp) apply (rule, erule mkStoreCons) apply assumption apply simp done lemma mkStore_exists: "[| length pars = length args; \ n . n < length args --> (\ v . s (args!n) = Some v)|] ==> \ t . (s,pars,args,t):mkStore" apply (rule mkStore_existsAux) apply simp apply simp apply fast done lemma mkStore_length:"(s, pars, args, t) : mkStore ==> length pars = length args" apply (erule mkStore.induct) apply simp apply simp done lemma mkStore_dom_lookup[rule_format]: "(s, pars, args, t) : mkStore ==> \ n . n < length args --> (\ v . s (args!n) = Some v)" apply (erule mkStore.induct) apply simp apply clarsimp apply (case_tac n, clarsimp) apply clarsimp done consts subclassOf::"Class => Class => bool" mbody::"Class => Method ~=> (Var list \ Fjeu)" consts StringConcat::Method (* operational semantics *) inductive_set FjeuOpsem::"(Store \ Heap \ Fjeu \ Val \ Heap) set" where OpsemNull:"\v=nullVal; k=h\ \ (s,h,FjNull,v,k) : FjeuOpsem" | OpsemVar:"\ s x = Some v; k=h\ \ (s,h,FjVar x,v,k) : FjeuOpsem" | OpsemNew:"\ h a = None; v=locVal a; k=h(a:=Some (defaultObj C))\ \ (s,h,FjNew C,v,k) : FjeuOpsem" | OpsemString:"\ h a = None; v=locVal a; k=h(a:=Some (stringObj S))\ \ (s,h,FjString S,v,k) : FjeuOpsem" | OpsemLet:"\ (s,h,e1,v1,h1) : FjeuOpsem; (s(x:=Some v1),h1,e2,v,k) : FjeuOpsem\ \ (s,h,FjLet x e1 e2,v,k) : FjeuOpsem" | OpsemCond:"\ ((s,h,e1,v,k) : FjeuOpsem \ s x = s y) \ ((s,h,e2,v,k) : FjeuOpsem \ \ s x = s y)\ \ (s,h,FjCond x y e1 e2,v,k) : FjeuOpsem" | OpsemIf:"\ s x = Some (locVal a); h a = Some (Obj C F); ((s,h,e1,v,k) : FjeuOpsem \ subclassOf C E) \ ((s,h,e2,v,k) : FjeuOpsem \ \ subclassOf C E)\ \ (s,h,FjIfinst x E e1 e2,v,k) : FjeuOpsem" | OpsemGet:"\ s x = Some (locVal a); h a = Some (Obj C F); F f = Some v; k=h\ \ (s,h,FjGet x f,v,k) : FjeuOpsem" | OpsemGetQ:"\ s x = Some (locVal a); h a = Some (Obj C F); F f = Some v; k=h\ \ (s,h,FjGetQ x f,v,k) : FjeuOpsem" | OpsemPut:"\ s x = Some (locVal a); h a = Some (Obj C F); s y = Some v; G = F(f:=Some v); k=h(a:=Some (Obj C G))\ \ (s,h,FjPut x f y,v,k) : FjeuOpsem" | OpsemPutQ:"\ s x = Some (locVal a); h a = Some (Obj C F); s y = Some v; G = F(f:=Some v); k=h(a:=Some (Obj C G))\ \ (s,h,FjPutQ x f y,v,k) : FjeuOpsem" | OpsemStringConcat: "[| s x = Some(locVal Xa); h Xa = Some(String XString); s y = Some(locVal Ya); h Ya = Some(String YString); h a = None; case YString of [] => (k=h \ v = locVal Xa) | c#str => (v=locVal a \ k=h(a:=Some (stringObj (XString @ YString)))) |] ==> (s,h,FjInvoke x StringConcat [y],v,k) : FjeuOpsem" | OpsemInvoke:"\ m ~= StringConcat; s x = Some (locVal a); h a = Some(Obj C F); mbody C m = Some (pars,e); (s,pars,args,t):mkStore; (t, h, e,v,k):FjeuOpsem\ \ (s,h,FjInvoke x m args,v,k) : FjeuOpsem" inductive_cases NullOpsem[elim!]:"(s,h,FjNull,v,k):FjeuOpsem" inductive_cases VarOpsem[elim!]:"(s,h,FjVar x,v,k):FjeuOpsem" inductive_cases NewOpsem[elim!]:"(s,h,FjNew C,v,k):FjeuOpsem" inductive_cases StringOpsem[elim!]:"(s,h,FjString S,v,k):FjeuOpsem" inductive_cases GetOpsem[elim!]:"(s,h,FjGet x f,v,k):FjeuOpsem" inductive_cases GetQOpsem[elim!]:"(s,h,FjGetQ x f,v,k):FjeuOpsem" inductive_cases PutOpsem[elim!]:"(s,h,FjPut x f y,v,k):FjeuOpsem" inductive_cases PutQOpsem[elim!]:"(s,h,FjPutQ x f y,v,k):FjeuOpsem" inductive_cases IfOpsem[elim!]:"(s,h,FjIfinst x E e1 e2,v,k):FjeuOpsem" inductive_cases CondOpsem[elim!]:"(s,h,FjCond x y e1 e2,v,k):FjeuOpsem" inductive_cases InvokeOpsem[elim!]:"(s,h,FjInvoke x m args,v,k):FjeuOpsem" inductive_cases LetOpsem[elim!]:"(s,h,FjLet x e1 e2,v,k):FjeuOpsem" (* Region type environments *) typedecl Region datatype TP = stringTP "Region set" | objTP Class "Region set" constdefs subtypeOf::"TP => TP => bool" "subtypeOf \ \ \ (case \ of (stringTP R) => (case \ of stringTP S => (R \ S) | objTP D S => False) | (objTP C R) => (case \ of (stringTP S) => False | objTP D S => subclassOf C D \ R \ S))" axioms subclassOf_refl:"subclassOf C C" axioms subclassOf_trans:"[|subclassOf C D; subclassOf D E |] ==> subclassOf C E" lemma subtypeOf_refl:"subtypeOf \ \" apply (simp add: subtypeOf_def) apply (case_tac \, clarsimp) apply clarsimp apply (rule subclassOf_refl) done lemma subtypeOf_trans: "[|subtypeOf \ \; subtypeOf \ \ |] ==> subtypeOf \ \" apply (simp add: subtypeOf_def) apply (case_tac \, clarsimp) apply (case_tac \, clarsimp) apply (case_tac \, clarsimp) apply fast apply clarsimp apply clarsimp apply clarsimp apply (rename_tac C R) apply (case_tac \, clarsimp) apply clarsimp apply (rename_tac E T) apply (case_tac \, clarsimp) apply clarsimp apply (rename_tac D S) apply rule apply (erule subclassOf_trans) apply assumption apply fast done types VarEnv = "Var ~=> TP" types MethodTyping = "TP list \ TP" constdefs Meth_subtypeOf::"MethodTyping => MethodTyping => bool" "Meth_subtypeOf \ \ \ (case \ of (\s,\) => (case \ of (\s,\) => length \s = length \s \ (\ n . n < length \s --> subtypeOf (\s!n) (\s!n)) \ subtypeOf \ \))" lemma Meth_subtypeOf_trans: "[| Meth_subtypeOf \ \; Meth_subtypeOf \ \|] ==> Meth_subtypeOf \ \" apply (simp add: Meth_subtypeOf_def) apply clarsimp apply (rule, clarsimp) apply (erule_tac x=n in allE, clarsimp) apply (erule_tac x=n in allE, clarsimp) apply (erule subtypeOf_trans, assumption) apply (erule subtypeOf_trans, assumption) done consts fields :: "Class \ Field set" consts getview::"Class => Region => Field ~=> TP" axioms getviewObjTP:"getview C r f = Some \ ==> (\ D R . \= objTP D R)" consts setview::"Class => Region => Field ~=> TP" axioms setviewObjTP:"setview C r f = Some \ ==> (\ D R . \= objTP D R)" consts MethViews::"Class => Region => Method => (MethodTyping set)" constdefs argTypes::"VarEnv => Var list => TP list => bool" "argTypes \ args \s \ length args = length \s \ (\ n . n < length args --> \ (args!n) = Some (\s!n))" constdefs VarEnvSubtyping::"VarEnv => VarEnv => bool" "VarEnvSubtyping \ \ \ \ x \ . \ x = Some \ --> (\ \ . \ x = Some \ \ subtypeOf \ \)" consts LCS::"Class \ Class \ Class" axioms LCS1:"subclassOf C (LCS C D)" axioms LCS2:"subclassOf D (LCS C D)" axioms LCS3:"\subclassOf C E; subclassOf D E\ \ subclassOf (LCS C D) E" axioms subclassOf_antisymm: "\subclassOf C D; subclassOf D C\ \ C=D" consts is_meet_of ::"TP \ TP \ TP \ bool" primrec "is_meet_of (stringTP W) \ \ = (\ S R . \ = stringTP S \ \ = stringTP R \ S \ R \ W)" "is_meet_of (objTP E W) \ \ = (\ C S D R . \ = objTP C S \ \ = objTP D R \ S \ R \ W \ subclassOf C E \ subclassOf D E)" constdefs meet:: "TP \ TP \ TP \ bool" "meet \ \ \ \ is_meet_of \ \ \ \ (\ \ . is_meet_of \ \ \ \ subtypeOf \ \)" constdefs vee::"TP \ TP \ TP option" "vee \ \ \ case \ of stringTP S \ (case \ of stringTP R \ Some (stringTP (S \ R)) | objTP D R \ None) | objTP C S \ (case \ of stringTP R \ None | objTP D R \ Some (objTP (LCS C D) (S \ R)))" constdefs Meet::"TP set \ TP \ bool" "Meet X \ \ (\ \ \ . \:X \ \:X \ is_meet_of \ \ \) \ (\ \ . (\ \ \ . \:X \ \:X \ is_meet_of \ \ \) \ subtypeOf \ \)" consts is_join_of ::"TP \ TP \ TP \ bool" primrec "is_join_of (stringTP W) \ \ = (\ S R . \ = stringTP S \ \ = stringTP R \ W \ S \ R)" "is_join_of (objTP C W) \ \ = (\ S R . \ = objTP C S \ \ = objTP C R \ W \ S \ R)" constdefs join:: "TP \ TP \ TP \ bool" "join \ \ \ \ is_join_of \ \ \ \ (\ \ . is_join_of \ \ \ \ subtypeOf \ \)" constdefs wedge::"TP \ TP \ TP option" "wedge \ \ \ case \ of stringTP S \ (case \ of stringTP R \ Some (stringTP (S \ R)) | objTP D R \ None) | objTP C S \ (case \ of stringTP R \ None | objTP D R \ if C=D then Some (objTP C (S \ R)) else None)" constdefs Join::"TP set \ TP \ bool" "Join X \ \ (\ \ \ . \:X \ \:X \ is_join_of \ \ \) \ (\ \ . (\ \ \ . \:X \ \:X \ is_join_of \ \ \) \ subtypeOf \ \)" lemma "dom (\ x . None) = {}" by simp lemma "dom ((\ x. None)(x:=Some a)) = {x}" by simp types "MkStringCond_TP" = "string \ Region \ bool" types "ConcatCond_TP" = "Region set \ Region set \ Region \ bool" types "StringCond" = "MkStringCond_TP \ ConcatCond_TP" (* Region type system *) inductive_set FjeuTyping::"(VarEnv \ StringCond \ Fjeu \ TP) set" where TpNull:"\ \ = objTP C R \ \ (\,SC, FjNull,\):FjeuTyping" | TpVar:"\ \ x = Some \ \ \ (\,SC, FjVar x,\):FjeuTyping" | TpNew:"\ \ = objTP C {r}; \ f . f: fields C \ (\\. getview C r f = Some \)\ \ (\,SC, FjNew C,\):FjeuTyping" | TpString:"\ \ = stringTP {r}; (fst SC) S r\ \ (\,SC, FjString S,\):FjeuTyping" | TpLet:"\ (\,SC,e1,\):FjeuTyping; (\(x:=Some \),SC,e2,\):FjeuTyping \ \ (\,SC,FjLet x e1 e2,\):FjeuTyping" | TpIf:"\ \ x = Some (objTP C R); (\,SC,e1,\):FjeuTyping; (\,SC,e2,\):FjeuTyping \ \ (\,SC,FjIfinst x E e1 e2,\):FjeuTyping" | TpCond:"\ \ x = Some (objTP C R); \ y = Some (objTP D S); ((\(x:=Some (objTP C (R \ S))))(y:=Some (objTP D (R \ S))), SC,e1,\):FjeuTyping; (\,SC,e2,\):FjeuTyping \ \ (\,SC,FjCond x y e1 e2,\):FjeuTyping" | TpGet: "\ \ x = Some (objTP C R); f:fields C; Meet {\ . \ r . r:R \ getview C r f = Some \} \; \ r . r:R \ (\ \. getview C r f = Some \)\ \ (\,SC,FjGet x f,\):FjeuTyping" | TpGetQuant: "\ \ x = Some (objTP C R); f:fields C; \ r . r:R \ (\ \. getview C r f = Some \ \ subtypeOf \ \)\ \ (\,SC,FjGetQ x f,\):FjeuTyping" | TpPut: "\ \ x = Some (objTP C R); \ y = Some \; Join {\ . \ r . r:R \ setview C r f = Some \} \; f:fields C; \ r . r:R \ (\ \. setview C r f = Some \)\ \ (\,SC,FjPut x f y,\):FjeuTyping" | TpPutQuant: "\ \ x = Some (objTP C R); \ y = Some \; f:fields C; \ r . r:R \ (\ \. setview C r f = Some \ \ subtypeOf \ \)\ \ (\,SC,FjPutQ x f y,\):FjeuTyping" | TpStringConcat: "\ \ x = Some (stringTP Rx); \ y = Some (stringTP Ry); \ = (stringTP (Rx \ {r})); (snd SC) Rx Ry r\ \ (\,SC,FjInvoke x StringConcat [y],\):FjeuTyping" | TpInv: "\ m ~= StringConcat; \ x = Some (objTP C R); argTypes \ args \s; \ r . r:R --> (\ \ . \ : MethViews C r m \ Meth_subtypeOf \ (\s,\)) \ \ (\,SC,FjInvoke x m args,\):FjeuTyping" | TpSub: "\ (\,SC,e,\):FjeuTyping; subtypeOf \ \;VarEnvSubtyping \ \\ \ (\,SC,e,\):FjeuTyping" types HeapTyping = "Loc ~=> (Region \ (Class option))" lemma "subtypeOf (objTP D {r}) (objTP C R) ==> r:R \ subclassOf D C" apply (simp add: subtypeOf_def) done inductive_set wfVal::"(HeapTyping \ Val \ TP) set" where (*wfVal_Null:"\ = objTP C R \ (\,nullVal,\):wfVal"*) wfVal_Null:"(\,nullVal,\):wfVal" | wfVal_String:"\\ a = Some(r,None); \ = stringTP {r} \ \ (\,locVal a,\):wfVal" | wfVal_Loc:"\\ a = Some(r,Some C); \ = objTP C {r} \ \ (\,locVal a,\):wfVal" | wfVal_sub:"\ (\,v,\):wfVal; subtypeOf \ \ \ \ (\,v,\):wfVal" lemma wfValD:"(\,v,\):wfVal \ v = nullVal \ (\ a r. v = locVal a \ \ a = Some(r,None) \ subtypeOf (stringTP {r}) \) \ (\ a r C. v = locVal a \ \ a = Some(r,Some C) \ subtypeOf (objTP C {r}) \)" apply (erule wfVal.induct) apply clarsimp apply clarsimp apply (rule subtypeOf_refl) apply clarsimp apply (rule subtypeOf_refl) apply clarsimp apply (erule disjE, clarsimp) apply (erule subtypeOf_trans, assumption) apply clarsimp apply (drule subtypeOf_trans, assumption) apply simp done constdefs store_wf::"HeapTyping \ Store \ VarEnv \ bool" "store_wf \ s \ \ \ x \ . \ x = Some \ \ (\ v . s x = Some v \ (\,v,\):wfVal)" lemma storeD:"\ store_wf \ s \; \ x = Some \\ \ \ v . s x = Some v \ (\,v,\):wfVal" apply (simp add: store_wf_def) done types "PROP_TP" = "string \ Region \ bool" consts obj_wt::"PROP_TP \ HeapTyping \ HeapObj \ (Region \ (Class option)) \ bool" primrec "obj_wt P \ (String w) X = (\ r . X = (r,None) \ P w r)" "obj_wt P \ (Obj C F) X = (\ D r . X = (r,Some D) \ subclassOf C D \ (\ f . f :fields C \ (\ v \ . F f = Some v \ getview C r f = Some \ \ (\,v,\):wfVal)))" constdefs heap_wt::"Heap \ PROP_TP \ HeapTyping \ bool" "heap_wt h P \ \ \ l X . \ l = Some X \ (\ obj . h l = Some obj \ obj_wt P \ obj X)" lemma heapD: "\heap_wt h P \; \ l = Some X\ \ \ obj . h l = Some obj \ obj_wt P \ obj X" apply (simp add:heap_wt_def) apply (case_tac X, clarsimp) done (* Subtyping-rule-free version of the region type system, which is later shown to be complete with respect to the region type system *) inductive_set FjeuSD::"(VarEnv \ StringCond \ Fjeu \ TP) set" where SDNull:"\ subtypeOf (objTP C R) \\ \ (\,SC,FjNull,\):FjeuSD" | SDVar:"\ \ x = Some \; subtypeOf \ \ \ \ (\,SC,FjVar x,\):FjeuSD" | SDNew:"\ subtypeOf (objTP C {r}) \; \ f . f: fields C \ (\\. getview C r f = Some \)\ \ (\,SC,FjNew C,\):FjeuSD" | SDString:"\ subtypeOf (stringTP {r}) \; (fst SC) S r\ \ (\,SC,FjString S,\):FjeuSD" | SDLet:"\ (\,SC,e1,\):FjeuTyping; (\(x:=Some \),SC,e2,\):FjeuTyping; VarEnvSubtyping \ \; subtypeOf \ \ \ \ (\,SC,FjLet x e1 e2,\):FjeuSD" | SDIf:"\ \ x = Some (objTP C R); (\,SC,e1,\):FjeuTyping; (\,SC,e2,\):FjeuTyping; VarEnvSubtyping \ \; subtypeOf \ \\ \ (\,SC,FjIfinst x E e1 e2,\):FjeuSD" | SDCond:"\ \ x = Some (objTP C R); \ y = Some (objTP D S); ((\(x:=Some(objTP C (R \ S))))(y:=Some(objTP D (R \ S))), SC,e1,\):FjeuTyping; (\,SC,e2,\):FjeuTyping; VarEnvSubtyping \ \; subtypeOf \ \\ \ (\,SC,FjCond x y e1 e2,\):FjeuSD" | SDGet: "\ \ x = Some (objTP C R); f: fields C; \ r . r:R \ (\ \. getview C r f = Some \); Meet {\ . \ r . r:R \ getview C r f = Some \} \; VarEnvSubtyping \ \; subtypeOf \ \\ \ (\,SC,FjGet x f,\):FjeuSD" | SDGetQuant: "\ \ x = Some (objTP C R); f:fields C; \ r . r:R \ (\ \. getview C r f = Some \ \ subtypeOf \ \); VarEnvSubtyping \ \\ \ (\,SC,FjGetQ x f,\):FjeuSD" | SDPut: "\ \ x = Some (objTP C R); \ y = Some \; f:fields C; \ r . r:R \ (\ \. setview C r f = Some \); Join {\ . \ r . r:R \ setview C r f = Some \} \; subtypeOf \ \; VarEnvSubtyping \ \ \ \ (\,SC,FjPut x f y,\):FjeuSD" | SDPutQuant: "\ \ x = Some (objTP C R); \ y = Some \; f:fields C; \ r . r:R \ (\ \. setview C r f = Some \ \ subtypeOf \ \); subtypeOf \ \; VarEnvSubtyping \ \ \ \ (\,SC,FjPutQ x f y,\):FjeuSD" | SDConcat: "\ \ x = Some (stringTP Rx); \ y = Some (stringTP Ry); subtypeOf (stringTP (Rx \ {r})) \; VarEnvSubtyping \ \; (snd SC) Rx Ry r\ \ (\,SC, FjInvoke x StringConcat [y],\):FjeuSD" | SDInv: "\ m ~= StringConcat; \ x = Some (objTP C R); argTypes \ args \s; VarEnvSubtyping \ \; \ r . r:R --> (\ \ . \ : MethViews C r m \ Meth_subtypeOf \ (\s,\)) \ \ (\,SC,FjInvoke x m args,\):FjeuSD" inductive_cases TpSD_Null[elim!]:"(\,SC,FjNull,\):FjeuSD" inductive_cases TpSD_Var[elim!]:"(\,SC,FjVar x,\):FjeuSD" inductive_cases TpSD_New[elim!]:"(\,SC,FjNew C,\):FjeuSD" inductive_cases TpSD_String[elim!]:"(\,SC,FjString S,\):FjeuSD" inductive_cases TpSD_If[elim!]:"(\,SC,FjIfinst x C e1 e2,\):FjeuSD" inductive_cases TpSD_Cond[elim!]:"(\,SC,FjCond x y e1 e2,\):FjeuSD" inductive_cases TpSD_Let[elim!]:"(\,SC,FjLet x e1 e2,\):FjeuSD" inductive_cases TpSD_Get[elim!]:"(\,SC,FjGet x f,\):FjeuSD" inductive_cases TpSD_GetQ[elim!]:"(\,SC,FjGetQ x f,\):FjeuSD" inductive_cases TpSD_Put[elim!]:"(\,SC,FjPut x f y,\):FjeuSD" inductive_cases TpSD_PutQ[elim!]:"(\,SC,FjPutQ x f y,\):FjeuSD" (*inductive_cases TpSD_StringConcat[elim!]:"(\,FjInvoke x StringConcat [y],\):FjeuTypingSD" inductive_cases TpSD_Inv[elim!]:"(\,FjInvoke x m args,\):FjeuTypingSD" *) lemma Meet_subset: "\Meet X \; Meet Y \; Y \ X; Y\{}\ \ subtypeOf \ \" apply (simp add: Meet_def) apply clarsimp apply (subgoal_tac "\ y. y:Y", erule exE) apply (rotate_tac -2, erule_tac x=\ in allE, erule mp) apply clarsimp apply (erule_tac x=\' in allE, erule impE) apply fast apply (erule_tac x=\' in allE, erule mp) apply fast apply fast done lemma VarEnvSubtyping_refl:"VarEnvSubtyping \ \" apply (simp add: VarEnvSubtyping_def subtypeOf_refl) done lemma VarEnvSubtyping_trans:"[|VarEnvSubtyping \ \;VarEnvSubtyping \ \ |] ==> VarEnvSubtyping \ \" apply (simp add: VarEnvSubtyping_def, clarsimp) apply (erule_tac x=x in allE, clarsimp) apply (erule_tac x=x in allE, clarsimp) apply (erule subtypeOf_trans, assumption) done lemma VarEnvSubtypingD: "[| VarEnvSubtyping \ \; \ x = Some \ |] ==> \ \ . \ x = Some \ \ subtypeOf \ \" apply (simp only: VarEnvSubtyping_def) done lemma argTypes_VarEnvSub[rule_format]: "\ \s . (argTypes \ vars \s --> VarEnvSubtyping \ \ --> (\ \s . length \s = length \s \ argTypes \ vars \s \ (\ n . n < length \s --> subtypeOf (\s!n) (\s!n))))" apply (induct vars) apply (simp add: argTypes_def, clarsimp) apply (rename_tac x vars \s) apply (simp add: argTypes_def, clarsimp) apply (case_tac \s, clarsimp,clarsimp) apply (rename_tac x vars \ \s) apply (drule_tac x=x and \=\ in VarEnvSubtypingD) apply (erule_tac x=0 in allE, clarsimp) apply clarsimp apply (rename_tac \) apply (erule_tac x=\s in allE, clarsimp) apply (erule impE) apply clarsimp apply (erule_tac x="Suc n" in allE, clarsimp) apply clarsimp apply (rule_tac x="\#\s" in exI, clarsimp) apply (rule, clarsimp) apply (case_tac n, clarsimp) apply clarsimp apply (clarsimp) apply (case_tac n, clarsimp) apply clarsimp done lemma FjeuSD_subtyping[rule_format]: "\ \ \ \ \ . (\,SC,e,\):FjeuSD --> VarEnvSubtyping \ \ --> subtypeOf \ \ --> (\,SC,e,\):FjeuSD" apply (induct e) apply clarsimp apply (rule_tac C=C in SDNull) apply (erule subtypeOf_trans, assumption) apply clarsimp apply (drule VarEnvSubtypingD, assumption) apply clarsimp apply (erule SDVar) apply (erule subtypeOf_trans, erule subtypeOf_trans, assumption) apply clarsimp apply (rule SDNew) apply (erule subtypeOf_trans, assumption) apply assumption apply clarsimp apply (rule SDString) apply (erule subtypeOf_trans, assumption) apply assumption apply clarsimp apply (rule SDLet) apply assumption apply assumption apply (erule VarEnvSubtyping_trans, assumption) apply (erule subtypeOf_trans, assumption) apply clarsimp apply (erule SDCond) apply assumption apply assumption apply assumption apply (erule VarEnvSubtyping_trans, assumption) apply (erule subtypeOf_trans, assumption) apply clarsimp apply (erule SDIf) apply assumption apply assumption apply (erule VarEnvSubtyping_trans, assumption) apply (erule subtypeOf_trans, assumption) apply clarsimp apply (rename_tac x f \ \ \' C R \ \ \) apply (frule VarEnvSubtypingD, assumption) apply clarsimp apply (case_tac \', clarsimp) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac D S) apply (rule_tac \=\' in SDGet) apply assumption apply assumption apply assumption apply assumption? apply (erule VarEnvSubtyping_trans) apply assumption apply (erule subtypeOf_trans, assumption) apply clarsimp apply (rename_tac x f \ \ \' C R \ \) apply (frule VarEnvSubtypingD, assumption) apply clarsimp apply (case_tac \', clarsimp) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac D S) apply (rule_tac \=\' in SDGetQuant) apply assumption apply assumption? apply clarsimp apply (erule_tac x=r in allE, clarsimp) apply (erule subtypeOf_trans,assumption) apply (erule VarEnvSubtyping_trans) apply assumption apply clarsimp apply (rename_tac x f y \ \ \' C R \ \ \') apply (frule_tac x=x in VarEnvSubtypingD, assumption) apply clarsimp apply (case_tac \'', clarsimp) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac D S) apply (frule_tac x=y in VarEnvSubtypingD, assumption) apply clarsimp apply (rule_tac \=\' in SDPut) apply assumption apply assumption apply assumption apply assumption apply assumption? apply (erule subtypeOf_trans, assumption) apply (erule VarEnvSubtyping_trans) apply assumption apply clarsimp apply (rename_tac x f y \ \ \' C R \ \ \') apply (frule_tac x=x in VarEnvSubtypingD, assumption) apply clarsimp apply (case_tac \'', clarsimp) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac D S) apply (frule_tac x=y in VarEnvSubtypingD, assumption) apply clarsimp apply (rule_tac \=\' in SDPutQuant) apply assumption apply assumption apply assumption apply clarsimp apply (erule subtypeOf_trans,assumption) apply (erule VarEnvSubtyping_trans) apply assumption apply clarsimp apply (erule FjeuSD.cases) apply (simp_all) apply clarsimp apply (frule_tac x=x in VarEnvSubtypingD, assumption) apply clarsimp apply (case_tac \'') prefer 2 apply (simp add: subtypeOf_def) apply clarsimp apply (frule_tac x=y in VarEnvSubtypingD, assumption) apply clarsimp apply (case_tac \'') prefer 2 apply (simp add: subtypeOf_def) apply clarsimp apply (rule_tac r=r and \=\' in SDConcat) apply assumption apply assumption apply clarsimp apply (erule subtypeOf_trans,assumption) apply (erule VarEnvSubtyping_trans) apply assumption apply simp apply (frule_tac x=x in VarEnvSubtypingD, assumption) apply clarsimp apply (frule argTypes_VarEnvSub) apply assumption apply clarsimp apply (rename_tac \ \ m \' x C R args \s \ \ cond1 cond2 \' \s) apply (case_tac \', clarsimp) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac D S) apply (erule_tac \=\' in SDInv) apply assumption apply assumption apply (erule VarEnvSubtyping_trans, assumption) apply clarsimp apply (erule_tac x=r in allE, clarsimp) apply (rule_tac x=a in exI, rule_tac x=b in exI,simp add: Meth_subtypeOf_def) apply clarsimp apply (erule subtypeOf_trans, assumption) done lemma FjeuSD_complete:"(\,SC,e,\):FjeuTyping ==> (\,SC,e,\):FjeuSD" apply (erule FjeuTyping.induct) apply clarsimp apply (rule_tac C=C in SDNull) apply (rule subtypeOf_refl) apply (erule SDVar) apply (rule subtypeOf_refl) apply (rule SDNew) apply clarsimp apply (rule subtypeOf_refl) apply assumption apply (rule SDString) apply clarsimp apply (rule subtypeOf_refl) apply assumption apply (rule SDLet) apply assumption apply assumption apply (rule VarEnvSubtyping_refl) apply (rule subtypeOf_refl) apply (erule SDIf) apply assumption apply assumption apply (rule VarEnvSubtyping_refl) apply (rule subtypeOf_refl) apply (erule SDCond) apply assumption apply assumption apply assumption apply (rule VarEnvSubtyping_refl) apply (rule subtypeOf_refl) apply (erule SDGet) apply assumption apply assumption apply assumption+ apply (rule VarEnvSubtyping_refl) apply (rule subtypeOf_refl) apply (erule SDGetQuant) apply assumption apply assumption? apply (rule VarEnvSubtyping_refl) apply clarsimp apply (erule SDPut) apply assumption apply assumption apply assumption apply assumption? apply (rule subtypeOf_refl) apply (rule VarEnvSubtyping_refl) apply clarsimp apply (erule SDPutQuant) apply assumption apply assumption apply assumption apply (rule subtypeOf_refl) apply (rule VarEnvSubtyping_refl) apply (erule_tac r=r in SDConcat) apply assumption apply clarsimp apply (rule subtypeOf_refl) apply (rule VarEnvSubtyping_refl) apply assumption apply (erule SDInv) apply assumption apply assumption apply (rule VarEnvSubtyping_refl) apply assumption apply (erule FjeuSD_subtyping) apply assumption apply assumption done constdefs HT_extends::"HeapTyping => HeapTyping => bool" "HT_extends \ \ \ \ a r \ . \ a = Some (r,\) --> \ a = Some (r,\)" lemma HT_extends_refl:"HT_extends \ \" apply (simp add: HT_extends_def subtypeOf_refl) done lemma HT_extends_trans: "[|HT_extends \ \; HT_extends \ \|] ==> HT_extends \ \" apply (simp add: HT_extends_def subtypeOf_trans) done lemma HT_extendsD:"[| HT_extends \ \;\ a = Some X|] ==> \ a = Some X" apply (simp add: HT_extends_def) apply (case_tac X, clarsimp) done lemma HT_extendsE:"[| HT_extends \ \;\ a = None|] ==> \ a = None" apply (simp add: HT_extends_def) apply (case_tac "\ a", assumption, clarsimp) apply (erule_tac x=a in allE, clarsimp) apply fast done lemma wfVal_HTextends[rule_format]: "(\,v,\):wfVal ==> \ \ . HT_extends \ \ --> (\,v,\):wfVal" apply (erule wfVal.induct) apply clarsimp apply (rule wfVal_Null) (*apply fastsimp*) apply clarsimp apply (drule HT_extendsD, assumption) apply (erule wfVal_String) apply simp apply clarsimp apply (drule HT_extendsD, assumption) apply (erule wfVal_Loc) apply simp apply clarsimp apply (erule_tac x=\ in allE, clarsimp) apply (erule wfVal_sub) apply assumption done lemma objwt_HTextends[rule_format]: "obj_wt P \ obj X ==> \ \ . HT_extends \ \ \ obj_wt P \ obj X" apply (case_tac obj,clarsimp) apply (rename_tac C F D r \ f) apply (erule_tac x=f in allE, clarsimp) apply (erule wfVal_HTextends, assumption) apply clarsimp done inductive_set mkEnv::"(Var list \ TP list \ VarEnv) set" where mkEnvNull:"\t = (\ x . None) \ \ ([],[],t):mkEnv" | mkEnvCons:"\(vars,\s,r):mkEnv; t = r(x:=Some \) \ \ (x#vars,\#\s,t):mkEnv" lemma mkEnv_existsAux[rule_format]: "\ vars \s . length vars = N --> length \s = N --> (\ t . (vars,\s,t):mkEnv)" apply (induct N) apply clarsimp apply (rule, rule mkEnvNull) apply simp apply clarsimp apply (case_tac \s, clarsimp, clarsimp) apply (rename_tac \ \s) apply (case_tac vars, clarsimp, clarsimp) apply (rename_tac x vars) apply (erule_tac x=vars in allE, clarsimp) apply (erule_tac x=\s in allE, clarsimp) apply (rule, erule mkEnvCons) apply simp done lemma mkEnv_exists: "length vars = length \s ==> \ t . (vars,\s,t):mkEnv" apply (rule mkEnv_existsAux) apply simp apply simp done lemma mkEnv_length:"(vars,\s, t) : mkEnv ==> length vars = length \s" apply (erule mkEnv.induct) apply simp apply simp done lemma mkEnv_dom[rule_format]: "(vars, \s, \) : mkEnv ==> \ x \ . \ x = Some \ --> x:set vars" apply (erule mkEnv.induct) apply clarsimp apply clarsimp done lemma Meth_subtypeOf_wfEnv[rule_format]: "\ \s vars \ \. Meth_subtypeOf (\s, \) (\s, \) --> distinct vars --> (vars, \s, \) : mkEnv --> (vars, \s, \) : mkEnv --> store_wf \ s \ --> store_wf \ s \" apply (induct \s) apply (simp add: Meth_subtypeOf_def, clarsimp) apply (erule mkEnv.cases, clarsimp) prefer 2 apply clarsimp apply (erule mkEnv.cases, clarsimp) apply clarsimp apply (simp add: Meth_subtypeOf_def, clarsimp) apply (erule mkEnv.cases, clarsimp, clarsimp) apply (erule mkEnv.cases, clarsimp, clarsimp) apply (rename_tac \s \ \ vars \s \ x \) apply (erule_tac x=\s in allE, clarsimp) apply (erule impE) apply clarsimp apply (erule_tac x="Suc n" in allE, clarsimp) apply (erule_tac x=vars in allE, erule impE, assumption) apply (case_tac "\ x") prefer 2 apply (drule mkEnv_dom, assumption) apply simp apply (erule_tac x=\ in allE, erule impE) apply assumption apply (erule_tac x=\ in allE, erule impE) apply assumption apply (erule impE) apply (simp add: store_wf_def) apply clarsimp apply (case_tac "x=xa", clarsimp) apply (erule_tac x=xa in allE, clarsimp) apply (simp add: store_wf_def) apply (erule_tac x=x in allE, clarsimp) apply (erule wfVal_sub) apply (erule_tac x=0 in allE, clarsimp) done lemma mkStore_mkEnv[rule_format]: "(\, pars, args, \) : mkStore ==> \ \s . argTypes \ args \s --> (pars, \s, \) : mkEnv" apply (erule mkStore.induct) apply clarsimp apply (simp add: argTypes_def) apply (rule mkEnvNull) apply simp apply clarsimp apply (simp add: argTypes_def) apply (case_tac \s, clarsimp) apply clarsimp apply (rename_tac s pars args r y v x \ \s) apply (erule_tac x=\s in allE, erule impE, clarsimp) apply (erule_tac x="Suc n" in allE, clarsimp) apply (erule mkEnvCons) apply (erule_tac x=0 in allE) apply rule apply simp done lemma mkStore_VarEnvSubtyping[rule_format]: "(\, pars, args, \) : mkStore ==> \ \' \' . (\', pars, args, \') : mkStore --> VarEnvSubtyping \ \' --> VarEnvSubtyping \ \'" apply (erule mkStore.induct) apply clarsimp apply (erule mkStore.cases, clarsimp) apply (simp add: VarEnvSubtyping_def) apply clarsimp apply clarsimp apply (erule mkStore.cases, clarsimp, clarsimp) apply (erule_tac x=sa in allE, erule_tac x=ra in allE, clarsimp) apply (simp add: VarEnvSubtyping_def) apply (erule_tac x=ya in allE, clarsimp) done lemma mkStore_mkEnv_sub[rule_format]: "(\', pars, args, \') : mkStore ==> \ \s \ \s . (pars, \s, \) : mkEnv --> argTypes \' args \s --> Meth_subtypeOf (\s, \) (\s, \) --> VarEnvSubtyping \' \" apply (erule mkStore.induct) apply clarsimp apply (erule mkEnv.cases, clarsimp) prefer 2 apply clarsimp apply (simp add: VarEnvSubtyping_def) apply clarsimp apply (erule mkEnv.cases, clarsimp, clarsimp) apply (rename_tac s args r y v \s vars \s \ x \) apply (erule_tac x=\s in allE, erule_tac x=\ in allE, clarsimp) apply (simp add: argTypes_def) apply (case_tac \s, clarsimp, clarsimp) apply (erule_tac x=list in allE, clarsimp) apply (erule impE) apply clarsimp apply (erule_tac x="Suc n" in allE, clarsimp) apply (erule impE) apply (simp add: Meth_subtypeOf_def, clarsimp) apply (rotate_tac -3, erule_tac x="Suc n" in allE, clarsimp) apply (simp add: VarEnvSubtyping_def Meth_subtypeOf_def, clarsimp) apply (erule_tac x=0 in allE, clarsimp) apply (erule_tac x=0 in allE, clarsimp) done constdefs Methods_welltyped::"StringCond \ bool" "Methods_welltyped SC \ (\ C r m \s \ pars e. (\s,\) : MethViews C r m --> mbody C m = Some (pars,e) --> (length pars = length \s \ distinct pars \ (\ \ . (pars,\s, \) : mkEnv --> (\, SC, e, \):FjeuTyping)))" constdefs StringCond_implies_Policy::"StringCond \ PROP_TP \ bool" "StringCond_implies_Policy SC P \ (\ w r . (fst SC) w r \ P w r) \ (\ R S t r s w1 w2. (snd SC) R S t \ r:R \ s:S \ P w1 r \ P w2 s \ P (w1 @ w2) t)" constdefs inter::"StringCond \ PROP_TP \ Store \ Heap \ Fjeu \ Val \ Heap \ bool" "inter SC P s h e v k \ StringCond_implies_Policy SC P \ (\ \ \ \ . (\,SC,e,\):FjeuTyping \ store_wf \ s \ \ heap_wt h P \ \ Methods_welltyped SC \ (\ \ . HT_extends \ \ \ heap_wt k P \ \ (\,v,\): wfVal))" (* axioms field_getr:"f \ fields C \ \ \. getview C r f = Some \" axioms field_putr:"f \ fields C \ \ \. setview C r f = Some \" *) lemma storewf_sub: "[|VarEnvSubtyping \ \; store_wf \ s \ |] ==> store_wf \ s \" apply (simp add: store_wf_def VarEnvSubtyping_def, clarsimp) apply (erule_tac x=x in allE, clarsimp) apply (erule_tac x=x in allE, clarsimp) apply (erule wfVal_sub) apply assumption done lemma ismeet_subtypeOf1: "is_meet_of \ \ \ \ subtypeOf \ \" apply (simp add: subtypeOf_def) apply (case_tac \, clarsimp) apply clarsimp done lemma ismeet_subtypeOf2: "is_meet_of \ \ \ \ subtypeOf \ \" apply (simp add: subtypeOf_def) apply (case_tac \, clarsimp) apply clarsimp done lemma isjoin_subtypeOf1: "is_join_of \ \ \ \ subtypeOf \ \" apply (simp add: subtypeOf_def) apply (case_tac \, clarsimp) apply clarsimp apply (rule subclassOf_refl) done lemma isjoin_subtypeOf2: "is_join_of \ \ \ \ subtypeOf \ \" apply (simp add: subtypeOf_def) apply (case_tac \, clarsimp) apply clarsimp apply (rule subclassOf_refl) done lemma Meet_D: "\ Meet {\. \r. r \ R \ getview D r f = Some \} \; getview D r f = Some \; r:R\ \ subtypeOf \ \" apply (simp add: Meet_def) apply clarsimp apply (erule_tac x=\ in allE, erule impE) apply (rule_tac x=r in exI, simp) apply (rotate_tac -1, erule_tac x=\ in allE, erule impE) apply (rule_tac x=r in exI, simp) apply (erule ismeet_subtypeOf1) done lemma Join_D: "\ Join {\. \r. r \ R \ setview D r f = Some \} \; setview D r f = Some \; r:R \ \ subtypeOf \ \" apply (simp add: Join_def) apply clarsimp apply (erule_tac x=\ in allE, erule impE) apply (rule_tac x=r in exI, simp) apply (rotate_tac -1, erule_tac x=\ in allE, erule impE) apply (rule_tac x=r in exI, simp) apply (erule isjoin_subtypeOf1) done axioms condition1:"[|getview D r f = Some \; subclassOf C D|] ==> EX \. getview C r f = Some \ & subtypeOf \ \" axioms condition2:"[|setview D r f = Some \; subclassOf C D |] ==> EX \. setview C r f = Some \ \ subtypeOf \ \" axioms condition3:"[| subtypeOf (objTP C R) (objTP D S); r:R; Dspec : MethViews D r m |] ==> \ Cspec . Cspec : MethViews C r m \ Meth_subtypeOf Cspec Dspec" axioms condition4:"[|setview D r f = Some \; getview D r f = Some \|] ==> subtypeOf \ \" axioms fields_sub:"subclassOf C D \ fields D \ fields C" lemma wfVal_Cond: "\(\, v, objTP D S) : wfVal; (\, v, objTP C R) \ wfVal\ \ (\, v, objTP C (R \ S)) \ wfVal" apply (drule wfValD) apply (drule wfValD) apply safe apply (rule wfVal_Null) apply clarsimp apply (simp add: subtypeOf_def) apply clarsimp apply clarsimp apply clarsimp apply (rule wfVal_sub) apply (erule wfVal_Loc) apply simp apply (simp add: subtypeOf_def) done lemma mkStore_wfEnv[rule_format]: "(s, pars, args, t) : mkStore ==> \ \ . store_wf \ s \ --> (\, pars, args, \) : mkStore --> store_wf \ t \" apply (erule mkStore.induct) apply clarsimp apply (erule mkStore.cases, clarsimp) apply (simp add: store_wf_def) apply clarsimp apply clarsimp apply (rotate_tac 1, erule mkStore.cases, clarsimp) apply clarsimp apply (erule_tac x=ra in allE, erule impE, assumption) apply (simp add: store_wf_def) apply (erule_tac x=ya in allE, clarsimp) done lemma SoundAux:"(s,h,e,v,k):FjeuOpsem \ inter SC P s h e v k" apply (erule FjeuOpsem.induct) apply (simp_all add: inter_def) (*Null*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x=\ in exI, simp) apply rule apply (rule HT_extends_refl) apply (simp add: subtypeOf_def) apply (case_tac \, clarsimp, clarsimp) apply (rule wfVal_Null) (*apply fastsimp*) (*Var*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x=\ in exI, simp) apply rule apply (rule HT_extends_refl) apply (drule_tac x=x in storeD, assumption) apply clarsimp apply (erule wfVal_sub) apply assumption (*New*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x="\(a:=Some(r,Some C))" in exI) apply (subgoal_tac "HT_extends (\(a \ (r, Some C))) \", simp) prefer 2 apply (simp add: HT_extends_def, clarsimp) apply (drule heapD, assumption) apply clarsimp apply (subgoal_tac "(\(a:=Some (r, Some C)), locVal a, objTP C {r}) \ wfVal") prefer 2 apply (rule wfVal_Loc) apply fastsimp apply simp apply (simp (no_asm) only: heap_wt_def) apply (rule, clarsimp) apply (rule, clarsimp) apply (simp add: defaultObj_def) apply (rule,rule subclassOf_refl) apply clarsimp apply (erule_tac x=f in allE,clarsimp) (*apply (drule_tac r=r in field_getr) apply clarsimp*) apply (rule wfVal_Null) apply clarsimp apply (drule heapD,assumption) apply clarsimp apply (erule objwt_HTextends) apply assumption apply (erule wfVal_sub) apply assumption (*mkString*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x="\(a:=Some(r,None))" in exI) apply (subgoal_tac "HT_extends (\(a \ (r, None))) \", simp) prefer 2 apply (simp add: HT_extends_def, clarsimp) apply (drule heapD, assumption) apply clarsimp apply (subgoal_tac "(\(a:=Some (r, None)), locVal a, stringTP {r}) \ wfVal") prefer 2 apply (rule wfVal_String) apply fastsimp apply simp apply (simp (no_asm) only: heap_wt_def) apply (rule, clarsimp) apply (rule, clarsimp) apply (simp add: stringObj_def) apply (simp add: StringCond_implies_Policy_def) apply clarsimp apply (drule heapD,assumption) apply clarsimp apply (erule objwt_HTextends) apply assumption apply (erule wfVal_sub) apply assumption (*Let*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (erule_tac x=\ in allE, erule_tac x=\ in allE, clarsimp) apply (erule_tac x=\ in allE, erule impE) apply (erule storewf_sub) apply assumption apply clarsimp apply (erule_tac x="\(x:=Some \)" in allE, erule_tac x=\ in allE, clarsimp) apply (erule_tac x=\ in allE, erule impE) apply (simp (no_asm) add: store_wf_def) apply clarsimp apply (drule VarEnvSubtypingD) apply assumption apply clarsimp apply (drule storeD, assumption) apply clarsimp apply (rule wfVal_sub) apply (erule wfVal_HTextends) apply assumption apply assumption apply clarsimp apply (rule_tac x=\' in exI, simp) apply rule apply (erule HT_extends_trans) apply assumption apply (erule wfVal_sub) apply assumption (*Cond*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (erule disjE) apply clarsimp apply (erule_tac x="\(x \ objTP C (R \ S), y \ objTP D (R \ S))" in allE, erule_tac x=\ in allE, clarsimp) apply (erule_tac x=\ in allE, erule impE) apply (subgoal_tac "store_wf \ s \") prefer 2 apply (erule storewf_sub) apply assumption apply (rotate_tac 1, erule thin_rl) apply (simp add: store_wf_def, clarsimp) apply (rule, clarsimp) apply (rule, clarsimp) apply clarsimp apply (subgoal_tac "\v. s y = Some v \ (\, v, objTP D S) \ wfVal") apply (erule_tac x=x in allE, erule_tac x="objTP C R" in allE, erule impE,assumption) apply clarsimp apply (erule wfVal_Cond) apply assumption apply (erule_tac x=y in allE, erule_tac x="objTP D S" in allE, erule mp) apply assumption apply clarsimp apply (subgoal_tac "\v. s y = Some v \ (\, v, objTP D S) \ wfVal") apply (erule_tac x=x in allE, erule_tac x="objTP C R" in allE, erule impE,assumption) apply clarsimp apply (subgoal_tac "R \ S = S \ R", clarsimp) apply (erule wfVal_Cond) apply assumption apply fast apply (erule_tac x=y in allE, erule_tac x="objTP D S" in allE, erule mp) apply assumption apply clarsimp apply (rule_tac x=\ in exI, simp) apply (erule wfVal_sub) apply assumption apply clarsimp apply (erule_tac x=\ in allE, erule_tac x=\ in allE, clarsimp) apply (erule_tac x=\ in allE, erule impE) apply (erule storewf_sub) apply assumption apply clarsimp apply (rule_tac x=\ in exI, simp) apply (erule wfVal_sub) apply assumption (*Ifinst*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (erule disjE) apply clarsimp apply (erule_tac x=\ in allE, erule_tac x=\ in allE, clarsimp) apply (erule_tac x=\ in allE, erule impE) apply (erule storewf_sub) apply assumption apply clarsimp apply (rule_tac x=\ in exI, simp) apply (erule wfVal_sub) apply assumption apply clarsimp apply (erule_tac x=\ in allE, erule_tac x=\ in allE, clarsimp) apply (erule_tac x=\ in allE, erule impE) apply (erule storewf_sub) apply assumption apply clarsimp apply (rule_tac x=\ in exI, simp) apply (erule wfVal_sub) apply assumption (*Get*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x=\ in exI, simp, rule, rule HT_extends_refl) apply (drule storewf_sub) apply assumption apply (rotate_tac -1) apply (rename_tac s x a h C F f v \ \ \ \ D R \) apply (drule storeD, assumption) apply clarsimp apply (drule wfValD) apply (erule disjE, clarsimp) apply (erule disjE, clarsimp) apply (simp add: subtypeOf_def) apply clarsimp apply (drule heapD, assumption) apply clarsimp apply (erule_tac x=r in allE, erule impE) apply (simp add: subtypeOf_def) apply clarsimp (*apply (frule_tac r=r in field_getr) apply (erule exE)*) apply (subgoal_tac "subclassOf C D") prefer 2 apply (erule subclassOf_trans) apply (simp add: subtypeOf_def) apply (erule_tac x=f in allE, erule impE) apply (drule_tac C=C and D=D in fields_sub) apply fast apply clarsimp apply (erule wfVal_sub) apply (rule_tac \=\ in subtypeOf_trans) apply (frule_tac C=C and D=D in condition1) apply assumption apply clarsimp apply (erule subtypeOf_trans) apply (erule Meet_D) apply assumption apply (simp add: subtypeOf_def) apply assumption (*GetQ*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x=\ in exI, simp, rule, rule HT_extends_refl) apply (drule storewf_sub) apply assumption apply (rotate_tac -1) apply (rename_tac s x a h C F f v \ \ \ \ D R) apply (drule storeD, assumption) apply clarsimp apply (drule wfValD) apply (erule disjE, clarsimp) apply (erule disjE, clarsimp) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac E) apply (drule heapD, assumption) apply clarsimp apply (erule_tac x=r in allE, erule impE) apply (simp add: subtypeOf_def) apply clarsimp (*apply (frule_tac r=r in field_getr) apply (erule exE)*) apply (subgoal_tac "subclassOf C D") prefer 2 apply (erule subclassOf_trans) apply (simp add: subtypeOf_def) apply (erule_tac x=f in allE, erule impE) apply (drule_tac C=C and D=D in fields_sub) apply fast apply clarsimp apply (erule wfVal_sub) apply (rule_tac \=\ in subtypeOf_trans) apply (frule_tac C=C and D=D in condition1) apply assumption apply clarsimp apply assumption (*Put*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x=\ in exI, rule, rule HT_extends_refl) apply (frule_tac x=x in VarEnvSubtypingD) apply assumption apply clarsimp apply (frule_tac x=x in storeD) apply assumption apply clarsimp apply (frule_tac x=y in VarEnvSubtypingD) apply assumption apply clarsimp apply (frule_tac x=y in storeD) apply assumption apply clarsimp apply rule prefer 2 apply (erule wfVal_sub) apply (erule subtypeOf_trans) apply assumption apply (drule wfValD) apply (erule disjE, clarsimp) apply (erule disjE, clarsimp) apply (drule_tac \=\'' in subtypeOf_trans,assumption) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac s x a h C F y w f \ \ \ \ D R \' \'' \''' r E) apply (erule_tac x=r in allE,erule impE) apply (drule_tac \=\'' in subtypeOf_trans, assumption) apply (simp add: subtypeOf_def) apply clarsimp (*apply (drule_tac r=r in field_putr) apply (erule exE)*) apply (simp add: heap_wt_def) apply (erule_tac x=a in allE, clarsimp) apply (erule_tac x=f in allE, erule impE, assumption) apply clarsimp (* apply (frule_tac x=y in VarEnvSubtypingD) apply assumption apply clarsimp apply (drule_tac x=y in storeD,assumption) apply clarsimp*) apply (drule_tac \=\'' in subtypeOf_trans,assumption) apply (erule wfVal_sub) apply (erule subtypeOf_trans) apply (rule subtypeOf_trans) apply (erule Join_D) apply assumption apply (simp add: subtypeOf_def) apply (drule_tac C=C in condition2) apply (erule subclassOf_trans) apply (simp add: subtypeOf_def) apply clarsimp apply (erule subtypeOf_trans) apply (erule condition4, assumption) (*PutQ*) apply clarsimp apply (drule FjeuSD_complete) apply clarsimp apply (rule_tac x=\ in exI, rule, rule HT_extends_refl) apply (frule_tac x=x in VarEnvSubtypingD) apply assumption apply clarsimp apply (frule_tac x=x in storeD) apply assumption apply clarsimp apply (frule_tac x=y in VarEnvSubtypingD) apply assumption apply clarsimp apply (frule_tac x=y in storeD) apply assumption apply clarsimp apply rule prefer 2 apply (erule wfVal_sub) apply (erule subtypeOf_trans) apply assumption apply (drule wfValD) apply (erule disjE, clarsimp) apply (erule disjE, clarsimp) apply (drule_tac \=\'' in subtypeOf_trans,assumption) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac s x a h C F y w f \ \ \ \ D R \' \'' \''' r E) apply (erule_tac x=r in allE,erule impE) apply (drule_tac \=\'' in subtypeOf_trans, assumption) apply (simp add: subtypeOf_def) apply clarsimp (*apply (drule_tac r=r in field_putr) apply (erule exE)*) apply (simp add: heap_wt_def) apply (erule_tac x=a in allE, clarsimp) apply (erule_tac x=f in allE, erule impE, assumption) apply clarsimp (* apply (frule_tac x=y in VarEnvSubtypingD) apply assumption apply clarsimp apply (drule_tac x=y in storeD,assumption) apply clarsimp*) apply (drule_tac \=\'' in subtypeOf_trans,assumption) apply (erule wfVal_sub) apply (erule subtypeOf_trans) apply (erule_tac \=\ in subtypeOf_trans) apply (drule_tac C=C in condition2) apply (erule subclassOf_trans) apply (simp add: subtypeOf_def) apply clarsimp apply (erule subtypeOf_trans) apply (erule condition4, assumption) (*StringConcat*) apply clarsimp apply (drule FjeuSD_complete) apply (erule FjeuSD.cases) apply (simp_all) apply clarsimp apply (rename_tac s X h XString Y YString a k v \ \ x Rx y Ry r \' \' SC1 SC2) apply (frule VarEnvSubtypingD) apply assumption apply clarsimp apply (frule storewf_sub) apply assumption apply (case_tac YString, clarsimp) apply (rule_tac x=\ in exI) apply (rule, rule HT_extends_refl) apply rule apply (frule storeD) apply assumption apply assumption apply (drule_tac x=x in storeD) apply assumption apply clarsimp apply (erule wfVal_sub) apply (erule subtypeOf_trans) apply (rule subtypeOf_trans) prefer 2 apply assumption apply (simp add: subtypeOf_def) apply fast apply clarsimp apply (rename_tac chr chars) apply (rule_tac x="\(a:=Some(r,None))" in exI) apply (subgoal_tac "HT_extends (\(a \ (r, None))) \",simp) prefer 2 apply (simp add: HT_extends_def, clarsimp) apply (drule heapD) apply assumption apply clarsimp apply (subgoal_tac "(\(a:=Some (r, None)), locVal a, stringTP {r}) \ wfVal") prefer 2 apply (rule wfVal_String) apply fastsimp apply simp apply rule prefer 2 apply (erule wfVal_sub) apply (rule subtypeOf_trans) prefer 2 apply assumption apply (simp add: subtypeOf_def) apply (simp (no_asm) only: heap_wt_def) apply clarsimp apply rule apply clarsimp apply (simp add: stringObj_def) apply (simp add: StringCond_implies_Policy_def) apply clarsimp apply (erule_tac x=Rx in allE,erule_tac x=Ry in allE, erule_tac x=r in allE, clarsimp) apply (frule_tac \=\ and x=x in storeD, assumption) apply clarsimp apply (drule_tac v="locVal X" in wfValD) apply clarsimp apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac rx) apply (frule_tac \=\ and x=y in storeD, assumption) apply clarsimp apply (drule_tac v="locVal Y" in wfValD) apply clarsimp apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac ry) apply (erule_tac x=rx in allE, erule impE, assumption) apply (erule_tac x=ry in allE, erule impE, assumption) apply (erule_tac x=XString in allE, erule impE) apply (drule_tac l=X in heapD, assumption) apply clarsimp apply (erule_tac x="chr # chars" in allE, erule impE) apply (drule_tac l=Y in heapD, assumption) apply clarsimp apply assumption apply clarsimp apply (drule heapD,assumption) apply clarsimp apply (erule objwt_HTextends) apply assumption (*Invoke*) apply clarsimp apply (drule FjeuSD_complete) apply (erule FjeuSD.cases) apply (simp_all) apply clarsimp apply (frule VarEnvSubtypingD) apply assumption apply clarsimp apply (frule storewf_sub) apply assumption apply (rename_tac m \' x D R args \s \ \' SC1 SC2 \) apply (subgoal_tac "(\, locVal a, \) : wfVal") prefer 2 apply (drule storeD) apply assumption apply clarsimp apply (frule wfValD) apply (erule disjE, clarsimp) apply (erule disjE, clarsimp) apply (drule subtypeOf_trans,assumption) apply (simp add: subtypeOf_def) apply clarsimp apply (frule subtypeOf_trans,assumption) apply (frule_tac l=a in heapD) apply assumption apply clarsimp apply (erule_tac x=r in allE, erule impE) apply (simp add: subtypeOf_def) apply clarsimp apply (rename_tac E \s \) apply (subgoal_tac "\ \ . (\, pars, args, \):mkStore", erule exE) prefer 2 apply (rule mkStore_exists) apply (erule mkStore_length) apply (simp add: argTypes_def) apply clarsimp apply (simp add: VarEnvSubtyping_def) apply (erule_tac x=n in allE, clarsimp) apply (case_tac "\s ! n", clarsimp) apply (erule_tac x="args!n" in allE, clarsimp) apply (erule_tac x="args!n" in allE, clarsimp) apply (subgoal_tac "store_wf \ t \") prefer 2 apply (erule mkStore_wfEnv) apply assumption apply assumption apply (subgoal_tac "subtypeOf (objTP C {r}) (objTP D R)") prefer 2 apply (rule_tac \="objTP E {r}" in subtypeOf_trans) apply (simp add: subtypeOf_def) apply assumption apply (frule_tac C=C and D=D in condition3) apply fast apply assumption apply clarsimp apply (rename_tac \s \) apply (subgoal_tac "distinct pars") prefer 2 apply (simp add: Methods_welltyped_def) apply (subgoal_tac "(\, (SC1,SC2), e, \) : FjeuTyping") apply (erule_tac x=\ in allE, erule_tac x=\ in allE, clarsimp) apply (erule_tac x=\ in allE, clarsimp) apply (rule_tac x=\ in exI, simp) apply (erule wfVal_sub) apply (simp add: Meth_subtypeOf_def, clarsimp) apply (erule subtypeOf_trans) apply assumption apply (simp add: Methods_welltyped_def) apply (erule_tac x=C in allE, erule_tac x=r in allE, erule_tac x=m in allE) apply (erule_tac x=\s in allE, erule_tac x=\ in allE) apply clarsimp apply (subgoal_tac "\ \ . (pars, \s, \):mkEnv", erule exE) prefer 2 apply (erule mkEnv_exists) apply (erule_tac x=\ in allE, erule impE, assumption) apply (erule TpSub) apply (rule subtypeOf_refl) apply (subgoal_tac "\ \' . (\', pars, args, \') : mkStore") prefer 2 apply (rule mkStore_exists) apply (erule mkStore_length) apply clarsimp apply (simp add: argTypes_def) apply (erule exE) apply (rule VarEnvSubtyping_trans) apply (erule_tac \'=\' in mkStore_VarEnvSubtyping) apply assumption apply assumption apply (erule mkStore_mkEnv_sub) apply assumption apply assumption apply (erule Meth_subtypeOf_trans, assumption) done theorem Sound: "\ (\,SC,e,\):FjeuTyping ; store_wf \ s \; Methods_welltyped SC; StringCond_implies_Policy SC P; heap_wt h P \; (s,h,e,v,k) : FjeuOpsem \ \ \ \ . HT_extends \ \ \ heap_wt k P \ \ (\,v,\): wfVal" apply (drule_tac SC=SC and P=P in SoundAux) apply (simp add: inter_def) done constdefs mkSC::"PROP_TP \ StringCond" "mkSC P \ (P, \ R S t . \ r s w1 w2 . r:R \ s:S \ P w1 r \ P w2 s \ P (w1 @ w2) t)" lemma mkSCP_implies_P: "StringCond_implies_Policy (mkSC P) P" apply (simp add: StringCond_implies_Policy_def mkSC_def) done theorem SoundForPolicy: "\ (\,mkSC P,e,\):FjeuTyping ; store_wf \ s \; Methods_welltyped (mkSC P); heap_wt h P \; (s,h,e,v,k) : FjeuOpsem \ \ \ \ . HT_extends \ \ \ heap_wt k P \ \ (\,v,\): wfVal" apply (erule Sound) apply assumption+ apply (rule mkSCP_implies_P) apply assumption+ done (*Before we move to string operation contexts, let's first look at an easier type of policy: string tables. They map each region r to the set of allowed values for string objects in r. (Essentially, we have done all the work for string tables already.) *) types "StringTable" = "Region \ string set" (*Of course,this is essentially the same type as the type PROP_TP of policies, so we can easliy convert a table into a policy*) constdefs ST_2_PROP:: "StringTable \ PROP_TP" "ST_2_PROP \ \ \ w r . w : \ r" (*Also, we could easily define the syntactic conditions for the typing system explicitly: *) constdefs TableCond::"StringTable \ StringCond" "TableCond \ \ (\ w r . w \ \ r, \ R S t . \ r s w1 w2 . r:R \ s:S \ w1 : \ r \ w2 : \ s \ (w1 @ w2) : \ t)" (*Trivially, this results in the same conditions as going via policies:*) lemma TableCond_is_mkSC: "TableCond \ = mkSC (ST_2_PROP \)" apply (simp add: TableCond_def ST_2_PROP_def mkSC_def) done (*Here is the specialisation of the soundess-for-polies-theorem to string tables.*) theorem SoundForStringTables: "\ (\,TableCond \,e,\):FjeuTyping ; store_wf \ s \; Methods_welltyped (TableCond \); heap_wt h (ST_2_PROP \) \; (s,h,e,v,k) : FjeuOpsem \ \ \ \ . HT_extends \ \ \ heap_wt k (ST_2_PROP \) \ \ (\,v,\): wfVal" apply (insert TableCond_is_mkSC [of \]) apply (erule Sound) apply assumption+ apply clarsimp apply (rule mkSCP_implies_P) apply assumption+ done (*Let's now do stringopcontexts*) datatype StringOp = newstring string Region | concat Region Region Region | unknown "string set" Region types "StringOpCtxt" = "StringOp set" (*Can we define again a policy - of course! It's the least interpretation as given in the paper. In order to model the construction in Isabelle, we first define when an interpretation satisfies the 3 conditions.*) types "Interpretation" = "Region \ string set" constdefs Cond1 :: "StringOpCtxt \ Interpretation \ bool" "Cond1 \ interp \ \ w r . newstring w r : \ \ w : interp r" constdefs Cond2 :: "StringOpCtxt \ Interpretation \ bool" "Cond2 \ interp \ \ r s t. concat r s t : \ \ (\ w1 w2 . w1 : interp r \ w2 : interp s \ w1 @ w2 : interp t)" constdefs Cond3 :: "StringOpCtxt \ Interpretation \ bool" "Cond3 \ interp \ \ W r . unknown W r : \ \ W \ interp r" constdefs Inter_good::"StringOpCtxt \ Interpretation \ bool" "Inter_good \ interp \ Cond1 \ interp \ Cond2 \ interp \ Cond3 \ interp" (*We then define the interpretation of interest as the (pointwise) intersection of all good intepretations.*) constdefs LeastInter :: "StringOpCtxt \ Interpretation" "LeastInter \ \ \ r . { w . \ interp . Inter_good \ interp \ w : interp r}" (*Indeed, this interpretation is good itself*) lemma LeastInter_is_good: "Inter_good \ (LeastInter \)" apply (unfold Inter_good_def LeastInter_def) apply rule apply (simp add: Cond1_def) apply rule apply (simp add: Cond2_def) apply (simp add: Cond3_def) apply fast done constdefs SOC_2_PROP::"StringOpCtxt \ PROP_TP" "SOC_2_PROP \ \ \ w r . w : LeastInter \ r" (*In fact, ANY interpretation IS a policy -- again the types are essentially the same:*) constdefs interp_2_PROP::"Interpretation \ PROP_TP" "interp_2_PROP \ \ interp w r . w : interp r" lemma "SOC_2_PROP \ = interp_2_PROP (LeastInter \)" apply (simp add: SOC_2_PROP_def interp_2_PROP_def) done (*We may also generate the typing conditions for ANY intepretation:*) constdefs interp_2_SC::"Interpretation \ StringCond" "interp_2_SC interp \ (\ w r . w \ interp r, \ R S t . \ r s w1 w2 . r:R \ s:S \ w1 : interp r \ w2 : interp s \ (w1 @ w2) : interp t)" (*Note that these side conditions involve the INTERPRETATIONS. Again, this construction trivially yields the same conditions as going via policies:*) lemma interp_is_mkSC: "interp_2_SC interp = mkSC (interp_2_PROP interp)" apply (simp add: interp_2_SC_def interp_2_PROP_def mkSC_def) done (*Here is the specialisation of the soundness-for-policies theoremfor arbitrary intepretations - again the type side conditions are semantic*) theorem SoundForStringContext_semSCs: "\ (\,interp_2_SC interp,e,\):FjeuTyping ; store_wf \ s \; Methods_welltyped (interp_2_SC interp); heap_wt h (interp_2_PROP interp) \; (s,h,e,v,k) : FjeuOpsem \ \ \ \ . HT_extends \ \ \ heap_wt k (interp_2_PROP interp) \ \ (\,v,\): wfVal" apply (insert interp_is_mkSC) apply clarsimp apply (erule Sound) apply assumption+ apply (rule mkSCP_implies_P) apply assumption+ done (*What about the syntactic conditions given in the paper:*) constdefs StrCtxt_Conds::"StringOpCtxt \ StringCond" "StrCtxt_Conds \ \ (\ w r . newstring w r : \, \ R S t . \ r s. r:R \ s : S \ concat r s t : \)" (*They (of course) imply the least policy - because the latter is good*) lemma StrCtxt_Conds_imply_policy: "StringCond_implies_Policy (StrCtxt_Conds \) (SOC_2_PROP \)" apply (simp add: StringCond_implies_Policy_def) apply (simp add: SOC_2_PROP_def) apply (simp add: StrCtxt_Conds_def) apply (insert LeastInter_is_good [of \]) apply (simp add: Inter_good_def) apply rule apply (simp add: Cond1_def) apply clarsimp apply (simp add: Cond2_def) apply fast done theorem SoundForStringContext_syntSCs: "\ (\,StrCtxt_Conds \,e,\):FjeuTyping ; store_wf \ s \; Methods_welltyped (StrCtxt_Conds \); heap_wt h (SOC_2_PROP \) \; (s,h,e,v,k) : FjeuOpsem \ \ \ \ . HT_extends \ \ \ heap_wt k (SOC_2_PROP \) \ \ (\,v,\): wfVal" apply (erule Sound) apply assumption+ apply (rule StrCtxt_Conds_imply_policy) apply assumption+ done (*Of course, the trivial interpretation is also good.*) constdefs FullInter :: "StringOpCtxt \ Interpretation" "FullInter \ \ \ r . {w . True}" lemma FullInter_is_good: "Inter_good \ (FullInter \)" apply (simp add: Inter_good_def FullInter_def) apply rule apply (simp add: Cond1_def) apply rule apply (simp add: Cond2_def) apply (simp add: Cond3_def) done (*The crucial property of the least solution is that each set contains ONLY strings construcated by the three operations. I.e. we can track where components of COMPOSITE strings came from. In order to prove this, we show that simple fact that the above construction yields indeed the least GOOD solution w.r.t. pointwise inclusion.*) constdefs leq::"Interpretation \ Interpretation \ bool" "leq \ \ I J . \ r . I r \ J r" lemma Least_minimal_good: "(Inter_good \ interp) \ leq (LeastInter \) interp" apply (simp add:leq_def,clarsimp) apply (simp add: LeastInter_def) done (*From this, we show the following elimination result, which shows that Omega contains all information to destruct strings in the solution.*) lemma LeastElim: "w : LeastInter \ t \ newstring w t : \ \ (\ r s w1 w2 . concat r s t : \ \ w1: LeastInter \ r \ w2 : LeastInter \ s \ w = w1 @ w2) \ (\ W . unknown W t : \ \ w: W)" apply clarsimp apply (case_tac "\r s. StringOp.concat r s t \ \ \ (\w1. w1 \ LeastInter \ r \ (\w2. w2 \ LeastInter \ s \ w = w1 @ w2))", assumption) apply clarsimp apply (subgoal_tac "Inter_good \ (\ r . if r = t then (LeastInter \ r) - {w} else (LeastInter \ r))") apply (drule Least_minimal_good) apply (simp add: leq_def) apply (rotate_tac -1, erule_tac x=t in allE, clarsimp) apply fast apply (insert LeastInter_is_good [of \]) apply (simp add: Inter_good_def) apply (rule, simp add: Cond1_def, clarsimp) apply rule prefer 2 apply (simp add: Cond3_def) apply clarsimp apply fast apply (simp add: Cond2_def, clarsimp) apply fast done end