(* Author: Tobias Nipkow *) header "Hoare Logic" theory Hoare imports Big_Step begin subsection "Hoare Logic for Partial Correctness" types assn = "state \ bool" abbreviation state_subst :: "state \ aexp \ name \ state" ("_[_'/_]" [1000,0,0] 999) where "s[a/x] == s(x := aval a s)" inductive hoare :: "assn \ com \ assn \ bool" ("\ ({(1_)}/ (_)/ {(1_)})" 50) where Skip: "\ {P} SKIP {P}" | Assign: "\ {\s. P(s[a/x])} x::=a {P}" | Semi: "\ \ {P} c\<^isub>1 {Q}; \ {Q} c\<^isub>2 {R} \ \ \ {P} c\<^isub>1;c\<^isub>2 {R}" | If: "\ \ {\s. P s \ bval b s} c\<^isub>1 {Q}; \ {\s. P s \ \ bval b s} c\<^isub>2 {Q} \ \ \ {P} IF b THEN c\<^isub>1 ELSE c\<^isub>2 {Q}" | While: "\ {\s. P s \ bval b s} c {P} \ \ {P} WHILE b DO c {\s. P s \ \ bval b s}" | conseq: "\ \s. P' s \ P s; \ {P} c {Q}; \s. Q s \ Q' s \ \ \ {P'} c {Q'}" lemmas [simp] = hoare.Skip hoare.Assign hoare.Semi If lemmas [intro!] = hoare.Skip hoare.Assign hoare.Semi hoare.If lemma strengthen_pre: "\ \s. P' s \ P s; \ {P} c {Q} \ \ \ {P'} c {Q}" by (blast intro: conseq) lemma weaken_post: "\ \ {P} c {Q}; \s. Q s \ Q' s \ \ \ {P} c {Q'}" by (blast intro: conseq) text{* The assignment and While rule are awkward to use in actual proofs because their pre and postcondition are of a very special form and the actual goal would have to match this form exactly. Therefore we derive two variants with arbitrary pre and postconditions. *} lemma Assign': "\s. P s \ Q(s[a/x]) \ \ {P} x ::= a {Q}" by (simp add: strengthen_pre[OF _ Assign]) lemma While': assumes "\ {\s. P s \ bval b s} c {P}" and "\s. P s \ \ bval b s \ Q s" shows "\ {P} WHILE b DO c {Q}" by(rule weaken_post[OF While[OF assms(1)] assms(2)]) end