-
Notifications
You must be signed in to change notification settings - Fork 0
/
ITP_11_3.v
219 lines (199 loc) · 6.32 KB
/
ITP_11_3.v
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
Require Import Imp.
Require Import Maps.
Require Import Hoare.
(* Definitions from Hoare Logic Chapter II. *)
Inductive dcom : Type :=
| DCSkip : Assertion -> dcom
| DCSeq : dcom -> dcom -> dcom
| DCAsgn : string -> aexp -> Assertion -> dcom
| DCIf : bexp -> Assertion -> dcom -> Assertion -> dcom
-> Assertion -> dcom
| DCWhile : bexp -> Assertion -> dcom -> Assertion -> dcom
| DCPre : Assertion -> dcom -> dcom
| DCPost : dcom -> Assertion -> dcom.
Inductive decorated : Type :=
| Decorated : Assertion -> dcom -> decorated.
Delimit Scope default with default.
Notation "'SKIP' {{ P }}"
:= (DCSkip P)
(at level 10) : dcom_scope.
Notation "l '::=' a {{ P }}"
:= (DCAsgn l a P)
(at level 60, a at next level) : dcom_scope.
Notation "'WHILE' b 'DO' {{ Pbody }} d 'END' {{ Ppost }}"
:= (DCWhile b Pbody d Ppost)
(at level 80, right associativity) : dcom_scope.
Notation "'TEST' b 'THEN' {{ P }} d 'ELSE' {{ P' }} d' 'FI' {{ Q }}"
:= (DCIf b P d P' d' Q)
(at level 80, right associativity) : dcom_scope.
Notation "'->>' {{ P }} d"
:= (DCPre P d)
(at level 90, right associativity) : dcom_scope.
Notation "d '->>' {{ P }}"
:= (DCPost d P)
(at level 80, right associativity) : dcom_scope.
Notation " d ;; d' "
:= (DCSeq d d')
(at level 80, right associativity) : dcom_scope.
Notation "{{ P }} d"
:= (Decorated P d)
(at level 90) : dcom_scope.
Delimit Scope dcom_scope with dcom.
Open Scope dcom_scope.
Fixpoint extract (d : dcom) : com :=
match d with
| DCSkip _ => SKIP
| DCSeq d1 d2 => (extract d1 ;; extract d2)
| DCAsgn X a _ => X ::= a
| DCIf b _ d1 _ d2 _ => TEST b THEN extract d1 ELSE extract d2 FI
| DCWhile b _ d _ => WHILE b DO extract d END
| DCPre _ d => extract d
| DCPost d _ => extract d
end.
Definition extract_dec (dec : decorated) : com :=
match dec with
| Decorated P d => extract d
end.
Fixpoint post (d : dcom) : Assertion :=
match d with
| DCSkip P => P
| DCSeq d1 d2 => post d2
| DCAsgn X a Q => Q
| DCIf _ _ d1 _ d2 Q => Q
| DCWhile b Pbody c Ppost => Ppost
| DCPre _ d => post d
| DCPost c Q => Q
end.
Definition pre_dec (dec : decorated) : Assertion :=
match dec with
| Decorated P d => P
end.
Definition post_dec (dec : decorated) : Assertion :=
match dec with
| Decorated P d => post d
end.
Definition dec_correct (dec : decorated) :=
{{pre_dec dec}} (extract_dec dec) {{post_dec dec}}.
Fixpoint verification_conditions (P : Assertion) (d : dcom) : Prop :=
match d with
| DCSkip Q =>
(P ->> Q)
| DCSeq d1 d2 =>
verification_conditions P d1
/\ verification_conditions (post d1) d2
| DCAsgn X a Q =>
(P ->> Q [X !-> a])
| DCIf b P1 d1 P2 d2 Q =>
((fun st => P st /\ bassn b st) ->> P1)
/\ ((fun st => P st /\ ~(bassn b st)) ->> P2)
/\ (post d1 ->> Q) /\ (post d2 ->> Q)
/\ verification_conditions P1 d1
/\ verification_conditions P2 d2
| DCWhile b Pbody d Ppost =>
(* post d is the loop invariant and the initial
precondition *)
(P ->> post d)
/\ ((fun st => post d st /\ bassn b st) ->> Pbody)
/\ ((fun st => post d st /\ ~(bassn b st)) ->> Ppost)
/\ verification_conditions Pbody d
| DCPre P' d =>
(P ->> P') /\ verification_conditions P' d
| DCPost d Q =>
verification_conditions P d /\ (post d ->> Q)
end.
Theorem verification_correct : forall d P,
verification_conditions P d -> {{P}} (extract d) {{post d}}.
Proof.
induction d; intros P H; simpl in *.
- (* Skip *)
eapply hoare_consequence_pre.
apply hoare_skip.
assumption.
- (* Seq *)
destruct H as [H1 H2].
eapply hoare_seq.
apply IHd2. apply H2.
apply IHd1. apply H1.
- (* Asgn *)
eapply hoare_consequence_pre.
apply hoare_asgn.
assumption.
- (* If *)
destruct H as [HPre1 [HPre2 [Hd1 [Hd2 [HThen HElse]]]]].
apply IHd1 in HThen. clear IHd1.
apply IHd2 in HElse. clear IHd2.
apply hoare_if.
+ eapply hoare_consequence_post with (Q':=post d1); eauto.
eapply hoare_consequence_pre; eauto.
+ eapply hoare_consequence_post with (Q':=post d2); eauto.
eapply hoare_consequence_pre; eauto.
- (* While *)
destruct H as [Hpre [Hbody1 [Hpost1 Hd]]].
eapply hoare_consequence_pre; eauto.
eapply hoare_consequence_post; eauto.
apply hoare_while.
eapply hoare_consequence_pre; eauto.
- (* Pre *)
destruct H as [HP Hd].
eapply hoare_consequence_pre. apply IHd. apply Hd. assumption.
- (* Post *)
destruct H as [Hd HQ].
eapply hoare_consequence_post. apply IHd. apply Hd. assumption.
Qed.
Require Import Coq.Bool.Bool.
Require Import Coq.Arith.PeanoNat.
Import PeanoNat.Nat.
Require Import Coq.Arith.Compare_dec.
Require Import Lia.
Tactic Notation "verify" :=
apply verification_correct;
repeat split;
simpl; unfold assert_implies;
unfold bassn in *; unfold beval in *; unfold aeval in *;
unfold assn_sub; intros;
repeat rewrite t_update_eq;
repeat (rewrite t_update_neq; [| (intro X; inversion X)]);
simpl in *;
repeat match goal with [H : _ /\ _ |- _] => destruct H end;
repeat rewrite not_true_iff_false in *;
repeat rewrite not_false_iff_true in *;
repeat rewrite negb_true_iff in *;
repeat rewrite negb_false_iff in *;
repeat rewrite eqb_eq in *;
repeat rewrite eqb_neq in *;
repeat rewrite leb_iff in *;
repeat rewrite leb_iff_conv in *;
try subst;
repeat
match goal with
[st : state |- _] =>
match goal with
[H : st _ = _ |- _] => rewrite -> H in *; clear H
| [H : _ = st _ |- _] => rewrite <- H in *; clear H
end
end;
try eauto; try lia.
(*********************************************************************************************************
** Exercises
**********************************************************************************************************)
(* Exercise 1 *)
(* Consider the following informal program with a pre- and postcondition. *)
(*
{{ X = m }}
Y ::= 0;;
WHILE ~(X = 0) DO
X ::= X - 1;;
Y ::= Y + 1
END
{{ Y = m }}
*)
(* Translate this into a formal decorated program and prove it correct. *)
Definition slow_assignment_dec m : decorated.
(* Your task *)
Admitted.
Theorem slow_assignment_dec_correct : forall m,
dec_correct (slow_assignment_dec m).
Proof.
(* Your task *)
admit.
Admitted.