Theory TypeRel

(*  Title:      HOL/Bali/TypeRel.thy
    Author:     David von Oheimb
*)
subsection ‹The relations between Java types›

theory TypeRel imports Decl begin

text ‹
simplifications:
\begin{itemize}
\item subinterface, subclass and widening relation includes identity
\end{itemize}
improvements over Java Specification 1.0:
\begin{itemize}
\item narrowing reference conversion also in cases where the return types of a 
      pair of methods common to both types are in widening (rather identity) 
      relation
\item one could add similar constraints also for other cases
\end{itemize}
design issues:
\begin{itemize}
\item the type relations do not require is_type› for their arguments
\item the subint1 and subcls1 relations imply is_iface›/is_class›
      for their first arguments, which is required for their finiteness
\end{itemize}
›

(*subint1, in Decl.thy*)                     (* direct subinterface       *)
(*subint , by translation*)                  (* subinterface (+ identity) *)
(*subcls1, in Decl.thy*)                     (* direct subclass           *)
(*subcls , by translation*)                  (*        subclass           *)
(*subclseq, by translation*)                 (* subclass + identity       *)

definition
  implmt1 :: "prog  (qtname × qtname) set" ― ‹direct implementation›
  ― ‹direct implementation, cf. 8.1.3›
  where "implmt1 G = {(C,I). CObject  (cclass G C: Iset (superIfs c))}"


abbreviation
  subint1_syntax :: "prog => [qtname, qtname] => bool" ("__≺I1_"  [71,71,71] 70)
  where "GI ≺I1 J == (I,J)  subint1 G"

abbreviation
  subint_syntax :: "prog => [qtname, qtname] => bool" ("__≼I _"  [71,71,71] 70)
  where "GI ≼I J == (I,J) (subint1 G)*" ― ‹cf. 9.1.3›

abbreviation
  implmt1_syntax :: "prog => [qtname, qtname] => bool" ("__↝1_"  [71,71,71] 70)
  where "GC ↝1 I == (C,I)  implmt1 G"

notation (ASCII)
  subint1_syntax  ("_|-_<:I1_" [71,71,71] 70) and
  subint_syntax  ("_|-_<=:I _"[71,71,71] 70) and
  implmt1_syntax   ("_|-_~>1_"  [71,71,71] 70)


subsubsection "subclass and subinterface relations"

  (* direct subinterface in Decl.thy, cf. 9.1.3 *)
  (* direct subclass     in Decl.thy, cf. 8.1.3 *)

lemmas subcls_direct = subcls1I [THEN r_into_rtrancl]

lemma subcls_direct1:
 "class G C = Some c; C  Object;D=super c  GCC D"
apply (auto dest: subcls_direct)
done

lemma subcls1I1:
 "class G C = Some c; C  Object;D=super c  GCC1 D"
apply (auto dest: subcls1I)
done

lemma subcls_direct2:
 "class G C = Some c; C  Object;D=super c  GCC D"
apply (auto dest: subcls1I1)
done

lemma subclseq_trans: "GA C B; GB C C  GA C C"
by (blast intro: rtrancl_trans)

lemma subcls_trans: "GA C B; GB C C  GA C C"
by (blast intro: trancl_trans)

lemma SXcpt_subcls_Throwable_lemma: 
"class G (SXcpt xn) = Some xc;
  super xc = (if xn = Throwable then Object else  SXcpt Throwable) 
 GSXcpt xnC SXcpt Throwable"
apply (case_tac "xn = Throwable")
apply  simp_all
apply (drule subcls_direct)
apply (auto dest: sym)
done

lemma subcls_ObjectI: "is_class G C; ws_prog G  GCC Object"
apply (erule ws_subcls1_induct)
apply clarsimp
apply (case_tac "C = Object")
apply  (fast intro: r_into_rtrancl [THEN rtrancl_trans])+
done

lemma subclseq_ObjectD [dest!]: "GObjectC C  C = Object"
apply (erule rtrancl_induct)
apply  (auto dest: subcls1D)
done

lemma subcls_ObjectD [dest!]: "GObjectC C  False"
apply (erule trancl_induct)
apply  (auto dest: subcls1D)
done

lemma subcls_ObjectI1 [intro!]: 
 "C  Object;is_class G C;ws_prog G  GC C Object" 
apply (drule (1) subcls_ObjectI)
apply (auto intro: rtrancl_into_trancl3)
done

lemma subcls_is_class: "(C,D)  (subcls1 G)+  is_class G C"
apply (erule trancl_trans_induct)
apply (auto dest!: subcls1D)
done

lemma subcls_is_class2 [rule_format (no_asm)]: 
 "GCC D  is_class G D  is_class G C"
apply (erule rtrancl_induct)
apply (drule_tac [2] subcls1D)
apply  auto
done

lemma single_inheritance: 
"GA C1 B; GA C1 C  B = C"
by (auto simp add: subcls1_def)
  
lemma subcls_compareable:
"GA C X; GA C Y 
   GX C Y  GY C X"
by (rule triangle_lemma)  (auto intro: single_inheritance) 

lemma subcls1_irrefl: "GC C1 D; ws_prog G 
  C  D"
proof 
  assume ws: "ws_prog G" and
    subcls1: "GC C1 D" and
     eq_C_D: "C=D"
  from subcls1 obtain c 
    where
      neq_C_Object: "CObject" and
              clsC: "class G C = Some c" and
           super_c: "super c = D"
    by (auto simp add: subcls1_def)
  with super_c subcls1 eq_C_D 
  have subcls_super_c_C: "Gsuper c C C"
    by auto
  from ws clsC neq_C_Object 
  have "¬ Gsuper c C C"
    by (auto dest: ws_prog_cdeclD)
  from this subcls_super_c_C 
  show "False"
    by (rule notE)
qed

lemma no_subcls_Object: "GC C D  C  Object"
by (erule converse_trancl_induct) (auto dest: subcls1D)

lemma subcls_acyclic: "GC C D; ws_prog G  ¬ GD C C"
proof -
  assume         ws: "ws_prog G"
  assume subcls_C_D: "GC C D"
  then show ?thesis
  proof (induct rule: converse_trancl_induct)
    fix C
    assume subcls1_C_D: "GC C1 D"
    then obtain c  where
        "CObject" and
        "class G C = Some c" and
        "super c = D"
      by (auto simp add: subcls1_def)
    with ws 
    show "¬ GD C C"
      by (auto dest: ws_prog_cdeclD)
  next
    fix C Z
    assume subcls1_C_Z: "GC C1 Z" and
            subcls_Z_D: "GZ C D" and
           nsubcls_D_Z: "¬ GD C Z"
    show "¬ GD C C"
    proof
      assume subcls_D_C: "GD C C"
      show "False"
      proof -
        from subcls_D_C subcls1_C_Z
        have "GD C Z"
          by (auto dest: r_into_trancl trancl_trans)
        with nsubcls_D_Z
        show ?thesis
          by (rule notE)
      qed
    qed
  qed  
qed

lemma subclseq_cases:
  assumes "GC C D"
  obtains (Eq) "C = D" | (Subcls) "GC C D"
using assms by (blast intro: rtrancl_cases)

lemma subclseq_acyclic: 
 "GC C D; GD C C; ws_prog G  C=D"
by (auto elim: subclseq_cases dest: subcls_acyclic)

lemma subcls_irrefl: "GC C D; ws_prog G
  C  D"
proof -
  assume     ws: "ws_prog G"
  assume subcls: "GC C D"
  then show ?thesis
  proof (induct rule: converse_trancl_induct)
    fix C
    assume "GC C1 D"
    with ws 
    show "CD" 
      by (blast dest: subcls1_irrefl)
  next
    fix C Z
    assume subcls1_C_Z: "GC C1 Z" and
            subcls_Z_D: "GZ C D" and
               neq_Z_D: "Z  D"
    show "CD"
    proof
      assume eq_C_D: "C=D"
      show "False"
      proof -
        from subcls1_C_Z eq_C_D 
        have "GD C Z"
          by (auto)
        also
        from subcls_Z_D ws   
        have "¬ GD C Z"
          by (rule subcls_acyclic)
        ultimately 
        show ?thesis 
          by - (rule notE)
      qed
    qed
  qed
qed

lemma invert_subclseq:
"GC C D; ws_prog G
  ¬ GD C C"
proof -
  assume       ws: "ws_prog G" and
     subclseq_C_D: "GC C D"
  show ?thesis
  proof (cases "D=C")
    case True
    with ws 
    show ?thesis 
      by (auto dest: subcls_irrefl)
  next
    case False
    with subclseq_C_D 
    have "GC C D"
      by (blast intro: rtrancl_into_trancl3) 
    with ws 
    show ?thesis 
      by (blast dest: subcls_acyclic)
  qed
qed

lemma invert_subcls:
"GC C D; ws_prog G
  ¬ GD C C"
proof -
  assume        ws: "ws_prog G" and
        subcls_C_D: "GC C D"
  then 
  have nsubcls_D_C: "¬ GD C C"
    by (blast dest: subcls_acyclic)
  show ?thesis
  proof
    assume "GD C C"
    then show "False"
    proof (cases rule: subclseq_cases)
      case Eq
      with ws subcls_C_D
      show ?thesis 
        by (auto dest: subcls_irrefl)
    next
      case Subcls
      with nsubcls_D_C
      show ?thesis
        by blast
    qed
  qed
qed

lemma subcls_superD:
 "GC C D; class G C = Some c  G(super c) C D"
proof -
  assume       clsC: "class G C = Some c"
  assume subcls_C_C: "GC C D"
  then obtain S where 
                  "GC C1 S" and
    subclseq_S_D: "GS C D"
    by (blast dest: tranclD)
  with clsC 
  have "S=super c" 
    by (auto dest: subcls1D)
  with subclseq_S_D show ?thesis by simp
qed
 

lemma subclseq_superD:
 "GC C D; CD;class G C = Some c  G(super c) C D"
proof -
  assume neq_C_D: "CD"
  assume    clsC: "class G C = Some c"
  assume subclseq_C_D: "GC C D" 
  then show ?thesis
  proof (cases rule: subclseq_cases)
    case Eq with neq_C_D show ?thesis by contradiction
  next
    case Subcls
    with clsC show ?thesis by (blast dest: subcls_superD)
  qed
qed

subsubsection "implementation relation"

lemma implmt1D: "GC↝1I  CObject  (cclass G C: Iset (superIfs c))"
apply (unfold implmt1_def)
apply auto
done

inductive ― ‹implementation, cf. 8.1.4›
  implmt :: "prog  qtname  qtname  bool" ("___" [71,71,71] 70)
  for G :: prog
where
  direct: "GC↝1J  GCJ"
| subint: "GC↝1I  GI≼I J  GCJ"
| subcls1: "GCC1D  GDJ  GCJ"

lemma implmtD: "GCJ  (I. GC↝1I  GI≼I J)  (D. GCC1D  GDJ)" 
apply (erule implmt.induct)
apply fast+
done

lemma implmt_ObjectE [elim!]: "GObjectI  R"
by (auto dest!: implmtD implmt1D subcls1D)

lemma subcls_implmt [rule_format (no_asm)]: "GAC B  GBK  GAK"
apply (erule rtrancl_induct)
apply  (auto intro: implmt.subcls1)
done

lemma implmt_subint2: " GAJ; GJ≼I K  GAK"
apply (erule rev_mp, erule implmt.induct)
apply (auto dest: implmt.subint rtrancl_trans implmt.subcls1)
done

lemma implmt_is_class: "GCI  is_class G C"
apply (erule implmt.induct)
apply (auto dest: implmt1D subcls1D)
done


subsubsection "widening relation"

inductive
 ― ‹widening, viz. method invocation conversion, cf. 5.3
                            i.e. kind of syntactic subtyping›
  widen :: "prog  ty  ty  bool" ("___" [71,71,71] 70)
  for G :: prog
where
  refl:    "GTT" ― ‹identity conversion, cf. 5.1.1›
| subint:  "GI≼I J   GIface I Iface J" ― ‹wid.ref.conv.,cf. 5.1.4›
| int_obj: "GIface I Class Object"
| subcls:  "GCC D   GClass C Class D"
| implmt:  "GCI    GClass C Iface I"
| null:    "GNT RefT R"
| arr_obj: "GT.[] Class Object"
| array:   "GRefT SRefT T  GRefT S.[] RefT T.[]"

declare widen.refl [intro!]
declare widen.intros [simp]

(* too strong in general:
lemma widen_PrimT: "G⊢PrimT x≼T ⟹ T = PrimT x"
*)
lemma widen_PrimT: "GPrimT xT  (y. T = PrimT y)"
apply (ind_cases "GPrimT xT")
by auto

(* too strong in general:
lemma widen_PrimT2: "G⊢S≼PrimT x ⟹ S = PrimT x"
*)
lemma widen_PrimT2: "GSPrimT x  y. S = PrimT y"
apply (ind_cases "GSPrimT x")
by auto

text ‹
   These widening lemmata hold in Bali but are to strong for ordinary
   Java. They  would not work for real Java Integral Types, like short, 
   long, int. These lemmata are just for documentation and are not used.
›

lemma widen_PrimT_strong: "GPrimT xT  T = PrimT x"
by (ind_cases "GPrimT xT") simp_all

lemma widen_PrimT2_strong: "GSPrimT x  S = PrimT x"
by (ind_cases "GSPrimT x") simp_all

text ‹Specialized versions for booleans also would work for real Java›

lemma widen_Boolean: "GPrimT BooleanT  T = PrimT Boolean"
by (ind_cases "GPrimT BooleanT") simp_all

lemma widen_Boolean2: "GSPrimT Boolean  S = PrimT Boolean"
by (ind_cases "GSPrimT Boolean") simp_all

lemma widen_RefT: "GRefT RT  t. T=RefT t"
apply (ind_cases "GRefT RT")
by auto

lemma widen_RefT2: "GSRefT R  t. S=RefT t"
apply (ind_cases "GSRefT R")
by auto

lemma widen_Iface: "GIface IT  T=Class Object  (J. T=Iface J)"
apply (ind_cases "GIface IT")
by auto

lemma widen_Iface2: "GS Iface J  S = NT  (I. S = Iface I)  (D. S = Class D)"
apply (ind_cases "GS Iface J")
by auto

lemma widen_Iface_Iface: "GIface I Iface J  GI≼I J"
apply (ind_cases "GIface I Iface J")
by auto

lemma widen_Iface_Iface_eq [simp]: "GIface I Iface J = GI≼I J"
apply (rule iffI)
apply  (erule widen_Iface_Iface)
apply (erule widen.subint)
done

lemma widen_Class: "GClass CT   (D. T=Class D)  (I. T=Iface I)"
apply (ind_cases "GClass CT")
by auto

lemma widen_Class2: "GS Class C  C = Object  S = NT  (D. S = Class D)"
apply (ind_cases "GS Class C")
by auto

lemma widen_Class_Class: "GClass C Class cm  GCC cm"
apply (ind_cases "GClass C Class cm")
by auto

lemma widen_Class_Class_eq [simp]: "GClass C Class cm = GCC cm"
apply (rule iffI)
apply  (erule widen_Class_Class)
apply (erule widen.subcls)
done

lemma widen_Class_Iface: "GClass C Iface I  GCI"
apply (ind_cases "GClass C Iface I")
by auto

lemma widen_Class_Iface_eq [simp]: "GClass C Iface I = GCI"
apply (rule iffI)
apply  (erule widen_Class_Iface)
apply (erule widen.implmt)
done

lemma widen_Array: "GS.[]T  T=Class Object  (T'. T=T'.[]  GST')"
apply (ind_cases "GS.[]T")
by auto

lemma widen_Array2: "GST.[]  S = NT  (S'. S=S'.[]  GS'T)"
apply (ind_cases "GST.[]")
by auto


lemma widen_ArrayPrimT: "GPrimT t.[]T  T=Class Object  T=PrimT t.[]"
apply (ind_cases "GPrimT t.[]T")
by auto

lemma widen_ArrayRefT: 
  "GRefT t.[]T  T=Class Object  (s. T=RefT s.[]  GRefT tRefT s)"
apply (ind_cases "GRefT t.[]T")
by auto

lemma widen_ArrayRefT_ArrayRefT_eq [simp]: 
  "GRefT T.[]RefT T'.[] = GRefT TRefT T'"
apply (rule iffI)
apply (drule widen_ArrayRefT)
apply simp
apply (erule widen.array)
done

lemma widen_Array_Array: "GT.[]T'.[]  GTT'"
apply (drule widen_Array)
apply auto
done

lemma widen_Array_Class: "GS.[]  Class C  C=Object"
by (auto dest: widen_Array)


lemma widen_NT2: "GSNT  S = NT"
apply (ind_cases "GSNT")
by auto

lemma widen_Object:
  assumes "isrtype G T" and "ws_prog G"
  shows "GRefT T  Class Object"
proof (cases T)
  case (ClassT C) with assms have "GCC Object" by (auto intro: subcls_ObjectI)
  with ClassT show ?thesis by auto
qed simp_all

lemma widen_trans_lemma [rule_format (no_asm)]: 
  "GSU; C. is_class G C  GCC Object  T. GUT  GST"
apply (erule widen.induct)
apply        safe
prefer      5 apply (drule widen_RefT) apply clarsimp
apply      (frule_tac [1] widen_Iface)
apply      (frule_tac [2] widen_Class)
apply      (frule_tac [3] widen_Class)
apply      (frule_tac [4] widen_Iface)
apply      (frule_tac [5] widen_Class)
apply      (frule_tac [6] widen_Array)
apply      safe
apply            (rule widen.int_obj)
prefer          6 apply (drule implmt_is_class) apply simp
apply (erule_tac [!] thin_rl)
prefer         6 apply simp
apply          (rule_tac [9] widen.arr_obj)
apply         (rotate_tac [9] -1)
apply         (frule_tac [9] widen_RefT)
apply         (auto elim!: rtrancl_trans subcls_implmt implmt_subint2)
done

lemma ws_widen_trans: "GSU; GUT; ws_prog G  GST"
by (auto intro: widen_trans_lemma subcls_ObjectI)

lemma widen_antisym_lemma [rule_format (no_asm)]: "GST;  
 I J. GI≼I J  GJ≼I I  I = J;  
 C D. GCC D  GDC C  C = D;  
 I  . GObjectI         False  GTS  S = T"
apply (erule widen.induct)
apply (auto dest: widen_Iface widen_NT2 widen_Class)
done

lemmas subint_antisym = 
       subint1_acyclic [THEN acyclic_impl_antisym_rtrancl]
lemmas subcls_antisym = 
       subcls1_acyclic [THEN acyclic_impl_antisym_rtrancl]

lemma widen_antisym: "GST; GTS; ws_prog G  S=T"
by (fast elim: widen_antisym_lemma subint_antisym [THEN antisymD] 
                                   subcls_antisym [THEN antisymD])

lemma widen_ObjectD [dest!]: "GClass ObjectT  T=Class Object"
apply (frule widen_Class)
apply (fast dest: widen_Class_Class widen_Class_Iface)
done

definition
  widens :: "prog  [ty list, ty list]  bool" ("__[≼]_" [71,71,71] 70)
  where "GTs[≼]Ts' = list_all2 (λT T'. GTT') Ts Ts'"

lemma widens_Nil [simp]: "G[][≼][]"
apply (unfold widens_def)
apply auto
done

lemma widens_Cons [simp]: "G(S#Ss)[≼](T#Ts) = (GST  GSs[≼]Ts)"
apply (unfold widens_def)
apply auto
done


subsubsection "narrowing relation"

(* all properties of narrowing and casting conversions we actually need *)
(* these can easily be proven from the definitions below *)
(*
rules
  cast_RefT2   "G⊢S≼? RefT R   ⟹ ∃t. S=RefT t" 
  cast_PrimT2  "G⊢S≼? PrimT pt ⟹ ∃t. S=PrimT t ∧ G⊢PrimT t≼PrimT pt"
*)

(* more detailed than necessary for type-safety, see above rules. *)
inductive ― ‹narrowing reference conversion, cf. 5.1.5›
  narrow :: "prog  ty  ty  bool" ("___" [71,71,71] 70)
  for G :: prog
where
  subcls:  "GCC D  G     Class DClass C"
| implmt:  "¬GCI  G     Class CIface I"
| obj_arr: "GClass ObjectT.[]"
| int_cls: "G     Iface IClass C"
| subint:  "imethds G I hidings imethds G J entails 
           (λ(md, mh   ) (md',mh'). Gmrt mhmrt mh') 
           ¬GI≼I J          G     Iface IIface J"
| array:   "GRefT SRefT T  G   RefT S.[]RefT T.[]"

(*unused*)
lemma narrow_RefT: "GRefT RT  t. T=RefT t"
apply (ind_cases "GRefT RT")
by auto

lemma narrow_RefT2: "GSRefT R  t. S=RefT t"
apply (ind_cases "GSRefT R")
by auto

(*unused*)
lemma narrow_PrimT: "GPrimT ptT  t. T=PrimT t"
by (ind_cases "GPrimT ptT")

lemma narrow_PrimT2: "GSPrimT pt   
                                  t. S=PrimT t  GPrimT tPrimT pt"
by (ind_cases "GSPrimT pt")

text ‹
   These narrowing lemmata hold in Bali but are to strong for ordinary
   Java. They  would not work for real Java Integral Types, like short, 
   long, int. These lemmata are just for documentation and are not used.
›
lemma narrow_PrimT_strong: "GPrimT ptT  T=PrimT pt"
by (ind_cases "GPrimT ptT")

lemma narrow_PrimT2_strong: "GSPrimT pt  S=PrimT pt"
by (ind_cases "GSPrimT pt")

text ‹Specialized versions for booleans also would work for real Java›

lemma narrow_Boolean: "GPrimT BooleanT  T=PrimT Boolean"
by (ind_cases "GPrimT BooleanT")

lemma narrow_Boolean2: "GSPrimT Boolean  S=PrimT Boolean"
by (ind_cases "GSPrimT Boolean")

subsubsection "casting relation"

inductive ― ‹casting conversion, cf. 5.5›
  cast :: "prog  ty  ty  bool" ("__≼? _" [71,71,71] 70)
  for G :: prog
where
  widen:   "GST  GS≼? T"
| narrow:  "GST  GS≼? T"

(*unused*)
lemma cast_RefT: "GRefT R≼? T  t. T=RefT t"
apply (ind_cases "GRefT R≼? T")
by (auto dest: widen_RefT narrow_RefT)

lemma cast_RefT2: "GS≼? RefT R  t. S=RefT t"
apply (ind_cases "GS≼? RefT R")
by (auto dest: widen_RefT2 narrow_RefT2)

(*unused*)
lemma cast_PrimT: "GPrimT pt≼? T  t. T=PrimT t"
apply (ind_cases "GPrimT pt≼? T")
by (auto dest: widen_PrimT narrow_PrimT)

lemma cast_PrimT2: "GS≼? PrimT pt  t. S=PrimT t  GPrimT tPrimT pt"
apply (ind_cases "GS≼? PrimT pt")
by (auto dest: widen_PrimT2 narrow_PrimT2)

lemma cast_Boolean: 
  assumes bool_cast: "GPrimT Boolean≼? T" 
  shows "T=PrimT Boolean"
using bool_cast 
proof (cases)
  case widen 
  hence "GPrimT Boolean T"
    by simp
  thus ?thesis by  (rule widen_Boolean)
next
  case narrow
  hence "GPrimT BooleanT"
    by simp
  thus ?thesis by (rule narrow_Boolean)
qed

lemma cast_Boolean2: 
  assumes bool_cast: "GS≼? PrimT Boolean" 
  shows "S = PrimT Boolean"
using bool_cast 
proof (cases)
  case widen 
  hence "GS PrimT Boolean"
    by simp
  thus ?thesis by  (rule widen_Boolean2)
next
  case narrow
  hence "GSPrimT Boolean"
    by simp
  thus ?thesis by (rule narrow_Boolean2)
qed

end