wfenv.abs


// This file defines environments and the well-formedness
// constraints upon them, and other interesting things
// like searching through class hierarchies for nearest
// fields/methods.


notation syntax rels ;
import syntax wf ;

reserve TE for :tyenv;
reserve C for :id;
reserve i for :id;


// Well formed environments 
//
// We do not force environments to be finite here.
//
// RANDOM NOTES
//
// old execution problem: Cadd, Vadd etc. are almost constructors, but
// are not 1-1 (though the side conditions in the rules ensure
// they are).  
//
// Hence we resort to a concrete model of declarations.
// 
// Fix suggested by David von Oheimb: Environment well-formedness does not
// depend on order of introduction at all in Java.  Hence scrap use of 
// inductive relation and just define as a set/unary relation.
//
// The rules below have been modified from those in the tech report.
// The two return-types-wider clauses demand a minimum behaviour
// from MSigsC and MSigsI: all super-methods must continue
// to be available at the new class/interface.



def wf_tyenv TE wf_tyenv <=>
 (?methods. Cdec(TE,Object) = SOME(CLASS(NONE,EMPTY,PEMPTY,methods)))  &
 (!C. C :: PDOM(FST(TE)) -->
  !Csupo Is fields methods. Cdec(TE,C) = SOME(CLASS(Csupo,Is,fields,methods)) -->

     (!Csup. Csupo = SOME(Csup) --> 
       (~(TE |- Csup subclass_of C))  &
       (!m at rt₁.  MSigsC(TE,Csup)(m,MT(at,rt₁)) -->
       (?rt₂. MSigsC(TE,C)(m,MT(at,rt₂)) &
          TE |- rt₂ expty_widens_to rt₁) )) &

     (Csupo = NONE --> (C = Object)  &
                       (fields = PEMPTY)  &
                       (Is = EMPTY) ) &

     (!m mt₁. (m,mt₁) :: methods -->
      !mt₂. (m,mt₂) :: methods -->
         (if (Args(mt₁) = Args(mt₂)) then (mt₁ = mt₂) else T) ) &

     (!i. i :: Is -->
      !m at rt₁. MSigsI(TE,i)(m,MT(at,rt₁)) -->
      (?rt₂. MSigsC(TE,C)(m,MT(at,rt₂)) &
             TE |- rt₂ expty_widens_to rt₁) ))
& 
  (!i Is methods.
     i :: PDOM(SND(TE)) &
     Idec(TE,i) = SOME(INTERFACE(Is,methods)) -->
     (!i'. i' :: Is --> 
          (~(TE |- i' subinterface_of i)) ) &

     (!m mt₁. (m,mt₁) :: methods -->
      !mt₂. (m,mt₂) :: methods  -->
         (if (Args(mt₁) = Args(mt₂)) then (mt₁ = mt₂) else T) ) &

     (!i'. i' :: Is -->
      !m at rt₁. MSigsI(TE,i')(m,MT(at,rt₁)) --> 
      (?rt₂. MSigsI(TE,i)(m,MT(at,rt₂)) & 
             TE |- rt₂ expty_widens_to rt₁) ) &

     (Is = EMPTY --> 
      !m at rt₁. (m,MT(at,rt₁)) :: methods -->
      !rt₂. MSigsC(TE,Object)(m,MT(at,rt₂)) -->
         (TE |- rt₁ expty_widens_to rt₂) ))



// Reflexivity results for widening relations.


lemma simpty_widens_to-refl [prolog,simp,auto]
  TE |- st₁ simpty_widens_to st₁

thm varty_widens_to-refl [prolog,simp,auto]
  TE |- vt₁ varty_widens_to vt₁

thm expty_widens_to-refl [prolog,simp,auto]
  TE |- et₁ expty_widens_to et₁



// Results about Object
//
// In a wfenv,  Object is only a subclass of Object


lemma Object-implements TE wf_tyenv --> ~(TE |- Object implements i);
lemma Object-subclass  TE wf_tyenv --> (TE |- Object subclass_of C <=> C = Object);
lemma Object-simpty 
      TE wf_tyenv --> (TE |- Class(Object) simpty_widens_to st <=> st = Class(Object));


// Transitivity results for widening relations.


lemma simpty_widens_to-trans
  TE wf_tyenv &
   TE |- vt₁ simpty_widens_to vt₂ & 
   TE |- vt₂ simpty_widens_to vt₃ -->
   TE |- vt₁ simpty_widens_to vt₃

thm varty_widens_to-trans
  TE wf_tyenv &
   TE |- vt₁ varty_widens_to vt₂ & 
   TE |- vt₂ varty_widens_to vt₃ -->
   TE |- vt₁ varty_widens_to vt₃

thm expty_widens_to-trans
  TE wf_tyenv &
   TE |- vt₁ expty_widens_to vt₂ & 
   TE |- vt₂ expty_widens_to vt₃ -->
   TE |- vt₁ expty_widens_to vt₃



// subtype lemmas follow, e.g. anything that widens to an array is an 
// array of the some simple type that widens to the simple type of the array.
//
// the proofs of these are all by straight forward case analysis using the rules
thm lemma">array-widens-lemma
  TE |- expty expty_widens_to SOME(VT(simpty₀,dim)) &
   0 < dim 
   --> ?simpty₁. 
        expty = SOME(VT(simpty₁,dim)) &
        TE |- simpty₁ simpty_widens_to simpty₀

thm lemma">prim-widens-lemma 
  TE |- expty expty_widens_to SOME(VT(PrimT(primty),0))
   <=> expty = SOME(VT(PrimT(primty),0))

thm lemma">var-prim-widens-lemma 
  TE |- varty varty_widens_to VT(PrimT(primty),0)
   --> varty = VT(PrimT(primty),0)

thm lemma">class-widens-lemma 
  TE wf_tyenv &
   TE |- expty expty_widens_to SOME(VT(Class(C),0)) &
   C <> Object 
   --> ?C'. TE |- C' subclass_of C &
            expty = SOME(VT(Class(C'),0));


// a lemma that need not be exported:
lemma FDecs-finds-subclasses  
   FDecs(TE,C)((Cf,f),vt) --> TE |- C subclass_of Cf;

thm object-fields-unique 
   TE wf_tyenv & FDecs(TE,C)(fspec) & FDecs(TE,C)(fspec') 
   --> fspec = fspec';

thm object-fields-form-graph
  TE wf_tyenv --> IS_GRAPH {fspec | FDecs(TE,C)(fspec)};

thm FDecs-Object  
   TE wf_tyenv --> ~(x :: FDecs(TE,Object));


// subclasses inherit (or redeclare) methods from superclasses.
//
// This says that if we did a static search for the method from class C₀,
// and got a result, then did the same from C₁, then we get a method
// with a return type that is narrower.
lemma class-inherited-class-methods-are-narrower 
    TE wf_tyenv &
     TE |- C₁ subclass_of C₀ &
     MSigsC(TE,C₀)(m,MT(AT,rt₀))
     --> ?rt₁. MSigsC(TE,C₁)(m,MT(AT,rt₁)) & TE |- rt₁ expty_widens_to rt₀

lemma interface-inherited-interface-methods-are-narrower 
    TE wf_tyenv &
     TE |- i₁ subinterface_of i₀ &
     MSigsI(TE,i₀)(m,MT(AT,rt₀))
     --> ?rt₁. MSigsI(TE,i₁)(m,MT(AT,rt₁)) & TE |- rt₁ expty_widens_to rt₀

lemma class-inherited-interface-methods-are-narrower 
    TE wf_tyenv &
     TE |- C₁ implements i₁ &
     MSigsI(TE,i₀)(m,MT(AT,rt₀))
     --> ?rt₁. MSigsC(TE,C₂)(m,MT(AT,rt₁)) & TE |- rt₁ expty_widens_to rt₀

// all interfaces inherit (or redeclare with narrower type) methods from Object.
lemma interface-inherited-Object-methods-are-narrower
    TE wf_tyenv &
     TE |- i wellfounded_interface &
     MSigsC(TE,Object)(m,MT(AT,rt₀))
     --> ?rt₁. MSigsI(TE,i)(m,MT(AT,rt₁)) & TE |- rt₁ expty_widens_to rt₀

// all interfaces inherit (or redeclare with narrower type) methods from Object.
lemma array-inherited-Object-methods-are-identical  
    MSigsC(TE,Object)(m,MT(AT,rt₀))
     --> MSigsA(TE)(m,MT(AT,rt₀))




// subclasses inherit declared fields.  Should be strengthened to be up to widening,
// so array methods can be modelled correctly.
thm inherited-fields-exist
    TE wf_tyenv &
     TE |- C₁ subclass_of C₀ &
     ((C',f),var₀_ty) :: FDecs(TE,C₀) -->
     ((C',f),var₀_ty) :: FDecs(TE,C₁)

// The crucial theorem about visibility of methods under widening, for all reference types.
thm inherited-methods-exist
    TE wf_tyenv &
     MSigs(TE,vt₀)(m,MT(AT,rt₀)) &
     TE |- vt₁ varty_widens_to vt₀
     --> ?rt₁. MSigs(TE,vt₁)(m,MT(AT,rt₁)) & TE |- rt₁ expty_widens_to rt₀