Consider the following inductive definition describing the small step semantics of the language of guarded commands:
inductive small_step :: "com × state ⇒ com × state ⇒ bool" (infix "→" 55)
where
Assign: "(x ::= a, s) → (SKIP, s(x := aval a s))" |
Seq1: "(SKIP;;c2,s) → (c2,s)" |
Seq2: "(c1,s) → (c1',s') ⟹ (c1;;c2,s) → (c1';;c2,s')" |
IfBlock: "(b,c) ∈ set gcs ⟹ bval b s ⟹ (IF gcs FI,s) → (c,s)" |
DoTrue: "(b,c) ∈ set gcs ⟹ bval b s ⟹ (DO gcs OD,s) → (c;;DO gcs OD,s)" |
DoFalse: "(∀ b c. (b,c) ∈ set gcs ⟶ ¬ bval b s) ⟹ (DO gcs OD,s) → (SKIP,s)"
I want to prove:
lemma "((c1 ;; c2) ;; c3) ~ (c1 ;; (c2 ;; c3))"
where:
definition equiv_c :: "com ⇒ com ⇒ bool" (infix "~" 50) where
"c ~ c' ≡ ∀ s c0 s0. (c,s) → (c0,s0) = (c',s) → (c0,s0)"
And it is getting surprinsingly difficult to do so. The closest solution I have found is given in "An operational semantics for the Guarded Command Language" by Johan J. Lukkien. However, in that article programs are modelled as sequences of states whereas here I'm modelling them as command configurations, plus states. Perhaps, there is a relation between the two but my tries so far have been frustrated.
Do you see a way to prove this lemma in Isabelle?
The desired lemma as stated does not hold. So you will not be able to prove this. I can see two main problems:
The → denotes one step of the execution, but equivalence should talk about the whole behaviour, not just one step. After one step, it is likely that the resulting programs are still different.
The semantics can get stuck for some programs, e.g., IF [] FI. Such stuck states make it hard to state equivalence if you want to say something about the remaining program c0. For example, take c1 = SKIP;; IF [] FI in your lemma and c2 = c3 = SKIP. Then no partially evaluated command reachable from (c1 ;; c2) ;; c3 is identical to one reachable from c1 ;; (c2 ;; c3).
I recommend that you first figure out what the behaviour of a program is supposed to be. For a while language, this is typically the set of reachable final states and possibly non-termination. Then, you have to decide what kind of equivalence you are interested in. Typically, one looks at trace equivalence or at bisimulation, which are not the same for non-deterministic programs. And the equivalence notion will determine how to prove such a lemma.