public_html: comparison Nominal/activities/cas09/Lec2.thy

equal deleted inserted replaced

-:05e5d68c9627
+:f1be8028a4a9
+(*****************************************************************
+Isabelle Tutorial
+-----------------
+1st June 2009, Beijing
+*)
+theory Lec2
+imports "Main"
+begin
+text {***********************************************************
+Automatic proofs again:
+*}
+inductive
+even :: "nat \<Rightarrow> bool"
+where
+eZ[intro]:  "even 0"
+| eSS[intro]: "even n \<Longrightarrow> even (Suc (Suc n))"
+text {*
+In the following two lemmas we have to indicate the induction,
+but the routine calculations can be done completely automatically
+by Isabelle's internal tools.
+*}
+lemma even_twice:
+shows "even (n + n)"
+by (induct n) (auto)
+lemma even_add:
+assumes a: "even n"
+and     b: "even m"
+shows "even (n + m)"
+using a b by (induct) (auto)
+text {*
+In the next proof it was crucial that we introduced
+the equation
+(Suc (Suc n) * m) = (m + m) + (n * m)
+because this allowed us to use the induction hypothesis
+and the previous two lemmas. *}
+lemma even_mul:
+assumes a: "even n"
+shows "even (n * m)"
+using a
+proof (induct)
+case eZ
+show "even (0 * m)" by auto
+next
+case (eSS n)
+have as: "even n" by fact
+have ih: "even (n * m)" by fact
+have "(Suc (Suc n) * m) = (m + m) + (n * m)" by simp
+moreover
+have "even (m + m)" using even_twice by simp
+ultimately
+show "even (Suc (Suc n) * m)" using ih even_add by (simp only:)
+qed
+text {*
+This proof cannot be found by the internal tools, but
+Isabelle has an interface to external provers. This
+interface is called sledgehammer and it finds the
+proof more or less automatically.
+*}
+lemma even_mul_auto:
+assumes a: "even n"
+shows "even (n * m)"
+using a
+apply(induct)
+apply(metis eZ mult_is_0)
+apply(metis even_add even_twice mult_Suc_right nat_add_assoc nat_mult_commute)
+done
+text {*
+The disadvantage of such proofs is that you do
+not know why they are true.
+*}
+text {*****************************************************************
+Function Definitions
+--------------------
+Many functions over datatypes can be defined by recursion on the
+structure. For this purpose, Isabelle provides "fun". To use it one needs
+to give a name for the function, its type, optionally some pretty-syntax
+and then some equations defining the function. Like in "inductive",
+"fun" expects that more than one such equation is separated by "|".
+The Fibonacci function:
+*}
+fun
+fib :: "nat \<Rightarrow> nat"
+where
+"fib 0 = 1"
+| "fib (Suc 0) = 1"
+| "fib (Suc (Suc n)) = fib n + fib (Suc n)"
+text {* The Ackermann function: *}
+fun
+ack :: "nat \<Rightarrow> nat \<Rightarrow> nat"
+where
+"ack 0 m = Suc m"
+| "ack (Suc n) 0 = ack n (Suc 0)"
+| "ack (Suc n) (Suc m) = ack n (ack (Suc n) m)"
+text {*
+Non-terminating functions can lead to inconsistencies.
+*}
+lemma
+assumes a: "f x = f x + (1::nat)"
+shows "False"
+proof -
+from a have "0 = (1::nat)" by simp
+then show "False" by simp
+qed
+text {*
+If Isabelle cannot automatically prove termination,
+then you can give an explicit measure that establishes
+termination. For example a generalisation of the
+Fibonacci function to integers can be shown terminating
+*}
+function
+fib' :: "int \<Rightarrow> int"
+where
+"n< -1 \<Longrightarrow> fib' n = fib' (n + 2) - fib' (n + 1)"
+| "fib' -1 = (1::int)"
+| "fib' 0 = (0::int)"
+| "fib' 1 = (1::int)"
+| "n > 1 \<Longrightarrow> fib' n = fib' (n - 1) + fib' (n - 2)"
+by (atomize_elim, presburger) (auto)
+termination
+by (relation "measure (\<lambda>x. nat (\<bar>x\<bar>))")
+(simp_all add: zabs_def)
+text {*****************************************************************
+Datatypes
+---------
+Datatypes can be defined in Isabelle as follows: we have to provide the name
+of the datatype and list its type-constructors. Each type-constructor needs
+to have the information about the types of its arguments, and optionally
+can also contain some information about pretty syntax. For example, we write
+"[]" for Nil and ":::" for Cons.
+*}
+datatype 'a mylist =
+MyNil                   ("[]")
+| MyCons "'a" "'a mylist" ("_ ::: _" 65)
+text {*
+You can easily define functions over the structure of datatypes.
+*}
+fun
+myappend :: "'a mylist \<Rightarrow> 'a mylist \<Rightarrow> 'a mylist" ("_ @@ _" 65)
+where
+"[] @@ xs = xs"
+| "(y:::ys) @@ xs = y:::(ys @@ xs)"
+fun
+myrev :: "'a mylist \<Rightarrow> 'a mylist"
+where
+"myrev [] = []"
+| "myrev (x:::xs) = (myrev xs) @@ (x:::[])"
+text {*****************************************************************
+Exercise: Prove the following fact about append and reversal.
+*}
+lemma myrev_append:
+shows "myrev (xs @@ ys) = (myrev ys) @@ (myrev xs)"
+proof (induct xs)
+case MyNil
+show "myrev ([] @@ ys) = myrev ys @@ myrev []" sorry
+next
+case (MyCons x xs)
+have ih: "myrev (xs @@ ys) = myrev ys @@ myrev xs" by fact
+show "myrev ((x:::xs) @@ ys) = myrev ys @@ myrev (x:::xs)" sorry
+qed
+text {* auxiliary lemmas *}
+lemma mynil_append[simp]:
+shows "xs @@ [] = xs"
+by (induct xs) (auto)
+lemma myappend_assoc[simp]:
+"(xs @@ ys) @@ zs = xs @@ (ys @@ zs)"
+by (induct xs) (auto)
+lemma
+shows "myrev (xs @@ ys) = (myrev ys) @@ (myrev xs)"
+by (induct xs) (auto)
+text {*****************************************************************
+A WHILE Language:
+Arithmetic Expressions, Boolean Expressions, Commands
+-----------------------------------------------------
+*}
+types memory = "nat \<Rightarrow> nat"
+datatype aexp =
+C nat
+| X nat
+| Op1 "nat \<Rightarrow> nat" aexp
+| Op2 "nat \<Rightarrow> nat \<Rightarrow> nat" aexp aexp
+datatype bexp =
+TRUE
+| FALSE
+| ROp  "nat \<Rightarrow> nat \<Rightarrow> bool" aexp aexp
+| NOT bexp
+| AND bexp bexp
+| OR  bexp bexp
+datatype cmd =
+SKIP
+| ASSIGN nat aexp      ("_ ::= _ " 60)
+| SEQ    cmd cmd       ("_; _" [60, 60] 10)
+| COND   bexp cmd cmd  ("IF _ THEN _ ELSE _" 60)
+| WHILE  bexp cmd      ("WHILE _ DO _" 60)
+text {*****************************************************************
+Big-step Evaluation Semantics
+-----------------------------
+*}
+inductive
+evala :: "aexp \<Rightarrow> memory \<Rightarrow> nat \<Rightarrow> bool"  ("'(_,_') \<longrightarrow>a _" [100,100] 50)
+where
+C:   "(C n, m) \<longrightarrow>a n"
+| X:   "(X i, m) \<longrightarrow>a m i"
+| Op1: "(e, m) \<longrightarrow>a n \<Longrightarrow> (Op1 f e, m) \<longrightarrow>a (f n)"
+| Op2: "\<lbrakk>(e0, m) \<longrightarrow>a n0;  (e1, m)  \<longrightarrow>a n1\<rbrakk> \<Longrightarrow> (Op2 f e0 e1, m) \<longrightarrow>a f n0 n1"
+inductive
+evalb :: "bexp \<Rightarrow> memory \<Rightarrow> bool \<Rightarrow> bool"  ("'(_,_') \<longrightarrow>b _" [100,100] 50)
+where
+TRUE:  "(TRUE, m) \<longrightarrow>b True"
+| FALSE: "(FALSE, m) \<longrightarrow>b False"
+| ROp:   "\<lbrakk>(e1, m) \<longrightarrow>a n1; (e2, m) \<longrightarrow>a n2\<rbrakk> \<Longrightarrow> (ROp f e1 e2, m) \<longrightarrow>b (f n1 n2)"
+| NOT:   "(e, m) \<longrightarrow>b b \<Longrightarrow> (NOT e, m) \<longrightarrow>b (Not b)"
+| AND:   "\<lbrakk>(e1, m) \<longrightarrow>b b1; (e2, m) \<longrightarrow>b b2\<rbrakk> \<Longrightarrow> (AND e1 e2, m) \<longrightarrow>b (b1 \<and> b2)"
+| OR:    "\<lbrakk>(e1, m) \<longrightarrow>b b1; (e2, m) \<longrightarrow>b b2\<rbrakk> \<Longrightarrow> (OR e1 e2, m) \<longrightarrow>b (b1 \<or> b2)"
+inductive
+evalc :: "cmd \<Rightarrow> memory \<Rightarrow> memory \<Rightarrow> bool" ("'(_,_') \<longrightarrow>c _" [0,0,60] 60)
+where
+SKIP:    "(SKIP, m) \<longrightarrow>c m"
+| ASSIGN:  "(a, m) \<longrightarrow>a n \<Longrightarrow> (x::=a, m) \<longrightarrow>c m(x:=n)"
+| SEQ:     "\<lbrakk>(c0, m) \<longrightarrow>c m'; (c1, m') \<longrightarrow>c m''\<rbrakk> \<Longrightarrow> (c0; c1, m) \<longrightarrow>c m''"
+| IFTrue:  "\<lbrakk>(e, m) \<longrightarrow>b True; (c0, m) \<longrightarrow>c m'\<rbrakk> \<Longrightarrow> (IF e THEN c0 ELSE c1, m) \<longrightarrow>c m'"
+| IFFalse: "\<lbrakk>(e, m) \<longrightarrow>b False; (c1, m) \<longrightarrow>c m'\<rbrakk> \<Longrightarrow> (IF e THEN c0 ELSE c1, m) \<longrightarrow>c m'"
+| WHILEFalse: "(e, m) \<longrightarrow>b False \<Longrightarrow> (WHILE e DO c,m) \<longrightarrow>c m"
+| WHILETrue:  "\<lbrakk>(e, m) \<longrightarrow>b True; (c,m) \<longrightarrow>c m'; (WHILE e DO c, m') \<longrightarrow>c m''\<rbrakk>
+\<Longrightarrow> (WHILE e DO c, m) \<longrightarrow>c m''"
+lemmas evala.intros[intro] evalb.intros[intro] evalc.intros[intro]
+text {*****************************************************************
+Machine Instructions
+--------------------
+*}
+datatype instr =
+JPFZ  "nat"               (* JUMP forward n steps, if top of stack is False *)
+| JPB   "nat"               (* JUMP backward n steps *)
+| FETCH "nat"               (* move memory to top of stack *)
+| STORE "nat"               (* move top of stack to memory *)
+| PUSH  "nat"               (* push to stack *)
+| OPU   "nat \<Rightarrow> nat"        (* pop one from stack and apply f *)
+| OPB   "nat \<Rightarrow> nat \<Rightarrow> nat" (* pop two from stack and apply f *)
+text {*****************************************************************
+Booleans 'as' Zero and One
+--------------------------
+*}
+fun
+WRAP::"bool\<Rightarrow>nat"
+where
+"WRAP True = Suc 0"
+| "WRAP False = 0"
+fun
+MNot::"nat \<Rightarrow> nat"
+where
+"MNot 0 = 1"
+| "MNot (Suc 0) = 0"
+fun
+MAnd::"nat \<Rightarrow> nat \<Rightarrow> nat"
+where
+"MAnd 0 x = 0"
+| "MAnd x 0 = 0"
+| "MAnd (Suc 0) (Suc 0) = 1"
+fun
+MOr::"nat \<Rightarrow> nat \<Rightarrow> nat"
+where
+"MOr 0 0 = 0"
+| "MOr (Suc 0) x = 1"
+| "MOr x (Suc 0) = 1"
+lemma MNot_WRAP:
+"MNot (WRAP b) = WRAP (Not b)"
+by (cases b) (auto)
+lemma MAnd_WRAP:
+"MAnd (WRAP b1) (WRAP b2) = WRAP (b1 \<and> b2)"
+by (cases b1, auto) (cases b2, simp_all)
+lemma MOr_WRAP:
+"MOr (WRAP b1) (WRAP b2) = WRAP (b1 \<or> b2)"
+by (cases b1, auto) (cases b2, simp_all)
+lemmas WRAP_lems = MNot_WRAP MAnd_WRAP MOr_WRAP
+text {*****************************************************************
+Compiler Functions
+------------------
+*}
+fun
+compa
+where
+"compa (C n) = [PUSH n]"
+| "compa (X l) = [FETCH l]"
+| "compa (Op1 f e) = (compa e) @ [OPU f]"
+| "compa (Op2 f e1 e2) = (compa e1) @ (compa e2) @ [OPB f]"
+fun
+compb
+where
+"compb (TRUE) = [PUSH 1]"
+| "compb (FALSE) = [PUSH 0]"
+| "compb (ROp f e1 e2) = (compa e1) @ (compa e2) @ [OPB (\<lambda>x y. WRAP (f x y))]"
+| "compb (NOT e) = (compb e) @ [OPU MNot]"
+| "compb (AND e1 e2) = (compb e1) @ (compb e2) @ [OPB MAnd]"
+| "compb (OR e1 e2) = (compb e1) @ (compb e2) @ [OPB MOr]"
+fun
+compc :: "cmd \<Rightarrow> instr list"
+where
+"compc SKIP = []"
+| "compc (x::=a) = (compa a) @ [STORE x]"
+| "compc (c1;c2) = compc c1 @ compc c2"
+| "compc (IF b THEN c1 ELSE c2) =
+(compb b) @ [JPFZ (length(compc c1) + 2)] @ compc c1 @
+[PUSH 0, JPFZ (length(compc c2))] @ compc c2"
+| "compc (WHILE b DO c) =
+(compb b) @
+[JPFZ (length(compc c) + 1)] @ compc c @
+[JPB (length(compc c) + length(compb b)+1)]"
+value "compc SKIP"
+value "compc (SKIP; SKIP)"
+value "compa (Op2 (op +) (C 2) (C 3))"
+value "compb (ROp (op <) (C 2) (C 3))"
+value "compc (IF (ROp (op <) (C 2) (C 3)) THEN SKIP ELSE SKIP)"
+value "compc (WHILE (ROp (op <) (C 2) (C 3)) DO SKIP)"
+value "compc (x::= C 0; WHILE (ROp (op <) (X x) (C 3)) DO (x::= (Op2 (op +) (X x) (C 1))))"
+text {*****************************************************************
+Machine Execution
+-----------------
+*}
+types instrs = "instr list"
+types stack = "nat list"
+abbreviation
+"rtake i xs \<equiv> rev (take i xs)"
+inductive
+step :: "instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow>
+instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow> bool" ("'(_,_,_,_') \<longrightarrow>m '(_,_,_,_')")
+where
+"(PUSH n#p, q, s, m) \<longrightarrow>m (p, PUSH n#q, n#s, m)"
+| "(FETCH i#p, q, s, m) \<longrightarrow>m (p, FETCH i#q, m i#s, m)"
+| "(OPU f#p, q, n#s, m) \<longrightarrow>m (p, OPU f#q, f n#s, m)"
+| "(OPB f#p, q, n1#n2#s, m) \<longrightarrow>m (p, OPB f#q, f n2 n1#s, m)"
+| "(STORE i#p, q, n#s, m) \<longrightarrow>m (p, STORE i#q, s, m(i:=n))"
+| "(JPFZ i#p, q, Suc 0#s, m) \<longrightarrow>m (p, JPFZ i#q, s, m)"
+| "i\<le>length p\<Longrightarrow>(JPFZ i#p, q, 0#s, m) \<longrightarrow>m (drop i p, (rtake i p) @ (JPFZ i#q), s, m)"
+| "i\<le>length q\<Longrightarrow>(JPB i#p, q, s, m) \<longrightarrow>m ((rtake i q) @ (JPB i#p), drop i q, s, m)"
+lemmas step.intros[intro]
+inductive_cases step_elim[elim]:
+"(p,q,s,m) \<longrightarrow>m (p',q',s',m')"
+lemma exec_simp:
+shows "(instr#p, q, s, m) \<longrightarrow>m (p', q', s', m') =
+(case instr of
+PUSH n \<Rightarrow> (p' = p \<and> q' = instr#q \<and> s' = n#s \<and> m' = m)
+| FETCH i \<Rightarrow> (p' = p \<and> q' = instr#q \<and> s' = m i#s \<and> m' = m)
+| OPU f \<Rightarrow> (\<exists>n si. p' = p \<and> q' = instr#q \<and> s = n#si \<and> s' = f n#si \<and> m' = m)
+| OPB f \<Rightarrow> (\<exists>n1 n2 si. p' = p \<and> q' = instr#q \<and> s = n1#n2#si \<and> s' = f n2 n1#si \<and> m' = m)
+| STORE i \<Rightarrow> (\<exists>n si. p' = p \<and> q' = instr#q \<and> s = n#si \<and> s' = si \<and> m' = m(i:=n))
+| JPFZ i \<Rightarrow> (\<exists>si. (p' = p \<and> q' = instr#q \<and> s = Suc 0#si \<and> s' = si \<and> m' = m) \<or>
+(i\<le> length p \<and> p' = (drop i p) \<and> q' = (rev (take i p))@(instr#q)
+\<and> s = 0#si \<and> s' = si \<and> m' = m ))
+| JPB i \<Rightarrow> (i \<le> length q \<and> p' = (rtake i q)@(JPB i#p) \<and> q' = drop i q \<and> s' = s \<and> m' = m))"
+by (auto split: instr.split_asm split_if_asm)
+inductive
+steps :: "instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow>
+instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow> bool" ("'(_,_,_,_') \<longrightarrow>m* '(_,_,_,_')")
+where
+refl: "(p,q,s,m) \<longrightarrow>m* (p,q,s,m)"
+| step: "\<lbrakk>(p1,q1,s1,m1) \<longrightarrow>m (p2,q2,s2,m2); (p2,q2,s2,m2) \<longrightarrow>m* (p3,q3,s3,m3)\<rbrakk>
+\<Longrightarrow> (p1,q1,s1,m1) \<longrightarrow>m* (p3,q3,s3,m3)"
+lemmas steps.step[intro]
+lemmas steps.refl[simp]
+inductive_cases steps_elim[elim]:
+"(p,q,s,m) \<longrightarrow>m* (p',q',s',m')"
+lemma steps_trans:
+assumes a: "(p1,q1,s1,m1) \<longrightarrow>m* (p2,q2,s2,m2)"
+and     b: "(p2,q2,s2,m2) \<longrightarrow>m* (p3,q3,s3,m3)"
+shows "(p1,q1,s1,m1) \<longrightarrow>m* (p3,q3,s3,m3)"
+using a b by (induct) (auto)
+lemma steps_simp:
+shows "(i#p,q,s,m) \<longrightarrow>m* (p',q',s',m') =
+((i#p,q,s,m) = (p',q',s',m') \<or>
+(\<exists>pi qi si mi. (i#p,q,s,m) \<longrightarrow>m (pi,qi,si,mi) \<and> (pi,qi,si,mi) \<longrightarrow>m* (p',q',s',m')))"
+by (auto)
+lemma compa_first_attempt:
+assumes a: "(e, m) \<longrightarrow>a n"
+shows "(compa e, [], [], m) \<longrightarrow>m* ([], rev (compa e), [n], m)"
+using a
+proof (induct)
+case (C n m)
+show "(compa (C n),[],[],m) \<longrightarrow>m* ([],rev (compa (C n)),[n],m)"
+sorry
+next
+case (X i m)
+show "(compa (X i),[],[],m) \<longrightarrow>m* ([],rev (compa (X i)),[m i],m)"
+sorry
+next
+case (Op1 e m n f)
+have as: "(e, m) \<longrightarrow>a n" by fact
+have ih: "(compa e,[],[],m) \<longrightarrow>m* ([],rev (compa e),[n],m)" by fact
+show "(compa (Op1 f e),[],[],m) \<longrightarrow>m* ([],rev (compa (Op1 f e)),[f n],m)"
+using ih sorry
+next
+case (Op2 e0 m n0 e1 n1 f)
+have as1: "(e0, m) \<longrightarrow>a n0" by fact
+have as2: "(e1, m) \<longrightarrow>a n1" by fact
+have ih1: "(compa e0,[],[],m) \<longrightarrow>m* ([],rev (compa e0),[n0],m)" by fact
+have ih2: "(compa e1,[],[],m) \<longrightarrow>m* ([],rev (compa e1),[n1],m)" by fact
+show "(compa (Op2 f e0 e1),[],[],m) \<longrightarrow>m* ([],rev (compa (Op2 f e0 e1)),[f n0 n1],m)"
+using ih1[THEN steps_trans] ih2[THEN steps_trans]
+sorry
+qed
+lemma compa_aux:
+assumes a: "(e, m) \<longrightarrow>a n"
+shows "(compa e@p, q, s, m) \<longrightarrow>m* (p, rev (compa e)@q, n#s, m)"
+using a
+proof (induct arbitrary: p q s)
+case (C n m p q s)
+show "(compa (C n)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (C n))@q,n#s,m)"
+by (simp add: steps_simp exec_simp)
+next
+case (X i m p q s)
+show "(compa (X i)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (X i))@q,m i#s,m)"
+by (simp add: steps_simp exec_simp)
+next
+case (Op1 e m n f p q s)
+have as: "(e, m) \<longrightarrow>a n" by fact
+have ih: "\<And>p q s. (compa e@p,q,s,m) \<longrightarrow>m* (p,rev (compa e)@q,n#s,m)" by fact
+show "(compa (Op1 f e)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (Op1 f e))@q,f n#s,m)"
+using ih[THEN steps_trans] by (simp add: steps_simp exec_simp)
+next
+case (Op2 e0 m n0 e1 n1 f p q s)
+have as1: "(e0, m) \<longrightarrow>a n0" by fact
+have as2: "(e1, m) \<longrightarrow>a n1" by fact
+have ih1: "\<And>p q s. (compa e0@p,q,s,m) \<longrightarrow>m* (p,rev (compa e0)@q,n0#s,m)" by fact
+have ih2: "\<And>p q s. (compa e1@p,q,s,m) \<longrightarrow>m* (p,rev (compa e1)@q,n1#s,m)" by fact
+show "(compa (Op2 f e0 e1)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (Op2 f e0 e1))@q,f n0 n1#s,m)"
+using ih1[THEN steps_trans] ih2[THEN steps_trans]
+by (simp add: steps_simp exec_simp)
+qed
+text {*
+After the fact I constructed the detailed proof, I
+could guide Isabelle to find the proof automatically.
+*B U T    T H A T    I S   C H E A T I N G!!!*
+*}
+lemma compa_aux_cheating:
+assumes a: "(e,m) \<longrightarrow>a n"
+shows "(compa e@p,q,s,m) \<longrightarrow>m* (p,rev (compa e)@q,n#s,m)"
+using a
+by (induct arbitrary: p q s)
+(force intro: steps_trans simp add: steps_simp exec_simp)+
+lemma compb_aux_cheating:
+assumes a: "(e,m) \<longrightarrow>b b"
+shows "(compb e@p,q,s,m) \<longrightarrow>m* (p,rev (compb e)@q,(WRAP b)#s,m)"
+using a
+by (induct arbitrary: p q s)
+(force intro: compa_aux steps_trans
+simp add: steps_simp exec_simp WRAP_lems)+
+text {*
+Exercise: After you know the lemma is provable,
+try to give all details.
+*}
+lemma compb_aux:
+assumes a: "(e, m) \<longrightarrow>b b"
+shows "(compb e@p, q, s, m) \<longrightarrow>m* (p, rev (compb e)@q, WRAP b#s, m)"
+using a
+proof (induct arbitrary: p q s)
+case (TRUE m p q s)
+show "(compb TRUE@p,q,s,m) \<longrightarrow>m* (p,rev (compb TRUE)@q,WRAP True#s,m)"
+sorry
+next
+case (FALSE m p q s)
+show "(compb FALSE@p,q,s,m) \<longrightarrow>m* (p,rev (compb FALSE)@q,WRAP False#s,m)"
+sorry
+next
+case (ROp e1 m n1 e2 n2 f p q s)
+have as1: "(e1, m) \<longrightarrow>a n1" by fact
+have as2: "(e2, m) \<longrightarrow>a n2" by fact
+show "(compb (ROp f e1 e2)@p,q,s,m)
+\<longrightarrow>m* (p,rev (compb (ROp f e1 e2))@q,WRAP (f n1 n2)#s,m)"
+using as1 as2 sorry
+next
+case (NOT e m b p q s)
+have ih: "\<And>p q s. (compb e@p,q,s,m) \<longrightarrow>m* (p,rev (compb e)@q,WRAP b#s,m)" by fact
+show "(compb (NOT e)@p,q,s,m) \<longrightarrow>m* (p,rev (compb (NOT e))@q,WRAP (\<not>b)#s,m)"
+using ih[THEN steps_trans]
+sorry
+next
+case (AND e1 m b1 e2 b2 p q s)
+have ih1: "\<And>p q s. (compb e1@p,q,s,m) \<longrightarrow>m* (p,rev (compb e1)@q,WRAP b1#s,m)" by fact
+have ih2: "\<And>p q s. (compb e2@p,q,s,m) \<longrightarrow>m* (p,rev (compb e2)@q,WRAP b2#s,m)" by fact
+show "(compb (AND e1 e2)@p,q,s,m) \<longrightarrow>m* (p,rev (compb (AND e1 e2))@q,WRAP (b1 \<and> b2)#s,m)"
+using ih1[THEN steps_trans] ih2[THEN steps_trans]
+sorry
+next
+case (OR e1 m b1 e2 b2 p q s)
+have ih1: "\<And>p q s. (compb e1@p,q,s,m) \<longrightarrow>m* (p,rev (compb e1)@q,WRAP b1#s,m)" by fact
+have ih2: "\<And>p q s. (compb e2@p,q,s,m) \<longrightarrow>m* (p,rev (compb e2)@q,WRAP b2#s,m)" by fact
+show "(compb (OR e1 e2)@p,q,s,m) \<longrightarrow>m* (p,rev (compb (OR e1 e2))@q,WRAP (b1 \<or> b2)#s,m)"
+using ih1[THEN steps_trans] ih2[THEN steps_trans]
+sorry
+qed
+text {*
+Also the detailed proof of this lemma is left as an exercise.
+*}
+lemma compc_aux_cheating:
+assumes a: "(c,m) \<longrightarrow>c m'"
+shows "(compc c@p,q,s,m) \<longrightarrow>m* (p,rev (compc c)@q,s,m')"
+using a
+by (induct arbitrary: p q)
+(force intro: compa_aux compb_aux_cheating steps_trans
+simp add: steps_simp exec_simp)+
+end