Christian Urban
1st June 2009, Beijing
changeset 457 3feaf8bc3e48
parent 415 f1be8028a4a9
  Isabelle Tutorial

  1st June 2009, Beijing 


theory Lec2
  imports "Main" 

text {***********************************************************

  Automatic proofs again:


 even :: "nat \<Rightarrow> bool"
  eZ[intro]:  "even 0"
| eSS[intro]: "even n \<Longrightarrow> even (Suc (Suc n))"

text {* 
  In the following two lemmas we have to indicate the induction,
  but the routine calculations can be done completely automatically
  by Isabelle's internal tools. 

lemma even_twice:
  shows "even (n + n)"
by (induct n) (auto)

lemma even_add:
  assumes a: "even n"
  and     b: "even m"
  shows "even (n + m)"
using a b by (induct) (auto)

text {* 
  In the next proof it was crucial that we introduced
  the equation
     (Suc (Suc n) * m) = (m + m) + (n * m)
  because this allowed us to use the induction hypothesis
  and the previous two lemmas. *}

lemma even_mul:
  assumes a: "even n"
  shows "even (n * m)"
using a
proof (induct)
  case eZ
  show "even (0 * m)" by auto
  case (eSS n)
  have as: "even n" by fact
  have ih: "even (n * m)" by fact
  have "(Suc (Suc n) * m) = (m + m) + (n * m)" by simp
  have "even (m + m)" using even_twice by simp
  show "even (Suc (Suc n) * m)" using ih even_add by (simp only:)

text {* 
  This proof cannot be found by the internal tools, but
  Isabelle has an interface to external provers. This
  interface is called sledgehammer and it finds the 
  proof more or less automatically.


lemma even_mul_auto:
  assumes a: "even n"
  shows "even (n * m)"
using a
apply(metis eZ mult_is_0)
apply(metis even_add even_twice mult_Suc_right nat_add_assoc nat_mult_commute)

text {*
  The disadvantage of such proofs is that you do
  not know why they are true.

text {***************************************************************** 

  Function Definitions

  Many functions over datatypes can be defined by recursion on the
  structure. For this purpose, Isabelle provides "fun". To use it one needs 
  to give a name for the function, its type, optionally some pretty-syntax 
  and then some equations defining the function. Like in "inductive",
  "fun" expects that more than one such equation is separated by "|".

  The Fibonacci function:


  fib :: "nat \<Rightarrow> nat"
  "fib 0 = 1"
| "fib (Suc 0) = 1"
| "fib (Suc (Suc n)) = fib n + fib (Suc n)"

text {* The Ackermann function: *}

  ack :: "nat \<Rightarrow> nat \<Rightarrow> nat"
  "ack 0 m = Suc m"
| "ack (Suc n) 0 = ack n (Suc 0)"
| "ack (Suc n) (Suc m) = ack n (ack (Suc n) m)"

text {*
  Non-terminating functions can lead to inconsistencies.

  assumes a: "f x = f x + (1::nat)"
  shows "False"
proof -
  from a have "0 = (1::nat)" by simp
  then show "False" by simp

text {*
  If Isabelle cannot automatically prove termination,
  then you can give an explicit measure that establishes
  termination. For example a generalisation of the
  Fibonacci function to integers can be shown terminating

  fib' :: "int \<Rightarrow> int"
  "n< -1 \<Longrightarrow> fib' n = fib' (n + 2) - fib' (n + 1)"
| "fib' -1 = (1::int)"
| "fib' 0 = (0::int)"
| "fib' 1 = (1::int)"
| "n > 1 \<Longrightarrow> fib' n = fib' (n - 1) + fib' (n - 2)"
  by (atomize_elim, presburger) (auto)

  by (relation "measure (\<lambda>x. nat (\<bar>x\<bar>))")
     (simp_all add: zabs_def)

text {***************************************************************** 


  Datatypes can be defined in Isabelle as follows: we have to provide the name 
  of the datatype and list its type-constructors. Each type-constructor needs 
  to have the information about the types of its arguments, and optionally 
  can also contain some information about pretty syntax. For example, we write
  "[]" for Nil and ":::" for Cons.


datatype 'a mylist =
  MyNil                   ("[]")
| MyCons "'a" "'a mylist" ("_ ::: _" 65)

text {*
  You can easily define functions over the structure of datatypes.

  myappend :: "'a mylist \<Rightarrow> 'a mylist \<Rightarrow> 'a mylist" ("_ @@ _" 65)
  "[] @@ xs = xs"
| "(y:::ys) @@ xs = y:::(ys @@ xs)"

  myrev :: "'a mylist \<Rightarrow> 'a mylist"
  "myrev [] = []"
| "myrev (x:::xs) = (myrev xs) @@ (x:::[])"

text {*****************************************************************

  Exercise: Prove the following fact about append and reversal.


lemma myrev_append:
  shows "myrev (xs @@ ys) = (myrev ys) @@ (myrev xs)"
proof (induct xs)
  case MyNil
  show "myrev ([] @@ ys) = myrev ys @@ myrev []" sorry
  case (MyCons x xs)
  have ih: "myrev (xs @@ ys) = myrev ys @@ myrev xs" by fact
  show "myrev ((x:::xs) @@ ys) = myrev ys @@ myrev (x:::xs)" sorry

text {* auxiliary lemmas *}

lemma mynil_append[simp]:
  shows "xs @@ [] = xs"
by (induct xs) (auto)

lemma myappend_assoc[simp]: 
  "(xs @@ ys) @@ zs = xs @@ (ys @@ zs)"
by (induct xs) (auto)

  shows "myrev (xs @@ ys) = (myrev ys) @@ (myrev xs)"
by (induct xs) (auto)

text {***************************************************************** 

  A WHILE Language:

  Arithmetic Expressions, Boolean Expressions, Commands


types memory = "nat \<Rightarrow> nat"

datatype aexp = 
    C nat
  | X nat
  | Op1 "nat \<Rightarrow> nat" aexp
  | Op2 "nat \<Rightarrow> nat \<Rightarrow> nat" aexp aexp

datatype bexp = 
  | ROp  "nat \<Rightarrow> nat \<Rightarrow> bool" aexp aexp
  | NOT bexp
  | AND bexp bexp  
  | OR  bexp bexp

datatype cmd = 
  | ASSIGN nat aexp      ("_ ::= _ " 60)
  | SEQ    cmd cmd       ("_; _" [60, 60] 10)
  | COND   bexp cmd cmd  ("IF _ THEN _ ELSE _" 60)
  | WHILE  bexp cmd      ("WHILE _ DO _" 60)

text {***************************************************************** 

  Big-step Evaluation Semantics 


  evala :: "aexp \<Rightarrow> memory \<Rightarrow> nat \<Rightarrow> bool"  ("'(_,_') \<longrightarrow>a _" [100,100] 50)
  C:   "(C n, m) \<longrightarrow>a n"
| X:   "(X i, m) \<longrightarrow>a m i" 
| Op1: "(e, m) \<longrightarrow>a n \<Longrightarrow> (Op1 f e, m) \<longrightarrow>a (f n)"
| Op2: "\<lbrakk>(e0, m) \<longrightarrow>a n0;  (e1, m)  \<longrightarrow>a n1\<rbrakk> \<Longrightarrow> (Op2 f e0 e1, m) \<longrightarrow>a f n0 n1"

  evalb :: "bexp \<Rightarrow> memory \<Rightarrow> bool \<Rightarrow> bool"  ("'(_,_') \<longrightarrow>b _" [100,100] 50)
  TRUE:  "(TRUE, m) \<longrightarrow>b True"
| FALSE: "(FALSE, m) \<longrightarrow>b False" 
| ROp:   "\<lbrakk>(e1, m) \<longrightarrow>a n1; (e2, m) \<longrightarrow>a n2\<rbrakk> \<Longrightarrow> (ROp f e1 e2, m) \<longrightarrow>b (f n1 n2)" 
| NOT:   "(e, m) \<longrightarrow>b b \<Longrightarrow> (NOT e, m) \<longrightarrow>b (Not b)"
| AND:   "\<lbrakk>(e1, m) \<longrightarrow>b b1; (e2, m) \<longrightarrow>b b2\<rbrakk> \<Longrightarrow> (AND e1 e2, m) \<longrightarrow>b (b1 \<and> b2)"
| OR:    "\<lbrakk>(e1, m) \<longrightarrow>b b1; (e2, m) \<longrightarrow>b b2\<rbrakk> \<Longrightarrow> (OR e1 e2, m) \<longrightarrow>b (b1 \<or> b2)"

  evalc :: "cmd \<Rightarrow> memory \<Rightarrow> memory \<Rightarrow> bool" ("'(_,_') \<longrightarrow>c _" [0,0,60] 60)
  SKIP:    "(SKIP, m) \<longrightarrow>c m"
| ASSIGN:  "(a, m) \<longrightarrow>a n \<Longrightarrow> (x::=a, m) \<longrightarrow>c m(x:=n)"
| SEQ:     "\<lbrakk>(c0, m) \<longrightarrow>c m'; (c1, m') \<longrightarrow>c m''\<rbrakk> \<Longrightarrow> (c0; c1, m) \<longrightarrow>c m''"
| IFTrue:  "\<lbrakk>(e, m) \<longrightarrow>b True; (c0, m) \<longrightarrow>c m'\<rbrakk> \<Longrightarrow> (IF e THEN c0 ELSE c1, m) \<longrightarrow>c m'"
| IFFalse: "\<lbrakk>(e, m) \<longrightarrow>b False; (c1, m) \<longrightarrow>c m'\<rbrakk> \<Longrightarrow> (IF e THEN c0 ELSE c1, m) \<longrightarrow>c m'"
| WHILEFalse: "(e, m) \<longrightarrow>b False \<Longrightarrow> (WHILE e DO c,m) \<longrightarrow>c m"
| WHILETrue:  "\<lbrakk>(e, m) \<longrightarrow>b True; (c,m) \<longrightarrow>c m'; (WHILE e DO c, m') \<longrightarrow>c m''\<rbrakk>
               \<Longrightarrow> (WHILE e DO c, m) \<longrightarrow>c m''"

lemmas evala.intros[intro] evalb.intros[intro] evalc.intros[intro]

text {***************************************************************** 

  Machine Instructions


datatype instr = 
    JPFZ  "nat"               (* JUMP forward n steps, if top of stack is False *)
  | JPB   "nat"               (* JUMP backward n steps *)
  | FETCH "nat"               (* move memory to top of stack *)  
  | STORE "nat"               (* move top of stack to memory *)
  | PUSH  "nat"               (* push to stack *) 
  | OPU   "nat \<Rightarrow> nat"        (* pop one from stack and apply f *)
  | OPB   "nat \<Rightarrow> nat \<Rightarrow> nat" (* pop two from stack and apply f *)

text {***************************************************************** 

  Booleans 'as' Zero and One


  "WRAP True = Suc 0"
| "WRAP False = 0"

  MNot::"nat \<Rightarrow> nat"
  "MNot 0 = 1"
| "MNot (Suc 0) = 0"

  MAnd::"nat \<Rightarrow> nat \<Rightarrow> nat"
  "MAnd 0 x = 0"
| "MAnd x 0 = 0"
| "MAnd (Suc 0) (Suc 0) = 1"

  MOr::"nat \<Rightarrow> nat \<Rightarrow> nat"
  "MOr 0 0 = 0"
| "MOr (Suc 0) x = 1"
| "MOr x (Suc 0) = 1"

lemma MNot_WRAP:
  "MNot (WRAP b) = WRAP (Not b)"
by (cases b) (auto)

lemma MAnd_WRAP:
  "MAnd (WRAP b1) (WRAP b2) = WRAP (b1 \<and> b2)"
by (cases b1, auto) (cases b2, simp_all)

lemma MOr_WRAP:
  "MOr (WRAP b1) (WRAP b2) = WRAP (b1 \<or> b2)"
by (cases b1, auto) (cases b2, simp_all)

lemmas WRAP_lems = MNot_WRAP MAnd_WRAP MOr_WRAP

text {***************************************************************** 

  Compiler Functions


  "compa (C n) = [PUSH n]"
| "compa (X l) = [FETCH l]"
| "compa (Op1 f e) = (compa e) @ [OPU f]"
| "compa (Op2 f e1 e2) = (compa e1) @ (compa e2) @ [OPB f]"

  "compb (TRUE) = [PUSH 1]"
| "compb (FALSE) = [PUSH 0]"
| "compb (ROp f e1 e2) = (compa e1) @ (compa e2) @ [OPB (\<lambda>x y. WRAP (f x y))]"
| "compb (NOT e) = (compb e) @ [OPU MNot]"
| "compb (AND e1 e2) = (compb e1) @ (compb e2) @ [OPB MAnd]"
| "compb (OR e1 e2) = (compb e1) @ (compb e2) @ [OPB MOr]"

  compc :: "cmd \<Rightarrow> instr list"
  "compc SKIP = []"
| "compc (x::=a) = (compa a) @ [STORE x]"
| "compc (c1;c2) = compc c1 @ compc c2"
| "compc (IF b THEN c1 ELSE c2) =
    (compb b) @ [JPFZ (length(compc c1) + 2)] @ compc c1 @   
    [PUSH 0, JPFZ (length(compc c2))] @ compc c2" 
| "compc (WHILE b DO c) = 
    (compb b) @
    [JPFZ (length(compc c) + 1)] @ compc c @
    [JPB (length(compc c) + length(compb b)+1)]"

value "compc SKIP"
value "compc (SKIP; SKIP)"
value "compa (Op2 (op +) (C 2) (C 3))"
value "compb (ROp (op <) (C 2) (C 3))"
value "compc (IF (ROp (op <) (C 2) (C 3)) THEN SKIP ELSE SKIP)"
value "compc (WHILE (ROp (op <) (C 2) (C 3)) DO SKIP)"
value "compc (x::= C 0; WHILE (ROp (op <) (X x) (C 3)) DO (x::= (Op2 (op +) (X x) (C 1))))"

text {***************************************************************** 

  Machine Execution


types instrs = "instr list"
types stack = "nat list"

 "rtake i xs \<equiv> rev (take i xs)"

  step :: "instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow> 
           instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow> bool" ("'(_,_,_,_') \<longrightarrow>m '(_,_,_,_')")
    "(PUSH n#p, q, s, m) \<longrightarrow>m (p, PUSH n#q, n#s, m)"
  | "(FETCH i#p, q, s, m) \<longrightarrow>m (p, FETCH i#q, m i#s, m)"
  | "(OPU f#p, q, n#s, m) \<longrightarrow>m (p, OPU f#q, f n#s, m)"
  | "(OPB f#p, q, n1#n2#s, m) \<longrightarrow>m (p, OPB f#q, f n2 n1#s, m)"
  | "(STORE i#p, q, n#s, m) \<longrightarrow>m (p, STORE i#q, s, m(i:=n))"
  | "(JPFZ i#p, q, Suc 0#s, m) \<longrightarrow>m (p, JPFZ i#q, s, m)"
  | "i\<le>length p\<Longrightarrow>(JPFZ i#p, q, 0#s, m) \<longrightarrow>m (drop i p, (rtake i p) @ (JPFZ i#q), s, m)"
  | "i\<le>length q\<Longrightarrow>(JPB i#p, q, s, m) \<longrightarrow>m ((rtake i q) @ (JPB i#p), drop i q, s, m)"

lemmas step.intros[intro]

inductive_cases step_elim[elim]:
   "(p,q,s,m) \<longrightarrow>m (p',q',s',m')"

lemma exec_simp:
  shows "(instr#p, q, s, m) \<longrightarrow>m (p', q', s', m') =
    (case instr of
        PUSH n \<Rightarrow> (p' = p \<and> q' = instr#q \<and> s' = n#s \<and> m' = m)
      | FETCH i \<Rightarrow> (p' = p \<and> q' = instr#q \<and> s' = m i#s \<and> m' = m)     
      | OPU f \<Rightarrow> (\<exists>n si. p' = p \<and> q' = instr#q \<and> s = n#si \<and> s' = f n#si \<and> m' = m) 
      | OPB f \<Rightarrow> (\<exists>n1 n2 si. p' = p \<and> q' = instr#q \<and> s = n1#n2#si \<and> s' = f n2 n1#si \<and> m' = m) 
      | STORE i \<Rightarrow> (\<exists>n si. p' = p \<and> q' = instr#q \<and> s = n#si \<and> s' = si \<and> m' = m(i:=n))
      | JPFZ i \<Rightarrow> (\<exists>si. (p' = p \<and> q' = instr#q \<and> s = Suc 0#si \<and> s' = si \<and> m' = m) \<or>
                        (i\<le> length p \<and> p' = (drop i p) \<and> q' = (rev (take i p))@(instr#q) 
                         \<and> s = 0#si \<and> s' = si \<and> m' = m )) 
      | JPB i \<Rightarrow> (i \<le> length q \<and> p' = (rtake i q)@(JPB i#p) \<and> q' = drop i q \<and> s' = s \<and> m' = m))"
by (auto split: instr.split_asm split_if_asm)

  steps :: "instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow> 
            instrs \<Rightarrow> instrs \<Rightarrow> stack \<Rightarrow> memory \<Rightarrow> bool" ("'(_,_,_,_') \<longrightarrow>m* '(_,_,_,_')")
  refl: "(p,q,s,m) \<longrightarrow>m* (p,q,s,m)"
| step: "\<lbrakk>(p1,q1,s1,m1) \<longrightarrow>m (p2,q2,s2,m2); (p2,q2,s2,m2) \<longrightarrow>m* (p3,q3,s3,m3)\<rbrakk> 
         \<Longrightarrow> (p1,q1,s1,m1) \<longrightarrow>m* (p3,q3,s3,m3)"

lemmas steps.step[intro]
lemmas steps.refl[simp]

inductive_cases steps_elim[elim]:
  "(p,q,s,m) \<longrightarrow>m* (p',q',s',m')"

lemma steps_trans:
  assumes a: "(p1,q1,s1,m1) \<longrightarrow>m* (p2,q2,s2,m2)" 
  and     b: "(p2,q2,s2,m2) \<longrightarrow>m* (p3,q3,s3,m3)" 
  shows "(p1,q1,s1,m1) \<longrightarrow>m* (p3,q3,s3,m3)"
using a b by (induct) (auto)

lemma steps_simp:
  shows "(i#p,q,s,m) \<longrightarrow>m* (p',q',s',m') = 
        ((i#p,q,s,m) = (p',q',s',m') \<or> 
         (\<exists>pi qi si mi. (i#p,q,s,m) \<longrightarrow>m (pi,qi,si,mi) \<and> (pi,qi,si,mi) \<longrightarrow>m* (p',q',s',m')))"
by (auto)

lemma compa_first_attempt:
  assumes a: "(e, m) \<longrightarrow>a n"
  shows "(compa e, [], [], m) \<longrightarrow>m* ([], rev (compa e), [n], m)"
using a
proof (induct)
  case (C n m)
  show "(compa (C n),[],[],m) \<longrightarrow>m* ([],rev (compa (C n)),[n],m)" 
  case (X i m)
  show "(compa (X i),[],[],m) \<longrightarrow>m* ([],rev (compa (X i)),[m i],m)" 
  case (Op1 e m n f)
  have as: "(e, m) \<longrightarrow>a n" by fact
  have ih: "(compa e,[],[],m) \<longrightarrow>m* ([],rev (compa e),[n],m)" by fact
  show "(compa (Op1 f e),[],[],m) \<longrightarrow>m* ([],rev (compa (Op1 f e)),[f n],m)" 
    using ih sorry
  case (Op2 e0 m n0 e1 n1 f)
  have as1: "(e0, m) \<longrightarrow>a n0" by fact
  have as2: "(e1, m) \<longrightarrow>a n1" by fact
  have ih1: "(compa e0,[],[],m) \<longrightarrow>m* ([],rev (compa e0),[n0],m)" by fact
  have ih2: "(compa e1,[],[],m) \<longrightarrow>m* ([],rev (compa e1),[n1],m)" by fact
  show "(compa (Op2 f e0 e1),[],[],m) \<longrightarrow>m* ([],rev (compa (Op2 f e0 e1)),[f n0 n1],m)" 
    using ih1[THEN steps_trans] ih2[THEN steps_trans] 

lemma compa_aux:
  assumes a: "(e, m) \<longrightarrow>a n"
  shows "(compa e@p, q, s, m) \<longrightarrow>m* (p, rev (compa e)@q, n#s, m)"
using a
proof (induct arbitrary: p q s)
  case (C n m p q s)
  show "(compa (C n)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (C n))@q,n#s,m)" 
    by (simp add: steps_simp exec_simp)
  case (X i m p q s)
  show "(compa (X i)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (X i))@q,m i#s,m)" 
    by (simp add: steps_simp exec_simp)
  case (Op1 e m n f p q s)
  have as: "(e, m) \<longrightarrow>a n" by fact
  have ih: "\<And>p q s. (compa e@p,q,s,m) \<longrightarrow>m* (p,rev (compa e)@q,n#s,m)" by fact
  show "(compa (Op1 f e)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (Op1 f e))@q,f n#s,m)" 
    using ih[THEN steps_trans] by (simp add: steps_simp exec_simp)
  case (Op2 e0 m n0 e1 n1 f p q s)
  have as1: "(e0, m) \<longrightarrow>a n0" by fact
  have as2: "(e1, m) \<longrightarrow>a n1" by fact
  have ih1: "\<And>p q s. (compa e0@p,q,s,m) \<longrightarrow>m* (p,rev (compa e0)@q,n0#s,m)" by fact
  have ih2: "\<And>p q s. (compa e1@p,q,s,m) \<longrightarrow>m* (p,rev (compa e1)@q,n1#s,m)" by fact
  show "(compa (Op2 f e0 e1)@p,q,s,m) \<longrightarrow>m* (p,rev (compa (Op2 f e0 e1))@q,f n0 n1#s,m)" 
    using ih1[THEN steps_trans] ih2[THEN steps_trans] 
    by (simp add: steps_simp exec_simp)

text {*
  After the fact I constructed the detailed proof, I 
  could guide Isabelle to find the proof automatically.

  *B U T    T H A T    I S   C H E A T I N G!!!*

lemma compa_aux_cheating:
  assumes a: "(e,m) \<longrightarrow>a n"
  shows "(compa e@p,q,s,m) \<longrightarrow>m* (p,rev (compa e)@q,n#s,m)"
using a
by (induct arbitrary: p q s)
   (force intro: steps_trans simp add: steps_simp exec_simp)+

lemma compb_aux_cheating:
  assumes a: "(e,m) \<longrightarrow>b b"
  shows "(compb e@p,q,s,m) \<longrightarrow>m* (p,rev (compb e)@q,(WRAP b)#s,m)"
using a
by (induct arbitrary: p q s)
   (force intro: compa_aux steps_trans 
          simp add: steps_simp exec_simp WRAP_lems)+

text {*
  Exercise: After you know the lemma is provable,
  try to give all details.


lemma compb_aux:
  assumes a: "(e, m) \<longrightarrow>b b"
  shows "(compb e@p, q, s, m) \<longrightarrow>m* (p, rev (compb e)@q, WRAP b#s, m)"
using a
proof (induct arbitrary: p q s)
  case (TRUE m p q s)
  show "(compb TRUE@p,q,s,m) \<longrightarrow>m* (p,rev (compb TRUE)@q,WRAP True#s,m)"
  case (FALSE m p q s)
   show "(compb FALSE@p,q,s,m) \<longrightarrow>m* (p,rev (compb FALSE)@q,WRAP False#s,m)"
  case (ROp e1 m n1 e2 n2 f p q s)
  have as1: "(e1, m) \<longrightarrow>a n1" by fact
  have as2: "(e2, m) \<longrightarrow>a n2" by fact
  show "(compb (ROp f e1 e2)@p,q,s,m) 
          \<longrightarrow>m* (p,rev (compb (ROp f e1 e2))@q,WRAP (f n1 n2)#s,m)"
    using as1 as2 sorry
  case (NOT e m b p q s)
  have ih: "\<And>p q s. (compb e@p,q,s,m) \<longrightarrow>m* (p,rev (compb e)@q,WRAP b#s,m)" by fact
  show "(compb (NOT e)@p,q,s,m) \<longrightarrow>m* (p,rev (compb (NOT e))@q,WRAP (\<not>b)#s,m)"
    using ih[THEN steps_trans] 
  case (AND e1 m b1 e2 b2 p q s)
  have ih1: "\<And>p q s. (compb e1@p,q,s,m) \<longrightarrow>m* (p,rev (compb e1)@q,WRAP b1#s,m)" by fact
  have ih2: "\<And>p q s. (compb e2@p,q,s,m) \<longrightarrow>m* (p,rev (compb e2)@q,WRAP b2#s,m)" by fact
  show "(compb (AND e1 e2)@p,q,s,m) \<longrightarrow>m* (p,rev (compb (AND e1 e2))@q,WRAP (b1 \<and> b2)#s,m)"
    using ih1[THEN steps_trans] ih2[THEN steps_trans]
  case (OR e1 m b1 e2 b2 p q s)
  have ih1: "\<And>p q s. (compb e1@p,q,s,m) \<longrightarrow>m* (p,rev (compb e1)@q,WRAP b1#s,m)" by fact
  have ih2: "\<And>p q s. (compb e2@p,q,s,m) \<longrightarrow>m* (p,rev (compb e2)@q,WRAP b2#s,m)" by fact
  show "(compb (OR e1 e2)@p,q,s,m) \<longrightarrow>m* (p,rev (compb (OR e1 e2))@q,WRAP (b1 \<or> b2)#s,m)"
    using ih1[THEN steps_trans] ih2[THEN steps_trans]

text {*
  Also the detailed proof of this lemma is left as an exercise.


lemma compc_aux_cheating:
  assumes a: "(c,m) \<longrightarrow>c m'"
  shows "(compc c@p,q,s,m) \<longrightarrow>m* (p,rev (compc c)@q,s,m')"
using a
by (induct arbitrary: p q)
   (force intro: compa_aux compb_aux_cheating steps_trans 
            simp add: steps_simp exec_simp)+
