Experimental development
========================

Here are explanatory notes on the multiple experimental versions kept here:

ToyGrailDef, ToyGrailLemmas
    Main definitions and lemmas.

ToyGrailLemmasExtras
    Extra properties (determinacy).

ToyHLbasic, ToyHLderived
    Basic and derived rules for Hoare Logic.

ToyHLextras
    Old material removed from ToyHLderived; probably not needed.

ToyVDM, ToyVDMderived
    VDM versions of the above.

ToyHLrec, ToyHLproofs
    Soundness of the partial-correctness rule for CALL, and of the proof
    system that uses that rule. Uses a second operational semantics
    annotated with derivation height.

ToyHLrec2, ToyHLproofs2
    Same as above, but defines -->n using callcount instead of a second
    operational semantics: much simpler.

ToyHLrec3, ToyHLproofs3
    Same as above, but uses the clock instead of callcount. Probably the
    best option (since it will work for invoke too), but it requires nats
    for the clock (or validity defined only for "good starting states",
    which have non-negative clocks). Also needs a proof by cases for every
    |=n relativized rule. Uses XXXNat.thy.

XXXNat.thy
    Based on natural numbers in all state components. Avoids problems
    with deriving rules, but we may hit problems again with nat/int
    differences when trying to prove properties of the clock.
    (Isabelle2003 may be better, though?)


ToyFunGrailDef
    Version of ToyGrailDef that uses environments. UNFINISHED: in
    particular, pre-assertions now need to range over environments;
    moreover, this version may only make sense for checking complete
    method bodies, since inside a method we need to treat the environment
    as a store (global variables). Probably also needs a restriction to
    Grail conventions (tail recursion) to make sense of it.



DEFUNCT STUFF:

ToyHLmutrec
ToyGrailDefoverloaded

NB: I'm using Isabelle2003. Only minor diffs in ToyGrailDef so far;
they can be reverted to Isabelle2002 easily, see comments there.