src/HOL/UNITY/Alloc.ML
author paulson
Tue Aug 31 15:56:56 1999 +0200 (1999-08-31)
changeset 7399 cf780c2bcccf
parent 7365 b5bb32e0861c
child 7482 7badd511844d
permissions -rw-r--r--
changed "component" infix in HOL/UNITY/Comp.thy to be overloaded <
paulson@6828
     1
(*  Title:      HOL/UNITY/Alloc
paulson@6828
     2
    ID:         $Id$
paulson@6828
     3
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@6828
     4
    Copyright   1998  University of Cambridge
paulson@6828
     5
paulson@6828
     6
Specification of Chandy and Charpentier's Allocator
paulson@6828
     7
*)
paulson@6828
     8
paulson@7399
     9
paulson@7399
    10
Goal "~ f #2 ==> ~ (!t::nat. (#0 <= t & t <= #10) --> f t)";
paulson@7399
    11
paulson@7399
    12
(*Useful examples:  singletonI RS subst_elem,  subst_elem RSN (2,IntI) *)
paulson@7399
    13
Goal "[| b:A;  a=b |] ==> a:A";
paulson@7399
    14
by (etac ssubst 1);
paulson@7399
    15
by (assume_tac 1);
paulson@7399
    16
qed "subst_elem";
paulson@7399
    17
paulson@7399
    18
paulson@7399
    19
paulson@7399
    20
paulson@6840
    21
(*Generalized version allowing different clients*)
paulson@6840
    22
Goal "[| Alloc : alloc_spec;  \
paulson@6840
    23
\        Client : (lessThan Nclients) funcset client_spec;  \
paulson@6840
    24
\        Network : network_spec |] \
paulson@6840
    25
\     ==> (extend sysOfAlloc Alloc) \
paulson@6840
    26
\         Join (extend sysOfClient (PLam (lessThan Nclients) Client)) \
paulson@6840
    27
\         Join Network : system_spec";
paulson@6840
    28
paulson@6840
    29
Goal "System : system_spec";
paulson@6840
    30
paulson@6840
    31
paulson@6828
    32
Goalw [sysOfAlloc_def] "inj sysOfAlloc";
paulson@6828
    33
by (rtac injI 1);
paulson@7347
    34
by (auto_tac (claset() addSWrapper record_split_wrapper, simpset()));
paulson@6828
    35
qed "inj_sysOfAlloc";
paulson@6828
    36
paulson@6828
    37
Goalw [sysOfAlloc_def] "surj sysOfAlloc";
paulson@6828
    38
by (res_inst_tac [("f", "%s. ((| allocGiv = allocGiv s,    \
paulson@6828
    39
\                                allocAsk = allocAsk s,    \
paulson@6828
    40
\                                allocRel = allocRel s |), \
paulson@6828
    41
\                             client s)")] surjI 1);
paulson@7347
    42
by (auto_tac (claset() addSWrapper record_split_wrapper, simpset()));
paulson@6828
    43
qed "surj_sysOfAlloc";
paulson@6828
    44
paulson@6828
    45
AddIffs [inj_sysOfAlloc, surj_sysOfAlloc];
paulson@6828
    46
paulson@7399
    47
val bij_sysOfAlloc = [inj_sysOfAlloc, surj_sysOfAlloc] MRS bijI;
paulson@7399
    48
paulson@7399
    49
(*MUST BE AUTOMATED: even the statement of such results*)
paulson@7399
    50
Goal "!!s. inv sysOfAlloc s = \
paulson@7399
    51
\            ((| allocGiv = allocGiv s,   \
paulson@7399
    52
\                allocAsk = allocAsk s,   \
paulson@7399
    53
\                allocRel = allocRel s|), \
paulson@7399
    54
\             client s)";
paulson@7399
    55
by (rtac (inj_sysOfAlloc RS inv_f_eq) 1);
paulson@7399
    56
by (auto_tac (claset() addSWrapper record_split_wrapper, 
paulson@7399
    57
	      simpset() addsimps [sysOfAlloc_def]));
paulson@7399
    58
qed "inv_sysOfAlloc_eq";
paulson@7399
    59
paulson@7399
    60
paulson@7365
    61
(**SHOULD NOT BE NECESSARY: The various injections into the system
paulson@7365
    62
   state need to be treated symmetrically or done automatically*)
paulson@7347
    63
Goalw [sysOfClient_def] "inj sysOfClient";
paulson@7347
    64
by (rtac injI 1);
paulson@7347
    65
by (auto_tac (claset() addSDs [inj_sysOfAlloc RS injD]
paulson@7347
    66
		       addSWrapper record_split_wrapper, simpset()));
paulson@7347
    67
qed "inj_sysOfClient";
paulson@7347
    68
paulson@7347
    69
Goalw [sysOfClient_def] "surj sysOfClient";
paulson@7347
    70
by (cut_facts_tac [surj_sysOfAlloc] 1);
paulson@7347
    71
by (rewtac surj_def);
paulson@7347
    72
by Auto_tac;
paulson@7347
    73
by (Blast_tac 1);
paulson@7347
    74
qed "surj_sysOfClient";
paulson@7347
    75
paulson@7347
    76
AddIffs [inj_sysOfClient, surj_sysOfClient];
paulson@7347
    77
paulson@7399
    78
val bij_sysOfClient = [inj_sysOfClient, surj_sysOfClient] MRS bijI;
paulson@6828
    79
paulson@7347
    80
(*MUST BE AUTOMATED: even the statement of such results*)
paulson@7347
    81
Goal "!!s. inv sysOfClient s = \
paulson@7347
    82
\            (client s, \
paulson@7347
    83
\             (| allocGiv = allocGiv s, \
paulson@7347
    84
\                allocAsk = allocAsk s, \
paulson@7347
    85
\                allocRel = allocRel s|) )";
paulson@7347
    86
by (rtac (inj_sysOfClient RS inv_f_eq) 1);
paulson@7399
    87
by (auto_tac (claset() addSWrapper record_split_wrapper, 
paulson@7399
    88
	      simpset() addsimps [sysOfAlloc_def, sysOfClient_def]));
paulson@7365
    89
qed "inv_sysOfClient_eq";
paulson@6837
    90
paulson@6837
    91
paulson@7365
    92
Open_locale "System";
paulson@7365
    93
paulson@7365
    94
val Alloc = thm "Alloc";
paulson@7365
    95
val Client = thm "Client";
paulson@7365
    96
val Network = thm "Network";
paulson@7365
    97
val System_def = thm "System_def";
paulson@7365
    98
paulson@7365
    99
AddIffs [finite_lessThan];
paulson@7365
   100
paulson@7365
   101
(*Client : <unfolded specification> *)
paulson@7365
   102
val Client_Spec =
paulson@7365
   103
    rewrite_rule [client_spec_def, client_increasing_def,
paulson@7365
   104
		  client_bounded_def, client_progress_def] Client;
paulson@7365
   105
paulson@7365
   106
Goal "Client : UNIV guarantees Increasing ask";
paulson@7365
   107
by (cut_facts_tac [Client_Spec] 1);
paulson@7365
   108
by (asm_full_simp_tac (simpset() addsimps [guarantees_Int_right]) 1);
paulson@7365
   109
qed "Client_Increasing_ask";
paulson@7365
   110
paulson@7365
   111
Goal "Client : UNIV guarantees Increasing rel";
paulson@7365
   112
by (cut_facts_tac [Client_Spec] 1);
paulson@7365
   113
by (asm_full_simp_tac (simpset() addsimps [guarantees_Int_right]) 1);
paulson@7365
   114
qed "Client_Increasing_rel";
paulson@7365
   115
paulson@7365
   116
AddIffs [Client_Increasing_ask, Client_Increasing_rel];
paulson@7365
   117
paulson@7365
   118
Goal "Client : UNIV guarantees Always {s. ALL elt : set (ask s). elt <= NbT}";
paulson@7365
   119
by (cut_facts_tac [Client_Spec] 1);
paulson@7365
   120
by Auto_tac;
paulson@7365
   121
qed "Client_Bounded";
paulson@7365
   122
paulson@7365
   123
(*Client_Progress is cumbersome to state*)
paulson@7365
   124
val Client_Progress = Client_Spec RS IntD2;
paulson@6828
   125
paulson@6828
   126
paulson@7365
   127
(*Network : <unfolded specification> *)
paulson@7365
   128
val Network_Spec =
paulson@7365
   129
    rewrite_rule [network_spec_def, network_ask_def,
paulson@7365
   130
		  network_giv_def, network_rel_def] Network;
paulson@7365
   131
paulson@7365
   132
(*CANNOT use bind_thm: it puts the theorem into standard form, in effect
paulson@7365
   133
  exporting it from the locale*)
paulson@7365
   134
val Network_Ask = Network_Spec RS IntD1 RS IntD1;
paulson@7365
   135
val Network_Giv = Network_Spec RS IntD1 RS IntD2;
paulson@7365
   136
val Network_Rel = Network_Spec RS IntD2 RS INT_D;
paulson@7365
   137
paulson@7365
   138
paulson@7365
   139
(*Alloc : <unfolded specification> *)
paulson@7365
   140
val Alloc_Spec =
paulson@7365
   141
    rewrite_rule [alloc_spec_def, alloc_increasing_def,
paulson@7365
   142
		  alloc_safety_def, alloc_progress_def] Alloc;
paulson@7365
   143
paulson@7365
   144
Goal "i < Nclients ==> Alloc : UNIV guarantees Increasing (sub i o allocAsk)";
paulson@7365
   145
by (cut_facts_tac [Alloc_Spec] 1);
paulson@7365
   146
by (asm_full_simp_tac (simpset() addsimps [guarantees_INT_right]) 1);
paulson@7365
   147
qed "Alloc_Increasing";
paulson@7365
   148
paulson@7365
   149
val Alloc_Safety = Alloc_Spec RS IntD1 RS IntD2;
paulson@7365
   150
val Alloc_Progress = (Alloc_Spec RS IntD2
paulson@7365
   151
                      |> simplify (simpset() addsimps [guarantees_INT_right]))
paulson@7365
   152
                     RS bspec RS spec;
paulson@7365
   153
		     
paulson@7365
   154
paulson@7347
   155
paulson@7365
   156
(*Not sure what to say about the other components because they involve
paulson@7365
   157
  extend*)
paulson@7399
   158
Goalw [System_def] "Network <= System";
paulson@7365
   159
by (blast_tac (claset() addIs [componentI]) 1);
paulson@7365
   160
qed "Network_component_System";
paulson@7365
   161
paulson@7399
   162
Goalw [System_def] "(extend sysOfAlloc Alloc) <= System";
paulson@7399
   163
by (blast_tac (claset() addIs [componentI]) 1);
paulson@7399
   164
qed "Alloc_component_System";
paulson@7365
   165
paulson@7399
   166
AddIffs [Network_component_System, Alloc_component_System];
paulson@7399
   167
paulson@7365
   168
paulson@7365
   169
(* F : UNIV guarantees Increasing func
paulson@7365
   170
   ==> extend sysOfClient F : UNIV guarantees Increasing (func o client) *)
paulson@7399
   171
val extend_Client_guar_Increasing =
paulson@7399
   172
  bij_sysOfClient RS export extend_guar_Increasing
paulson@7365
   173
  |> simplify (simpset() addsimps [inv_sysOfClient_eq]);
paulson@7365
   174
paulson@7365
   175
paulson@7365
   176
(** Proof of property (1) **)
paulson@7365
   177
paulson@7365
   178
(*step 1*)
paulson@7365
   179
Goalw [System_def]
paulson@7365
   180
     "i < Nclients ==> System : Increasing (rel o sub i o client)";
paulson@7365
   181
by (rtac ([guaranteesI RS disjI2 RS guarantees_Join_I, UNIV_I] 
paulson@7365
   182
	  MRS guaranteesD) 1);
paulson@7365
   183
by (asm_simp_tac 
paulson@7365
   184
    (simpset() addsimps [guarantees_PLam_I, 
paulson@7399
   185
			 extend_Client_guar_Increasing RS guaranteesD,
paulson@7365
   186
			 lift_prog_guar_Increasing]) 1);
paulson@7347
   187
qed "System_Increasing_rel";
paulson@6828
   188
paulson@7365
   189
(*Note: the first step above performs simple quantifier reasoning.  It could
paulson@7365
   190
  be replaced by a proof mentioning no guarantees primitives*)
paulson@6828
   191
paulson@6828
   192
paulson@7365
   193
(*step 2*)
paulson@7365
   194
Goal "i < Nclients ==> System : Increasing (sub i o allocRel)";
paulson@7365
   195
by (rtac Follows_Increasing1 1);
paulson@7365
   196
by (blast_tac (claset() addIs [Network_Rel RS component_guaranteesD,
paulson@7365
   197
			       System_Increasing_rel, Network]) 1);
paulson@7365
   198
qed "System_Increasing_allocRel";
paulson@6828
   199
paulson@7399
   200
paulson@7399
   201
(*NEED TO PROVE something like this (maybe without premise)*)
paulson@7399
   202
Goal "i < Nclients ==> System : (sub i o allocRel) localTo Network";
paulson@7347
   203
paulson@7399
   204
fun alloc_export th = bij_sysOfAlloc RS export th;
paulson@7399
   205
paulson@7399
   206
val extend_Alloc_guar_Increasing =
paulson@7399
   207
  alloc_export extend_guar_Increasing
paulson@7365
   208
  |> simplify (simpset() addsimps [inv_sysOfAlloc_eq]);
paulson@6828
   209
paulson@7399
   210
Goal "System : Always {s. sum (%i. (tokens o sub i o allocGiv) s) Nclients \
paulson@7399
   211
\                  <= NbT + sum (%i. (tokens o sub i o allocRel) s) Nclients}";
paulson@7399
   212
by (res_inst_tac 
paulson@7399
   213
    [("X", "(INT i : lessThan Nclients. (sub i o allocRel) localTo Network \
paulson@7399
   214
\                                       Int Increasing (sub i o allocRel))")] 
paulson@7399
   215
    component_guaranteesD 1);;
paulson@7399
   216
br Alloc_component_System 3;
paulson@7399
   217
br project_guarantees 1;
paulson@7399
   218
br Alloc_Safety 1;
paulson@7399
   219
by (dtac (alloc_export (project_extend_Join RSN (2, subst_elem RS project_Always_D))) 2 
paulson@7399
   220
     THEN
paulson@7399
   221
     full_simp_tac
paulson@7399
   222
     (simpset() addsimps [inv_sysOfAlloc_eq,
paulson@7399
   223
			  alloc_export Collect_eq_extend_set RS sym]) 2);
paulson@7399
   224
auto();
paulson@7399
   225
by (force_tac (claset(), simpset() addsimps [System_Increasing_allocRel]) 3);
paulson@7399
   226
paulson@7399
   227
bd bspec 1;
paulson@7399
   228
by (Blast_tac 1);
paulson@7399
   229
paulson@7399
   230
paulson@7399
   231
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
paulson@7399
   232
paulson@7399
   233
       [| i < Nclients;
paulson@7399
   234
          extend sysOfAlloc Alloc Join G
paulson@7399
   235
          : (sub i o allocRel) localTo Network &
paulson@7399
   236
          extend sysOfAlloc Alloc Join G : Increasing (sub i o allocRel) |]
paulson@7399
   237
       ==> Alloc Join project sysOfAlloc G : Increasing (sub i o allocRel)
paulson@7399
   238
paulson@7399
   239
paulson@7399
   240
       [| i < Nclients;
paulson@7399
   241
          H : (sub i o allocRel) localTo Network &
paulson@7399
   242
          H : Increasing (sub i o allocRel) |]
paulson@7399
   243
       ==> project sysOfAlloc H : Increasing (sub i o allocRel)
paulson@7399
   244
paulson@7399
   245
Open_locale"Extend";
paulson@7399
   246
paulson@7399
   247
Goal "(H : (func o f) localTo G) ==> (project h H : func localTo (project h G))";
paulson@7399
   248
by (asm_full_simp_tac 
paulson@7399
   249
    (simpset() addsimps [localTo_def, 
paulson@7399
   250
			 project_extend_Join RS sym,
paulson@7399
   251
			 Diff_project_stable,
paulson@7399
   252
			 Collect_eq_extend_set RS sym]) 1);
paulson@7399
   253
auto();
paulson@7399
   254
br Diff_project_stable 1;
paulson@7399
   255
PROBABLY FALSE;
paulson@7399
   256
paulson@7399
   257
by (Clarify_tac 1);
paulson@7399
   258
by (dres_inst_tac [("x","z")] spec 1);
paulson@7399
   259
paulson@7399
   260
br (alloc_export project_Always_D) 2;
paulson@7399
   261
paulson@7399
   262
by (rtac (alloc_export extend_Always RS iffD2) 2);
paulson@7399
   263
paulson@7399
   264
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
paulson@7399
   265
paulson@7399
   266
br guaranteesI 1;
paulson@7399
   267
paulson@7399
   268
by (res_inst_tac 
paulson@7399
   269
    [("X", "(INT i : lessThan Nclients. Increasing (sub i o allocRel))")] 
paulson@7399
   270
    component_guaranteesD 1);;
paulson@7399
   271
paulson@7399
   272
paulson@7365
   273
by (rtac (Alloc_Safety RS component_guaranteesD) 1);
paulson@7399
   274
paulson@7399
   275
paulson@7399
   276
br (alloc_export guarantees_imp_extend_guarantees RS guarantees_weaken) 1;
paulson@7399
   277
br Alloc_Safety 1;