reorganization of HOL/UNITY, moving examples to subdirectories Simple and Comp
1 
(* Title: HOL/UNITY/AllocImpl 
2 
ID: $Id$ 
3 
Author: Lawrence C Paulson, Cambridge University Computer Laboratory 
4 
Copyright 1998 University of Cambridge 
5 
*) 
6 

7 
header{*Implementation of a multipleclient allocator from a singleclient allocator*} 
8 

9 
theory AllocImpl = AllocBase + Follows + PPROD: 
10 

11 

12 
(** State definitions. OUTPUT variables are locals **) 
13 

14 
(*Type variable 'b is the type of items being merged*) 
15 
record 'b merge = 
14114  16 
In :: "nat => 'b list" (*merge's INPUT histories: streams to merge*) 
17 
Out :: "'b list" (*merge's OUTPUT history: merged items*) 

18 
iOut :: "nat list" (*merge's OUTPUT history: origins of merged items*) 
19 

20 
record ('a,'b) merge_d = 
21 
"'b merge" + 
22 
dummy :: 'a (*dummy field for new variables*) 
23 

24 
constdefs 
25 
non_dummy :: "('a,'b) merge_d => 'b merge" 
26 
"non_dummy s == (In = In s, Out = Out s, iOut = iOut s)" 
27 

28 
record 'b distr = 
29 
In :: "'b list" (*items to distribute*) 
30 
iIn :: "nat list" (*destinations of items to distribute*) 
31 
Out :: "nat => 'b list" (*distributed items*) 
32 

33 
record ('a,'b) distr_d = 
34 
"'b distr" + 
35 
dummy :: 'a (*dummy field for new variables*) 
36 

37 
record allocState = 
38 
giv :: "nat list" (*OUTPUT history: source of tokens*) 
39 
ask :: "nat list" (*INPUT: tokens requested from allocator*) 
40 
rel :: "nat list" (*INPUT: tokens released to allocator*) 
41 

42 
record 'a allocState_d = 
43 
allocState + 
44 
dummy :: 'a (*dummy field for new variables*) 
45 

46 
record 'a systemState = 
47 
allocState + 
48 
mergeRel :: "nat merge" 
49 
mergeAsk :: "nat merge" 
50 
distr :: "nat distr" 
51 
dummy :: 'a (*dummy field for new variables*) 
52 

53 

54 
constdefs 
55 

56 
(** Merge specification (the number of inputs is Nclients) ***) 
57 

58 
(*spec (10)*) 
59 
merge_increasing :: "('a,'b) merge_d program set" 
60 
"merge_increasing == 
61 
UNIV guarantees (Increasing merge.Out) Int (Increasing merge.iOut)" 
62 

63 
(*spec (11)*) 
64 
merge_eqOut :: "('a,'b) merge_d program set" 
65 
"merge_eqOut == 
66 
UNIV guarantees 
67 
Always {s. length (merge.Out s) = length (merge.iOut s)}" 
68 

69 
(*spec (12)*) 
70 
merge_bounded :: "('a,'b) merge_d program set" 
71 
"merge_bounded == 
72 
UNIV guarantees 
73 
Always {s. \<forall>elt \<in> set (merge.iOut s). elt < Nclients}" 
74 

75 
(*spec (13)*) 
76 
merge_follows :: "('a,'b) merge_d program set" 
77 
"merge_follows == 
78 
(\<Inter>i \<in> lessThan Nclients. Increasing (sub i o merge.In)) 
79 
guarantees 
14114  80 
(\<Inter>i \<in> lessThan Nclients. 
81 
(%s. sublist (merge.Out s) 

82 
{k. k < size(merge.iOut s) & merge.iOut s! k = i}) 
83 
Fols (sub i o merge.In))" 
84 

85 
(*spec: preserves part*) 
86 
merge_preserves :: "('a,'b) merge_d program set" 
87 
"merge_preserves == preserves merge.In Int preserves merge_d.dummy" 
88 

89 
(*environmental constraints*) 
90 
merge_allowed_acts :: "('a,'b) merge_d program set" 
91 
"merge_allowed_acts == 
92 
{F. AllowedActs F = 
93 
insert Id (UNION (preserves (funPair merge.Out merge.iOut)) Acts)}" 
94 

95 
merge_spec :: "('a,'b) merge_d program set" 
96 
"merge_spec == merge_increasing Int merge_eqOut Int merge_bounded Int 
97 
merge_follows Int merge_allowed_acts Int merge_preserves" 
98 

99 
(** Distributor specification (the number of outputs is Nclients) ***) 
100 

101 
(*spec (14)*) 
102 
distr_follows :: "('a,'b) distr_d program set" 
103 
"distr_follows == 
104 
Increasing distr.In Int Increasing distr.iIn Int 
105 
Always {s. \<forall>elt \<in> set (distr.iIn s). elt < Nclients} 
106 
guarantees 
14114  107 
(\<Inter>i \<in> lessThan Nclients. 
108 
(sub i o distr.Out) Fols 
14114  109 
(%s. sublist (distr.In s) 
110 
{k. k < size(distr.iIn s) & distr.iIn s ! k = i}))" 
111 

112 
distr_allowed_acts :: "('a,'b) distr_d program set" 
113 
"distr_allowed_acts == 
114 
{D. AllowedActs D = insert Id (UNION (preserves distr.Out) Acts)}" 
115 

116 
distr_spec :: "('a,'b) distr_d program set" 
117 
"distr_spec == distr_follows Int distr_allowed_acts" 
118 

119 
(** Singleclient allocator specification (required) ***) 
120 

121 
(*spec (18)*) 
122 
alloc_increasing :: "'a allocState_d program set" 
123 
"alloc_increasing == UNIV guarantees Increasing giv" 
124 

125 
(*spec (19)*) 
126 
alloc_safety :: "'a allocState_d program set" 
127 
"alloc_safety == 
128 
Increasing rel 
14114  129 
guarantees Always {s. tokens (giv s) \<le> NbT + tokens (rel s)}" 
130 

131 
(*spec (20)*) 
132 
alloc_progress :: "'a allocState_d program set" 
133 
"alloc_progress == 
134 
Increasing ask Int Increasing rel Int 
14114  135 
Always {s. \<forall>elt \<in> set (ask s). elt \<le> NbT} 
136 
Int 
14114  137 
(\<Inter>h. {s. h \<le> giv s & h pfixGe (ask s)} 
138 
LeadsTo 
14114  139 
{s. tokens h \<le> tokens (rel s)}) 
140 
guarantees (\<Inter>h. {s. h \<le> ask s} LeadsTo {s. h pfixLe giv s})" 

141 

142 
(*spec: preserves part*) 
143 
alloc_preserves :: "'a allocState_d program set" 
144 
"alloc_preserves == preserves rel Int 
145 
preserves ask Int 
146 
preserves allocState_d.dummy" 
14114  147 

148 

149 
(*environmental constraints*) 
150 
alloc_allowed_acts :: "'a allocState_d program set" 
151 
"alloc_allowed_acts == 
152 
{F. AllowedActs F = insert Id (UNION (preserves giv) Acts)}" 
153 

154 
alloc_spec :: "'a allocState_d program set" 
155 
"alloc_spec == alloc_increasing Int alloc_safety Int alloc_progress Int 
156 
alloc_allowed_acts Int alloc_preserves" 
157 

158 
locale Merge = 
159 
fixes M :: "('a,'b::order) merge_d program" 
160 
assumes 
161 
Merge_spec: "M \<in> merge_spec" 
162 

163 
locale Distrib = 
164 
fixes D :: "('a,'b::order) distr_d program" 
165 
assumes 
166 
Distrib_spec: "D \<in> distr_spec" 
167 

168 

169 
(**** 
170 
# {** Network specification ***} 
11194
171 

172 
# {*spec (9.1)*} 
173 
# network_ask :: "'a systemState program set 
174 
# "network_ask == \<Inter>i \<in> lessThan Nclients. 
175 
# Increasing (ask o sub i o client) 
176 
# guarantees[ask] 
177 
# (ask Fols (ask o sub i o client))" 
178 

179 
# {*spec (9.2)*} 
180 
# network_giv :: "'a systemState program set 
181 
# "network_giv == \<Inter>i \<in> lessThan Nclients. 
183 
# guarantees[giv o sub i o client] 
184 
# ((giv o sub i o client) Fols giv)" 
185 

186 
# {*spec (9.3)*} 
187 
# network_rel :: "'a systemState program set 
188 
# "network_rel == \<Inter>i \<in> lessThan Nclients. 
189 
# Increasing (rel o sub i o client) 
190 
# guarantees[rel] 
191 
# (rel Fols (rel o sub i o client))" 
192 

193 
# {*spec: preserves part*} 
194 
# network_preserves :: "'a systemState program set 
195 
# "network_preserves == preserves giv Int 
196 
# (\<Inter>i \<in> lessThan Nclients. 
197 
# preserves (funPair rel ask o sub i o client))" 
198 

199 
# network_spec :: "'a systemState program set 
200 
# "network_spec == network_ask Int network_giv Int 
201 
# network_rel Int network_preserves" 
202 

203 

204 
# {** State mappings **} 
205 
# sysOfAlloc :: "((nat => merge) * 'a) allocState_d => 'a systemState" 
206 
# "sysOfAlloc == %s. let (cl,xtr) = allocState_d.dummy s 
207 
# in ( giv = giv s, 
208 
# ask = ask s, 
209 
# rel = rel s, 
210 
# client = cl, 
211 
# dummy = xtr)" 
212 

213 

214 
# sysOfClient :: "(nat => merge) * 'a allocState_d => 'a systemState" 
215 
# "sysOfClient == %(cl,al). ( giv = giv al, 
216 
# ask = ask al, 
217 
# rel = rel al, 
218 
# client = cl, 
219 
# systemState.dummy = allocState_d.dummy al)" 
220 
****) 
221 

222 

223 
declare subset_preserves_o [THEN subsetD, intro] 
224 
declare funPair_o_distrib [simp] 
225 
declare Always_INT_distrib [simp] 
226 
declare o_apply [simp del] 
227 

228 

229 
subsection{*Theorems for Merge*} 
230 

231 
lemma (in Merge) Merge_Allowed: 
232 
"Allowed M = (preserves merge.Out) Int (preserves merge.iOut)" 
233 
apply (cut_tac Merge_spec) 
14114  234 
apply (auto simp add: merge_spec_def merge_allowed_acts_def Allowed_def 
235 
safety_prop_Acts_iff) 

236 
done 
237 

238 
lemma (in Merge) M_ok_iff [iff]: 
14114  239 
"M ok G = (G \<in> preserves merge.Out & G \<in> preserves merge.iOut & 
14089
7b34f58b1b81
converted UNITY/Comp/{AllocImpl,Client} to Isar scripts
paulson
parents:
11194
diff
changeset

240 
M \<in> Allowed G)" 
by (auto simp add: Merge_Allowed ok_iff_Allowed) 
242 

243 

244 
lemma (in Merge) Merge_Always_Out_eq_iOut: 
14114  245 
"[ G \<in> preserves merge.Out; G \<in> preserves merge.iOut; M \<in> Allowed G ] 
14089
7b34f58b1b81
converted UNITY/Comp/{AllocImpl,Client} to Isar scripts
paulson
parents:
11194
diff
changeset

246 
==> M Join G \<in> Always {s. length (merge.Out s) = length (merge.iOut s)}" 
247 
apply (cut_tac Merge_spec) 
248 
apply (force dest: guaranteesD simp add: merge_spec_def merge_eqOut_def) 
249 
done 
250 

251 
lemma (in Merge) Merge_Bounded: 
253 
==> M Join G \<in> Always {s. \<forall>elt \<in> set (merge.iOut s). elt < Nclients}" 
254 
apply (cut_tac Merge_spec) 
255 
apply (force dest: guaranteesD simp add: merge_spec_def merge_bounded_def) 
256 
done 
257 

258 
lemma (in Merge) Merge_Bag_Follows_lemma: 
14089
263 
(bag_of o merge.Out) s}" 
14089
267 
apply (subst bag_of_sublist_UN_disjoint [symmetric]) 
268 
apply (simp) 
269 
apply blast 
270 
apply (simp add: set_conv_nth) 
271 
apply (subgoal_tac 
272 
"(\<Union>i \<in> lessThan Nclients. {k. k < length (iOut x) & iOut x ! k = i}) = 
273 
lessThan (length (iOut x))") 
274 
apply (simp (no_asm_simp) add: o_def) 
275 
apply blast 
276 
done 
277 

278 
lemma (in Merge) Merge_Bag_Follows: 
14089
283 
apply (rule Merge_Bag_Follows_lemma [THEN Always_Follows1, THEN guaranteesI], auto) 
284 
apply (rule Follows_setsum) 
285 
apply (cut_tac Merge_spec) 
286 
apply (auto simp add: merge_spec_def merge_follows_def o_def) 
288 
prefer 3 
289 
apply (best intro: mono_bag_of [THEN mono_Follows_apply, THEN subsetD], auto) 
290 
done 
291 

292 

293 
subsection{*Theorems for Distributor*} 
294 

295 
lemma (in Distrib) Distr_Increasing_Out: 
converted UNITY/Comp/{AllocImpl,Client} to Isar scripts
paulson
parents:
11194
diff
changeset

299 
(\<Inter>i \<in> lessThan Nclients. Increasing (sub i o distr.Out))" 
300 
apply (cut_tac Distrib_spec) 
301 
apply (simp add: distr_spec_def distr_follows_def) 
302 
apply clarify 
303 
apply (blast intro: guaranteesI Follows_Increasing1 dest: guaranteesD) 
304 
done 
305 

306 
lemma (in Distrib) Distr_Bag_Follows_lemma: 
14089
7b34f58b1b81
converted UNITY/Comp/{AllocImpl,Client} to Isar scripts
paulson
parents:
11194
diff
changeset

312 
bag_of (sublist (distr.In s) (lessThan (length (iIn s))))}" 
313 
apply (erule Always_Compl_Un_eq [THEN iffD1]) 
314 
apply (rule UNIV_AlwaysI, clarify) 
315 
apply (subst bag_of_sublist_UN_disjoint [symmetric]) 
316 
apply (simp (no_asm)) 
317 
apply blast 
318 
apply (simp add: set_conv_nth) 
319 
apply (subgoal_tac 
321 
lessThan (length (iIn x))") 
322 
apply (simp (no_asm_simp)) 
323 
apply blast 
324 
done 
325 

326 
lemma (in Distrib) D_ok_iff [iff]: 
327 
"D ok G = (G \<in> preserves distr.Out & D \<in> Allowed G)" 
328 
apply (cut_tac Distrib_spec) 
safety_prop_Acts_iff ok_iff_Allowed) 
331 
done 
332 

converted UNITY/Comp/{AllocImpl,Client} to Isar scripts
paulson
parents:
11194
diff
changeset

340 
(%s. bag_of (sublist (distr.In s) (lessThan (length(distr.iIn s))))))" 
341 
apply (rule guaranteesI, clarify) 
342 
apply (rule Distr_Bag_Follows_lemma [THEN Always_Follows2], auto) 
343 
apply (rule Follows_setsum) 
344 
apply (cut_tac Distrib_spec) 
345 
apply (auto simp add: distr_spec_def distr_follows_def o_def) 
346 
apply (drule guaranteesD) 
347 
prefer 3 
348 
apply (best intro: mono_bag_of [THEN mono_Follows_apply, THEN subsetD], auto) 
349 
done 
350 

351 

352 
subsection{*Theorems for Allocator*} 
353 

354 
lemma alloc_refinement_lemma: 
357 
apply (induct_tac "n") 
358 
apply (auto simp add: lessThan_Suc) 
359 
done 
360 

14089
382 
apply (auto simp add: ball_conj_distrib) 
383 
apply (rename_tac F hf) 
384 
apply (rule LeadsTo_weaken_R [OF Finite_stable_completion alloc_refinement_lemma], blast, blast) 
385 
apply (subgoal_tac "F \<in> Increasing (tokens o (sub i o allocRel))") 
386 
apply (simp add: Increasing_def o_assoc) 
387 
apply (blast intro: mono_tokens [THEN mono_Increasing_o, THEN subsetD]) 
388 
done 
389 

11194
390 
end 