tuned version by Stephan Merz (unbatchified etc.);
authorwenzelm
Thu Aug 03 19:29:03 2000 +0200 (2000-08-03)
changeset 9517f58863b1406a
parent 9516 72b5d28aae58
child 9518 0c8422ed066f
tuned version by Stephan Merz (unbatchified etc.);
src/HOL/TLA/Action.ML
src/HOL/TLA/Action.thy
src/HOL/TLA/Buffer/Buffer.ML
src/HOL/TLA/Inc/Inc.ML
src/HOL/TLA/Inc/Inc.thy
src/HOL/TLA/IntLemmas.ML
src/HOL/TLA/Intensional.ML
src/HOL/TLA/Intensional.thy
src/HOL/TLA/Memory/MIlive.ML
src/HOL/TLA/Memory/MIsafe.ML
src/HOL/TLA/Memory/MemClerk.ML
src/HOL/TLA/Memory/MemClerk.thy
src/HOL/TLA/Memory/Memory.ML
src/HOL/TLA/Memory/Memory.thy
src/HOL/TLA/Memory/MemoryImplementation.ML
src/HOL/TLA/Memory/MemoryImplementation.thy
src/HOL/TLA/Memory/MemoryParameters.ML
src/HOL/TLA/Memory/MemoryParameters.thy
src/HOL/TLA/Memory/ProcedureInterface.ML
src/HOL/TLA/Memory/ProcedureInterface.thy
src/HOL/TLA/Memory/RPC.ML
src/HOL/TLA/Memory/RPC.thy
src/HOL/TLA/Memory/RPCParameters.ML
src/HOL/TLA/Memory/RPCParameters.thy
src/HOL/TLA/TLA.ML
src/HOL/TLA/TLA.thy
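--- a/src/HOL/TLA/Action.ML
+++ b/src/HOL/TLA/Action.ML
@@ -9,11 +9,13 @@
 (* The following assertion specializes "intI" for any world type 
    which is a pair, not just for "state * state".
 *)
-qed_goal "actionI" Action.thy "(!!s t. (s,t) |= A) ==> |- A"
-  (fn [prem] => [REPEAT (resolve_tac [prem,intI,prod_induct] 1)]);
+val [prem] = goal thy "(!!s t. (s,t) |= A) ==> |- A";
+by (REPEAT (resolve_tac [prem,intI,prod_induct] 1));
+qed "actionI";
 
-qed_goal "actionD" Action.thy "|- A ==> (s,t) |= A"
-  (fn [prem] => [rtac (prem RS intD) 1]);
+Goal "|- A ==> (s,t) |= A";
+by (etac intD 1);
+qed "actionD";
 
 local
   fun prover s = prove_goal Action.thy s 
@@ -57,166 +59,154 @@
 
 (* ===================== Update simpset and classical prover ============================= *)
 
-(***
-(* Make the simplifier use action_use rather than int_use
-   when action simplifications are added.
-*)
-
-let
-  val ss = simpset_ref()
-  fun try_rewrite th = 
-      (action_rewrite th) handle _ => (action_use th) handle _ => th
-in
-  ss := !ss setmksimps ((mksimps mksimps_pairs) o try_rewrite)
-end;
-***)
-
 AddSIs [actionI];
 AddDs  [actionD];
 
 (* =========================== square / angle brackets =========================== *)
 
-qed_goalw "idle_squareI" Action.thy [square_def]
-   "!!s t. (s,t) |= unchanged v ==> (s,t) |= [A]_v"
-   (fn _ => [ Asm_full_simp_tac 1 ]);
+Goalw [square_def] "(s,t) |= unchanged v ==> (s,t) |= [A]_v";
+by (Asm_full_simp_tac 1);
+qed "idle_squareI";
+
+Goalw [square_def] "(s,t) |= A ==> (s,t) |= [A]_v";
+by (Asm_simp_tac 1);
+qed "busy_squareI";
 
-qed_goalw "busy_squareI" Action.thy [square_def]
-   "!!s t. (s,t) |= A ==> (s,t) |= [A]_v"
-   (fn _ => [ Asm_simp_tac 1 ]);
-
-qed_goal "squareE" Action.thy
-  "[| (s,t) |= [A]_v; A (s,t) ==> B (s,t); v t = v s ==> B (s,t) |] ==> B (s,t)"
-  (fn prems => [cut_facts_tac prems 1,
-                rewrite_goals_tac (square_def::action_rews),
-                etac disjE 1,
-                REPEAT (eresolve_tac prems 1)]);
+val prems = goal thy
+  "[| (s,t) |= [A]_v; A (s,t) ==> B (s,t); v t = v s ==> B (s,t) |] ==> B (s,t)";
+by (cut_facts_tac prems 1);
+by (rewrite_goals_tac (square_def::action_rews));
+by (etac disjE 1);
+by (REPEAT (eresolve_tac prems 1));
+qed "squareE";
 
-qed_goalw "squareCI" Action.thy (square_def::action_rews)
-  "[| v t ~= v s ==> A (s,t) |] ==> (s,t) |= [A]_v"
-  (fn prems => [rtac disjCI 1,
-                eresolve_tac prems 1]);
+val prems = goalw thy (square_def::action_rews)
+  "[| v t ~= v s ==> A (s,t) |] ==> (s,t) |= [A]_v";
+by (rtac disjCI 1);
+by (eresolve_tac prems 1);
+qed "squareCI";
 
-qed_goalw "angleI" Action.thy [angle_def]
-  "!!s t. [| A (s,t); v t ~= v s |] ==> (s,t) |= <A>_v"
-  (fn _ => [ Asm_simp_tac 1 ]);
+goalw thy [angle_def]
+  "!!s t. [| A (s,t); v t ~= v s |] ==> (s,t) |= <A>_v";
+by (Asm_simp_tac 1);
+qed "angleI";
 
-qed_goalw "angleE" Action.thy (angle_def::action_rews)
-  "[| (s,t) |= <A>_v; [| A (s,t); v t ~= v s |] ==> R |] ==> R"
-  (fn prems => [cut_facts_tac prems 1,
-                etac conjE 1,
-                REPEAT (ares_tac prems 1)]);
+val prems = goalw thy (angle_def::action_rews)
+  "[| (s,t) |= <A>_v; [| A (s,t); v t ~= v s |] ==> R |] ==> R";
+by (cut_facts_tac prems 1);
+by (etac conjE 1);
+by (REPEAT (ares_tac prems 1));
+qed "angleE";
 
 AddIs [angleI, squareCI];
 AddEs [angleE, squareE];
 
-qed_goal "square_simulation" Action.thy
+goal thy
    "!!f. [| |- unchanged f & ~B --> unchanged g;   \
 \           |- A & ~unchanged g --> B              \
-\        |] ==> |- [A]_f --> [B]_g"
-   (fn _ => [Clarsimp_tac 1,
-             etac squareE 1,
-             auto_tac (claset(), simpset() addsimps [square_def])
-            ]);
+\        |] ==> |- [A]_f --> [B]_g";
+by (Clarsimp_tac 1);
+by (etac squareE 1);
+by (auto_tac (claset(), simpset() addsimps [square_def]));
+qed "square_simulation";
 
-qed_goalw "not_square" Action.thy [square_def,angle_def]
-   "|- (~ [A]_v) = <~A>_v"
-   (fn _ => [ Auto_tac ]);
+goalw thy [square_def,angle_def]
+   "|- (~ [A]_v) = <~A>_v";
+by Auto_tac;
+qed "not_square";
 
-qed_goalw "not_angle" Action.thy [square_def,angle_def]
-   "|- (~ <A>_v) = [~A]_v"
-   (fn _ => [ Auto_tac ]);
+goalw thy [square_def,angle_def]
+   "|- (~ <A>_v) = [~A]_v";
+by Auto_tac;
+qed "not_angle";
 
 (* ============================== Facts about ENABLED ============================== *)
 
-qed_goal "enabledI" Action.thy
-  "|- A --> $Enabled A"
-  (fn _ => [ auto_tac (claset(), simpset() addsimps [enabled_def]) ]);
+goal thy "|- A --> $Enabled A";
+by (auto_tac (claset(), simpset() addsimps [enabled_def]));
+qed "enabledI";
 
-qed_goalw "enabledE" Action.thy [enabled_def]
-  "[| s |= Enabled A; !!u. A (s,u) ==> Q |] ==> Q"
-  (fn prems => [cut_facts_tac prems 1,
-                etac exE 1,
-                resolve_tac prems 1, atac 1
-               ]);
+val prems = goalw thy [enabled_def]
+  "[| s |= Enabled A; !!u. A (s,u) ==> Q |] ==> Q";
+by (cut_facts_tac prems 1);
+by (etac exE 1);
+by (resolve_tac prems 1);
+by (atac 1);
+qed "enabledE";
 
-qed_goal "notEnabledD" Action.thy
-  "|- ~$Enabled G --> ~ G"
-  (fn _ => [ auto_tac (claset(), simpset() addsimps [enabled_def]) ]);
+goal thy "|- ~$Enabled G --> ~ G";
+by (auto_tac (claset(), simpset() addsimps [enabled_def]));
+qed "notEnabledD";
 
 (* Monotonicity *)
-qed_goal "enabled_mono" Action.thy
-  "[| s |= Enabled F; |- F --> G |] ==> s |= Enabled G"
-  (fn [min,maj] => [rtac (min RS enabledE) 1,
-                    rtac (action_use enabledI) 1,
-                    etac (action_use maj) 1
-                   ]);
+val [min,maj] = goal thy
+  "[| s |= Enabled F; |- F --> G |] ==> s |= Enabled G";
+by (rtac (min RS enabledE) 1);
+by (rtac (action_use enabledI) 1);
+by (etac (action_use maj) 1);
+qed "enabled_mono";
 
 (* stronger variant *)
-qed_goal "enabled_mono2" Action.thy
-   "[| s |= Enabled F; !!t. F (s,t) ==> G (s,t) |] ==> s |= Enabled G"
-   (fn [min,maj] => [rtac (min RS enabledE) 1,
-		     rtac (action_use enabledI) 1,
-		     etac maj 1
-		    ]);
+val [min,maj] = goal thy
+  "[| s |= Enabled F; !!t. F (s,t) ==> G (s,t) |] ==> s |= Enabled G";
+by (rtac (min RS enabledE) 1);
+by (rtac (action_use enabledI) 1);
+by (etac maj 1);
+qed "enabled_mono2";
 
-qed_goal "enabled_disj1" Action.thy
-  "|- Enabled F --> Enabled (F | G)"
-  (fn _ => [ auto_tac (claset() addSEs [enabled_mono], simpset()) ]);
+goal thy "|- Enabled F --> Enabled (F | G)";
+by (auto_tac (claset() addSEs [enabled_mono], simpset()));
+qed "enabled_disj1";
 
-qed_goal "enabled_disj2" Action.thy
-  "|- Enabled G --> Enabled (F | G)"
-  (fn _ => [ auto_tac (claset() addSEs [enabled_mono], simpset()) ]);
+goal thy "|- Enabled G --> Enabled (F | G)";
+by (auto_tac (claset() addSEs [enabled_mono], simpset()));
+qed "enabled_disj2";
 
-qed_goal "enabled_conj1" Action.thy
-  "|- Enabled (F & G) --> Enabled F"
-  (fn _ => [ auto_tac (claset() addSEs [enabled_mono], simpset()) ]);
+goal thy "|- Enabled (F & G) --> Enabled F";
+by (auto_tac (claset() addSEs [enabled_mono], simpset()));
+qed "enabled_conj1";
 
-qed_goal "enabled_conj2" Action.thy
-  "|- Enabled (F & G) --> Enabled G"
-  (fn _ => [ auto_tac (claset() addSEs [enabled_mono], simpset()) ]);
+goal thy "|- Enabled (F & G) --> Enabled G";
+by (auto_tac (claset() addSEs [enabled_mono], simpset()));
+qed "enabled_conj2";
 
-qed_goal "enabled_conjE" Action.thy
-  "[| s |= Enabled (F & G); [| s |= Enabled F; s |= Enabled G |] ==> Q |] ==> Q"
-  (fn prems => [cut_facts_tac prems 1, resolve_tac prems 1,
-                etac (action_use enabled_conj1) 1, 
-		etac (action_use enabled_conj2) 1
-	       ]);
-
-qed_goal "enabled_disjD" Action.thy
-  "|- Enabled (F | G) --> Enabled F | Enabled G"
-  (fn _ => [ auto_tac (claset(), simpset() addsimps [enabled_def]) ]);
+val prems = goal thy
+  "[| s |= Enabled (F & G); [| s |= Enabled F; s |= Enabled G |] ==> Q |] ==> Q";
+by (cut_facts_tac prems 1);
+by (resolve_tac prems 1);
+by (etac (action_use enabled_conj1) 1);
+by (etac (action_use enabled_conj2) 1);
+qed "enabled_conjE";
 
-qed_goal "enabled_disj" Action.thy
-  "|- Enabled (F | G) = (Enabled F | Enabled G)"
-  (fn _ => [Clarsimp_tac 1,
-	    rtac iffI 1,
-            etac (action_use enabled_disjD) 1,
-            REPEAT (eresolve_tac (disjE::map action_use [enabled_disj1,enabled_disj2]) 1)
-           ]);
+goal thy "|- Enabled (F | G) --> Enabled F | Enabled G";
+by (auto_tac (claset(), simpset() addsimps [enabled_def]));
+qed "enabled_disjD";
 
-qed_goal "enabled_ex" Action.thy
-  "|- Enabled (? x. F x) = (? x. Enabled (F x))"
-  (fn _ => [ force_tac (claset(), simpset() addsimps [enabled_def]) 1 ]);
+goal thy "|- Enabled (F | G) = (Enabled F | Enabled G)";
+by (Clarsimp_tac 1);
+by (rtac iffI 1);
+by (etac (action_use enabled_disjD) 1);
+by (REPEAT (eresolve_tac (disjE::map action_use [enabled_disj1,enabled_disj2]) 1));
+qed "enabled_disj";
+
+goal thy "|- Enabled (EX x. F x) = (EX x. Enabled (F x))";
+by (force_tac (claset(), simpset() addsimps [enabled_def]) 1);
+qed "enabled_ex";
 
 
-(* A rule that combines enabledI and baseE, but generates fewer possible instantiations *)
-qed_goal "base_enabled" Action.thy
-  "[| basevars vs; ? c. ! u. vs u = c --> A(s,u) |] ==> s |= Enabled A"
-  (fn prems => [cut_facts_tac prems 1,
-		etac exE 1, etac baseE 1, 
-                rtac (action_use enabledI) 1,
-                etac allE 1, etac mp 1, atac 1
-               ]);
-                
-(*** old version immediately generates schematic variable
-qed_goal "base_enabled" Action.thy
-  "[| basevars vs; !!u. vs u = c s ==> A (s,u) |] ==> s |= Enabled A"
-  (fn prems => [cut_facts_tac prems 1,
-		etac baseE 1, rtac (action_use enabledI) 1,
-		REPEAT (ares_tac prems 1)]);
-***)
+(* A rule that combines enabledI and baseE, but generates fewer instantiations *)
+val prems = goal thy
+  "[| basevars vs; EX c. ! u. vs u = c --> A(s,u) |] ==> s |= Enabled A";
+by (cut_facts_tac prems 1);
+by (etac exE 1);
+by (etac baseE 1);
+by (rtac (action_use enabledI) 1);
+by (etac allE 1);
+by (etac mp 1);
+by (atac 1);
+qed "base_enabled";
 
-(* ================================ action_simp_tac ================================== *)
+(* ======================= action_simp_tac ============================== *)
 
 (* A dumb simplification-based tactic with just a little first-order logic:
    should plug in only "very safe" rules that can be applied blindly.
@@ -244,16 +234,6 @@
    - Solve for the unknowns using standard HOL reasoning.
    The following tactic combines these steps except the final one.
 *)
-(*** old version
-fun enabled_tac base_vars i =
-    EVERY [(* apply actionI (plus rewriting) if the goal is of the form $(Enabled A),
-	      do nothing if it is of the form s |= Enabled A *)
-	   TRY ((resolve_tac [actionI,intI] i) 
-                THEN (SELECT_GOAL (rewrite_goals_tac action_rews) i)),
-	   clarify_tac (claset() addSIs [base_vars RS base_enabled]) i,
-	   (SELECT_GOAL (rewrite_goals_tac action_rews) i)
-	  ];
-***)
 
 fun enabled_tac base_vars =
     clarsimp_tac (claset() addSIs [base_vars RS base_enabled], simpset());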
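Review bot: The `angleI` proof (hunk lines 1.86–1.89) still uses the lowercase `goalw thy` form with an explicit `!!s t.` binder, while the neighbouring `idle_squareI` and `busy_squareI` were converted to `Goalw` with the binder dropped; `Goalw [angle_def] "[| A (s,t); v t ~= v s |] ==> (s,t) |= <A>_v";` would make the three uniform, since the same hunk already relies on `Goal`/`Goalw` placing the premises into the assumptions (`actionD` discharges its premise with `etac intD 1`). Separately, `squareE`, `squareCI`, `angleE`, `enabledE`, `enabled_conjE` and `base_enabled` each rebind a top-level `val prems`; if a later edit drops one of those bindings, the following `cut_facts_tac prems` would quietly run against the stale list left by the previous proof, whereas the arity-checked pattern used for `enabled_mono` (`val [min,maj] = goal thy ...`) fails immediately on a mismatch. A short comment above the first such proof, e.g. `(* each val prems below shadows the previous one; keep the binding next to its goal *)`, would at least make the reliance on top-level shadowing explicit.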
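--- a/src/HOL/TLA/Action.thy
+++ b/src/HOL/TLA/Action.thy
@@ -50,9 +50,9 @@
 translations
   "ACT A"            =>   "(A::state*state => _)"
   "_before"          ==   "before"
-  "_after"           =>   "_prime"
+  "_after"           ==   "after"
+  "_prime"           =>   "_after"
   "_unchanged"       ==   "unch"
-  "_prime"           ==   "after"
   "_SqAct"           ==   "SqAct"
   "_AnAct"           ==   "AnAct"
   "_Enabled"         ==   "enabled"
@@ -63,7 +63,7 @@
 
 rules
   unl_before    "(ACT $v) (s,t) == v s"
-  unl_after     "(ACT v`) (s,t) == v t"
+  unl_after     "(ACT v$) (s,t) == v t"
 
   unchanged_def "(s,t) |= unchanged v == (v t = v s)"
   square_def    "ACT [A]_v == ACT (A | unchanged v)"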
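Review bot: The switch of the after-state notation from `v`` to `v$` is left undocumented in the hunk: `"_after" == "after"` makes `v$` the form that is both parsed and printed, `"_prime" => "_after"` keeps the backquote form as a parse-only alias, and `unl_after` is restated in the new form. A one-line comment above the translations, e.g. `(* v$ is the canonical after-state notation; the older v` form is accepted on input only *)`, would spare the next reader from reconstructing this from the direction of the translation arrows. Whether the postfix `$` of the after-state form and the prefix `$v` of the before-state form (see `unl_before`) parse without ambiguity depends on the syntax declarations above this hunk, which are outside it; the same notation change is applied to the proof scripts in the `Inc.ML` section below (`PsiInv$`), so any further `.thy` or `.ML` file in this commit that still uses backquotes presumably keeps working only through the parse-only alias.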
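--- a/src/HOL/TLA/Buffer/Buffer.ML
+++ b/src/HOL/TLA/Buffer/Buffer.ML
@@ -26,7 +26,8 @@
 (* Enabling condition for dequeue -- NOT NEEDED *)
 Goalw [temp_rewrite Deq_visible]
    "!!q. basevars (ic,q,oc) ==> |- Enabled (<Deq ic q oc>_(ic,q,oc)) = (q ~= #[])";
-by (force_tac (claset() addSEs [base_enabled,enabledE], simpset() addsimps [Deq_def]) 1);
+by (force_tac (claset() addSEs [base_enabled,enabledE], 
+               simpset() addsimps [Deq_def]) 1);
 qed "Deq_enabled";
 
 (* For the left-to-right implication, we don't need the base variable stuff *)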
     4.1 --- a/src/HOL/TLA/Inc/Inc.ML	Thu Aug 03 19:28:37 2000 +0200
     4.2 +++ b/src/HOL/TLA/Inc/Inc.ML	Thu Aug 03 19:29:03 2000 +0200
     4.3 @@ -14,37 +14,46 @@
     4.4  
     4.5  (*** Invariant proof for Psi: "manual" proof proves individual lemmas ***)
     4.6  
     4.7 -qed_goal "PsiInv_Init" Inc.thy "|- InitPsi --> PsiInv"
     4.8 - (fn _ => [ auto_tac (Inc_css addsimps2 InitPsi_def::PsiInv_defs) ]);
     4.9 +Goal "|- InitPsi --> PsiInv";
    4.10 +by (auto_tac (Inc_css addsimps2 InitPsi_def::PsiInv_defs));
    4.11 +qed "PsiInv_Init";
    4.12  
    4.13 -qed_goal "PsiInv_alpha1" Inc.thy "|- alpha1 & $PsiInv --> PsiInv`"
    4.14 -  (fn _ => [ auto_tac (Inc_css addsimps2 alpha1_def::PsiInv_defs) ]);
    4.15 +Goal "|- alpha1 & $PsiInv --> PsiInv$";
    4.16 +by (auto_tac (Inc_css addsimps2 alpha1_def::PsiInv_defs));
    4.17 +qed "PsiInv_alpha1";
    4.18  
    4.19 -qed_goal "PsiInv_alpha2" Inc.thy "|- alpha2 & $PsiInv --> PsiInv`"
    4.20 -  (fn _ => [ auto_tac (Inc_css addsimps2 alpha2_def::PsiInv_defs) ]);
    4.21 +Goal "|- alpha2 & $PsiInv --> PsiInv$";
    4.22 +by (auto_tac (Inc_css addsimps2 alpha2_def::PsiInv_defs));
    4.23 +qed "PsiInv_alpha2";
    4.24  
    4.25 -qed_goal "PsiInv_beta1" Inc.thy "|- beta1 & $PsiInv --> PsiInv`"
    4.26 -  (fn _ => [ auto_tac (Inc_css addsimps2 beta1_def::PsiInv_defs) ]);
    4.27 +Goal "|- beta1 & $PsiInv --> PsiInv$";
    4.28 +by (auto_tac (Inc_css addsimps2 beta1_def::PsiInv_defs));
    4.29 +qed "PsiInv_beta1";
    4.30  
    4.31 -qed_goal "PsiInv_beta2" Inc.thy "|- beta2 & $PsiInv --> PsiInv`"
    4.32 -  (fn _ => [ auto_tac (Inc_css addsimps2 beta2_def::PsiInv_defs) ]);
    4.33 +Goal "|- beta2 & $PsiInv --> PsiInv$";
    4.34 +by (auto_tac (Inc_css addsimps2 beta2_def::PsiInv_defs));
    4.35 +qed "PsiInv_beta2";
    4.36  
    4.37 -qed_goal "PsiInv_gamma1" Inc.thy "|- gamma1 & $PsiInv --> PsiInv`"
    4.38 -  (fn _ => [ auto_tac (Inc_css addsimps2 gamma1_def::PsiInv_defs) ]);
    4.39 +Goal "|- gamma1 & $PsiInv --> PsiInv$";
    4.40 +by (auto_tac (Inc_css addsimps2 gamma1_def::PsiInv_defs));
    4.41 +qed "PsiInv_gamma1";
    4.42  
    4.43 -qed_goal "PsiInv_gamma2" Inc.thy "|- gamma2 & $PsiInv --> PsiInv`"
    4.44 -  (fn _ => [ auto_tac (Inc_css addsimps2 gamma2_def::PsiInv_defs) ]);
    4.45 +Goal "|- gamma2 & $PsiInv --> PsiInv$";
    4.46 +by (auto_tac (Inc_css addsimps2 gamma2_def::PsiInv_defs));
    4.47 +qed "PsiInv_gamma2";
    4.48  
    4.49 -qed_goal "PsiInv_stutter" Inc.thy "|- unchanged (x,y,sem,pc1,pc2) & $PsiInv --> PsiInv`"
    4.50 -  (fn _ => [ auto_tac (Inc_css addsimps2 PsiInv_defs) ]);
    4.51 +Goal "|- unchanged (x,y,sem,pc1,pc2) & $PsiInv --> PsiInv$";
    4.52 +by (auto_tac (Inc_css addsimps2 PsiInv_defs));
    4.53 +qed "PsiInv_stutter";
    4.54  
    4.55 -qed_goal "PsiInv" Inc.thy "|- Psi --> []PsiInv" (K [
    4.56 -	    inv_tac (Inc_css addsimps2 [Psi_def]) 1,
    4.57 -	    force_tac (Inc_css addsimps2 [PsiInv_Init, Init_def]) 1,
    4.58 -	    auto_tac (Inc_css addIs2
    4.59 -		        [PsiInv_alpha1,PsiInv_alpha2,PsiInv_beta1,
    4.60 -			 PsiInv_beta2,PsiInv_gamma1,PsiInv_gamma2,PsiInv_stutter]
    4.61 -                        addsimps2 [square_def,N1_def, N2_def]) ]);
    4.62 +Goal "|- Psi --> []PsiInv";
    4.63 +by (inv_tac (Inc_css addsimps2 [Psi_def]) 1);
    4.64 + by (force_tac (Inc_css addsimps2 [PsiInv_Init, Init_def]) 1);
    4.65 +by (auto_tac (Inc_css
    4.66 +              addIs2 [PsiInv_alpha1,PsiInv_alpha2,PsiInv_beta1,
    4.67 +                      PsiInv_beta2,PsiInv_gamma1,PsiInv_gamma2,PsiInv_stutter]
    4.68 +              addsimps2 [square_def,N1_def, N2_def]));
    4.69 +qed "PsiInv";
    4.70  
    4.71  (* Automatic proof works too, but it make take a while on a slow machine.
    4.72     More realistic examples require user guidance anyway.
    4.73 @@ -56,13 +65,14 @@
    4.74  
    4.75  (**** Step simulation ****)
    4.76  
    4.77 -qed_goal "Init_sim" Inc.thy "|- Psi --> Init InitPhi"
    4.78 -  (fn _ => [ auto_tac (Inc_css addsimps2 [InitPhi_def,Psi_def,InitPsi_def,Init_def]) ]);
    4.79 +Goal "|- Psi --> Init InitPhi";
    4.80 +by (auto_tac (Inc_css addsimps2 [InitPhi_def,Psi_def,InitPsi_def,Init_def]));
    4.81 +qed "Init_sim";
    4.82  
    4.83 -qed_goal "Step_sim" Inc.thy "|- Psi --> [][M1 | M2]_(x,y)"
    4.84 -  (fn _ => [auto_tac (Inc_css addsimps2 [square_def,M1_def,M2_def] @ Psi_defs
    4.85 -                              addSEs2 [STL4E])
    4.86 -           ]);
    4.87 +Goal "|- Psi --> [][M1 | M2]_(x,y)";
    4.88 +by (auto_tac (Inc_css addsimps2 [square_def,M1_def,M2_def] @ Psi_defs
    4.89 +                      addSEs2 [STL4E]));
    4.90 +qed "Step_sim";
    4.91  
    4.92  (**** Proof of fairness ****)
    4.93  
    4.94 @@ -82,166 +92,152 @@
    4.95     the auxiliary lemmas are very similar.
    4.96  *)
    4.97  
    4.98 -qed_goal "Stuck_at_b" Inc.thy
    4.99 -  "|- [][(N1 | N2) & ~ beta1]_(x,y,sem,pc1,pc2) --> stable(pc1 = #b)"
   4.100 -  (fn _ => [ auto_tac (Inc_css addSEs2 [Stable,squareE] addsimps2 Psi_defs) ]);
   4.101 +Goal "|- [][(N1 | N2) & ~ beta1]_(x,y,sem,pc1,pc2) --> stable(pc1 = #b)";
   4.102 +by (auto_tac (Inc_css addSEs2 [Stable,squareE] addsimps2 Psi_defs));
   4.103 +qed "Stuck_at_b";
   4.104  
   4.105 -qed_goal "N1_enabled_at_g" Inc.thy
   4.106 -  "|- pc1 = #g --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
   4.107 -  (fn _ => [Clarsimp_tac 1,
   4.108 -	    res_inst_tac [("F","gamma1")] enabled_mono 1,
   4.109 -	    enabled_tac Inc_base 1,
   4.110 -            force_tac (Inc_css addsimps2 [gamma1_def]) 1,
   4.111 -	    force_tac (Inc_css addsimps2 [angle_def,gamma1_def,N1_def]) 1
   4.112 -	   ]);
   4.113 +Goal "|- pc1 = #g --> Enabled (<N1>_(x,y,sem,pc1,pc2))";
   4.114 +by (Clarsimp_tac 1);
   4.115 +by (res_inst_tac [("F","gamma1")] enabled_mono 1);
   4.116 +by (enabled_tac Inc_base 1);
   4.117 + by (force_tac (Inc_css addsimps2 [gamma1_def]) 1);
   4.118 +by (force_tac (Inc_css addsimps2 [angle_def,gamma1_def,N1_def]) 1);
   4.119 +qed "N1_enabled_at_g";
   4.120  
   4.121 -qed_goal "g1_leadsto_a1" Inc.thy
   4.122 -  "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N1)_(x,y,sem,pc1,pc2) & []#True \
   4.123 -\     --> (pc1 = #g ~> pc1 = #a)"
   4.124 -  (fn _ => [rtac SF1 1,
   4.125 -	    action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1,
   4.126 -	    action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1,
   4.127 -	    (* reduce |- []A --> <>Enabled B  to  |- A --> Enabled B *)
   4.128 -	    auto_tac (Inc_css addSIs2 [InitDmd_gen, N1_enabled_at_g]
   4.129 -		              addSDs2 [STL2_gen]
   4.130 -		              addsimps2 [Init_def])
   4.131 -	   ]);
   4.132 +Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N1)_(x,y,sem,pc1,pc2) & []#True \
   4.133 +\        --> (pc1 = #g ~> pc1 = #a)";
   4.134 +by (rtac SF1 1);
   4.135 +by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1);
   4.136 +by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1);
   4.137 +(* reduce |- []A --> <>Enabled B  to  |- A --> Enabled B *)
   4.138 +by (auto_tac (Inc_css addSIs2 [InitDmd_gen, N1_enabled_at_g]
   4.139 +	              addSDs2 [STL2_gen]
   4.140 +                      addsimps2 [Init_def]));
   4.141 +qed "g1_leadsto_a1";
   4.142  
   4.143  (* symmetrical for N2, and similar for beta2 *)
   4.144 -qed_goal "N2_enabled_at_g" Inc.thy
   4.145 -  "|- pc2 = #g --> Enabled (<N2>_(x,y,sem,pc1,pc2))"
   4.146 -  (fn _ => [Clarsimp_tac 1,
   4.147 -	    res_inst_tac [("F","gamma2")] enabled_mono 1,
   4.148 -	    enabled_tac Inc_base 1,
   4.149 -            force_tac (Inc_css addsimps2 [gamma2_def]) 1,
   4.150 -	    force_tac (Inc_css addsimps2 [angle_def,gamma2_def,N2_def]) 1
   4.151 -	   ]);
   4.152 +Goal "|- pc2 = #g --> Enabled (<N2>_(x,y,sem,pc1,pc2))";
   4.153 +by (Clarsimp_tac 1);
   4.154 +by (res_inst_tac [("F","gamma2")] enabled_mono 1);
   4.155 +by (enabled_tac Inc_base 1);
   4.156 + by (force_tac (Inc_css addsimps2 [gamma2_def]) 1);
   4.157 +by (force_tac (Inc_css addsimps2 [angle_def,gamma2_def,N2_def]) 1);
   4.158 +qed "N2_enabled_at_g";
   4.159  
   4.160 -qed_goal "g2_leadsto_a2" Inc.thy
   4.161 -  "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \
   4.162 -\     --> (pc2 = #g ~> pc2 = #a)"
   4.163 -  (fn _ => [rtac SF1 1,
   4.164 -	    action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1,
   4.165 -	    action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1,
   4.166 -	    auto_tac (Inc_css addSIs2 [InitDmd_gen, N2_enabled_at_g]
   4.167 -		              addSDs2 [STL2_gen]
   4.168 -		              addsimps2 [Init_def])
   4.169 -	   ]);
   4.170 +Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \
   4.171 +\        --> (pc2 = #g ~> pc2 = #a)";
   4.172 +by (rtac SF1 1);
   4.173 +by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1);
   4.174 +by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1);
   4.175 +by (auto_tac (Inc_css addSIs2 [InitDmd_gen, N2_enabled_at_g]
   4.176 +	              addSDs2 [STL2_gen]
   4.177 +                      addsimps2 [Init_def]));
   4.178 +qed "g2_leadsto_a2";
   4.179  
   4.180 -qed_goal "N2_enabled_at_b" Inc.thy
   4.181 -  "|- pc2 = #b --> Enabled (<N2>_(x,y,sem,pc1,pc2))"
   4.182 -  (fn _ => [Clarsimp_tac 1,
   4.183 -	    res_inst_tac [("F","beta2")] enabled_mono 1,
   4.184 -	    enabled_tac Inc_base 1,
   4.185 -            force_tac (Inc_css addsimps2 [beta2_def]) 1,
   4.186 -	    force_tac (Inc_css addsimps2 [angle_def,beta2_def,N2_def]) 1
   4.187 -	   ]);
   4.188 +Goal "|- pc2 = #b --> Enabled (<N2>_(x,y,sem,pc1,pc2))";
   4.189 +by (Clarsimp_tac 1);
   4.190 +by (res_inst_tac [("F","beta2")] enabled_mono 1);
   4.191 +by (enabled_tac Inc_base 1);
   4.192 + by (force_tac (Inc_css addsimps2 [beta2_def]) 1);
   4.193 +by (force_tac (Inc_css addsimps2 [angle_def,beta2_def,N2_def]) 1);
   4.194 +qed "N2_enabled_at_b";
   4.195  
   4.196 -qed_goal "b2_leadsto_g2" Inc.thy
   4.197 -  "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \
   4.198 -\     --> (pc2 = #b ~> pc2 = #g)"
   4.199 -  (fn _ => [rtac SF1 1,
   4.200 -	    action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1,
   4.201 -	    action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1,
   4.202 -	    auto_tac (Inc_css addSIs2 [InitDmd_gen, N2_enabled_at_b]
   4.203 -		              addSDs2 [STL2_gen]
   4.204 -		              addsimps2 [Init_def])
   4.205 -	   ]);
   4.206 +Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \
   4.207 +\        --> (pc2 = #b ~> pc2 = #g)";
   4.208 +by (rtac SF1 1);
   4.209 +by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1);
   4.210 +by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1);
   4.211 +by (auto_tac (Inc_css addSIs2 [InitDmd_gen, N2_enabled_at_b]
   4.212 +                      addSDs2 [STL2_gen]
   4.213 +                      addsimps2 [Init_def]));
   4.214 +qed "b2_leadsto_g2";
   4.215  
   4.216  (* Combine above lemmas: the second component will eventually reach pc2 = a *)
   4.217 -qed_goal "N2_leadsto_a" Inc.thy
   4.218 -  "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \
   4.219 -\     --> (pc2 = #a | pc2 = #b | pc2 = #g ~> pc2 = #a)"
   4.220 -  (fn _ => [auto_tac (Inc_css addSIs2 [LatticeDisjunctionIntro]),
   4.221 -	    rtac (temp_use LatticeReflexivity) 1,
   4.222 -	    rtac (temp_use LatticeTransitivity) 1,
   4.223 -	    auto_tac (Inc_css addSIs2 [b2_leadsto_g2,g2_leadsto_a2])
   4.224 -	   ]);
   4.225 +Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \
   4.226 +\        --> (pc2 = #a | pc2 = #b | pc2 = #g ~> pc2 = #a)";
   4.227 +by (auto_tac (Inc_css addSIs2 [LatticeDisjunctionIntro]));
   4.228 +by (rtac (temp_use LatticeReflexivity) 1);
   4.229 +by (rtac (temp_use LatticeTransitivity) 1);
   4.230 +by (auto_tac (Inc_css addSIs2 [b2_leadsto_g2,g2_leadsto_a2]));
   4.231 +qed "N2_leadsto_a";
   4.232  
   4.233 -(* Get rid of complete disjunction on the left-hand side of ~> above. *)
   4.234 -qed_goal "N2_live" Inc.thy
   4.235 -  "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) \
   4.236 -\     --> <>(pc2 = #a)"
   4.237 -  (fn _ => [auto_tac (Inc_css addsimps2 Init_defs
   4.238 -                              addSIs2 [(temp_use N2_leadsto_a) 
   4.239 -                                       RSN(2, (temp_use leadsto_init))]),
   4.240 -	    case_tac "pc2 (st1 sigma)" 1,
   4.241 -	    Auto_tac
   4.242 -	   ]);
   4.243 +(* Get rid of disjunction on the left-hand side of ~> above. *)
   4.244 +Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) \
   4.245 +\        --> <>(pc2 = #a)";
   4.246 +by (auto_tac (Inc_css addsimps2 Init_defs
   4.247 +                      addSIs2 [(temp_use N2_leadsto_a) 
   4.248 +                               RSN(2, (temp_use leadsto_init))]));
   4.249 +by (case_tac "pc2 (st1 sigma)" 1);
   4.250 +by Auto_tac;
   4.251 +qed "N2_live";
   4.252  
   4.253  (* Now prove that the first component will eventually reach pc1 = b from pc1 = a *)
   4.254  
   4.255 -qed_goal "N1_enabled_at_both_a" Inc.thy
   4.256 -  "|- pc2 = #a & (PsiInv & pc1 = #a) --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
   4.257 -  (fn _ => [Clarsimp_tac 1,
   4.258 -	    res_inst_tac [("F","alpha1")] enabled_mono 1,
   4.259 -	    enabled_tac Inc_base 1,
   4.260 -            force_tac (Inc_css addsimps2 (alpha1_def::PsiInv_defs)) 1,
   4.261 -	    force_tac (Inc_css addsimps2 [angle_def,alpha1_def,N1_def]) 1
   4.262 -	   ]);
   4.263 +Goal "|- pc2 = #a & (PsiInv & pc1 = #a) --> Enabled (<N1>_(x,y,sem,pc1,pc2))";
   4.264 +by (Clarsimp_tac 1);
   4.265 +by (res_inst_tac [("F","alpha1")] enabled_mono 1);
   4.266 +by (enabled_tac Inc_base 1);
   4.267 + by (force_tac (Inc_css addsimps2 (alpha1_def::PsiInv_defs)) 1);
   4.268 +by (force_tac (Inc_css addsimps2 [angle_def,alpha1_def,N1_def]) 1);
   4.269 +qed "N1_enabled_at_both_a";
   4.270  
   4.271 -qed_goal "a1_leadsto_b1" Inc.thy
   4.272 -  "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))            \
   4.273 -\           & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)  \
   4.274 -\     --> (pc1 = #a ~> pc1 = #b)"
   4.275 -  (fn _ => [rtac SF1 1,
   4.276 -            action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1,
   4.277 -            action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1,
   4.278 -	    clarsimp_tac (Inc_css addSIs2 [N1_enabled_at_both_a RS (temp_use DmdImpl)]) 1,
   4.279 -	    auto_tac (Inc_css addSIs2 [BoxDmd2_simple, N2_live]
   4.280 -		              addsimps2 split_box_conj::more_temp_simps)
   4.281 -	   ]);
   4.282 +Goal "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))      \
   4.283 +\        & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)  \
   4.284 +\        --> (pc1 = #a ~> pc1 = #b)";
   4.285 +by (rtac SF1 1);
   4.286 +by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1);
   4.287 +by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1);
   4.288 +by (clarsimp_tac (Inc_css addSIs2 [N1_enabled_at_both_a RS (temp_use DmdImpl)]) 1);
   4.289 +by (auto_tac (Inc_css addSIs2 [BoxDmd2_simple, N2_live]
   4.290 +	              addsimps2 split_box_conj::more_temp_simps));
   4.291 +qed "a1_leadsto_b1";
   4.292  
   4.293  (* Combine the leadsto properties for N1: it will arrive at pc1 = b *)
   4.294  
   4.295 -qed_goal "N1_leadsto_b" Inc.thy
   4.296 -  "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))             \
   4.297 -\            & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)  \
   4.298 -\     --> (pc1 = #b | pc1 = #g | pc1 = #a ~> pc1 = #b)"
   4.299 -  (fn _ => [auto_tac (Inc_css addSIs2 [LatticeDisjunctionIntro]),
   4.300 -	    rtac (temp_use LatticeReflexivity) 1,
   4.301 -	    rtac (temp_use LatticeTransitivity) 1,
   4.302 -	    auto_tac (Inc_css addSIs2 [a1_leadsto_b1,g1_leadsto_a1]
   4.303 -		              addsimps2 [split_box_conj])
   4.304 -	   ]);
   4.305 +Goal "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))             \
   4.306 +\        & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)  \
   4.307 +\        --> (pc1 = #b | pc1 = #g | pc1 = #a ~> pc1 = #b)";
   4.308 +by (auto_tac (Inc_css addSIs2 [LatticeDisjunctionIntro]));
   4.309 +by (rtac (temp_use LatticeReflexivity) 1);
   4.310 +by (rtac (temp_use LatticeTransitivity) 1);
   4.311 +by (auto_tac (Inc_css addSIs2 [a1_leadsto_b1,g1_leadsto_a1]
   4.312 +	              addsimps2 [split_box_conj]));
   4.313 +qed "N1_leadsto_b";
   4.314  
   4.315 -qed_goal "N1_live" Inc.thy
   4.316 -  "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))             \
   4.317 -\            & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)  \
   4.318 -\     --> <>(pc1 = #b)"
   4.319 -  (fn _ => [auto_tac (Inc_css addsimps2 Init_defs
   4.320 -                              addSIs2 [(temp_use N1_leadsto_b) 
   4.321 -                                       RSN(2, temp_use leadsto_init)]),
   4.322 -	    case_tac "pc1 (st1 sigma)" 1,
   4.323 -	    Auto_tac
   4.324 -	   ]);
   4.325 +Goal "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))             \
   4.326 +\        & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)  \
   4.327 +\        --> <>(pc1 = #b)";
   4.328 +by (auto_tac (Inc_css addsimps2 Init_defs
   4.329 +                      addSIs2 [(temp_use N1_leadsto_b) 
   4.330 +                               RSN(2, temp_use leadsto_init)]));
   4.331 +by (case_tac "pc1 (st1 sigma)" 1);
   4.332 +by Auto_tac;
   4.333 +qed "N1_live";
   4.334  
   4.335 -qed_goal "N1_enabled_at_b" Inc.thy
   4.336 -  "|- pc1 = #b --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
   4.337 -  (fn _ => [Clarsimp_tac 1,
   4.338 -	    res_inst_tac [("F","beta1")] enabled_mono 1,
   4.339 -	    enabled_tac Inc_base 1,
   4.340 -            force_tac (Inc_css addsimps2 [beta1_def]) 1,
   4.341 -	    force_tac (Inc_css addsimps2 [angle_def,beta1_def,N1_def]) 1
   4.342 -	   ]);
   4.343 +Goal "|- pc1 = #b --> Enabled (<N1>_(x,y,sem,pc1,pc2))";
   4.344 +by (Clarsimp_tac 1);
   4.345 +by (res_inst_tac [("F","beta1")] enabled_mono 1);
   4.346 +by (enabled_tac Inc_base 1);
   4.347 + by (force_tac (Inc_css addsimps2 [beta1_def]) 1);
   4.348 +by (force_tac (Inc_css addsimps2 [angle_def,beta1_def,N1_def]) 1);
   4.349 +qed "N1_enabled_at_b";
   4.350  
   4.351  (* Now assemble the bits and pieces to prove that Psi is fair. *)
   4.352  
   4.353 -qed_goal "Fair_M1_lemma" Inc.thy
   4.354 -  "|- []($PsiInv & [(N1 | N2)]_(x,y,sem,pc1,pc2))   \
   4.355 -\     & SF(N1)_(x,y,sem,pc1,pc2) & []SF(N2)_(x,y,sem,pc1,pc2)  \
   4.356 -\     --> SF(M1)_(x,y)"
   4.357 -  (fn _ => [ res_inst_tac [("B","beta1"),("P","PRED pc1 = #b")] SF2 1,
   4.358 -               (* action premises *)
   4.359 -             force_tac (Inc_css addsimps2 [angle_def,M1_def,beta1_def]) 1,
   4.360 -             force_tac (Inc_css addsimps2 angle_def::Psi_defs) 1,
   4.361 -             force_tac (Inc_css addSEs2 [N1_enabled_at_b]) 1,
   4.362 -               (* temporal premise: use previous lemmas and simple TL *)
   4.363 -             force_tac (Inc_css addSIs2 [DmdStable, N1_live,Stuck_at_b] 
   4.364 -                                addEs2 [STL4E] addsimps2 [square_def]) 1
   4.365 -            ]);
   4.366 +Goal "|- []($PsiInv & [(N1 | N2)]_(x,y,sem,pc1,pc2))   \
   4.367 +\        & SF(N1)_(x,y,sem,pc1,pc2) & []SF(N2)_(x,y,sem,pc1,pc2)  \
   4.368 +\        --> SF(M1)_(x,y)";
   4.369 +by (res_inst_tac [("B","beta1"),("P","PRED pc1 = #b")] SF2 1);
   4.370 +   (* action premises *)
   4.371 +by (force_tac (Inc_css addsimps2 [angle_def,M1_def,beta1_def]) 1);
   4.372 +by (force_tac (Inc_css addsimps2 angle_def::Psi_defs) 1);
   4.373 +by (force_tac (Inc_css addSEs2 [N1_enabled_at_b]) 1);
   4.374 +   (* temporal premise: use previous lemmas and simple TL *)
   4.375 +by (force_tac (Inc_css addSIs2 [DmdStable, N1_live,Stuck_at_b] 
   4.376 +                       addEs2 [STL4E] addsimps2 [square_def]) 1);
   4.377 +qed "Fair_M1_lemma";
   4.378  
   4.379 -qed_goal "Fair_M1" Inc.thy "|- Psi --> WF(M1)_(x,y)"
   4.380 -  (fn _ => [auto_tac (Inc_css addSIs2 [SFImplWF, Fair_M1_lemma, PsiInv]
   4.381 -		              addsimps2 [Psi_def,split_box_conj]@more_temp_simps)
   4.382 -	   ]);
   4.383 +Goal "|- Psi --> WF(M1)_(x,y)";
   4.384 +by (auto_tac (Inc_css addSIs2 [SFImplWF, Fair_M1_lemma, PsiInv]
   4.385 +		      addsimps2 [Psi_def,split_box_conj]@more_temp_simps));
   4.386 +qed "Fair_M1";
     5.1 --- a/src/HOL/TLA/Inc/Inc.thy	Thu Aug 03 19:28:37 2000 +0200
     5.2 +++ b/src/HOL/TLA/Inc/Inc.thy	Thu Aug 03 19:29:03 2000 +0200
     5.3 @@ -1,5 +1,5 @@
     5.4  (* 
     5.5 -    File:        TLA/ex/inc/Inc.thy
     5.6 +    File:        TLA/Inc/Inc.thy
     5.7      Author:      Stephan Merz
     5.8      Copyright:   1997 University of Munich
     5.9  
    5.10 @@ -34,17 +34,17 @@
    5.11  
    5.12    (* definitions for high-level program *)
    5.13    InitPhi_def   "InitPhi == PRED x = # 0 & y = # 0"
    5.14 -  M1_def        "M1      == ACT  x` = Suc<$x> & y` = $y"
    5.15 -  M2_def        "M2      == ACT  y` = Suc<$y> & x` = $x"
    5.16 +  M1_def        "M1      == ACT  x$ = Suc<$x> & y$ = $y"
    5.17 +  M2_def        "M2      == ACT  y$ = Suc<$y> & x$ = $x"
    5.18    Phi_def       "Phi     == TEMP Init InitPhi & [][M1 | M2]_(x,y)
    5.19                                   & WF(M1)_(x,y) & WF(M2)_(x,y)"
    5.20  
    5.21    (* definitions for low-level program *)
    5.22    InitPsi_def   "InitPsi == PRED pc1 = #a & pc2 = #a
    5.23                                   & x = # 0 & y = # 0 & sem = # 1"
    5.24 -  alpha1_def    "alpha1  == ACT  $pc1 = #a & pc1$ = #b & $sem = Suc<sem`> 
    5.25 +  alpha1_def    "alpha1  == ACT  $pc1 = #a & pc1$ = #b & $sem = Suc<sem$> 
    5.26                                   & unchanged(x,y,pc2)"
    5.27 -  alpha2_def    "alpha2  == ACT  $pc2 = #a & pc2$ = #b & $sem = Suc<sem`>
    5.28 +  alpha2_def    "alpha2  == ACT  $pc2 = #a & pc2$ = #b & $sem = Suc<sem$>
    5.29                                   & unchanged(x,y,pc1)"
    5.30    beta1_def     "beta1   == ACT  $pc1 = #b & pc1$ = #g & x$ = Suc<$x>
    5.31                                   & unchanged(y,sem,pc2)"
     6.1 --- a/src/HOL/TLA/IntLemmas.ML	Thu Aug 03 19:28:37 2000 +0200
     6.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     6.3 @@ -1,361 +0,0 @@
     6.4 -(* 
     6.5 -    File:	 IntLemmas.ML
     6.6 -    Author:      Stephan Merz
     6.7 -    Copyright:   1998 University of Munich
     6.8 -
     6.9 -Lemmas and tactics for "intensional" logics. 
    6.10 -
    6.11 -Mostly a lifting of standard HOL lemmas. They are not required in standard
    6.12 -reasoning about intensional logics, which starts by unlifting proof goals
    6.13 -to the HOL level.
    6.14 -*)
    6.15 -
    6.16 -
    6.17 -qed_goal "substW" Intensional.thy
    6.18 -  "[| |- x = y; w |= P(x) |] ==> w |= P(y)"
    6.19 -  (fn [prem1,prem2] => [rtac (rewrite_rule ([prem1] RL [inteq_reflection]) prem2) 1]);
    6.20 -                        
    6.21 -
    6.22 -(* Lift HOL rules to intensional reasoning *)
    6.23 -
    6.24 -qed_goal "reflW" Intensional.thy "|- x = x"
    6.25 -  (fn _ => [Simp_tac 1]);
    6.26 -
    6.27 -qed_goal "symW" Intensional.thy "|- s = t  ==>  |- t = s"
    6.28 -  (fn prems => [ cut_facts_tac prems 1,
    6.29 -                 rtac intI 1, dtac intD 1,
    6.30 -                 rewrite_goals_tac intensional_rews,
    6.31 -                 etac sym 1 ]);
    6.32 -
    6.33 -qed_goal "not_symW" Intensional.thy "|- s ~= t  ==>  |- t ~= s"
    6.34 -  (fn prems => [ cut_facts_tac prems 1,
    6.35 -                 rtac intI 1, dtac intD 1,
    6.36 -                 rewrite_goals_tac intensional_rews,
    6.37 -                 etac not_sym 1 ]);
    6.38 -
    6.39 -qed_goal "transW" Intensional.thy 
    6.40 -  "[| |- r = s; |- s = t |] ==> |- r = t"
    6.41 -  (fn prems => [ cut_facts_tac prems 1,
    6.42 -                 rtac intI 1, REPEAT (dtac intD 1),
    6.43 -                 rewrite_goals_tac intensional_rews,
    6.44 -                 etac trans 1,
    6.45 -                 atac 1 ]);
    6.46 -
    6.47 -qed_goal "box_equalsW" Intensional.thy 
    6.48 -   "[| |- a = b; |- a = c; |- b = d |] ==> |- c = d"
    6.49 -   (fn prems => [ (rtac transW 1),
    6.50 -                  (rtac transW 1),
    6.51 -                  (rtac symW 1),
    6.52 -                  (REPEAT (resolve_tac prems 1)) ]);
    6.53 -
    6.54 -
    6.55 -(* NB: Antecedent is a standard HOL (non-intensional) formula. *)
    6.56 -qed_goal "fun_congW" Intensional.thy 
    6.57 -   "f = g ==> |- f<x> = g<x>"
    6.58 -   (fn prems => [ cut_facts_tac prems 1,
    6.59 -                  rtac intI 1,
    6.60 -                  rewrite_goals_tac intensional_rews,
    6.61 -                  etac fun_cong 1 ]);
    6.62 -
    6.63 -qed_goal "fun_cong2W" Intensional.thy 
    6.64 -   "f = g ==> |- f<x,y> = g<x,y>"
    6.65 -   (fn prems => [ cut_facts_tac prems 1,
    6.66 -                  rtac intI 1,
    6.67 -                  Asm_full_simp_tac 1 ]);
    6.68 -
    6.69 -qed_goal "fun_cong3W" Intensional.thy 
    6.70 -   "f = g ==> |- f<x,y,z> = g<x,y,z>"
    6.71 -   (fn prems => [ cut_facts_tac prems 1,
    6.72 -                  rtac intI 1,
    6.73 -                  Asm_full_simp_tac 1 ]);
    6.74 -
    6.75 -
    6.76 -qed_goal "arg_congW" Intensional.thy "|- x = y ==> |- f<x> = f<y>"
    6.77 -   (fn prems => [ cut_facts_tac prems 1,
    6.78 -                  rtac intI 1,
    6.79 -                  dtac intD 1,
    6.80 -                  rewrite_goals_tac intensional_rews,
    6.81 -                  etac arg_cong 1 ]);
    6.82 -
    6.83 -qed_goal "arg_cong2W" Intensional.thy 
    6.84 -   "[| |- u = v; |- x = y |] ==> |- f<u,x> = f<v,y>"
    6.85 -   (fn prems => [ cut_facts_tac prems 1,
    6.86 -                  rtac intI 1,
    6.87 -                  REPEAT (dtac intD 1),
    6.88 -                  rewrite_goals_tac intensional_rews,
    6.89 -                  REPEAT (etac subst 1),
    6.90 -                  rtac refl 1 ]);
    6.91 -
    6.92 -qed_goal "arg_cong3W" Intensional.thy 
    6.93 -   "[| |- r = s; |- u = v; |- x = y |] ==> |- f<r,u,x> = f<s,v,y>"
    6.94 -   (fn prems => [ cut_facts_tac prems 1,
    6.95 -                  rtac intI 1,
    6.96 -                  REPEAT (dtac intD 1),
    6.97 -                  rewrite_goals_tac intensional_rews,
    6.98 -                  REPEAT (etac subst 1),
    6.99 -                  rtac refl 1 ]);
   6.100 -
   6.101 -qed_goal "congW" Intensional.thy 
   6.102 -   "[| f = g; |- x = y |] ==> |- f<x> = g<y>"
   6.103 -   (fn prems => [ rtac box_equalsW 1,
   6.104 -                  rtac reflW 3,
   6.105 -                  rtac arg_congW 1,
   6.106 -                  resolve_tac prems 1,
   6.107 -                  rtac fun_congW 1,
   6.108 -                  rtac sym 1,
   6.109 -                  resolve_tac prems 1 ]);
   6.110 -
   6.111 -qed_goal "cong2W" Intensional.thy 
   6.112 -   "[| f = g; |- u = v; |- x = y |] ==> |- f<u,x> = g<v,y>"
   6.113 -   (fn prems => [ rtac box_equalsW 1,
   6.114 -                  rtac reflW 3,
   6.115 -                  rtac arg_cong2W 1,
   6.116 -                  REPEAT (resolve_tac prems 1),
   6.117 -                  rtac fun_cong2W 1,
   6.118 -                  rtac sym 1,
   6.119 -                  resolve_tac prems 1 ]);
   6.120 -
   6.121 -qed_goal "cong3W" Intensional.thy 
   6.122 -   "[| f = g; |- r = s; |- u = v; |- x = y |] ==> |- f<r,u,x> = g<s,v,y>"
   6.123 -   (fn prems => [ rtac box_equalsW 1,
   6.124 -                  rtac reflW 3,
   6.125 -                  rtac arg_cong3W 1,
   6.126 -                  REPEAT (resolve_tac prems 1),
   6.127 -                  rtac fun_cong3W 1,
   6.128 -                  rtac sym 1,
   6.129 -                  resolve_tac prems 1 ]);
   6.130 -
   6.131 -
   6.132 -(** Lifted equivalence **)
   6.133 -
   6.134 -(* Note the object-level implication in the hypothesis. Meta-level implication
   6.135 -   would be incorrect! *)
   6.136 -qed_goal "iffIW" Intensional.thy 
   6.137 -  "[| |- A --> B; |- B --> A |] ==> |- A = B"
   6.138 -  (fn prems => [ cut_facts_tac prems 1,
   6.139 -                 rewrite_goals_tac (Valid_def::intensional_rews),
   6.140 -                 Blast_tac 1 ]);
   6.141 -
   6.142 -qed_goal "iffD2W" Intensional.thy 
   6.143 -  "[| |- P = Q; w |= Q |] ==> w |= P"
   6.144 - (fn prems => [ cut_facts_tac prems 1,
   6.145 -	        rewrite_goals_tac (Valid_def::intensional_rews),
   6.146 -                Blast_tac 1 ]);
   6.147 -
   6.148 -val iffD1W = symW RS iffD2W;
   6.149 -
   6.150 -(** #True **)
   6.151 -
   6.152 -qed_goal "eqTrueIW" Intensional.thy "|- P ==> |- P = #True"
   6.153 -  (fn prems => [cut_facts_tac prems 1,
   6.154 -                rtac intI 1,
   6.155 -                dtac intD 1,
   6.156 -		Asm_full_simp_tac 1]);
   6.157 -
   6.158 -qed_goal "eqTrueEW" Intensional.thy "|- P = #True ==> |- P"
   6.159 -  (fn prems => [cut_facts_tac prems 1,
   6.160 -                rtac intI 1,
   6.161 -                dtac intD 1,
   6.162 -		Asm_full_simp_tac 1]);
   6.163 -
   6.164 -(** #False **)
   6.165 -
   6.166 -qed_goal "FalseEW" Intensional.thy "|- #False ==> |- P"
   6.167 -  (fn prems => [cut_facts_tac prems 1,
   6.168 -                rtac intI 1,
   6.169 -                dtac intD 1,
   6.170 -                rewrite_goals_tac intensional_rews,
   6.171 -                etac FalseE 1]);
   6.172 -
   6.173 -qed_goal "False_neq_TrueW" Intensional.thy 
   6.174 - "|- #False = #True ==> |- P"
   6.175 - (fn [prem] => [rtac (prem RS eqTrueEW RS FalseEW) 1]);
   6.176 -
   6.177 -
   6.178 -(** Negation **)
   6.179 -
   6.180 -(* Again use object-level implication *)
   6.181 -qed_goal "notIW" Intensional.thy "|- P --> #False ==> |- ~P"
   6.182 -  (fn prems => [cut_facts_tac prems 1,
   6.183 -		rewrite_goals_tac (Valid_def::intensional_rews),
   6.184 -		Blast_tac 1]);
   6.185 -
   6.186 -qed_goal "notEWV" Intensional.thy 
   6.187 -  "[| |- ~P; |- P |] ==> |- R"
   6.188 -  (fn prems => [cut_facts_tac prems 1,
   6.189 -		rtac intI 1,
   6.190 -                REPEAT (dtac intD 1),
   6.191 -                rewrite_goals_tac intensional_rews,
   6.192 -                etac notE 1, atac 1]);
   6.193 -
   6.194 -(* The following rule is stronger: It is enough to detect an 
   6.195 -   inconsistency at *some* world to conclude R. Note also that P and R
   6.196 -   are allowed to be (intensional) formulas of different types! *)
   6.197 -
   6.198 -qed_goal "notEW" Intensional.thy 
   6.199 -   "[| w |= ~P; w |= P |] ==> |- R"
   6.200 -  (fn prems => [cut_facts_tac prems 1,
   6.201 -                rtac intI 1,
   6.202 -                rewrite_goals_tac intensional_rews,
   6.203 -                etac notE 1, atac 1]);
   6.204 -
   6.205 -(** Implication **)
   6.206 -
   6.207 -qed_goal "impIW" Intensional.thy "(!!w. (w |= A) ==> (w |= B)) ==> |- A --> B"
   6.208 -  (fn [prem] => [ rtac intI 1,
   6.209 -                 rewrite_goals_tac intensional_rews,
   6.210 -                 rtac impI 1,
   6.211 -                 etac prem 1 ]);
   6.212 -
   6.213 -
   6.214 -qed_goal "mpW" Intensional.thy "[| |- A --> B; w |= A |] ==> w |= B"
   6.215 -   (fn prems => [ cut_facts_tac prems 1,
   6.216 -                  dtac intD 1,
   6.217 -                  rewrite_goals_tac intensional_rews,
   6.218 -                  etac mp 1,
   6.219 -                  atac 1 ]);
   6.220 -
   6.221 -qed_goal "impEW" Intensional.thy 
   6.222 -  "[| |- A --> B; w |= A; w |= B ==> w |= C |] ==> w |= C"
   6.223 -  (fn prems => [ (REPEAT (resolve_tac (prems@[mpW]) 1)) ]);
   6.224 -
   6.225 -qed_goal "rev_mpW" Intensional.thy "[| w |= P; |- P --> Q |] ==> w |= Q"
   6.226 -  (fn prems => [ (REPEAT (resolve_tac (prems@[mpW]) 1)) ]);
   6.227 -
   6.228 -qed_goalw "contraposW" Intensional.thy intensional_rews
   6.229 -  "[| w |= ~Q; |- P --> Q |] ==> w |= ~P"
   6.230 -  (fn [major,minor] => [rtac (major RS contrapos) 1,
   6.231 -                        etac rev_mpW 1,
   6.232 -                        rtac minor 1]);
   6.233 -
   6.234 -qed_goal "iffEW" Intensional.thy
   6.235 -    "[| |- P = Q; [| |- P --> Q; |- Q --> P |] ==> R |] ==> R"
   6.236 - (fn [p1,p2] => [REPEAT(ares_tac([p1 RS iffD2W, p1 RS iffD1W, p2, impIW])1)]);
   6.237 -
   6.238 -
   6.239 -(** Conjunction **)
   6.240 -
   6.241 -qed_goalw "conjIW" Intensional.thy intensional_rews "[| w |= P; w |= Q |] ==> w |= P & Q"
   6.242 -  (fn prems => [REPEAT (resolve_tac ([conjI]@prems) 1)]);
   6.243 -
   6.244 -qed_goal "conjunct1W" Intensional.thy "(w |= P & Q) ==> w |= P"
   6.245 -  (fn prems => [cut_facts_tac prems 1,
   6.246 -                rewrite_goals_tac intensional_rews,
   6.247 -                etac conjunct1 1]);
   6.248 -
   6.249 -qed_goal "conjunct2W" Intensional.thy "(w |= P & Q) ==> w |= Q"
   6.250 -  (fn prems => [cut_facts_tac prems 1,
   6.251 -                rewrite_goals_tac intensional_rews,
   6.252 -                etac conjunct2 1]);
   6.253 -
   6.254 -qed_goal "conjEW" Intensional.thy 
   6.255 -  "[| w |= P & Q; [| w |= P; w |= Q |] ==> w |= R |] ==> w |= R"
   6.256 -  (fn prems => [cut_facts_tac prems 1, resolve_tac prems 1,
   6.257 -	        etac conjunct1W 1, etac conjunct2W 1]);
   6.258 -
   6.259 -
   6.260 -(** Disjunction **)
   6.261 -
   6.262 -qed_goalw "disjI1W" Intensional.thy intensional_rews "w |= P ==> w |= P | Q"
   6.263 -  (fn [prem] => [REPEAT (resolve_tac [disjI1,prem] 1)]);
   6.264 -
   6.265 -qed_goalw "disjI2W" Intensional.thy intensional_rews "w |= Q ==> w |= P | Q"
   6.266 -  (fn [prem] => [REPEAT (resolve_tac [disjI2,prem] 1)]);
   6.267 -
   6.268 -qed_goal "disjEW" Intensional.thy 
   6.269 -         "[| w |= P | Q; |- P --> R; |- Q --> R |] ==> w |= R"
   6.270 -  (fn prems => [cut_facts_tac prems 1,
   6.271 -                REPEAT (dtac intD 1),
   6.272 -                rewrite_goals_tac intensional_rews,
   6.273 -		Blast_tac 1]);
   6.274 -
   6.275 -(** Classical propositional logic **)
   6.276 -
   6.277 -qed_goalw "classicalW" Intensional.thy (Valid_def::intensional_rews)
   6.278 -  "!!P. |- ~P --> P  ==>  |- P"
   6.279 -  (fn prems => [Blast_tac 1]);
   6.280 -
   6.281 -qed_goal "notnotDW" Intensional.thy "!!P. |- ~~P  ==>  |- P"
   6.282 -  (fn prems => [rtac intI 1,
   6.283 -                dtac intD 1,
   6.284 -                rewrite_goals_tac intensional_rews,
   6.285 -                etac notnotD 1]);
   6.286 -
   6.287 -qed_goal "disjCIW" Intensional.thy "!!P Q. (w |= ~Q --> P) ==> (w |= P|Q)"
   6.288 -  (fn prems => [rewrite_goals_tac intensional_rews,
   6.289 -                Blast_tac 1]);
   6.290 -
   6.291 -qed_goal "impCEW" Intensional.thy 
   6.292 -   "[| |- P --> Q; (w |= ~P) ==> (w |= R); (w |= Q) ==> (w |= R) |] ==> w |= R"
   6.293 -  (fn [a1,a2,a3] => 
   6.294 -    [rtac (excluded_middle RS disjE) 1,
   6.295 -     etac (rewrite_rule intensional_rews a2) 1,
   6.296 -     rtac a3 1,
   6.297 -     etac (a1 RS mpW) 1]);
   6.298 -
   6.299 -qed_goalw "iffCEW" Intensional.thy intensional_rews
   6.300 -   "[| |- P = Q;      \
   6.301 -\      [| (w |= P); (w |= Q) |] ==> (w |= R);   \
   6.302 -\      [| (w |= ~P); (w |= ~Q) |] ==> (w |= R)  \
   6.303 -\   |] ==> w |= R"
   6.304 -   (fn [a1,a2,a3] =>
   6.305 -      [rtac iffCE 1,
   6.306 -       etac a2 2, atac 2,
   6.307 -       etac a3 2, atac 2,
   6.308 -       rtac (int_unlift a1) 1]);
   6.309 -
   6.310 -qed_goal "case_split_thmW" Intensional.thy 
   6.311 -   "!!P. [| |- P --> Q; |- ~P --> Q |] ==> |- Q"
   6.312 -  (fn _ => [rewrite_goals_tac (Valid_def::intensional_rews),
   6.313 -	    Blast_tac 1]);
   6.314 -
   6.315 -fun case_tacW a = res_inst_tac [("P",a)] case_split_thmW;
   6.316 -
   6.317 -
   6.318 -(** Rigid quantifiers **)
   6.319 -
   6.320 -qed_goal "allIW" Intensional.thy "(!!x. |- P x) ==> |- ! x. P(x)"
   6.321 -  (fn [prem] => [rtac intI 1,
   6.322 -                 rewrite_goals_tac intensional_rews,
   6.323 -                 rtac allI 1,
   6.324 -                 rtac (prem RS intD) 1]);
   6.325 -
   6.326 -qed_goal "specW" Intensional.thy "|- ! x. P x ==> |- P x"
   6.327 -  (fn prems => [cut_facts_tac prems 1,
   6.328 -                rtac intI 1,
   6.329 -                dtac intD 1,
   6.330 -                rewrite_goals_tac intensional_rews,
   6.331 -                etac spec 1]);
   6.332 -
   6.333 -
   6.334 -qed_goal "allEW" Intensional.thy 
   6.335 -         "[| |- ! x. P x;  |- P x ==> |- R |] ==> |- R"
   6.336 - (fn major::prems=>
   6.337 -  [ (REPEAT (resolve_tac (prems @ [major RS specW]) 1)) ]);
   6.338 -
   6.339 -qed_goal "all_dupEW" Intensional.thy 
   6.340 -    "[| |- ! x. P x;  [| |- P x; |- ! x. P x |] ==> |- R |] ==> |- R"
   6.341 - (fn prems =>
   6.342 -  [ (REPEAT (resolve_tac (prems @ (prems RL [specW])) 1)) ]);
   6.343 -
   6.344 -
   6.345 -qed_goal "exIW" Intensional.thy "|- P x ==> |- ? x. P x"
   6.346 -  (fn [prem] => [rtac intI 1,
   6.347 -                 rewrite_goals_tac intensional_rews,
   6.348 -                 rtac exI 1,
   6.349 -                 rtac (prem RS intD) 1]);
   6.350 -
   6.351 -qed_goal "exEW" Intensional.thy 
   6.352 -  "[| w |= ? x. P x; !!x. |- P x --> Q |] ==> w |= Q"
   6.353 -  (fn [major,minor] => [rtac exE 1,
   6.354 -                        rtac (rewrite_rule intensional_rews major) 1,
   6.355 -                        etac rev_mpW 1,
   6.356 -                        rtac minor 1]);
   6.357 -
   6.358 -(** Classical quantifier reasoning **)
   6.359 -
   6.360 -qed_goal "exCIW" Intensional.thy 
   6.361 -  "!!P. w |= (! x. ~P x) --> P a ==> w |= ? x. P x"
   6.362 -  (fn prems => [rewrite_goals_tac intensional_rews,
   6.363 -                Blast_tac 1]);
   6.364 -
     7.1 --- a/src/HOL/TLA/Intensional.ML	Thu Aug 03 19:28:37 2000 +0200
     7.2 +++ b/src/HOL/TLA/Intensional.ML	Thu Aug 03 19:29:03 2000 +0200
     7.3 @@ -8,16 +8,19 @@
     7.4  
     7.5  val intensional_rews = [unl_con,unl_lift,unl_lift2,unl_lift3,unl_Rall,unl_Rex,unl_Rex1];
     7.6  
     7.7 -qed_goalw "inteq_reflection" Intensional.thy  [Valid_def,unl_lift2]
     7.8 -  "|- x=y  ==>  (x==y)"
     7.9 -  (fn [prem] => [rtac eq_reflection 1, rtac ext 1, rtac (prem RS spec) 1 ]);
    7.10 +Goalw [Valid_def,unl_lift2] "|- x=y  ==>  (x==y)";
    7.11 +by (rtac eq_reflection 1);
    7.12 +by (rtac ext 1);
    7.13 +by (etac spec 1);
    7.14 +qed "inteq_reflection";
    7.15  
    7.16 -qed_goalw "intI" Intensional.thy [Valid_def] "(!!w. w |= A) ==> |- A"
    7.17 -  (fn [prem] => [REPEAT (resolve_tac [allI,prem] 1)]);
    7.18 +val [prem] = goalw thy [Valid_def] "(!!w. w |= A) ==> |- A";
    7.19 +by (REPEAT (resolve_tac [allI,prem] 1));
    7.20 +qed "intI";
    7.21  
    7.22 -qed_goalw "intD" Intensional.thy [Valid_def] "|- A ==> w |= A"
    7.23 -  (fn [prem] => [rtac (prem RS spec) 1]);
    7.24 -
    7.25 +Goalw [Valid_def] "|- A ==> w |= A";
    7.26 +by (etac spec 1);
    7.27 +qed "intD";
    7.28  
    7.29  (** Lift usual HOL simplifications to "intensional" level. **)
    7.30  local
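Review bot: The three lemmas in this hunk carry no comment saying what they are for, and the new goal-style form makes that less visible than the old one-line `qed_goalw "intI" ...` headers did. I would put `(* a valid equation yields a meta-level equality, so it can be used for rewriting *)` above the `Goalw [Valid_def,unl_lift2]` line and `(* introduction and elimination of validity: |- A holds iff A holds at every world w *)` above `val [prem] = goalw thy [Valid_def] ...`, which the `allI`/`spec` steps on the new lines justify. The `local` block that follows begins on the hunk's last line and its body is outside the hunk.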
    7.31 @@ -45,11 +48,12 @@
    7.32     "|- (P | P) = P", "|- (P | ~P) = #True", "|- (~P | P) = #True",
    7.33     "|- (! x. P) = P", "|- (? x. P) = P", 
    7.34     "|- (~Q --> ~P) = (P --> Q)",
    7.35 -   "|- (P|Q --> R) = ((P-->R)&(Q-->R))" ];
    7.36 +   "|- (P|Q --> R) = ((P-->R)&(Q-->R))" ]
    7.37  end;
    7.38  
    7.39 -qed_goal "TrueW" Intensional.thy "|- #True"
    7.40 -  (fn _ => [simp_tac (simpset() addsimps [Valid_def,unl_con]) 1]);
    7.41 +Goal "|- #True";
    7.42 +by (simp_tac (simpset() addsimps [Valid_def,unl_con]) 1);
    7.43 +qed "TrueW";
    7.44  
    7.45  Addsimps (TrueW::intensional_rews);
    7.46  Addsimps int_simps;
    7.47 @@ -109,33 +113,13 @@
    7.48                ((flatten (int_unlift th)) handle _ => th)
    7.49      | _ => th;
    7.50  
    7.51 -(***
    7.52 -(* Make the simplifier accept "intensional" goals by either turning them into
    7.53 -   a meta-equality or by unlifting them.
    7.54 -*)
    7.55 -
    7.56 -let 
    7.57 -  val ss = simpset_ref()
    7.58 -  fun try_rewrite th = (int_rewrite th) handle _ => (int_use th) handle _ => th
    7.59 -in 
    7.60 -  ss := !ss setmksimps ((mksimps mksimps_pairs) o try_rewrite)
    7.61 -end;
    7.62 -***)
    7.63 -
    7.64  (* ========================================================================= *)
    7.65  
    7.66 -qed_goal "Not_Rall" Intensional.thy
    7.67 -   "|- (~(! x. F x)) = (? x. ~F x)"
    7.68 -   (fn _ => [simp_tac (simpset() addsimps [Valid_def]) 1]);
    7.69 -
    7.70 -qed_goal "Not_Rex" Intensional.thy
    7.71 -   "|- (~ (? x. F x)) = (! x. ~ F x)"
    7.72 -   (fn _ => [simp_tac (simpset() addsimps [Valid_def]) 1]);
    7.73 +Goalw [Valid_def] "|- (~(! x. F x)) = (? x. ~F x)";
    7.74 +by (Simp_tac 1);
    7.75 +qed "Not_Rall";
    7.76  
    7.77 -(* IntLemmas.ML contains a collection of further lemmas about "intensional" logic.
    7.78 -   These are not loaded by default because they are not required for the
    7.79 -   standard proof procedures that first unlift proof goals to the HOL level.
    7.80 +Goalw [Valid_def] "|- (~ (? x. F x)) = (! x. ~ F x)";
    7.81 +by (Simp_tac 1);
    7.82 +qed "Not_Rex";
    7.83  
    7.84 -use "IntLemmas.ML";
    7.85 -
    7.86 -*)
     8.1 --- a/src/HOL/TLA/Intensional.thy	Thu Aug 03 19:28:37 2000 +0200
     8.2 +++ b/src/HOL/TLA/Intensional.thy	Thu Aug 03 19:29:03 2000 +0200
     8.3 @@ -82,17 +82,17 @@
     8.4    (** TODO: syntax for lifted collection / comprehension **)
     8.5    "_liftPair"   :: [lift,liftargs] => lift                   ("(1'(_,/ _'))")
     8.6    (* infix syntax for list operations *)
     8.7 -  "_liftCons" :: [lift, lift] => lift                    ("(_ #/ _)" [65,66] 65)
     8.8 -  "_liftApp"  :: [lift, lift] => lift                    ("(_ @/ _)" [65,66] 65)
     8.9 -  "_liftList" :: liftargs => lift                        ("[(_)]")
    8.10 +  "_liftCons" :: [lift, lift] => lift                  ("(_ #/ _)" [65,66] 65)
    8.11 +  "_liftApp"  :: [lift, lift] => lift                  ("(_ @/ _)" [65,66] 65)
    8.12 +  "_liftList" :: liftargs => lift                      ("[(_)]")
    8.13  
    8.14    (* Rigid quantification (syntax level) *)
    8.15 -  "_RAll"  :: [idts, lift] => lift                     ("(3! _./ _)" [0, 10] 10)
    8.16 -  "_REx"   :: [idts, lift] => lift                     ("(3? _./ _)" [0, 10] 10)
    8.17 -  "_REx1"  :: [idts, lift] => lift                     ("(3?! _./ _)" [0, 10] 10)
    8.18 -  "_ARAll" :: [idts, lift] => lift                     ("(3ALL _./ _)" [0, 10] 10)
    8.19 -  "_AREx"  :: [idts, lift] => lift                     ("(3EX _./ _)" [0, 10] 10)
    8.20 -  "_AREx1" :: [idts, lift] => lift                     ("(3EX! _./ _)" [0, 10] 10)
    8.21 +  "_ARAll"  :: [idts, lift] => lift                    ("(3! _./ _)" [0, 10] 10)
    8.22 +  "_AREx"   :: [idts, lift] => lift                    ("(3? _./ _)" [0, 10] 10)
    8.23 +  "_AREx1"  :: [idts, lift] => lift                    ("(3?! _./ _)" [0, 10] 10)
    8.24 +  "_RAll" :: [idts, lift] => lift                      ("(3ALL _./ _)" [0, 10] 10)
    8.25 +  "_REx"  :: [idts, lift] => lift                      ("(3EX _./ _)" [0, 10] 10)
    8.26 +  "_REx1" :: [idts, lift] => lift                      ("(3EX! _./ _)" [0, 10] 10)
    8.27  
    8.28  translations
    8.29    "_const"        == "const"
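Review bot: Swapping which identifiers carry the `!`/`?` and `ALL`/`EX` forms (the new `_ARAll`/`_AREx`/`_AREx1` and `_RAll`/`_REx`/`_REx1` lines) is only consistent if the rules that map the `_AR*` forms onto the `_R*` forms still point in that direction, because the `unl_Rall`/`unl_Rex`/`unl_Rex1` definitions and the print translations later in this commit are stated for `_RAll`/`_REx`/`_REx1` only. If such rules exist, as the names suggest, they sit in the `translations` section after this hunk and are not shown, so please confirm them; otherwise the `!`/`?` input forms would parse to constants the unlifting rules no longer mention. On style, the new `_RAll`/`_REx`/`_REx1` lines lost the column alignment of the block: `"_RAll"   :: [idts, lift] => lift                  ("(3ALL _./ _)" [0, 10] 10)` would line up with the `"_ARAll"  ::` entry above it. The `syntax` block itself starts before this hunk.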
    8.30 @@ -142,9 +142,9 @@
    8.31    "w |= A | B"    <= "_liftOr A B w"
    8.32    "w |= A --> B"  <= "_liftImp A B w"
    8.33    "w |= u = v"    <= "_liftEqu u v w"
    8.34 -  "w |= ! x. A"   <= "_RAll x A w"
    8.35 -  "w |= ? x. A"   <= "_REx x A w"
    8.36 -  "w |= ?! x. A"  <= "_REx1 x A w"
    8.37 +  "w |= ALL x. A"   <= "_RAll x A w"
    8.38 +  "w |= EX x. A"   <= "_REx x A w"
    8.39 +  "w |= EX! x. A"  <= "_REx1 x A w"
    8.40  
    8.41  syntax (symbols)
    8.42    "_Valid"      :: lift => bool                        ("(\\<turnstile> _)" 5)
    8.43 @@ -172,7 +172,7 @@
    8.44    unl_lift2   "LIFT f<x, y> w == f (x w) (y w)"
    8.45    unl_lift3   "LIFT f<x, y, z> w == f (x w) (y w) (z w)"
    8.46  
    8.47 -  unl_Rall    "w |= ! x. A x  ==  ! x. (w |= A x)" 
    8.48 -  unl_Rex     "w |= ? x. A x  ==  ? x. (w |= A x)"
    8.49 -  unl_Rex1    "w |= ?! x. A x  ==  ?! x. (w |= A x)"
    8.50 +  unl_Rall    "w |= ALL x. A x  ==  ALL x. (w |= A x)" 
    8.51 +  unl_Rex     "w |= EX x. A x   ==  EX x. (w |= A x)"
    8.52 +  unl_Rex1    "w |= EX! x. A x  ==  EX! x. (w |= A x)"
    8.53  end
     9.1 --- a/src/HOL/TLA/Memory/MIlive.ML	Thu Aug 03 19:28:37 2000 +0200
     9.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     9.3 @@ -1,365 +0,0 @@
     9.4 -(* 
     9.5 -    File:        MIlive.ML
     9.6 -    Author:      Stephan Merz
     9.7 -    Copyright:   1997 University of Munich
     9.8 -
     9.9 -    RPC-Memory example: Lower-level lemmas for the liveness proof
    9.10 -*)
    9.11 -
    9.12 -(* Liveness assertions for the different implementation states, based on the
    9.13 -   fairness conditions. Prove subgoals of WF1 / SF1 rules as separate lemmas
    9.14 -   for readability. Reuse action proofs from safety part.
    9.15 -*)
    9.16 -
    9.17 -(* ------------------------------ State S1 ------------------------------ *)
    9.18 -
    9.19 -qed_goal "S1_successors" MemoryImplementation.thy
    9.20 -   "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)  \
    9.21 -\      --> (S1 rmhist p)` | (S2 rmhist p)`"
    9.22 -   (fn _ => [split_idle_tac [] 1,
    9.23 -	     auto_tac (MI_css addSDs2 [Step1_2_1])
    9.24 -	    ]);
    9.25 -
    9.26 -(* Show that the implementation can satisfy the high-level fairness requirements
    9.27 -   by entering the state S1 infinitely often.
    9.28 -*)
    9.29 -
    9.30 -qed_goal "S1_RNextdisabled" MemoryImplementation.thy
    9.31 -   "|- S1 rmhist p --> \
    9.32 -\      ~Enabled (<RNext memCh mm (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
    9.33 -   (fn _ => [action_simp_tac (simpset() addsimps [angle_def,S_def,S1_def])
    9.34 -	                     [notI] [enabledE,temp_elim Memoryidle] 1,
    9.35 -	     Force_tac 1
    9.36 -	    ]);
    9.37 -
    9.38 -qed_goal "S1_Returndisabled" MemoryImplementation.thy
    9.39 -   "|- S1 rmhist p --> \
    9.40 -\      ~Enabled (<MemReturn memCh (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
    9.41 -   (fn _ => [action_simp_tac (simpset() addsimps [angle_def,MemReturn_def,Return_def,S_def,S1_def])
    9.42 -	                     [notI] [enabledE] 1
    9.43 -	    ]);
    9.44 -
    9.45 -qed_goal "RNext_fair" MemoryImplementation.thy
    9.46 -   "|- []<>S1 rmhist p   \
    9.47 -\      --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
    9.48 -   (fn _ => [auto_tac (MI_css addsimps2 [WF_alt]
    9.49 -			      addSIs2 [S1_RNextdisabled] addSEs2 [STL4E,DmdImplE])
    9.50 -	    ]);
    9.51 -
    9.52 -qed_goal "Return_fair" MemoryImplementation.thy
    9.53 -   "|- []<>S1 rmhist p   \
    9.54 -\      --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
    9.55 -   (fn _ => [auto_tac (MI_css addsimps2 [WF_alt]
    9.56 -			      addSIs2 [S1_Returndisabled] addSEs2 [STL4E,DmdImplE])
    9.57 -	    ]);
    9.58 -
    9.59 -(* ------------------------------ State S2 ------------------------------ *)
    9.60 -
    9.61 -qed_goal "S2_successors" MemoryImplementation.thy
    9.62 -   "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
    9.63 -\      --> (S2 rmhist p)` | (S3 rmhist p)`"
    9.64 -   (fn _ => [split_idle_tac [] 1,
    9.65 -	     auto_tac (MI_css addSDs2 [Step1_2_2])
    9.66 -	    ]);
    9.67 -
    9.68 -qed_goal "S2MClkFwd_successors" MemoryImplementation.thy
    9.69 -   "|- ($S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))    \
    9.70 -\      & <MClkFwd memCh crCh cst p>_(c p) \
    9.71 -\      --> (S3 rmhist p)`"
    9.72 -   (fn _ => [ auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_2]) ]);
    9.73 -
    9.74 -qed_goal "S2MClkFwd_enabled" MemoryImplementation.thy
    9.75 -   "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)    \
    9.76 -\      --> $Enabled (<MClkFwd memCh crCh cst p>_(c p))"
    9.77 -   (fn _ => [auto_tac (MI_css addsimps2 [c_def] addSIs2 [MClkFwd_ch_enabled,MClkFwd_enabled]),
    9.78 -             cut_facts_tac [MI_base] 1,
    9.79 -             blast_tac (claset() addDs [base_pair]) 1,
    9.80 -             ALLGOALS (asm_full_simp_tac (simpset() addsimps [S_def,S2_def]))
    9.81 -	    ]);
    9.82 -
    9.83 -qed_goal "S2_live" MemoryImplementation.thy
    9.84 -   "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) & WF(MClkFwd memCh crCh cst p)_(c p) \
    9.85 -\      --> (S2 rmhist p ~> S3 rmhist p)"
    9.86 -   (fn _ => [REPEAT (resolve_tac [WF1,S2_successors,
    9.87 -				  S2MClkFwd_successors,S2MClkFwd_enabled] 1)
    9.88 -	    ]);
    9.89 -
    9.90 -
    9.91 -(* ------------------------------ State S3 ------------------------------ *)
    9.92 -
    9.93 -qed_goal "S3_successors" MemoryImplementation.thy
    9.94 -   "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
    9.95 -\      --> (S3 rmhist p)` | (S4 rmhist p | S6 rmhist p)`"
    9.96 -   (fn _ => [split_idle_tac [] 1,
    9.97 -	     auto_tac (MI_css addSDs2 [Step1_2_3])
    9.98 -	    ]);
    9.99 -
   9.100 -qed_goal "S3RPC_successors" MemoryImplementation.thy
   9.101 -   "|- ($S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))   \
   9.102 -\      & <RPCNext crCh rmCh rst p>_(r p) \
   9.103 -\      --> (S4 rmhist p | S6 rmhist p)`"
   9.104 -   (fn _ => [ auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_3]) ]);
   9.105 -
   9.106 -qed_goal "S3RPC_enabled" MemoryImplementation.thy
   9.107 -   "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
   9.108 -\      --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
   9.109 -   (fn _ => [auto_tac (MI_css addsimps2 [r_def]
   9.110 -		              addSIs2 [RPCFail_Next_enabled,RPCFail_enabled]),
   9.111 -	     cut_facts_tac [MI_base] 1,
   9.112 -	     blast_tac (claset() addDs [base_pair]) 1,
   9.113 -             ALLGOALS (asm_full_simp_tac (simpset() addsimps [S_def,S3_def]))
   9.114 -	    ]);
   9.115 -
   9.116 -qed_goal "S3_live" MemoryImplementation.thy
   9.117 -   "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) & WF(RPCNext crCh rmCh rst p)_(r p) \
   9.118 -\   --> (S3 rmhist p ~> S4 rmhist p | S6 rmhist p)"
   9.119 -   (fn _ => [REPEAT (resolve_tac [WF1,S3_successors,S3RPC_successors,S3RPC_enabled] 1)]);
   9.120 -
   9.121 -(* ------------- State S4 -------------------------------------------------- *)
   9.122 -
   9.123 -qed_goal "S4_successors" MemoryImplementation.thy
   9.124 -   "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
   9.125 -\                   & (!l. $MemInv mm l)  \
   9.126 -\      --> (S4 rmhist p)` | (S5 rmhist p)`"
   9.127 -   (fn _ => [split_idle_tac [] 1,
   9.128 -	     auto_tac (MI_css addSDs2 [Step1_2_4])
   9.129 -	    ]);
   9.130 -
   9.131 -(* ------------- State S4a: S4 /\ (ires p = NotAResult) ------------------------------ *)
   9.132 -
   9.133 -qed_goal "S4a_successors" MemoryImplementation.thy
   9.134 -   "|- $(S4 rmhist p & ires!p = #NotAResult) \
   9.135 -\      & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l) \
   9.136 -\      --> (S4 rmhist p & ires!p = #NotAResult)`  \
   9.137 -\        | ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)`"
   9.138 -   (fn _ => [split_idle_tac [m_def] 1,
   9.139 -	     auto_tac (MI_css addSDs2 [Step1_2_4])
   9.140 -	    ]);
   9.141 -
   9.142 -qed_goal "S4aRNext_successors" MemoryImplementation.thy
   9.143 -   "|- ($(S4 rmhist p & ires!p = #NotAResult)  \
   9.144 -\       & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l))  \
   9.145 -\      & <RNext rmCh mm ires p>_(m p) \
   9.146 -\      --> ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)`"
   9.147 -   (fn _ => [auto_tac (MI_css addsimps2 [angle_def]
   9.148 -		              addSDs2 [Step1_2_4, ReadResult, WriteResult])
   9.149 -	    ]);
   9.150 -
   9.151 -qed_goal "S4aRNext_enabled" MemoryImplementation.thy
   9.152 -   "|- $(S4 rmhist p & ires!p = #NotAResult) \
   9.153 -\      & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l)  \
   9.154 -\   --> $Enabled (<RNext rmCh mm ires p>_(m p))"
   9.155 -   (fn _ => [auto_tac (MI_css addsimps2 [m_def] addSIs2 [RNext_enabled]),
   9.156 -	     cut_facts_tac [MI_base] 1,
   9.157 -	     blast_tac (claset() addDs [base_pair]) 1,
   9.158 -	     asm_full_simp_tac (simpset() addsimps [S_def,S4_def]) 1
   9.159 -	    ]);
   9.160 -
   9.161 -qed_goal "S4a_live" MemoryImplementation.thy
   9.162 -  "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l)) \
   9.163 -\     & WF(RNext rmCh mm ires p)_(m p) \
   9.164 -\     --> (S4 rmhist p & ires!p = #NotAResult  \
   9.165 -\          ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)"
   9.166 -   (K [REPEAT (resolve_tac [WF1, S4a_successors, S4aRNext_successors, S4aRNext_enabled] 1)]);
   9.167 -
   9.168 -(* ------------- State S4b: S4 /\ (ires p # NotAResult) ------------------------------ *)
   9.169 -
   9.170 -qed_goal "S4b_successors" MemoryImplementation.thy
   9.171 -   "|- $(S4 rmhist p & ires!p ~= #NotAResult)  \
   9.172 -\      & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l) \
   9.173 -\      --> (S4 rmhist p & ires!p ~= #NotAResult)` | (S5 rmhist p)`"
   9.174 -   (fn _ => [split_idle_tac [m_def] 1,
   9.175 -	     auto_tac (MI_css addSDs2 [WriteResult,Step1_2_4,ReadResult])
   9.176 -	    ]);
   9.177 -
   9.178 -qed_goal "S4bReturn_successors" MemoryImplementation.thy
   9.179 -   "|- ($(S4 rmhist p & ires!p ~= #NotAResult)  \
   9.180 -\       & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l))   \
   9.181 -\      & <MemReturn rmCh ires p>_(m p) \
   9.182 -\      --> (S5 rmhist p)`"
   9.183 -   (fn _ => [force_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_4]
   9.184 -                               addDs2 [ReturnNotReadWrite]) 1
   9.185 -	    ]);
   9.186 -
   9.187 -qed_goal "S4bReturn_enabled" MemoryImplementation.thy
   9.188 -   "|- $(S4 rmhist p & ires!p ~= #NotAResult)  \
   9.189 -\      & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l)  \
   9.190 -\      --> $Enabled (<MemReturn rmCh ires p>_(m p))"
   9.191 -   (fn _ => [auto_tac (MI_css addsimps2 [m_def] addSIs2 [MemReturn_enabled]),
   9.192 -	     cut_facts_tac [MI_base] 1,
   9.193 -             blast_tac (claset() addDs [base_pair]) 1,
   9.194 -	     asm_full_simp_tac (simpset() addsimps [S_def,S4_def]) 1
   9.195 -	    ]);
   9.196 -
   9.197 -qed_goal "S4b_live" MemoryImplementation.thy
   9.198 -  "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l)) \
   9.199 -\     & WF(MemReturn rmCh ires p)_(m p) \
   9.200 -\     --> (S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p)"
   9.201 -   (K [REPEAT (resolve_tac [WF1, S4b_successors,S4bReturn_successors, S4bReturn_enabled] 1)]);
   9.202 -
   9.203 -(* ------------------------------ State S5 ------------------------------ *)
   9.204 -
   9.205 -qed_goal "S5_successors" MemoryImplementation.thy
   9.206 -   "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
   9.207 -\      --> (S5 rmhist p)` | (S6 rmhist p)`"
   9.208 -   (fn _ => [split_idle_tac [] 1,
   9.209 -	     auto_tac (MI_css addSDs2 [Step1_2_5])
   9.210 -	    ]);
   9.211 -
   9.212 -qed_goal "S5RPC_successors" MemoryImplementation.thy
   9.213 -   "|- ($S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) \
   9.214 -\     & <RPCNext crCh rmCh rst p>_(r p) \
   9.215 -\     --> (S6 rmhist p)`"
   9.216 -   (fn _ => [ auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_5]) ]);
   9.217 -
   9.218 -qed_goal "S5RPC_enabled" MemoryImplementation.thy
   9.219 -   "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
   9.220 -\      --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
   9.221 -   (fn _ => [auto_tac (MI_css addsimps2 [r_def]
   9.222 -		              addSIs2 [RPCFail_Next_enabled, RPCFail_enabled]),
   9.223 -	     cut_facts_tac [MI_base] 1,
   9.224 -	     blast_tac (claset() addDs [base_pair]) 1,
   9.225 -	     ALLGOALS (asm_full_simp_tac (simpset() addsimps [S_def,S5_def]))
   9.226 -	    ]);
   9.227 -
   9.228 -qed_goal "S5_live" MemoryImplementation.thy
   9.229 -   "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))   \
   9.230 -\      & WF(RPCNext crCh rmCh rst p)_(r p) \
   9.231 -\      --> (S5 rmhist p ~> S6 rmhist p)"
   9.232 -   (fn _ => [REPEAT (resolve_tac [WF1,S5_successors,S5RPC_successors,S5RPC_enabled] 1)]);
   9.233 -
   9.234 -
   9.235 -(* ------------------------------ State S6 ------------------------------ *)
   9.236 -
   9.237 -qed_goal "S6_successors" MemoryImplementation.thy
   9.238 -   "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
   9.239 -\      --> (S1 rmhist p)` | (S3 rmhist p)` | (S6 rmhist p)`"
   9.240 -   (fn _ => [split_idle_tac [] 1,
   9.241 -	     auto_tac (MI_css addSDs2 [Step1_2_6])
   9.242 -	    ]);
   9.243 -
   9.244 -qed_goal "S6MClkReply_successors" MemoryImplementation.thy
   9.245 -   "|- ($S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) \
   9.246 -\      & <MClkReply memCh crCh cst p>_(c p) \
   9.247 -\      --> (S1 rmhist p)`"
   9.248 -   (fn _ => [auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_6, MClkReplyNotRetry])
   9.249 -	    ]);
   9.250 -
   9.251 -qed_goal "MClkReplyS6" MemoryImplementation.thy
   9.252 -   "|- $ImpInv rmhist p & <MClkReply memCh crCh cst p>_(c p) --> $S6 rmhist p"
   9.253 -   (fn _ => [action_simp_tac
   9.254 -	        (simpset() addsimps
   9.255 -		    [angle_def,MClkReply_def,Return_def,
   9.256 -		     ImpInv_def,S_def,S1_def,S2_def,S3_def,S4_def,S5_def])
   9.257 -		[] [] 1
   9.258 -	    ]);
   9.259 -
   9.260 -qed_goal "S6MClkReply_enabled" MemoryImplementation.thy
   9.261 -   "|- S6 rmhist p --> Enabled (<MClkReply memCh crCh cst p>_(c p))"
   9.262 -   (fn _ => [auto_tac (MI_css addsimps2 [c_def] addSIs2 [MClkReply_enabled]),
   9.263 -	     cut_facts_tac [MI_base] 1,
   9.264 -	     blast_tac (claset() addDs [base_pair]) 1,
   9.265 -	     ALLGOALS (action_simp_tac (simpset() addsimps [S_def,S6_def]) [] [])
   9.266 -	    ]);
   9.267 -
   9.268 -qed_goal "S6_live" MemoryImplementation.thy
   9.269 -   "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p)) \
   9.270 -\      & SF(MClkReply memCh crCh cst p)_(c p) & []<>(S6 rmhist p)  \
   9.271 -\      --> []<>(S1 rmhist p)"
   9.272 -   (fn _ => [Clarsimp_tac 1,
   9.273 -	     subgoal_tac "sigma |= []<>(<MClkReply memCh crCh cst p>_(c p))" 1,
   9.274 -             etac InfiniteEnsures 1, atac 1,
   9.275 -	     action_simp_tac (simpset()) []
   9.276 -	                     (map temp_elim [MClkReplyS6,S6MClkReply_successors]) 1,
   9.277 -	     auto_tac (MI_css addsimps2 [SF_def]),
   9.278 -	     etac swap 1,
   9.279 -	     auto_tac (MI_css addSIs2 [S6MClkReply_enabled] addSEs2 [STL4E, DmdImplE])
   9.280 -	    ]);
   9.281 -
   9.282 -(* ------------------------------ complex leadsto properties ------------------------------ *)
   9.283 -
   9.284 -qed_goal "S5S6LeadstoS6" MemoryImplementation.thy
   9.285 -   "!!sigma. sigma |= S5 rmhist p ~> S6 rmhist p \
   9.286 -\      ==> sigma |= (S5 rmhist p | S6 rmhist p) ~> S6 rmhist p"
   9.287 -   (fn _ => [auto_tac (MI_css addSIs2 [LatticeDisjunctionIntro, LatticeReflexivity])
   9.288 -	    ]);
   9.289 -
   9.290 -qed_goal "S4bS5S6LeadstoS6" MemoryImplementation.thy
   9.291 -   "!!sigma. [| sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
   9.292 -\               sigma |= S5 rmhist p ~> S6 rmhist p |]  \
   9.293 -\      ==> sigma |= (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p \
   9.294 -\                   ~> S6 rmhist p"
   9.295 -   (fn _ => [auto_tac (MI_css addSIs2 [LatticeDisjunctionIntro,S5S6LeadstoS6]
   9.296 -		              addIs2 [LatticeTransitivity])
   9.297 -            ]);
   9.298 -
   9.299 -qed_goal "S4S5S6LeadstoS6" MemoryImplementation.thy
   9.300 -   "!!sigma. [| sigma |= S4 rmhist p & ires!p = #NotAResult \
   9.301 -\                        ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p; \
   9.302 -\               sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
   9.303 -\               sigma |= S5 rmhist p ~> S6 rmhist p |]  \
   9.304 -\      ==> sigma |= S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p"
   9.305 -   (fn _ => [subgoal_tac "sigma |= (S4 rmhist p & ires!p = #NotAResult) | (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p ~> S6 rmhist p" 1,
   9.306 -	     eres_inst_tac [("G", "PRED ((S4 rmhist p & ires!p = #NotAResult) | (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p)")] (temp_use LatticeTransitivity) 1,
   9.307 -	     force_tac (MI_css addsimps2 Init_defs addSIs2 [ImplLeadsto_gen, necT]) 1,
   9.308 -	     rtac (temp_use LatticeDisjunctionIntro) 1,
   9.309 -	     etac (temp_use LatticeTransitivity) 1,
   9.310 -	     etac (temp_use LatticeTriangle2) 1, atac 1,
   9.311 -	     auto_tac (MI_css addSIs2 [S4bS5S6LeadstoS6])
   9.312 -	    ]);
   9.313 -
   9.314 -qed_goal "S3S4S5S6LeadstoS6" MemoryImplementation.thy
   9.315 -   "!!sigma. [| sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;   \
   9.316 -\               sigma |= S4 rmhist p & ires!p = #NotAResult \
   9.317 -\                         ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p; \
   9.318 -\               sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
   9.319 -\               sigma |= S5 rmhist p ~> S6 rmhist p |]  \
   9.320 -\      ==> sigma |= S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p"
   9.321 -   (fn _ => [rtac (temp_use LatticeDisjunctionIntro) 1,
   9.322 -	     etac (temp_use LatticeTriangle2) 1,
   9.323 -	     rtac (S4S5S6LeadstoS6 RS (temp_use LatticeTransitivity)) 1,
   9.324 -	     auto_tac (MI_css addSIs2 [S4S5S6LeadstoS6,necT]
   9.325 -			      addIs2 [ImplLeadsto_gen] addsimps2 Init_defs)
   9.326 -	    ]);
   9.327 -
   9.328 -qed_goal "S2S3S4S5S6LeadstoS6" MemoryImplementation.thy
   9.329 -   "!!sigma. [| sigma |= S2 rmhist p ~> S3 rmhist p; \
   9.330 -\               sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;   \
   9.331 -\               sigma |= S4 rmhist p & ires!p = #NotAResult \
   9.332 -\                         ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p; \
   9.333 -\               sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
   9.334 -\               sigma |= S5 rmhist p ~> S6 rmhist p |]  \
   9.335 -\      ==> sigma |= S2 rmhist p | S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p \
   9.336 -\                   ~> S6 rmhist p"
   9.337 -   (fn _ => [rtac (temp_use LatticeDisjunctionIntro) 1,
   9.338 -	     rtac (temp_use LatticeTransitivity) 1, atac 2,
   9.339 -	     rtac (S3S4S5S6LeadstoS6 RS (temp_use LatticeTransitivity)) 1,
   9.340 -	     auto_tac (MI_css addSIs2 [S3S4S5S6LeadstoS6,necT]
   9.341 -			      addIs2 [ImplLeadsto_gen] addsimps2 Init_defs)
   9.342 -	    ]);
   9.343 -
   9.344 -qed_goal "NotS1LeadstoS6" MemoryImplementation.thy
   9.345 -   "!!sigma. [| sigma |= []ImpInv rmhist p; \
   9.346 -\        sigma |= S2 rmhist p ~> S3 rmhist p; \
   9.347 -\        sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p; \
   9.348 -\        sigma |= S4 rmhist p & ires!p = #NotAResult \
   9.349 -\                 ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p; \
   9.350 -\        sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
   9.351 -\        sigma |= S5 rmhist p ~> S6 rmhist p |] \
   9.352 -\        ==> sigma |= ~S1 rmhist p ~> S6 rmhist p"
   9.353 -   (fn _ => [rtac (S2S3S4S5S6LeadstoS6 RS (temp_use LatticeTransitivity)) 1,
   9.354 -             TRYALL atac,
   9.355 -             etac (temp_use INV_leadsto) 1,
   9.356 -             rtac (temp_use ImplLeadsto_gen) 1,
   9.357 -             rtac (temp_use necT) 1,
   9.358 -	     auto_tac (MI_css addsimps2 ImpInv_def::Init_defs addSIs2 [necT])
   9.359 -	    ]);
   9.360 -
   9.361 -qed_goal "S1Infinite" MemoryImplementation.thy
   9.362 -   "!!sigma. [| sigma |= ~S1 rmhist p ~> S6 rmhist p; \
   9.363 -\               sigma |= []<>S6 rmhist p --> []<>S1 rmhist p |] \
   9.364 -\            ==> sigma |= []<>S1 rmhist p"
   9.365 -   (fn _ => [rtac classical 1,
   9.366 -	     asm_full_simp_tac (simpset() addsimps [temp_use NotBox, NotDmd]) 1,
   9.367 -	     auto_tac (MI_css addSEs2 [mp,leadsto_infinite] addSDs2 [DBImplBD])
   9.368 -	    ]);
    10.1 --- a/src/HOL/TLA/Memory/MIsafe.ML	Thu Aug 03 19:28:37 2000 +0200
    10.2 +++ b/src/HOL/TLA/Memory/MIsafe.ML	Thu Aug 03 19:29:03 2000 +0200
    10.3 @@ -10,17 +10,17 @@
    10.4  
    10.5  (* RPCFailure notin MemVals U {OK,BadArg} *)
    10.6  
    10.7 -qed_goalw "MVOKBAnotRF" MemoryImplementation.thy [MVOKBA_def]
    10.8 -   "!!x. MVOKBA x ==> x ~= RPCFailure"
    10.9 -   (fn _ => [ Auto_tac ]);
   10.10 +Goalw [MVOKBA_def] "MVOKBA x ==> x ~= RPCFailure";
   10.11 +by Auto_tac;
   10.12 +qed "MVOKBAnotRF";
   10.13  
   10.14  (* NotAResult notin MemVals U {OK,BadArg,RPCFailure} *)
   10.15  
   10.16 -qed_goalw "MVOKBARFnotNR" MemoryImplementation.thy [MVOKBARF_def]
   10.17 -   "!!x. MVOKBARF x ==> x ~= NotAResult"
   10.18 -   (fn _ => [ Auto_tac ]);
   10.19 +Goalw [MVOKBARF_def] "MVOKBARF x ==> x ~= NotAResult";
   10.20 +by Auto_tac;
   10.21 +qed "MVOKBARFnotNR";
   10.22  
   10.23 -(* ========================= Si's are mutually exclusive ==================================== *)
   10.24 +(* ================ Si's are mutually exclusive ================================ *)
   10.25  (* Si and Sj are mutually exclusive for i # j. This helps to simplify the big
   10.26     conditional in the definition of resbar when doing the step-simulation proof.
   10.27     We prove a weaker result, which suffices for our purposes: 
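Review bot: The rewritten lemmas drop the explicit theory argument: `qed_goalw "MVOKBAnotRF" MemoryImplementation.thy ...` becomes `Goalw [MVOKBA_def] ...`, which (as far as I can tell from the hunk) resolves against the implicit current theory rather than naming MemoryImplementation.thy. That makes the script sensitive to the context it is loaded in, so a one-line note above the first `Goalw` would help the next maintainer, e.g. `(* Proofs below rely on the implicit theory context; load from MemoryImplementation.thy *)`. The dropped `!!x.` binder is fine since the free `x` is generalised when the goal is closed, but that is worth a mention in the commit message rather than being left for readers to work out.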
   10.28 @@ -28,42 +28,41 @@
   10.29  *)
   10.30  
   10.31  (* --- not used ---
   10.32 -qed_goal "S1_excl" MemoryImplementation.thy 
   10.33 -     "|- S1 rmhist p --> S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p & \
   10.34 -\                        ~S4 rmhist p & ~S5 rmhist p & ~S6 rmhist p"
   10.35 -   (fn _ => [ auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def,
   10.36 -                                          S3_def, S4_def, S5_def, S6_def])
   10.37 -            ]);
   10.38 +Goal "|- S1 rmhist p --> S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p & \
   10.39 +\                        ~S4 rmhist p & ~S5 rmhist p & ~S6 rmhist p";
   10.40 +by (auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def,
   10.41 +                                S3_def, S4_def, S5_def, S6_def]));
   10.42 +qed "S1_excl";
   10.43  *)
   10.44  
   10.45 -qed_goal "S2_excl" MemoryImplementation.thy 
   10.46 -     "|- S2 rmhist p --> S2 rmhist p & ~S1 rmhist p"
   10.47 -   (fn _ => [ auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def]) ]);
   10.48 +Goal "|- S2 rmhist p --> S2 rmhist p & ~S1 rmhist p";
   10.49 +by (auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def]));
   10.50 +qed "S2_excl";
   10.51  
   10.52 -qed_goal "S3_excl" MemoryImplementation.thy 
   10.53 -     "|- S3 rmhist p --> S3 rmhist p & ~S1 rmhist p & ~S2 rmhist p"
   10.54 -   (fn _ => [ auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def, S3_def]) ]);
   10.55 +Goal "|- S3 rmhist p --> S3 rmhist p & ~S1 rmhist p & ~S2 rmhist p";
   10.56 +by (auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def, S3_def]));
   10.57 +qed "S3_excl";
   10.58  
   10.59 -qed_goal "S4_excl" MemoryImplementation.thy 
   10.60 -     "|- S4 rmhist p --> S4 rmhist p & ~S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p"
   10.61 -   (fn _ => [ auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def]) ]);
   10.62 +Goal "|- S4 rmhist p --> S4 rmhist p & ~S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p";
   10.63 +by (auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def]));
   10.64 +qed "S4_excl";
   10.65  
   10.66 -qed_goal "S5_excl" MemoryImplementation.thy 
   10.67 -     "|- S5 rmhist p --> S5 rmhist p & ~S1 rmhist p & ~S2 rmhist p \
   10.68 -\                        & ~S3 rmhist p & ~S4 rmhist p"
   10.69 -   (fn _ => [ auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def,S5_def]) ]);
   10.70 +Goal "|- S5 rmhist p --> S5 rmhist p & ~S1 rmhist p & ~S2 rmhist p \
   10.71 +\                        & ~S3 rmhist p & ~S4 rmhist p";
   10.72 +by (auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def,S5_def]));
   10.73 +qed "S5_excl";
   10.74  
   10.75 -qed_goal "S6_excl" MemoryImplementation.thy 
   10.76 -     "|- S6 rmhist p --> S6 rmhist p & ~S1 rmhist p & ~S2 rmhist p  \
   10.77 -\                        & ~S3 rmhist p & ~S4 rmhist p & ~S5 rmhist p"
   10.78 -   (fn _ => [ auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def,S5_def,S6_def]) ]);
   10.79 +Goal "|- S6 rmhist p --> S6 rmhist p & ~S1 rmhist p & ~S2 rmhist p  \
   10.80 +\                        & ~S3 rmhist p & ~S4 rmhist p & ~S5 rmhist p";
   10.81 +by (auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def,S5_def,S6_def]));
   10.82 +qed "S6_excl";
   10.83  
   10.84  
   10.85  (* ==================== Lemmas about the environment ============================== *)
   10.86  
   10.87 -qed_goal "Envbusy" MemoryImplementation.thy
   10.88 -   "|- $(Calling memCh p) --> ~ENext p"
   10.89 -   (fn _ => [ auto_tac (MI_css addsimps2 [ENext_def,Call_def]) ]);
   10.90 +Goal "|- $(Calling memCh p) --> ~ENext p";
   10.91 +by (auto_tac (MI_css addsimps2 [ENext_def,Call_def]));
   10.92 +qed "Envbusy";
   10.93  
   10.94  (* ==================== Lemmas about the implementation's states ==================== *)
   10.95  
   10.96 @@ -74,287 +73,268 @@
   10.97  
   10.98  (* ------------------------------ State S1 ---------------------------------------- *) 
   10.99  
  10.100 -qed_goal "S1Env" MemoryImplementation.thy
  10.101 -   "|- ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p) --> (S2 rmhist p)$"
  10.102 -   (fn _ => [force_tac (MI_css
  10.103 -		        addsimps2 [ENext_def,Call_def,c_def,r_def,m_def,
  10.104 -			   	   caller_def,rtrner_def,MVNROKBA_def,
  10.105 -                                   S_def,S1_def,S2_def,Calling_def]) 1
  10.106 -	    ]);
  10.107 +Goal "|- ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p) \
  10.108 +\        --> (S2 rmhist p)$";
  10.109 +by (force_tac (MI_css addsimps2 [ENext_def,Call_def,c_def,r_def,m_def,
  10.110 +                                 caller_def,rtrner_def,MVNROKBA_def,
  10.111 +                                 S_def,S1_def,S2_def,Calling_def]) 1);
  10.112 +qed "S1Env";
  10.113  
  10.114 -qed_goal "S1ClerkUnch" MemoryImplementation.thy 
  10.115 -   "|- [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) --> unchanged (c p)"
  10.116 -   (fn _ => [auto_tac (MI_fast_css addSDs2 [MClkidle] addsimps2 [S_def,S1_def]) ]);
  10.117 +Goal "|- [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) --> unchanged (c p)";
  10.118 +by (auto_tac (MI_fast_css addSDs2 [MClkidle] addsimps2 [S_def,S1_def]));
  10.119 +qed "S1ClerkUnch";
  10.120  
  10.121 -qed_goal "S1RPCUnch" MemoryImplementation.thy
  10.122 -   "|- [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) --> unchanged (r p)"
  10.123 -   (fn _ => [auto_tac (MI_fast_css addSDs2 [RPCidle] addsimps2 [S_def,S1_def]) ]);
  10.124 +Goal "|- [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) --> unchanged (r p)";
  10.125 +by (auto_tac (MI_fast_css addSDs2 [RPCidle] addsimps2 [S_def,S1_def]));
  10.126 +qed "S1RPCUnch";
  10.127  
  10.128 -qed_goal "S1MemUnch" MemoryImplementation.thy
  10.129 -   "|- [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) --> unchanged (m p)"
  10.130 -   (fn _ => [auto_tac (MI_fast_css addSDs2 [Memoryidle] addsimps2 [S_def,S1_def]) ]);
  10.131 +Goal "|- [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) --> unchanged (m p)";
  10.132 +by (auto_tac (MI_fast_css addSDs2 [Memoryidle] addsimps2 [S_def,S1_def]));
  10.133 +qed "S1MemUnch";
  10.134  
  10.135 -qed_goal "S1Hist" MemoryImplementation.thy
  10.136 -   "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p) --> unchanged (rmhist!p)"
  10.137 -   (fn _ => [action_simp_tac (simpset() addsimps [HNext_def, S_def, S1_def, MemReturn_def, 
  10.138 -                                                  RPCFail_def,MClkReply_def,Return_def])
  10.139 -                             [] [squareE] 1
  10.140 -	    ]);
  10.141 +Goal "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p)\
  10.142 +\        --> unchanged (rmhist!p)";
  10.143 +by (action_simp_tac (simpset() addsimps [HNext_def, S_def, S1_def, MemReturn_def, 
  10.144 +                                         RPCFail_def,MClkReply_def,Return_def])
  10.145 +                    [] [squareE] 1);
  10.146 +qed "S1Hist";
  10.147  
  10.148  (* ------------------------------ State S2 ---------------------------------------- *)
  10.149  
  10.150 -qed_goal "S2EnvUnch" MemoryImplementation.thy
  10.151 -   "|- [ENext p]_(e p) & $(S2 rmhist p) --> unchanged (e p)"
  10.152 -   (fn _ => [auto_tac (MI_css addSDs2 [Envbusy] addsimps2 [S_def,S2_def]) ]);
  10.153 +Goal "|- [ENext p]_(e p) & $(S2 rmhist p) --> unchanged (e p)";
  10.154 +by (auto_tac (MI_css addSDs2 [Envbusy] addsimps2 [S_def,S2_def]));
  10.155 +qed "S2EnvUnch";
  10.156  
  10.157 -qed_goal "S2Clerk" MemoryImplementation.thy
  10.158 -   "|- MClkNext memCh crCh cst p & $(S2 rmhist p) --> MClkFwd memCh crCh cst p"
  10.159 -   (fn _ => [auto_tac (MI_css addsimps2 [MClkNext_def,MClkRetry_def,MClkReply_def,
  10.160 -					 S_def,S2_def])
  10.161 -	    ]);
  10.162 +Goal "|- MClkNext memCh crCh cst p & $(S2 rmhist p) --> MClkFwd memCh crCh cst p";
  10.163 +by (auto_tac (MI_css addsimps2 [MClkNext_def,MClkRetry_def,MClkReply_def,
  10.164 +                                S_def,S2_def]));
  10.165 +qed "S2Clerk";
  10.166  
  10.167 -qed_goal "S2Forward" MemoryImplementation.thy
  10.168 -   "|- $(S2 rmhist p) & MClkFwd memCh crCh cst p & unchanged (e p, r p, m p, rmhist!p) \
  10.169 -\      --> (S3 rmhist p)$"
  10.170 -   (fn _ => [action_simp_tac (simpset() addsimps
  10.171 +Goal "|- $(S2 rmhist p) & MClkFwd memCh crCh cst p\
  10.172 +\        & unchanged (e p, r p, m p, rmhist!p) \
  10.173 +\        --> (S3 rmhist p)$";
  10.174 +by (action_simp_tac 
  10.175 +         (simpset() addsimps
  10.176                  [MClkFwd_def,Call_def,e_def,r_def,m_def,caller_def,rtrner_def,
  10.177                   S_def,S2_def,S3_def,Calling_def])
  10.178 -               [] [] 1
  10.179 -	     ]);
  10.180 +         [] [] 1);
  10.181 +qed "S2Forward";
  10.182  
  10.183 -qed_goal "S2RPCUnch" MemoryImplementation.thy
  10.184 -   "|- [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) --> unchanged (r p)"
  10.185 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S2_def] addSDs2 [RPCidle]) ]);
  10.186 +Goal "|- [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) --> unchanged (r p)";
  10.187 +by (auto_tac (MI_css addsimps2 [S_def,S2_def] addSDs2 [RPCidle]));
  10.188 +qed "S2RPCUnch";
  10.189  
  10.190 -qed_goal "S2MemUnch" MemoryImplementation.thy
  10.191 -   "|- [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) --> unchanged (m p)"
  10.192 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S2_def] addSDs2 [Memoryidle]) ]);
  10.193 +Goal "|- [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) --> unchanged (m p)";
  10.194 +by (auto_tac (MI_css addsimps2 [S_def,S2_def] addSDs2 [Memoryidle]));
  10.195 +qed "S2MemUnch";
  10.196  
  10.197 -qed_goal "S2Hist" MemoryImplementation.thy
  10.198 -   "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p) --> unchanged (rmhist!p)"
  10.199 -   (fn _ => [auto_tac (MI_fast_css
  10.200 -		       addsimps2 [HNext_def,MemReturn_def,
  10.201 -				  RPCFail_def,MClkReply_def,Return_def,S_def,S2_def])
  10.202 -	    ]);
  10.203 +Goal "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p)\
  10.204 +\        --> unchanged (rmhist!p)";
  10.205 +by (auto_tac (MI_fast_css
  10.206 +		addsimps2 [HNext_def,MemReturn_def,
  10.207 +		           RPCFail_def,MClkReply_def,Return_def,S_def,S2_def]));
  10.208 +qed "S2Hist";
  10.209  
  10.210  (* ------------------------------ State S3 ---------------------------------------- *)
  10.211  
  10.212 -qed_goal "S3EnvUnch" MemoryImplementation.thy
  10.213 -   "|- [ENext p]_(e p) & $(S3 rmhist p) --> unchanged (e p)"
  10.214 -   (fn _ => [auto_tac (MI_css addSDs2 [Envbusy] addsimps2 [S_def,S3_def]) ]);
  10.215 +Goal "|- [ENext p]_(e p) & $(S3 rmhist p) --> unchanged (e p)";
  10.216 +by (auto_tac (MI_css addSDs2 [Envbusy] addsimps2 [S_def,S3_def]));
  10.217 +qed "S3EnvUnch";
  10.218  
  10.219 -qed_goal "S3ClerkUnch" MemoryImplementation.thy 
  10.220 -   "|- [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) --> unchanged (c p)"
  10.221 -   (fn _ => [auto_tac (MI_css addSDs2 [MClkbusy] addsimps2 [square_def,S_def,S3_def]) ]);
  10.222 +Goal "|- [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) --> unchanged (c p)";
  10.223 +by (auto_tac (MI_css addSDs2 [MClkbusy] addsimps2 [square_def,S_def,S3_def]));
  10.224 +qed "S3ClerkUnch";
  10.225  
  10.226 -qed_goal "S3LegalRcvArg" MemoryImplementation.thy
  10.227 -   "|- S3 rmhist p --> IsLegalRcvArg<arg<crCh!p>>"
  10.228 -   (fn _ => [auto_tac (MI_css addsimps2 [IsLegalRcvArg_def,MClkRelayArg_def,S_def,S3_def]) ]);
  10.229 +Goal "|- S3 rmhist p --> IsLegalRcvArg<arg<crCh!p>>";
  10.230 +by (auto_tac (MI_css addsimps2 [IsLegalRcvArg_def,MClkRelayArg_def,S_def,S3_def]));
  10.231 +qed "S3LegalRcvArg";
  10.232  
  10.233 -qed_goal "S3RPC" MemoryImplementation.thy
  10.234 -   "|- RPCNext crCh rmCh rst p & $(S3 rmhist p) \
  10.235 -\      --> RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p"
  10.236 -   (fn _ => [Clarsimp_tac 1,
  10.237 -             forward_tac [action_use S3LegalRcvArg] 1,
  10.238 -	     auto_tac (MI_css addsimps2 [RPCNext_def,RPCReject_def,RPCReply_def,S_def,S3_def])
  10.239 -	    ]);
  10.240 +Goal "|- RPCNext crCh rmCh rst p & $(S3 rmhist p) \
  10.241 +\        --> RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p";
  10.242 +by (Clarsimp_tac 1);
  10.243 +by (forward_tac [action_use S3LegalRcvArg] 1);
  10.244 +by (auto_tac (MI_css addsimps2 [RPCNext_def,RPCReject_def,RPCReply_def,S_def,S3_def]));
  10.245 +qed "S3RPC";
  10.246  
  10.247 -qed_goal "S3Forward" MemoryImplementation.thy
  10.248 -   "|- RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p) & unchanged (e p, c p, m p) \
  10.249 -\      --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.250 -   (fn _ => [action_simp_tac 
  10.251 -               (simpset() addsimps [RPCFwd_def,HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
  10.252 -				   Return_def,Call_def,e_def,c_def,m_def,caller_def,rtrner_def, 
  10.253 -				   S_def,S3_def,S4_def,Calling_def])
  10.254 -	       [] [] 1
  10.255 -	    ]);
  10.256 +Goal "|- RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p)\
  10.257 +\        & unchanged (e p, c p, m p) \
  10.258 +\        --> (S4 rmhist p)$ & unchanged (rmhist!p)";
  10.259 +by (action_simp_tac 
  10.260 +      (simpset() addsimps [RPCFwd_def,HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
  10.261 +	                   Return_def,Call_def,e_def,c_def,m_def,caller_def,rtrner_def, 
  10.262 +                           S_def,S3_def,S4_def,Calling_def])
  10.263 +      [] [] 1);
  10.264 +qed "S3Forward";
  10.265  
  10.266 -qed_goal "S3Fail" MemoryImplementation.thy
  10.267 -   "|- RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p & unchanged (e p, c p, m p) \
  10.268 -\      --> (S6 rmhist p)$"
  10.269 -   (fn _ => [action_simp_tac 
  10.270 -               (simpset() addsimps [HNext_def,RPCFail_def,Return_def,e_def,c_def,m_def,
  10.271 -				   caller_def,rtrner_def,MVOKBARF_def,
  10.272 -				   S_def,S3_def,S6_def,Calling_def])
  10.273 -               [] [] 1
  10.274 -	    ]);
  10.275 +Goal "|- RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p\
  10.276 +\        & unchanged (e p, c p, m p) \
  10.277 +\        --> (S6 rmhist p)$";
  10.278 +by (action_simp_tac 
  10.279 +      (simpset() addsimps [HNext_def,RPCFail_def,Return_def,e_def,c_def,m_def,
  10.280 +			   caller_def,rtrner_def,MVOKBARF_def,
  10.281 +			   S_def,S3_def,S6_def,Calling_def])
  10.282 +      [] [] 1);
  10.283 +qed "S3Fail";
  10.284  
  10.285 -qed_goal "S3MemUnch" MemoryImplementation.thy
  10.286 -   "|- [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) --> unchanged (m p)"
  10.287 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S3_def] addSDs2 [Memoryidle]) ]);
  10.288 +Goal "|- [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) --> unchanged (m p)";
  10.289 +by (auto_tac (MI_css addsimps2 [S_def,S3_def] addSDs2 [Memoryidle]));
  10.290 +qed "S3MemUnch";
  10.291  
  10.292 -qed_goal "S3Hist" MemoryImplementation.thy
  10.293 -   "|- HNext rmhist p & $(S3 rmhist p) & unchanged (r p) --> unchanged (rmhist!p)"
  10.294 -   (fn _ => [auto_tac (MI_css
  10.295 -		       addsimps2 [HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
  10.296 -				  Return_def,r_def,rtrner_def,S_def,S3_def,Calling_def])
  10.297 -	    ]);
  10.298 -
  10.299 +Goal "|- HNext rmhist p & $(S3 rmhist p) & unchanged (r p) --> unchanged (rmhist!p)";
  10.300 +by (auto_tac (MI_css addsimps2 [HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
  10.301 +			        Return_def,r_def,rtrner_def,S_def,S3_def,Calling_def]));
  10.302 +qed "S3Hist";
  10.303  
  10.304  (* ------------------------------ State S4 ---------------------------------------- *)
  10.305  
  10.306 -qed_goal "S4EnvUnch" MemoryImplementation.thy
  10.307 -   "|- [ENext p]_(e p) & $(S4 rmhist p) --> unchanged (e p)"
  10.308 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S4_def] addSDs2 [Envbusy]) ]);
  10.309 +Goal "|- [ENext p]_(e p) & $(S4 rmhist p) --> unchanged (e p)";
  10.310 +by (auto_tac (MI_css addsimps2 [S_def,S4_def] addSDs2 [Envbusy]));
  10.311 +qed "S4EnvUnch";
  10.312  
  10.313 -qed_goal "S4ClerkUnch" MemoryImplementation.thy
  10.314 -   "|- [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) --> unchanged (c p)"
  10.315 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S4_def] addSDs2 [MClkbusy]) ]);
  10.316 +Goal "|- [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) --> unchanged (c p)";
  10.317 +by (auto_tac (MI_css addsimps2 [S_def,S4_def] addSDs2 [MClkbusy]));
  10.318 +qed "S4ClerkUnch";
  10.319  
  10.320 -qed_goal "S4RPCUnch" MemoryImplementation.thy
  10.321 -   "|- [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) --> unchanged (r p)"
  10.322 -   (fn _ => [auto_tac (MI_fast_css addsimps2 [S_def,S4_def] addSDs2 [RPCbusy]) ]);
  10.323 +Goal "|- [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) --> unchanged (r p)";
  10.324 +by (auto_tac (MI_fast_css addsimps2 [S_def,S4_def] addSDs2 [RPCbusy]));
  10.325 +qed "S4RPCUnch";
  10.326  
  10.327 -qed_goal "S4ReadInner" MemoryImplementation.thy
  10.328 -   "|- ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p) \
  10.329 -\           & HNext rmhist p & $(MemInv mm l) \
  10.330 -\      --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.331 -   (fn _ => [action_simp_tac 
  10.332 -               (simpset() addsimps [ReadInner_def,GoodRead_def, BadRead_def,HNext_def,
  10.333 -				   MemReturn_def, RPCFail_def,MClkReply_def,Return_def,
  10.334 -				   e_def,c_def,r_def,rtrner_def,caller_def,MVNROKBA_def,
  10.335 -				   S_def,S4_def,RdRequest_def,Calling_def,MemInv_def])
  10.336 -               [] [] 1
  10.337 -	    ]);
  10.338 +Goal "|- ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p) \
  10.339 +\        & HNext rmhist p & $(MemInv mm l) \
  10.340 +\        --> (S4 rmhist p)$ & unchanged (rmhist!p)";
  10.341 +by (action_simp_tac 
  10.342 +      (simpset() addsimps [ReadInner_def,GoodRead_def, BadRead_def,HNext_def,
  10.343 +			   MemReturn_def, RPCFail_def,MClkReply_def,Return_def,
  10.344 +			   e_def,c_def,r_def,rtrner_def,caller_def,MVNROKBA_def,
  10.345 +			   S_def,S4_def,RdRequest_def,Calling_def,MemInv_def])
  10.346 +      [] [] 1);
  10.347 +qed "S4ReadInner";
  10.348  
  10.349 -qed_goal "S4Read" MemoryImplementation.thy
  10.350 -   "|- Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p) \
  10.351 -\           & HNext rmhist p & (!l. $MemInv mm l) \
  10.352 -\      --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.353 -   (fn _ => [auto_tac (MI_css addsimps2 [Read_def] addSDs2 [S4ReadInner]) ]);
  10.354 +Goal "|- Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p) \
  10.355 +\        & HNext rmhist p & (!l. $MemInv mm l) \
  10.356 +\        --> (S4 rmhist p)$ & unchanged (rmhist!p)";
  10.357 +by (auto_tac (MI_css addsimps2 [Read_def] addSDs2 [S4ReadInner]));
  10.358 +qed "S4Read";
  10.359  
  10.360 -qed_goal "S4WriteInner" MemoryImplementation.thy
  10.361 -   "|- WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p) \
  10.362 -\           & HNext rmhist p \
  10.363 -\      --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.364 -   (fn _ => [action_simp_tac 
  10.365 -               (simpset() addsimps [WriteInner_def,GoodWrite_def, BadWrite_def,HNext_def,
  10.366 -				   MemReturn_def,RPCFail_def,MClkReply_def,Return_def,
  10.367 -				   e_def,c_def,r_def,rtrner_def,caller_def,MVNROKBA_def, 
  10.368 -				   S_def,S4_def,WrRequest_def,Calling_def])
  10.369 -               [] [] 1
  10.370 -	    ]);
  10.371 +Goal "|- WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p) \
  10.372 +\        & HNext rmhist p \
  10.373 +\        --> (S4 rmhist p)$ & unchanged (rmhist!p)";
  10.374 +by (action_simp_tac 
  10.375 +      (simpset() addsimps [WriteInner_def,GoodWrite_def, BadWrite_def,HNext_def,
  10.376 +			   MemReturn_def,RPCFail_def,MClkReply_def,Return_def,
  10.377 +			   e_def,c_def,r_def,rtrner_def,caller_def,MVNROKBA_def, 
  10.378 +			   S_def,S4_def,WrRequest_def,Calling_def])
  10.379 +      [] [] 1);
  10.380 +qed "S4WriteInner";
  10.381  
  10.382 -qed_goal "S4Write" MemoryImplementation.thy
  10.383 -   "|- Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p) & (HNext rmhist p) \
  10.384 -\      --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  10.385 -   (fn _ => [ auto_tac (MI_css addsimps2 [Write_def] addSDs2 [S4WriteInner]) ]);
  10.386 +Goal "|- Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)\
  10.387 +\        & (HNext rmhist p) \
  10.388 +\        --> (S4 rmhist p)$ & unchanged (rmhist!p)";
  10.389 +by (auto_tac (MI_css addsimps2 [Write_def] addSDs2 [S4WriteInner]));
  10.390 +qed "S4Write";
  10.391  
  10.392 -qed_goal "WriteS4" MemoryImplementation.thy
  10.393 -   "|- $ImpInv rmhist p & Write rmCh mm ires p l --> $S4 rmhist p"
  10.394 -   (fn _ => [auto_tac (MI_css
  10.395 -		       addsimps2 [Write_def,WriteInner_def,ImpInv_def,WrRequest_def,
  10.396 -				  S_def,S1_def,S2_def,S3_def,S4_def,S5_def,S6_def])
  10.397 -            ]);
  10.398 +Goal "|- $ImpInv rmhist p & Write rmCh mm ires p l --> $S4 rmhist p";
  10.399 +by (auto_tac (MI_css addsimps2 [Write_def,WriteInner_def,ImpInv_def,WrRequest_def,
  10.400 +			        S_def,S1_def,S2_def,S3_def,S4_def,S5_def,S6_def]));
  10.401 +qed "WriteS4";
  10.402  
  10.403 -qed_goal "S4Return" MemoryImplementation.thy
  10.404 -   "|- MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p) & HNext rmhist p \
  10.405 -\      --> (S5 rmhist p)$"
  10.406 -   (fn _ => [auto_tac (MI_css
  10.407 -		       addsimps2 [HNext_def,MemReturn_def,Return_def,e_def,c_def,r_def,
  10.408 -				  rtrner_def,caller_def,MVNROKBA_def,MVOKBA_def,
  10.409 -		                  S_def,S4_def,S5_def,Calling_def])
  10.410 -	    ]);
  10.411 +Goal "|- MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p)\
  10.412 +\        & HNext rmhist p \
  10.413 +\        --> (S5 rmhist p)$";
  10.414 +by (auto_tac (MI_css addsimps2 [HNext_def,MemReturn_def,Return_def,e_def,c_def,r_def,
  10.415 +				rtrner_def,caller_def,MVNROKBA_def,MVOKBA_def,
  10.416 +		                S_def,S4_def,S5_def,Calling_def]));
  10.417 +qed "S4Return";
  10.418  
  10.419 -qed_goal "S4Hist" MemoryImplementation.thy
  10.420 -   "|- HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) --> (rmhist!p)$ = $(rmhist!p)"
  10.421 -   (fn _ => [auto_tac (MI_css
  10.422 -		       addsimps2 [HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
  10.423 -				  Return_def,m_def,rtrner_def,S_def,S4_def,Calling_def])
  10.424 -	    ]);
  10.425 +Goal "|- HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) --> (rmhist!p)$ = $(rmhist!p)";
  10.426 +by (auto_tac (MI_css addsimps2 [HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
  10.427 +				Return_def,m_def,rtrner_def,S_def,S4_def,Calling_def]));
  10.428 +qed "S4Hist";
  10.429  
  10.430  (* ------------------------------ State S5 ---------------------------------------- *)
  10.431  
  10.432 -qed_goal "S5EnvUnch" MemoryImplementation.thy
  10.433 -   "|- [ENext p]_(e p) & $(S5 rmhist p) --> unchanged (e p)"
  10.434 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [Envbusy]) ]);
  10.435 +Goal "|- [ENext p]_(e p) & $(S5 rmhist p) --> unchanged (e p)";
  10.436 +by (auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [Envbusy]));
  10.437 +qed "S5EnvUnch";
  10.438  
  10.439 -qed_goal "S5ClerkUnch" MemoryImplementation.thy
  10.440 -   "|- [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) --> unchanged (c p)"
  10.441 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [MClkbusy]) ]);
  10.442 +Goal "|- [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) --> unchanged (c p)";
  10.443 +by (auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [MClkbusy]));
  10.444 +qed "S5ClerkUnch";
  10.445  
  10.446 -qed_goal "S5RPC" MemoryImplementation.thy
  10.447 -   "|- RPCNext crCh rmCh rst p & $(S5 rmhist p)   \
  10.448 -\      --> RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p"
  10.449 -   (fn _ => [auto_tac (MI_css
  10.450 -		       addsimps2 [RPCNext_def,RPCReject_def,RPCFwd_def,S_def,S5_def])
  10.451 -	    ]);
  10.452 +Goal "|- RPCNext crCh rmCh rst p & $(S5 rmhist p)   \
  10.453 +\        --> RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p";
  10.454 +by (auto_tac (MI_css addsimps2 [RPCNext_def,RPCReject_def,RPCFwd_def,S_def,S5_def]));
  10.455 +qed "S5RPC";
  10.456  
  10.457 -qed_goal "S5Reply" MemoryImplementation.thy
  10.458 -   "|- RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p) \
  10.459 -\      --> (S6 rmhist p)$"
  10.460 -   (fn _ => [action_simp_tac 
  10.461 -               (simpset()
  10.462 -		addsimps [RPCReply_def,Return_def,e_def,c_def,m_def,
  10.463 -			  MVOKBA_def,MVOKBARF_def,caller_def,rtrner_def,
  10.464 -			  S_def,S5_def,S6_def,Calling_def])
  10.465 -               [] [] 1
  10.466 -	    ]);
  10.467 +Goal "|- RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)\
  10.468 +\      --> (S6 rmhist p)$";
  10.469 +by (action_simp_tac 
  10.470 +      (simpset() addsimps [RPCReply_def,Return_def,e_def,c_def,m_def,
  10.471 +			   MVOKBA_def,MVOKBARF_def,caller_def,rtrner_def,
  10.472 +			   S_def,S5_def,S6_def,Calling_def])
  10.473 +      [] [] 1);
  10.474 +qed "S5Reply";
  10.475  
  10.476 -qed_goal "S5Fail" MemoryImplementation.thy
  10.477 -   "|- RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p) \
  10.478 -\      --> (S6 rmhist p)$"
  10.479 -   (fn _ => [action_simp_tac
  10.480 -	       (simpset()
  10.481 -		addsimps [RPCFail_def,Return_def,e_def,c_def,m_def,
  10.482 -			  MVOKBARF_def,caller_def,rtrner_def,
  10.483 -			  S_def,S5_def,S6_def,Calling_def])
  10.484 -               [] [] 1
  10.485 -	    ]);
  10.486 +Goal "|- RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p) \
  10.487 +\        --> (S6 rmhist p)$";
  10.488 +by (action_simp_tac
  10.489 +      (simpset() addsimps [RPCFail_def,Return_def,e_def,c_def,m_def,
  10.490 +			   MVOKBARF_def,caller_def,rtrner_def,
  10.491 +			   S_def,S5_def,S6_def,Calling_def])
  10.492 +      [] [] 1);
  10.493 +qed "S5Fail";
  10.494  
  10.495 -qed_goal "S5MemUnch" MemoryImplementation.thy
  10.496 -   "|- [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) --> unchanged (m p)"
  10.497 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [Memoryidle]) ]);
  10.498 +Goal "|- [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) --> unchanged (m p)";
  10.499 +by (auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [Memoryidle]));
  10.500 +qed "S5MemUnch";
  10.501  
  10.502 -qed_goal "S5Hist" MemoryImplementation.thy
  10.503 -   "|- [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p) --> (rmhist!p)$ = $(rmhist!p)"
  10.504 -   (fn _ => [auto_tac (MI_fast_css
  10.505 -		       addsimps2 [HNext_def,MemReturn_def,
  10.506 -				  RPCFail_def,MClkReply_def,Return_def,S_def,S5_def])
  10.507 -	    ]);
  10.508 +Goal "|- [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p)\
  10.509 +\        --> (rmhist!p)$ = $(rmhist!p)";
  10.510 +by (auto_tac (MI_fast_css
  10.511 +	      addsimps2 [HNext_def,MemReturn_def,
  10.512 +		         RPCFail_def,MClkReply_def,Return_def,S_def,S5_def]));
  10.513 +qed "S5Hist";
  10.514  
  10.515  (* ------------------------------ State S6 ---------------------------------------- *)
  10.516  
  10.517 -qed_goal "S6EnvUnch" MemoryImplementation.thy
  10.518 -   "|- [ENext p]_(e p) & $(S6 rmhist p) --> unchanged (e p)"
  10.519 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [Envbusy]) ]);
  10.520 +Goal "|- [ENext p]_(e p) & $(S6 rmhist p) --> unchanged (e p)";
  10.521 +by (auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [Envbusy]));
  10.522 +qed "S6EnvUnch";
  10.523  
  10.524 -qed_goal "S6Clerk" MemoryImplementation.thy
  10.525 -   "|- MClkNext memCh crCh cst p & $(S6 rmhist p) \
  10.526 -\      --> MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p"
  10.527 -   (fn _ => [ auto_tac (MI_css addsimps2 [MClkNext_def,MClkFwd_def,S_def,S6_def]) ]);
  10.528 +Goal "|- MClkNext memCh crCh cst p & $(S6 rmhist p) \
  10.529 +\        --> MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p";
  10.530 +by (auto_tac (MI_css addsimps2 [MClkNext_def,MClkFwd_def,S_def,S6_def]));
  10.531 +qed "S6Clerk";
  10.532  
  10.533 -qed_goal "S6Retry" MemoryImplementation.thy
  10.534 -   "|- MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p & unchanged (e p,r p,m p) \
  10.535 -\      --> (S3 rmhist p)$ & unchanged (rmhist!p)"
  10.536 -   (fn _ => [action_simp_tac
  10.537 -	        (simpset() addsimps [HNext_def,MClkReply_def,MClkRetry_def,Call_def,
  10.538 -				    Return_def,e_def,r_def,m_def,caller_def,rtrner_def,
  10.539 -		                    S_def,S6_def,S3_def,Calling_def])
  10.540 -                [] [] 1]);
  10.541 +Goal "|- MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p\
  10.542 +\        & unchanged (e p,r p,m p) \
  10.543 +\        --> (S3 rmhist p)$ & unchanged (rmhist!p)";
  10.544 +by (action_simp_tac
  10.545 +      (simpset() addsimps [HNext_def,MClkReply_def,MClkRetry_def,Call_def,
  10.546 +	                   Return_def,e_def,r_def,m_def,caller_def,rtrner_def,
  10.547 +                           S_def,S6_def,S3_def,Calling_def])
  10.548 +      [] [] 1);
  10.549 +qed "S6Retry";
  10.550  
  10.551 -qed_goal "S6Reply" MemoryImplementation.thy
  10.552 -   "|- MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p & unchanged (e p,r p,m p) \
  10.553 -\      --> (S1 rmhist p)$"
  10.554 -   (fn _ => [action_simp_tac (simpset()
  10.555 -			      addsimps [HNext_def,MemReturn_def,RPCFail_def,Return_def,
  10.556 -					MClkReply_def,e_def,r_def,m_def,caller_def,rtrner_def,
  10.557 -					S_def,S6_def,S1_def,Calling_def])
  10.558 -	                     [] [] 1
  10.559 -	    ]);
  10.560 +Goal "|- MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p\
  10.561 +\        & unchanged (e p,r p,m p) \
  10.562 +\        --> (S1 rmhist p)$";
  10.563 +by (action_simp_tac 
  10.564 +      (simpset() addsimps [HNext_def,MemReturn_def,RPCFail_def,Return_def,
  10.565 +		           MClkReply_def,e_def,r_def,m_def,caller_def,rtrner_def,
  10.566 +                           S_def,S6_def,S1_def,Calling_def])
  10.567 +      [] [] 1);
  10.568 +qed "S6Reply";
  10.569  
  10.570 -qed_goal "S6RPCUnch" MemoryImplementation.thy
  10.571 -   "|- [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p --> unchanged (r p)"
  10.572 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [RPCidle]) ]);
  10.573 -
  10.574 -qed_goal "S6MemUnch" MemoryImplementation.thy
  10.575 -   "|- [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) --> unchanged (m p)"
  10.576 -   (fn _ => [auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [Memoryidle]) ]);
  10.577 +Goal "|- [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p --> unchanged (r p)";
  10.578 +by (auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [RPCidle]));
  10.579 +qed "S6RPCUnch";
  10.580  
  10.581 -qed_goal "S6Hist" MemoryImplementation.thy
  10.582 -   "|- HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) --> (rmhist!p)$ = $(rmhist!p)"
  10.583 -   (fn _ => [auto_tac (MI_css
  10.584 -		       addsimps2 [HNext_def,MClkReply_def,Return_def,c_def,rtrner_def,
  10.585 -		                  S_def,S6_def,Calling_def])
  10.586 -	    ]);
  10.587 +Goal "|- [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) --> unchanged (m p)";
  10.588 +by (auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [Memoryidle]));
  10.589 +qed "S6MemUnch";
  10.590  
  10.591 +Goal "|- HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) --> (rmhist!p)$ = $(rmhist!p)";
  10.592 +by (auto_tac (MI_css addsimps2 [HNext_def,MClkReply_def,Return_def,c_def,rtrner_def,
  10.593 +		                S_def,S6_def,Calling_def]));
  10.594 +qed "S6Hist";
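--- a/src/HOL/TLA/Memory/MemClerk.ML	Thu Aug 03 19:28:37 2000 +0200
+++ b/src/HOL/TLA/Memory/MemClerk.ML	Thu Aug 03 19:29:03 2000 +0200
@@ -16,47 +16,42 @@
 (* The Clerk engages in an action for process p only if there is an outstanding,
    unanswered call for that process.
 *)
+Goal "|- ~$Calling send p & $(cst!p) = #clkA --> ~MClkNext send rcv cst p";
+by (auto_tac (mem_css addsimps2 (Return_def::MC_action_defs)));
+qed "MClkidle";
 
-qed_goal "MClkidle" MemClerk.thy
-   "|- ~$Calling send p & $(cst!p) = #clkA --> ~MClkNext send rcv cst p"
-   (fn _ => [ auto_tac (mem_css addsimps2 (Return_def::MC_action_defs)) ]);
-
-qed_goal "MClkbusy" MemClerk.thy
-   "|- $Calling rcv p --> ~MClkNext send rcv cst p"
-   (fn _ => [ auto_tac (mem_css addsimps2 (MC_action_defs @ [Call_def])) ]);
+Goal "|- $Calling rcv p --> ~MClkNext send rcv cst p";
+by (auto_tac (mem_css addsimps2 (Call_def::MC_action_defs)));
+qed "MClkbusy";
 
 (* Enabledness of actions *)
 
-qed_goal "MClkFwd_enabled" MemClerk.thy
-   "!!p. basevars (rtrner send!p, caller rcv!p, cst!p) ==> \
-\        |- Calling send p & ~Calling rcv p & cst!p = #clkA  \
-\           --> Enabled (MClkFwd send rcv cst p)"
-   (fn _ => [action_simp_tac (simpset() addsimps [MClkFwd_def,Call_def,caller_def,rtrner_def])
-                             [exI] [base_enabled,Pair_inject] 1]);
+Goal "!!p. basevars (rtrner send!p, caller rcv!p, cst!p) ==> \
+\     |- Calling send p & ~Calling rcv p & cst!p = #clkA  \
+\        --> Enabled (MClkFwd send rcv cst p)";
+by (action_simp_tac (simpset() addsimps [MClkFwd_def,Call_def,caller_def,rtrner_def])
+                    [exI] [base_enabled,Pair_inject] 1);
+qed "MClkFwd_enabled";
 
-qed_goal "MClkFwd_ch_enabled" MemClerk.thy
-   "|- Enabled (MClkFwd send rcv cst p)  -->  \
-\      Enabled (<MClkFwd send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
-   (fn _ => [auto_tac (mem_css addSEs2 [enabled_mono]
-	                       addsimps2 [angle_def,MClkFwd_def])
-  	    ]);
+Goal "|- Enabled (MClkFwd send rcv cst p)  -->  \
+\        Enabled (<MClkFwd send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))";
+by (auto_tac (mem_css addSEs2 [enabled_mono] addsimps2 [angle_def,MClkFwd_def]));
+qed "MClkFwd_ch_enabled";
 
-qed_goal "MClkReply_change" MemClerk.thy
-   "|- MClkReply send rcv cst p --> <MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p)"
-   (fn _ => [auto_tac (mem_css addsimps2 [angle_def,MClkReply_def]
-			       addEs2 [Return_changed])
-            ]);
+Goal "|- MClkReply send rcv cst p --> \
+\        <MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p)";
+by (auto_tac (mem_css addsimps2 [angle_def,MClkReply_def]
+	              addEs2 [Return_changed]));
+qed "MClkReply_change";
 
-qed_goal "MClkReply_enabled" MemClerk.thy
-   "!!p. basevars (rtrner send!p, caller rcv!p, cst!p) ==> \
-\        |- Calling send p & ~Calling rcv p & cst!p = #clkB  \
-\           --> Enabled (<MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
-   (fn _ => [action_simp_tac (simpset()) [MClkReply_change RSN (2,enabled_mono)] [] 1,
-	     action_simp_tac (simpset() addsimps [MClkReply_def,Return_def,caller_def,rtrner_def])
-                             [exI] [base_enabled,Pair_inject] 1
-	    ]);
+Goal "!!p. basevars (rtrner send!p, caller rcv!p, cst!p) ==> \
+\     |- Calling send p & ~Calling rcv p & cst!p = #clkB  \
+\        --> Enabled (<MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))";
+by (action_simp_tac (simpset()) [MClkReply_change RSN (2,enabled_mono)] [] 1);
+by (action_simp_tac (simpset() addsimps [MClkReply_def,Return_def,caller_def,rtrner_def])
+                    [exI] [base_enabled,Pair_inject] 1);
+qed "MClkReply_enabled";
 
-qed_goal "MClkReplyNotRetry" MemClerk.thy
-   "|- MClkReply send rcv cst p --> ~MClkRetry send rcv cst p"
-   (fn _ => [ auto_tac (mem_css addsimps2 [MClkReply_def,MClkRetry_def]) ]);
-
+Goal "|- MClkReply send rcv cst p --> ~MClkRetry send rcv cst p";
+by (auto_tac (mem_css addsimps2 [MClkReply_def,MClkRetry_def]));
+qed "MClkReplyNotRetry";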
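Review bot: The continuation indentation in the new proof scripts mixes tabs and spaces: the `addEs2 [Return_changed]));` line of `MClkReply_change` (new-file line 56) is indented with a tab, while the parallel continuations in `MClkFwd_enabled` and `MClkReply_enabled` (new-file lines 34 and 72) use spaces, so the alignment under `mem_css` only holds at an 8-column tab stop. Converting that one line to spaces, `                      addEs2 [Return_changed]));`, keeps the section uniform. Separately, the header comment above `MClkidle` documents only that lemma; a one-line comment above the `MClkbusy` goal (new-file line 18), such as `(* ... nor while the Clerk's own call on rcv for p is still outstanding. *)`, would state the second idleness condition — hedged, since the meaning of `Calling rcv p` is fixed by a definition outside this file.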
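--- a/src/HOL/TLA/Memory/MemClerk.thy	Thu Aug 03 19:28:37 2000 +0200
+++ b/src/HOL/TLA/Memory/MemClerk.thy	Thu Aug 03 19:29:03 2000 +0200
@@ -62,7 +62,7 @@
                          & SF(MClkReply send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)"
 
  MClkISpec     :: "mClkSndChType => mClkRcvChType => mClkStType => temporal"
-      "MClkISpec send rcv cst == TEMP (!p. MClkIPSpec send rcv cst p)"
+      "MClkISpec send rcv cst == TEMP (ALL p. MClkIPSpec send rcv cst p)"
 
 end
 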
    13.1 --- a/src/HOL/TLA/Memory/Memory.ML	Thu Aug 03 19:28:37 2000 +0200
    13.2 +++ b/src/HOL/TLA/Memory/Memory.ML	Thu Aug 03 19:29:03 2000 +0200
    13.3 @@ -22,112 +22,104 @@
    13.4  (* -------------------- Proofs ---------------------------------------------- *)
    13.5  
    13.6  (* The reliable memory is an implementation of the unreliable one *)
    13.7 -qed_goal "ReliableImplementsUnReliable" Memory.thy 
    13.8 -   "|- IRSpec ch mm rs --> IUSpec ch mm rs"
    13.9 -   (K [force_tac (temp_css addsimps2 ([UNext_def,UPSpec_def,IUSpec_def] @ RM_temp_defs)
   13.10 -			   addSEs2 [STL4E,squareE]) 1]);
   13.11 +Goal "|- IRSpec ch mm rs --> IUSpec ch mm rs";
   13.12 +by (force_tac (temp_css addsimps2 ([UNext_def,UPSpec_def,IUSpec_def] @ RM_temp_defs)
   13.13 +			addSEs2 [STL4E,squareE]) 1);
   13.14 +qed "ReliableImplementsUnReliable";
   13.15  
   13.16  (* The memory spec implies the memory invariant *)
   13.17 -qed_goal "MemoryInvariant" Memory.thy 
   13.18 -   "|- MSpec ch mm rs l --> [](MemInv mm l)"
   13.19 -   (fn _ => [ auto_inv_tac (simpset() addsimps RM_temp_defs @ RM_action_defs) 1 ]);
   13.20 +Goal "|- MSpec ch mm rs l --> [](MemInv mm l)";
   13.21 +by (auto_inv_tac (simpset() addsimps RM_temp_defs @ RM_action_defs) 1);
   13.22 +qed "MemoryInvariant";
   13.23  
   13.24  (* The invariant is trivial for non-locations *)
   13.25 -qed_goal "NonMemLocInvariant" Memory.thy
   13.26 -   "|- #l ~: #MemLoc --> [](MemInv mm l)"
   13.27 -   (K [ auto_tac (temp_css addsimps2 [MemInv_def] addSIs2 [necT]) ]);
   13.28 +Goal "|- #l ~: #MemLoc --> [](MemInv mm l)";
   13.29 +by (auto_tac (temp_css addsimps2 [MemInv_def] addSIs2 [necT]));
   13.30 +qed "NonMemLocInvariant";
   13.31  
   13.32 -qed_goal "MemoryInvariantAll" Memory.thy
   13.33 -   "|- (!l. #l : #MemLoc --> MSpec ch mm rs l) --> (!l. [](MemInv mm l))"
   13.34 -    (K [step_tac temp_cs 1,
   13.35 -	case_tac "l : MemLoc" 1,
   13.36 -	auto_tac (temp_css addSEs2 [MemoryInvariant,NonMemLocInvariant]) ]);
   13.37 +Goal "|- (ALL l. #l : #MemLoc --> MSpec ch mm rs l) --> (ALL l. [](MemInv mm l))";
   13.38 +by (step_tac temp_cs 1);
   13.39 +by (case_tac "l : MemLoc" 1);
   13.40 +by (auto_tac (temp_css addSEs2 [MemoryInvariant,NonMemLocInvariant]));
   13.41 +qed "MemoryInvariantAll";
   13.42  
   13.43  (* The memory engages in an action for process p only if there is an 
   13.44     unanswered call from p.
   13.45     We need this only for the reliable memory.
   13.46  *)
   13.47  
   13.48 -qed_goal "Memoryidle" Memory.thy
   13.49 -   "|- ~$(Calling ch p) --> ~ RNext ch mm rs p"
   13.50 -   (K [ auto_tac (mem_css addsimps2 (Return_def::RM_action_defs)) ]);
   13.51 +Goal "|- ~$(Calling ch p) --> ~ RNext ch mm rs p";
   13.52 +by (auto_tac (mem_css addsimps2 (Return_def::RM_action_defs)));
   13.53 +qed "Memoryidle";
   13.54  
   13.55  (* Enabledness conditions *)
   13.56  
   13.57 -qed_goal "MemReturn_change" Memory.thy
   13.58 -   "|- MemReturn ch rs p --> <MemReturn ch rs p>_(rtrner ch ! p, rs!p)"
   13.59 -   (K [ force_tac (mem_css addsimps2 [MemReturn_def,angle_def]) 1]);
   13.60 +Goal "|- MemReturn ch rs p --> <MemReturn ch rs p>_(rtrner ch ! p, rs!p)";
   13.61 +by (force_tac (mem_css addsimps2 [MemReturn_def,angle_def]) 1);
   13.62 +qed "MemReturn_change";
   13.63  
   13.64 -qed_goal "MemReturn_enabled" Memory.thy
   13.65 -   "!!p. basevars (rtrner ch ! p, rs!p) ==> \
   13.66 -\        |- Calling ch p & (rs!p ~= #NotAResult) \
   13.67 -\           --> Enabled (<MemReturn ch rs p>_(rtrner ch ! p, rs!p))"
   13.68 -  (K [action_simp_tac (simpset()) [MemReturn_change RSN (2,enabled_mono)] [] 1,
   13.69 -      action_simp_tac (simpset() addsimps [MemReturn_def,Return_def,rtrner_def])
   13.70 -                      [exI] [base_enabled,Pair_inject] 1
   13.71 -     ]);
   13.72 +Goal "!!p. basevars (rtrner ch ! p, rs!p) ==> \
   13.73 +\     |- Calling ch p & (rs!p ~= #NotAResult) \
   13.74 +\        --> Enabled (<MemReturn ch rs p>_(rtrner ch ! p, rs!p))";
   13.75 +by (action_simp_tac (simpset()) [MemReturn_change RSN (2,enabled_mono)] [] 1);
   13.76 +by (action_simp_tac (simpset() addsimps [MemReturn_def,Return_def,rtrner_def])
   13.77 +                    [exI] [base_enabled,Pair_inject] 1);
   13.78 +qed "MemReturn_enabled";
   13.79  
   13.80 -qed_goal "ReadInner_enabled" Memory.thy
   13.81 - "!!p. basevars (rtrner ch ! p, rs!p) ==> \
   13.82 -\      |- Calling ch p & (arg<ch!p> = #(read l)) --> Enabled (ReadInner ch mm rs p l)"
   13.83 -   (fn _ => [case_tac "l : MemLoc" 1,
   13.84 -             ALLGOALS
   13.85 -	        (force_tac (mem_css addsimps2 [ReadInner_def,GoodRead_def,
   13.86 -                                               BadRead_def,RdRequest_def]
   13.87 -                            addSIs2 [exI] addSEs2 [base_enabled]))
   13.88 -            ]);
   13.89 +Goal "!!p. basevars (rtrner ch ! p, rs!p) ==> \
   13.90 +\     |- Calling ch p & (arg<ch!p> = #(read l)) --> Enabled (ReadInner ch mm rs p l)";
   13.91 +by (case_tac "l : MemLoc" 1);
   13.92 +by (ALLGOALS
   13.93 +     (force_tac (mem_css addsimps2 [ReadInner_def,GoodRead_def,
   13.94 +                                    BadRead_def,RdRequest_def]
   13.95 +                         addSIs2 [exI] addSEs2 [base_enabled])));
   13.96 +qed "ReadInner_enabled";
   13.97  
   13.98 -qed_goal "WriteInner_enabled" Memory.thy
   13.99 -   "!!p. basevars (mm!l, rtrner ch ! p, rs!p) ==> \
  13.100 -\        |- Calling ch p & (arg<ch!p> = #(write l v)) \
  13.101 -\           --> Enabled (WriteInner ch mm rs p l v)"
  13.102 -   (fn _ => [case_tac "l:MemLoc & v:MemVal" 1,
  13.103 -             ALLGOALS 
  13.104 -	        (force_tac (mem_css addsimps2 [WriteInner_def,GoodWrite_def,
  13.105 -                                               BadWrite_def,WrRequest_def]
  13.106 -                            addSIs2 [exI] addSEs2 [base_enabled]))
  13.107 -            ]);
  13.108 +Goal "!!p. basevars (mm!l, rtrner ch ! p, rs!p) ==> \
  13.109 +\     |- Calling ch p & (arg<ch!p> = #(write l v)) \
  13.110 +\        --> Enabled (WriteInner ch mm rs p l v)";
  13.111 +by (case_tac "l:MemLoc & v:MemVal" 1);
  13.112 +by (ALLGOALS 
  13.113 +     (force_tac (mem_css addsimps2 [WriteInner_def,GoodWrite_def,
  13.114 +                                    BadWrite_def,WrRequest_def]
  13.115 +                         addSIs2 [exI] addSEs2 [base_enabled])));
  13.116 +qed "WriteInner_enabled";
  13.117  
  13.118 -qed_goal "ReadResult" Memory.thy
  13.119 -   "|- Read ch mm rs p & (!l. $(MemInv mm l)) --> (rs!p)` ~= #NotAResult"
  13.120 -   (fn _ => [force_tac (mem_css addsimps2 
  13.121 -                            [Read_def,ReadInner_def,GoodRead_def,BadRead_def,MemInv_def]) 1]);
  13.122 +Goal "|- Read ch mm rs p & (!l. $(MemInv mm l)) --> (rs!p)` ~= #NotAResult";
  13.123 +by (force_tac (mem_css addsimps2 
  13.124 +                       [Read_def,ReadInner_def,GoodRead_def,BadRead_def,MemInv_def]) 1);
  13.125 +qed "ReadResult";
  13.126  
  13.127 -qed_goal "WriteResult" Memory.thy
  13.128 -   "|- Write ch mm rs p l --> (rs!p)` ~= #NotAResult"
  13.129 -   (fn _ => [auto_tac (mem_css addsimps2 ([Write_def,WriteInner_def,GoodWrite_def,BadWrite_def]))
  13.130 -	    ]);
  13.131 +Goal "|- Write ch mm rs p l --> (rs!p)` ~= #NotAResult";
  13.132 +by (auto_tac (mem_css addsimps2 ([Write_def,WriteInner_def,GoodWrite_def,BadWrite_def])));
  13.133 +qed "WriteResult";
  13.134  
  13.135 -qed_goal "ReturnNotReadWrite" Memory.thy
  13.136 -   "|- (!l. $MemInv mm l) & MemReturn ch rs p \
  13.137 -\      --> ~ Read ch mm rs p & (!l. ~ Write ch mm rs p l)"
  13.138 -   (fn _ => [auto_tac
  13.139 -	       (mem_css addsimps2 [MemReturn_def] addSDs2 [WriteResult, ReadResult])
  13.140 -	    ]);
  13.141 +Goal "|- (ALL l. $MemInv mm l) & MemReturn ch rs p \
  13.142 +\        --> ~ Read ch mm rs p & (ALL l. ~ Write ch mm rs p l)";
  13.143 +by (auto_tac (mem_css addsimps2 [MemReturn_def] addSDs2 [WriteResult, ReadResult]));
  13.144 +qed "ReturnNotReadWrite";
  13.145  
  13.146 -qed_goal "RWRNext_enabled" Memory.thy
  13.147 -   "|- (rs!p = #NotAResult) & (!l. MemInv mm l)  \
  13.148 -\          & Enabled (Read ch mm rs p | (? l. Write ch mm rs p l)) \
  13.149 -\      --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
  13.150 -   (K [force_tac (mem_css addsimps2 [RNext_def,angle_def]
  13.151 -	     addSEs2 [enabled_mono2]
  13.152 -	     addDs2 [ReadResult, WriteResult]) 1]);
  13.153 +Goal "|- (rs!p = #NotAResult) & (!l. MemInv mm l)  \
  13.154 +\        & Enabled (Read ch mm rs p | (? l. Write ch mm rs p l)) \
  13.155 +\        --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))";
  13.156 +by (force_tac (mem_css addsimps2 [RNext_def,angle_def]
  13.157 +	               addSEs2 [enabled_mono2]
  13.158 +	               addDs2 [ReadResult, WriteResult]) 1);
  13.159 +qed "RWRNext_enabled";
  13.160  
  13.161  
  13.162  (* Combine previous lemmas: the memory can make a visible step if there is an
  13.163     outstanding call for which no result has been produced.
  13.164  *)
  13.165 -qed_goal "RNext_enabled" Memory.thy
  13.166 -"!!p. !l. basevars (mm!l, rtrner ch!p, rs!p) ==> \
  13.167 +Goal "!!p. !l. basevars (mm!l, rtrner ch!p, rs!p) ==> \
  13.168  \     |- (rs!p = #NotAResult) & Calling ch p & (!l. MemInv mm l)  \
  13.169 -\        --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))" (K [
  13.170 -	     auto_tac (mem_css addsimps2 [enabled_disj]
  13.171 -		                  addSIs2 [RWRNext_enabled]),
  13.172 -             case_tac "arg(ch w p)" 1,
  13.173 - 	      action_simp_tac (simpset()addsimps[Read_def,enabled_ex])
  13.174 -	                      [ReadInner_enabled,exI] [] 1,
  13.175 -              force_tac (mem_css addDs2 [base_pair]) 1,
  13.176 -	     etac swap 1,
  13.177 -	     action_simp_tac (simpset() addsimps [Write_def,enabled_ex])
  13.178 -	                     [WriteInner_enabled,exI] [] 1]);
  13.179 -
  13.180 +\        --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))";
  13.181 +by (auto_tac (mem_css addsimps2 [enabled_disj] addSIs2 [RWRNext_enabled]));
  13.182 +by (case_tac "arg(ch w p)" 1);
  13.183 + by (action_simp_tac (simpset()addsimps[Read_def,enabled_ex])
  13.184 +                     [ReadInner_enabled,exI] [] 1);
  13.185 + by (force_tac (mem_css addDs2 [base_pair]) 1);
  13.186 +by (etac swap 1);
  13.187 +by (action_simp_tac (simpset() addsimps [Write_def,enabled_ex])
  13.188 +	            [WriteInner_enabled,exI] [] 1);
  13.189 +qed "RNext_enabled";
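--- a/src/HOL/TLA/Memory/Memory.thy
+++ b/src/HOL/TLA/Memory/Memory.thy
@@ -74,7 +74,7 @@
                         & (GoodRead mm rs p l  |  BadRead mm rs p l)
                         & unchanged (rtrner ch ! p)"
   (* the read action with l quantified *)
-  Read_def          "Read ch mm rs p == ACT (? l. ReadInner ch mm rs p l)"
+  Read_def          "Read ch mm rs p == ACT (EX l. ReadInner ch mm rs p l)"
 
   (* similar definitions for the write action *)
   GoodWrite_def     "GoodWrite mm rs p l v == ACT
@@ -87,7 +87,7 @@
                        $(WrRequest ch p l v)
                        & (GoodWrite mm rs p l v  |  BadWrite mm rs p l v)
                        & unchanged (rtrner ch ! p)"
-  Write_def         "Write ch mm rs p l == ACT (? v. WriteInner ch mm rs p l v)"
+  Write_def         "Write ch mm rs p l == ACT (EX v. WriteInner ch mm rs p l v)"
 
   (* the return action *)
   MemReturn_def     "MemReturn ch rs p == ACT
@@ -103,7 +103,7 @@
   (* next-state relations for reliable / unreliable memory *)
   RNext_def         "RNext ch mm rs p == ACT 
                      (  Read ch mm rs p
-                        | (? l. Write ch mm rs p l)
+                        | (EX l. Write ch mm rs p l)
                         | MemReturn ch rs p)"
   UNext_def         "UNext ch mm rs p == ACT
                        (RNext ch mm rs p | MemFail ch rs p)"
@@ -120,13 +120,13 @@
                        & WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)"
   MSpec_def         "MSpec ch mm rs l == TEMP
                        Init(MInit mm l)
-                        & [][ ? p. Write ch mm rs p l ]_(mm!l)"
+                        & [][ EX p. Write ch mm rs p l ]_(mm!l)"
   IRSpec_def        "IRSpec ch mm rs == TEMP
-                        (! p. RPSpec ch mm rs p)
-                        & (! l. #l : #MemLoc --> MSpec ch mm rs l)"
+                        (ALL p. RPSpec ch mm rs p)
+                        & (ALL l. #l : #MemLoc --> MSpec ch mm rs l)"
   IUSpec_def        "IUSpec ch mm rs == TEMP
-                        (! p. UPSpec ch mm rs p)
-                        & (! l. #l : #MemLoc --> MSpec ch mm rs l)"
+                        (ALL p. UPSpec ch mm rs p)
+                        & (ALL l. #l : #MemLoc --> MSpec ch mm rs l)"
 
   RSpec_def         "RSpec ch rs == TEMP (EEX mm. IRSpec ch mm rs)"
   USpec_def         "USpec ch == TEMP (EEX mm rs. IUSpec ch mm rs)"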
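Review bot: The switch from `?`/`!` to `EX`/`ALL` in Read_def, Write_def, RNext_def, MSpec_def, IRSpec_def and IUSpec_def is applied only to this theory file, while the proof scripts touched by the same commit keep the ASCII forms: the RWRNext_enabled goal in Memory.ML still reads `(!l. MemInv mm l)` and `(? l. Write ch mm rs p l)`, and the new Step1_2_4 goal in MemoryImplementation.ML still uses `(? l. Write rmCh mm ires p l)`. Both spellings are presumably accepted by the parser, since the proofs are left as they are, but mixing them across files makes it harder to grep for a definition's quantifier structure and to see which convention is intended. Converting the goal strings in the same pass, or adding a short comment above these definitions naming the intended notation, would keep the theory and its proof scripts consistent. The definitions are otherwise unchanged.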
    15.1 --- a/src/HOL/TLA/Memory/MemoryImplementation.ML	Thu Aug 03 19:28:37 2000 +0200
    15.2 +++ b/src/HOL/TLA/Memory/MemoryImplementation.ML	Thu Aug 03 19:29:03 2000 +0200
    15.3 @@ -36,30 +36,30 @@
    15.4  (****************************** The history variable ******************************)
    15.5  section "History variable";
    15.6  
    15.7 -qed_goal "HistoryLemma" MemoryImplementation.thy
    15.8 -   "|- Init(!p. ImpInit p) & [](!p. ImpNext p)  \
    15.9 -\      --> (EEX rmhist. Init(! p. HInit rmhist p) \
   15.10 -\                     & [](!p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))"
   15.11 -   (fn _ => [Clarsimp_tac 1,
   15.12 -             rtac historyI 1, TRYALL atac, rtac MI_base 1,
   15.13 -             action_simp_tac (simpset() addsimps [HInit_def]) [] [] 1,
   15.14 -             etac fun_cong 1,
   15.15 -             action_simp_tac (simpset() addsimps [HNext_def]) [busy_squareI] [] 1,
   15.16 -             etac fun_cong 1
   15.17 -            ]);
   15.18 +Goal "|- Init(ALL p. ImpInit p) & [](ALL p. ImpNext p)  \
   15.19 +\        --> (EEX rmhist. Init(ALL p. HInit rmhist p) \
   15.20 +\                         & [](ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))";
   15.21 +by (Clarsimp_tac 1);
   15.22 +by (rtac historyI 1); 
   15.23 +by (TRYALL atac); 
   15.24 +by (rtac MI_base 1);
   15.25 +by (action_simp_tac (simpset() addsimps [HInit_def]) [] [] 1);
   15.26 +by (etac fun_cong 1);
   15.27 +by (action_simp_tac (simpset() addsimps [HNext_def]) [busy_squareI] [] 1);
   15.28 +by (etac fun_cong 1);
   15.29 +qed "HistoryLemma";
   15.30  
   15.31 -qed_goal "History" MemoryImplementation.thy
   15.32 -   "|- Implementation --> (EEX rmhist. Hist rmhist)"
   15.33 -   (fn _ => [Clarsimp_tac 1,
   15.34 -             rtac ((temp_use HistoryLemma) RS eex_mono) 1,
   15.35 -             force_tac (MI_css 
   15.36 -                        addsimps2 [Hist_def,HistP_def,Init_def,all_box,split_box_conj]) 3,
   15.37 -             auto_tac (MI_css
   15.38 -                       addsimps2 [Implementation_def,MClkISpec_def,RPCISpec_def,IRSpec_def,
   15.39 -                                  MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
   15.40 -                                  ImpInit_def,Init_def,ImpNext_def,
   15.41 -                                  c_def,r_def,m_def,all_box,split_box_conj])
   15.42 -            ]);
   15.43 +Goal "|- Implementation --> (EEX rmhist. Hist rmhist)";
   15.44 +by (Clarsimp_tac 1);
   15.45 +by (rtac ((temp_use HistoryLemma) RS eex_mono) 1);
   15.46 +by (force_tac (MI_css 
   15.47 +               addsimps2 [Hist_def,HistP_def,Init_def,all_box,split_box_conj]) 3);
   15.48 +by (auto_tac (MI_css
   15.49 +              addsimps2 [Implementation_def,MClkISpec_def,RPCISpec_def,IRSpec_def,
   15.50 +                         MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
   15.51 +                         ImpInit_def,Init_def,ImpNext_def,
   15.52 +                         c_def,r_def,m_def,all_box,split_box_conj]));
   15.53 +qed "History";
   15.54  
   15.55  (******************************** The safety part *********************************)
   15.56  
   15.57 @@ -74,82 +74,76 @@
   15.58  (* ========== Step 1.1 ================================================= *)
   15.59  (* The implementation's initial condition implies the state predicate S1 *)
   15.60  
   15.61 -qed_goal "Step1_1" MemoryImplementation.thy
   15.62 -   "|- ImpInit p & HInit rmhist p --> S1 rmhist p"
   15.63 -   (fn _ => [auto_tac (MI_fast_css
   15.64 -		       addsimps2 [MVNROKBA_def,MClkInit_def,RPCInit_def,PInit_def,
   15.65 -			          HInit_def,ImpInit_def,S_def,S1_def])
   15.66 -	    ]);
   15.67 +Goal "|- ImpInit p & HInit rmhist p --> S1 rmhist p";
   15.68 +by (auto_tac (MI_fast_css
   15.69 +              addsimps2 [MVNROKBA_def,MClkInit_def,RPCInit_def,PInit_def,
   15.70 +		         HInit_def,ImpInit_def,S_def,S1_def]));
   15.71 +qed "Step1_1";
   15.72  
   15.73  (* ========== Step 1.2 ================================================== *)
   15.74  (* Figure 16 is a predicate-action diagram for the implementation. *)
   15.75  
   15.76 -qed_goal "Step1_2_1" MemoryImplementation.thy
   15.77 -   "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
   15.78 -\             & ~unchanged (e p, c p, r p, m p, rmhist!p)  & $S1 rmhist p \
   15.79 -\      --> (S2 rmhist p)$ & ENext p & unchanged (c p, r p, m p)"
   15.80 -   (fn _ => [action_simp_tac (simpset() addsimps [ImpNext_def]) []
   15.81 -                             (map temp_elim [S1ClerkUnch,S1RPCUnch,S1MemUnch,S1Hist]) 1,
   15.82 -             auto_tac (MI_fast_css addSIs2 [S1Env])
   15.83 -	    ]);
   15.84 +Goal "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
   15.85 +\        & ~unchanged (e p, c p, r p, m p, rmhist!p)  & $S1 rmhist p \
   15.86 +\        --> (S2 rmhist p)$ & ENext p & unchanged (c p, r p, m p)";
   15.87 +by (action_simp_tac (simpset() addsimps [ImpNext_def]) []
   15.88 +                    (map temp_elim [S1ClerkUnch,S1RPCUnch,S1MemUnch,S1Hist]) 1);
   15.89 +by (auto_tac (MI_fast_css addSIs2 [S1Env]));
   15.90 +qed "Step1_2_1";
   15.91  
   15.92 -qed_goal "Step1_2_2" MemoryImplementation.thy
   15.93 -   "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
   15.94 -\             & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S2 rmhist p \
   15.95 -\      --> (S3 rmhist p)$ & MClkFwd memCh crCh cst p & unchanged (e p, r p, m p, rmhist!p)"
   15.96 -   (fn _ => [action_simp_tac (simpset() addsimps [ImpNext_def]) []
   15.97 -                             (map temp_elim [S2EnvUnch,S2RPCUnch,S2MemUnch,S2Hist]) 1,
   15.98 -	     auto_tac (MI_fast_css addSIs2 [S2Clerk,S2Forward])
   15.99 -	    ]);
  15.100 +Goal "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.101 +\        & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S2 rmhist p \
  15.102 +\        --> (S3 rmhist p)$ & MClkFwd memCh crCh cst p\
  15.103 +\            & unchanged (e p, r p, m p, rmhist!p)";
  15.104 +by (action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.105 +                    (map temp_elim [S2EnvUnch,S2RPCUnch,S2MemUnch,S2Hist]) 1);
  15.106 +by (auto_tac (MI_fast_css addSIs2 [S2Clerk,S2Forward]));
  15.107 +qed "Step1_2_2";
  15.108  
  15.109 -qed_goal "Step1_2_3" MemoryImplementation.thy
  15.110 -   "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.111 -\             & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S3 rmhist p \
  15.112 -\      --> ((S4 rmhist p)$ & RPCFwd crCh rmCh rst p & unchanged (e p, c p, m p, rmhist!p)) \
  15.113 -\        | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
  15.114 -   (fn _ => [action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.115 -	          (map temp_elim [S3EnvUnch,S3ClerkUnch,S3MemUnch]) 1,
  15.116 -             action_simp_tac (simpset()) [] 
  15.117 -                  (squareE::map temp_elim [S3RPC,S3Forward,S3Fail]) 1,
  15.118 -             auto_tac (MI_css addDs2 [S3Hist])
  15.119 -	    ]);
  15.120 +Goal "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.121 +\        & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S3 rmhist p \
  15.122 +\        --> ((S4 rmhist p)$ & RPCFwd crCh rmCh rst p & unchanged (e p, c p, m p, rmhist!p)) \
  15.123 +\            | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))";
  15.124 +by (action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.125 +	            (map temp_elim [S3EnvUnch,S3ClerkUnch,S3MemUnch]) 1);
  15.126 +by (action_simp_tac (simpset()) [] 
  15.127 +                    (squareE::map temp_elim [S3RPC,S3Forward,S3Fail]) 1);
  15.128 +by (auto_tac (MI_css addDs2 [S3Hist]));
  15.129 +qed "Step1_2_3";
  15.130  
  15.131 -qed_goal "Step1_2_4" MemoryImplementation.thy
  15.132 -   "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.133 +Goal "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.134  \             & ~unchanged (e p, c p, r p, m p, rmhist!p) \
  15.135  \             & $S4 rmhist p & (!l. $(MemInv mm l))     \
  15.136 -\      --> ((S4 rmhist p)$ & Read rmCh mm ires p & unchanged (e p, c p, r p, rmhist!p)) \
  15.137 -\        | ((S4 rmhist p)$ & (? l. Write rmCh mm ires p l) & unchanged (e p, c p, r p, rmhist!p)) \
  15.138 -\        | ((S5 rmhist p)$ & MemReturn rmCh ires p & unchanged (e p, c p, r p))"
  15.139 -   (fn _ => [action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.140 -                             (map temp_elim [S4EnvUnch,S4ClerkUnch,S4RPCUnch]) 1,
  15.141 -             action_simp_tac (simpset() addsimps [RNext_def]) []
  15.142 -                             (squareE::map temp_elim [S4Read,S4Write,S4Return]) 1,
  15.143 -             auto_tac (MI_css addDs2 [S4Hist])
  15.144 -            ]);
  15.145 +\        --> ((S4 rmhist p)$ & Read rmCh mm ires p & unchanged (e p, c p, r p, rmhist!p)) \
  15.146 +\            | ((S4 rmhist p)$ & (? l. Write rmCh mm ires p l) & unchanged (e p, c p, r p, rmhist!p)) \
  15.147 +\            | ((S5 rmhist p)$ & MemReturn rmCh ires p & unchanged (e p, c p, r p))";
  15.148 +by (action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.149 +                    (map temp_elim [S4EnvUnch,S4ClerkUnch,S4RPCUnch]) 1);
  15.150 +by (action_simp_tac (simpset() addsimps [RNext_def]) []
  15.151 +                    (squareE::map temp_elim [S4Read,S4Write,S4Return]) 1);
  15.152 +by (auto_tac (MI_css addDs2 [S4Hist]));
  15.153 +qed "Step1_2_4";
  15.154  
  15.155 -qed_goal "Step1_2_5" MemoryImplementation.thy
  15.156 -   "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.157 +Goal "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.158  \             & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S5 rmhist p \
  15.159 -\      --> ((S6 rmhist p)$ & RPCReply crCh rmCh rst p & unchanged (e p, c p, m p)) \
  15.160 -\        | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
  15.161 -   (fn _ => [action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.162 -                             (map temp_elim [S5EnvUnch,S5ClerkUnch,S5MemUnch,S5Hist]) 1,
  15.163 -	     action_simp_tac (simpset()) [] [squareE, temp_elim S5RPC] 1,
  15.164 -	     auto_tac (MI_fast_css addSDs2 [S5Reply,S5Fail])
  15.165 -	    ]);
  15.166 +\        --> ((S6 rmhist p)$ & RPCReply crCh rmCh rst p & unchanged (e p, c p, m p)) \
  15.167 +\            | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))";
  15.168 +by (action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.169 +                    (map temp_elim [S5EnvUnch,S5ClerkUnch,S5MemUnch,S5Hist]) 1);
  15.170 +by (action_simp_tac (simpset()) [] [squareE, temp_elim S5RPC] 1);
  15.171 +by (auto_tac (MI_fast_css addSDs2 [S5Reply,S5Fail]));
  15.172 +qed "Step1_2_5";
  15.173  
  15.174 -qed_goal "Step1_2_6" MemoryImplementation.thy
  15.175 -   "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.176 +Goal "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p  \
  15.177  \             & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S6 rmhist p \
  15.178 -\      --> ((S1 rmhist p)$ & MClkReply memCh crCh cst p & unchanged (e p, r p, m p))\
  15.179 -\        | ((S3 rmhist p)$ & MClkRetry memCh crCh cst p & unchanged (e p,r p,m p,rmhist!p))"
  15.180 -   (fn _ => [action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.181 -                             (map temp_elim [S6EnvUnch,S6RPCUnch,S6MemUnch]) 1,
  15.182 -             action_simp_tac (simpset()) []
  15.183 -                             (squareE::map temp_elim [S6Clerk,S6Retry,S6Reply]) 1,
  15.184 -             auto_tac (MI_css addDs2 [S6Hist])
  15.185 -            ]);
  15.186 +\        --> ((S1 rmhist p)$ & MClkReply memCh crCh cst p & unchanged (e p, r p, m p))\
  15.187 +\            | ((S3 rmhist p)$ & MClkRetry memCh crCh cst p & unchanged (e p,r p,m p,rmhist!p))";
  15.188 +by (action_simp_tac (simpset() addsimps [ImpNext_def]) []
  15.189 +                    (map temp_elim [S6EnvUnch,S6RPCUnch,S6MemUnch]) 1);
  15.190 +by (action_simp_tac (simpset()) []
  15.191 +                    (squareE::map temp_elim [S6Clerk,S6Retry,S6Reply]) 1);
  15.192 +by (auto_tac (MI_css addDs2 [S6Hist]));
  15.193 +qed "Step1_2_6";
  15.194  
  15.195  (* --------------------------------------------------------------------------
  15.196     Step 1.3: S1 implies the barred initial condition.
  15.197 @@ -157,11 +151,10 @@
  15.198  
  15.199  section "Initialization (Step 1.3)";
  15.200  
  15.201 -qed_goal "Step1_3" MemoryImplementation.thy 
  15.202 -   "|- S1 rmhist p --> PInit (resbar rmhist) p"
  15.203 -   (fn _ => [action_simp_tac (simpset() addsimps [resbar_def,PInit_def,S_def,S1_def])
  15.204 -                             [] [] 1
  15.205 -            ]);
  15.206 +Goal "|- S1 rmhist p --> PInit (resbar rmhist) p";
  15.207 +by (action_simp_tac (simpset() addsimps [resbar_def,PInit_def,S_def,S1_def])
  15.208 +                    [] [] 1);
  15.209 +qed "Step1_3";
  15.210  
  15.211  (* ----------------------------------------------------------------------
  15.212     Step 1.4: Implementation's next-state relation simulates specification's
  15.213 @@ -170,171 +163,161 @@
  15.214  
  15.215  section "Step simulation (Step 1.4)";
  15.216  
  15.217 -qed_goal "Step1_4_1" MemoryImplementation.thy
  15.218 -   "|- ENext p & $S1 rmhist p & (S2 rmhist p)$ & unchanged (c p, r p, m p) \
  15.219 -\      --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  15.220 -  (fn _ => [ auto_tac (MI_fast_css addsimps2 [c_def,r_def,m_def,resbar_def]) ]);
  15.221 +Goal "|- ENext p & $S1 rmhist p & (S2 rmhist p)$ & unchanged (c p, r p, m p) \
  15.222 +\        --> unchanged (rtrner memCh!p, resbar rmhist!p)";
  15.223 +by (auto_tac (MI_fast_css addsimps2 [c_def,r_def,m_def,resbar_def]));
  15.224 +qed "Step1_4_1";
  15.225  
  15.226 -qed_goal "Step1_4_2" MemoryImplementation.thy
  15.227 -   "|- MClkFwd memCh crCh cst p & $S2 rmhist p & (S3 rmhist p)$  \
  15.228 -\                & unchanged (e p, r p, m p, rmhist!p) \
  15.229 -\      --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  15.230 -  (fn _ => [action_simp_tac
  15.231 -                (simpset() addsimps [MClkFwd_def, e_def, r_def, m_def, resbar_def,
  15.232 -                                     S_def, S2_def, S3_def]) [] [] 1
  15.233 -           ]);
  15.234 +Goal "|- MClkFwd memCh crCh cst p & $S2 rmhist p & (S3 rmhist p)$  \
  15.235 +\        & unchanged (e p, r p, m p, rmhist!p) \
  15.236 +\        --> unchanged (rtrner memCh!p, resbar rmhist!p)";
  15.237 +by (action_simp_tac
  15.238 +      (simpset() addsimps [MClkFwd_def, e_def, r_def, m_def, resbar_def,
  15.239 +                           S_def, S2_def, S3_def]) [] [] 1);
  15.240 +qed "Step1_4_2";
  15.241  
  15.242 -qed_goal "Step1_4_3a" MemoryImplementation.thy
  15.243 -   "|- RPCFwd crCh rmCh rst p & $S3 rmhist p & (S4 rmhist p)$    \
  15.244 -\                  & unchanged (e p, c p, m p, rmhist!p) \
  15.245 -\      --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  15.246 -  (fn _ => [Clarsimp_tac 1,
  15.247 -            REPEAT (dresolve_tac (map temp_use [S3_excl,S4_excl]) 1),
  15.248 -            action_simp_tac 
  15.249 -                 (simpset() addsimps [e_def,c_def,m_def,resbar_def,S_def, S3_def]) [] [] 1
  15.250 -           ]);
  15.251 +Goal "|- RPCFwd crCh rmCh rst p & $S3 rmhist p & (S4 rmhist p)$    \
  15.252 +\        & unchanged (e p, c p, m p, rmhist!p) \
  15.253 +\        --> unchanged (rtrner memCh!p, resbar rmhist!p)";
  15.254 +by (Clarsimp_tac 1);
  15.255 +by (REPEAT (dresolve_tac (map temp_use [S3_excl,S4_excl]) 1));
  15.256 +by (action_simp_tac 
  15.257 +      (simpset() addsimps [e_def,c_def,m_def,resbar_def,S_def, S3_def]) [] [] 1);
  15.258 +qed "Step1_4_3a";
  15.259  
  15.260 -qed_goal "Step1_4_3b" MemoryImplementation.thy
  15.261 -   "|- RPCFail crCh rmCh rst p & $S3 rmhist p & (S6 rmhist p)$ & unchanged (e p, c p, m p) \
  15.262 -\      --> MemFail memCh (resbar rmhist) p"
  15.263 -  (fn _ => [Clarsimp_tac 1,
  15.264 -            dtac (temp_use S6_excl) 1,
  15.265 -            auto_tac (MI_css addsimps2 [RPCFail_def,MemFail_def,e_def,c_def,m_def,
  15.266 -		                        resbar_def]),
  15.267 -            force_tac (MI_css addsimps2 [S3_def,S_def]) 1,
  15.268 -            auto_tac (MI_css addsimps2 [Return_def])
  15.269 -           ]);
  15.270 -
  15.271 +Goal "|- RPCFail crCh rmCh rst p & $S3 rmhist p & (S6 rmhist p)$\
  15.272 +\        & unchanged (e p, c p, m p) \
  15.273 +\        --> MemFail memCh (resbar rmhist) p";
  15.274 +by (Clarsimp_tac 1);
  15.275 +by (dtac (temp_use S6_excl) 1);
  15.276 +by (auto_tac (MI_css addsimps2 [RPCFail_def,MemFail_def,e_def,c_def,m_def,
  15.277 +	                        resbar_def]));
  15.278 +by (force_tac (MI_css addsimps2 [S3_def,S_def]) 1);
  15.279 +by (auto_tac (MI_css addsimps2 [Return_def]));
  15.280 +qed "Step1_4_3b";
  15.281  
  15.282 -qed_goal "Step1_4_4a1" MemoryImplementation.thy
  15.283 -   "|- $S4 rmhist p & (S4 rmhist p)$ & ReadInner rmCh mm ires p l \
  15.284 -\             & unchanged (e p, c p, r p, rmhist!p) & $MemInv mm l \
  15.285 -\      --> ReadInner memCh mm (resbar rmhist) p l"
  15.286 -  (fn _ => [Clarsimp_tac 1,
  15.287 -            REPEAT (dtac (temp_use S4_excl) 1),
  15.288 -            action_simp_tac 
  15.289 -               (simpset() addsimps [ReadInner_def,GoodRead_def,BadRead_def,e_def,c_def,m_def]) 
  15.290 -               [] [] 1,
  15.291 -            auto_tac (MI_css addsimps2 [resbar_def]),
  15.292 -	    ALLGOALS (action_simp_tac 
  15.293 -                        (simpset() addsimps [RPCRelayArg_def,MClkRelayArg_def,
  15.294 -		                            S_def,S4_def,RdRequest_def,MemInv_def])
  15.295 -		      [] [impE,MemValNotAResultE])
  15.296 -           ]);
  15.297 +Goal "|- $S4 rmhist p & (S4 rmhist p)$ & ReadInner rmCh mm ires p l \
  15.298 +\        & unchanged (e p, c p, r p, rmhist!p) & $MemInv mm l \
  15.299 +\        --> ReadInner memCh mm (resbar rmhist) p l";
  15.300 +by (Clarsimp_tac 1);
  15.301 +by (REPEAT (dtac (temp_use S4_excl) 1));
  15.302 +by (action_simp_tac 
  15.303 +      (simpset() addsimps [ReadInner_def,GoodRead_def,BadRead_def,e_def,c_def,m_def]) 
  15.304 +      [] [] 1);
  15.305 +by (auto_tac (MI_css addsimps2 [resbar_def]));
  15.306 +by (ALLGOALS (action_simp_tac 
  15.307 +                (simpset() addsimps [RPCRelayArg_def,MClkRelayArg_def,
  15.308 +	                             S_def,S4_def,RdRequest_def,MemInv_def])
  15.309 +		[] [impE,MemValNotAResultE]));
  15.310 +qed "Step1_4_4a1";
  15.311  
  15.312 -qed_goal "Step1_4_4a" MemoryImplementation.thy
  15.313 -   "|- Read rmCh mm ires p & $S4 rmhist p & (S4 rmhist p)$ \
  15.314 -\           & unchanged (e p, c p, r p, rmhist!p) & (!l. $(MemInv mm l)) \
  15.315 -\      --> Read memCh mm (resbar rmhist) p"
  15.316 -  (fn _ => [ force_tac (MI_css addsimps2 [Read_def] addSEs2 [Step1_4_4a1]) 1 ]);
  15.317 +Goal "|- Read rmCh mm ires p & $S4 rmhist p & (S4 rmhist p)$ \
  15.318 +\        & unchanged (e p, c p, r p, rmhist!p) & (!l. $(MemInv mm l)) \
  15.319 +\        --> Read memCh mm (resbar rmhist) p";
  15.320 +by (force_tac (MI_css addsimps2 [Read_def] addSEs2 [Step1_4_4a1]) 1);
  15.321 +qed "Step1_4_4a";
  15.322  
  15.323 -qed_goal "Step1_4_4b1" MemoryImplementation.thy
  15.324 -   "|- $S4 rmhist p & (S4 rmhist p)$ & WriteInner rmCh mm ires p l v   \
  15.325 -\                   & unchanged (e p, c p, r p, rmhist!p) \
  15.326 -\      --> WriteInner memCh mm (resbar rmhist) p l v"
  15.327 -  (fn _ => [Clarsimp_tac 1,
  15.328 -            REPEAT (dtac (temp_use S4_excl) 1),
  15.329 -            action_simp_tac 
  15.330 -               (simpset() addsimps [WriteInner_def, GoodWrite_def, BadWrite_def,
  15.331 -			           e_def, c_def, m_def])
  15.332 -               [] [] 1,
  15.333 -	    auto_tac (MI_css addsimps2 [resbar_def]),
  15.334 -	    ALLGOALS (action_simp_tac
  15.335 -                        (simpset() addsimps [RPCRelayArg_def,MClkRelayArg_def,
  15.336 -		                            S_def,S4_def,WrRequest_def])
  15.337 -		      [] [])
  15.338 -           ]);
  15.339 +Goal "|- $S4 rmhist p & (S4 rmhist p)$ & WriteInner rmCh mm ires p l v   \
  15.340 +\        & unchanged (e p, c p, r p, rmhist!p) \
  15.341 +\        --> WriteInner memCh mm (resbar rmhist) p l v";
  15.342 +by (Clarsimp_tac 1);
  15.343 +by (REPEAT (dtac (temp_use S4_excl) 1));
  15.344 +by (action_simp_tac 
  15.345 +      (simpset() addsimps [WriteInner_def, GoodWrite_def, BadWrite_def,
  15.346 +		           e_def, c_def, m_def])
  15.347 +      [] [] 1);
  15.348 +by (auto_tac (MI_css addsimps2 [resbar_def]));
  15.349 +by (ALLGOALS (action_simp_tac
  15.350 +                (simpset() addsimps [RPCRelayArg_def,MClkRelayArg_def,
  15.351 +	                             S_def,S4_def,WrRequest_def])
  15.352 +		[] []));
  15.353 +qed "Step1_4_4b1";
  15.354  
  15.355 -qed_goal "Step1_4_4b" MemoryImplementation.thy
  15.356 -   "|- Write rmCh mm ires p l & $S4 rmhist p & (S4 rmhist p)$   \
  15.357 -\                 & unchanged (e p, c p, r p, rmhist!p) \
  15.358 -\      --> Write memCh mm (resbar rmhist) p l"
  15.359 -  (fn _ => [ force_tac (MI_css addsimps2 [Write_def] addSEs2 [Step1_4_4b1]) 1 ]);
  15.360 +Goal "|- Write rmCh mm ires p l & $S4 rmhist p & (S4 rmhist p)$   \
  15.361 +\        & unchanged (e p, c p, r p, rmhist!p) \
  15.362 +\        --> Write memCh mm (resbar rmhist) p l";
  15.363 +by (force_tac (MI_css addsimps2 [Write_def] addSEs2 [Step1_4_4b1]) 1);
  15.364 +qed "Step1_4_4b";
  15.365  
  15.366 -qed_goal "Step1_4_4c" MemoryImplementation.thy
  15.367 -   "|- MemReturn rmCh ires p & $S4 rmhist p & (S5 rmhist p)$ & unchanged (e p, c p, r p) \
  15.368 -\      --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  15.369 -  (fn _ => [action_simp_tac
  15.370 -	       (simpset() addsimps [e_def,c_def,r_def,resbar_def]) [] [] 1,
  15.371 -	    REPEAT (dresolve_tac [temp_use S4_excl, temp_use S5_excl] 1),
  15.372 -	    auto_tac (MI_fast_css addsimps2 [MemReturn_def,Return_def])
  15.373 -           ]);
  15.374 +Goal "|- MemReturn rmCh ires p & $S4 rmhist p & (S5 rmhist p)$\
  15.375 +\        & unchanged (e p, c p, r p) \
  15.376 +\        --> unchanged (rtrner memCh!p, resbar rmhist!p)";
  15.377 +by (action_simp_tac
  15.378 +      (simpset() addsimps [e_def,c_def,r_def,resbar_def]) [] [] 1);
  15.379 +by (REPEAT (dresolve_tac [temp_use S4_excl, temp_use S5_excl] 1));
  15.380 +by (auto_tac (MI_fast_css addsimps2 [MemReturn_def,Return_def]));
  15.381 +qed "Step1_4_4c";
  15.382  
  15.383 -qed_goal "Step1_4_5a" MemoryImplementation.thy
  15.384 -   "|- RPCReply crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$ & unchanged (e p, c p, m p) \
  15.385 -\      --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  15.386 -  (fn _ => [Clarsimp_tac 1,
  15.387 -            REPEAT (dresolve_tac [temp_use S5_excl, temp_use S6_excl] 1),
  15.388 -            auto_tac (MI_css addsimps2 [e_def,c_def,m_def, resbar_def]),
  15.389 -	    auto_tac (MI_css addsimps2 [RPCReply_def,Return_def,S5_def,S_def] 
  15.390 -                             addSDs2 [MVOKBAnotRF])
  15.391 -           ]);
  15.392 +Goal "|- RPCReply crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$\
  15.393 +\        & unchanged (e p, c p, m p) \
  15.394 +\        --> unchanged (rtrner memCh!p, resbar rmhist!p)";
  15.395 +by (Clarsimp_tac 1);
  15.396 +by (REPEAT (dresolve_tac [temp_use S5_excl, temp_use S6_excl] 1));
  15.397 +by (auto_tac (MI_css addsimps2 [e_def,c_def,m_def, resbar_def]));
  15.398 +by (auto_tac (MI_css addsimps2 [RPCReply_def,Return_def,S5_def,S_def] 
  15.399 +                     addSDs2 [MVOKBAnotRF]));
  15.400 +qed "Step1_4_5a";
  15.401  
  15.402 -qed_goal "Step1_4_5b" MemoryImplementation.thy
  15.403 -   "|- RPCFail crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$ & unchanged (e p, c p, m p) \
  15.404 -\      --> MemFail memCh (resbar rmhist) p"
  15.405 -  (fn _ => [Clarsimp_tac 1,
  15.406 -            dtac (temp_use S6_excl) 1,
  15.407 -            auto_tac (MI_css addsimps2 [e_def, c_def, m_def, RPCFail_def, Return_def,
  15.408 -		 		        MemFail_def, resbar_def]),
  15.409 -	    auto_tac (MI_css addsimps2 [S5_def,S_def])
  15.410 -           ]);
  15.411 +Goal "|- RPCFail crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$\
  15.412 +\        & unchanged (e p, c p, m p) \
  15.413 +\        --> MemFail memCh (resbar rmhist) p";
  15.414 +by (Clarsimp_tac 1);
  15.415 +by (dtac (temp_use S6_excl) 1);
  15.416 +by (auto_tac (MI_css addsimps2 [e_def, c_def, m_def, RPCFail_def, Return_def,
  15.417 +		 		MemFail_def, resbar_def]));
  15.418 +by (auto_tac (MI_css addsimps2 [S5_def,S_def]));
  15.419 +qed "Step1_4_5b";
  15.420  
  15.421 -qed_goal "Step1_4_6a" MemoryImplementation.thy
  15.422 -   "|- MClkReply memCh crCh cst p & $S6 rmhist p & (S1 rmhist p)$ & unchanged (e p, r p, m p) \
  15.423 -\      --> MemReturn memCh (resbar rmhist) p"
  15.424 -  (fn _ => [Clarsimp_tac 1,
  15.425 -            dtac (temp_use S6_excl) 1,
  15.426 -            action_simp_tac
  15.427 -	      (simpset() addsimps [e_def, r_def, m_def, MClkReply_def, MemReturn_def,
  15.428 -				  Return_def, resbar_def]) [] [] 1,
  15.429 -	    ALLGOALS Asm_full_simp_tac,  (* simplify if-then-else *)
  15.430 -	    ALLGOALS (action_simp_tac
  15.431 -    	              (simpset() addsimps [MClkReplyVal_def,S6_def,S_def])
  15.432 -		      [] [MVOKBARFnotNR])
  15.433 -           ]);
  15.434 +Goal "|- MClkReply memCh crCh cst p & $S6 rmhist p & (S1 rmhist p)$\
  15.435 +\        & unchanged (e p, r p, m p) \
  15.436 +\        --> MemReturn memCh (resbar rmhist) p";
  15.437 +by (Clarsimp_tac 1);
  15.438 +by (dtac (temp_use S6_excl) 1);
  15.439 +by (action_simp_tac
  15.440 +      (simpset() addsimps [e_def,r_def,m_def,MClkReply_def,MemReturn_def,
  15.441 +		           Return_def,resbar_def]) [] [] 1);
  15.442 +by (ALLGOALS Asm_full_simp_tac);  (* simplify if-then-else *)
  15.443 +by (ALLGOALS (action_simp_tac
  15.444 +                (simpset() addsimps [MClkReplyVal_def,S6_def,S_def])
  15.445 +	        [] [MVOKBARFnotNR]));
  15.446 +qed "Step1_4_6a";
  15.447  
  15.448 -qed_goal "Step1_4_6b" MemoryImplementation.thy
  15.449 -   "|- MClkRetry memCh crCh cst p & $S6 rmhist p & (S3 rmhist p)$   \
  15.450 -\                & unchanged (e p, r p, m p, rmhist!p) \
  15.451 -\      --> MemFail memCh (resbar rmhist) p"
  15.452 -  (fn _ => [Clarsimp_tac 1,
  15.453 -            dtac (temp_use S3_excl) 1,
  15.454 -            action_simp_tac
  15.455 -	       (simpset() addsimps [e_def, r_def, m_def, MClkRetry_def, MemFail_def, resbar_def])
  15.456 -	       [] [] 1,
  15.457 -	    auto_tac (MI_css addsimps2 [S6_def,S_def])
  15.458 -           ]);
  15.459 +Goal "|- MClkRetry memCh crCh cst p & $S6 rmhist p & (S3 rmhist p)$   \
  15.460 +\        & unchanged (e p, r p, m p, rmhist!p) \
  15.461 +\        --> MemFail memCh (resbar rmhist) p";
  15.462 +by (Clarsimp_tac 1);
  15.463 +by (dtac (temp_use S3_excl) 1);
  15.464 +by (action_simp_tac
  15.465 +      (simpset() addsimps [e_def, r_def, m_def, MClkRetry_def, MemFail_def, resbar_def])
  15.466 +      [] [] 1);
  15.467 +by (auto_tac (MI_css addsimps2 [S6_def,S_def]));
  15.468 +qed "Step1_4_6b";
  15.469  
  15.470 -qed_goal "S_lemma" MemoryImplementation.thy
  15.471 -   "|- unchanged (e p, c p, r p, m p, rmhist!p) \
  15.472 -\      --> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)"
  15.473 -   (fn _ => [auto_tac (MI_css addsimps2 [e_def,c_def,r_def,m_def,caller_def,rtrner_def,
  15.474 -					 S_def,Calling_def])
  15.475 -            ]);
  15.476 +Goal "|- unchanged (e p, c p, r p, m p, rmhist!p) \
  15.477 +\        --> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)";
  15.478 +by (auto_tac (MI_css addsimps2 [e_def,c_def,r_def,m_def,caller_def,rtrner_def,
  15.479 +			        S_def,Calling_def]));
  15.480 +qed "S_lemma";
  15.481  
  15.482 -qed_goal "Step1_4_7H" MemoryImplementation.thy
  15.483 -   "|- unchanged (e p, c p, r p, m p, rmhist!p) \
  15.484 -\      --> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p, \
  15.485 -\                     S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  15.486 -   (fn _ => [Clarsimp_tac 1,
  15.487 -             rtac conjI 1,
  15.488 -             force_tac (MI_css addsimps2 [c_def]) 1,
  15.489 -             force_tac (MI_css addsimps2 [S1_def,S2_def,S3_def,S4_def,S5_def,S6_def]
  15.490 -                               addSIs2 [S_lemma]) 1
  15.491 -            ]);
  15.492 +Goal "|- unchanged (e p, c p, r p, m p, rmhist!p) \
  15.493 +\        --> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p, \
  15.494 +\                       S4 rmhist p, S5 rmhist p, S6 rmhist p)";
  15.495 +by (Clarsimp_tac 1);
  15.496 +by (rtac conjI 1);
  15.497 +by (force_tac (MI_css addsimps2 [c_def]) 1);
  15.498 +by (force_tac (MI_css addsimps2 [S1_def,S2_def,S3_def,S4_def,S5_def,S6_def]
  15.499 +                      addSIs2 [S_lemma]) 1);
  15.500 +qed "Step1_4_7H";
  15.501  
  15.502 -qed_goal "Step1_4_7" MemoryImplementation.thy
  15.503 -   "|- unchanged (e p, c p, r p, m p, rmhist!p) \
  15.504 -\      --> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p, S3 rmhist p, \
  15.505 -\                     S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  15.506 -  (fn _ => [rtac actionI 1,
  15.507 -            rewrite_goals_tac action_rews,
  15.508 -            rtac impI 1,
  15.509 -            forward_tac [temp_use Step1_4_7H] 1,
  15.510 -	    auto_tac (MI_css addsimps2 [e_def,c_def,r_def,m_def,rtrner_def,resbar_def])
  15.511 -           ]);
  15.512 -
  15.513 +Goal "|- unchanged (e p, c p, r p, m p, rmhist!p) \
  15.514 +\        --> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p, \
  15.515 +\                       S3 rmhist p, S4 rmhist p, S5 rmhist p, S6 rmhist p)";
  15.516 +by (rtac actionI 1);
  15.517 +by (rewrite_goals_tac action_rews);
  15.518 +by (rtac impI 1);
  15.519 +by (forward_tac [temp_use Step1_4_7H] 1);
  15.520 +by (auto_tac (MI_css addsimps2 [e_def,c_def,r_def,m_def,rtrner_def,resbar_def]));
  15.521 +qed "Step1_4_7";
  15.522  
  15.523  (* Frequently needed abbreviation: distinguish between idling and non-idling
  15.524     steps of the implementation, and try to solve the idling case by simplification
  15.525 @@ -354,74 +337,66 @@
  15.526  
  15.527  (* Steps that leave all variables unchanged are safe, so I may assume
  15.528     that some variable changes in the proof that a step is safe. *)
  15.529 -qed_goal "unchanged_safe" MemoryImplementation.thy
  15.530 -   "|- (~unchanged (e p, c p, r p, m p, rmhist!p) \
  15.531 -\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)) \
  15.532 -\      --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  15.533 -   (fn _ => [split_idle_tac [square_def] 1,
  15.534 -             Force_tac 1
  15.535 -            ]);
  15.536 +Goal "|- (~unchanged (e p, c p, r p, m p, rmhist!p) \
  15.537 +\            --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)) \
  15.538 +\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
  15.539 +by (split_idle_tac [square_def] 1);
  15.540 +by (Force_tac 1);
  15.541 +qed "unchanged_safe";
  15.542  (* turn into (unsafe, looping!) introduction rule *)
  15.543  bind_thm("unchanged_safeI", impI RS (action_use unchanged_safe));
  15.544  
  15.545 -qed_goal "S1safe" MemoryImplementation.thy
  15.546 -   "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.547 -\      --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  15.548 -   (fn _ => [Clarsimp_tac 1, 
  15.549 -             rtac unchanged_safeI 1,
  15.550 -             rtac idle_squareI 1,
  15.551 -	     auto_tac (MI_css addSDs2 [Step1_2_1,Step1_4_1])
  15.552 -	    ]);
  15.553 +Goal "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.554 +\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
  15.555 +by (Clarsimp_tac 1);
  15.556 +by (rtac unchanged_safeI 1);
  15.557 +by (rtac idle_squareI 1);
  15.558 +by (auto_tac (MI_css addSDs2 [Step1_2_1,Step1_4_1]));
  15.559 +qed "S1safe";
  15.560  
  15.561 -qed_goal "S2safe" MemoryImplementation.thy
  15.562 -   "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.563 -\      --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  15.564 -   (fn _ => [Clarsimp_tac 1, 
  15.565 -             rtac unchanged_safeI 1,
  15.566 -             rtac idle_squareI 1,
  15.567 -	     auto_tac (MI_css addSDs2 [Step1_2_2,Step1_4_2])
  15.568 -	    ]);
  15.569 +Goal "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.570 +\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
  15.571 +by (Clarsimp_tac 1);
  15.572 +by (rtac unchanged_safeI 1);
  15.573 +by (rtac idle_squareI 1);
  15.574 +by (auto_tac (MI_css addSDs2 [Step1_2_2,Step1_4_2]));
  15.575 +qed "S2safe";
  15.576  
  15.577 -qed_goal "S3safe" MemoryImplementation.thy
  15.578 -   "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.579 -\      --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  15.580 -   (fn _ => [Clarsimp_tac 1,
  15.581 -	     rtac unchanged_safeI 1,
  15.582 -             auto_tac (MI_css addSDs2 [Step1_2_3]),
  15.583 -	     auto_tac (MI_css addsimps2 [square_def,UNext_def]
  15.584 -		              addSDs2 [Step1_4_3a,Step1_4_3b])
  15.585 -	    ]);
  15.586 +Goal "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.587 +\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
  15.588 +by (Clarsimp_tac 1);
  15.589 +by (rtac unchanged_safeI 1);
  15.590 +by (auto_tac (MI_css addSDs2 [Step1_2_3]));
  15.591 +by (auto_tac (MI_css addsimps2 [square_def,UNext_def] addSDs2 [Step1_4_3a,Step1_4_3b]));
  15.592 +qed "S3safe";
  15.593  
  15.594 -qed_goal "S4safe" MemoryImplementation.thy
  15.595 -   "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)  \
  15.596 -\                   & (!l. $(MemInv mm l)) \
  15.597 -\      --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  15.598 -   (fn _ => [Clarsimp_tac 1,
  15.599 -	     rtac unchanged_safeI 1,
  15.600 -             auto_tac (MI_css addSDs2 [Step1_2_4]),
  15.601 -	     auto_tac (MI_css addsimps2 [square_def,UNext_def,RNext_def]
  15.602 -                              addSDs2 [Step1_4_4a,Step1_4_4b,Step1_4_4c])
  15.603 -	    ]);
  15.604 +Goal "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)  \
  15.605 +\        & (!l. $(MemInv mm l)) \
  15.606 +\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
  15.607 +by (Clarsimp_tac 1);
  15.608 +by (rtac unchanged_safeI 1);
  15.609 +by (auto_tac (MI_css addSDs2 [Step1_2_4]));
  15.610 +by (auto_tac (MI_css addsimps2 [square_def,UNext_def,RNext_def]
  15.611 +                     addSDs2 [Step1_4_4a,Step1_4_4b,Step1_4_4c]));
  15.612 +qed "S4safe";
  15.613  
  15.614 -qed_goal "S5safe" MemoryImplementation.thy
  15.615 -   "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)  \
  15.616 -\      --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  15.617 -   (fn _ => [Clarsimp_tac 1,
  15.618 -	     rtac unchanged_safeI 1,
  15.619 -             auto_tac (MI_css addSDs2 [Step1_2_5]),
  15.620 -	     auto_tac (MI_css addsimps2 [square_def,UNext_def]
  15.621 -		              addSDs2 [Step1_4_5a,Step1_4_5b])
  15.622 -	    ]);
  15.623 +Goal "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)  \
  15.624 +\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
  15.625 +by (Clarsimp_tac 1);
  15.626 +by (rtac unchanged_safeI 1);
  15.627 +by (auto_tac (MI_css addSDs2 [Step1_2_5]));
  15.628 +by (auto_tac (MI_css addsimps2 [square_def,UNext_def]
  15.629 +	             addSDs2 [Step1_4_5a,Step1_4_5b]));
  15.630 +qed "S5safe";
  15.631  
  15.632 -qed_goal "S6safe" MemoryImplementation.thy
  15.633 -   "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.634 -\      --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  15.635 -   (fn _ => [Clarsimp_tac 1,
  15.636 -	     rtac unchanged_safeI 1,
  15.637 -             auto_tac (MI_css addSDs2 [Step1_2_6]),
  15.638 -	     auto_tac (MI_css addsimps2 [square_def,UNext_def,RNext_def]
  15.639 -		              addSDs2 [Step1_4_6a,Step1_4_6b])
  15.640 -	    ]);
  15.641 +Goal "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.642 +\        --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
  15.643 +by (Clarsimp_tac 1);
  15.644 +by (rtac unchanged_safeI 1);
  15.645 +by (auto_tac (MI_css addSDs2 [Step1_2_6]));
  15.646 +by (auto_tac (MI_css addsimps2 [square_def,UNext_def,RNext_def]
  15.647 +	             addSDs2 [Step1_4_6a,Step1_4_6b]));
  15.648 +qed "S6safe";
  15.649  
  15.650  (* ----------------------------------------------------------------------
  15.651     Step 1.5: Temporal refinement proof, based on previous steps.
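Review bot: The four scripts `S3safe`..`S6safe` are the same four-step pattern (`Clarsimp_tac 1`, `rtac unchanged_safeI 1`, `auto_tac (MI_css addSDs2 [Step1_2_n])`, `auto_tac (MI_css addsimps2 [...] addSDs2 [Step1_4_n...])`) differing only in the lemma lists, so a small tactic such as `fun mi_safe_tac step simps acts = EVERY [Clarsimp_tac 1, rtac unchanged_safeI 1, auto_tac (MI_css addSDs2 [step]), auto_tac (MI_css addsimps2 simps addSDs2 acts)]` would keep them in lockstep and confine the use of the `unchanged_safeI` rule, which the comment above it flags as unsafe and looping, to one place. Two restyling nits in the same hunk: `S3safe` folds its final `auto_tac` call onto a single ~90-column line while `S4safe`, `S5safe` and `S6safe` wrap the identical call, and the continuation lines of the `unchanged_safe` goal string are indented deeper than every other goal in the hunk; since the commit is explicitly a uniform restyling these are worth aligning.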
  15.652 @@ -429,7 +404,343 @@
  15.653  
  15.654  section "The liveness part";
  15.655  
  15.656 -use "MIlive.ML";
  15.657 +(* Liveness assertions for the different implementation states, based on the
  15.658 +   fairness conditions. Prove subgoals of WF1 / SF1 rules as separate lemmas
  15.659 +   for readability. Reuse action proofs from safety part.
  15.660 +*)
  15.661 +
  15.662 +(* ------------------------------ State S1 ------------------------------ *)
  15.663 +
  15.664 +Goal "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)  \
  15.665 +\        --> (S1 rmhist p)$ | (S2 rmhist p)$";
  15.666 +by (split_idle_tac [] 1);
  15.667 +by (auto_tac (MI_css addSDs2 [Step1_2_1]));
  15.668 +qed "S1_successors";
  15.669 +
  15.670 +(* Show that the implementation can satisfy the high-level fairness requirements
  15.671 +   by entering the state S1 infinitely often.
  15.672 +*)
  15.673 +
  15.674 +Goal "|- S1 rmhist p --> \
  15.675 +\        ~Enabled (<RNext memCh mm (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))";
  15.676 +by (action_simp_tac (simpset() addsimps [angle_def,S_def,S1_def])
  15.677 +	            [notI] [enabledE,temp_elim Memoryidle] 1);
  15.678 +by (Force_tac 1);
  15.679 +qed "S1_RNextdisabled";
  15.680 +
  15.681 +Goal "|- S1 rmhist p --> \
  15.682 +\        ~Enabled (<MemReturn memCh (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))";
  15.683 +by (action_simp_tac 
  15.684 +      (simpset() addsimps [angle_def,MemReturn_def,Return_def,S_def,S1_def])
  15.685 +      [notI] [enabledE] 1);
  15.686 +qed "S1_Returndisabled";
  15.687 +
  15.688 +Goal "|- []<>S1 rmhist p   \
  15.689 +\        --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)";
  15.690 +by (auto_tac (MI_css addsimps2 [WF_alt]
  15.691 +		     addSIs2 [S1_RNextdisabled] addSEs2 [STL4E,DmdImplE]));
  15.692 +qed "RNext_fair";
  15.693 +
  15.694 +Goal "|- []<>S1 rmhist p   \
  15.695 +\        --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)";
  15.696 +by (auto_tac (MI_css addsimps2 [WF_alt]
  15.697 +		     addSIs2 [S1_Returndisabled] addSEs2 [STL4E,DmdImplE]));
  15.698 +qed "Return_fair";
  15.699 +
  15.700 +(* ------------------------------ State S2 ------------------------------ *)
  15.701 +
  15.702 +Goal "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)   \
  15.703 +\        --> (S2 rmhist p)$ | (S3 rmhist p)$";
  15.704 +by (split_idle_tac [] 1);
  15.705 +by (auto_tac (MI_css addSDs2 [Step1_2_2]));
  15.706 +qed "S2_successors";
  15.707 +
  15.708 +Goal "|- ($S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))\
  15.709 +\        & <MClkFwd memCh crCh cst p>_(c p) \
  15.710 +\        --> (S3 rmhist p)$";
  15.711 +by (auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_2]));
  15.712 +qed "S2MClkFwd_successors";
  15.713 +
  15.714 +Goal "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)\
  15.715 +\        --> $Enabled (<MClkFwd memCh crCh cst p>_(c p))";
  15.716 +by (auto_tac (MI_css addsimps2 [c_def] addSIs2 [MClkFwd_ch_enabled,MClkFwd_enabled]));
  15.717 +by (cut_facts_tac [MI_base] 1);
  15.718 +by (blast_tac (claset() addDs [base_pair]) 1);
  15.719 +by (ALLGOALS (asm_full_simp_tac (simpset() addsimps [S_def,S2_def])));
  15.720 +qed "S2MClkFwd_enabled";
  15.721 +
  15.722 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))\
  15.723 +\        & WF(MClkFwd memCh crCh cst p)_(c p) \
  15.724 +\        --> (S2 rmhist p ~> S3 rmhist p)";
  15.725 +by (REPEAT (resolve_tac [WF1,S2_successors,
  15.726 +                         S2MClkFwd_successors,S2MClkFwd_enabled] 1));
  15.727 +qed "S2_live";
  15.728 +
  15.729 +(* ------------------------------ State S3 ------------------------------ *)
  15.730 +
  15.731 +Goal "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)\
  15.732 +\        --> (S3 rmhist p)$ | (S4 rmhist p | S6 rmhist p)$";
  15.733 +by (split_idle_tac [] 1);
  15.734 +by (auto_tac (MI_css addSDs2 [Step1_2_3]));
  15.735 +qed "S3_successors";
  15.736 +
  15.737 +Goal "|- ($S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))\
  15.738 +\        & <RPCNext crCh rmCh rst p>_(r p) \
  15.739 +\        --> (S4 rmhist p | S6 rmhist p)$";
  15.740 +by (auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_3]));
  15.741 +qed "S3RPC_successors";
  15.742 +
  15.743 +Goal "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)\
  15.744 +\        --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))";
  15.745 +by (auto_tac (MI_css addsimps2 [r_def]
  15.746 +		     addSIs2 [RPCFail_Next_enabled,RPCFail_enabled]));
  15.747 +by (cut_facts_tac [MI_base] 1);
  15.748 +by (blast_tac (claset() addDs [base_pair]) 1);
  15.749 +by (ALLGOALS (asm_full_simp_tac (simpset() addsimps [S_def,S3_def])));
  15.750 +qed "S3RPC_enabled";
  15.751 +
  15.752 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))\
  15.753 +\        & WF(RPCNext crCh rmCh rst p)_(r p) \
  15.754 +\        --> (S3 rmhist p ~> S4 rmhist p | S6 rmhist p)";
  15.755 +by (REPEAT (resolve_tac [WF1,S3_successors,S3RPC_successors,S3RPC_enabled] 1));
  15.756 +qed "S3_live";
  15.757 +
  15.758 +(* ------------- State S4 -------------------------------------------------- *)
  15.759 +
  15.760 +Goal"|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
  15.761 +\       & (ALL l. $MemInv mm l)  \
  15.762 +\       --> (S4 rmhist p)$ | (S5 rmhist p)$";
  15.763 +by (split_idle_tac [] 1);
  15.764 +by (auto_tac (MI_css addSDs2 [Step1_2_4]));
  15.765 +qed "S4_successors";
  15.766 +
  15.767 +(* --------- State S4a: S4 /\ (ires p = NotAResult) ------------------------ *)
  15.768 +
  15.769 +Goal "|- $(S4 rmhist p & ires!p = #NotAResult) \
  15.770 +\        & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (ALL l. $MemInv mm l)\
  15.771 +\        --> (S4 rmhist p & ires!p = #NotAResult)$  \
  15.772 +\            | ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)$";
  15.773 +by (split_idle_tac [m_def] 1);
  15.774 +by (auto_tac (MI_css addSDs2 [Step1_2_4]));
  15.775 +qed "S4a_successors";
  15.776 +
  15.777 +Goal "|- ($(S4 rmhist p & ires!p = #NotAResult)  \
  15.778 +\        & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (ALL l. $MemInv mm l))\
  15.779 +\        & <RNext rmCh mm ires p>_(m p) \
  15.780 +\        --> ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)$";
  15.781 +by (auto_tac (MI_css addsimps2 [angle_def]
  15.782 +		     addSDs2 [Step1_2_4, ReadResult, WriteResult]));
  15.783 +qed "S4aRNext_successors";
  15.784 +
  15.785 +Goal "|- $(S4 rmhist p & ires!p = #NotAResult) \
  15.786 +\        & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (ALL l. $MemInv mm l)\
  15.787 +\        --> $Enabled (<RNext rmCh mm ires p>_(m p))";
  15.788 +by (auto_tac (MI_css addsimps2 [m_def] addSIs2 [RNext_enabled]));
  15.789 +by (cut_facts_tac [MI_base] 1);
  15.790 +by (blast_tac (claset() addDs [base_pair]) 1);
  15.791 +by (asm_full_simp_tac (simpset() addsimps [S_def,S4_def]) 1);
  15.792 +qed "S4aRNext_enabled";
  15.793 +
  15.794 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)\
  15.795 +\        & (ALL l. $MemInv mm l)) & WF(RNext rmCh mm ires p)_(m p) \
  15.796 +\        --> (S4 rmhist p & ires!p = #NotAResult  \
  15.797 +\             ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)";
  15.798 +by (REPEAT (resolve_tac [WF1, S4a_successors, S4aRNext_successors, S4aRNext_enabled] 1));
  15.799 +qed "S4a_live";
  15.800 +
  15.801 +(* ---------- State S4b: S4 /\ (ires p # NotAResult) --------------------------- *)
  15.802 +
  15.803 +Goal "|- $(S4 rmhist p & ires!p ~= #NotAResult)  \
  15.804 +\        & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (ALL l. $MemInv mm l)\
  15.805 +\        --> (S4 rmhist p & ires!p ~= #NotAResult)$ | (S5 rmhist p)$";
  15.806 +by (split_idle_tac [m_def] 1);
  15.807 +by (auto_tac (MI_css addSDs2 [WriteResult,Step1_2_4,ReadResult]));
  15.808 +qed "S4b_successors";
  15.809 +
  15.810 +Goal "|- ($(S4 rmhist p & ires!p ~= #NotAResult)  \
  15.811 +\        & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
  15.812 +\        & (ALL l. $MemInv mm l)) & <MemReturn rmCh ires p>_(m p) \
  15.813 +\        --> (S5 rmhist p)$";
  15.814 +by (force_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_4]
  15.815 +                      addDs2 [ReturnNotReadWrite]) 1);
  15.816 +qed "S4bReturn_successors";
  15.817 +
  15.818 +Goal "|- $(S4 rmhist p & ires!p ~= #NotAResult)  \
  15.819 +\        & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)\
  15.820 +\        & (ALL l. $MemInv mm l)  \
  15.821 +\        --> $Enabled (<MemReturn rmCh ires p>_(m p))";
  15.822 +by (auto_tac (MI_css addsimps2 [m_def] addSIs2 [MemReturn_enabled]));
  15.823 +by (cut_facts_tac [MI_base] 1);
  15.824 +by (blast_tac (claset() addDs [base_pair]) 1);
  15.825 +by (asm_full_simp_tac (simpset() addsimps [S_def,S4_def]) 1);
  15.826 +qed "S4bReturn_enabled";
  15.827 +
  15.828 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l)) \
  15.829 +\        & WF(MemReturn rmCh ires p)_(m p) \
  15.830 +\        --> (S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p)";
  15.831 +by (REPEAT (resolve_tac [WF1, S4b_successors,S4bReturn_successors, S4bReturn_enabled] 1));
  15.832 +qed "S4b_live";
  15.833 +
  15.834 +(* ------------------------------ State S5 ------------------------------ *)
  15.835 +
  15.836 +Goal "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
  15.837 +\        --> (S5 rmhist p)$ | (S6 rmhist p)$";
  15.838 +by (split_idle_tac [] 1);
  15.839 +by (auto_tac (MI_css addSDs2 [Step1_2_5]));
  15.840 +qed "S5_successors";
  15.841 +
  15.842 +Goal "|- ($S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) \
  15.843 +\        & <RPCNext crCh rmCh rst p>_(r p) \
  15.844 +\        --> (S6 rmhist p)$";
  15.845 +by (auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_5]));
  15.846 +qed "S5RPC_successors";
  15.847 +
  15.848 +Goal "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
  15.849 +\        --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))";
  15.850 +by (auto_tac (MI_css addsimps2 [r_def]
  15.851 +		     addSIs2 [RPCFail_Next_enabled, RPCFail_enabled]));
  15.852 +by (cut_facts_tac [MI_base] 1);
  15.853 +by (blast_tac (claset() addDs [base_pair]) 1);
  15.854 +by (ALLGOALS (asm_full_simp_tac (simpset() addsimps [S_def,S5_def])));
  15.855 +qed "S5RPC_enabled";
  15.856 +
  15.857 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))\
  15.858 +\        & WF(RPCNext crCh rmCh rst p)_(r p) \
  15.859 +\        --> (S5 rmhist p ~> S6 rmhist p)";
  15.860 +by (REPEAT (resolve_tac [WF1,S5_successors,S5RPC_successors,S5RPC_enabled] 1));
  15.861 +qed "S5_live";
  15.862 +
  15.863 +(* ------------------------------ State S6 ------------------------------ *)
  15.864 +
  15.865 +Goal "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) \
  15.866 +\        --> (S1 rmhist p)$ | (S3 rmhist p)$ | (S6 rmhist p)$";
  15.867 +by (split_idle_tac [] 1);
  15.868 +by (auto_tac (MI_css addSDs2 [Step1_2_6]));
  15.869 +qed "S6_successors";
  15.870 +
  15.871 +Goal "|- ($S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) \
  15.872 +\        & <MClkReply memCh crCh cst p>_(c p) \
  15.873 +\        --> (S1 rmhist p)$";
  15.874 +by (auto_tac (MI_css addsimps2 [angle_def] addSDs2 [Step1_2_6, MClkReplyNotRetry]));
  15.875 +qed "S6MClkReply_successors";
  15.876 +
  15.877 +Goal "|- $ImpInv rmhist p & <MClkReply memCh crCh cst p>_(c p) --> $S6 rmhist p";
  15.878 +by (action_simp_tac
  15.879 +      (simpset() addsimps [angle_def,MClkReply_def,Return_def,
  15.880 +		     ImpInv_def,S_def,S1_def,S2_def,S3_def,S4_def,S5_def])
  15.881 +      [] [] 1);
  15.882 +qed "MClkReplyS6";
  15.883 +
  15.884 +Goal "|- S6 rmhist p --> Enabled (<MClkReply memCh crCh cst p>_(c p))";
  15.885 +by (auto_tac (MI_css addsimps2 [c_def] addSIs2 [MClkReply_enabled]));
  15.886 +by (cut_facts_tac [MI_base] 1);
  15.887 +by (blast_tac (claset() addDs [base_pair]) 1);
  15.888 +by (ALLGOALS (action_simp_tac (simpset() addsimps [S_def,S6_def]) [] []));
  15.889 +qed "S6MClkReply_enabled";
  15.890 +
  15.891 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p))\
  15.892 +\        & SF(MClkReply memCh crCh cst p)_(c p) & []<>(S6 rmhist p)  \
  15.893 +\        --> []<>(S1 rmhist p)";
  15.894 +by (Clarsimp_tac 1);
  15.895 +by (subgoal_tac "sigma |= []<>(<MClkReply memCh crCh cst p>_(c p))" 1);
  15.896 +by (etac InfiniteEnsures 1); 
  15.897 +by (atac 1);
  15.898 +by (action_simp_tac (simpset()) []
  15.899 +	            (map temp_elim [MClkReplyS6,S6MClkReply_successors]) 1);
  15.900 +by (auto_tac (MI_css addsimps2 [SF_def]));
  15.901 +by (etac swap 1);
  15.902 +by (auto_tac (MI_css addSIs2 [S6MClkReply_enabled] addSEs2 [STL4E, DmdImplE]));
  15.903 +qed "S6_live";
  15.904 +
  15.905 +(* --------------- aggregate leadsto properties----------------------------- *)
  15.906 +
  15.907 +Goal "sigma |= S5 rmhist p ~> S6 rmhist p \
  15.908 +\     ==> sigma |= (S5 rmhist p | S6 rmhist p) ~> S6 rmhist p";
  15.909 +by (auto_tac (MI_css addSIs2 [LatticeDisjunctionIntro, LatticeReflexivity]));
  15.910 +qed "S5S6LeadstoS6";
  15.911 +
  15.912 +Goal "[| sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;\
  15.913 +\        sigma |= S5 rmhist p ~> S6 rmhist p |]  \
  15.914 +\     ==> sigma |= (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p \
  15.915 +\                   ~> S6 rmhist p";
  15.916 +by (auto_tac (MI_css addSIs2 [LatticeDisjunctionIntro,S5S6LeadstoS6]
  15.917 +		     addIs2 [LatticeTransitivity]));
  15.918 +qed "S4bS5S6LeadstoS6";
  15.919 +
  15.920 +Goal "[| sigma |= S4 rmhist p & ires!p = #NotAResult \
  15.921 +\                 ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p; \
  15.922 +\        sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
  15.923 +\        sigma |= S5 rmhist p ~> S6 rmhist p |]  \
  15.924 +\     ==> sigma |= S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p";
  15.925 +by (subgoal_tac 
  15.926 +     "sigma |= (S4 rmhist p & ires!p = #NotAResult)\
  15.927 +\            | (S4 rmhist p & ires!p ~= #NotAResult)\
  15.928 +\            | S5 rmhist p | S6 rmhist p ~> S6 rmhist p" 1);
  15.929 + by (eres_inst_tac 
  15.930 +      [("G", "PRED ((S4 rmhist p & ires!p = #NotAResult)\
  15.931 +\                | (S4 rmhist p & ires!p ~= #NotAResult)\
  15.932 +\                | S5 rmhist p | S6 rmhist p)")] 
  15.933 +      (temp_use LatticeTransitivity) 1);
  15.934 + by (force_tac (MI_css addsimps2 Init_defs addSIs2 [ImplLeadsto_gen, necT]) 1);
  15.935 +by (rtac (temp_use LatticeDisjunctionIntro) 1);
  15.936 +by (etac (temp_use LatticeTransitivity) 1);
  15.937 +by (etac (temp_use LatticeTriangle2) 1); 
  15.938 +by (atac 1);
  15.939 +by (auto_tac (MI_css addSIs2 [S4bS5S6LeadstoS6]));
  15.940 +qed "S4S5S6LeadstoS6";
  15.941 +
  15.942 +Goal "[| sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;   \
  15.943 +\        sigma |= S4 rmhist p & ires!p = #NotAResult \
  15.944 +\                 ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p; \
  15.945 +\        sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
  15.946 +\        sigma |= S5 rmhist p ~> S6 rmhist p |]  \
  15.947 +\     ==> sigma |= S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p";
  15.948 +by (rtac (temp_use LatticeDisjunctionIntro) 1);
  15.949 +by (etac (temp_use LatticeTriangle2) 1);
  15.950 +by (rtac (S4S5S6LeadstoS6 RS (temp_use LatticeTransitivity)) 1);
  15.951 +by (auto_tac (MI_css addSIs2 [S4S5S6LeadstoS6,necT]
  15.952 +	             addIs2 [ImplLeadsto_gen] addsimps2 Init_defs));
  15.953 +qed "S3S4S5S6LeadstoS6";
  15.954 +
  15.955 +Goal "[| sigma |= S2 rmhist p ~> S3 rmhist p; \
  15.956 +\        sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;   \
  15.957 +\        sigma |= S4 rmhist p & ires!p = #NotAResult \
  15.958 +\                 ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p; \
  15.959 +\        sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
  15.960 +\        sigma |= S5 rmhist p ~> S6 rmhist p |]  \
  15.961 +\     ==> sigma |= S2 rmhist p | S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p \
  15.962 +\                  ~> S6 rmhist p";
  15.963 +by (rtac (temp_use LatticeDisjunctionIntro) 1);
  15.964 +by (rtac (temp_use LatticeTransitivity) 1); 
  15.965 +by (atac 2);
  15.966 +by (rtac (S3S4S5S6LeadstoS6 RS (temp_use LatticeTransitivity)) 1);
  15.967 +by (auto_tac (MI_css addSIs2 [S3S4S5S6LeadstoS6,necT]
  15.968 +	             addIs2 [ImplLeadsto_gen] addsimps2 Init_defs));
  15.969 +qed "S2S3S4S5S6LeadstoS6";
  15.970 +
  15.971 +Goal "[| sigma |= []ImpInv rmhist p; \
  15.972 +\        sigma |= S2 rmhist p ~> S3 rmhist p; \
  15.973 +\        sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p; \
  15.974 +\        sigma |= S4 rmhist p & ires!p = #NotAResult \
  15.975 +\                 ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p; \
  15.976 +\        sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;  \
  15.977 +\        sigma |= S5 rmhist p ~> S6 rmhist p |] \
  15.978 +\     ==> sigma |= ~S1 rmhist p ~> S6 rmhist p";
  15.979 +by (rtac (S2S3S4S5S6LeadstoS6 RS (temp_use LatticeTransitivity)) 1);
  15.980 +by (TRYALL atac);
  15.981 +by (etac (temp_use INV_leadsto) 1);
  15.982 +by (rtac (temp_use ImplLeadsto_gen) 1);
  15.983 +by (rtac (temp_use necT) 1);
  15.984 +by (auto_tac (MI_css addsimps2 ImpInv_def::Init_defs addSIs2 [necT]));
  15.985 +qed "NotS1LeadstoS6";
  15.986 +
  15.987 +Goal "[| sigma |= ~S1 rmhist p ~> S6 rmhist p; \
  15.988 +\        sigma |= []<>S6 rmhist p --> []<>S1 rmhist p |] \
  15.989 +\     ==> sigma |= []<>S1 rmhist p";
  15.990 +by (rtac classical 1);
  15.991 +by (asm_full_simp_tac (simpset() addsimps [temp_use NotBox, NotDmd]) 1);
  15.992 +by (auto_tac (MI_css addSEs2 [mp,leadsto_infinite] addSDs2 [DBImplBD]));
  15.993 +qed "S1Infinite";
  15.994  
  15.995  section "Refinement proof (step 1.5)";
  15.996  
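Review bot: The `S6_live` proof (just after `qed "S6MClkReply_enabled"`) uses `subgoal_tac "sigma |= []<>(<MClkReply memCh crCh cst p>_(c p))" 1`, which appears to depend on `Clarsimp_tac` exposing the behaviour variable under the exact name `sigma`; the aggregate lemmas later in the hunk avoid that dependence by stating `sigma |=` in the goal itself, and `S6_live` would be more robust written the same way, e.g. `Goal "[| sigma |= [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p)); sigma |= SF(MClkReply memCh crCh cst p)_(c p); sigma |= []<>(S6 rmhist p) |] ==> sigma |= []<>(S1 rmhist p)"`. Two consistency nits: `Goal"|- $S4 rmhist p ...` (the `S4_successors` lemma) lacks the space after `Goal` that every other goal uses, and `S4b_live` writes the invariant as `(!l. $MemInv mm l)` while the surrounding S4 lemmas write `(ALL l. $MemInv mm l)`. Since this hunk replaces `use "MIlive.ML"` with the liveness lemmas inline, the commit message should say so, and MIlive.ML itself should be emptied or removed in the same changeset so the same theorem names are not established twice.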
  15.997 @@ -437,148 +748,134 @@
  15.998     a. memory invariant
  15.999     b. "implementation invariant": always in states S1,...,S6
 15.1000  *)
 15.1001 -qed_goal "Step1_5_1a" MemoryImplementation.thy 
 15.1002 -   "|- IPImp p --> (!l. []$MemInv mm l)"
 15.1003 -   (fn _ => [auto_tac (MI_css addsimps2 [IPImp_def,box_stp_act]
 15.1004 -			      addSIs2 [MemoryInvariantAll])
 15.1005 -	    ]);
 15.1006 +Goal "|- IPImp p --> (ALL l. []$MemInv mm l)";
 15.1007 +by (auto_tac (MI_css addsimps2 [IPImp_def,box_stp_act]
 15.1008 +	             addSIs2 [MemoryInvariantAll]));
 15.1009 +qed "Step1_5_1a";
 15.1010  
 15.1011 -qed_goal "Step1_5_1b" MemoryImplementation.thy
 15.1012 -   "|- Init(ImpInit p & HInit rmhist p) & [](ImpNext p) \
 15.1013 -\      & [][HNext rmhist p]_(c p, r p, m p, rmhist!p) & [](!l. $MemInv mm l) \
 15.1014 -\      --> []ImpInv rmhist p"
 15.1015 -   (fn _ => [inv_tac MI_css 1,
 15.1016 -	     auto_tac (MI_css addsimps2 [Init_def, ImpInv_def, box_stp_act]
 15.1017 -                              addSDs2 [Step1_1]
 15.1018 -		              addDs2 [S1_successors,S2_successors,S3_successors,
 15.1019 -			              S4_successors,S5_successors,S6_successors])
 15.1020 -            ]);
 15.1021 +Goal "|- Init(ImpInit p & HInit rmhist p) & [](ImpNext p) \
 15.1022 +\        & [][HNext rmhist p]_(c p, r p, m p, rmhist!p) & [](ALL l. $MemInv mm l) \
 15.1023 +\        --> []ImpInv rmhist p";
 15.1024 +by (inv_tac MI_css 1);
 15.1025 +by (auto_tac (MI_css addsimps2 [Init_def, ImpInv_def, box_stp_act]
 15.1026 +                     addSDs2 [Step1_1]
 15.1027 +	             addDs2 [S1_successors,S2_successors,S3_successors,
 15.1028 +		             S4_successors,S5_successors,S6_successors]));
 15.1029 +qed "Step1_5_1b";
 15.1030  
 15.1031  (*** Initialization ***)
 15.1032 -qed_goal "Step1_5_2a" MemoryImplementation.thy
 15.1033 -   "|- Init(ImpInit p & HInit rmhist p) --> Init(PInit (resbar rmhist) p)"
 15.1034 -   (fn _ => [auto_tac (MI_css addsimps2 [Init_def]
 15.1035 -                              addSIs2 [Step1_1,Step1_3])
 15.1036 -            ]);
 15.1037 +Goal "|- Init(ImpInit p & HInit rmhist p) --> Init(PInit (resbar rmhist) p)";
 15.1038 +by (auto_tac (MI_css addsimps2 [Init_def] addSIs2 [Step1_1,Step1_3]));
 15.1039 +qed "Step1_5_2a";
 15.1040  
 15.1041  (*** step simulation ***)
 15.1042 -qed_goal "Step1_5_2b" MemoryImplementation.thy
 15.1043 -   "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)   \
 15.1044 -\                   & $ImpInv rmhist p & (!l. $MemInv mm l))       \
 15.1045 -\      --> [][UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
 15.1046 -   (fn _ => [auto_tac (MI_css 
 15.1047 -                          addsimps2 [ImpInv_def] addSEs2 [STL4E]
 15.1048 -                          addSDs2 [S1safe,S2safe,S3safe,S4safe,S5safe,S6safe])
 15.1049 -            ]);
 15.1050 -
 15.1051 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)   \
 15.1052 +\        & $ImpInv rmhist p & (!l. $MemInv mm l)) \
 15.1053 +\        --> [][UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)";
 15.1054 +by (auto_tac (MI_css addsimps2 [ImpInv_def] addSEs2 [STL4E]
 15.1055 +                     addSDs2 [S1safe,S2safe,S3safe,S4safe,S5safe,S6safe]));
 15.1056 +qed "Step1_5_2b";
 15.1057  
 15.1058  (*** Liveness ***)
 15.1059 -qed_goal "GoodImpl" MemoryImplementation.thy
 15.1060 -   "|- IPImp p & HistP rmhist p  \
 15.1061 -\      -->   Init(ImpInit p & HInit rmhist p)   \
 15.1062 -\          & [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1063 -\          & [](!l. $MemInv mm l) & []($ImpInv rmhist p) \
 15.1064 -\          & ImpLive p"
 15.1065 -   (fn _ => [Clarsimp_tac 1,
 15.1066 -	     subgoal_tac
 15.1067 -	       "sigma |= Init(ImpInit p & HInit rmhist p) \
 15.1068 -\                        & [](ImpNext p) \
 15.1069 -\                        & [][HNext rmhist p]_(c p, r p, m p, rmhist!p) \
 15.1070 -\                        & [](!l. $MemInv mm l)" 1,
 15.1071 -	     auto_tac (MI_css addsimps2 [split_box_conj,box_stp_act] addSDs2 [Step1_5_1b]),
 15.1072 -	     force_tac (MI_css addsimps2 [IPImp_def,MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
 15.1073 -					  ImpLive_def,c_def,r_def,m_def]) 1,
 15.1074 -	     force_tac (MI_css addsimps2 [IPImp_def,MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
 15.1075 -					  HistP_def,Init_def,ImpInit_def]) 1,
 15.1076 -	     force_tac (MI_css addsimps2 [IPImp_def,MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
 15.1077 -					  ImpNext_def,c_def,r_def,m_def,split_box_conj]) 1,
 15.1078 -	     force_tac (MI_css addsimps2 [HistP_def]) 1,
 15.1079 -             force_tac (MI_css addsimps2 [temp_use allT] addSDs2 [Step1_5_1a]) 1
 15.1080 -	    ]);
 15.1081 +Goal "|- IPImp p & HistP rmhist p  \
 15.1082 +\        -->   Init(ImpInit p & HInit rmhist p)   \
 15.1083 +\            & [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1084 +\            & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p) \
 15.1085 +\            & ImpLive p";
 15.1086 +by (Clarsimp_tac 1);
 15.1087 +by (subgoal_tac
 15.1088 +      "sigma |= Init(ImpInit p & HInit rmhist p) \
 15.1089 +\             & [](ImpNext p) \
 15.1090 +\             & [][HNext rmhist p]_(c p, r p, m p, rmhist!p) \
 15.1091 +\             & [](ALL l. $MemInv mm l)" 1);
 15.1092 +by (auto_tac (MI_css addsimps2 [split_box_conj,box_stp_act] addSDs2 [Step1_5_1b]));
 15.1093 +by (force_tac (MI_css addsimps2 [IPImp_def,MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
 15.1094 +				 ImpLive_def,c_def,r_def,m_def]) 1);
 15.1095 +by (force_tac (MI_css addsimps2 [IPImp_def,MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
 15.1096 +	                         HistP_def,Init_def,ImpInit_def]) 1);
 15.1097 +by (force_tac (MI_css addsimps2 [IPImp_def,MClkIPSpec_def,RPCIPSpec_def,RPSpec_def,
 15.1098 +                                 ImpNext_def,c_def,r_def,m_def,split_box_conj]) 1);
 15.1099 +by (force_tac (MI_css addsimps2 [HistP_def]) 1);
 15.1100 +by (force_tac (MI_css addsimps2 [temp_use allT] addSDs2 [Step1_5_1a]) 1);
 15.1101 +qed "GoodImpl";
 15.1102  
 15.1103  (* The implementation is infinitely often in state S1... *)
 15.1104 -qed_goal "Step1_5_3a" MemoryImplementation.thy
 15.1105 -   "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1106 -\      & [](!l. $MemInv mm l)  \
 15.1107 -\      & []($ImpInv rmhist p) & ImpLive p  \
 15.1108 -\      --> []<>S1 rmhist p"
 15.1109 -   (fn _ => [clarsimp_tac (MI_css addsimps2 [ImpLive_def]) 1,
 15.1110 -             rtac S1Infinite 1,
 15.1111 -	     force_tac (MI_css
 15.1112 -			  addsimps2 [split_box_conj,box_stp_act]
 15.1113 -			  addSIs2 [NotS1LeadstoS6,S2_live,S3_live,S4a_live,S4b_live,S5_live]) 1,
 15.1114 -             auto_tac (MI_css addsimps2 [split_box_conj] addSIs2 [S6_live])
 15.1115 -            ]);
 15.1116 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1117 +\        & [](ALL l. $MemInv mm l)  \
 15.1118 +\        & []($ImpInv rmhist p) & ImpLive p  \
 15.1119 +\        --> []<>S1 rmhist p";
 15.1120 +by (clarsimp_tac (MI_css addsimps2 [ImpLive_def]) 1);
 15.1121 +by (rtac S1Infinite 1);
 15.1122 +by (force_tac
 15.1123 +      (MI_css addsimps2 [split_box_conj,box_stp_act]
 15.1124 +              addSIs2 [NotS1LeadstoS6,S2_live,S3_live,S4a_live,S4b_live,S5_live]) 1);
 15.1125 +by (auto_tac (MI_css addsimps2 [split_box_conj] addSIs2 [S6_live]));
 15.1126 +qed "Step1_5_3a";
 15.1127  
 15.1128 -(* ... which implies that it satisfies the fairness requirements of the specification *)
 15.1129 -qed_goal "Step1_5_3b" MemoryImplementation.thy
 15.1130 -   "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1131 -\      & [](!l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p  \
 15.1132 -\      --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
 15.1133 -   (fn _ => [ auto_tac (MI_css addSIs2 [RNext_fair,Step1_5_3a]) ]);
 15.1134 +(* ... and therefore satisfies the fairness requirements of the specification *)
 15.1135 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1136 +\        & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p  \
 15.1137 +\        --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)";
 15.1138 +by (auto_tac (MI_css addSIs2 [RNext_fair,Step1_5_3a]));
 15.1139 +qed "Step1_5_3b";
 15.1140  
 15.1141 -qed_goal "Step1_5_3c" MemoryImplementation.thy
 15.1142 -   "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1143 -\      & [](!l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p  \
 15.1144 -\      --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
 15.1145 -   (fn _ => [ auto_tac (MI_css addSIs2 [Return_fair,Step1_5_3a]) ]);
 15.1146 -
 15.1147 +Goal "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1148 +\        & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p  \
 15.1149 +\        --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)";
 15.1150 +by (auto_tac (MI_css addSIs2 [Return_fair,Step1_5_3a]));
 15.1151 +qed "Step1_5_3c";
 15.1152  
 15.1153  (* QED step of step 1 *)
 15.1154 -qed_goal "Step1" MemoryImplementation.thy
 15.1155 -   "|- IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p"
 15.1156 -   (fn _ => [auto_tac
 15.1157 -               (MI_css addsimps2 [UPSpec_def,split_box_conj]
 15.1158 -		       addSDs2 [GoodImpl]
 15.1159 -                       addSIs2 [Step1_5_2a,Step1_5_2b,Step1_5_3b,Step1_5_3c])
 15.1160 -            ]);
 15.1161 -
 15.1162 +Goal "|- IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p";
 15.1163 +by (auto_tac (MI_css addsimps2 [UPSpec_def,split_box_conj]
 15.1164 +		     addSDs2 [GoodImpl]
 15.1165 +                     addSIs2 [Step1_5_2a,Step1_5_2b,Step1_5_3b,Step1_5_3c]));
 15.1166 +qed "Step1";
 15.1167  
 15.1168  (* ------------------------------ Step 2 ------------------------------ *)
 15.1169  section "Step 2";
 15.1170  
 15.1171 -qed_goal "Step2_2a" MemoryImplementation.thy
 15.1172 -   "|- Write rmCh mm ires p l & ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p) \
 15.1173 -\      & $ImpInv rmhist p  \
 15.1174 -\      --> (S4 rmhist p)` & unchanged (e p, c p, r p, rmhist!p)"
 15.1175 -   (fn _ => [Clarsimp_tac 1,
 15.1176 -             dtac (action_use WriteS4) 1, atac 1,
 15.1177 -             split_idle_tac [] 1,
 15.1178 -             auto_tac (MI_css addsimps2 [ImpNext_def] 
 15.1179 -                              addSDs2 [S4EnvUnch,S4ClerkUnch,S4RPCUnch]),
 15.1180 -             auto_tac (MI_css addsimps2 [square_def] addDs2 [S4Write])
 15.1181 -            ]);
 15.1182 +Goal "|- Write rmCh mm ires p l & ImpNext p\
 15.1183 +\        & [HNext rmhist p]_(c p, r p, m p, rmhist!p) \
 15.1184 +\        & $ImpInv rmhist p  \
 15.1185 +\        --> (S4 rmhist p)$ & unchanged (e p, c p, r p, rmhist!p)";
 15.1186 +by (Clarsimp_tac 1);
 15.1187 +by (dtac (action_use WriteS4) 1); 
 15.1188 +by (atac 1);
 15.1189 +by (split_idle_tac [] 1);
 15.1190 +by (auto_tac (MI_css addsimps2 [ImpNext_def] 
 15.1191 +                     addSDs2 [S4EnvUnch,S4ClerkUnch,S4RPCUnch]));
 15.1192 +by (auto_tac (MI_css addsimps2 [square_def] addDs2 [S4Write]));
 15.1193 +qed "Step2_2a";
 15.1194  
 15.1195 -qed_goal "Step2_2" MemoryImplementation.thy
 15.1196 -   "|-   (!p. ImpNext p) \
 15.1197 -\      & (!p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1198 -\      & (!p. $ImpInv rmhist p) \
 15.1199 -\      & [? q. Write rmCh mm ires q l]_(mm!l) \
 15.1200 -\      --> [? q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
 15.1201 -   (fn _ => [auto_tac (MI_css addSIs2 [squareCI] addSEs2 [squareE]),
 15.1202 -             REPEAT (ares_tac [exI, action_use Step1_4_4b] 1),
 15.1203 -             force_tac (MI_css addSIs2 [WriteS4]) 1,
 15.1204 -             auto_tac (MI_css addSDs2 [Step2_2a])
 15.1205 -            ]);
 15.1206 +Goal "|-   (ALL p. ImpNext p) \
 15.1207 +\        & (ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1208 +\        & (ALL p. $ImpInv rmhist p) \
 15.1209 +\        & [EX q. Write rmCh mm ires q l]_(mm!l) \
 15.1210 +\        --> [EX q. Write memCh mm (resbar rmhist) q l]_(mm!l)";
 15.1211 +by (auto_tac (MI_css addSIs2 [squareCI] addSEs2 [squareE]));
 15.1212 +by (REPEAT (ares_tac [exI, action_use Step1_4_4b] 1));
 15.1213 +by (force_tac (MI_css addSIs2 [WriteS4]) 1);
 15.1214 +by (auto_tac (MI_css addSDs2 [Step2_2a]));
 15.1215 +qed "Step2_2";
 15.1216  
 15.1217 -qed_goal "Step2_lemma" MemoryImplementation.thy
 15.1218 -   "|-  [](  (!p. ImpNext p) \
 15.1219 -\          & (!p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1220 -\          & (!p. $ImpInv rmhist p) \
 15.1221 -\          & [? q. Write rmCh mm ires q l]_(mm!l)) \
 15.1222 -\       --> [][? q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
 15.1223 -   (fn _ => [ force_tac (MI_css addSEs2 [STL4E] addSDs2 [Step2_2]) 1 ]);
 15.1224 +Goal "|- [](  (ALL p. ImpNext p) \
 15.1225 +\           & (ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) \
 15.1226 +\           & (ALL p. $ImpInv rmhist p) \
 15.1227 +\           & [EX q. Write rmCh mm ires q l]_(mm!l)) \
 15.1228 +\        --> [][EX q. Write memCh mm (resbar rmhist) q l]_(mm!l)";
 15.1229 +by (force_tac (MI_css addSEs2 [STL4E] addSDs2 [Step2_2]) 1);
 15.1230 +qed "Step2_lemma";
 15.1231  
 15.1232 -qed_goal "Step2" MemoryImplementation.thy
 15.1233 -   "|- #l : #MemLoc & (!p. IPImp p & HistP rmhist p)  \
 15.1234 -\      --> MSpec memCh mm (resbar rmhist) l"
 15.1235 -   (fn _ => [auto_tac (MI_css addsimps2 [MSpec_def]),
 15.1236 -	     force_tac (MI_css addsimps2 [IPImp_def,MSpec_def]) 1,
 15.1237 -	     auto_tac (MI_css addSIs2 [Step2_lemma]
 15.1238 -		              addsimps2 [split_box_conj,all_box]),
 15.1239 -	     force_tac (MI_css addsimps2 [IPImp_def,MSpec_def]) 4,
 15.1240 -             auto_tac (MI_css addsimps2 [split_box_conj] addSEs2 [allE] addSDs2 [GoodImpl])
 15.1241 -	    ]);
 15.1242 +Goal "|- #l : #MemLoc & (ALL p. IPImp p & HistP rmhist p)  \
 15.1243 +\        --> MSpec memCh mm (resbar rmhist) l";
 15.1244 +by (auto_tac (MI_css addsimps2 [MSpec_def]));
 15.1245 +by (force_tac (MI_css addsimps2 [IPImp_def,MSpec_def]) 1);
 15.1246 +by (auto_tac (MI_css addSIs2 [Step2_lemma]
 15.1247 +	             addsimps2 [split_box_conj,all_box]));
 15.1248 +by (force_tac (MI_css addsimps2 [IPImp_def,MSpec_def]) 4);
 15.1249 +by (auto_tac (MI_css addsimps2 [split_box_conj] addSEs2 [allE] addSDs2 [GoodImpl]));
 15.1250 +qed "Step2";
 15.1251  
 15.1252  (* ----------------------------- Main theorem --------------------------------- *)
 15.1253  section "Memory implementation";
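Review bot: Step1_5_2b's goal still writes the memory invariant with the old binder, `(!l. $MemInv mm l)`, on its second line, while every other lemma in this hunk (Step1_5_1a, Step1_5_1b, GoodImpl, Step1_5_3a/b/c, Step2_2, Step2_lemma, Step2) was moved to `(ALL l. $MemInv mm l)`. The two spellings presumably parse to the same term, so this is cosmetic, but a mixed notation in a refinement proof that is read as a specification invites doubt about whether a different binder was intended; the line should read `\        & $ImpInv rmhist p & (ALL l. $MemInv mm l)) \`. Separately, the Step2 proof addresses a subgoal by position (`force_tac (...) 4`) right after an `auto_tac`, which makes it dependent on auto's subgoal ordering; a one-line comment naming which conjunct of MSpec that subgoal is would help the next person who has to repair it.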
 15.1254 @@ -590,21 +887,17 @@
 15.1255  (* Implementation of internal specification by combination of implementation
 15.1256     and history variable with explicit refinement mapping
 15.1257  *)
 15.1258 -qed_goal "Impl_IUSpec" MemoryImplementation.thy
 15.1259 -   "|- Implementation & Hist rmhist --> IUSpec memCh mm (resbar rmhist)"
 15.1260 -   (fn _ => [auto_tac (MI_css addsimps2 [IUSpec_def,Implementation_def,IPImp_def,
 15.1261 -					 MClkISpec_def,RPCISpec_def,IRSpec_def,Hist_def]
 15.1262 -		              addSIs2 [Step1,Step2])
 15.1263 -	    ]);
 15.1264 +Goal "|- Implementation & Hist rmhist --> IUSpec memCh mm (resbar rmhist)";
 15.1265 +by (auto_tac (MI_css addsimps2 [IUSpec_def,Implementation_def,IPImp_def,
 15.1266 +			        MClkISpec_def,RPCISpec_def,IRSpec_def,Hist_def]
 15.1267 +		     addSIs2 [Step1,Step2]));
 15.1268 +qed "Impl_IUSpec";
 15.1269  
 15.1270  (* The main theorem: introduce hiding and eliminate history variable. *)
 15.1271 -qed_goal "Implementation" MemoryImplementation.thy
 15.1272 -   "|- Implementation --> USpec memCh"
 15.1273 -   (fn _ => [Clarsimp_tac 1,
 15.1274 -             forward_tac [temp_use History] 1,
 15.1275 -             auto_tac (MI_css addsimps2 [USpec_def] 
 15.1276 -                              addIs2 [eexI, Impl_IUSpec, MI_base]
 15.1277 -                              addSEs2 [eexE])
 15.1278 -            ]);
 15.1279 -
 15.1280 -
 15.1281 +Goal "|- Implementation --> USpec memCh";
 15.1282 +by (Clarsimp_tac 1);
 15.1283 +by (forward_tac [temp_use History] 1);
 15.1284 +by (auto_tac (MI_css addsimps2 [USpec_def] 
 15.1285 +                     addIs2 [eexI, Impl_IUSpec, MI_base]
 15.1286 +                     addSEs2 [eexE]));
 15.1287 +qed "Implementation";
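Review bot: The final theorem `Implementation` is the whole point of the development, yet the only explanation of its proof is the one-line comment above it; the `forward_tac [temp_use History] 1` step silently depends on a lemma `History` that is not in this hunk, and the `eexI`/`eexE` rules encode the temporal existential hiding. A short comment such as `(* History: every behaviour of Implementation can be extended with a history variable rmhist satisfying Hist rmhist; eexI/eexE then hide rmhist to obtain USpec memCh *)` would record why the refinement mapping `resbar rmhist` needs an existentially quantified history variable at all, which is the step a reader checking the soundness of the hiding is most likely to question.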
    16.1 --- a/src/HOL/TLA/Memory/MemoryImplementation.thy	Thu Aug 03 19:28:37 2000 +0200
    16.2 +++ b/src/HOL/TLA/Memory/MemoryImplementation.thy	Thu Aug 03 19:29:03 2000 +0200
    16.3 @@ -33,9 +33,6 @@
    16.4    rst           :: "rpcStType"
    16.5    cst           :: "mClkStType"
    16.6    ires          :: "resType"
    16.7 -(* the history variable : not defined as a constant
    16.8 -  rmhist        :: "histType"
    16.9 -*)
   16.10  
   16.11  constdefs
   16.12    (* auxiliary predicates *)
   16.13 @@ -78,7 +75,7 @@
   16.14                             & [][HNext rmhist p]_(c p,r p,m p, rmhist!p)"
   16.15  
   16.16    Hist          :: "histType => temporal"
   16.17 -      "Hist rmhist == TEMP (!p. HistP rmhist p)"
   16.18 +      "Hist rmhist == TEMP (ALL p. HistP rmhist p)"
   16.19  
   16.20    (* the implementation *)
   16.21    IPImp          :: "PrIds => temporal"
   16.22 @@ -86,7 +83,7 @@
   16.23  	               & MClkIPSpec memCh crCh cst p
   16.24    	               & RPCIPSpec crCh rmCh rst p
   16.25  	               & RPSpec rmCh mm ires p
   16.26 -		       & (! l. #l : #MemLoc --> MSpec rmCh mm ires l))"
   16.27 +		       & (ALL l. #l : #MemLoc --> MSpec rmCh mm ires l))"
   16.28  
   16.29    ImpInit        :: "PrIds => stpred"
   16.30        "ImpInit p == PRED (  ~Calling memCh p
   16.31 @@ -108,7 +105,7 @@
   16.32  			& WF(MemReturn rmCh ires p)_(m p)"
   16.33  
   16.34    Implementation :: "temporal"
   16.35 -      "Implementation == TEMP ( (!p. Init (~Calling memCh p) & [][ENext p]_(e p))
   16.36 +      "Implementation == TEMP ( (ALL p. Init (~Calling memCh p) & [][ENext p]_(e p))
   16.37                                 & MClkISpec memCh crCh cst
   16.38                                 & RPCISpec crCh rmCh rst
   16.39                                 & IRSpec rmCh mm ires)"
    17.1 --- a/src/HOL/TLA/Memory/MemoryParameters.ML	Thu Aug 03 19:28:37 2000 +0200
    17.2 +++ b/src/HOL/TLA/Memory/MemoryParameters.ML	Thu Aug 03 19:29:03 2000 +0200
    17.3 @@ -6,24 +6,13 @@
    17.4      RPC-Memory example: memory parameters (ML file)
    17.5  *)
    17.6  
    17.7 -(*
    17.8 -val MP_simps = [BadArgNoMemVal,MemFailNoMemVal,InitValMemVal,NotAResultNotVal,
    17.9 -                  NotAResultNotOK, NotAResultNotBA, NotAResultNotMF]
   17.10 -               @ (map (fn x => x RS not_sym) 
   17.11 -                      [NotAResultNotOK, NotAResultNotBA, NotAResultNotMF]);
   17.12 -*)
   17.13 -
   17.14  Addsimps ([BadArgNoMemVal,MemFailNoMemVal,InitValMemVal,NotAResultNotVal,
   17.15                    NotAResultNotOK, NotAResultNotBA, NotAResultNotMF]
   17.16                 @ (map (fn x => x RS not_sym) 
   17.17                        [NotAResultNotOK, NotAResultNotBA, NotAResultNotMF]));
   17.18  
   17.19 -(* Auxiliary rules *)
   17.20 -
   17.21 -qed_goal "MemValNotAResultE" MemoryParameters.thy
   17.22 -   "[| x : MemVal; (x ~= NotAResult ==> P) |] ==> P"
   17.23 -   (fn prems => [resolve_tac prems 1,
   17.24 -                 cut_facts_tac (NotAResultNotVal::prems) 1,
   17.25 -                 Force_tac 1
   17.26 -                ]);
   17.27 -
   17.28 +val prems = goal thy "[| x : MemVal; (x ~= NotAResult ==> P) |] ==> P";
   17.29 +by (resolve_tac prems 1);
   17.30 +by (cut_facts_tac (NotAResultNotVal::prems) 1);
   17.31 +by (Force_tac 1);
   17.32 +qed "MemValNotAResultE";
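Review bot: The rewrite of MemValNotAResultE drops the `(* Auxiliary rules *)` heading without replacing it, so the lemma now has no comment at all explaining what it is for. Since it is the only rule in this file and its role (eliminating the pseudo-result `NotAResult` from anything known to be a memory value, via `NotAResultNotVal`) is not obvious from the goal string, a one-line comment before the `val prems = goal thy` line would restore what was lost, e.g. `(* Elimination rule: an element of MemVal is never the pseudo-result NotAResult *)`. Note also that `val prems = ...` binds `prems` at the top level of the ML file; that is how the rest of the changeset handles premises too, so it is only worth mentioning if the file later grows another such proof.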
    18.1 --- a/src/HOL/TLA/Memory/MemoryParameters.thy	Thu Aug 03 19:28:37 2000 +0200
    18.2 +++ b/src/HOL/TLA/Memory/MemoryParameters.thy	Thu Aug 03 19:29:03 2000 +0200
    18.3 @@ -12,19 +12,8 @@
    18.4  MemoryParameters = Datatype + RPCMemoryParams +
    18.5  
    18.6  (* the memory operations *)
    18.7 -(***
    18.8 -datatype  Rd = read
    18.9 -datatype  Wr = write
   18.10 -***)
   18.11 -
   18.12  datatype memOp = read Locs | write Locs Vals
   18.13  
   18.14 -(***
   18.15 -types
   18.16 -  (* legal arguments for the memory *)
   18.17 -  memArgType = "(Rd * Locs) + (Wr * Locs * Vals)"
   18.18 -***)
   18.19 -
   18.20  consts
   18.21    (* memory locations and contents *)
   18.22    MemLoc         :: Locs set
    19.1 --- a/src/HOL/TLA/Memory/ProcedureInterface.ML	Thu Aug 03 19:28:37 2000 +0200
    19.2 +++ b/src/HOL/TLA/Memory/ProcedureInterface.ML	Thu Aug 03 19:29:03 2000 +0200
    19.3 @@ -16,45 +16,12 @@
    19.4  		      PLegalCaller_def, LegalCaller_def,
    19.5  		      PLegalReturner_def, LegalReturner_def];
    19.6  
    19.7 -(* sample theorems (not used in the proof):
    19.8 -   1. calls and returns are mutually exclusive
    19.9 -
   19.10 -qed_goal "CallNotReturn" ProcedureInterface.thy
   19.11 -     "|- Call ch p v --> ~ Return ch p w"
   19.12 -  (fn prems => [ auto_tac (temp_css addsimps2 [Call_def,Return_def]) ]);
   19.13 -
   19.14 -
   19.15 -  2. enabledness of calls and returns
   19.16 -
   19.17 -qed_goal "Call_enabled" ProcedureInterface.thy
   19.18 -   "!!p. basevars ((caller ch)!p) ==> |- ~ Calling ch p --> Enabled (Call ch p v)"
   19.19 -   (fn _ => [action_simp_tac (simpset() addsimps [caller_def, Call_def]) 
   19.20 -                             [] [base_enabled,Pair_inject] 1
   19.21 -            ]);
   19.22 +(* Calls and returns change their subchannel *)
   19.23 +Goal "|- Call ch p v --> <Call ch p v>_((caller ch)!p)";
   19.24 +by (auto_tac (mem_css addsimps2 [angle_def,Call_def,caller_def,Calling_def]));
   19.25 +qed "Call_changed";
   19.26  
   19.27 -qed_goal "Call_enabled_rew" ProcedureInterface.thy
   19.28 -   "basevars ((caller ch)!p) ==> |- Enabled (Call ch p v) = (~Calling ch p)"
   19.29 -   (fn [prem] => [auto_tac (mem_css addsimps2 [Call_def]),
   19.30 -                  force_tac (mem_css addsimps2 [enabled_def]) 1,
   19.31 -                  enabled_tac prem 1,
   19.32 -                  action_simp_tac (simpset() addsimps [caller_def]) [] [Pair_inject] 1
   19.33 -            ]);
   19.34 +Goal "|- Return ch p v --> <Return ch p v>_((rtrner ch)!p)";
   19.35 +by (auto_tac (mem_css addsimps2 [angle_def,Return_def,rtrner_def,Calling_def]));
   19.36 +qed "Return_changed";
   19.37  
   19.38 -qed_goal "Return_enabled" ProcedureInterface.thy
   19.39 -   "!!p. basevars ((rtrner ch)!p) ==> |- Calling ch p --> Enabled (Return ch p v)"
   19.40 -   (fn _ => [action_simp_tac (simpset() addsimps [rtrner_def, Return_def]) 
   19.41 -                             [] [base_enabled,Pair_inject] 1
   19.42 -            ]);
   19.43 -
   19.44 -*)
   19.45 -
   19.46 -(* Calls and returns change their subchannel *)
   19.47 -qed_goal "Call_changed" ProcedureInterface.thy
   19.48 -   "|- Call ch p v --> <Call ch p v>_((caller ch)!p)"
   19.49 -   (fn _ => [ auto_tac (mem_css addsimps2 [angle_def,Call_def,caller_def,Calling_def]) ]);
   19.50 -
   19.51 -qed_goal "Return_changed" ProcedureInterface.thy
   19.52 -   "|- Return ch p v --> <Return ch p v>_((rtrner ch)!p)"
   19.53 -   (fn _ => [ auto_tac (mem_css addsimps2 [angle_def,Return_def,rtrner_def,Calling_def]) ]);
   19.54 -
   19.55 -
    20.1 --- a/src/HOL/TLA/Memory/ProcedureInterface.thy	Thu Aug 03 19:28:37 2000 +0200
    20.2 +++ b/src/HOL/TLA/Memory/ProcedureInterface.thy	Thu Aug 03 19:29:03 2000 +0200
    20.3 @@ -69,11 +69,11 @@
    20.4  
    20.5    Calling_def	"Calling ch p  == PRED cbit< ch!p > ~= rbit< ch!p >"
    20.6    Call_def      "(ACT Call ch p v)   == ACT  ~ $Calling ch p
    20.7 -                                     & (cbit<ch!p>` ~= $rbit<ch!p>)
    20.8 -                                     & (arg<ch!p>` = $v)"
    20.9 +                                     & (cbit<ch!p>$ ~= $rbit<ch!p>)
   20.10 +                                     & (arg<ch!p>$ = $v)"
   20.11    Return_def    "(ACT Return ch p v) == ACT  $Calling ch p
   20.12 -                                     & (rbit<ch!p>` = $cbit<ch!p>)
   20.13 -                                     & (res<ch!p>` = $v)"
   20.14 +                                     & (rbit<ch!p>$ = $cbit<ch!p>)
   20.15 +                                     & (res<ch!p>$ = $v)"
   20.16    PLegalCaller_def      "PLegalCaller ch p == TEMP
   20.17                               Init(~ Calling ch p)
   20.18                               & [][ ? a. Call ch p a ]_((caller ch)!p)"
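Review bot: The last context line of this hunk, `[][ ? a. Call ch p a ]_((caller ch)!p)`, keeps the old `?` existential binder, while the same changeset replaces `?`/`!` with `EX`/`ALL` in the ML goals of this theory's users (e.g. `[EX q. Write rmCh mm ires q l]_(mm!l)` in MemoryImplementation.ML) and in the other `.thy` files touched here. If the short binders are being phased out, PLegalCaller_def and presumably the neighbouring PLegalReturner_def (outside this hunk) should follow: `& [][ EX a. Call ch p a ]_((caller ch)!p)"`. The prime-to-`$` change on the Call_def/Return_def next-state expressions is otherwise consistent with the rest of the changeset.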
    21.1 --- a/src/HOL/TLA/Memory/RPC.ML	Thu Aug 03 19:28:37 2000 +0200
    21.2 +++ b/src/HOL/TLA/Memory/RPC.ML	Thu Aug 03 19:29:03 2000 +0200
    21.3 @@ -17,40 +17,36 @@
    21.4     unanswered call for that process.
    21.5  *)
    21.6  
    21.7 -qed_goal "RPCidle" RPC.thy
    21.8 -   "|- ~$(Calling send p) --> ~RPCNext send rcv rst p"
    21.9 -   (fn _ => [ auto_tac (mem_css addsimps2 (Return_def::RPC_action_defs)) ]);
   21.10 +Goal "|- ~$(Calling send p) --> ~RPCNext send rcv rst p";
   21.11 +by (auto_tac (mem_css addsimps2 (Return_def::RPC_action_defs)));
   21.12 +qed "RPCidle";
   21.13  
   21.14 -qed_goal "RPCbusy" RPC.thy
   21.15 -   "|- $(Calling rcv p) & $(rst!p) = #rpcB --> ~RPCNext send rcv rst p"
   21.16 -   (fn _ => [ auto_tac (mem_css addsimps2 RPC_action_defs) ]);
   21.17 +Goal "|- $(Calling rcv p) & $(rst!p) = #rpcB --> ~RPCNext send rcv rst p";
   21.18 +by (auto_tac (mem_css addsimps2 RPC_action_defs));
   21.19 +qed "RPCbusy";
   21.20  
   21.21  (* RPC failure actions are visible. *)
   21.22 -qed_goal "RPCFail_vis" RPC.thy
   21.23 -   "|- RPCFail send rcv rst p --> \
   21.24 -\      <RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p)"
   21.25 -   (fn _ => [auto_tac (claset() addSDs [Return_changed],
   21.26 -		       simpset() addsimps [angle_def,RPCNext_def,RPCFail_def])
   21.27 -	    ]);
   21.28 +Goal "|- RPCFail send rcv rst p --> \
   21.29 +\        <RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p)";
   21.30 +by (auto_tac (claset() addSDs [Return_changed],
   21.31 +	     simpset() addsimps [angle_def,RPCNext_def,RPCFail_def]));
   21.32 +qed "RPCFail_vis";
   21.33  
   21.34 -qed_goal "RPCFail_Next_enabled" RPC.thy
   21.35 -   "|- Enabled (RPCFail send rcv rst p) --> \
   21.36 -\      Enabled (<RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p))"
   21.37 -   (fn _ => [force_tac (mem_css addSEs2 [enabled_mono,RPCFail_vis]) 1]);
   21.38 +Goal "|- Enabled (RPCFail send rcv rst p) --> \
   21.39 +\        Enabled (<RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p))";
   21.40 +by (force_tac (mem_css addSEs2 [enabled_mono,RPCFail_vis]) 1);
   21.41 +qed "RPCFail_Next_enabled";
   21.42  
   21.43  (* Enabledness of some actions *)
   21.44 -
   21.45 -qed_goal "RPCFail_enabled" RPC.thy
   21.46 -   "!!p. basevars (rtrner send!p, caller rcv!p, rst!p) ==> \
   21.47 -\        |- ~Calling rcv p & Calling send p --> Enabled (RPCFail send rcv rst p)"
   21.48 -   (fn _ => [action_simp_tac (simpset() addsimps [RPCFail_def,Return_def,caller_def,rtrner_def])
   21.49 -                             [exI] [base_enabled,Pair_inject] 1
   21.50 -	    ]);
   21.51 +Goal "!!p. basevars (rtrner send!p, caller rcv!p, rst!p) ==> \
   21.52 +\     |- ~Calling rcv p & Calling send p --> Enabled (RPCFail send rcv rst p)";
   21.53 +by (action_simp_tac (simpset() addsimps [RPCFail_def,Return_def,caller_def,rtrner_def])
   21.54 +                    [exI] [base_enabled,Pair_inject] 1);
   21.55 +qed "RPCFail_enabled";
   21.56  
   21.57 -qed_goal "RPCReply_enabled" RPC.thy
   21.58 -   "!!p. basevars (rtrner send!p, caller rcv!p, rst!p) ==> \
   21.59 -\        |- ~Calling rcv p & Calling send p & rst!p = #rpcB \
   21.60 -\           --> Enabled (RPCReply send rcv rst p)"
   21.61 -   (fn _ => [action_simp_tac (simpset() addsimps [RPCReply_def,Return_def,caller_def,rtrner_def])
   21.62 -                             [exI] [base_enabled,Pair_inject] 1]);
   21.63 -
   21.64 +Goal "!!p. basevars (rtrner send!p, caller rcv!p, rst!p) ==> \
   21.65 +\     |- ~Calling rcv p & Calling send p & rst!p = #rpcB \
   21.66 +\        --> Enabled (RPCReply send rcv rst p)";
   21.67 +by (action_simp_tac (simpset() addsimps [RPCReply_def,Return_def,caller_def,rtrner_def])
   21.68 +                    [exI] [base_enabled,Pair_inject] 1);
   21.69 +qed "RPCReply_enabled";
    22.1 --- a/src/HOL/TLA/Memory/RPC.thy	Thu Aug 03 19:28:37 2000 +0200
    22.2 +++ b/src/HOL/TLA/Memory/RPC.thy	Thu Aug 03 19:29:03 2000 +0200
    22.3 @@ -72,7 +72,7 @@
    22.4                           & [][ RPCNext send rcv rst p ]_(rst!p, rtrner send!p, caller rcv!p)
    22.5                           & WF(RPCNext send rcv rst p)_(rst!p, rtrner send!p, caller rcv!p)"
    22.6  
    22.7 -  RPCISpec_def      "RPCISpec send rcv rst == TEMP (! p. RPCIPSpec send rcv rst p)"
    22.8 +  RPCISpec_def      "RPCISpec send rcv rst == TEMP (ALL p. RPCIPSpec send rcv rst p)"
    22.9  
   22.10  end
   22.11  
    23.1 --- a/src/HOL/TLA/Memory/RPCParameters.ML	Thu Aug 03 19:28:37 2000 +0200
    23.2 +++ b/src/HOL/TLA/Memory/RPCParameters.ML	Thu Aug 03 19:29:03 2000 +0200
    23.3 @@ -7,11 +7,5 @@
    23.4  *)
    23.5  
    23.6  
    23.7 -(*
    23.8 -val RP_simps = MP_simps @ [RFNoMemVal, NotAResultNotRF, OKNotRF, BANotRF]
    23.9 -                        @ (map (fn x => x RS not_sym) [NotAResultNotRF, OKNotRF, BANotRF])
   23.10 -                        @ rpcState.simps @ rpcOp.simps;
   23.11 -*)
   23.12 -
   23.13  Addsimps ([RFNoMemVal, NotAResultNotRF, OKNotRF, BANotRF]
   23.14            @ (map (fn x => x RS not_sym) [NotAResultNotRF, OKNotRF, BANotRF]));
    24.1 --- a/src/HOL/TLA/Memory/RPCParameters.thy	Thu Aug 03 19:28:37 2000 +0200
    24.2 +++ b/src/HOL/TLA/Memory/RPCParameters.thy	Thu Aug 03 19:29:03 2000 +0200
    24.3 @@ -16,17 +16,6 @@
    24.4  datatype  rpcOp = memcall memOp | othercall Vals
    24.5  datatype  rpcState = rpcA | rpcB
    24.6  
    24.7 -(***
    24.8 -types
    24.9 -  (* type of RPC arguments other than memory calls *)
   24.10 -  noMemArgType
   24.11 -  (* legal arguments for (our instance of) the RPC component *)
   24.12 -  rpcArgType = "(rpcOps * memArgType) + (rpcOps * noMemArgType)"
   24.13 -
   24.14 -arities
   24.15 -  noMemArgType :: term
   24.16 -***)
   24.17 -
   24.18  consts
   24.19    (* some particular return values *)
   24.20    RPCFailure     :: Vals
   24.21 @@ -36,10 +25,6 @@
   24.22       is legal for the receiver (i.e., the memory). This can now be a little
   24.23       simpler than for the generic RPC component. RelayArg returns an arbitrary
   24.24       memory call for illegal arguments. *)
   24.25 -(***
   24.26 -  IsLegalRcvArg  :: rpcArgType => bool
   24.27 -  RPCRelayArg    :: rpcArgType => memArgType
   24.28 -***)
   24.29    IsLegalRcvArg  :: rpcOp => bool
   24.30    RPCRelayArg    :: rpcOp => memOp
   24.31  
   24.32 @@ -50,12 +35,6 @@
   24.33    OKNotRF           "OK ~= RPCFailure"
   24.34    BANotRF           "BadArg ~= RPCFailure"
   24.35  
   24.36 -(***
   24.37 -  IsLegalRcvArg_def "IsLegalRcvArg ra == EX marg. ra = Inl (remoteCall,marg)"
   24.38 -  RPCRelayArg_def   "RPCRelayArg ra == 
   24.39 -                         case ra of Inl (rm) => (snd rm)
   24.40 -                                  | Inr (rn) => (read, @ l. True)"
   24.41 -***)
   24.42  defs
   24.43    IsLegalRcvArg_def "IsLegalRcvArg ra ==
   24.44  		         case ra of (memcall m) => True
    25.1 --- a/src/HOL/TLA/TLA.ML	Thu Aug 03 19:28:37 2000 +0200
    25.2 +++ b/src/HOL/TLA/TLA.ML	Thu Aug 03 19:29:03 2000 +0200
    25.3 @@ -8,11 +8,13 @@
    25.4  
    25.5  (* Specialize intensional introduction/elimination rules for temporal formulas *)
    25.6  
    25.7 -qed_goal "tempI" TLA.thy "(!!sigma. sigma |= (F::temporal)) ==> |- F"
    25.8 -  (fn [prem] => [ REPEAT (resolve_tac [prem,intI] 1) ]);
    25.9 +val [prem] = goal thy "(!!sigma. sigma |= (F::temporal)) ==> |- F";
   25.10 +by (REPEAT (resolve_tac [prem,intI] 1));
   25.11 +qed "tempI";
   25.12  
   25.13 -qed_goal "tempD" TLA.thy "|- (F::temporal) ==> sigma |= F"
   25.14 -  (fn [prem] => [ rtac (prem RS intD) 1 ]);
   25.15 +val [prem] = goal thy "|- (F::temporal) ==> sigma |= F";
   25.16 +by (rtac (prem RS intD) 1);
   25.17 +qed "tempD";
   25.18  
   25.19  
   25.20  (* ======== Functions to "unlift" temporal theorems ====== *)
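Review bot: The new tempD proof binds the premise explicitly (`val [prem] = goal thy ...` followed by `rtac (prem RS intD) 1`) where the premise could simply be discharged as an assumption, `Goal "|- (F::temporal) ==> sigma |= F"; by (etac intD 1);`, which should be equivalent given that intD takes `|- F` as its single premise and avoids leaving a top-level `prem` binding behind. The tempI proof above it genuinely needs the explicit binding because its premise is a meta-quantified rule, so the two styles in adjacent proofs read as deliberate when they are not.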
   25.21 @@ -75,13 +77,16 @@
   25.22  section "Simple temporal logic";
   25.23  
   25.24  (* []~F == []~Init F *)
   25.25 -bind_thm("boxNotInit", rewrite_rule Init_simps (read_instantiate [("F", "LIFT ~F")] boxInit));
   25.26 +bind_thm("boxNotInit", 
   25.27 +         rewrite_rule Init_simps (read_instantiate [("F", "LIFT ~F")] boxInit));
   25.28  
   25.29 -qed_goalw "dmdInit" TLA.thy [dmd_def] "TEMP <>F == TEMP <> Init F"
   25.30 -  (fn _ => [rewtac (read_instantiate [("F", "LIFT ~F")] boxInit),
   25.31 -            simp_tac (simpset() addsimps Init_simps) 1]);
   25.32 +Goalw [dmd_def] "TEMP <>F == TEMP <> Init F";
   25.33 +by (rewtac (read_instantiate [("F", "LIFT ~F")] boxInit));
   25.34 +by (simp_tac (simpset() addsimps Init_simps) 1);
   25.35 +qed "dmdInit";
   25.36  
   25.37 -bind_thm("dmdNotInit", rewrite_rule Init_simps (read_instantiate [("F", "LIFT ~F")] dmdInit));
   25.38 +bind_thm("dmdNotInit", 
   25.39 +         rewrite_rule Init_simps (read_instantiate [("F", "LIFT ~F")] dmdInit));
   25.40  
   25.41  (* boxInit and dmdInit cannot be used as rewrites, because they loop.
   25.42     Non-looping instances for state predicates and actions are occasionally useful.
   25.43 @@ -103,26 +108,30 @@
   25.44  bind_thm("STL2", reflT);
   25.45  
   25.46  (* The "polymorphic" (generic) variant *)
   25.47 -qed_goal "STL2_gen" TLA.thy "|- []F --> Init F"
   25.48 -  (fn _ => [rewtac (read_instantiate [("F", "F")] boxInit),
   25.49 -            rtac STL2 1]);
   25.50 +Goal "|- []F --> Init F";
   25.51 +by (rewtac (read_instantiate [("F", "F")] boxInit));
   25.52 +by (rtac STL2 1);
   25.53 +qed "STL2_gen";
   25.54  
   25.55  (* see also STL2_pr below: "|- []P --> Init P & Init (P`)" *)
   25.56  
   25.57  
   25.58  (* Dual versions for <> *)
   25.59 -qed_goalw "InitDmd" TLA.thy [dmd_def] "|- F --> <> F"
   25.60 -   (fn _ => [ auto_tac (temp_css addSDs2 [STL2]) ]);
   25.61 +Goalw [dmd_def] "|- F --> <> F";
   25.62 +by (auto_tac (temp_css addSDs2 [STL2]));
   25.63 +qed "InitDmd";
   25.64  
   25.65 -qed_goal "InitDmd_gen" TLA.thy "|- Init F --> <>F"
   25.66 -   (fn _ => [Clarsimp_tac 1,
   25.67 -             dtac (temp_use InitDmd) 1,
   25.68 -             asm_full_simp_tac (simpset() addsimps [dmdInitD]) 1]);
   25.69 +Goal "|- Init F --> <>F";
   25.70 +by (Clarsimp_tac 1);
   25.71 +by (dtac (temp_use InitDmd) 1);
   25.72 +by (asm_full_simp_tac (simpset() addsimps [dmdInitD]) 1);
   25.73 +qed "InitDmd_gen";
   25.74  
   25.75  
   25.76  (* ------------------------ STL3 ------------------------------------------- *)
   25.77 -qed_goal "STL3" TLA.thy "|- ([][]F) = ([]F)"
   25.78 -   (K [force_tac (temp_css addEs2 [transT,STL2]) 1]);
   25.79 +Goal "|- ([][]F) = ([]F)";
   25.80 +by (force_tac (temp_css addEs2 [transT,STL2]) 1);
   25.81 +qed "STL3";
   25.82  
   25.83  (* corresponding elimination rule introduces double boxes: 
   25.84     [| (sigma |= []F); (sigma |= [][]F) ==> PROP W |] ==> PROP W
   25.85 @@ -131,31 +140,34 @@
   25.86  bind_thm("dup_boxD", (temp_unlift STL3) RS iffD1);
   25.87  
   25.88  (* dual versions for <> *)
   25.89 -qed_goalw "DmdDmd" TLA.thy [dmd_def] "|- (<><>F) = (<>F)"
   25.90 -   (fn _ => [ auto_tac (temp_css addsimps2 [STL3]) ]);
   25.91 +Goal "|- (<><>F) = (<>F)";
   25.92 +by (auto_tac (temp_css addsimps2 [dmd_def,STL3]));
   25.93 +qed "DmdDmd";
   25.94  bind_thm("dup_dmdE", make_elim((temp_unlift DmdDmd) RS iffD2));
   25.95  bind_thm("dup_dmdD", (temp_unlift DmdDmd) RS iffD1);
   25.96  
   25.97  
   25.98  (* ------------------------ STL4 ------------------------------------------- *)
   25.99 -qed_goal "STL4" TLA.thy "|- F --> G  ==> |- []F --> []G"
  25.100 -   (fn [prem] => [Clarsimp_tac 1,
  25.101 -		  rtac (temp_use normalT) 1,
  25.102 -                  rtac (temp_use (prem RS necT)) 1,
  25.103 -		  atac 1
  25.104 -		 ]);
  25.105 +val [prem] = goal thy "|- F --> G  ==> |- []F --> []G";
  25.106 +by (Clarsimp_tac 1);
  25.107 +by (rtac (temp_use normalT) 1);
  25.108 +by (rtac (temp_use (prem RS necT)) 1);
  25.109 +by (atac 1);
  25.110 +qed "STL4";
  25.111  
  25.112  (* Unlifted version as an elimination rule *)
  25.113 -qed_goal "STL4E" TLA.thy 
  25.114 -         "[| sigma |= []F; |- F --> G |] ==> sigma |= []G"
  25.115 -   (fn prems => [ REPEAT (resolve_tac (prems @ [temp_use STL4]) 1) ]);
  25.116 +val prems = goal thy "[| sigma |= []F; |- F --> G |] ==> sigma |= []G";
  25.117 +by (REPEAT (resolve_tac (prems @ [temp_use STL4]) 1));
  25.118 +qed "STL4E";
  25.119  
  25.120 -qed_goal "STL4_gen" TLA.thy "|- Init F --> Init G ==> |- []F --> []G"
  25.121 -   (fn [prem] => [rtac (rewrite_rule [boxInitD] (prem RS STL4)) 1]);
  25.122 +val [prem] = goal thy "|- Init F --> Init G ==> |- []F --> []G";
  25.123 +by (rtac (rewrite_rule [boxInitD] (prem RS STL4)) 1);
  25.124 +qed "STL4_gen";
  25.125  
  25.126 -qed_goal "STL4E_gen" TLA.thy
  25.127 -         "[| sigma |= []F; |- Init F --> Init G |] ==> sigma |= []G"
  25.128 -   (fn prems => [ REPEAT (resolve_tac (prems @ [temp_use STL4_gen]) 1) ]);
  25.129 +val prems = goal thy
  25.130 +   "[| sigma |= []F; |- Init F --> Init G |] ==> sigma |= []G";
  25.131 +by (REPEAT (resolve_tac (prems @ [temp_use STL4_gen]) 1));
  25.132 +qed "STL4E_gen";
  25.133  
  25.134  (* see also STL4Edup below, which allows an auxiliary boxed formula:
  25.135         []A /\ F => G
  25.136 @@ -164,22 +176,24 @@
  25.137  *)
  25.138  
  25.139  (* The dual versions for <> *)
  25.140 -qed_goalw "DmdImpl" TLA.thy [dmd_def]
  25.141 -   "|- F --> G ==> |- <>F --> <>G"
  25.142 -   (fn [prem] => [fast_tac (temp_cs addSIs [prem] addSEs [STL4E]) 1]);
  25.143 +val [prem] = goalw thy [dmd_def]
  25.144 +   "|- F --> G ==> |- <>F --> <>G";
  25.145 +by (fast_tac (temp_cs addSIs [prem] addSEs [STL4E]) 1);
  25.146 +qed "DmdImpl";
  25.147  
  25.148 -qed_goal "DmdImplE" TLA.thy
  25.149 -   "[| sigma |= <>F; |- F --> G |] ==> sigma |= <>G"
  25.150 -   (fn prems => [ REPEAT (resolve_tac (prems @ [temp_use DmdImpl]) 1) ]);
  25.151 +val prems = goal thy "[| sigma |= <>F; |- F --> G |] ==> sigma |= <>G";
  25.152 +by (REPEAT (resolve_tac (prems @ [temp_use DmdImpl]) 1));
  25.153 +qed "DmdImplE";
  25.154  
  25.155  
  25.156  (* ------------------------ STL5 ------------------------------------------- *)
  25.157 -qed_goal "STL5" TLA.thy "|- ([]F & []G) = ([](F & G))"
  25.158 -   (fn _ => [Auto_tac,
  25.159 -	     subgoal_tac "sigma |= [](G --> (F & G))" 1,
  25.160 -	     etac (temp_use normalT) 1, atac 1,
  25.161 -	     ALLGOALS (fast_tac (temp_cs addSEs [STL4E]))
  25.162 -	    ]);
  25.163 +Goal "|- ([]F & []G) = ([](F & G))";
  25.164 +by Auto_tac;
  25.165 +by (subgoal_tac "sigma |= [](G --> (F & G))" 1);
  25.166 +by (etac (temp_use normalT) 1);
  25.167 +by (ALLGOALS (fast_tac (temp_cs addSEs [STL4E])));
  25.168 +qed "STL5";
  25.169 +
  25.170  (* rewrite rule to split conjunctions under boxes *)
  25.171  bind_thm("split_box_conj", (temp_unlift STL5) RS sym);
  25.172  
  25.173 @@ -187,10 +201,10 @@
  25.174     (NB: F and G must have the same type, i.e., both actions or temporals.)
  25.175     Use "addSE2" etc. if you want to add this to a claset, otherwise it will loop!
  25.176  *)
  25.177 -qed_goal "box_conjE" TLA.thy
  25.178 -   "[| sigma |= []F; sigma |= []G; sigma |= [](F&G) ==> PROP R |] ==> PROP R"
  25.179 -   (fn prems => [ REPEAT (resolve_tac
  25.180 -			   (prems @ [(temp_unlift STL5) RS iffD1, conjI]) 1) ]);
  25.181 +val prems = goal thy
  25.182 +   "[| sigma |= []F; sigma |= []G; sigma |= [](F&G) ==> PROP R |] ==> PROP R";
  25.183 +by (REPEAT (resolve_tac (prems @ [(temp_unlift STL5) RS iffD1, conjI]) 1));
  25.184 +qed "box_conjE";
  25.185  
  25.186  (* Instances of box_conjE for state predicates, actions, and temporals
  25.187     in case the general rule is "too polymorphic".
  25.188 @@ -229,99 +243,104 @@
  25.189  bind_thm("all_box", standard((temp_unlift allT) RS sym));
  25.190  
  25.191  
  25.192 -qed_goal "DmdOr" TLA.thy "|- (<>(F | G)) = (<>F | <>G)"
  25.193 -   (fn _ => [auto_tac (temp_css addsimps2 [dmd_def,split_box_conj]),
  25.194 -             TRYALL (EVERY' [etac swap, 
  25.195 -                             merge_box_tac, 
  25.196 -                             fast_tac (temp_cs addSEs [STL4E])])
  25.197 -            ]);
  25.198 +Goal "|- (<>(F | G)) = (<>F | <>G)";
  25.199 +by (auto_tac (temp_css addsimps2 [dmd_def,split_box_conj]));
  25.200 +by (ALLGOALS (EVERY' [etac swap, 
  25.201 +                      merge_box_tac, 
  25.202 +                      fast_tac (temp_cs addSEs [STL4E])]));
  25.203 +qed "DmdOr";
  25.204  
  25.205 -qed_goal "exT" TLA.thy "|- (? x. <>(F x)) = (<>(? x. F x))"
  25.206 -   (fn _ => [ auto_tac (temp_css addsimps2 [dmd_def,Not_Rex,all_box]) ]);
  25.207 +Goal "|- (EX x. <>(F x)) = (<>(EX x. F x))";
  25.208 +by (auto_tac (temp_css addsimps2 [dmd_def,Not_Rex,all_box]));
  25.209 +qed "exT";
  25.210  
  25.211  bind_thm("ex_dmd", standard((temp_unlift exT) RS sym));
  25.212  	     
  25.213  
  25.214 -qed_goal "STL4Edup" TLA.thy
  25.215 -   "!!sigma. [| sigma |= []A; sigma |= []F; |- F & []A --> G |] ==> sigma |= []G"
  25.216 -   (fn _ => [etac dup_boxE 1,
  25.217 -	     merge_box_tac 1,
  25.218 -	     etac STL4E 1,
  25.219 -	     atac 1
  25.220 -	    ]);
  25.221 +Goal "!!sigma. [| sigma |= []A; sigma |= []F; |- F & []A --> G |] ==> sigma |= []G";
  25.222 +by (etac dup_boxE 1);
  25.223 +by (merge_box_tac 1);
  25.224 +by (etac STL4E 1);
  25.225 +by (atac 1);
  25.226 +qed "STL4Edup";
  25.227  
  25.228 -qed_goalw "DmdImpl2" TLA.thy [dmd_def]
  25.229 -   "!!sigma. [| sigma |= <>F; sigma |= [](F --> G) |] ==> sigma |= <>G"
  25.230 -   (fn _ => [Auto_tac,
  25.231 -	     etac notE 1,
  25.232 -	     merge_box_tac 1,
  25.233 -	     fast_tac (temp_cs addSEs [STL4E]) 1
  25.234 -	    ]);
  25.235 +Goalw [dmd_def]
  25.236 +   "!!sigma. [| sigma |= <>F; sigma |= [](F --> G) |] ==> sigma |= <>G";
  25.237 +by Auto_tac;
  25.238 +by (etac notE 1);
  25.239 +by (merge_box_tac 1);
  25.240 +by (fast_tac (temp_cs addSEs [STL4E]) 1);
  25.241 +qed "DmdImpl2";
  25.242  
  25.243 -qed_goal "InfImpl" TLA.thy
  25.244 -   "[| sigma |= []<>F; sigma |= []G; |- F & G --> H |] ==> sigma |= []<>H"
  25.245 -   (fn [prem1,prem2,prem3] 
  25.246 -       => [cut_facts_tac [prem1,prem2] 1,
  25.247 -	   eres_inst_tac [("F","G")] dup_boxE 1,
  25.248 -	   merge_box_tac 1,
  25.249 -	   fast_tac (temp_cs addSEs [STL4E,DmdImpl2] addSIs [prem3]) 1
  25.250 -	  ]);
  25.251 +val [prem1,prem2,prem3] = goal thy
  25.252 +  "[| sigma |= []<>F; sigma |= []G; |- F & G --> H |] ==> sigma |= []<>H";
  25.253 +by (cut_facts_tac [prem1,prem2] 1);
  25.254 +by (eres_inst_tac [("F","G")] dup_boxE 1);
  25.255 +by (merge_box_tac 1);
  25.256 +by (fast_tac (temp_cs addSEs [STL4E,DmdImpl2] addSIs [prem3]) 1);
  25.257 +qed "InfImpl";
  25.258  
  25.259  (* ------------------------ STL6 ------------------------------------------- *)
  25.260  (* Used in the proof of STL6, but useful in itself. *)
  25.261 -qed_goalw "BoxDmd" TLA.thy [dmd_def] "|- []F & <>G --> <>([]F & G)"
  25.262 -  (fn _ => [ Clarsimp_tac 1,
  25.263 -             etac dup_boxE 1,
  25.264 -	     merge_box_tac 1,
  25.265 -             etac swap 1,
  25.266 -             fast_tac (temp_cs addSEs [STL4E]) 1 ]);
  25.267 +Goalw [dmd_def] "|- []F & <>G --> <>([]F & G)";
  25.268 +by (Clarsimp_tac 1);
  25.269 +by (etac dup_boxE 1);
  25.270 +by (merge_box_tac 1);
  25.271 +by (etac swap 1);
  25.272 +by (fast_tac (temp_cs addSEs [STL4E]) 1);
  25.273 +qed "BoxDmd";
  25.274  
  25.275  (* weaker than BoxDmd, but more polymorphic (and often just right) *)
  25.276 -qed_goalw "BoxDmd_simple" TLA.thy [dmd_def] "|- []F & <>G --> <>(F & G)"
  25.277 -  (fn _ => [ Clarsimp_tac 1,
  25.278 -	     merge_box_tac 1,
  25.279 -             fast_tac (temp_cs addSEs [notE,STL4E]) 1
  25.280 -	   ]);
  25.281 +Goalw [dmd_def] "|- []F & <>G --> <>(F & G)";
  25.282 +by (Clarsimp_tac 1);
  25.283 +by (merge_box_tac 1);
  25.284 +by (fast_tac (temp_cs addSEs [notE,STL4E]) 1);
  25.285 +qed "BoxDmd_simple";
  25.286  
  25.287 -qed_goalw "BoxDmd2_simple" TLA.thy [dmd_def] "|- []F & <>G --> <>(G & F)"
  25.288 -  (fn _ => [ Clarsimp_tac 1,
  25.289 -	     merge_box_tac 1,
  25.290 -             fast_tac (temp_cs addSEs [notE,STL4E]) 1
  25.291 -	   ]);
  25.292 +Goalw [dmd_def] "|- []F & <>G --> <>(G & F)";
  25.293 +by (Clarsimp_tac 1);
  25.294 +by (merge_box_tac 1);
  25.295 +by (fast_tac (temp_cs addSEs [notE,STL4E]) 1);
  25.296 +qed "BoxDmd2_simple";
  25.297  
  25.298 -qed_goal "DmdImpldup" TLA.thy 
  25.299 -   "[| sigma |= []A; sigma |= <>F; |- []A & F --> G |] ==> sigma |= <>G"
  25.300 -   (fn [p1,p2,p3] => [rtac ((p2 RS (p1 RS (temp_use BoxDmd))) RS DmdImplE) 1,
  25.301 -                      rtac p3 1]);
  25.302 +val [p1,p2,p3] = goal thy
  25.303 +   "[| sigma |= []A; sigma |= <>F; |- []A & F --> G |] ==> sigma |= <>G";
  25.304 +by (rtac ((p2 RS (p1 RS (temp_use BoxDmd))) RS DmdImplE) 1);
  25.305 +by (rtac p3 1);
  25.306 +qed "DmdImpldup";
  25.307  
  25.308 -qed_goal "STL6" TLA.thy "|- <>[]F & <>[]G --> <>[](F & G)"
  25.309 -  (fn _ => [auto_tac (temp_css addsimps2 [symmetric (temp_rewrite STL5)]),
  25.310 -	    dtac (temp_use linT) 1, atac 1, etac thin_rl 1,
  25.311 -	    rtac ((temp_unlift DmdDmd) RS iffD1) 1,
  25.312 -	    etac disjE 1,
  25.313 -	    etac DmdImplE 1, rtac BoxDmd 1,
  25.314 -	    (* the second subgoal needs commutativity of &, which complicates the proof *)
  25.315 -	    etac DmdImplE 1,
  25.316 -	    Auto_tac,
  25.317 -	    dtac (temp_use BoxDmd) 1, atac 1, etac thin_rl 1,
  25.318 -	    fast_tac (temp_cs addSEs [DmdImplE]) 1
  25.319 -	   ]);
  25.320 +Goal "|- <>[]F & <>[]G --> <>[](F & G)";
  25.321 +by (auto_tac (temp_css addsimps2 [symmetric (temp_rewrite STL5)]));
  25.322 +by (dtac (temp_use linT) 1);
  25.323 +by (atac 1); 
  25.324 +by (etac thin_rl 1);
  25.325 +by (rtac ((temp_unlift DmdDmd) RS iffD1) 1);
  25.326 +by (etac disjE 1);
  25.327 +by (etac DmdImplE 1);
  25.328 +by (rtac BoxDmd 1);
  25.329 +by (etac DmdImplE 1);
  25.330 +by Auto_tac;
  25.331 +by (dtac (temp_use BoxDmd) 1); 
  25.332 +by (atac 1); 
  25.333 +by (etac thin_rl 1);
  25.334 +by (fast_tac (temp_cs addSEs [DmdImplE]) 1);
  25.335 +qed "STL6";
  25.336  
  25.337  
  25.338  (* ------------------------ True / False ----------------------------------------- *)
  25.339  section "Simplification of constants";
  25.340  
  25.341 -qed_goal "BoxConst" TLA.thy "|- ([]#P) = #P"
  25.342 -  (fn _ => [rtac tempI 1,
  25.343 -            case_tac "P" 1,
  25.344 -            auto_tac (temp_css addSIs2 [necT] addDs2 [STL2_gen] 
  25.345 -                               addsimps2 Init_simps)
  25.346 -           ]);
  25.347 +Goal "|- ([]#P) = #P";
  25.348 +by (rtac tempI 1);
  25.349 +by (case_tac "P" 1);
  25.350 +by (auto_tac (temp_css addSIs2 [necT] addDs2 [STL2_gen] 
  25.351 +                       addsimps2 Init_simps));
  25.352 +qed "BoxConst";
  25.353  
  25.354 -qed_goalw "DmdConst" TLA.thy [dmd_def] "|- (<>#P) = #P"
  25.355 -  (fn _ => [case_tac "P" 1,
  25.356 -            ALLGOALS (asm_full_simp_tac (simpset() addsimps [BoxConst]))
  25.357 -           ]);
  25.358 +Goalw [dmd_def] "|- (<>#P) = #P";
  25.359 +by (case_tac "P" 1);
  25.360 +by (ALLGOALS (asm_full_simp_tac (simpset() addsimps [BoxConst])));
  25.361 +qed "DmdConst";
  25.362  
  25.363  val temp_simps = map temp_rewrite [BoxConst, DmdConst];
  25.364  
  25.365 @@ -334,11 +353,13 @@
  25.366  (* ------------------------ Further rewrites ----------------------------------------- *)
  25.367  section "Further rewrites";
  25.368  
  25.369 -qed_goalw "NotBox" TLA.thy [dmd_def] "|- (~[]F) = (<>~F)"
  25.370 -   (fn _ => [ Simp_tac 1 ]);
  25.371 +Goalw [dmd_def] "|- (~[]F) = (<>~F)";
  25.372 +by (Simp_tac 1);
  25.373 +qed "NotBox";
  25.374  
  25.375 -qed_goalw "NotDmd" TLA.thy [dmd_def] "|- (~<>F) = ([]~F)"
  25.376 -   (fn _ => [ Simp_tac 1 ]);
  25.377 +Goalw [dmd_def] "|- (~<>F) = ([]~F)";
  25.378 +by (Simp_tac 1);
  25.379 +qed "NotDmd";
  25.380  
  25.381  (* These are not by default included in temp_css, because they could be harmful,
  25.382     e.g. []F & ~[]F becomes []F & <>~F !! *)
  25.383 @@ -346,48 +367,51 @@
  25.384                         @ (map (fn th => (temp_unlift th) RS eq_reflection)
  25.385  		         [NotBox, NotDmd]);
  25.386  
  25.387 -qed_goal "BoxDmdBox" TLA.thy "|- ([]<>[]F) = (<>[]F)"
  25.388 -   (fn _ => [ auto_tac (temp_css addSDs2 [STL2]),
  25.389 -              rtac ccontr 1,
  25.390 -              subgoal_tac "sigma |= <>[][]F & <>[]~[]F" 1,
  25.391 -              etac thin_rl 1,
  25.392 -              Auto_tac,
  25.393 -	      dtac (temp_use STL6) 1, atac 1,
  25.394 -	      Asm_full_simp_tac 1,
  25.395 -	      ALLGOALS (asm_full_simp_tac (simpset() addsimps more_temp_simps))
  25.396 -	    ]);
  25.397 +Goal "|- ([]<>[]F) = (<>[]F)";
  25.398 +by (auto_tac (temp_css addSDs2 [STL2]));
  25.399 +by (rtac ccontr 1);
  25.400 +by (subgoal_tac "sigma |= <>[][]F & <>[]~[]F" 1);
  25.401 +by (etac thin_rl 1);
  25.402 +by Auto_tac;
  25.403 +by (dtac (temp_use STL6) 1); 
  25.404 +by (atac 1);
  25.405 +by (Asm_full_simp_tac 1);
  25.406 +by (ALLGOALS (asm_full_simp_tac (simpset() addsimps more_temp_simps)));
  25.407 +qed "BoxDmdBox";
  25.408  
  25.409 -qed_goalw "DmdBoxDmd" TLA.thy [dmd_def] "|- (<>[]<>F) = ([]<>F)"
  25.410 -  (fn _ => [ auto_tac (temp_css addsimps2 [rewrite_rule [dmd_def] BoxDmdBox]) ]);
  25.411 +Goalw [dmd_def] "|- (<>[]<>F) = ([]<>F)";
  25.412 +by (auto_tac (temp_css addsimps2 [rewrite_rule [dmd_def] BoxDmdBox]));
  25.413 +qed "DmdBoxDmd";
  25.414  
  25.415  val more_temp_simps = more_temp_simps @ (map temp_rewrite [BoxDmdBox, DmdBoxDmd]);
  25.416  
  25.417  
  25.418  (* ------------------------ Miscellaneous ----------------------------------- *)
  25.419  
  25.420 -qed_goal "BoxOr" TLA.thy 
  25.421 -   "!!sigma. [| sigma |= []F | []G |] ==> sigma |= [](F | G)"
  25.422 -   (fn _ => [ fast_tac (temp_cs addSEs [STL4E]) 1 ]);
  25.423 +Goal "!!sigma. [| sigma |= []F | []G |] ==> sigma |= [](F | G)";
  25.424 +by (fast_tac (temp_cs addSEs [STL4E]) 1);
  25.425 +qed "BoxOr";
  25.426  
  25.427  (* "persistently implies infinitely often" *)
  25.428 -qed_goal "DBImplBD" TLA.thy "|- <>[]F --> []<>F"
  25.429 -  (fn _ => [Clarsimp_tac 1,
  25.430 -	    rtac ccontr 1,
  25.431 -            asm_full_simp_tac (simpset() addsimps more_temp_simps) 1,
  25.432 -            dtac (temp_use STL6) 1, atac 1,
  25.433 -            Asm_full_simp_tac 1
  25.434 -	   ]);
  25.435 +Goal "|- <>[]F --> []<>F";
  25.436 +by (Clarsimp_tac 1);
  25.437 +by (rtac ccontr 1);
  25.438 +by (asm_full_simp_tac (simpset() addsimps more_temp_simps) 1);
  25.439 +by (dtac (temp_use STL6) 1); 
  25.440 +by (atac 1);
  25.441 +by (Asm_full_simp_tac 1);
  25.442 +qed "DBImplBD";
  25.443  
  25.444 -qed_goal "BoxDmdDmdBox" TLA.thy
  25.445 -   "|- []<>F & <>[]G --> []<>(F & G)"
  25.446 -   (fn _ => [Clarsimp_tac 1,
  25.447 -             rtac ccontr 1,
  25.448 -	     rewrite_goals_tac more_temp_simps,
  25.449 -	     dtac (temp_use STL6) 1, atac 1,
  25.450 -	     subgoal_tac "sigma |= <>[]~F" 1,
  25.451 -	     force_tac (temp_css addsimps2 [dmd_def]) 1,
  25.452 -	     fast_tac (temp_cs addEs [DmdImplE,STL4E]) 1
  25.453 -	    ]);
  25.454 +Goal "|- []<>F & <>[]G --> []<>(F & G)";
  25.455 +by (Clarsimp_tac 1);
  25.456 +by (rtac ccontr 1);
  25.457 +by (rewrite_goals_tac more_temp_simps);
  25.458 +by (dtac (temp_use STL6) 1);
  25.459 +by (atac 1);
  25.460 +by (subgoal_tac "sigma |= <>[]~F" 1);
  25.461 + by (force_tac (temp_css addsimps2 [dmd_def]) 1);
  25.462 +by (fast_tac (temp_cs addEs [DmdImplE,STL4E]) 1);
  25.463 +qed "BoxDmdDmdBox";
  25.464  
  25.465  
  25.466  (* ------------------------------------------------------------------------- *)
  25.467 @@ -396,79 +420,85 @@
  25.468  section "priming";
  25.469  
  25.470  (* ------------------------ TLA2 ------------------------------------------- *)
  25.471 -qed_goal "STL2_pr" TLA.thy
  25.472 -  "|- []P --> Init P & Init P`"
  25.473 -  (fn _ => [fast_tac (temp_cs addSIs [primeI, STL2_gen]) 1]);
  25.474 +Goal "|- []P --> Init P & Init P`";
  25.475 +by (fast_tac (temp_cs addSIs [primeI, STL2_gen]) 1);
  25.476 +qed "STL2_pr";
  25.477  
  25.478  (* Auxiliary lemma allows priming of boxed actions *)
  25.479 -qed_goal "BoxPrime" TLA.thy "|- []P --> []($P & P$)"
  25.480 -  (fn _ => [Clarsimp_tac 1,
  25.481 -	    etac dup_boxE 1,
  25.482 -            rewtac boxInit_act,
  25.483 -            etac STL4E 1,
  25.484 -	    auto_tac (temp_css addsimps2 Init_simps addSDs2 [STL2_pr])
  25.485 -	   ]);
  25.486 +Goal "|- []P --> []($P & P$)";
  25.487 +by (Clarsimp_tac 1);
  25.488 +by (etac dup_boxE 1);
  25.489 +by (rewtac boxInit_act);
  25.490 +by (etac STL4E 1);
  25.491 +by (auto_tac (temp_css addsimps2 Init_simps addSDs2 [STL2_pr]));
  25.492 +qed "BoxPrime";
  25.493  
  25.494 -qed_goal "TLA2" TLA.thy "|- $P & P$ --> A  ==>  |- []P --> []A"
  25.495 -  (fn prems => [Clarsimp_tac 1,
  25.496 -                dtac (temp_use BoxPrime) 1,
  25.497 -                auto_tac (temp_css addsimps2 [Init_stp_act_rev] addSIs2 prems addSEs2 [STL4E])
  25.498 -               ]);
  25.499 +val prems = goal thy "|- $P & P$ --> A  ==>  |- []P --> []A";
  25.500 +by (Clarsimp_tac 1);
  25.501 +by (dtac (temp_use BoxPrime) 1);
  25.502 +by (auto_tac (temp_css addsimps2 [Init_stp_act_rev] 
  25.503 +                       addSIs2 prems addSEs2 [STL4E]));
  25.504 +qed "TLA2";
  25.505  
  25.506 -qed_goal "TLA2E" TLA.thy 
  25.507 -   "[| sigma |= []P; |- $P & P$ --> A |] ==> sigma |= []A"
  25.508 -   (fn prems => [REPEAT (resolve_tac (prems @ (prems RL [temp_use TLA2])) 1)]);
  25.509 +val prems = goal thy 
  25.510 +  "[| sigma |= []P; |- $P & P$ --> A |] ==> sigma |= []A";
  25.511 +by (REPEAT (resolve_tac (prems @ (prems RL [temp_use TLA2])) 1));
  25.512 +qed "TLA2E";
  25.513  
  25.514 -qed_goalw "DmdPrime" TLA.thy [dmd_def] "|- (<>P`) --> (<>P)"
  25.515 -   (fn _ => [ fast_tac (temp_cs addSEs [TLA2E]) 1 ]);
  25.516 +Goalw [dmd_def] "|- (<>P`) --> (<>P)";
  25.517 +by (fast_tac (temp_cs addSEs [TLA2E]) 1);
  25.518 +qed "DmdPrime";
  25.519  
  25.520  bind_thm("PrimeDmd", (temp_use InitDmd_gen) RS (temp_use DmdPrime));
  25.521  
  25.522  (* ------------------------ INV1, stable --------------------------------------- *)
  25.523  section "stable, invariant";
  25.524  
  25.525 -qed_goal "ind_rule" TLA.thy
  25.526 +val prems = goal thy
  25.527     "[| sigma |= []H; sigma |= Init P; |- H --> (Init P & ~[]F --> Init(P`) & F) |] \
  25.528 -\   ==> sigma |= []F"
  25.529 -   (fn prems => [rtac (temp_use indT) 1,
  25.530 -		 REPEAT (resolve_tac (prems @ (prems RL [STL4E])) 1)]);
  25.531 +\   ==> sigma |= []F";
  25.532 +by (rtac (temp_use indT) 1);
  25.533 +by (REPEAT (resolve_tac (prems @ (prems RL [STL4E])) 1));
  25.534 +qed "ind_rule";
  25.535  
  25.536 -qed_goalw "box_stp_act" TLA.thy [boxInit_act] "|- ([]$P) = ([]P)"
  25.537 -  (K [simp_tac (simpset() addsimps Init_simps) 1]);
  25.538 +Goalw [boxInit_act] "|- ([]$P) = ([]P)";
  25.539 +by (simp_tac (simpset() addsimps Init_simps) 1);
  25.540 +qed "box_stp_act";
  25.541  bind_thm("box_stp_actI", zero_var_indexes ((temp_use box_stp_act) RS iffD2));
  25.542  bind_thm("box_stp_actD", zero_var_indexes ((temp_use box_stp_act) RS iffD1));
  25.543  
  25.544  val more_temp_simps = (temp_rewrite box_stp_act)::more_temp_simps;
  25.545  
  25.546 -qed_goalw "INV1" TLA.thy [stable_def,boxInit_stp,boxInit_act] 
  25.547 -  "|- (Init P) --> (stable P) --> []P"
  25.548 -  (K [Clarsimp_tac 1,
  25.549 -      etac ind_rule 1,
  25.550 -      auto_tac (temp_css addsimps2 Init_simps addEs2 [ind_rule])
  25.551 -     ]);
  25.552 +Goalw [stable_def,boxInit_stp,boxInit_act] 
  25.553 +  "|- (Init P) --> (stable P) --> []P";
  25.554 +by (Clarsimp_tac 1);
  25.555 +by (etac ind_rule 1);
  25.556 +by (auto_tac (temp_css addsimps2 Init_simps addEs2 [ind_rule]));
  25.557 +qed "INV1";
  25.558  
  25.559 -qed_goalw "StableT" TLA.thy [stable_def]
  25.560 -   "|- $P & A --> P` ==> |- []A --> stable P"
  25.561 -   (fn [prem] => [fast_tac (temp_cs addSEs [STL4E] addIs [prem]) 1]);
  25.562 +Goalw [stable_def]
  25.563 +   "!!P. |- $P & A --> P` ==> |- []A --> stable P";
  25.564 +by (fast_tac (temp_cs addSEs [STL4E]) 1);
  25.565 +qed "StableT";
  25.566  
  25.567 -qed_goal "Stable" TLA.thy
  25.568 -   "[| sigma |= []A; |- $P & A --> P` |] ==> sigma |= stable P"
  25.569 -   (fn prems => [ REPEAT (resolve_tac (prems @ [temp_use StableT]) 1) ]);
  25.570 +val prems = goal thy
  25.571 +   "[| sigma |= []A; |- $P & A --> P` |] ==> sigma |= stable P";
  25.572 +by (REPEAT (resolve_tac (prems @ [temp_use StableT]) 1));
  25.573 +qed "Stable";
  25.574  
  25.575  (* Generalization of INV1 *)
  25.576 -qed_goalw "StableBox" TLA.thy [stable_def]
  25.577 -   "|- (stable P) --> [](Init P --> []P)"
  25.578 -   (K [Clarsimp_tac 1,
  25.579 -       etac dup_boxE 1,
  25.580 -       force_tac (temp_css addsimps2 [stable_def] addEs2 [STL4E, INV1]) 1]);
  25.581 +Goalw [stable_def] "|- (stable P) --> [](Init P --> []P)";
  25.582 +by (Clarsimp_tac 1);
  25.583 +by (etac dup_boxE 1);
  25.584 +by (force_tac (temp_css addsimps2 [stable_def] addEs2 [STL4E, INV1]) 1);
  25.585 +qed "StableBox";
  25.586  
  25.587 -qed_goal "DmdStable" TLA.thy 
  25.588 -   "|- (stable P) & <>P --> <>[]P"
  25.589 -   (fn _ => [Clarsimp_tac 1,
  25.590 -             rtac DmdImpl2 1,
  25.591 -	     etac (temp_use StableBox) 2,
  25.592 -	     asm_simp_tac (simpset() addsimps [dmdInitD]) 1
  25.593 -	    ]);
  25.594 +Goal "|- (stable P) & <>P --> <>[]P";
  25.595 +by (Clarsimp_tac 1);
  25.596 +by (rtac DmdImpl2 1);
  25.597 +by (etac (temp_use StableBox) 2);
  25.598 +by (asm_simp_tac (simpset() addsimps [dmdInitD]) 1);
  25.599 +qed "DmdStable";
  25.600  
  25.601  (* ---------------- (Semi-)automatic invariant tactics ---------------------- *)
  25.602  
  25.603 @@ -491,84 +521,89 @@
  25.604       (TRYALL (action_simp_tac (ss addsimps [Init_stp,Init_act]) [] [squareE])));
  25.605  
  25.606  
  25.607 -qed_goalw "unless" TLA.thy [dmd_def]
  25.608 -   "|- []($P --> P` | Q`) --> (stable P) | <>Q"
  25.609 -   (fn _ => [clarsimp_tac (temp_css addSDs2 [BoxPrime]) 1,
  25.610 -	     merge_box_tac 1,
  25.611 -             etac swap 1,
  25.612 -	     fast_tac (temp_cs addSEs [Stable]) 1
  25.613 -	    ]);
  25.614 +Goalw [dmd_def] "|- []($P --> P` | Q`) --> (stable P) | <>Q";
  25.615 +by (clarsimp_tac (temp_css addSDs2 [BoxPrime]) 1);
  25.616 +by (merge_box_tac 1);
  25.617 +by (etac swap 1);
  25.618 +by (fast_tac (temp_cs addSEs [Stable]) 1);
  25.619 +qed "unless";
  25.620  
  25.621  
  25.622  (* --------------------- Recursive expansions --------------------------------------- *)
  25.623  section "recursive expansions";
  25.624  
  25.625  (* Recursive expansions of [] and <> for state predicates *)
  25.626 -qed_goal "BoxRec" TLA.thy "|- ([]P) = (Init P & []P`)"
  25.627 -   (fn _ => [auto_tac (temp_css addSIs2 [STL2_gen]),
  25.628 -	     fast_tac (temp_cs addSEs [TLA2E]) 1,
  25.629 -	     auto_tac (temp_css addsimps2 [stable_def] addSEs2 [INV1,STL4E])
  25.630 -	    ]);
  25.631 +Goal "|- ([]P) = (Init P & []P`)";
  25.632 +by (auto_tac (temp_css addSIs2 [STL2_gen]));
  25.633 +by (fast_tac (temp_cs addSEs [TLA2E]) 1);
  25.634 +by (auto_tac (temp_css addsimps2 [stable_def] addSEs2 [INV1,STL4E]));
  25.635 +qed "BoxRec";
  25.636  
  25.637 -qed_goalw "DmdRec" TLA.thy [dmd_def, temp_rewrite BoxRec] "|- (<>P) = (Init P | <>P`)" 
  25.638 -  (K [ auto_tac (temp_css addsimps2 Init_simps) ]);
  25.639 +Goalw [dmd_def, temp_rewrite BoxRec] "|- (<>P) = (Init P | <>P`)";
  25.640 +by (auto_tac (temp_css addsimps2 Init_simps));
  25.641 +qed "DmdRec";
  25.642  
  25.643 -qed_goal "DmdRec2" TLA.thy
  25.644 - "!!sigma. [| sigma |= <>P; sigma |= []~P` |] ==> sigma |= Init P"
  25.645 -   (K [ force_tac (temp_css addsimps2 [DmdRec,dmd_def]) 1]);
  25.646 +Goal "!!sigma. [| sigma |= <>P; sigma |= []~P` |] ==> sigma |= Init P";
  25.647 +by (force_tac (temp_css addsimps2 [DmdRec,dmd_def]) 1);
  25.648 +qed "DmdRec2";
  25.649  
  25.650 -(* The "-->" part of the following is a little intricate. *)
  25.651 -qed_goal "InfinitePrime" TLA.thy "|- ([]<>P) = ([]<>P`)"
  25.652 -   (fn _ => [Auto_tac,
  25.653 -	     rtac classical 1,
  25.654 -	     rtac (temp_use DBImplBD) 1,
  25.655 -	     subgoal_tac "sigma |= <>[]P" 1,
  25.656 -	     fast_tac (temp_cs addSEs [DmdImplE,TLA2E]) 1,
  25.657 -	     subgoal_tac "sigma |= <>[](<>P & []~P`)" 1,
  25.658 -	     force_tac (temp_css addsimps2 [boxInit_stp]
  25.659 -			             addSEs2 [DmdImplE,STL4E,DmdRec2]) 1,
  25.660 -	     force_tac (temp_css addSIs2 [STL6] addsimps2 more_temp_simps) 1,
  25.661 -	     fast_tac (temp_cs addIs [DmdPrime] addSEs [STL4E]) 1
  25.662 -	    ]);
  25.663 +Goal "|- ([]<>P) = ([]<>P`)";
  25.664 +by Auto_tac;
  25.665 +by (rtac classical 1);
  25.666 +by (rtac (temp_use DBImplBD) 1);
  25.667 +by (subgoal_tac "sigma |= <>[]P" 1);
  25.668 + by (fast_tac (temp_cs addSEs [DmdImplE,TLA2E]) 1);
  25.669 + by (subgoal_tac "sigma |= <>[](<>P & []~P`)" 1);
  25.670 +  by (force_tac (temp_css addsimps2 [boxInit_stp]
  25.671 +                          addSEs2 [DmdImplE,STL4E,DmdRec2]) 1);
  25.672 + by (force_tac (temp_css addSIs2 [STL6] addsimps2 more_temp_simps) 1);
  25.673 +by (fast_tac (temp_cs addIs [DmdPrime] addSEs [STL4E]) 1);
  25.674 +qed "InfinitePrime";
  25.675  
  25.676 -qed_goal "InfiniteEnsures" TLA.thy
  25.677 -   "[| sigma |= []N; sigma |= []<>A; |- A & N --> P` |] ==> sigma |= []<>P"
  25.678 -   (fn prems => [rewtac (temp_rewrite InfinitePrime),
  25.679 -                 rtac InfImpl 1,
  25.680 -                 REPEAT (resolve_tac prems 1)
  25.681 -                ]);
  25.682 +val prems = goalw thy [temp_rewrite InfinitePrime]
  25.683 +  "[| sigma |= []N; sigma |= []<>A; |- A & N --> P` |] ==> sigma |= []<>P";
  25.684 +by (rtac InfImpl 1);
  25.685 +by (REPEAT (resolve_tac prems 1));
  25.686 +qed "InfiniteEnsures";
  25.687  
  25.688  (* ------------------------ fairness ------------------------------------------- *)
  25.689  section "fairness";
  25.690  
  25.691  (* alternative definitions of fairness *)
  25.692 -qed_goalw "WF_alt" TLA.thy [WF_def,dmd_def] 
  25.693 -   "|- WF(A)_v = ([]<>~Enabled(<A>_v) | []<><A>_v)"
  25.694 -   (fn _ => [ fast_tac temp_cs 1 ]);
  25.695 +Goalw [WF_def,dmd_def] 
  25.696 +  "|- WF(A)_v = ([]<>~Enabled(<A>_v) | []<><A>_v)";
  25.697 +by (fast_tac temp_cs 1);
  25.698 +qed "WF_alt";
  25.699  
  25.700 -qed_goalw "SF_alt" TLA.thy [SF_def,dmd_def]
  25.701 -   "|- SF(A)_v = (<>[]~Enabled(<A>_v) | []<><A>_v)"
  25.702 -   (fn _ => [ fast_tac temp_cs 1 ]);
  25.703 +Goalw [SF_def,dmd_def]
  25.704 +  "|- SF(A)_v = (<>[]~Enabled(<A>_v) | []<><A>_v)";
  25.705 +by (fast_tac temp_cs 1);
  25.706 +qed "SF_alt";
  25.707  
  25.708  (* theorems to "box" fairness conditions *)
  25.709 -qed_goal "BoxWFI" TLA.thy "|- WF(A)_v --> []WF(A)_v"
  25.710 -   (fn _ => [ auto_tac (temp_css addsimps2 (WF_alt::more_temp_simps) 
  25.711 -                                 addSIs2 [BoxOr]) ]);
  25.712 +Goal "|- WF(A)_v --> []WF(A)_v";
  25.713 +by (auto_tac (temp_css addsimps2 (WF_alt::more_temp_simps) 
  25.714 +                       addSIs2 [BoxOr]));
  25.715 +qed "BoxWFI";
  25.716  
  25.717 -qed_goal "WF_Box" TLA.thy "|- ([]WF(A)_v) = WF(A)_v"
  25.718 -  (fn prems => [ fast_tac (temp_cs addSIs [BoxWFI] addSDs [STL2]) 1 ]);
  25.719 +Goal "|- ([]WF(A)_v) = WF(A)_v";
  25.720 +by (fast_tac (temp_cs addSIs [BoxWFI] addSDs [STL2]) 1);
  25.721 +qed "WF_Box";
  25.722  
  25.723 -qed_goal "BoxSFI" TLA.thy "|- SF(A)_v --> []SF(A)_v"
  25.724 -   (fn _ => [ auto_tac (temp_css addsimps2 (SF_alt::more_temp_simps) 
  25.725 -                                 addSIs2 [BoxOr]) ]);
  25.726 +Goal "|- SF(A)_v --> []SF(A)_v";
  25.727 +by (auto_tac (temp_css addsimps2 (SF_alt::more_temp_simps) 
  25.728 +                       addSIs2 [BoxOr]));
  25.729 +qed "BoxSFI";
  25.730  
  25.731 -qed_goal "SF_Box" TLA.thy "|- ([]SF(A)_v) = SF(A)_v"
  25.732 -  (fn prems => [ fast_tac (temp_cs addSIs [BoxSFI] addSDs [STL2]) 1 ]);
  25.733 +Goal "|- ([]SF(A)_v) = SF(A)_v";
  25.734 +by (fast_tac (temp_cs addSIs [BoxSFI] addSDs [STL2]) 1);
  25.735 +qed "SF_Box";
  25.736  
  25.737  val more_temp_simps = more_temp_simps @ (map temp_rewrite [WF_Box, SF_Box]);
  25.738  
  25.739 -qed_goalw "SFImplWF" TLA.thy [SF_def,WF_def] "|- SF(A)_v --> WF(A)_v"
  25.740 -  (fn _ => [ fast_tac (temp_cs addSDs [DBImplBD]) 1 ]);
  25.741 +Goalw [SF_def,WF_def] "|- SF(A)_v --> WF(A)_v";
  25.742 +by (fast_tac (temp_cs addSDs [DBImplBD]) 1);
  25.743 +qed "SFImplWF";
  25.744  
  25.745  (* A tactic that "boxes" all fairness conditions. Apply more_temp_simps to "unbox". *)
  25.746  val box_fair_tac = SELECT_GOAL (REPEAT (dresolve_tac [BoxWFI,BoxSFI] 1));
  25.747 @@ -578,354 +613,359 @@
  25.748  
  25.749  section "~>";
  25.750  
  25.751 -qed_goalw "leadsto_init" TLA.thy [leadsto_def]
  25.752 -   "|- (Init F) & (F ~> G) --> <>G"
  25.753 -   (fn _ => [ auto_tac (temp_css addSDs2 [STL2]) ]);
  25.754 +Goalw  [leadsto_def] "|- (Init F) & (F ~> G) --> <>G";
  25.755 +by (auto_tac (temp_css addSDs2 [STL2]));
  25.756 +qed "leadsto_init";
  25.757  
  25.758  (* |- F & (F ~> G) --> <>G *)
  25.759  bind_thm("leadsto_init_temp", 
  25.760           rewrite_rule Init_simps (read_instantiate [("'a","behavior")] leadsto_init));
  25.761  
  25.762 -qed_goalw "streett_leadsto" TLA.thy [leadsto_def]
  25.763 -   "|- ([]<>Init F --> []<>G) = (<>(F ~> G))" (K [
  25.764 -             Auto_tac,
  25.765 -             asm_full_simp_tac (simpset() addsimps more_temp_simps) 1,
  25.766 -             fast_tac (temp_cs addSEs [DmdImplE,STL4E]) 1,
  25.767 -             fast_tac (temp_cs addSIs [InitDmd] addSEs [STL4E]) 1,
  25.768 -             subgoal_tac "sigma |= []<><>G" 1,
  25.769 -             asm_full_simp_tac (simpset() addsimps more_temp_simps) 1,
  25.770 -             dtac (temp_use BoxDmdDmdBox) 1, atac 1,
  25.771 -             fast_tac (temp_cs addSEs [DmdImplE,STL4E]) 1
  25.772 -            ]);
  25.773 +Goalw [leadsto_def] "|- ([]<>Init F --> []<>G) = (<>(F ~> G))";
  25.774 +by Auto_tac;
  25.775 +by (asm_full_simp_tac (simpset() addsimps more_temp_simps) 1);
  25.776 +by (fast_tac (temp_cs addSEs [DmdImplE,STL4E]) 1);
  25.777 +by (fast_tac (temp_cs addSIs [InitDmd] addSEs [STL4E]) 1);
  25.778 +by (subgoal_tac "sigma |= []<><>G" 1);
  25.779 +by (asm_full_simp_tac (simpset() addsimps more_temp_simps) 1);
  25.780 +by (dtac (temp_use BoxDmdDmdBox) 1); 
  25.781 +by (atac 1);
  25.782 +by (fast_tac (temp_cs addSEs [DmdImplE,STL4E]) 1);
  25.783 +qed "streett_leadsto";
  25.784  
  25.785 -qed_goal "leadsto_infinite" TLA.thy
  25.786 -   "|- []<>F & (F ~> G) --> []<>G"
  25.787 -   (fn _ => [Clarsimp_tac 1,
  25.788 -             etac ((temp_use InitDmd) RS 
  25.789 -                   ((temp_unlift streett_leadsto) RS iffD2 RS mp)) 1,
  25.790 -             asm_simp_tac (simpset() addsimps [dmdInitD]) 1
  25.791 -            ]);
  25.792 +Goal "|- []<>F & (F ~> G) --> []<>G";
  25.793 +by (Clarsimp_tac 1);
  25.794 +by (etac ((temp_use InitDmd) RS 
  25.795 +          ((temp_unlift streett_leadsto) RS iffD2 RS mp)) 1);
  25.796 +by (asm_simp_tac (simpset() addsimps [dmdInitD]) 1);
  25.797 +qed "leadsto_infinite";
  25.798  
  25.799  (* In particular, strong fairness is a Streett condition. The following
  25.800     rules are sometimes easier to use than WF2 or SF2 below.
  25.801  *)
  25.802 -qed_goalw "leadsto_SF" TLA.thy [SF_def]
  25.803 -  "|- (Enabled(<A>_v) ~> <A>_v) --> SF(A)_v"
  25.804 -  (K [clarsimp_tac (temp_css addSEs2 [leadsto_infinite]) 1]);
  25.805 +Goalw [SF_def] "|- (Enabled(<A>_v) ~> <A>_v) --> SF(A)_v";
  25.806 +by (clarsimp_tac (temp_css addSEs2 [leadsto_infinite]) 1);
  25.807 +qed "leadsto_SF";
  25.808  
  25.809 -qed_goal "leadsto_WF" TLA.thy 
  25.810 -  "|- (Enabled(<A>_v) ~> <A>_v) --> WF(A)_v"
  25.811 -  (K [ clarsimp_tac (temp_css addSIs2 [SFImplWF, leadsto_SF]) 1 ]);
  25.812 +Goal "|- (Enabled(<A>_v) ~> <A>_v) --> WF(A)_v";
  25.813 +by (clarsimp_tac (temp_css addSIs2 [SFImplWF, leadsto_SF]) 1);
  25.814 +qed "leadsto_WF";
  25.815  
  25.816  (* introduce an invariant into the proof of a leadsto assertion.
  25.817     []I --> ((P ~> Q)  =  (P /\ I ~> Q))
  25.818  *)
  25.819 -qed_goalw "INV_leadsto" TLA.thy [leadsto_def]
  25.820 -   "|- []I & (P & I ~> Q) --> (P ~> Q)"
  25.821 -   (fn _ => [Clarsimp_tac 1,
  25.822 -             etac STL4Edup 1, atac 1,
  25.823 -	     auto_tac (temp_css addsimps2 Init_simps addSDs2 [STL2_gen])
  25.824 -	    ]);
  25.825 +Goalw [leadsto_def] "|- []I & (P & I ~> Q) --> (P ~> Q)";
  25.826 +by (Clarsimp_tac 1);
  25.827 +by (etac STL4Edup 1); 
  25.828 +by (atac 1);
  25.829 +by (auto_tac (temp_css addsimps2 Init_simps addSDs2 [STL2_gen]));
  25.830 +qed "INV_leadsto";
  25.831  
  25.832 -qed_goalw "leadsto_classical" TLA.thy [leadsto_def,dmd_def]
  25.833 -   "|- (Init F & []~G ~> G) --> (F ~> G)"
  25.834 -   (fn _ => [force_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E]) 1]);
  25.835 +Goalw [leadsto_def,dmd_def]
  25.836 +  "|- (Init F & []~G ~> G) --> (F ~> G)";
  25.837 +by (force_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E]) 1);
  25.838 +qed "leadsto_classical";
  25.839  
  25.840 -qed_goalw "leadsto_false" TLA.thy [leadsto_def]
  25.841 -  "|- (F ~> #False) = ([]~F)"
  25.842 -  (fn _ => [ simp_tac (simpset() addsimps [boxNotInitD]) 1 ]);
  25.843 +Goalw [leadsto_def] "|- (F ~> #False) = ([]~F)";
  25.844 +by (simp_tac (simpset() addsimps [boxNotInitD]) 1);
  25.845 +qed "leadsto_false";
  25.846  
  25.847 -qed_goalw "leadsto_exists" TLA.thy [leadsto_def]
  25.848 -  "|- ((? x. F x) ~> G) = (!x. (F x ~> G))"
  25.849 -  (K [auto_tac (temp_css addsimps2 allT::Init_simps addSEs2 [STL4E])]);
  25.850 -
  25.851 +Goalw [leadsto_def] "|- ((EX x. F x) ~> G) = (ALL x. (F x ~> G))";
  25.852 +by (auto_tac (temp_css addsimps2 allT::Init_simps addSEs2 [STL4E]));
  25.853 +qed "leadsto_exists";
  25.854  
  25.855  (* basic leadsto properties, cf. Unity *)
  25.856  
  25.857 -qed_goalw "ImplLeadsto_gen" TLA.thy [leadsto_def]
  25.858 -   "|- [](Init F --> Init G) --> (F ~> G)"
  25.859 -   (fn _ => [auto_tac (temp_css addSIs2 [InitDmd_gen] 
  25.860 -                                addSEs2 [STL4E_gen] addsimps2 Init_simps)
  25.861 -	    ]);
  25.862 +Goalw [leadsto_def] "|- [](Init F --> Init G) --> (F ~> G)";
  25.863 +by (auto_tac (temp_css addSIs2 [InitDmd_gen] addSEs2 [STL4E_gen]
  25.864 +                       addsimps2 Init_simps));
  25.865 +qed "ImplLeadsto_gen";
  25.866  
  25.867  bind_thm("ImplLeadsto",
  25.868           rewrite_rule Init_simps 
  25.869               (read_instantiate [("'a","behavior"), ("'b","behavior")] ImplLeadsto_gen));
  25.870  
  25.871 -qed_goal "ImplLeadsto_simple" TLA.thy
  25.872 -  "|- F --> G ==> |- F ~> G"
  25.873 -  (fn [prem] => [auto_tac (temp_css addsimps2 [Init_def] 
  25.874 -                                    addSIs2 [ImplLeadsto_gen,necT,prem])]);
  25.875 +Goal "!!F G. |- F --> G ==> |- F ~> G";
  25.876 +by (auto_tac (temp_css addsimps2 [Init_def] 
  25.877 +                       addSIs2 [ImplLeadsto_gen,necT]));
  25.878 +qed "ImplLeadsto_simple";
  25.879  
  25.880 -qed_goalw "EnsuresLeadsto" TLA.thy [leadsto_def]
  25.881 -   "|- A & $P --> Q` ==> |- []A --> (P ~> Q)" (fn [prem] => [
  25.882 -		  clarsimp_tac (temp_css addSEs2 [INV_leadsto]) 1, 
  25.883 -                  etac STL4E_gen 1,
  25.884 -                  auto_tac (temp_css addsimps2 Init_defs
  25.885 -                                     addSIs2 [PrimeDmd, prem])
  25.886 -                 ]);
  25.887 +val [prem] = goalw thy [leadsto_def]
  25.888 +  "|- A & $P --> Q` ==> |- []A --> (P ~> Q)";
  25.889 +by (clarsimp_tac (temp_css addSEs2 [INV_leadsto]) 1); 
  25.890 +by (etac STL4E_gen 1);
  25.891 +by (auto_tac (temp_css addsimps2 Init_defs addSIs2 [PrimeDmd,prem]));
  25.892 +qed "EnsuresLeadsto";
  25.893  
  25.894 -qed_goalw "EnsuresLeadsto2" TLA.thy [leadsto_def]
  25.895 -   "|- []($P --> Q`) --> (P ~> Q)"
  25.896 -   (fn _ => [Clarsimp_tac 1,
  25.897 -             etac STL4E_gen 1,
  25.898 -             auto_tac (temp_css addsimps2 Init_simps addSIs2 [PrimeDmd])
  25.899 -            ]);
  25.900 +Goalw  [leadsto_def] "|- []($P --> Q`) --> (P ~> Q)";
  25.901 +by (Clarsimp_tac 1);
  25.902 +by (etac STL4E_gen 1);
  25.903 +by (auto_tac (temp_css addsimps2 Init_simps addSIs2 [PrimeDmd]));
  25.904 +qed "EnsuresLeadsto2";
  25.905  
  25.906 -qed_goalw "ensures" TLA.thy [leadsto_def]
  25.907 +val [p1,p2] = goalw thy [leadsto_def]
  25.908    "[| |- $P & N --> P` | Q`; \
  25.909  \     |- ($P & N) & A --> Q` \
  25.910 -\  |] ==> |- []N & []([]P --> <>A) --> (P ~> Q)"
  25.911 -  (fn [p1,p2] => [Clarsimp_tac 1,
  25.912 -                  etac STL4Edup 1, atac 1,
  25.913 -                  Clarsimp_tac 1,
  25.914 -                  subgoal_tac "sigmaa |= []($P --> P` | Q`)" 1,
  25.915 -                   dtac (temp_use unless) 1,
  25.916 -                   clarsimp_tac (temp_css addSDs2 [INV1]) 1,
  25.917 -                   rtac ((temp_use (p2 RS DmdImpl)) RS (temp_use DmdPrime)) 1,
  25.918 -                   force_tac (temp_css addSIs2 [BoxDmd_simple]
  25.919 -                                       addsimps2 [split_box_conj,box_stp_act]) 1,
  25.920 -                  force_tac (temp_css addEs2 [STL4E] addDs2 [p1]) 1
  25.921 -                 ]);
  25.922 +\  |] ==> |- []N & []([]P --> <>A) --> (P ~> Q)";
  25.923 +by (Clarsimp_tac 1);
  25.924 +by (etac STL4Edup 1); 
  25.925 +by (atac 1);
  25.926 +by (Clarsimp_tac 1);
  25.927 +by (subgoal_tac "sigmaa |= []($P --> P` | Q`)" 1);
  25.928 + by (dtac (temp_use unless) 1);
  25.929 + by (clarsimp_tac (temp_css addSDs2 [INV1]) 1);
  25.930 + by (rtac ((temp_use (p2 RS DmdImpl)) RS (temp_use DmdPrime)) 1);
  25.931 + by (force_tac (temp_css addSIs2 [BoxDmd_simple]
  25.932 +                         addsimps2 [split_box_conj,box_stp_act]) 1);
  25.933 +by (force_tac (temp_css addEs2 [STL4E] addDs2 [p1]) 1);
  25.934 +qed "ensures";
  25.935  
  25.936 -qed_goal "ensures_simple" TLA.thy
  25.937 +val prems = goal thy
  25.938    "[| |- $P & N --> P` | Q`; \
  25.939  \     |- ($P & N) & A --> Q` \
  25.940 -\  |] ==> |- []N & []<>A --> (P ~> Q)"
  25.941 -  (fn prems => [Clarsimp_tac 1,
  25.942 -                rtac (temp_use ensures) 1,
  25.943 -                TRYALL (ares_tac prems),
  25.944 -                force_tac (temp_css addSEs2 [STL4E]) 1
  25.945 -               ]);
  25.946 +\  |] ==> |- []N & []<>A --> (P ~> Q)";
  25.947 +by (Clarsimp_tac 1);
  25.948 +by (rtac (temp_use ensures) 1);
  25.949 +by (TRYALL (ares_tac prems));
  25.950 +by (force_tac (temp_css addSEs2 [STL4E]) 1);
  25.951 +qed "ensures_simple";
  25.952  
  25.953 -qed_goal "EnsuresInfinite" TLA.thy
  25.954 -   "[| sigma |= []<>P; sigma |= []A; |- A & $P --> Q` |] ==> sigma |= []<>Q"
  25.955 -   (fn prems => [REPEAT (resolve_tac (prems @ [temp_use leadsto_infinite,
  25.956 -					       temp_use EnsuresLeadsto]) 1)]);
  25.957 +val prems = goal thy
  25.958 +  "[| sigma |= []<>P; sigma |= []A; |- A & $P --> Q` |] ==> sigma |= []<>Q";
  25.959 +by (REPEAT (resolve_tac (prems @ 
  25.960 +                         (map temp_use [leadsto_infinite, EnsuresLeadsto])) 1));
  25.961 +qed "EnsuresInfinite";
  25.962  
  25.963  
  25.964  (*** Gronning's lattice rules (taken from TLP) ***)
  25.965  section "Lattice rules";
  25.966  
  25.967 -qed_goalw "LatticeReflexivity" TLA.thy [leadsto_def] "|- F ~> F"
  25.968 -   (fn _ => [REPEAT (resolve_tac [necT,InitDmd_gen] 1)]);
  25.969 -
  25.970 -qed_goalw "LatticeTransitivity" TLA.thy [leadsto_def]
  25.971 -   "|- (G ~> H) & (F ~> G) --> (F ~> H)"
  25.972 -   (fn _ => [Clarsimp_tac 1,
  25.973 -             etac dup_boxE 1,  (* [][](Init G --> H) *)
  25.974 -	     merge_box_tac 1,
  25.975 -	     clarsimp_tac (temp_css addSEs2 [STL4E]) 1,
  25.976 -             rtac dup_dmdD 1,
  25.977 -             subgoal_tac "sigmaa |= <>Init G" 1,
  25.978 -             etac DmdImpl2 1, atac 1,
  25.979 -             asm_simp_tac (simpset() addsimps [dmdInitD]) 1
  25.980 -	    ]);
  25.981 +Goalw [leadsto_def] "|- F ~> F";
  25.982 +by (REPEAT (resolve_tac [necT,InitDmd_gen] 1));
  25.983 +qed "LatticeReflexivity";
  25.984  
  25.985 -qed_goalw "LatticeDisjunctionElim1" TLA.thy [leadsto_def]
  25.986 -   "|- (F | G ~> H) --> (F ~> H)"
  25.987 -   (fn _ => [ auto_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E]) ]);
  25.988 +Goalw [leadsto_def] "|- (G ~> H) & (F ~> G) --> (F ~> H)";
  25.989 +by (Clarsimp_tac 1);
  25.990 +by (etac dup_boxE 1);  (* [][](Init G --> H) *)
  25.991 +by (merge_box_tac 1);
  25.992 +by (clarsimp_tac (temp_css addSEs2 [STL4E]) 1);
  25.993 +by (rtac dup_dmdD 1);
  25.994 +by (subgoal_tac "sigmaa |= <>Init G" 1);
  25.995 + by (etac DmdImpl2 1); 
  25.996 + by (atac 1);
  25.997 +by (asm_simp_tac (simpset() addsimps [dmdInitD]) 1);
  25.998 +qed "LatticeTransitivity";
  25.999  
 25.1000 -qed_goalw "LatticeDisjunctionElim2" TLA.thy [leadsto_def]
 25.1001 -   "|- (F | G ~> H) --> (G ~> H)"
 25.1002 -   (fn _ => [ auto_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E]) ]);
 25.1003 +Goalw [leadsto_def] "|- (F | G ~> H) --> (F ~> H)";
 25.1004 +by (auto_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E]));
 25.1005 +qed "LatticeDisjunctionElim1";
 25.1006  
 25.1007 -qed_goalw "LatticeDisjunctionIntro" TLA.thy [leadsto_def]
 25.1008 -   "|- (F ~> H) & (G ~> H) --> (F | G ~> H)"
 25.1009 -   (fn _ => [Clarsimp_tac 1,
 25.1010 -             merge_box_tac 1,
 25.1011 -	     auto_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E])
 25.1012 -	    ]);
 25.1013 +Goalw [leadsto_def] "|- (F | G ~> H) --> (G ~> H)";
 25.1014 +by (auto_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E]));
 25.1015 +qed "LatticeDisjunctionElim2";
 25.1016  
 25.1017 -qed_goal "LatticeDisjunction" TLA.thy
 25.1018 -   "|- (F | G ~> H) = ((F ~> H) & (G ~> H))"
 25.1019 -   (fn _ => [auto_tac (temp_css addIs2 [LatticeDisjunctionIntro,
 25.1020 -                                LatticeDisjunctionElim1, LatticeDisjunctionElim2])]);
 25.1021 +Goalw [leadsto_def] "|- (F ~> H) & (G ~> H) --> (F | G ~> H)";
 25.1022 +by (Clarsimp_tac 1);
 25.1023 +by (merge_box_tac 1);
 25.1024 +by (auto_tac (temp_css addsimps2 Init_simps addSEs2 [STL4E]));
 25.1025 +qed "LatticeDisjunctionIntro";
 25.1026  
 25.1027 -qed_goal "LatticeDiamond" TLA.thy
 25.1028 -   "|- (A ~> B | C) & (B ~> D) & (C ~> D) --> (A ~> D)"
 25.1029 -   (fn _ => [Clarsimp_tac 1,
 25.1030 -             subgoal_tac "sigma |= (B | C) ~> D" 1,
 25.1031 -	     eres_inst_tac [("G", "LIFT (B | C)")] (temp_use LatticeTransitivity) 1,
 25.1032 -	     ALLGOALS (fast_tac (temp_cs addSIs [LatticeDisjunctionIntro]))
 25.1033 -	    ]);
 25.1034 +Goal "|- (F | G ~> H) = ((F ~> H) & (G ~> H))";
 25.1035 +by (auto_tac (temp_css addIs2 [LatticeDisjunctionIntro,
 25.1036 +                               LatticeDisjunctionElim1, LatticeDisjunctionElim2]));
 25.1037 +qed "LatticeDisjunction";
 25.1038  
 25.1039 -qed_goal "LatticeTriangle" TLA.thy
 25.1040 -   "|- (A ~> D | B) & (B ~> D) --> (A ~> D)"
 25.1041 -   (fn _ => [Clarsimp_tac 1,
 25.1042 -             subgoal_tac "sigma |= (D | B) ~> D" 1,
 25.1043 -	     eres_inst_tac [("G", "LIFT (D | B)")] (temp_use LatticeTransitivity) 1, atac 1,
 25.1044 -	     auto_tac (temp_css addSIs2 [LatticeDisjunctionIntro] 
 25.1045 -                                addIs2 [LatticeReflexivity])
 25.1046 -	    ]);
 25.1047 +Goal "|- (A ~> B | C) & (B ~> D) & (C ~> D) --> (A ~> D)";
 25.1048 +by (Clarsimp_tac 1);
 25.1049 +by (subgoal_tac "sigma |= (B | C) ~> D" 1);
 25.1050 +by (eres_inst_tac [("G", "LIFT (B | C)")] (temp_use LatticeTransitivity) 1);
 25.1051 +by (ALLGOALS (fast_tac (temp_cs addSIs [LatticeDisjunctionIntro])));
 25.1052 +qed "LatticeDiamond";
 25.1053  
 25.1054 -qed_goal "LatticeTriangle2" TLA.thy
 25.1055 -   "|- (A ~> B | D) & (B ~> D) --> (A ~> D)"
 25.1056 -   (fn _ => [Clarsimp_tac 1,
 25.1057 -             subgoal_tac "sigma |= B | D ~> D" 1,
 25.1058 -	     eres_inst_tac [("G", "LIFT (B | D)")] (temp_use LatticeTransitivity) 1, atac 1,
 25.1059 -	     auto_tac (temp_css addSIs2 [LatticeDisjunctionIntro] 
 25.1060 -                                addIs2 [LatticeReflexivity])
 25.1061 -	    ]);
 25.1062 +Goal "|- (A ~> D | B) & (B ~> D) --> (A ~> D)";
 25.1063 +by (Clarsimp_tac 1);
 25.1064 +by (subgoal_tac "sigma |= (D | B) ~> D" 1);
 25.1065 +by (eres_inst_tac [("G", "LIFT (D | B)")] (temp_use LatticeTransitivity) 1); 
 25.1066 +by (atac 1);
 25.1067 +by (auto_tac (temp_css addIs2 [LatticeDisjunctionIntro,LatticeReflexivity]));
 25.1068 +qed "LatticeTriangle";
 25.1069 +
 25.1070 +Goal "|- (A ~> B | D) & (B ~> D) --> (A ~> D)";
 25.1071 +by (Clarsimp_tac 1);
 25.1072 +by (subgoal_tac "sigma |= B | D ~> D" 1);
 25.1073 +by (eres_inst_tac [("G", "LIFT (B | D)")] (temp_use LatticeTransitivity) 1); 
 25.1074 +by (atac 1);
 25.1075 +by (auto_tac (temp_css addIs2 [LatticeDisjunctionIntro,LatticeReflexivity]));
 25.1076 +qed "LatticeTriangle2";
 25.1077  
 25.1078  (*** Lamport's fairness rules ***)
 25.1079  section "Fairness rules";
 25.1080  
 25.1081 -qed_goal "WF1" TLA.thy
 25.1082 -   "[| |- $P & N  --> P` | Q`;   \
 25.1083 -\      |- ($P & N) & <A>_v --> Q`;   \
 25.1084 -\      |- $P & N --> $(Enabled(<A>_v)) |]   \
 25.1085 -\  ==> |- []N & WF(A)_v --> (P ~> Q)"  (fn prems => [
 25.1086 -             clarsimp_tac (temp_css addSDs2 [BoxWFI]) 1,
 25.1087 -             rtac (temp_use ensures) 1,
 25.1088 -             TRYALL (ares_tac prems),
 25.1089 -             etac STL4Edup 1, atac 1,
 25.1090 -             clarsimp_tac (temp_css addsimps2 [WF_def]) 1,
 25.1091 -             rtac (temp_use STL2) 1,
 25.1092 -             clarsimp_tac (temp_css addSEs2 [mp] addSIs2 [InitDmd]) 1,
 25.1093 -             resolve_tac ((map temp_use (prems RL [STL4])) RL [box_stp_actD]) 1,
 25.1094 -             asm_simp_tac (simpset() addsimps [split_box_conj,box_stp_actI]) 1
 25.1095 -            ]);
 25.1096 +val prems = goal thy
 25.1097 +  "[| |- $P & N  --> P` | Q`;   \
 25.1098 +\     |- ($P & N) & <A>_v --> Q`;   \
 25.1099 +\     |- $P & N --> $(Enabled(<A>_v)) |]   \
 25.1100 +\ ==> |- []N & WF(A)_v --> (P ~> Q)";
 25.1101 +by (clarsimp_tac (temp_css addSDs2 [BoxWFI]) 1);
 25.1102 +by (rtac (temp_use ensures) 1);
 25.1103 +by (TRYALL (ares_tac prems));
 25.1104 +by (etac STL4Edup 1); 
 25.1105 +by (atac 1);
 25.1106 +by (clarsimp_tac (temp_css addsimps2 [WF_def]) 1);
 25.1107 +by (rtac (temp_use STL2) 1);
 25.1108 +by (clarsimp_tac (temp_css addSEs2 [mp] addSIs2 [InitDmd]) 1);
 25.1109 +by (resolve_tac ((map temp_use (prems RL [STL4])) RL [box_stp_actD]) 1);
 25.1110 +by (asm_simp_tac (simpset() addsimps [split_box_conj,box_stp_actI]) 1);
 25.1111 +qed "WF1";
 25.1112  
 25.1113  (* Sometimes easier to use; designed for action B rather than state predicate Q *)
 25.1114 -qed_goalw "WF_leadsto" TLA.thy [leadsto_def]
 25.1115 -   "[| |- N & $P --> $Enabled (<A>_v);            \
 25.1116 -\      |- N & <A>_v --> B;                  \ 
 25.1117 -\      |- [](N & [~A]_v) --> stable P  |]  \
 25.1118 -\   ==> |- []N & WF(A)_v --> (P ~> B)"
 25.1119 -   (fn [prem1,prem2,prem3]
 25.1120 -       => [clarsimp_tac (temp_css addSDs2 [BoxWFI]) 1,
 25.1121 -           etac STL4Edup 1, atac 1,
 25.1122 -           Clarsimp_tac 1,
 25.1123 -           rtac (temp_use (prem2 RS DmdImpl)) 1,
 25.1124 -           rtac (temp_use BoxDmd_simple) 1, atac 1,
 25.1125 -           rtac classical 1,
 25.1126 -           rtac (temp_use STL2) 1,
 25.1127 -           clarsimp_tac (temp_css addsimps2 [WF_def] addSEs2 [mp] addSIs2 [InitDmd]) 1,
 25.1128 -           rtac ((temp_use (prem1 RS STL4)) RS box_stp_actD) 1,
 25.1129 -           asm_simp_tac (simpset() addsimps [split_box_conj,box_stp_act]) 1,
 25.1130 -           etac (temp_use INV1) 1,
 25.1131 -           rtac (temp_use prem3) 1,
 25.1132 -           asm_full_simp_tac (simpset() addsimps [split_box_conj,temp_use NotDmd,not_angle]) 1
 25.1133 -          ]);
 25.1134 +val [prem1,prem2,prem3] = goalw thy [leadsto_def]
 25.1135 +  "[| |- N & $P --> $Enabled (<A>_v);            \
 25.1136 +\     |- N & <A>_v --> B;                  \ 
 25.1137 +\     |- [](N & [~A]_v) --> stable P  |]  \
 25.1138 +\  ==> |- []N & WF(A)_v --> (P ~> B)";
 25.1139 +by (clarsimp_tac (temp_css addSDs2 [BoxWFI]) 1);
 25.1140 +by (etac STL4Edup 1); 
 25.1141 +by (atac 1);
 25.1142 +by (Clarsimp_tac 1);
 25.1143 +by (rtac (temp_use (prem2 RS DmdImpl)) 1);
 25.1144 +by (rtac (temp_use BoxDmd_simple) 1); 
 25.1145 +by (atac 1);
 25.1146 +by (rtac classical 1);
 25.1147 +by (rtac (temp_use STL2) 1);
 25.1148 +by (clarsimp_tac (temp_css addsimps2 [WF_def] addSEs2 [mp] addSIs2 [InitDmd]) 1);
 25.1149 +by (rtac ((temp_use (prem1 RS STL4)) RS box_stp_actD) 1);
 25.1150 +by (asm_simp_tac (simpset() addsimps [split_box_conj,box_stp_act]) 1);
 25.1151 +by (etac (temp_use INV1) 1);
 25.1152 +by (rtac (temp_use prem3) 1);
 25.1153 +by (asm_full_simp_tac (simpset() addsimps [split_box_conj,temp_use NotDmd,not_angle]) 1);
 25.1154 +qed "WF_leadsto";
 25.1155  
 25.1156 -qed_goal "SF1" TLA.thy
 25.1157 -   "[| |- $P & N  --> P` | Q`;   \
 25.1158 -\      |- ($P & N) & <A>_v --> Q`;   \
 25.1159 -\      |- []P & []N & []F --> <>Enabled(<A>_v) |]   \
 25.1160 -\  ==> |- []N & SF(A)_v & []F --> (P ~> Q)"
 25.1161 -   (fn prems => [
 25.1162 -             clarsimp_tac (temp_css addSDs2 [BoxSFI]) 1,
 25.1163 -             rtac (temp_use ensures) 1,
 25.1164 -             TRYALL (ares_tac prems),
 25.1165 -             eres_inst_tac [("F","F")] dup_boxE 1,
 25.1166 -             merge_temp_box_tac 1,
 25.1167 -             etac STL4Edup 1, atac 1,
 25.1168 -             clarsimp_tac (temp_css addsimps2 [SF_def]) 1,
 25.1169 -             rtac (temp_use STL2) 1, etac mp 1,
 25.1170 -             resolve_tac (map temp_use (prems RL [STL4])) 1,
 25.1171 -             asm_simp_tac (simpset() addsimps [split_box_conj, STL3]) 1
 25.1172 -            ]);
 25.1173 +val prems = goal thy
 25.1174 +  "[| |- $P & N  --> P` | Q`;   \
 25.1175 +\     |- ($P & N) & <A>_v --> Q`;   \
 25.1176 +\     |- []P & []N & []F --> <>Enabled(<A>_v) |]   \
 25.1177 +\ ==> |- []N & SF(A)_v & []F --> (P ~> Q)";
 25.1178 +by (clarsimp_tac (temp_css addSDs2 [BoxSFI]) 1);
 25.1179 +by (rtac (temp_use ensures) 1);
 25.1180 +by (TRYALL (ares_tac prems));
 25.1181 +by (eres_inst_tac [("F","F")] dup_boxE 1);
 25.1182 +by (merge_temp_box_tac 1);
 25.1183 +by (etac STL4Edup 1); 
 25.1184 +by (atac 1);
 25.1185 +by (clarsimp_tac (temp_css addsimps2 [SF_def]) 1);
 25.1186 +by (rtac (temp_use STL2) 1); 
 25.1187 +by (etac mp 1);
 25.1188 +by (resolve_tac (map temp_use (prems RL [STL4])) 1);
 25.1189 +by (asm_simp_tac (simpset() addsimps [split_box_conj, STL3]) 1);
 25.1190 +qed "SF1";
 25.1191  
 25.1192 -qed_goal "WF2" TLA.thy
 25.1193 -   "[| |- N & <B>_f --> <M>_g;   \
 25.1194 -\      |- $P & P` & <N & A>_f --> B;   \
 25.1195 -\      |- P & Enabled(<M>_g) --> Enabled(<A>_f);   \
 25.1196 -\      |- [](N & [~B]_f) & WF(A)_f & []F & <>[]Enabled(<M>_g) --> <>[]P |]   \
 25.1197 -\  ==> |- []N & WF(A)_f & []F --> WF(M)_g"
 25.1198 -(fn [prem1,prem2,prem3,prem4] => [
 25.1199 -	   clarsimp_tac (temp_css addSDs2 [BoxWFI, (temp_use BoxDmdBox) RS iffD2] 
 25.1200 -                            addsimps2 [read_instantiate [("A","M")] WF_def]) 1,
 25.1201 -           eres_inst_tac [("F","F")] dup_boxE 1,
 25.1202 -           merge_temp_box_tac 1,
 25.1203 -           etac STL4Edup 1, atac 1,
 25.1204 -           clarsimp_tac (temp_css addSIs2 [(temp_use BoxDmd_simple) RS (temp_use (prem1 RS DmdImpl))]) 1,
 25.1205 -           rtac classical 1,
 25.1206 -           subgoal_tac "sigmaa |= <>(($P & P` & N) & <A>_f)" 1,
 25.1207 -           force_tac (temp_css addsimps2 [angle_def] addSIs2 [prem2] addSEs2 [DmdImplE]) 1,
 25.1208 -           rtac (temp_use (rewrite_rule [temp_rewrite DmdDmd] (BoxDmd_simple RS DmdImpl))) 1,
 25.1209 -           asm_full_simp_tac (simpset() addsimps [temp_use NotDmd, not_angle]) 1,
 25.1210 -           merge_act_box_tac 1,
 25.1211 -           forward_tac [temp_use prem4] 1, TRYALL atac,
 25.1212 -           dtac (temp_use STL6) 1, atac 1, 
 25.1213 -           eres_inst_tac [("V","sigmaa |= <>[]P")] thin_rl 1,
 25.1214 -           eres_inst_tac [("V","sigmaa |= []F")] thin_rl 1,
 25.1215 -           dtac (temp_use BoxWFI) 1,
 25.1216 -           eres_inst_tac [("F", "ACT N & [~B]_f")] dup_boxE 1,
 25.1217 -           merge_temp_box_tac 1,
 25.1218 -           etac DmdImpldup 1, atac 1,
 25.1219 -           auto_tac (temp_css addsimps2 [split_box_conj,STL3,WF_Box,box_stp_act]),
 25.1220 -           force_tac (temp_css addSEs2 [read_instantiate [("P","P")] TLA2E]) 1,
 25.1221 -           rtac (temp_use STL2) 1,
 25.1222 -           force_tac (temp_css addsimps2 [WF_def,split_box_conj] addSEs2 [mp] 
 25.1223 -                               addSIs2 [InitDmd, prem3 RS STL4]) 1
 25.1224 -	  ]);
 25.1225 +val [prem1,prem2,prem3,prem4] = goal thy
 25.1226 +  "[| |- N & <B>_f --> <M>_g;   \
 25.1227 +\     |- $P & P` & <N & A>_f --> B;   \
 25.1228 +\     |- P & Enabled(<M>_g) --> Enabled(<A>_f);   \
 25.1229 +\     |- [](N & [~B]_f) & WF(A)_f & []F & <>[]Enabled(<M>_g) --> <>[]P |]   \
 25.1230 +\ ==> |- []N & WF(A)_f & []F --> WF(M)_g";
 25.1231 +by (clarsimp_tac (temp_css addSDs2 [BoxWFI, (temp_use BoxDmdBox) RS iffD2] 
 25.1232 +                           addsimps2 [read_instantiate [("A","M")] WF_def]) 1);
 25.1233 +by (eres_inst_tac [("F","F")] dup_boxE 1);
 25.1234 +by (merge_temp_box_tac 1);
 25.1235 +by (etac STL4Edup 1); 
 25.1236 +by (atac 1);
 25.1237 +by (clarsimp_tac (temp_css addSIs2
 25.1238 +         [(temp_use BoxDmd_simple) RS (temp_use (prem1 RS DmdImpl))]) 1);
 25.1239 +by (rtac classical 1);
 25.1240 +by (subgoal_tac "sigmaa |= <>(($P & P` & N) & <A>_f)" 1);
 25.1241 + by (force_tac (temp_css addsimps2 [angle_def] addSIs2 [prem2] addSEs2 [DmdImplE]) 1);
 25.1242 +by (rtac (temp_use (rewrite_rule [temp_rewrite DmdDmd] (BoxDmd_simple RS DmdImpl))) 1);
 25.1243 +by (asm_full_simp_tac (simpset() addsimps [temp_use NotDmd, not_angle]) 1);
 25.1244 +by (merge_act_box_tac 1);
 25.1245 +by (forward_tac [temp_use prem4] 1); 
 25.1246 +by (TRYALL atac);
 25.1247 +by (dtac (temp_use STL6) 1); 
 25.1248 +by (atac 1);
 25.1249 +by (eres_inst_tac [("V","sigmaa |= <>[]P")] thin_rl 1);
 25.1250 +by (eres_inst_tac [("V","sigmaa |= []F")] thin_rl 1);
 25.1251 +by (dtac (temp_use BoxWFI) 1);
 25.1252 +by (eres_inst_tac [("F", "ACT N & [~B]_f")] dup_boxE 1);
 25.1253 +by (merge_temp_box_tac 1);
 25.1254 +by (etac DmdImpldup 1); 
 25.1255 +by (atac 1);
 25.1256 +by (auto_tac (temp_css addsimps2 [split_box_conj,STL3,WF_Box,box_stp_act]));
 25.1257 + by (force_tac (temp_css addSEs2 [read_instantiate [("P","P")] TLA2E]) 1);
 25.1258 +by (rtac (temp_use STL2) 1);
 25.1259 +by (force_tac (temp_css addsimps2 [WF_def,split_box_conj] addSEs2 [mp] 
 25.1260 +                        addSIs2 [InitDmd, prem3 RS STL4]) 1);
 25.1261 +qed "WF2";
 25.1262  
 25.1263 -qed_goal "SF2" TLA.thy
 25.1264 -   "[| |- N & <B>_f --> <M>_g;   \
 25.1265 -\      |- $P & P` & <N & A>_f --> B;   \
 25.1266 -\      |- P & Enabled(<M>_g) --> Enabled(<A>_f);   \
 25.1267 -\      |- [](N & [~B]_f) & SF(A)_f & []F & []<>Enabled(<M>_g) --> <>[]P |]   \
 25.1268 -\  ==> |- []N & SF(A)_f & []F --> SF(M)_g"
 25.1269 -(fn [prem1,prem2,prem3,prem4] => [
 25.1270 -	   clarsimp_tac (temp_css addSDs2 [BoxSFI] 
 25.1271 -                            addsimps2 [read_instantiate [("A","M")] SF_def]) 1,
 25.1272 -           eres_inst_tac [("F","F")] dup_boxE 1,
 25.1273 -           eres_inst_tac [("F","TEMP <>Enabled(<M>_g)")] dup_boxE 1,
 25.1274 -           merge_temp_box_tac 1,
 25.1275 -           etac STL4Edup 1, atac 1,
 25.1276 -           clarsimp_tac (temp_css addSIs2 [(temp_use BoxDmd_simple) RS (temp_use (prem1 RS DmdImpl))]) 1,
 25.1277 -           rtac classical 1,
 25.1278 -           subgoal_tac "sigmaa |= <>(($P & P` & N) & <A>_f)" 1,
 25.1279 -           force_tac (temp_css addsimps2 [angle_def] addSIs2 [prem2] addSEs2 [DmdImplE]) 1,
 25.1280 -           rtac (temp_use (rewrite_rule [temp_rewrite DmdDmd] (BoxDmd_simple RS DmdImpl))) 1,
 25.1281 -           asm_full_simp_tac (simpset() addsimps [temp_use NotDmd, not_angle]) 1,
 25.1282 -           merge_act_box_tac 1,
 25.1283 -           forward_tac [temp_use prem4] 1, TRYALL atac,
 25.1284 -           eres_inst_tac [("V","sigmaa |= []F")] thin_rl 1,
 25.1285 -           dtac (temp_use BoxSFI) 1,
 25.1286 -           eres_inst_tac [("F","TEMP <>Enabled(<M>_g)")] dup_boxE 1,
 25.1287 -           eres_inst_tac [("F", "ACT N & [~B]_f")] dup_boxE 1,
 25.1288 -           merge_temp_box_tac 1,
 25.1289 -           etac DmdImpldup 1, atac 1,
 25.1290 -           auto_tac (temp_css addsimps2 [split_box_conj,STL3,SF_Box,box_stp_act]),
 25.1291 -           force_tac (temp_css addSEs2 [read_instantiate [("P","P")] TLA2E]) 1,
 25.1292 -           rtac (temp_use STL2) 1,
 25.1293 -           force_tac (temp_css addsimps2 [SF_def,split_box_conj] addSEs2 [mp,InfImpl] 
 25.1294 -                               addSIs2 [prem3]) 1
 25.1295 -	  ]);
 25.1296 +val [prem1,prem2,prem3,prem4] = goal thy
 25.1297 +  "[| |- N & <B>_f --> <M>_g;   \
 25.1298 +\     |- $P & P` & <N & A>_f --> B;   \
 25.1299 +\     |- P & Enabled(<M>_g) --> Enabled(<A>_f);   \
 25.1300 +\     |- [](N & [~B]_f) & SF(A)_f & []F & []<>Enabled(<M>_g) --> <>[]P |]   \
 25.1301 +\ ==> |- []N & SF(A)_f & []F --> SF(M)_g";
 25.1302 +by (clarsimp_tac (temp_css addSDs2 [BoxSFI] 
 25.1303 +                           addsimps2 [read_instantiate [("A","M")] SF_def]) 1);
 25.1304 +by (eres_inst_tac [("F","F")] dup_boxE 1);
 25.1305 +by (eres_inst_tac [("F","TEMP <>Enabled(<M>_g)")] dup_boxE 1);
 25.1306 +by (merge_temp_box_tac 1);
 25.1307 +by (etac STL4Edup 1); 
 25.1308 +by (atac 1);
 25.1309 +by (clarsimp_tac (temp_css addSIs2
 25.1310 +        [(temp_use BoxDmd_simple) RS (temp_use (prem1 RS DmdImpl))]) 1);
 25.1311 +by (rtac classical 1);
 25.1312 +by (subgoal_tac "sigmaa |= <>(($P & P` & N) & <A>_f)" 1);
 25.1313 + by (force_tac (temp_css addsimps2 [angle_def] addSIs2 [prem2] addSEs2 [DmdImplE]) 1);
 25.1314 +by (rtac (temp_use (rewrite_rule [temp_rewrite DmdDmd] (BoxDmd_simple RS DmdImpl))) 1);
 25.1315 +by (asm_full_simp_tac (simpset() addsimps [temp_use NotDmd, not_angle]) 1);
 25.1316 +by (merge_act_box_tac 1);
 25.1317 +by (forward_tac [temp_use prem4] 1); 
 25.1318 +by (TRYALL atac);
 25.1319 +by (eres_inst_tac [("V","sigmaa |= []F")] thin_rl 1);
 25.1320 +by (dtac (temp_use BoxSFI) 1);
 25.1321 +by (eres_inst_tac [("F","TEMP <>Enabled(<M>_g)")] dup_boxE 1);
 25.1322 +by (eres_inst_tac [("F", "ACT N & [~B]_f")] dup_boxE 1);
 25.1323 +by (merge_temp_box_tac 1);
 25.1324 +by (etac DmdImpldup 1); 
 25.1325 +by (atac 1);
 25.1326 +by (auto_tac (temp_css addsimps2 [split_box_conj,STL3,SF_Box,box_stp_act]));
 25.1327 + by (force_tac (temp_css addSEs2 [read_instantiate [("P","P")] TLA2E]) 1);
 25.1328 +by (rtac (temp_use STL2) 1);
 25.1329 +by (force_tac (temp_css addsimps2 [SF_def,split_box_conj] addSEs2 [mp,InfImpl] 
 25.1330 +                        addSIs2 [prem3]) 1);
 25.1331 +qed "SF2";
 25.1332  
 25.1333  (* ------------------------------------------------------------------------- *)
 25.1334  (***           Liveness proofs by well-founded orderings                   ***)
 25.1335  (* ------------------------------------------------------------------------- *)
 25.1336  section "Well-founded orderings";
 25.1337  
 25.1338 -qed_goal "wf_leadsto" TLA.thy
 25.1339 +val p1::prems = goal thy
 25.1340    "[| wf r;  \
 25.1341 -\     !!x. sigma |= F x ~> (G | (? y. #((y,x):r) & F y))   \
 25.1342 -\  |] ==> sigma |= F x ~> G"
 25.1343 -  (fn p1::prems =>
 25.1344 -     [rtac (p1 RS wf_induct) 1,
 25.1345 -      rtac (temp_use LatticeTriangle) 1,
 25.1346 -      resolve_tac prems 1,
 25.1347 -      auto_tac (temp_css addsimps2 [leadsto_exists]),
 25.1348 -      case_tac "(y,x):r" 1,
 25.1349 -       Force_tac 1,
 25.1350 -      force_tac (temp_css addsimps2 leadsto_def::Init_simps addSIs2 [necT]) 1]);
 25.1351 +\     !!x. sigma |= F x ~> (G | (EX y. #((y,x):r) & F y))   \
 25.1352 +\  |] ==> sigma |= F x ~> G";
 25.1353 +by (rtac (p1 RS wf_induct) 1);
 25.1354 +by (rtac (temp_use LatticeTriangle) 1);
 25.1355 +by (resolve_tac prems 1);
 25.1356 +by (auto_tac (temp_css addsimps2 [leadsto_exists]));
 25.1357 +by (case_tac "(y,x):r" 1);
 25.1358 + by (Force_tac 1);
 25.1359 +by (force_tac (temp_css addsimps2 leadsto_def::Init_simps addSIs2 [necT]) 1);
 25.1360 +qed "wf_leadsto";
 25.1361  
 25.1362  (* If r is well-founded, state function v cannot decrease forever *)
 25.1363 -qed_goal "wf_not_box_decrease" TLA.thy
 25.1364 -  "!!r. wf r ==> |- [][ (v`, $v) : #r ]_v --> <>[][#False]_v"
 25.1365 -  (fn _ => [Clarsimp_tac 1,
 25.1366 -            rtac ccontr 1,
 25.1367 -            subgoal_tac "sigma |= (? x. v=#x) ~> #False" 1,
 25.1368 -             dtac ((temp_use leadsto_false) RS iffD1 RS (temp_use STL2_gen)) 1,
 25.1369 -             force_tac (temp_css addsimps2 Init_defs) 1,
 25.1370 -            clarsimp_tac (temp_css addsimps2 [leadsto_exists,not_square]@more_temp_simps) 1,
 25.1371 -            etac wf_leadsto 1,
 25.1372 -            rtac (temp_use ensures_simple) 1, TRYALL atac,
 25.1373 -            auto_tac (temp_css addsimps2 [square_def,angle_def])
 25.1374 -           ]);
 25.1375 +Goal "!!r. wf r ==> |- [][ (v`, $v) : #r ]_v --> <>[][#False]_v";
 25.1376 +by (Clarsimp_tac 1);
 25.1377 +by (rtac ccontr 1);
 25.1378 +by (subgoal_tac "sigma |= (EX x. v=#x) ~> #False" 1);
 25.1379 + by (dtac ((temp_use leadsto_false) RS iffD1 RS (temp_use STL2_gen)) 1);
 25.1380 + by (force_tac (temp_css addsimps2 Init_defs) 1);
 25.1381 +by (clarsimp_tac (temp_css addsimps2 [leadsto_exists,not_square]@more_temp_simps) 1);
 25.1382 +by (etac wf_leadsto 1);
 25.1383 +by (rtac (temp_use ensures_simple) 1); 
 25.1384 +by (TRYALL atac);
 25.1385 +by (auto_tac (temp_css addsimps2 [square_def,angle_def]));
 25.1386 +qed "wf_not_box_decrease";
 25.1387  
 25.1388  (* "wf r  ==>  |- <>[][ (v`, $v) : #r ]_v --> <>[][#False]_v" *)
 25.1389  bind_thm("wf_not_dmd_box_decrease",
 25.1390 @@ -934,35 +974,36 @@
 25.1391  (* If there are infinitely many steps where v decreases, then there
 25.1392     have to be infinitely many non-stuttering steps where v doesn't decrease.
 25.1393  *)
 25.1394 -qed_goal "wf_box_dmd_decrease" TLA.thy
 25.1395 -  "wf r ==> |- []<>((v`, $v) : #r) --> []<><(v`, $v) ~: #r>_v"
 25.1396 -  (fn [prem] => [
 25.1397 -            Clarsimp_tac 1,
 25.1398 -            rtac ccontr 1,
 25.1399 -            asm_full_simp_tac (simpset() addsimps not_angle::more_temp_simps) 1,
 25.1400 -            dtac (prem RS (temp_use wf_not_dmd_box_decrease)) 1,
 25.1401 -            dtac (temp_use BoxDmdDmdBox) 1, atac 1,
 25.1402 -            subgoal_tac "sigma |= []<>((#False)::action)" 1,
 25.1403 -            Force_tac 1,
 25.1404 -            etac STL4E 1,
 25.1405 -            rtac DmdImpl 1,
 25.1406 -            force_tac (temp_css addIs2 [prem RS wf_irrefl]) 1
 25.1407 -           ]);
 25.1408 +val [prem] = goal thy
 25.1409 +  "wf r ==> |- []<>((v`, $v) : #r) --> []<><(v`, $v) ~: #r>_v";
 25.1410 +by (Clarsimp_tac 1);
 25.1411 +by (rtac ccontr 1);
 25.1412 +by (asm_full_simp_tac (simpset() addsimps not_angle::more_temp_simps) 1);
 25.1413 +by (dtac (prem RS (temp_use wf_not_dmd_box_decrease)) 1);
 25.1414 +by (dtac (temp_use BoxDmdDmdBox) 1); 
 25.1415 +by (atac 1);
 25.1416 +by (subgoal_tac "sigma |= []<>((#False)::action)" 1);
 25.1417 + by (Force_tac 1);
 25.1418 +by (etac STL4E 1);
 25.1419 +by (rtac DmdImpl 1);
 25.1420 +by (force_tac (temp_css addIs2 [prem RS wf_irrefl]) 1);
 25.1421 +qed "wf_box_dmd_decrease";
 25.1422  
 25.1423  (* In particular, for natural numbers, if n decreases infinitely often
 25.1424     then it has to increase infinitely often.
 25.1425  *)
 25.1426 -qed_goal "nat_box_dmd_decrease" TLA.thy
 25.1427 -  "!!n::nat stfun. |- []<>(n` < $n) --> []<>($n < n`)"
 25.1428 -  (K [Clarsimp_tac 1,
 25.1429 -      subgoal_tac "sigma |= []<><~( (n`,$n) : #less_than )>_n" 1,
 25.1430 -      etac thin_rl 1, etac STL4E 1, rtac DmdImpl 1,
 25.1431 -      clarsimp_tac (temp_css addsimps2 [angle_def]) 1,
 25.1432 -      rtac nat_less_cases 1,
 25.1433 -      Auto_tac,
 25.1434 -      rtac (temp_use wf_box_dmd_decrease) 1,
 25.1435 -      auto_tac (temp_css addSEs2 [STL4E,DmdImplE])
 25.1436 -     ]);
 25.1437 +Goal "!!n::nat stfun. |- []<>(n` < $n) --> []<>($n < n`)";
 25.1438 +by (Clarsimp_tac 1);
 25.1439 +by (subgoal_tac "sigma |= []<><~( (n`,$n) : #less_than )>_n" 1);
 25.1440 + by (etac thin_rl 1); 
 25.1441 + by (etac STL4E 1); 
 25.1442 + by (rtac DmdImpl 1);
 25.1443 + by (clarsimp_tac (temp_css addsimps2 [angle_def]) 1);
 25.1444 + by (rtac nat_less_cases 1);
 25.1445 + by Auto_tac;
 25.1446 +by (rtac (temp_use wf_box_dmd_decrease) 1);
 25.1447 +by (auto_tac (temp_css addSEs2 [STL4E,DmdImplE]));
 25.1448 +qed "nat_box_dmd_decrease";
 25.1449  
 25.1450  
 25.1451  (* ------------------------------------------------------------------------- *)
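Review bot: The `subgoal_tac` steps at 25.1416 and 25.1439 hard-code the behaviour variable name `sigma`, which is not bound anywhere in either goal statement and presumably is the name `Clarsimp_tac` introduces when it unfolds `|-`; if the simpset or the definition behind `|-` ever changes that name, both `wf_box_dmd_decrease` and `nat_box_dmd_decrease` fail with a free-variable mismatch rather than a readable error. The same reliance existed in the batched version, so this is an inherited fragility rather than a regression, but the step-by-step form now makes it visible on its own line and worth a marker. Suggest a comment at the first occurrence, e.g. `(* "sigma" is the behaviour variable introduced by Clarsimp_tac when |- is unfolded *)`, so a later reader does not take it for a free variable of the lemma.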
 25.1452 @@ -970,47 +1011,51 @@
 25.1453  (* ------------------------------------------------------------------------- *)
 25.1454  section "Flexible quantification";
 25.1455  
 25.1456 -qed_goal "aallI" TLA.thy 
 25.1457 -  "[| basevars vs; (!!x. basevars (x,vs) ==> sigma |= F x) |] ==> sigma |= (AALL x. F x)"
 25.1458 -  (fn [prem1,prem2] => [auto_tac (temp_css addsimps2 [aall_def] addSEs2 [eexE] 
 25.1459 -                                   addSIs2 [prem1] addSDs2 [prem2])]);
 25.1460 +val [prem1,prem2] = goal thy
 25.1461 +  "[| basevars vs; (!!x. basevars (x,vs) ==> sigma |= F x) |]\
 25.1462 +\  ==> sigma |= (AALL x. F x)";
 25.1463 +by (auto_tac (temp_css addsimps2 [aall_def] addSEs2 [eexE] 
 25.1464 +                       addSIs2 [prem1] addSDs2 [prem2]));
 25.1465 +qed "aallI";
 25.1466  
 25.1467 -qed_goalw "aallE" TLA.thy [aall_def] "|- (AALL x. F x) --> F x"
 25.1468 -   (K [Clarsimp_tac 1, etac swap 1,
 25.1469 -       force_tac (temp_css addSIs2 [eexI]) 1]);
 25.1470 +Goalw [aall_def] "|- (AALL x. F x) --> F x";
 25.1471 +by (Clarsimp_tac 1);
 25.1472 +by (etac swap 1);
 25.1473 +by (force_tac (temp_css addSIs2 [eexI]) 1);
 25.1474 +qed "aallE";
 25.1475  
 25.1476  (* monotonicity of quantification *)
 25.1477 -qed_goal "eex_mono" TLA.thy
 25.1478 -  "[| sigma |= EEX x. F x; !!x. sigma |= F x --> G x |] ==> sigma |= EEX x. G x"
 25.1479 -  (fn [min,maj] => [rtac (unit_base RS (min RS eexE)) 1,
 25.1480 -                    rtac (temp_use eexI) 1,
 25.1481 -                    etac ((rewrite_rule intensional_rews maj) RS mp) 1
 25.1482 -                   ]);
 25.1483 +val [min,maj] = goal thy
 25.1484 +  "[| sigma |= EEX x. F x; !!x. sigma |= F x --> G x |] ==> sigma |= EEX x. G x";
 25.1485 +by (rtac (unit_base RS (min RS eexE)) 1);
 25.1486 +by (rtac (temp_use eexI) 1);
 25.1487 +by (etac ((rewrite_rule intensional_rews maj) RS mp) 1);
 25.1488 +qed "eex_mono";
 25.1489  
 25.1490 -qed_goal "aall_mono" TLA.thy
 25.1491 -  "[| sigma |= AALL x. F(x); !!x. sigma |= F(x) --> G(x) |] ==> sigma |= AALL x. G(x)"
 25.1492 -  (fn [min,maj] => [rtac (unit_base RS aallI) 1,
 25.1493 -                    rtac ((rewrite_rule intensional_rews maj) RS mp) 1,
 25.1494 -                    rtac (min RS (temp_use aallE)) 1
 25.1495 -                   ]);
 25.1496 +val [min,maj] = goal thy
 25.1497 +  "[| sigma |= AALL x. F(x); !!x. sigma |= F(x) --> G(x) |] ==> sigma |= AALL x. G(x)";
 25.1498 +by (rtac (unit_base RS aallI) 1);
 25.1499 +by (rtac ((rewrite_rule intensional_rews maj) RS mp) 1);
 25.1500 +by (rtac (min RS (temp_use aallE)) 1);
 25.1501 +qed "aall_mono";
 25.1502  
 25.1503  (* Derived history introduction rule *)
 25.1504 -qed_goal "historyI" TLA.thy
 25.1505 +val [p1,p2,p3,p4,p5] = goal thy
 25.1506    "[| sigma |= Init I; sigma |= []N; basevars vs; \
 25.1507  \     (!!h. basevars(h,vs) ==> |- I & h = ha --> HI h); \
 25.1508  \     (!!h s t. [| basevars(h,vs); N (s,t); h t = hb (h s) (s,t) |] ==> HN h (s,t)) \
 25.1509 -\  |] ==> sigma |= EEX h. Init (HI h) & [](HN h)" 
 25.1510 -  (fn [p1,p2,p3,p4,p5] 
 25.1511 -   => [rtac ((temp_use history) RS eexE) 1,
 25.1512 -       rtac p3 1,
 25.1513 -       rtac (temp_use eexI) 1,
 25.1514 -       Clarsimp_tac 1, rtac conjI 1,
 25.1515 -       cut_facts_tac [p2] 2,
 25.1516 -       merge_box_tac 2,
 25.1517 -       force_tac (temp_css addSEs2 [STL4E,p5]) 2,
 25.1518 -       cut_facts_tac [p1] 1,
 25.1519 -       force_tac (temp_css addsimps2 Init_defs addSEs2 [p4]) 1
 25.1520 -      ]);
 25.1521 +\  |] ==> sigma |= EEX h. Init (HI h) & [](HN h)";
 25.1522 +by (rtac ((temp_use history) RS eexE) 1);
 25.1523 + by (rtac p3 1);
 25.1524 +by (rtac (temp_use eexI) 1);
 25.1525 +by (Clarsimp_tac 1); 
 25.1526 +by (rtac conjI 1);
 25.1527 +by (cut_facts_tac [p2] 2);
 25.1528 +by (merge_box_tac 2);
 25.1529 +by (force_tac (temp_css addSEs2 [STL4E,p5]) 2);
 25.1530 +by (cut_facts_tac [p1] 1);
 25.1531 +by (force_tac (temp_css addsimps2 Init_defs addSEs2 [p4]) 1);
 25.1532 +qed "historyI";
 25.1533  
 25.1534  (* ----------------------------------------------------------------------
 25.1535     example of a history variable: existence of a clock
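Review bot: In `historyI` (25.1527–25.1531) the script discharges subgoal 2 before subgoal 1, which defeats the top-to-bottom reading that the unbatchified form is meant to give and also drops the one-space indentation this file uses to mark steps on a side goal (compare 25.1313 and 25.1358). Assuming the two conjuncts are independent, which the original order suggests, handling the `Init` conjunct first and then the box conjunct as the sole remaining goal reads more naturally. Separately, the header comment `(* Derived history introduction rule *)` could say what `ha` and `hb` are — from the premises, `ha` is the value the history variable equals in the initial state and `hb` computes its next value from its current value and the step — since the names alone do not convey that.
```sml
(* … unchanged: history/eexE, p3, eexI, Clarsimp_tac steps … *)
by (rtac conjI 1);
 by (cut_facts_tac [p1] 1);
 by (force_tac (temp_css addsimps2 Init_defs addSEs2 [p4]) 1);
by (cut_facts_tac [p2] 1);
by (merge_box_tac 1);
by (force_tac (temp_css addSEs2 [STL4E,p5]) 1);
qed "historyI";
```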
 25.1536 @@ -1022,4 +1067,3 @@
 25.1537  (** solved **)
 25.1538  
 25.1539  ---------------------------------------------------------------------- *)
 25.1540 -
    26.1 --- a/src/HOL/TLA/TLA.thy	Thu Aug 03 19:28:37 2000 +0200
    26.2 +++ b/src/HOL/TLA/TLA.thy	Thu Aug 03 19:29:03 2000 +0200
    26.3 @@ -81,7 +81,7 @@
    26.4    primeI     "|- []P --> Init P`"
    26.5    primeE     "|- [](Init P --> []F) --> Init P` --> (F --> []F)"
    26.6    indT       "|- [](Init P & ~[]F --> Init P` & F) --> Init P --> []F"
    26.7 -  allT       "|- (! x. [](F x)) = ([](! x. F x))"
    26.8 +  allT       "|- (ALL x. [](F x)) = ([](ALL x. F x))"
    26.9  
   26.10    necT       "|- F ==> |- []F"      (* polymorphic *)
   26.11