|
168
|
1 |
(* Title: HOL/IOA/example/Correctness.ML
|
|
|
2 |
ID: $Id$
|
|
|
3 |
Author: Tobias Nipkow & Konrad Slind
|
|
|
4 |
Copyright 1994 TU Muenchen
|
|
|
5 |
|
|
|
6 |
The main correctness proof: Impl implements Spec
|
|
|
7 |
*)
|
|
|
8 |
|
|
156
|
9 |
open Impl;
|
|
|
10 |
open Spec;
|
|
|
11 |
|
|
|
12 |
val hom_ss = impl_ss;
|
|
|
13 |
val hom_ioas = [Spec.ioa_def, Spec.trans_def,
|
|
|
14 |
Sender.sender_trans_def,Receiver.receiver_trans_def]
|
|
|
15 |
@ impl_ioas;
|
|
|
16 |
|
|
|
17 |
val hom_ss' = hom_ss addsimps hom_ioas;
|
|
|
18 |
|
|
|
19 |
val impl_asigs = [Sender.sender_asig_def,Receiver.receiver_asig_def,
|
|
|
20 |
Channels.srch_asig_def,Channels.rsch_asig_def];
|
|
|
21 |
|
|
|
22 |
(* A lemma about restricting the action signature of the implementation
|
|
|
23 |
* to that of the specification.
|
|
|
24 |
****************************)
|
|
|
25 |
goal Correctness.thy
|
|
|
26 |
"a:externals(asig_of(restrict(impl_ioa,externals(spec_sig)))) = \
|
|
|
27 |
\ (case a of \
|
|
|
28 |
\ S_msg(m) => True \
|
|
|
29 |
\ | R_msg(m) => True \
|
|
|
30 |
\ | S_pkt(pkt) => False \
|
|
|
31 |
\ | R_pkt(pkt) => False \
|
|
|
32 |
\ | S_ack(b) => False \
|
|
|
33 |
\ | R_ack(b) => False \
|
|
|
34 |
\ | C_m_s => False \
|
|
|
35 |
\ | C_m_r => False \
|
|
|
36 |
\ | C_r_s => False \
|
|
|
37 |
\ | C_r_r(m) => False)";
|
|
|
38 |
by(simp_tac (hom_ss addcongs [if_weak_cong]
|
|
168
|
39 |
addsimps ([externals_def, restrict_def, restrict_asig_def,
|
|
|
40 |
asig_of_par, asig_comp_def, Spec.sig_def] @
|
|
|
41 |
asig_projections @ impl_ioas @ impl_asigs)) 1);
|
|
|
42 |
by(Action.action.induct_tac "a" 1);
|
|
156
|
43 |
by(ALLGOALS(simp_tac (action_ss addsimps
|
|
168
|
44 |
(actions_def :: asig_projections @ set_lemmas))));
|
|
156
|
45 |
val externals_lemma = result();
|
|
|
46 |
|
|
|
47 |
|
|
|
48 |
val sels = [Sender.sbit_def, Sender.sq_def, Sender.ssending_def,
|
|
|
49 |
Receiver.rbit_def, Receiver.rq_def, Receiver.rsending_def];
|
|
|
50 |
|
|
|
51 |
(* Proof of correctness *)
|
|
|
52 |
goalw Correctness.thy [Spec.ioa_def, Solve.is_weak_pmap_def]
|
|
|
53 |
"is_weak_pmap(hom, restrict(impl_ioa,externals(spec_sig)), spec_ioa)";
|
|
|
54 |
by(simp_tac (hom_ss addsimps
|
|
|
55 |
(Correctness.hom_def::[cancel_restrict,externals_lemma])) 1);
|
|
|
56 |
br conjI 1;
|
|
|
57 |
by(simp_tac (hom_ss addsimps impl_ioas) 1);
|
|
|
58 |
br ballI 1;
|
|
|
59 |
bd CollectD 1;
|
|
|
60 |
by(asm_simp_tac (hom_ss addsimps sels) 1);
|
|
|
61 |
by(REPEAT(rtac allI 1));
|
|
|
62 |
br imp_conj_lemma 1; (* from lemmas.ML *)
|
|
|
63 |
by(Action.action.induct_tac "a" 1);
|
|
|
64 |
by(asm_simp_tac (hom_ss' setloop (split_tac [expand_if])) 1);
|
|
|
65 |
by(forward_tac [inv4] 1);
|
|
|
66 |
by(asm_full_simp_tac (hom_ss addsimps
|
|
|
67 |
[imp_ex_equiv,neq_Nil_conv,ex_all_equiv]) 1);
|
|
|
68 |
by(simp_tac hom_ss' 1);
|
|
|
69 |
by(simp_tac hom_ss' 1);
|
|
|
70 |
by(simp_tac hom_ss' 1);
|
|
|
71 |
by(simp_tac hom_ss' 1);
|
|
|
72 |
by(simp_tac hom_ss' 1);
|
|
|
73 |
by(simp_tac hom_ss' 1);
|
|
|
74 |
by(simp_tac hom_ss' 1);
|
|
|
75 |
|
|
|
76 |
by(asm_simp_tac hom_ss' 1);
|
|
|
77 |
by(forward_tac [inv4] 1);
|
|
|
78 |
by(forward_tac [inv2] 1);
|
|
|
79 |
be disjE 1;
|
|
|
80 |
by(asm_simp_tac hom_ss 1);
|
|
|
81 |
by(asm_full_simp_tac (hom_ss addsimps
|
|
|
82 |
[imp_ex_equiv,neq_Nil_conv,ex_all_equiv]) 1);
|
|
|
83 |
|
|
|
84 |
by(asm_simp_tac hom_ss' 1);
|
|
|
85 |
by(forward_tac [inv2] 1);
|
|
|
86 |
be disjE 1;
|
|
|
87 |
|
|
|
88 |
by(forward_tac [inv3] 1);
|
|
|
89 |
by(case_tac "sq(sen(s))=[]" 1);
|
|
|
90 |
|
|
|
91 |
by(asm_full_simp_tac hom_ss' 1);
|
|
|
92 |
by(fast_tac (HOL_cs addSDs [plus_leD1 RS leD]) 1);
|
|
|
93 |
|
|
|
94 |
by(case_tac "m = hd(sq(sen(s)))" 1);
|
|
|
95 |
|
|
|
96 |
by(asm_full_simp_tac (hom_ss addsimps
|
|
|
97 |
[imp_ex_equiv,neq_Nil_conv,ex_all_equiv]) 1);
|
|
|
98 |
|
|
|
99 |
by(asm_full_simp_tac hom_ss 1);
|
|
|
100 |
by(fast_tac (HOL_cs addSDs [plus_leD1 RS leD]) 1);
|
|
|
101 |
|
|
|
102 |
by(asm_full_simp_tac hom_ss 1);
|
|
|
103 |
result();
|