|
3807
|
1 |
(*
|
|
|
2 |
File: DBuffer.thy
|
|
17309
|
3 |
ID: $Id$
|
|
3807
|
4 |
Author: Stephan Merz
|
|
|
5 |
Copyright: 1997 University of Munich
|
|
|
6 |
*)
|
|
|
7 |
|
|
17309
|
8 |
header {* Two FIFO buffers in a row, with interleaving assumption *}
|
|
|
9 |
|
|
|
10 |
theory DBuffer
|
|
|
11 |
imports Buffer
|
|
|
12 |
begin
|
|
3807
|
13 |
|
|
|
14 |
consts
|
|
|
15 |
(* implementation variables *)
|
|
17309
|
16 |
inp :: "nat stfun"
|
|
|
17 |
mid :: "nat stfun"
|
|
|
18 |
out :: "nat stfun"
|
|
|
19 |
q1 :: "nat list stfun"
|
|
|
20 |
q2 :: "nat list stfun"
|
|
|
21 |
qc :: "nat list stfun"
|
|
3807
|
22 |
|
|
17309
|
23 |
DBInit :: stpred
|
|
|
24 |
DBEnq :: action
|
|
|
25 |
DBDeq :: action
|
|
|
26 |
DBPass :: action
|
|
|
27 |
DBNext :: action
|
|
|
28 |
DBuffer :: temporal
|
|
3807
|
29 |
|
|
17309
|
30 |
axioms
|
|
|
31 |
DB_base: "basevars (inp,mid,out,q1,q2)"
|
|
3807
|
32 |
|
|
|
33 |
(* the concatenation of the two buffers *)
|
|
17309
|
34 |
qc_def: "PRED qc == PRED (q2 @ q1)"
|
|
3807
|
35 |
|
|
17309
|
36 |
DBInit_def: "DBInit == PRED (BInit inp q1 mid & BInit mid q2 out)"
|
|
|
37 |
DBEnq_def: "DBEnq == ACT Enq inp q1 mid & unchanged (q2,out)"
|
|
|
38 |
DBDeq_def: "DBDeq == ACT Deq mid q2 out & unchanged (inp,q1)"
|
|
|
39 |
DBPass_def: "DBPass == ACT Deq inp q1 mid
|
|
6255
|
40 |
& (q2$ = $q2 @ [ mid$ ])
|
|
|
41 |
& (out$ = $out)"
|
|
17309
|
42 |
DBNext_def: "DBNext == ACT (DBEnq | DBDeq | DBPass)"
|
|
|
43 |
DBuffer_def: "DBuffer == TEMP Init DBInit
|
|
6255
|
44 |
& [][DBNext]_(inp,mid,out,q1,q2)
|
|
|
45 |
& WF(DBDeq)_(inp,mid,out,q1,q2)
|
|
|
46 |
& WF(DBPass)_(inp,mid,out,q1,q2)"
|
|
3807
|
47 |
|
|
21624
|
48 |
|
|
|
49 |
declare qc_def [simp]
|
|
|
50 |
|
|
|
51 |
lemmas db_defs =
|
|
|
52 |
BInit_def Enq_def Deq_def Next_def IBuffer_def Buffer_def
|
|
|
53 |
DBInit_def DBEnq_def DBDeq_def DBPass_def DBNext_def DBuffer_def
|
|
|
54 |
|
|
|
55 |
|
|
|
56 |
(*** Proper initialization ***)
|
|
|
57 |
lemma DBInit: "|- Init DBInit --> Init (BInit inp qc out)"
|
|
|
58 |
by (auto simp: Init_def DBInit_def BInit_def)
|
|
|
59 |
|
|
|
60 |
|
|
|
61 |
(*** Step simulation ***)
|
|
|
62 |
lemma DB_step_simulation: "|- [DBNext]_(inp,mid,out,q1,q2) --> [Next inp qc out]_(inp,qc,out)"
|
|
|
63 |
apply (rule square_simulation)
|
|
|
64 |
apply clarsimp
|
|
|
65 |
apply (tactic
|
|
|
66 |
{* action_simp_tac (simpset () addsimps (thm "hd_append" :: thms "db_defs")) [] [] 1 *})
|
|
|
67 |
done
|
|
|
68 |
|
|
|
69 |
|
|
|
70 |
(*** Simulation of fairness ***)
|
|
|
71 |
|
|
|
72 |
(* Compute enabledness predicates for DBDeq and DBPass actions *)
|
|
|
73 |
lemma DBDeq_visible: "|- <DBDeq>_(inp,mid,out,q1,q2) = DBDeq"
|
|
|
74 |
apply (unfold angle_def DBDeq_def Deq_def)
|
|
|
75 |
apply (safe, simp (asm_lr))+
|
|
|
76 |
done
|
|
|
77 |
|
|
|
78 |
lemma DBDeq_enabled:
|
|
|
79 |
"|- Enabled (<DBDeq>_(inp,mid,out,q1,q2)) = (q2 ~= #[])"
|
|
|
80 |
apply (unfold DBDeq_visible [action_rewrite])
|
|
|
81 |
apply (force intro!: DB_base [THEN base_enabled, temp_use]
|
|
|
82 |
elim!: enabledE simp: angle_def DBDeq_def Deq_def)
|
|
|
83 |
done
|
|
|
84 |
|
|
|
85 |
lemma DBPass_visible: "|- <DBPass>_(inp,mid,out,q1,q2) = DBPass"
|
|
|
86 |
by (auto simp: angle_def DBPass_def Deq_def)
|
|
|
87 |
|
|
|
88 |
lemma DBPass_enabled:
|
|
|
89 |
"|- Enabled (<DBPass>_(inp,mid,out,q1,q2)) = (q1 ~= #[])"
|
|
|
90 |
apply (unfold DBPass_visible [action_rewrite])
|
|
|
91 |
apply (force intro!: DB_base [THEN base_enabled, temp_use]
|
|
|
92 |
elim!: enabledE simp: angle_def DBPass_def Deq_def)
|
|
|
93 |
done
|
|
|
94 |
|
|
|
95 |
|
|
|
96 |
(* The plan for proving weak fairness at the higher level is to prove
|
|
|
97 |
(0) DBuffer => (Enabled (Deq inp qc out) ~> (Deq inp qc out))
|
|
|
98 |
which is in turn reduced to the two leadsto conditions
|
|
|
99 |
(1) DBuffer => (Enabled (Deq inp qc out) ~> q2 ~= [])
|
|
|
100 |
(2) DBuffer => (q2 ~= [] ~> DBDeq)
|
|
|
101 |
and the fact that DBDeq implies <Deq inp qc out>_(inp,qc,out)
|
|
|
102 |
(and therefore DBDeq ~> <Deq inp qc out>_(inp,qc,out) trivially holds).
|
|
17309
|
103 |
|
|
21624
|
104 |
Condition (1) is reduced to
|
|
|
105 |
(1a) DBuffer => (qc ~= [] /\ q2 = [] ~> q2 ~= [])
|
|
|
106 |
by standard leadsto rules (leadsto_classical) and rule Deq_enabledE.
|
|
|
107 |
|
|
|
108 |
Both (1a) and (2) are proved from DBuffer's WF conditions by standard
|
|
|
109 |
WF reasoning (Lamport's WF1 and WF_leadsto).
|
|
|
110 |
The condition WF(Deq inp qc out) follows from (0) by rule leadsto_WF.
|
|
|
111 |
|
|
|
112 |
One could use Lamport's WF2 instead.
|
|
|
113 |
*)
|
|
|
114 |
|
|
|
115 |
(* Condition (1a) *)
|
|
|
116 |
lemma DBFair_1a: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)
|
|
|
117 |
--> (qc ~= #[] & q2 = #[] ~> q2 ~= #[])"
|
|
|
118 |
apply (rule WF1)
|
|
|
119 |
apply (force simp: db_defs)
|
|
|
120 |
apply (force simp: angle_def DBPass_def)
|
|
|
121 |
apply (force simp: DBPass_enabled [temp_use])
|
|
|
122 |
done
|
|
|
123 |
|
|
|
124 |
(* Condition (1) *)
|
|
|
125 |
lemma DBFair_1: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)
|
|
|
126 |
--> (Enabled (<Deq inp qc out>_(inp,qc,out)) ~> q2 ~= #[])"
|
|
|
127 |
apply clarsimp
|
|
|
128 |
apply (rule leadsto_classical [temp_use])
|
|
|
129 |
apply (rule DBFair_1a [temp_use, THEN LatticeTransitivity [temp_use]])
|
|
|
130 |
apply assumption+
|
|
|
131 |
apply (rule ImplLeadsto_gen [temp_use])
|
|
|
132 |
apply (force intro!: necT [temp_use] dest!: STL2_gen [temp_use] Deq_enabledE [temp_use]
|
|
|
133 |
simp add: Init_defs)
|
|
|
134 |
done
|
|
|
135 |
|
|
|
136 |
(* Condition (2) *)
|
|
|
137 |
lemma DBFair_2: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBDeq)_(inp,mid,out,q1,q2)
|
|
|
138 |
--> (q2 ~= #[] ~> DBDeq)"
|
|
|
139 |
apply (rule WF_leadsto)
|
|
|
140 |
apply (force simp: DBDeq_enabled [temp_use])
|
|
|
141 |
apply (force simp: angle_def)
|
|
|
142 |
apply (force simp: db_defs elim!: Stable [temp_use])
|
|
|
143 |
done
|
|
|
144 |
|
|
|
145 |
(* High-level fairness *)
|
|
|
146 |
lemma DBFair: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)
|
|
|
147 |
& WF(DBDeq)_(inp,mid,out,q1,q2)
|
|
|
148 |
--> WF(Deq inp qc out)_(inp,qc,out)"
|
|
|
149 |
apply (auto simp del: qc_def intro!: leadsto_WF [temp_use]
|
|
|
150 |
DBFair_1 [temp_use, THEN [2] LatticeTransitivity [temp_use]]
|
|
|
151 |
DBFair_2 [temp_use, THEN [2] LatticeTransitivity [temp_use]])
|
|
|
152 |
apply (auto intro!: ImplLeadsto_simple [temp_use]
|
|
|
153 |
simp: angle_def DBDeq_def Deq_def hd_append [try_rewrite])
|
|
|
154 |
done
|
|
|
155 |
|
|
|
156 |
(*** Main theorem ***)
|
|
|
157 |
lemma DBuffer_impl_Buffer: "|- DBuffer --> Buffer inp out"
|
|
|
158 |
apply (unfold DBuffer_def Buffer_def IBuffer_def)
|
|
|
159 |
apply (force intro!: eexI [temp_use] DBInit [temp_use]
|
|
|
160 |
DB_step_simulation [THEN STL4, temp_use] DBFair [temp_use])
|
|
|
161 |
done
|
|
|
162 |
|
|
|
163 |
end
|