src/HOL/UNITY/Simple/Token.thy
author wenzelm
Sun Nov 02 18:21:45 2014 +0100 (2014-11-02)
changeset 58889 5b7a9633cfa8
parent 58310 91ea607a34d8
child 63146 f1ecba0272f9
permissions -rw-r--r--
modernized header uniformly as section;
wenzelm@37936
     1
(*  Title:      HOL/UNITY/Simple/Token.thy
paulson@11195
     2
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
paulson@11195
     3
    Copyright   1998  University of Cambridge
paulson@11195
     4
*)
paulson@11195
     5
paulson@11195
     6
wenzelm@58889
     7
section {*The Token Ring*}
paulson@15618
     8
paulson@15618
     9
theory Token
paulson@15618
    10
imports "../WFair"
paulson@15618
    11
paulson@15618
    12
begin
paulson@11195
    13
paulson@15618
    14
text{*From Misra, "A Logic for Concurrent Programming" (1994), sections 5.2 and 13.2.*}
paulson@15618
    15
paulson@15618
    16
subsection{*Definitions*}
paulson@15618
    17
blanchet@58310
    18
datatype pstate = Hungry | Eating | Thinking
paulson@15618
    19
    --{*process states*}
paulson@11195
    20
paulson@11195
    21
record state =
paulson@13785
    22
  token :: "nat"
paulson@13785
    23
  proc  :: "nat => pstate"
paulson@11195
    24
paulson@11195
    25
haftmann@35416
    26
definition HasTok :: "nat => state set" where
paulson@11195
    27
    "HasTok i == {s. token s = i}"
paulson@11195
    28
haftmann@35416
    29
definition H :: "nat => state set" where
paulson@11195
    30
    "H i == {s. proc s i = Hungry}"
paulson@11195
    31
haftmann@35416
    32
definition E :: "nat => state set" where
paulson@11195
    33
    "E i == {s. proc s i = Eating}"
paulson@11195
    34
haftmann@35416
    35
definition T :: "nat => state set" where
paulson@11195
    36
    "T i == {s. proc s i = Thinking}"
paulson@11195
    37
paulson@11195
    38
paulson@11195
    39
locale Token =
paulson@13785
    40
  fixes N and F and nodeOrder and "next"   
paulson@13785
    41
  defines nodeOrder_def:
paulson@15618
    42
       "nodeOrder j == measure(%i. ((j+N)-i) mod N) \<inter> {..<N} \<times> {..<N}"
paulson@13785
    43
      and next_def:
paulson@13785
    44
       "next i == (Suc i) mod N"
paulson@13785
    45
  assumes N_positive [iff]: "0<N"
paulson@13806
    46
      and TR2:  "F \<in> (T i) co (T i \<union> H i)"
paulson@13806
    47
      and TR3:  "F \<in> (H i) co (H i \<union> E i)"
paulson@13806
    48
      and TR4:  "F \<in> (H i - HasTok i) co (H i)"
paulson@13806
    49
      and TR5:  "F \<in> (HasTok i) co (HasTok i \<union> -(E i))"
paulson@13806
    50
      and TR6:  "F \<in> (H i \<inter> HasTok i) leadsTo (E i)"
paulson@13806
    51
      and TR7:  "F \<in> (HasTok i) leadsTo (HasTok (next i))"
paulson@13785
    52
paulson@13785
    53
paulson@13806
    54
lemma HasToK_partition: "[| s \<in> HasTok i; s \<in> HasTok j |] ==> i=j"
paulson@13785
    55
by (unfold HasTok_def, auto)
paulson@11195
    56
paulson@13806
    57
lemma not_E_eq: "(s \<notin> E i) = (s \<in> H i | s \<in> T i)"
paulson@13785
    58
apply (simp add: H_def E_def T_def)
wenzelm@46911
    59
apply (cases "proc s i", auto)
paulson@13785
    60
done
paulson@11195
    61
wenzelm@46912
    62
context Token
wenzelm@46912
    63
begin
wenzelm@46912
    64
wenzelm@46912
    65
lemma token_stable: "F \<in> stable (-(E i) \<union> (HasTok i))"
paulson@13785
    66
apply (unfold stable_def)
paulson@13785
    67
apply (rule constrains_weaken)
paulson@13785
    68
apply (rule constrains_Un [OF constrains_Un [OF TR2 TR4] TR5])
paulson@13785
    69
apply (auto simp add: not_E_eq)
paulson@13785
    70
apply (simp_all add: H_def E_def T_def)
paulson@13785
    71
done
paulson@11195
    72
paulson@13785
    73
paulson@15618
    74
subsection{*Progress under Weak Fairness*}
paulson@13785
    75
wenzelm@46912
    76
lemma wf_nodeOrder: "wf(nodeOrder j)"
paulson@13785
    77
apply (unfold nodeOrder_def)
paulson@15618
    78
apply (rule wf_measure [THEN wf_subset], blast)
paulson@13785
    79
done
paulson@11195
    80
wenzelm@46912
    81
lemma nodeOrder_eq: 
paulson@13806
    82
     "[| i<N; j<N |] ==> ((next i, i) \<in> nodeOrder j) = (i \<noteq> j)"
krauss@19769
    83
apply (unfold nodeOrder_def next_def)
paulson@13785
    84
apply (auto simp add: mod_Suc mod_geq)
paulson@13785
    85
apply (auto split add: nat_diff_split simp add: linorder_neq_iff mod_geq)
paulson@13785
    86
done
paulson@11195
    87
paulson@15618
    88
text{*From "A Logic for Concurrent Programming", but not used in Chapter 4.
wenzelm@46911
    89
  Note the use of @{text cases}.  Reasoning about leadsTo takes practice!*}
wenzelm@46912
    90
lemma TR7_nodeOrder:
paulson@13785
    91
     "[| i<N; j<N |] ==>    
paulson@13806
    92
      F \<in> (HasTok i) leadsTo ({s. (token s, i) \<in> nodeOrder j} \<union> HasTok j)"
wenzelm@46911
    93
apply (cases "i=j")
paulson@13785
    94
apply (blast intro: subset_imp_leadsTo)
paulson@13785
    95
apply (rule TR7 [THEN leadsTo_weaken_R])
paulson@13785
    96
apply (auto simp add: HasTok_def nodeOrder_eq)
paulson@13785
    97
done
paulson@11195
    98
paulson@13785
    99
paulson@15618
   100
text{*Chapter 4 variant, the one actually used below.*}
wenzelm@46912
   101
lemma TR7_aux: "[| i<N; j<N; i\<noteq>j |]     
paulson@13806
   102
      ==> F \<in> (HasTok i) leadsTo {s. (token s, i) \<in> nodeOrder j}"
paulson@13785
   103
apply (rule TR7 [THEN leadsTo_weaken_R])
paulson@13785
   104
apply (auto simp add: HasTok_def nodeOrder_eq)
paulson@13785
   105
done
paulson@11195
   106
wenzelm@46912
   107
lemma token_lemma:
paulson@13806
   108
     "({s. token s < N} \<inter> token -` {m}) = (if m<N then token -` {m} else {})"
paulson@13785
   109
by auto
paulson@13785
   110
paulson@11195
   111
paulson@15618
   112
text{*Misra's TR9: the token reaches an arbitrary node*}
wenzelm@46912
   113
lemma leadsTo_j: "j<N ==> F \<in> {s. token s < N} leadsTo (HasTok j)"
paulson@13785
   114
apply (rule leadsTo_weaken_R)
paulson@13785
   115
apply (rule_tac I = "-{j}" and f = token and B = "{}" 
paulson@13785
   116
       in wf_nodeOrder [THEN bounded_induct])
paulson@13785
   117
apply (simp_all (no_asm_simp) add: token_lemma vimage_Diff HasTok_def)
paulson@13785
   118
 prefer 2 apply blast
paulson@13785
   119
apply clarify
paulson@13785
   120
apply (rule TR7_aux [THEN leadsTo_weaken])
paulson@13785
   121
apply (auto simp add: HasTok_def nodeOrder_def)
paulson@13785
   122
done
paulson@13785
   123
paulson@15618
   124
text{*Misra's TR8: a hungry process eventually eats*}
wenzelm@46912
   125
lemma token_progress:
paulson@13806
   126
     "j<N ==> F \<in> ({s. token s < N} \<inter> H j) leadsTo (E j)"
paulson@13785
   127
apply (rule leadsTo_cancel1 [THEN leadsTo_Un_duplicate])
paulson@13785
   128
apply (rule_tac [2] TR6)
paulson@13785
   129
apply (rule psp [OF leadsTo_j TR3, THEN leadsTo_weaken], blast+)
paulson@13785
   130
done
paulson@13785
   131
wenzelm@46912
   132
end
paulson@11195
   133
paulson@11195
   134
end