|
11479
|
1 |
(* Title: ZF/UNITY/Mutex.thy
|
|
|
2 |
ID: $Id$
|
|
|
3 |
Author: Sidi O Ehmety, Computer Laboratory
|
|
|
4 |
Copyright 2001 University of Cambridge
|
|
|
5 |
|
|
|
6 |
Based on "A Family of 2-Process Mutual Exclusion Algorithms" by J Misra
|
|
|
7 |
|
|
12195
|
8 |
Variables' types are introduced globally so that type verification
|
|
|
9 |
reduces to the usual ZF typechecking: an ill-tyed expressions reduce to the empty set.
|
|
11479
|
10 |
*)
|
|
|
11 |
|
|
|
12 |
Mutex = SubstAx +
|
|
|
13 |
consts
|
|
|
14 |
p, m, n, u, v :: i
|
|
|
15 |
|
|
|
16 |
translations
|
|
14046
|
17 |
"p" == "Var([0])"
|
|
|
18 |
"m" == "Var([1])"
|
|
|
19 |
"n" == "Var([0,0])"
|
|
|
20 |
"u" == "Var([0,1])"
|
|
|
21 |
"v" == "Var([1,0])"
|
|
11479
|
22 |
|
|
|
23 |
rules (** Type declarations **)
|
|
14046
|
24 |
p_type "type_of(p)=bool & default_val(p)=0"
|
|
|
25 |
m_type "type_of(m)=int & default_val(m)=#0"
|
|
|
26 |
n_type "type_of(n)=int & default_val(n)=#0"
|
|
|
27 |
u_type "type_of(u)=bool & default_val(u)=0"
|
|
|
28 |
v_type "type_of(v)=bool & default_val(v)=0"
|
|
11479
|
29 |
|
|
|
30 |
constdefs
|
|
|
31 |
(** The program for process U **)
|
|
|
32 |
U0 :: i
|
|
|
33 |
"U0 == {<s,t>:state*state. t = s(u:=1, m:=#1) & s`m = #0}"
|
|
|
34 |
|
|
|
35 |
U1 :: i
|
|
|
36 |
"U1 == {<s,t>:state*state. t = s(p:= s`v, m:=#2) & s`m = #1}"
|
|
|
37 |
|
|
|
38 |
U2 :: i
|
|
|
39 |
"U2 == {<s,t>:state*state. t = s(m:=#3) & s`p=0 & s`m = #2}"
|
|
|
40 |
|
|
|
41 |
U3 :: i
|
|
|
42 |
"U3 == {<s,t>:state*state. t=s(u:=0, m:=#4) & s`m = #3}"
|
|
|
43 |
|
|
|
44 |
U4 :: i
|
|
|
45 |
"U4 == {<s,t>:state*state. t = s(p:=1, m:=#0) & s`m = #4}"
|
|
|
46 |
|
|
|
47 |
|
|
|
48 |
(** The program for process V **)
|
|
|
49 |
|
|
|
50 |
V0 :: i
|
|
|
51 |
"V0 == {<s,t>:state*state. t = s (v:=1, n:=#1) & s`n = #0}"
|
|
|
52 |
|
|
|
53 |
V1 :: i
|
|
|
54 |
"V1 == {<s,t>:state*state. t = s(p:=not(s`u), n:=#2) & s`n = #1}"
|
|
|
55 |
|
|
|
56 |
V2 :: i
|
|
|
57 |
"V2 == {<s,t>:state*state. t = s(n:=#3) & s`p=1 & s`n = #2}"
|
|
|
58 |
|
|
|
59 |
V3 :: i
|
|
|
60 |
"V3 == {<s,t>:state*state. t = s (v:=0, n:=#4) & s`n = #3}"
|
|
|
61 |
|
|
|
62 |
V4 :: i
|
|
|
63 |
"V4 == {<s,t>:state*state. t = s (p:=0, n:=#0) & s`n = #4}"
|
|
|
64 |
|
|
|
65 |
Mutex :: i
|
|
|
66 |
"Mutex == mk_program({s:state. s`u=0 & s`v=0 & s`m = #0 & s`n = #0},
|
|
14046
|
67 |
{U0, U1, U2, U3, U4, V0, V1, V2, V3, V4}, Pow(state*state))"
|
|
11479
|
68 |
|
|
|
69 |
(** The correct invariants **)
|
|
|
70 |
|
|
|
71 |
IU :: i
|
|
|
72 |
"IU == {s:state. (s`u = 1<->(#1 $<= s`m & s`m $<= #3))
|
|
|
73 |
& (s`m = #3 --> s`p=0)}"
|
|
|
74 |
|
|
|
75 |
IV :: i
|
|
|
76 |
"IV == {s:state. (s`v = 1 <-> (#1 $<= s`n & s`n $<= #3))
|
|
|
77 |
& (s`n = #3 --> s`p=1)}"
|
|
|
78 |
|
|
|
79 |
(** The faulty invariant (for U alone) **)
|
|
|
80 |
|
|
|
81 |
bad_IU :: i
|
|
|
82 |
"bad_IU == {s:state. (s`u = 1 <-> (#1 $<= s`m & s`m $<= #3))&
|
|
|
83 |
(#3 $<= s`m & s`m $<= #4 --> s`p=0)}"
|
|
|
84 |
|
|
|
85 |
end |