|
41589
|
1 |
(* Title: HOL/TLA/Buffer/Buffer.thy
|
|
|
2 |
Author: Stephan Merz, University of Munich
|
|
3807
|
3 |
*)
|
|
|
4 |
|
|
17309
|
5 |
header {* A simple FIFO buffer (synchronous communication, interleaving) *}
|
|
|
6 |
|
|
|
7 |
theory Buffer
|
|
|
8 |
imports TLA
|
|
|
9 |
begin
|
|
3807
|
10 |
|
|
|
11 |
consts
|
|
|
12 |
(* actions *)
|
|
6255
|
13 |
BInit :: "'a stfun => 'a list stfun => 'a stfun => stpred"
|
|
3807
|
14 |
Enq :: "'a stfun => 'a list stfun => 'a stfun => action"
|
|
|
15 |
Deq :: "'a stfun => 'a list stfun => 'a stfun => action"
|
|
|
16 |
Next :: "'a stfun => 'a list stfun => 'a stfun => action"
|
|
|
17 |
|
|
|
18 |
(* temporal formulas *)
|
|
|
19 |
IBuffer :: "'a stfun => 'a list stfun => 'a stfun => temporal"
|
|
|
20 |
Buffer :: "'a stfun => 'a stfun => temporal"
|
|
|
21 |
|
|
17309
|
22 |
defs
|
|
|
23 |
BInit_def: "BInit ic q oc == PRED q = #[]"
|
|
|
24 |
Enq_def: "Enq ic q oc == ACT (ic$ ~= $ic)
|
|
|
25 |
& (q$ = $q @ [ ic$ ])
|
|
6255
|
26 |
& (oc$ = $oc)"
|
|
17309
|
27 |
Deq_def: "Deq ic q oc == ACT ($q ~= #[])
|
|
6255
|
28 |
& (oc$ = hd< $q >)
|
|
|
29 |
& (q$ = tl< $q >)
|
|
|
30 |
& (ic$ = $ic)"
|
|
17309
|
31 |
Next_def: "Next ic q oc == ACT (Enq ic q oc | Deq ic q oc)"
|
|
|
32 |
IBuffer_def: "IBuffer ic q oc == TEMP Init (BInit ic q oc)
|
|
6255
|
33 |
& [][Next ic q oc]_(ic,q,oc)
|
|
|
34 |
& WF(Deq ic q oc)_(ic,q,oc)"
|
|
17309
|
35 |
Buffer_def: "Buffer ic oc == TEMP (EEX q. IBuffer ic q oc)"
|
|
3807
|
36 |
|
|
21624
|
37 |
|
|
|
38 |
(* ---------------------------- Data lemmas ---------------------------- *)
|
|
|
39 |
|
|
|
40 |
(*FIXME: move to theory List? Maybe as (tl xs = xs) = (xs = [])"?*)
|
|
|
41 |
lemma tl_not_self [simp]: "xs ~= [] ==> tl xs ~= xs"
|
|
|
42 |
by (auto simp: neq_Nil_conv)
|
|
|
43 |
|
|
|
44 |
|
|
|
45 |
(* ---------------------------- Action lemmas ---------------------------- *)
|
|
|
46 |
|
|
|
47 |
(* Dequeue is visible *)
|
|
|
48 |
lemma Deq_visible: "|- <Deq ic q oc>_(ic,q,oc) = Deq ic q oc"
|
|
|
49 |
apply (unfold angle_def Deq_def)
|
|
|
50 |
apply (safe, simp (asm_lr))+
|
|
|
51 |
done
|
|
|
52 |
|
|
|
53 |
(* Enabling condition for dequeue -- NOT NEEDED *)
|
|
|
54 |
lemma Deq_enabled:
|
|
|
55 |
"!!q. basevars (ic,q,oc) ==> |- Enabled (<Deq ic q oc>_(ic,q,oc)) = (q ~= #[])"
|
|
|
56 |
apply (unfold Deq_visible [temp_rewrite])
|
|
|
57 |
apply (force elim!: base_enabled [temp_use] enabledE [temp_use] simp: Deq_def)
|
|
|
58 |
done
|
|
|
59 |
|
|
|
60 |
(* For the left-to-right implication, we don't need the base variable stuff *)
|
|
|
61 |
lemma Deq_enabledE:
|
|
|
62 |
"|- Enabled (<Deq ic q oc>_(ic,q,oc)) --> (q ~= #[])"
|
|
|
63 |
apply (unfold Deq_visible [temp_rewrite])
|
|
|
64 |
apply (auto elim!: enabledE simp add: Deq_def)
|
|
|
65 |
done
|
|
3807
|
66 |
|
|
17309
|
67 |
end
|