| author | wenzelm |
| Fri, 08 Mar 2002 16:24:06 +0100 | |
| changeset 13049 | ce180e5b7fa0 |
| parent 9517 | f58863b1406a |
| child 17309 | c43ed29bd197 |
| permissions | -rw-r--r-- |
| 3807 | 1 |
(* |
2 |
File: TLA/ex/inc/Inc.ML |
|
3 |
Author: Stephan Merz |
|
4 |
Copyright: 1997 University of Munich |
|
5 |
||
6 |
Proofs for the "increment" example from SRC79. |
|
7 |
*) |
|
8 |
||
9 |
val PsiInv_defs = [PsiInv_def,PsiInv1_def,PsiInv2_def,PsiInv3_def]; |
|
10 |
val Psi_defs = [Psi_def,InitPsi_def,N1_def,N2_def,alpha1_def,alpha2_def, |
|
11 |
beta1_def,beta2_def,gamma1_def,gamma2_def]; |
|
12 |
||
| 4089 | 13 |
val Inc_css = (claset(), simpset()); |
| 3807 | 14 |
|
15 |
(*** Invariant proof for Psi: "manual" proof proves individual lemmas ***) |
|
16 |
||
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
17 |
Goal "|- InitPsi --> PsiInv"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
18 |
by (auto_tac (Inc_css addsimps2 InitPsi_def::PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
19 |
qed "PsiInv_Init"; |
| 3807 | 20 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
21 |
Goal "|- alpha1 & $PsiInv --> PsiInv$"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
22 |
by (auto_tac (Inc_css addsimps2 alpha1_def::PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
23 |
qed "PsiInv_alpha1"; |
| 3807 | 24 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
25 |
Goal "|- alpha2 & $PsiInv --> PsiInv$"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
26 |
by (auto_tac (Inc_css addsimps2 alpha2_def::PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
27 |
qed "PsiInv_alpha2"; |
| 3807 | 28 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
29 |
Goal "|- beta1 & $PsiInv --> PsiInv$"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
30 |
by (auto_tac (Inc_css addsimps2 beta1_def::PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
31 |
qed "PsiInv_beta1"; |
| 3807 | 32 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
33 |
Goal "|- beta2 & $PsiInv --> PsiInv$"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
34 |
by (auto_tac (Inc_css addsimps2 beta2_def::PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
35 |
qed "PsiInv_beta2"; |
| 3807 | 36 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
37 |
Goal "|- gamma1 & $PsiInv --> PsiInv$"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
38 |
by (auto_tac (Inc_css addsimps2 gamma1_def::PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
39 |
qed "PsiInv_gamma1"; |
| 3807 | 40 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
41 |
Goal "|- gamma2 & $PsiInv --> PsiInv$"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
42 |
by (auto_tac (Inc_css addsimps2 gamma2_def::PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
43 |
qed "PsiInv_gamma2"; |
| 3807 | 44 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
45 |
Goal "|- unchanged (x,y,sem,pc1,pc2) & $PsiInv --> PsiInv$"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
46 |
by (auto_tac (Inc_css addsimps2 PsiInv_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
47 |
qed "PsiInv_stutter"; |
| 3807 | 48 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
49 |
Goal "|- Psi --> []PsiInv"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
50 |
by (inv_tac (Inc_css addsimps2 [Psi_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
51 |
by (force_tac (Inc_css addsimps2 [PsiInv_Init, Init_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
52 |
by (auto_tac (Inc_css |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
53 |
addIs2 [PsiInv_alpha1,PsiInv_alpha2,PsiInv_beta1, |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
54 |
PsiInv_beta2,PsiInv_gamma1,PsiInv_gamma2,PsiInv_stutter] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
55 |
addsimps2 [square_def,N1_def, N2_def])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
56 |
qed "PsiInv"; |
| 3807 | 57 |
|
58 |
(* Automatic proof works too, but it make take a while on a slow machine. |
|
| 6255 | 59 |
More realistic examples require user guidance anyway. |
| 3807 | 60 |
|
| 6255 | 61 |
Goal "|- Psi --> []PsiInv"; |
62 |
by (auto_inv_tac (simpset() addsimps PsiInv_defs @ Psi_defs) 1); |
|
| 3807 | 63 |
|
64 |
*) |
|
65 |
||
66 |
(**** Step simulation ****) |
|
67 |
||
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
68 |
Goal "|- Psi --> Init InitPhi"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
69 |
by (auto_tac (Inc_css addsimps2 [InitPhi_def,Psi_def,InitPsi_def,Init_def])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
70 |
qed "Init_sim"; |
| 3807 | 71 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
72 |
Goal "|- Psi --> [][M1 | M2]_(x,y)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
73 |
by (auto_tac (Inc_css addsimps2 [square_def,M1_def,M2_def] @ Psi_defs |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
74 |
addSEs2 [STL4E])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
75 |
qed "Step_sim"; |
| 3807 | 76 |
|
77 |
(**** Proof of fairness ****) |
|
78 |
||
79 |
(* |
|
80 |
The goal is to prove Fair_M1 far below, which asserts |
|
| 6255 | 81 |
|- Psi --> WF(M1)_(x,y) |
| 3807 | 82 |
(the other fairness condition is symmetrical). |
83 |
||
84 |
The strategy is to use WF2 (with beta1 as the helpful action). Proving its |
|
85 |
temporal premise needs two auxiliary lemmas: |
|
86 |
1. Stuck_at_b: control can only proceed at pc1 = b by executing beta1 |
|
87 |
2. N1_live: the first component will eventually reach b |
|
88 |
||
89 |
Lemma 1 is easy, lemma 2 relies on the invariant, the strong fairness |
|
90 |
of the semaphore, and needs auxiliary lemmas that ensure that the second |
|
91 |
component will eventually release the semaphore. Most of the proofs of |
|
92 |
the auxiliary lemmas are very similar. |
|
93 |
*) |
|
94 |
||
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
95 |
Goal "|- [][(N1 | N2) & ~ beta1]_(x,y,sem,pc1,pc2) --> stable(pc1 = #b)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
96 |
by (auto_tac (Inc_css addSEs2 [Stable,squareE] addsimps2 Psi_defs)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
97 |
qed "Stuck_at_b"; |
| 3807 | 98 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
99 |
Goal "|- pc1 = #g --> Enabled (<N1>_(x,y,sem,pc1,pc2))"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
100 |
by (Clarsimp_tac 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
101 |
by (res_inst_tac [("F","gamma1")] enabled_mono 1);
|
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
102 |
by (enabled_tac Inc_base 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
103 |
by (force_tac (Inc_css addsimps2 [gamma1_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
104 |
by (force_tac (Inc_css addsimps2 [angle_def,gamma1_def,N1_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
105 |
qed "N1_enabled_at_g"; |
| 3807 | 106 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
107 |
Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N1)_(x,y,sem,pc1,pc2) & []#True \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
108 |
\ --> (pc1 = #g ~> pc1 = #a)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
109 |
by (rtac SF1 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
110 |
by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
111 |
by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
112 |
(* reduce |- []A --> <>Enabled B to |- A --> Enabled B *) |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
113 |
by (auto_tac (Inc_css addSIs2 [InitDmd_gen, N1_enabled_at_g] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
114 |
addSDs2 [STL2_gen] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
115 |
addsimps2 [Init_def])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
116 |
qed "g1_leadsto_a1"; |
| 3807 | 117 |
|
118 |
(* symmetrical for N2, and similar for beta2 *) |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
119 |
Goal "|- pc2 = #g --> Enabled (<N2>_(x,y,sem,pc1,pc2))"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
120 |
by (Clarsimp_tac 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
121 |
by (res_inst_tac [("F","gamma2")] enabled_mono 1);
|
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
122 |
by (enabled_tac Inc_base 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
123 |
by (force_tac (Inc_css addsimps2 [gamma2_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
124 |
by (force_tac (Inc_css addsimps2 [angle_def,gamma2_def,N2_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
125 |
qed "N2_enabled_at_g"; |
| 3807 | 126 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
127 |
Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
128 |
\ --> (pc2 = #g ~> pc2 = #a)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
129 |
by (rtac SF1 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
130 |
by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
131 |
by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
132 |
by (auto_tac (Inc_css addSIs2 [InitDmd_gen, N2_enabled_at_g] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
133 |
addSDs2 [STL2_gen] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
134 |
addsimps2 [Init_def])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
135 |
qed "g2_leadsto_a2"; |
| 3807 | 136 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
137 |
Goal "|- pc2 = #b --> Enabled (<N2>_(x,y,sem,pc1,pc2))"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
138 |
by (Clarsimp_tac 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
139 |
by (res_inst_tac [("F","beta2")] enabled_mono 1);
|
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
140 |
by (enabled_tac Inc_base 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
141 |
by (force_tac (Inc_css addsimps2 [beta2_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
142 |
by (force_tac (Inc_css addsimps2 [angle_def,beta2_def,N2_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
143 |
qed "N2_enabled_at_b"; |
| 3807 | 144 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
145 |
Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
146 |
\ --> (pc2 = #b ~> pc2 = #g)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
147 |
by (rtac SF1 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
148 |
by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
149 |
by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
150 |
by (auto_tac (Inc_css addSIs2 [InitDmd_gen, N2_enabled_at_b] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
151 |
addSDs2 [STL2_gen] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
152 |
addsimps2 [Init_def])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
153 |
qed "b2_leadsto_g2"; |
| 3807 | 154 |
|
155 |
(* Combine above lemmas: the second component will eventually reach pc2 = a *) |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
156 |
Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
157 |
\ --> (pc2 = #a | pc2 = #b | pc2 = #g ~> pc2 = #a)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
158 |
by (auto_tac (Inc_css addSIs2 [LatticeDisjunctionIntro])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
159 |
by (rtac (temp_use LatticeReflexivity) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
160 |
by (rtac (temp_use LatticeTransitivity) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
161 |
by (auto_tac (Inc_css addSIs2 [b2_leadsto_g2,g2_leadsto_a2])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
162 |
qed "N2_leadsto_a"; |
| 3807 | 163 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
164 |
(* Get rid of disjunction on the left-hand side of ~> above. *) |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
165 |
Goal "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
166 |
\ --> <>(pc2 = #a)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
167 |
by (auto_tac (Inc_css addsimps2 Init_defs |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
168 |
addSIs2 [(temp_use N2_leadsto_a) |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
169 |
RSN(2, (temp_use leadsto_init))])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
170 |
by (case_tac "pc2 (st1 sigma)" 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
171 |
by Auto_tac; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
172 |
qed "N2_live"; |
| 3807 | 173 |
|
174 |
(* Now prove that the first component will eventually reach pc1 = b from pc1 = a *) |
|
175 |
||
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
176 |
Goal "|- pc2 = #a & (PsiInv & pc1 = #a) --> Enabled (<N1>_(x,y,sem,pc1,pc2))"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
177 |
by (Clarsimp_tac 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
178 |
by (res_inst_tac [("F","alpha1")] enabled_mono 1);
|
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
179 |
by (enabled_tac Inc_base 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
180 |
by (force_tac (Inc_css addsimps2 (alpha1_def::PsiInv_defs)) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
181 |
by (force_tac (Inc_css addsimps2 [angle_def,alpha1_def,N1_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
182 |
qed "N1_enabled_at_both_a"; |
| 3807 | 183 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
184 |
Goal "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2)) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
185 |
\ & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
186 |
\ --> (pc1 = #a ~> pc1 = #b)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
187 |
by (rtac SF1 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
188 |
by (action_simp_tac (simpset() addsimps Psi_defs) [] [squareE] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
189 |
by (action_simp_tac (simpset() addsimps angle_def::Psi_defs) [] [] 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
190 |
by (clarsimp_tac (Inc_css addSIs2 [N1_enabled_at_both_a RS (temp_use DmdImpl)]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
191 |
by (auto_tac (Inc_css addSIs2 [BoxDmd2_simple, N2_live] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
192 |
addsimps2 split_box_conj::more_temp_simps)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
193 |
qed "a1_leadsto_b1"; |
| 3807 | 194 |
|
195 |
(* Combine the leadsto properties for N1: it will arrive at pc1 = b *) |
|
196 |
||
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
197 |
Goal "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2)) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
198 |
\ & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
199 |
\ --> (pc1 = #b | pc1 = #g | pc1 = #a ~> pc1 = #b)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
200 |
by (auto_tac (Inc_css addSIs2 [LatticeDisjunctionIntro])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
201 |
by (rtac (temp_use LatticeReflexivity) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
202 |
by (rtac (temp_use LatticeTransitivity) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
203 |
by (auto_tac (Inc_css addSIs2 [a1_leadsto_b1,g1_leadsto_a1] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
204 |
addsimps2 [split_box_conj])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
205 |
qed "N1_leadsto_b"; |
| 3807 | 206 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
207 |
Goal "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2)) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
208 |
\ & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
209 |
\ --> <>(pc1 = #b)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
210 |
by (auto_tac (Inc_css addsimps2 Init_defs |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
211 |
addSIs2 [(temp_use N1_leadsto_b) |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
212 |
RSN(2, temp_use leadsto_init)])); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
213 |
by (case_tac "pc1 (st1 sigma)" 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
214 |
by Auto_tac; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
215 |
qed "N1_live"; |
| 3807 | 216 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
217 |
Goal "|- pc1 = #b --> Enabled (<N1>_(x,y,sem,pc1,pc2))"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
218 |
by (Clarsimp_tac 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
219 |
by (res_inst_tac [("F","beta1")] enabled_mono 1);
|
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
220 |
by (enabled_tac Inc_base 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
221 |
by (force_tac (Inc_css addsimps2 [beta1_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
222 |
by (force_tac (Inc_css addsimps2 [angle_def,beta1_def,N1_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
223 |
qed "N1_enabled_at_b"; |
| 3807 | 224 |
|
225 |
(* Now assemble the bits and pieces to prove that Psi is fair. *) |
|
226 |
||
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
227 |
Goal "|- []($PsiInv & [(N1 | N2)]_(x,y,sem,pc1,pc2)) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
228 |
\ & SF(N1)_(x,y,sem,pc1,pc2) & []SF(N2)_(x,y,sem,pc1,pc2) \ |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
229 |
\ --> SF(M1)_(x,y)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
230 |
by (res_inst_tac [("B","beta1"),("P","PRED pc1 = #b")] SF2 1);
|
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
231 |
(* action premises *) |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
232 |
by (force_tac (Inc_css addsimps2 [angle_def,M1_def,beta1_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
233 |
by (force_tac (Inc_css addsimps2 angle_def::Psi_defs) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
234 |
by (force_tac (Inc_css addSEs2 [N1_enabled_at_b]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
235 |
(* temporal premise: use previous lemmas and simple TL *) |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
236 |
by (force_tac (Inc_css addSIs2 [DmdStable, N1_live,Stuck_at_b] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
237 |
addEs2 [STL4E] addsimps2 [square_def]) 1); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
238 |
qed "Fair_M1_lemma"; |
| 5525 | 239 |
|
|
9517
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
240 |
Goal "|- Psi --> WF(M1)_(x,y)"; |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
241 |
by (auto_tac (Inc_css addSIs2 [SFImplWF, Fair_M1_lemma, PsiInv] |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
242 |
addsimps2 [Psi_def,split_box_conj]@more_temp_simps)); |
|
f58863b1406a
tuned version by Stephan Merz (unbatchified etc.);
wenzelm
parents:
8442
diff
changeset
|
243 |
qed "Fair_M1"; |