src/HOL/TLA/Memory/MemoryImplementation.thy
author blanchet
Wed, 15 Sep 2010 18:51:48 +0200
changeset 39427 a28be69dcb68
parent 39159 0dec18004e75
child 41589 bbd861837ebc
permissions -rw-r--r--
update comment
(*
    File:        MemoryImplementation.thy
    ID:          $Id$
    Author:      Stephan Merz
    Copyright:   1997 University of Munich
*)
header {* RPC-Memory example: Memory implementation *}
theory MemoryImplementation
imports Memory RPC MemClerk
begin
datatype histState = histA | histB
  (* value of the per-process history variable: HInit starts it at histA,
     HNext switches it to histB on a memory return or an RPC failure and
     back to histA on a clerk reply (see HInit and HNext below) *)
types
  histType  = "(PrIds => histState) stfun"     (* the type of the history variable *)
consts
  (* the specification *)
     (* channel (external) *)
  memCh         :: "memChType"
     (* internal variables *)
  mm            :: "memType"
  (* the state variables of the implementation *)
     (* channels *)
  (* same interface channel memCh *)
  crCh          :: "rpcSndChType"
  rmCh          :: "rpcRcvChType"
     (* internal variables *)
  (* identity refinement mapping for mm -- simply reused *)
  rst           :: "rpcStType"
  cst           :: "mClkStType"
  ires          :: "resType"
definition
  (* auxiliary predicates *)
  MVOKBARF      :: "Vals => bool"
  where "MVOKBARF v <-> (v : MemVal) | (v = OK) | (v = BadArg) | (v = RPCFailure)"
definition
  MVOKBA        :: "Vals => bool"
  where "MVOKBA v <-> (v : MemVal) | (v = OK) | (v = BadArg)"
definition
  MVNROKBA      :: "Vals => bool"
  where "MVNROKBA v <-> (v : MemVal) | (v = NotAResult) | (v = OK) | (v = BadArg)"
definition
  (* tuples of state functions changed by the various components *)
  e             :: "PrIds => (bit * memOp) stfun"
  where "e p = PRED (caller memCh!p)"
definition
  c             :: "PrIds => (mClkState * (bit * Vals) * (bit * rpcOp)) stfun"
  where "c p = PRED (cst!p, rtrner memCh!p, caller crCh!p)"
definition
  r             :: "PrIds => (rpcState * (bit * Vals) * (bit * memOp)) stfun"
  where "r p = PRED (rst!p, rtrner crCh!p, caller rmCh!p)"
definition
  m             :: "PrIds => ((bit * Vals) * Vals) stfun"
  where "m p = PRED (rtrner rmCh!p, ires!p)"
definition
  (* the environment action *)
  ENext         :: "PrIds => action"
  where "ENext p = ACT (? l. #l : #MemLoc & Call memCh p #(read l))"
definition
  (* specification of the history variable *)
  HInit         :: "histType => PrIds => stpred"
  where "HInit rmhist p = PRED rmhist!p = #histA"
definition
  HNext         :: "histType => PrIds => action"
  where "HNext rmhist p = ACT (rmhist!p)$ =
                     (if (MemReturn rmCh ires p | RPCFail crCh rmCh rst p)
                      then #histB
                      else if (MClkReply memCh crCh cst p)
                           then #histA
                           else $(rmhist!p))"
definition
  HistP         :: "histType => PrIds => temporal"
  where "HistP rmhist p = (TEMP Init HInit rmhist p
                           & [][HNext rmhist p]_(c p,r p,m p, rmhist!p))"
definition
  Hist          :: "histType => temporal"
  where "Hist rmhist = TEMP (ALL p. HistP rmhist p)"
definition
  (* the implementation *)
  IPImp          :: "PrIds => temporal"
  where "IPImp p = (TEMP (  Init ~Calling memCh p & [][ENext p]_(e p)
                       & MClkIPSpec memCh crCh cst p
                       & RPCIPSpec crCh rmCh rst p
                       & RPSpec rmCh mm ires p
                       & (ALL l. #l : #MemLoc --> MSpec rmCh mm ires l)))"
definition
  ImpInit        :: "PrIds => stpred"
  where "ImpInit p = PRED (  ~Calling memCh p
                          & MClkInit crCh cst p
                          & RPCInit rmCh rst p
                          & PInit ires p)"
definition
  ImpNext        :: "PrIds => action"
  where "ImpNext p = (ACT  [ENext p]_(e p)
                       & [MClkNext memCh crCh cst p]_(c p)
                       & [RPCNext crCh rmCh rst p]_(r p)
                       & [RNext rmCh mm ires p]_(m p))"
definition
  ImpLive        :: "PrIds => temporal"
  where "ImpLive p = (TEMP  WF(MClkFwd memCh crCh cst p)_(c p)
                        & SF(MClkReply memCh crCh cst p)_(c p)
                        & WF(RPCNext crCh rmCh rst p)_(r p)
                        & WF(RNext rmCh mm ires p)_(m p)
                        & WF(MemReturn rmCh ires p)_(m p))"
definition
  Implementation :: "temporal"
  where "Implementation = (TEMP ( (ALL p. Init (~Calling memCh p) & [][ENext p]_(e p))
                               & MClkISpec memCh crCh cst
                               & RPCISpec crCh rmCh rst
                               & IRSpec rmCh mm ires))"
definition
  (* the predicate S describes the states of the implementation.
     slight simplification: S takes two "histState" parameters instead of a
     (one- or two-element) set.
     NB: The second conjunct of the definition in the paper is taken care of by
     the type definitions. The last conjunct is asserted separately as the memory
     invariant MemInv, proved in Memory.thy. *)
  S :: "histType => bool => bool => bool => mClkState => rpcState => histState => histState => PrIds => stpred"
  where "S rmhist ecalling ccalling rcalling cs rs hs1 hs2 p = (PRED
                Calling memCh p = #ecalling
              & Calling crCh p  = #ccalling
              & (#ccalling --> arg<crCh!p> = MClkRelayArg<arg<memCh!p>>)
              & (~ #ccalling & cst!p = #clkB --> MVOKBARF<res<crCh!p>>)
              & Calling rmCh p  = #rcalling
              & (#rcalling --> arg<rmCh!p> = RPCRelayArg<arg<crCh!p>>)
              & (~ #rcalling --> ires!p = #NotAResult)
              & (~ #rcalling & rst!p = #rpcB --> MVOKBA<res<rmCh!p>>)
              & cst!p = #cs
              & rst!p = #rs
              & (rmhist!p = #hs1 | rmhist!p = #hs2)
              & MVNROKBA<ires!p>)"
definition
  (* predicates S1 -- S6 define special instances of S *)
  S1            :: "histType => PrIds => stpred"
  where "S1 rmhist p = S rmhist False False False clkA rpcA histA histA p"
definition
  S2            :: "histType => PrIds => stpred"
  where "S2 rmhist p = S rmhist True False False clkA rpcA histA histA p"
definition
  S3            :: "histType => PrIds => stpred"
  where "S3 rmhist p = S rmhist True True False clkB rpcA histA histB p"
definition
  S4            :: "histType => PrIds => stpred"
  where "S4 rmhist p = S rmhist True True True clkB rpcB histA histB p"
definition
  S5            :: "histType => PrIds => stpred"
  where "S5 rmhist p = S rmhist True True False clkB rpcB histB histB p"
definition
  S6            :: "histType => PrIds => stpred"
  where "S6 rmhist p = S rmhist True False False clkB rpcA histB histB p"
definition
  (* The invariant asserts that the system is always in one of S1 - S6, for every p *)
  ImpInv         :: "histType => PrIds => stpred"
  where "ImpInv rmhist p = (PRED (S1 rmhist p | S2 rmhist p | S3 rmhist p
                                | S4 rmhist p | S5 rmhist p | S6 rmhist p))"
definition
  resbar        :: "histType => resType"        (* refinement mapping *)
  where"resbar rmhist s p =
                  (if (S1 rmhist p s | S2 rmhist p s)
                   then ires s p
                   else if S3 rmhist p s
                   then if rmhist s p = histA
                        then ires s p else MemFailure
                   else if S4 rmhist p s
                   then if (rmhist s p = histB & ires s p = NotAResult)
                        then MemFailure else ires s p
                   else if S5 rmhist p s
                   then res (rmCh s p)
                   else if S6 rmhist p s
                   then if res (crCh s p) = RPCFailure
                        then MemFailure else res (crCh s p)
                   else NotAResult)" (* dummy value *)
axiomatization where
  (* the "base" variables: everything except resbar and hist (for any index) *)
  MI_base:       "basevars (caller memCh!p,
                           (rtrner memCh!p, caller crCh!p, cst!p),
                           (rtrner crCh!p, caller rmCh!p, rst!p),
                           (mm!l, rtrner rmCh!p, ires!p))"
(*
    The main theorem is theorem "Implementation" at the end of this file,
    which shows that the composition of a reliable memory, an RPC component, and
    a memory clerk implements an unreliable memory. The files "MIsafe.thy" and
    "MIlive.thy" contain lower-level lemmas for the safety and liveness parts.
    Steps are (roughly) numbered as in the hand proof.
*)
(* --------------------------- automatic prover --------------------------- *)
declare if_weak_cong [cong del]
ML {* val MI_css = (@{claset}, @{simpset}) *}
(* A more aggressive variant that tries to solve subgoals by assumption
   or contradiction during the simplification.
   THIS IS UNSAFE, BECAUSE IT DOESN'T RECORD THE CHOICES!!
   (but it can be a lot faster than MI_css)
*)
ML {*
val MI_fast_css =
  let
    val (cs,ss) = MI_css
  in
    (cs addSEs [temp_use @{thm squareE}],
      ss addSSolver (mk_solver "" (fn thms => assume_tac ORELSE' (etac notE))))
  end;
val temp_elim = make_elim o temp_use;
*}
(****************************** The history variable ******************************)
section "History variable"
lemma HistoryLemma: "|- Init(ALL p. ImpInit p) & [](ALL p. ImpNext p)
         --> (EEX rmhist. Init(ALL p. HInit rmhist p)
                          & [](ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))"
  apply clarsimp
  apply (rule historyI)
      apply assumption+
  apply (rule MI_base)
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm HInit_def}]) [] [] 1 *})
   apply (erule fun_cong)
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm HNext_def}])
    [@{thm busy_squareI}] [] 1 *})
  apply (erule fun_cong)
  done
lemma History: "|- Implementation --> (EEX rmhist. Hist rmhist)"
  apply clarsimp
  apply (rule HistoryLemma [temp_use, THEN eex_mono])
    prefer 3
    apply (force simp: Hist_def HistP_def Init_def all_box [try_rewrite]
      split_box_conj [try_rewrite])
   apply (auto simp: Implementation_def MClkISpec_def RPCISpec_def
     IRSpec_def MClkIPSpec_def RPCIPSpec_def RPSpec_def ImpInit_def
     Init_def ImpNext_def c_def r_def m_def all_box [temp_use] split_box_conj [temp_use])
  done
(******************************** The safety part *********************************)
section "The safety part"
(* ------------------------- Include lower-level lemmas ------------------------- *)
(* RPCFailure notin MemVals U {OK,BadArg} *)
lemma MVOKBAnotRF: "MVOKBA x ==> x ~= RPCFailure"
  apply (unfold MVOKBA_def)
  apply auto
  done
(* NotAResult notin MemVals U {OK,BadArg,RPCFailure} *)
lemma MVOKBARFnotNR: "MVOKBARF x ==> x ~= NotAResult"
  apply (unfold MVOKBARF_def)
  apply auto
  done
(* ================ Si's are mutually exclusive ================================ *)
(* Si and Sj are mutually exclusive for i ~= j. This helps to simplify the big
   conditional in the definition of resbar when doing the step-simulation proof.
   We prove a weaker result, which suffices for our purposes:
   Si implies (not Sj), for j<i.
*)
(* --- not used ---
Goal "|- S1 rmhist p --> S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p &
                         ~S4 rmhist p & ~S5 rmhist p & ~S6 rmhist p"
by (auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def,
                                S3_def, S4_def, S5_def, S6_def]));
qed "S1_excl";
*)
lemma S2_excl: "|- S2 rmhist p --> S2 rmhist p & ~S1 rmhist p"
  by (auto simp: S_def S1_def S2_def)
lemma S3_excl: "|- S3 rmhist p --> S3 rmhist p & ~S1 rmhist p & ~S2 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def)
lemma S4_excl: "|- S4 rmhist p --> S4 rmhist p & ~S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def S4_def)
lemma S5_excl: "|- S5 rmhist p --> S5 rmhist p & ~S1 rmhist p & ~S2 rmhist p
                         & ~S3 rmhist p & ~S4 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def)
lemma S6_excl: "|- S6 rmhist p --> S6 rmhist p & ~S1 rmhist p & ~S2 rmhist p
                         & ~S3 rmhist p & ~S4 rmhist p & ~S5 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def)
(* ==================== Lemmas about the environment ============================== *)
lemma Envbusy: "|- $(Calling memCh p) --> ~ENext p"
  by (auto simp: ENext_def Call_def)
(* ==================== Lemmas about the implementation's states ==================== *)
(* The following series of lemmas is used in establishing the implementation's
   next-state relation (Step 1.2 of the proof in the paper). For each state Si, we
   determine which component actions are possible and what state they result in.
*)
(* ------------------------------ State S1 ---------------------------------------- *)
lemma S1Env: "|- ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p)
         --> (S2 rmhist p)$"
  by (force simp: ENext_def Call_def c_def r_def m_def
    caller_def rtrner_def MVNROKBA_def S_def S1_def S2_def Calling_def)
lemma S1ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) --> unchanged (c p)"
  by (tactic {* auto_tac (MI_fast_css addSDs2 [temp_use @{thm MClkidle}]
    addsimps2 [@{thm S_def}, @{thm S1_def}]) *})
lemma S1RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) --> unchanged (r p)"
  by (tactic {* auto_tac (MI_fast_css addSDs2 [temp_use @{thm RPCidle}]
    addsimps2 [@{thm S_def}, @{thm S1_def}]) *})
lemma S1MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) --> unchanged (m p)"
  by (tactic {* auto_tac (MI_fast_css addSDs2 [temp_use @{thm Memoryidle}]
    addsimps2 [@{thm S_def}, @{thm S1_def}]) *})
lemma S1Hist: "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p)
         --> unchanged (rmhist!p)"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm HNext_def}, @{thm S_def},
    @{thm S1_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def},
    @{thm Return_def}]) [] [temp_use @{thm squareE}] 1 *})
(* ------------------------------ State S2 ---------------------------------------- *)
lemma S2EnvUnch: "|- [ENext p]_(e p) & $(S2 rmhist p) --> unchanged (e p)"
  by (auto dest!: Envbusy [temp_use] simp: S_def S2_def)
lemma S2Clerk: "|- MClkNext memCh crCh cst p & $(S2 rmhist p) --> MClkFwd memCh crCh cst p"
  by (auto simp: MClkNext_def MClkRetry_def MClkReply_def S_def S2_def)
lemma S2Forward: "|- $(S2 rmhist p) & MClkFwd memCh crCh cst p
         & unchanged (e p, r p, m p, rmhist!p)
         --> (S3 rmhist p)$"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm MClkFwd_def},
    @{thm Call_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def},
    @{thm rtrner_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *})
lemma S2RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) --> unchanged (r p)"
  by (auto simp: S_def S2_def dest!: RPCidle [temp_use])
lemma S2MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) --> unchanged (m p)"
  by (auto simp: S_def S2_def dest!: Memoryidle [temp_use])
lemma S2Hist: "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p)
         --> unchanged (rmhist!p)"
  by (tactic {* auto_tac (MI_fast_css addsimps2 [@{thm HNext_def}, @{thm MemReturn_def},
    @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm S_def}, @{thm S2_def}]) *})
(* ------------------------------ State S3 ---------------------------------------- *)
lemma S3EnvUnch: "|- [ENext p]_(e p) & $(S3 rmhist p) --> unchanged (e p)"
  by (auto dest!: Envbusy [temp_use] simp: S_def S3_def)
lemma S3ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) --> unchanged (c p)"
  by (auto dest!: MClkbusy [temp_use] simp: square_def S_def S3_def)
lemma S3LegalRcvArg: "|- S3 rmhist p --> IsLegalRcvArg<arg<crCh!p>>"
  by (auto simp: IsLegalRcvArg_def MClkRelayArg_def S_def S3_def)
lemma S3RPC: "|- RPCNext crCh rmCh rst p & $(S3 rmhist p)
         --> RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p"
  apply clarsimp
  apply (frule S3LegalRcvArg [action_use])
  apply (auto simp: RPCNext_def RPCReject_def RPCReply_def S_def S3_def)
  done
lemma S3Forward: "|- RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p)
         & unchanged (e p, c p, m p)
         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm RPCFwd_def},
    @{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def},
    @{thm MClkReply_def}, @{thm Return_def}, @{thm Call_def}, @{thm e_def},
    @{thm c_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
    @{thm S3_def}, @{thm S4_def}, @{thm Calling_def}]) [] [] 1 *})
lemma S3Fail: "|- RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p
         & unchanged (e p, c p, m p)
         --> (S6 rmhist p)$"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm HNext_def},
    @{thm RPCFail_def}, @{thm Return_def}, @{thm e_def}, @{thm c_def},
    @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm MVOKBARF_def},
    @{thm S_def}, @{thm S3_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
lemma S3MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) --> unchanged (m p)"
  by (auto simp: S_def S3_def dest!: Memoryidle [temp_use])
lemma S3Hist: "|- HNext rmhist p & $(S3 rmhist p) & unchanged (r p) --> unchanged (rmhist!p)"
  by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
    Return_def r_def rtrner_def S_def S3_def Calling_def)
(* ------------------------------ State S4 ---------------------------------------- *)
lemma S4EnvUnch: "|- [ENext p]_(e p) & $(S4 rmhist p) --> unchanged (e p)"
  by (auto simp: S_def S4_def dest!: Envbusy [temp_use])
lemma S4ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) --> unchanged (c p)"
  by (auto simp: S_def S4_def dest!: MClkbusy [temp_use])
lemma S4RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) --> unchanged (r p)"
  by (tactic {* auto_tac (MI_fast_css addsimps2 [@{thm S_def}, @{thm S4_def}]
    addSDs2 [temp_use @{thm RPCbusy}]) *})
lemma S4ReadInner: "|- ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
         & HNext rmhist p & $(MemInv mm l)
         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ReadInner_def},
    @{thm GoodRead_def}, @{thm BadRead_def}, @{thm HNext_def}, @{thm MemReturn_def},
    @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def},
    @{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def},
    @{thm MVNROKBA_def}, @{thm S_def}, @{thm S4_def}, @{thm RdRequest_def},
    @{thm Calling_def}, @{thm MemInv_def}]) [] [] 1 *})
lemma S4Read: "|- Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p)
         & HNext rmhist p & (!l. $MemInv mm l)
         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  by (auto simp: Read_def dest!: S4ReadInner [temp_use])
lemma S4WriteInner: "|- WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p)           & HNext rmhist p
         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm WriteInner_def},
    @{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm HNext_def}, @{thm MemReturn_def},
    @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def},
    @{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def}, @{thm MVNROKBA_def},
    @{thm S_def}, @{thm S4_def}, @{thm WrRequest_def}, @{thm Calling_def}]) [] [] 1 *})
lemma S4Write: "|- Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
         & (HNext rmhist p)
         --> (S4 rmhist p)$ & unchanged (rmhist!p)"
  by (auto simp: Write_def dest!: S4WriteInner [temp_use])
lemma WriteS4: "|- $ImpInv rmhist p & Write rmCh mm ires p l --> $S4 rmhist p"
  by (auto simp: Write_def WriteInner_def ImpInv_def
    WrRequest_def S_def S1_def S2_def S3_def S4_def S5_def S6_def)
lemma S4Return: "|- MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p)
         & HNext rmhist p
         --> (S5 rmhist p)$"
  by (auto simp: HNext_def MemReturn_def Return_def e_def c_def r_def
6f79647cf536 TLA: converted legacy ML scripts;
wenzelm
parents: 17309
diff changeset
   483
    rtrner_def caller_def MVNROKBA_def MVOKBA_def S_def S4_def S5_def Calling_def)
(* In S4 the history variable rmhist!p is left unchanged by a history
   step whenever the memory variable m p is unchanged. *)
lemma S4Hist: "|- HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) --> (rmhist!p)$ = $(rmhist!p)"
  by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
    Return_def m_def rtrner_def S_def S4_def Calling_def)
(* ------------------------------ State S5 ---------------------------------------- *)
(* In S5 an environment step [ENext p]_(e p) leaves e p unchanged;
   discharged by Envbusy (proved earlier in the theory). *)
lemma S5EnvUnch: "|- [ENext p]_(e p) & $(S5 rmhist p) --> unchanged (e p)"
  by (auto simp: S_def S5_def dest!: Envbusy [temp_use])
(* In S5 a clerk step [MClkNext ...]_(c p) leaves c p unchanged;
   discharged by MClkbusy (proved earlier in the theory). *)
lemma S5ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) --> unchanged (c p)"
  by (auto simp: S_def S5_def dest!: MClkbusy [temp_use])
(* In S5 an RPC step can only be RPCReply or RPCFail: the remaining
   disjuncts of RPCNext (RPCReject, RPCFwd) are refuted by unfolding. *)
lemma S5RPC: "|- RPCNext crCh rmCh rst p & $(S5 rmhist p)
         --> RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p"
  by (auto simp: RPCNext_def RPCReject_def RPCFwd_def S_def S5_def)
(* An RPCReply step in S5, with e p, c p, m p and the history unchanged,
   moves the system to S6. *)
lemma S5Reply: "|- RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
       --> (S6 rmhist p)$"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm RPCReply_def},
    @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm MVOKBA_def},
    @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
    @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
(* An RPCFail step in S5, with e p, c p, m p and the history unchanged,
   also moves the system to S6 (companion of S5Reply). *)
lemma S5Fail: "|- RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
         --> (S6 rmhist p)$"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm RPCFail_def},
    @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def},
    @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def},
    @{thm S_def}, @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
(* In S5 a memory step [RNext ...]_(m p) leaves m p unchanged;
   discharged by Memoryidle (proved earlier in the theory). *)
lemma S5MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) --> unchanged (m p)"
  by (auto simp: S_def S5_def dest!: Memoryidle [temp_use])
(* In S5 a (possibly stuttering) history step leaves rmhist!p unchanged. *)
lemma S5Hist: "|- [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p)
         --> (rmhist!p)$ = $(rmhist!p)"
  by (tactic {* auto_tac (MI_fast_css addsimps2 [@{thm HNext_def},
    @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def},
    @{thm S_def}, @{thm S5_def}]) *})
(* ------------------------------ State S6 ---------------------------------------- *)
(* In S6 an environment step [ENext p]_(e p) leaves e p unchanged;
   same argument as S5EnvUnch, via Envbusy. *)
lemma S6EnvUnch: "|- [ENext p]_(e p) & $(S6 rmhist p) --> unchanged (e p)"
  by (auto simp: S_def S6_def dest!: Envbusy [temp_use])
(* In S6 a clerk step can only be MClkRetry or MClkReply: the MClkFwd
   disjunct of MClkNext is refuted by unfolding. *)
lemma S6Clerk: "|- MClkNext memCh crCh cst p & $(S6 rmhist p)
         --> MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p"
  by (auto simp: MClkNext_def MClkFwd_def S_def S6_def)
(* An MClkRetry step in S6, with e p, r p and m p unchanged and the
   history step taken, moves the system back to S3 and leaves the
   history variable unchanged. *)
lemma S6Retry: "|- MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p
         & unchanged (e p,r p,m p)
         --> (S3 rmhist p)$ & unchanged (rmhist!p)"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm HNext_def},
    @{thm MClkReply_def}, @{thm MClkRetry_def}, @{thm Call_def}, @{thm Return_def},
    @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
    @{thm S_def}, @{thm S6_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *})
(* An MClkReply step in S6, with e p, r p and m p unchanged and the
   history step taken, completes the cycle and returns to S1. *)
lemma S6Reply: "|- MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p
         & unchanged (e p,r p,m p)
         --> (S1 rmhist p)$"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm HNext_def},
    @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm Return_def}, @{thm MClkReply_def},
    @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
    @{thm S_def}, @{thm S6_def}, @{thm S1_def}, @{thm Calling_def}]) [] [] 1 *})
(* In S6 an RPC step [RPCNext ...]_(r p) leaves r p unchanged;
   discharged by RPCidle (proved earlier in the theory). *)
lemma S6RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p --> unchanged (r p)"
  by (auto simp: S_def S6_def dest!: RPCidle [temp_use])
(* In S6 a memory step [RNext ...]_(m p) leaves m p unchanged;
   same argument as S5MemUnch, via Memoryidle. *)
lemma S6MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) --> unchanged (m p)"
  by (auto simp: S_def S6_def dest!: Memoryidle [temp_use])
(* In S6 the history variable rmhist!p is left unchanged by a history
   step whenever the clerk variable c p is unchanged. *)
lemma S6Hist: "|- HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) --> (rmhist!p)$ = $(rmhist!p)"
  by (auto simp: HNext_def MClkReply_def Return_def c_def rtrner_def S_def S6_def Calling_def)
section "Correctness of predicate-action diagram"
(* ========== Step 1.1 ================================================= *)
(* The implementation's initial condition implies the state predicate S1 *)
(* Step 1.1: the implementation's initial condition ImpInit together with
   the initial condition HInit of the history variable establish the
   state predicate S1. *)
lemma Step1_1: "|- ImpInit p & HInit rmhist p --> S1 rmhist p"
  by (tactic {* auto_tac (MI_fast_css addsimps2 [@{thm MVNROKBA_def},
    @{thm MClkInit_def}, @{thm RPCInit_def}, @{thm PInit_def}, @{thm HInit_def},
    @{thm ImpInit_def}, @{thm S_def}, @{thm S1_def}]) *})
(* ========== Step 1.2 ================================================== *)
(* Figure 16 is a predicate-action diagram for the implementation. *)
(* Step 1.2, state S1: a non-stuttering implementation step (together with
   the history step) taken in S1 is an environment step ENext p, leads to
   S2 and leaves c p, r p and m p unchanged.  The S1*Unch lemmas are used
   as elimination rules for the other components, S1Env then supplies
   the environment step and the successor state. *)
lemma Step1_2_1: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
         & ~unchanged (e p, c p, r p, m p, rmhist!p)  & $S1 rmhist p
         --> (S2 rmhist p)$ & ENext p & unchanged (c p, r p, m p)"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ImpNext_def}]) []
      (map temp_elim [@{thm S1ClerkUnch}, @{thm S1RPCUnch}, @{thm S1MemUnch}, @{thm S1Hist}]) 1 *})
   apply (tactic {* auto_tac (MI_fast_css addSIs2 [temp_use @{thm S1Env}]) *})
  done
(* Step 1.2, state S2: a non-stuttering implementation step taken in S2 is
   the clerk forwarding action MClkFwd, leads to S3 and leaves e p, r p,
   m p and the history unchanged.  The S2*Unch lemmas are used as
   elimination rules, S2Clerk and S2Forward as introduction rules. *)
lemma Step1_2_2: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
         & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S2 rmhist p
         --> (S3 rmhist p)$ & MClkFwd memCh crCh cst p
             & unchanged (e p, r p, m p, rmhist!p)"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ImpNext_def}]) []
    (map temp_elim [@{thm S2EnvUnch}, @{thm S2RPCUnch}, @{thm S2MemUnch}, @{thm S2Hist}]) 1 *})
   apply (tactic {* auto_tac (MI_fast_css addSIs2 [temp_use @{thm S2Clerk},
     temp_use @{thm S2Forward}]) *})
  done
(* Step 1.2, state S3: a non-stuttering implementation step taken in S3 is
   an RPC step, which either forwards the call (RPCFwd, leading to S4 with
   the history unchanged) or fails (RPCFail, leading to S6).  squareE
   splits the boxed history step; S3Hist settles the history variable. *)
lemma Step1_2_3: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
         & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S3 rmhist p
         --> ((S4 rmhist p)$ & RPCFwd crCh rmCh rst p & unchanged (e p, c p, m p, rmhist!p))
             | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ImpNext_def}]) []
    (map temp_elim [@{thm S3EnvUnch}, @{thm S3ClerkUnch}, @{thm S3MemUnch}]) 1 *})
  apply (tactic {* action_simp_tac @{simpset} []
    (@{thm squareE} :: map temp_elim [@{thm S3RPC}, @{thm S3Forward}, @{thm S3Fail}]) 1 *})
   apply (auto dest!: S3Hist [temp_use])
  done
(* Step 1.2, state S4: a non-stuttering implementation step taken in S4 is
   a memory step, namely a Read (staying in S4), a Write to some location
   l (staying in S4), or a MemReturn (leading to S5).  The memory
   invariant MemInv is assumed for every location l; it is needed by the
   S4Read case.  S4Hist settles the history variable in the two S4 cases. *)
lemma Step1_2_4: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
              & ~unchanged (e p, c p, r p, m p, rmhist!p)
              & $S4 rmhist p & (!l. $(MemInv mm l))
         --> ((S4 rmhist p)$ & Read rmCh mm ires p & unchanged (e p, c p, r p, rmhist!p))
             | ((S4 rmhist p)$ & (? l. Write rmCh mm ires p l) & unchanged (e p, c p, r p, rmhist!p))
             | ((S5 rmhist p)$ & MemReturn rmCh ires p & unchanged (e p, c p, r p))"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ImpNext_def}]) []
    (map temp_elim [@{thm S4EnvUnch}, @{thm S4ClerkUnch}, @{thm S4RPCUnch}]) 1 *})
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm RNext_def}]) []
    (@{thm squareE} :: map temp_elim [@{thm S4Read}, @{thm S4Write}, @{thm S4Return}]) 1 *})
  apply (auto dest!: S4Hist [temp_use])
  done
(* Step 1.2, state S5: a non-stuttering implementation step taken in S5 is
   an RPC reply or an RPC failure, and either leads to S6.  S5RPC narrows
   the RPC step to these two cases, S5Reply and S5Fail give the successor
   state. *)
lemma Step1_2_5: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
              & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S5 rmhist p
         --> ((S6 rmhist p)$ & RPCReply crCh rmCh rst p & unchanged (e p, c p, m p))
             | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ImpNext_def}]) []
    (map temp_elim [@{thm S5EnvUnch}, @{thm S5ClerkUnch}, @{thm S5MemUnch}, @{thm S5Hist}]) 1 *})
  apply (tactic {* action_simp_tac @{simpset} [] [@{thm squareE}, temp_elim @{thm S5RPC}] 1 *})
   apply (tactic {* auto_tac (MI_fast_css addSDs2
     [temp_use @{thm S5Reply}, temp_use @{thm S5Fail}]) *})
  done
(* Step 1.2, state S6: a non-stuttering implementation step taken in S6 is
   a clerk step, either MClkReply (back to S1) or MClkRetry (back to S3,
   history unchanged).  S6Clerk narrows the clerk step to these two cases;
   S6Hist is used (non-destructively) for the history variable. *)
lemma Step1_2_6: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
              & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S6 rmhist p
         --> ((S1 rmhist p)$ & MClkReply memCh crCh cst p & unchanged (e p, r p, m p))
             | ((S3 rmhist p)$ & MClkRetry memCh crCh cst p & unchanged (e p,r p,m p,rmhist!p))"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ImpNext_def}]) []
    (map temp_elim [@{thm S6EnvUnch}, @{thm S6RPCUnch}, @{thm S6MemUnch}]) 1 *})
  apply (tactic {* action_simp_tac @{simpset} []
    (@{thm squareE} :: map temp_elim [@{thm S6Clerk}, @{thm S6Retry}, @{thm S6Reply}]) 1 *})
     apply (auto dest: S6Hist [temp_use])
  done
(* --------------------------------------------------------------------------
   Step 1.3: S1 implies the barred initial condition.
*)
section "Initialization (Step 1.3)"
(* Step 1.3: state S1 implies the specification's initial condition PInit,
   with the result variable replaced by the refinement mapping resbar. *)
lemma Step1_3: "|- S1 rmhist p --> PInit (resbar rmhist) p"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm resbar_def},
    @{thm PInit_def}, @{thm S_def}, @{thm S1_def}]) [] [] 1 *})
(* ----------------------------------------------------------------------
   Step 1.4: Implementation's next-state relation simulates specification's
             next-state relation (with appropriate substitutions)
*)
section "Step simulation (Step 1.4)"
(* Step 1.4, transition S1 -> S2 (environment step ENext p with c p, r p
   and m p unchanged): the specification's variables rtrner memCh!p and
   resbar rmhist!p are unchanged, i.e. this is a stuttering step of the
   specification. *)
lemma Step1_4_1: "|- ENext p & $S1 rmhist p & (S2 rmhist p)$ & unchanged (c p, r p, m p)
         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  by (tactic {* auto_tac (MI_fast_css addsimps2 [@{thm c_def}, @{thm r_def},
    @{thm m_def}, @{thm resbar_def}]) *})
(* Step 1.4, transition S2 -> S3 (clerk forwarding step MClkFwd with e p,
   r p, m p and the history unchanged): again a stuttering step of the
   specification, rtrner memCh!p and resbar rmhist!p are unchanged. *)
lemma Step1_4_2: "|- MClkFwd memCh crCh cst p & $S2 rmhist p & (S3 rmhist p)$
         & unchanged (e p, r p, m p, rmhist!p)
         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  by (tactic {* action_simp_tac
    (@{simpset} addsimps [@{thm MClkFwd_def}, @{thm e_def}, @{thm r_def}, @{thm m_def},
    @{thm resbar_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}]) [] [] 1 *})
(* Step 1.4, transition S3 -> S4 (RPC forwarding step RPCFwd with e p, c p,
   m p and the history unchanged): a stuttering step of the specification.
   The exclusivity lemmas S3_excl and S4_excl (proved earlier) are used to
   discard the other state predicates before simplifying. *)
lemma Step1_4_3a: "|- RPCFwd crCh rmCh rst p & $S3 rmhist p & (S4 rmhist p)$
         & unchanged (e p, c p, m p, rmhist!p)
         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (drule S3_excl [temp_use] S4_excl [temp_use])+
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm e_def},
    @{thm c_def}, @{thm m_def}, @{thm resbar_def}, @{thm S_def}, @{thm S3_def}]) [] [] 1 *})
  done
(* Step 1.4, transition S3 -> S6 (RPC failure RPCFail with e p, c p and
   m p unchanged): simulates the specification's MemFail action under the
   refinement mapping resbar.  S6_excl discards the other state predicates
   for the successor state. *)
lemma Step1_4_3b: "|- RPCFail crCh rmCh rst p & $S3 rmhist p & (S6 rmhist p)$
         & unchanged (e p, c p, m p)
         --> MemFail memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S6_excl [temp_use])
  apply (auto simp: RPCFail_def MemFail_def e_def c_def m_def resbar_def)
    apply (force simp: S3_def S_def)
   apply (auto simp: Return_def)
  done
(* Step 1.4, transition S4 -> S4 by a read of location l: a ReadInner
   step of the implementation memory, with e p, c p, r p and the history
   unchanged and the memory invariant MemInv mm l holding, simulates a
   ReadInner step of the specification under the refinement mapping.
   S4_excl discards the other state predicates; the remaining goals
   (good vs. bad read) are closed by unfolding the relay-argument and
   request definitions together with MemInv. *)
lemma Step1_4_4a1: "|- $S4 rmhist p & (S4 rmhist p)$ & ReadInner rmCh mm ires p l
         & unchanged (e p, c p, r p, rmhist!p) & $MemInv mm l
         --> ReadInner memCh mm (resbar rmhist) p l"
  apply clarsimp
  apply (drule S4_excl [temp_use])+
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm ReadInner_def},
    @{thm GoodRead_def}, @{thm BadRead_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}]) [] [] 1 *})
     apply (auto simp: resbar_def)
       apply (tactic {* ALLGOALS (action_simp_tac
                (@{simpset} addsimps [@{thm RPCRelayArg_def}, @{thm MClkRelayArg_def},
                  @{thm S_def}, @{thm S4_def}, @{thm RdRequest_def}, @{thm MemInv_def}])
                [] [@{thm impE}, @{thm MemValNotAResultE}]) *})
  done
(* Lifts Step1_4_4a1 from ReadInner at a fixed location to the Read
   action: a Read step of the implementation in S4 (memory invariant
   holding for all locations) simulates a Read step of the specification. *)
lemma Step1_4_4a: "|- Read rmCh mm ires p & $S4 rmhist p & (S4 rmhist p)$
         & unchanged (e p, c p, r p, rmhist!p) & (!l. $(MemInv mm l))
         --> Read memCh mm (resbar rmhist) p"
  by (force simp: Read_def elim!: Step1_4_4a1 [temp_use])
(* Step 1.4, transition S4 -> S4 by a write of value v to location l: a
   WriteInner step of the implementation memory, with e p, c p, r p and
   the history unchanged, simulates a WriteInner step of the specification
   under the refinement mapping.  Unlike the read case no memory invariant
   is needed.  S4_excl discards the other state predicates; the remaining
   goals (good vs. bad write) are closed by unfolding the relay-argument
   and request definitions. *)
lemma Step1_4_4b1: "|- $S4 rmhist p & (S4 rmhist p)$ & WriteInner rmCh mm ires p l v
         & unchanged (e p, c p, r p, rmhist!p)
         --> WriteInner memCh mm (resbar rmhist) p l v"
  apply clarsimp
  apply (drule S4_excl [temp_use])+
  apply (tactic {* action_simp_tac (@{simpset} addsimps
    [@{thm WriteInner_def}, @{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm e_def},
    @{thm c_def}, @{thm m_def}]) [] [] 1 *})
     apply (auto simp: resbar_def)
    apply (tactic {* ALLGOALS (action_simp_tac (@{simpset} addsimps
      [@{thm RPCRelayArg_def}, @{thm MClkRelayArg_def}, @{thm S_def},
      @{thm S4_def}, @{thm WrRequest_def}]) [] []) *})
  done
(* Lifts Step1_4_4b1 from WriteInner to Write (which, per Write_def,
   quantifies over the written value): a Write step of the implementation's
   memory in S4, with e p, c p, r p, rmhist!p unchanged, is a Write step of
   the specification under resbar. *)
lemma Step1_4_4b: "|- Write rmCh mm ires p l & $S4 rmhist p & (S4 rmhist p)$
         & unchanged (e p, c p, r p, rmhist!p)
         --> Write memCh mm (resbar rmhist) p l"
  by (force simp: Write_def elim!: Step1_4_4b1 [temp_use])
(* The memory component's MemReturn step on the internal channel rmCh, which
   moves the history variable from S4 to S5 while e p, c p, r p are unchanged
   (rmhist!p does change here), is invisible at the specification level:
   neither the spec's return channel variable rtrner memCh!p nor the result
   variable resbar rmhist!p changes, i.e. it is a stuttering step of the
   specification. *)
lemma Step1_4_4c: "|- MemReturn rmCh ires p & $S4 rmhist p & (S5 rmhist p)$
         & unchanged (e p, c p, r p)
         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm e_def},
    @{thm c_def}, @{thm r_def}, @{thm resbar_def}]) [] [] 1 *})
  apply (drule S4_excl [temp_use] S5_excl [temp_use])+
  (* MI_fast_css: presumably the classical simpset set up earlier in this theory *)
  apply (tactic {* auto_tac (MI_fast_css addsimps2 [@{thm MemReturn_def}, @{thm Return_def}]) *})
  done
(* An RPC reply step (RPCReply on channels crCh/rmCh), moving the history
   variable from S5 to S6 with e p, c p, m p unchanged, is a stuttering step
   of the specification: rtrner memCh!p and resbar rmhist!p are unchanged.
   MVOKBAnotRF (earlier in this theory) is used to rule out the reply value
   being a failure indication in this case. *)
lemma Step1_4_5a: "|- RPCReply crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
         & unchanged (e p, c p, m p)
         --> unchanged (rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (drule S5_excl [temp_use] S6_excl [temp_use])+
  apply (auto simp: e_def c_def m_def resbar_def)
   apply (auto simp: RPCReply_def Return_def S5_def S_def dest!: MVOKBAnotRF [temp_use])
  done
(* An RPC failure step (RPCFail), moving the history variable from S5 to S6
   with e p, c p, m p unchanged, corresponds to a MemFail step of the
   specification under the refinement mapping resbar. *)
lemma Step1_4_5b: "|- RPCFail crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
         & unchanged (e p, c p, m p)
         --> MemFail memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S6_excl [temp_use])
  apply (auto simp: e_def c_def m_def RPCFail_def Return_def MemFail_def resbar_def)
   apply (auto simp: S5_def S_def)
  done
(* The clerk's reply to the caller (MClkReply on channels memCh/crCh), moving
   the history variable from S6 back to S1 with e p, r p, m p unchanged, is a
   MemReturn step of the specification under the refinement mapping resbar.
   MVOKBARFnotNR (earlier in this theory) relates the reply value to the
   result delivered by the specification. *)
lemma Step1_4_6a: "|- MClkReply memCh crCh cst p & $S6 rmhist p & (S1 rmhist p)$
         & unchanged (e p, r p, m p)
         --> MemReturn memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S6_excl [temp_use])+
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm e_def},
    @{thm r_def}, @{thm m_def}, @{thm MClkReply_def}, @{thm MemReturn_def},
    @{thm Return_def}, @{thm resbar_def}]) [] [] 1 *})
    apply simp_all (* simplify if-then-else *)
    apply (tactic {* ALLGOALS (action_simp_tac (@{simpset} addsimps
      [@{thm MClkReplyVal_def}, @{thm S6_def}, @{thm S_def}]) [] [@{thm MVOKBARFnotNR}]) *})
  done
(* The clerk's retry step (MClkRetry), moving the history variable from S6 to
   S3 with e p, r p, m p, rmhist!p unchanged, corresponds to a MemFail step
   of the specification under the refinement mapping resbar. *)
lemma Step1_4_6b: "|- MClkRetry memCh crCh cst p & $S6 rmhist p & (S3 rmhist p)$
         & unchanged (e p, r p, m p, rmhist!p)
         --> MemFail memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S3_excl [temp_use])+
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm e_def}, @{thm r_def},
    @{thm m_def}, @{thm MClkRetry_def}, @{thm MemFail_def}, @{thm resbar_def}]) [] [] 1 *})
   apply (auto simp: S6_def S_def)
  done
(* The generic state predicate S (of which S1..S6 are instances) depends only
   on e p, c p, r p, m p and rmhist!p; hence a step leaving those unchanged
   leaves every instance of S unchanged. *)
lemma S_lemma: "|- unchanged (e p, c p, r p, m p, rmhist!p)
         --> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)"
  by (auto simp: e_def c_def r_def m_def caller_def rtrner_def S_def Calling_def)
(* Helper for Step1_4_7: an idling step of the implementation (all of
   e p, c p, r p, m p, rmhist!p unchanged) leaves the spec's return channel
   variable rtrner memCh!p and each of the history-state predicates S1..S6
   unchanged. *)
lemma Step1_4_7H: "|- unchanged (e p, c p, r p, m p, rmhist!p)
         --> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p,
                        S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  apply clarsimp
  apply (rule conjI)
   (* rtrner memCh!p: follows from c p being unchanged, by unfolding c_def *)
   apply (force simp: c_def)
  (* S1..S6: each is an instance of S, so S_lemma applies *)
  apply (force simp: S1_def S2_def S3_def S4_def S5_def S6_def intro!: S_lemma [temp_use])
  done
(* An idling step of the implementation (e p, c p, r p, m p, rmhist!p
   unchanged) is a stuttering step of the specification: it leaves
   rtrner memCh!p, the result variable resbar rmhist!p and all of S1..S6
   unchanged.  This is the lemma that split_idle_tac (below) uses to
   dispose of the idling case. *)
lemma Step1_4_7: "|- unchanged (e p, c p, r p, m p, rmhist!p)
         --> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p,
                        S3 rmhist p, S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  apply (rule actionI)
  apply (unfold action_rews)
  apply (rule impI)
  (* everything except resbar rmhist!p comes from Step1_4_7H *)
  apply (frule Step1_4_7H [temp_use])
  apply (auto simp: e_def c_def r_def m_def rtrner_def resbar_def)
  done
(* Frequently needed abbreviation: split a goal into the idling case, in which
   (e p, c p, r p, m p, rmhist!p) is unchanged, and the non-idling case.  In
   the idling case Step1_4_7 shows the step is a stuttering step of the
   specification, and the simplifier is then run on it, so that normally only
   the non-idling case remains to be proved.
*)
(* split_idle_tac ctxt simps i:
     ctxt  - the proof context (supplies the simpset);
     simps - extra rewrite rules for the idling case;
     i     - the subgoal to work on.
   Case-splits subgoal i on "unchanged (e p, c p, r p, m p, rmhist!p)",
   feeds Step1_4_7 into the resulting first subgoal (the idling case) and
   simplifies it with the extra rules.  The non-idling case is left for the
   caller. *)
ML {*
fun split_idle_tac ctxt simps i =
  let val ss = simpset_of ctxt in
    (* actionI is optional: the goal may already be in action form *)
    TRY (rtac @{thm actionI} i) THEN
    InductTacs.case_tac ctxt "(s,t) |= unchanged (e p, c p, r p, m p, rmhist!p)" i THEN
    rewrite_goals_tac @{thms action_rews} THEN
    (* subgoal i is now the idling case; Step1_4_7 makes it a stuttering step *)
    forward_tac [temp_use @{thm Step1_4_7}] i THEN
    asm_full_simp_tac (ss addsimps simps) i
  end
*}
(* ----------------------------------------------------------------------
   Combine steps 1.2 and 1.4 to prove that the implementation satisfies
   the specification's next-state relation: from each history state S1..S6,
   every step of ImpNext together with [HNext rmhist p]_(c p,r p,m p,rmhist!p)
   is a step of [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)
   under the refinement mapping resbar.
*)
(* Steps that leave all of (e p, c p, r p, m p, rmhist!p) unchanged are safe,
   because by Step1_4_7 they are stuttering steps of the specification.  Hence,
   in the proof that a step is safe, one may assume that some variable
   changes. *)
(* To show that a step is a step of [UNext ...]_(rtrner memCh!p, resbar rmhist!p),
   it suffices to show this for steps that change some variable among
   e p, c p, r p, m p, rmhist!p.  The idling case is discharged by
   split_idle_tac (Step1_4_7 plus the definition of square brackets). *)
lemma unchanged_safe: "|- (~unchanged (e p, c p, r p, m p, rmhist!p)
             --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p))
         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply (tactic {* split_idle_tac @{context} [@{thm square_def}] 1 *})
  apply force
  done
(* Turn unchanged_safe into an introduction rule.  It is unsafe in the
   classical-reasoner sense: applying it yields the same conclusion again,
   only with the extra assumption ~unchanged (e p, c p, r p, m p, rmhist!p),
   so repeated application loops.  Apply it exactly once, by hand. *)
lemmas unchanged_safeI = impI [THEN unchanged_safe [action_use], standard]
(* Safety in history state S1: every implementation step (ImpNext together
   with the history step) taken from S1 is a step of the specification's
   next-state relation [UNext ...]_(rtrner memCh!p, resbar rmhist!p). *)
lemma S1safe: "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  (* assume some variable changes (the idling case is a stuttering step) *)
  apply (rule unchanged_safeI)
  (* in S1 the only non-idling step is a stuttering step of the spec *)
  apply (rule idle_squareI)
  apply (auto dest!: Step1_2_1 [temp_use] Step1_4_1 [temp_use])
  done
(* Safety in history state S2: every implementation step taken from S2 is a
   step of [UNext ...]_(rtrner memCh!p, resbar rmhist!p).  As for S1, the
   non-idling step is shown to stutter at the specification level. *)
lemma S2safe: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (rule idle_squareI)
  apply (auto dest!: Step1_2_2 [temp_use] Step1_4_2 [temp_use])
  done
(* Safety in history state S3: every implementation step taken from S3 is a
   step of [UNext ...]_(rtrner memCh!p, resbar rmhist!p).  Step1_2_3 gives
   the possible implementation steps; Step1_4_3a/b map them to spec steps. *)
lemma S3safe: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_3 [temp_use])
  apply (auto simp: square_def UNext_def dest!: Step1_4_3a [temp_use] Step1_4_3b [temp_use])
  done
(* Safety in history state S4: every implementation step taken from S4 is a
   step of [UNext ...]_(rtrner memCh!p, resbar rmhist!p).  Unlike the other
   S_i cases this needs the memory invariant (!l. $(MemInv mm l)), which the
   read case Step1_4_4a requires.  Step1_2_4 gives the possible steps;
   Step1_4_4a/b/c map them to read, write and stuttering steps of the spec. *)
lemma S4safe: "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         & (!l. $(MemInv mm l))
         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_4 [temp_use])
     apply (auto simp: square_def UNext_def RNext_def
       dest!: Step1_4_4a [temp_use] Step1_4_4b [temp_use] Step1_4_4c [temp_use])
  done
(* Safety in history state S5: every implementation step taken from S5 is a
   step of [UNext ...]_(rtrner memCh!p, resbar rmhist!p).  Step1_2_5 gives
   the possible steps; Step1_4_5a (RPC reply, stuttering) and Step1_4_5b
   (RPC failure, MemFail) map them to the specification. *)
lemma S5safe: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_5 [temp_use])
  apply (auto simp: square_def UNext_def dest!: Step1_4_5a [temp_use] Step1_4_5b [temp_use])
  done
(* Safety in history state S6: every implementation step taken from S6 is a
   step of [UNext ...]_(rtrner memCh!p, resbar rmhist!p).  Step1_2_6 gives
   the possible steps; Step1_4_6a (clerk reply, MemReturn) and Step1_4_6b
   (clerk retry, MemFail) map them to the specification. *)
lemma S6safe: "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_6 [temp_use])
    apply (auto simp: square_def UNext_def RNext_def
      dest!: Step1_4_6a [temp_use] Step1_4_6b [temp_use])
  done
(* ----------------------------------------------------------------------
   Step 1.5: Temporal refinement proof, based on the previous steps.
*)
section "The liveness part"
(* Liveness assertions for the different implementation states, based on the
   fairness conditions.  The premises of the WF1 / SF1 rules are proved as
   separate lemmas for readability, reusing the action-level lemmas from the
   safety part.
*)
(* ------------------------------ State S1 ------------------------------ *)
(* From history state S1, an implementation step leads to S1 or S2 (the
   idling case stays in S1 by split_idle_tac; Step1_2_1 covers the rest). *)
lemma S1_successors: "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> (S1 rmhist p)$ | (S2 rmhist p)$"
  apply (tactic "split_idle_tac @{context} [] 1")
  apply (auto dest!: Step1_2_1 [temp_use])
  done
(* Show that the implementation satisfies the specification's fairness
   requirements provided it enters state S1 infinitely often: in S1 the
   specification's RNext and MemReturn actions are disabled, so weak
   fairness for them holds trivially (RNext_fair, Return_fair below).
*)
(* In S1 the specification's RNext action (as a non-stuttering step on
   rtrner memCh!p, resbar rmhist!p) is not enabled.  Memoryidle (earlier in
   this theory) supplies the fact that the memory is idle in S1. *)
lemma S1_RNextdisabled: "|- S1 rmhist p -->
         ~Enabled (<RNext memCh mm (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
  apply (tactic {* action_simp_tac (@{simpset} addsimps [@{thm angle_def},
    @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}, temp_elim @{thm Memoryidle}] 1 *})
  apply force
  done
(* In S1 the specification's MemReturn action (as a non-stuttering step on
   rtrner memCh!p, resbar rmhist!p) is not enabled. *)
lemma S1_Returndisabled: "|- S1 rmhist p -->
         ~Enabled (<MemReturn memCh (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm angle_def}, @{thm MemReturn_def},
    @{thm Return_def}, @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}] 1 *})
21624
6f79647cf536 TLA: converted legacy ML scripts;
wenzelm
parents: 17309
diff changeset
   910
6f79647cf536 TLA: converted legacy ML scripts;
wenzelm
parents: 17309
diff changeset
   911
(* Weak fairness of the specification's RNext action follows from S1 being
   entered infinitely often: by S1_RNextdisabled the action is then
   infinitely often disabled, which satisfies WF via the alternative
   characterisation WF_alt (from the TLA library). *)
lemma RNext_fair: "|- []<>S1 rmhist p
         --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  by (auto simp: WF_alt [try_rewrite] intro!: S1_RNextdisabled [temp_use]
    elim!: STL4E [temp_use] DmdImplE [temp_use])
(* Weak fairness of the specification's MemReturn action, by the same
   argument as RNext_fair, using S1_Returndisabled. *)
lemma Return_fair: "|- []<>S1 rmhist p
         --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  by (auto simp: WF_alt [try_rewrite]
    intro!: S1_Returndisabled [temp_use] elim!: STL4E [temp_use] DmdImplE [temp_use])
(* ------------------------------ State S2 ------------------------------ *)
(* WF1 premise 1 for S2: from S2 an implementation step leads to S2 or S3. *)
lemma S2_successors: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> (S2 rmhist p)$ | (S3 rmhist p)$"
  apply (tactic "split_idle_tac @{context} [] 1")
  apply (auto dest!: Step1_2_2 [temp_use])
  done
(* WF1 premise 2 for S2: the helpful action is the clerk forwarding the
   request (MClkFwd, non-stuttering on c p); from S2 it leads to S3. *)
lemma S2MClkFwd_successors: "|- ($S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         & <MClkFwd memCh crCh cst p>_(c p)
         --> (S3 rmhist p)$"
  by (auto simp: angle_def dest!: Step1_2_2 [temp_use])
(* WF1 premise 3 for S2: the helpful action MClkFwd is enabled in S2.
   MClkFwd_ch_enabled / MClkFwd_enabled come from the MemClerk theory;
   MI_base and base_pair (earlier in this theory / the TLA library) supply
   the base-variable facts the Enabled reasoning needs. *)
lemma S2MClkFwd_enabled: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> $Enabled (<MClkFwd memCh crCh cst p>_(c p))"
  apply (auto simp: c_def intro!: MClkFwd_ch_enabled [temp_use] MClkFwd_enabled [temp_use])
     apply (cut_tac MI_base)
     apply (blast dest: base_pair)
    apply (simp_all add: S_def S2_def)
  done
lemma S2_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         & WF(MClkFwd memCh crCh cst p)_(c p)
         --> (S2 rmhist p ~> S3 rmhist p)"
  by (rule WF1 S2_successors S2MClkFwd_successors S2MClkFwd_enabled)+
(* ---- State S3: the RPC component must act; under WF(RPCNext) S3 leads to S4 or S6 (S3_live) ---- *)
lemma S3_successors: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> (S3 rmhist p)$ | (S4 rmhist p | S6 rmhist p)$"
  apply (tactic "split_idle_tac @{context} [] 1")
  apply (auto dest!: Step1_2_3 [temp_use])
  done
lemma S3RPC_successors: "|- ($S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         & <RPCNext crCh rmCh rst p>_(r p)
         --> (S4 rmhist p | S6 rmhist p)$"
  apply (auto simp: angle_def dest!: Step1_2_3 [temp_use])
  done
lemma S3RPC_enabled: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
  apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
    apply (cut_tac MI_base)
    apply (blast dest: base_pair)
   apply (simp_all add: S_def S3_def)
  done
lemma S3_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         & WF(RPCNext crCh rmCh rst p)_(r p)
         --> (S3 rmhist p ~> S4 rmhist p | S6 rmhist p)"
  by (rule WF1 S3_successors S3RPC_successors S3RPC_enabled)+
(* ---- State S4: the memory component acts; the liveness argument is split into S4a / S4b below according to whether ires!p = NotAResult ---- *)
lemma S4_successors: "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
        & (ALL l. $MemInv mm l)
        --> (S4 rmhist p)$ | (S5 rmhist p)$"
  apply (tactic "split_idle_tac @{context} [] 1")
  apply (auto dest!: Step1_2_4 [temp_use])
  done
(* ---- State S4a: S4 /\ (ires!p = NotAResult); under WF(RNext) this leads to S4b (ires!p ~= NotAResult) or S5 (S4a_live) ---- *)
lemma S4a_successors: "|- $(S4 rmhist p & ires!p = #NotAResult)
         & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (ALL l. $MemInv mm l)
         --> (S4 rmhist p & ires!p = #NotAResult)$
             | ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)$"
  apply (tactic {* split_idle_tac @{context} [@{thm m_def}] 1 *})
  apply (auto dest!: Step1_2_4 [temp_use])
  done
lemma S4aRNext_successors: "|- ($(S4 rmhist p & ires!p = #NotAResult)
         & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (ALL l. $MemInv mm l))
         & <RNext rmCh mm ires p>_(m p)
         --> ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)$"
  by (auto simp: angle_def
    dest!: Step1_2_4 [temp_use] ReadResult [temp_use] WriteResult [temp_use])
lemma S4aRNext_enabled: "|- $(S4 rmhist p & ires!p = #NotAResult)
         & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (ALL l. $MemInv mm l)
         --> $Enabled (<RNext rmCh mm ires p>_(m p))"
  apply (auto simp: m_def intro!: RNext_enabled [temp_use])
   apply (cut_tac MI_base)
   apply (blast dest: base_pair)
  apply (simp add: S_def S4_def)
  done
lemma S4a_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         & (ALL l. $MemInv mm l)) & WF(RNext rmCh mm ires p)_(m p)
         --> (S4 rmhist p & ires!p = #NotAResult
              ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)"
  by (rule WF1 S4a_successors S4aRNext_successors S4aRNext_enabled)+
(* ---- State S4b: S4 /\ (ires!p ~= NotAResult); under WF(MemReturn) this leads to S5 (S4b_live) ---- *)
lemma S4b_successors: "|- $(S4 rmhist p & ires!p ~= #NotAResult)
         & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (ALL l. $MemInv mm l)
         --> (S4 rmhist p & ires!p ~= #NotAResult)$ | (S5 rmhist p)$"
  apply (tactic {* split_idle_tac @{context} [@{thm m_def}] 1 *})
  apply (auto dest!: WriteResult [temp_use] Step1_2_4 [temp_use] ReadResult [temp_use])
  done
lemma S4bReturn_successors: "|- ($(S4 rmhist p & ires!p ~= #NotAResult)
         & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         & (ALL l. $MemInv mm l)) & <MemReturn rmCh ires p>_(m p)
         --> (S5 rmhist p)$"
  by (force simp: angle_def dest!: Step1_2_4 [temp_use] dest: ReturnNotReadWrite [temp_use])
lemma S4bReturn_enabled: "|- $(S4 rmhist p & ires!p ~= #NotAResult)
         & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         & (ALL l. $MemInv mm l)
         --> $Enabled (<MemReturn rmCh ires p>_(m p))"
  apply (auto simp: m_def intro!: MemReturn_enabled [temp_use])
   apply (cut_tac MI_base)
   apply (blast dest: base_pair)
  apply (simp add: S_def S4_def)
  done
lemma S4b_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l))
         & WF(MemReturn rmCh ires p)_(m p)
         --> (S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p)"
  by (rule WF1 S4b_successors S4bReturn_successors S4bReturn_enabled)+
(* ---- State S5: the RPC component must act; under WF(RPCNext) S5 leads to S6 (S5_live) ---- *)
lemma S5_successors: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> (S5 rmhist p)$ | (S6 rmhist p)$"
  apply (tactic "split_idle_tac @{context} [] 1")
  apply (auto dest!: Step1_2_5 [temp_use])
  done
lemma S5RPC_successors: "|- ($S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         & <RPCNext crCh rmCh rst p>_(r p)
         --> (S6 rmhist p)$"
  by (auto simp: angle_def dest!: Step1_2_5 [temp_use])
lemma S5RPC_enabled: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
  apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
    apply (cut_tac MI_base)
    apply (blast dest: base_pair)
   apply (simp_all add: S_def S5_def)
  done
lemma S5_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         & WF(RPCNext crCh rmCh rst p)_(r p)
         --> (S5 rmhist p ~> S6 rmhist p)"
  by (rule WF1 S5_successors S5RPC_successors S5RPC_enabled)+
(* ---- State S6: the clerk must reply. Unlike the other states, S6_live is proved under STRONG fairness SF(MClkReply), not WF: from []<>S6 it derives []<>S1 ---- *)
lemma S6_successors: "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         --> (S1 rmhist p)$ | (S3 rmhist p)$ | (S6 rmhist p)$"
  apply (tactic "split_idle_tac @{context} [] 1")
  apply (auto dest!: Step1_2_6 [temp_use])
  done
lemma S6MClkReply_successors:
  "|- ($S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         & <MClkReply memCh crCh cst p>_(c p)
         --> (S1 rmhist p)$"
  by (auto simp: angle_def dest!: Step1_2_6 [temp_use] MClkReplyNotRetry [temp_use])
lemma MClkReplyS6:
  "|- $ImpInv rmhist p & <MClkReply memCh crCh cst p>_(c p) --> $S6 rmhist p"
  by (tactic {* action_simp_tac (@{simpset} addsimps [@{thm angle_def},
    @{thm MClkReply_def}, @{thm Return_def}, @{thm ImpInv_def}, @{thm S_def},
    @{thm S1_def}, @{thm S2_def}, @{thm S3_def}, @{thm S4_def}, @{thm S5_def}]) [] [] 1 *})
lemma S6MClkReply_enabled: "|- S6 rmhist p --> Enabled (<MClkReply memCh crCh cst p>_(c p))"
  apply (auto simp: c_def intro!: MClkReply_enabled [temp_use])
     apply (cut_tac MI_base)
     apply (blast dest: base_pair)
    apply (tactic {* ALLGOALS (action_simp_tac (@{simpset}
      addsimps [@{thm S_def}, @{thm S6_def}]) [] []) *})
  done
lemma S6_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p))
         & SF(MClkReply memCh crCh cst p)_(c p) & []<>(S6 rmhist p)
         --> []<>(S1 rmhist p)"
  apply clarsimp
  apply (subgoal_tac "sigma |= []<> (<MClkReply memCh crCh cst p>_ (c p))")
   apply (erule InfiniteEnsures)
    apply assumption
   apply (tactic {* action_simp_tac @{simpset} []
     (map temp_elim [@{thm MClkReplyS6}, @{thm S6MClkReply_successors}]) 1 *})
  apply (auto simp: SF_def)
  apply (erule contrapos_np)
  apply (auto intro!: S6MClkReply_enabled [temp_use] elim!: STL4E [temp_use] DmdImplE [temp_use])
  done
(* ---- Aggregate leadsto properties: chain the per-state ~> results (S2..S5 to S6) into ~S1 ~> S6 (NotS1LeadstoS6) ---- *)
lemma S5S6LeadstoS6: "sigma |= S5 rmhist p ~> S6 rmhist p
      ==> sigma |= (S5 rmhist p | S6 rmhist p) ~> S6 rmhist p"
  by (auto intro!: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
lemma S4bS5S6LeadstoS6: "[| sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
         sigma |= S5 rmhist p ~> S6 rmhist p |]
      ==> sigma |= (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p
                    ~> S6 rmhist p"
  by (auto intro!: LatticeDisjunctionIntro [temp_use]
    S5S6LeadstoS6 [temp_use] intro: LatticeTransitivity [temp_use])
lemma S4S5S6LeadstoS6: "[| sigma |= S4 rmhist p & ires!p = #NotAResult
                  ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p;
         sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
         sigma |= S5 rmhist p ~> S6 rmhist p |]
      ==> sigma |= S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p"
  apply (subgoal_tac "sigma |= (S4 rmhist p & ires!p = #NotAResult) |
    (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p ~> S6 rmhist p")
   apply (erule_tac G = "PRED ((S4 rmhist p & ires!p = #NotAResult) |
     (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p)" in
     LatticeTransitivity [temp_use])
   apply (force simp: Init_defs intro!: ImplLeadsto_gen [temp_use] necT [temp_use])
  apply (rule LatticeDisjunctionIntro [temp_use])
   apply (erule LatticeTransitivity [temp_use])
   apply (erule LatticeTriangle2 [temp_use])
   apply assumption
  apply (auto intro!: S4bS5S6LeadstoS6 [temp_use])
  done
lemma S3S4S5S6LeadstoS6: "[| sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;
         sigma |= S4 rmhist p & ires!p = #NotAResult
                  ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p;
         sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
         sigma |= S5 rmhist p ~> S6 rmhist p |]
      ==> sigma |= S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p"
  apply (rule LatticeDisjunctionIntro [temp_use])
   apply (erule LatticeTriangle2 [temp_use])
   apply (rule S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
      apply (auto intro!: S4S5S6LeadstoS6 [temp_use] necT [temp_use]
        intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
  done
lemma S2S3S4S5S6LeadstoS6: "[| sigma |= S2 rmhist p ~> S3 rmhist p;
         sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;
         sigma |= S4 rmhist p & ires!p = #NotAResult
                  ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p;
         sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
         sigma |= S5 rmhist p ~> S6 rmhist p |]
      ==> sigma |= S2 rmhist p | S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p
                   ~> S6 rmhist p"
  apply (rule LatticeDisjunctionIntro [temp_use])
   apply (rule LatticeTransitivity [temp_use])
    prefer 2 apply assumption
   apply (rule S3S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
       apply (auto intro!: S3S4S5S6LeadstoS6 [temp_use] necT [temp_use]
6f79647cf536 TLA: converted legacy ML scripts;
wenzelm
parents: 17309
diff changeset
  1170
         intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
6f79647cf536 TLA: converted legacy ML scripts;
wenzelm
parents: 17309
diff changeset
  1171
  done
(* Same chain, but starting from "not in S1".  The implementation invariant
   ImpInv (the behaviour is always in one of S1..S6, cf. the step 1.5 comment
   below) is what turns ~S1 into S2 | S3 | S4 | S5 | S6 (INV_leadsto); the
   five leads-to premises are then discharged by the previous lemma. *)
lemma NotS1LeadstoS6: "[| sigma |= []ImpInv rmhist p;
         sigma |= S2 rmhist p ~> S3 rmhist p;
         sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;
         sigma |= S4 rmhist p & ires!p = #NotAResult
                  ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p;
         sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
         sigma |= S5 rmhist p ~> S6 rmhist p |]
      ==> sigma |= ~S1 rmhist p ~> S6 rmhist p"
  apply (rule S2S3S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
       apply assumption+
  (* remaining goal: ~S1 ~> S2 | ... | S6, using the always-true invariant *)
  apply (erule INV_leadsto [temp_use])
  apply (rule ImplLeadsto_gen [temp_use])
  apply (rule necT [temp_use])
  apply (auto simp: ImpInv_def Init_defs intro!: necT [temp_use])
  done
(* Liveness core: S1 is visited infinitely often.  Proof by contradiction
   (rule classical): the negated goal ~[]<>S1 is rewritten with NotBox/NotDmd
   (presumably to <>[]~S1, i.e. from some point on S1 never holds);
   leadsto_infinite together with ~S1 ~> S6 then yields []<>S6, which the
   second premise turns into []<>S1, contradicting the assumption.
   DBImplBD (by its name: <>[] implies []<>) bridges the two modalities. *)
lemma S1Infinite: "[| sigma |= ~S1 rmhist p ~> S6 rmhist p;
         sigma |= []<>S6 rmhist p --> []<>S1 rmhist p |]
      ==> sigma |= []<>S1 rmhist p"
  apply (rule classical)
  apply (tactic {* asm_lr_simp_tac (@{simpset} addsimps
    [temp_use @{thm NotBox}, temp_rewrite @{thm NotDmd}]) 1 *})
  apply (auto elim!: leadsto_infinite [temp_use] mp dest!: DBImplBD [temp_use])
  done
section "Refinement proof (step 1.5)"
(* Prove invariants of the implementation:
   a. memory invariant (MemInv, for every location, at all times)
   b. "implementation invariant" (ImpInv): always in one of the states S1,...,S6
*)
(* (a) Memory invariant: the internal implementation spec IPImp p guarantees
   MemInv for every location l at all times.  Unfolding IPImp_def exposes the
   memory component's spec, to which MemoryInvariantAll applies. *)
lemma Step1_5_1a: "|- IPImp p --> (ALL l. []$MemInv mm l)"
  by (auto simp: IPImp_def box_stp_act [temp_use] intro!: MemoryInvariantAll [temp_use])
(* (b) Implementation invariant, by the usual invariance rule (inv_tac):
   ImpInv holds initially (dest!: Step1_1 on the Init part) and is preserved
   by every ImpNext / [HNext]_... step, given MemInv.  The Si_successors
   lemmas (presumably: which states can follow Si) discharge the step case. *)
lemma Step1_5_1b: "|- Init(ImpInit p & HInit rmhist p) & [](ImpNext p)
         & [][HNext rmhist p]_(c p, r p, m p, rmhist!p) & [](ALL l. $MemInv mm l)
         --> []ImpInv rmhist p"
  apply (tactic "inv_tac MI_css 1")
   apply (auto simp: Init_def ImpInv_def box_stp_act [temp_use]
     dest!: Step1_1 [temp_use] dest: S1_successors [temp_use] S2_successors [temp_use]
     S3_successors [temp_use] S4_successors [temp_use] S5_successors [temp_use]
     S6_successors [temp_use])
  done
(*** Initialization ***)
(* Refinement, initial states: an initial state of the implementation
   together with the history variable (ImpInit & HInit) is mapped by the
   refinement mapping resbar rmhist to an initial state PInit of the
   specification. *)
lemma Step1_5_2a: "|- Init(ImpInit p & HInit rmhist p) --> Init(PInit (resbar rmhist) p)"
  by (auto simp: Init_def intro!: Step1_1 [temp_use] Step1_3  [temp_use])
(*** step simulation ***)
(* Refinement, step simulation: under both invariants, every step of the
   implementation (including the history step [HNext]_...) is either a UNext
   step of the specification or leaves the specification's variables
   (rtrner memCh!p, resbar rmhist!p) unchanged.  STL4E lifts the per-state
   lemmas S1safe..S6safe under []. *)
lemma Step1_5_2b: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)
         & $ImpInv rmhist p & (!l. $MemInv mm l))
         --> [][UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  by (auto simp: ImpInv_def elim!: STL4E [temp_use]
    dest!: S1safe [temp_use] S2safe [temp_use] S3safe [temp_use] S4safe [temp_use]
    S5safe [temp_use] S6safe [temp_use])
(*** Liveness ***)
(* Collects what a behaviour satisfying the implementation spec IPImp p and
   the history-variable spec HistP rmhist p provides for step 1.5: the
   initial condition, the always-next condition (with history step), the two
   invariants and the liveness part ImpLive p.  The subgoal_tac states the
   premises of Step1_5_1b so that []ImpInv can be obtained from it; the
   force calls unfold the component specifications (clerk, RPC, memory,
   history) to discharge the other conjuncts. *)
lemma GoodImpl: "|- IPImp p & HistP rmhist p
         -->   Init(ImpInit p & HInit rmhist p)
             & [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
             & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p)
             & ImpLive p"
  apply clarsimp
    apply (subgoal_tac "sigma |= Init (ImpInit p & HInit rmhist p) & [] (ImpNext p) &
      [][HNext rmhist p]_ (c p, r p, m p, rmhist!p) & [] (ALL l. $MemInv mm l)")
   apply (auto simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
       dest!: Step1_5_1b [temp_use])
      apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def
        ImpLive_def c_def r_def m_def)
      apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def
        HistP_def Init_def ImpInit_def)
    apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def
      ImpNext_def c_def r_def m_def split_box_conj [temp_use])
   apply (force simp: HistP_def)
  (* the memory invariant part of the subgoal is Step1_5_1a *)
  apply (force simp: allT [temp_use] dest!: Step1_5_1a [temp_use])
  done
(* The implementation is infinitely often in state S1... *)
(* The implementation is infinitely often in state S1.  Instantiates
   S1Infinite: the premise ~S1 ~> S6 comes from NotS1LeadstoS6 together with
   the per-state liveness lemmas S2_live..S5_live (S4a_live/S4b_live
   presumably cover the two S4 cases, split on ires!p = #NotAResult), and
   []<>S6 --> []<>S1 comes from S6_live. *)
lemma Step1_5_3a: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         & [](ALL l. $MemInv mm l)
         & []($ImpInv rmhist p) & ImpLive p
         --> []<>S1 rmhist p"
  apply (clarsimp simp: ImpLive_def)
  apply (rule S1Infinite)
   apply (force simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
     intro!: NotS1LeadstoS6 [temp_use] S2_live [temp_use] S3_live [temp_use]
     S4a_live [temp_use] S4b_live [temp_use] S5_live [temp_use])
  apply (auto simp: split_box_conj [temp_use] intro!: S6_live [temp_use])
  done
(* ... and therefore satisfies the fairness requirements of the specification *)
(* ... and therefore weak fairness of the specification's RNext action, with
   respect to the specification variables under the refinement mapping,
   holds: RNext_fair derives it from []<>S1 (Step1_5_3a). *)
lemma Step1_5_3b: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p
         --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  by (auto intro!: RNext_fair [temp_use] Step1_5_3a [temp_use])
(* Likewise for the second fairness condition of the specification: weak
   fairness of MemReturn, again obtained (Return_fair) from []<>S1. *)
lemma Step1_5_3c: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p
         --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  by (auto intro!: Return_fair [temp_use] Step1_5_3a [temp_use])
(* QED step of step 1 *)
(* QED step of step 1: for each process p, the implementation together with
   the history variable satisfies the specification's per-process part
   UPSpec under the refinement mapping resbar rmhist.  UPSpec_def unfolds
   into the initial condition (Step1_5_2a), the step condition (Step1_5_2b)
   and the two fairness conditions (Step1_5_3b/c); GoodImpl supplies their
   premises. *)
lemma Step1: "|- IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p"
  by (auto simp: UPSpec_def split_box_conj [temp_use]
    dest!: GoodImpl [temp_use] intro!: Step1_5_2a [temp_use] Step1_5_2b [temp_use]
    Step1_5_3b [temp_use] Step1_5_3c [temp_use])
(* ------------------------------ Step 2 ------------------------------ *)
section "Step 2"
(* A Write step by process p on the internal memory channel rmCh, taken as
   an implementation step (ImpNext with [HNext]_...) from an ImpInv state,
   ends in state S4 and leaves p's environment, clerk, RPC and history
   components unchanged.  WriteS4 relates the write to S4, split_idle_tac
   handles the stuttering alternative of [HNext]_..., the S4*Unch lemmas
   give the unchanged components, and S4Write the remaining case. *)
lemma Step2_2a: "|- Write rmCh mm ires p l & ImpNext p
         & [HNext rmhist p]_(c p, r p, m p, rmhist!p)
         & $ImpInv rmhist p
         --> (S4 rmhist p)$ & unchanged (e p, c p, r p, rmhist!p)"
  apply clarsimp
  apply (drule WriteS4 [action_use])
   apply assumption
  apply (tactic "split_idle_tac @{context} [] 1")
  apply (auto simp: ImpNext_def dest!: S4EnvUnch [temp_use] S4ClerkUnch [temp_use]
    S4RPCUnch [temp_use])
     apply (auto simp: square_def dest: S4Write [temp_use])
  done
(* One step of memory location l: if it is a Write by some process q on the
   internal channel rmCh (or leaves mm!l unchanged), then it is a Write by q
   on the specification's channel memCh under the refinement mapping (or
   leaves mm!l unchanged).  squareCI/squareE handle the [..]_(mm!l) form;
   Step1_4_4b (from step 1) yields the abstract write, and its premises are
   discharged with WriteS4 and Step2_2a. *)
lemma Step2_2: "|-   (ALL p. ImpNext p)
         & (ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         & (ALL p. $ImpInv rmhist p)
         & [EX q. Write rmCh mm ires q l]_(mm!l)
         --> [EX q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
  apply (auto intro!: squareCI elim!: squareE)
  apply (assumption | rule exI Step1_4_4b [action_use])+
    apply (force intro!: WriteS4 [temp_use])
   apply (auto dest!: Step2_2a [temp_use])
  done
(* Step2_2 lifted under the always operator: if the premises hold at every
   step, every change of mm!l is an abstract Write.  STL4E does the lifting. *)
lemma Step2_lemma: "|- [](  (ALL p. ImpNext p)
            & (ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
            & (ALL p. $ImpInv rmhist p)
            & [EX q. Write rmCh mm ires q l]_(mm!l))
         --> [][EX q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
  by (force elim!: STL4E [temp_use] dest!: Step2_2 [temp_use])
(* Step 2: the specification's memory part MSpec holds for every location
   l : MemLoc, given that every process satisfies the implementation spec
   with history variable.  After unfolding MSpec_def, the "only writes
   change mm!l" part is Step2_lemma (all_box distributes [] over ALL p,
   GoodImpl supplies its premises); the remaining parts come straight from
   IPImp_def. *)
lemma Step2: "|- #l : #MemLoc & (ALL p. IPImp p & HistP rmhist p)
         --> MSpec memCh mm (resbar rmhist) l"
  apply (auto simp: MSpec_def)
   apply (force simp: IPImp_def MSpec_def)
  apply (auto intro!: Step2_lemma [temp_use] simp: split_box_conj [temp_use] all_box [temp_use])
     prefer 4
     apply (force simp: IPImp_def MSpec_def)
    apply (auto simp: split_box_conj [temp_use] elim!: allE dest!: GoodImpl [temp_use])
  done
(* ----------------------------- Main theorem --------------------------------- *)
section "Memory implementation"
(* The combination of a legal caller, the memory clerk, the RPC component,
   and a reliable memory implements the unreliable memory specification.
*)
(* Implementation of the internal specification by the combination of the
   implementation and the history variable, with an explicit refinement
   mapping (resbar rmhist).
*)
(* The implementation together with the history variable satisfies the
   internal specification IUSpec under the explicit refinement mapping
   resbar rmhist.  Implementation_def and Hist_def are unfolded into the
   component specifications (MClkISpec, RPCISpec, IRSpec, IPImp, HistP);
   the per-process part is Step1 and the memory part is Step2. *)
lemma Impl_IUSpec: "|- Implementation & Hist rmhist --> IUSpec memCh mm (resbar rmhist)"
  by (auto simp: IUSpec_def Implementation_def IPImp_def MClkISpec_def
    RPCISpec_def IRSpec_def Hist_def intro!: Step1 [temp_use] Step2 [temp_use])
(* The main theorem: introduce hiding and eliminate history variable. *)
(* Main theorem: the implementation refines the external unreliable-memory
   specification USpec memCh.  History (proved above) supplies a history
   variable rmhist for the behaviour; Impl_IUSpec then gives the internal
   specification under the refinement mapping, and eexI/eexE introduce and
   eliminate the temporal existential quantifier that hides the internal
   variables (presumably mm and the result variable) in USpec_def.
   NOTE(review): the guarantee is relative to the component specifications
   unfolded by Implementation_def (clerk, RPC, memory) and to the
   legal-caller assumption that is part of Implementation (see the section
   comment above); behaviours outside those assumptions are not covered by
   this theorem. *)
lemma Implementation: "|- Implementation --> USpec memCh"
  apply clarsimp
  apply (frule History [temp_use])
  apply (auto simp: USpec_def intro: eexI [temp_use] Impl_IUSpec [temp_use]
    MI_base [temp_use] elim!: eexE)
  done
end