| author | paulson |
| Fri, 20 Jun 2003 18:13:16 +0200 | |
| changeset 14061 | abcb32a7b212 |
| parent 14060 | c0c4af41fa3b |
| child 14071 | 373806545656 |
| permissions | -rw-r--r-- |
|
14060
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
1 |
(*Title: ZF/UNITY/AllocImpl |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
2 |
ID: $Id$ |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
3 |
Author: Sidi O Ehmety, Cambridge University Computer Laboratory |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
4 |
Copyright 2002 University of Cambridge |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
5 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
6 |
Single-client allocator implementation |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
7 |
Charpentier and Chandy, section 7 (page 17). |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
8 |
*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
9 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
10 |
(*LOCALE NEEDED FOR PROOF OF GUARANTEES THEOREM*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
11 |
|
| 14061 | 12 |
(*????FIXME: sort out this mess |
13 |
FoldSet.cons_Int_right_lemma1: |
|
14 |
?x \<in> ?D \<Longrightarrow> cons(?x, ?C) \<inter> ?D = cons(?x, ?C \<inter> ?D) |
|
15 |
FoldSet.cons_Int_right_lemma2: ?x \<notin> ?D \<Longrightarrow> cons(?x, ?C) \<inter> ?D = ?C \<inter> ?D |
|
16 |
Multiset.cons_Int_right_cases: |
|
17 |
cons(?x, ?A) \<inter> ?B = (if ?x \<in> ?B then cons(?x, ?A \<inter> ?B) else ?A \<inter> ?B) |
|
18 |
UNITYMisc.Int_cons_right: |
|
19 |
?A \<inter> cons(?a, ?B) = (if ?a \<in> ?A then cons(?a, ?A \<inter> ?B) else ?A \<inter> ?B) |
|
20 |
UNITYMisc.Int_succ_right: |
|
21 |
?A \<inter> succ(?k) = (if ?k \<in> ?A then cons(?k, ?A \<inter> ?k) else ?A \<inter> ?k) |
|
22 |
*) |
|
|
14060
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
23 |
|
| 14061 | 24 |
|
25 |
theory AllocImpl = ClientImpl: |
|
|
14060
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
26 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
27 |
consts |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
28 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
29 |
NbR :: i (*number of consumed messages*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
30 |
available_tok :: i (*number of free tokens (T in paper)*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
31 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
32 |
translations |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
33 |
"NbR" == "Var([succ(2)])" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
34 |
"available_tok" == "Var([succ(succ(2))])" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
35 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
36 |
axioms |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
37 |
alloc_type_assumes: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
38 |
"type_of(NbR) = nat & type_of(available_tok)=nat" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
39 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
40 |
alloc_default_val_assumes: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
41 |
"default_val(NbR) = 0 & default_val(available_tok)=0" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
42 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
43 |
constdefs |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
44 |
alloc_giv_act :: i |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
45 |
"alloc_giv_act == |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
46 |
{<s, t> : state*state.
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
47 |
\<exists>k. k = length(s`giv) & |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
48 |
t = s(giv := s`giv @ [nth(k, s`ask)], |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
49 |
available_tok := s`available_tok #- nth(k, s`ask)) & |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
50 |
k < length(s`ask) & nth(k, s`ask) le s`available_tok}" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
51 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
52 |
alloc_rel_act :: i |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
53 |
"alloc_rel_act == |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
54 |
{<s, t> : state*state.
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
55 |
t = s(available_tok := s`available_tok #+ nth(s`NbR, s`rel), |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
56 |
NbR := succ(s`NbR)) & |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
57 |
s`NbR < length(s`rel)}" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
58 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
59 |
(*The initial condition s`giv=[] is missing from the |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
60 |
original definition -- S. O. Ehmety *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
61 |
alloc_prog :: i |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
62 |
"alloc_prog == |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
63 |
mk_program({s:state. s`available_tok=NbT & s`NbR=0 & s`giv=Nil},
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
64 |
{alloc_giv_act, alloc_rel_act},
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
65 |
\<Union>G \<in> preserves(lift(available_tok)) \<inter> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
66 |
preserves(lift(NbR)) \<inter> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
67 |
preserves(lift(giv)). Acts(G))" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
68 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
69 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
70 |
declare alloc_type_assumes [simp] alloc_default_val_assumes [simp] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
71 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
72 |
lemma available_tok_value_type [simp,TC]: "s\<in>state ==> s`available_tok \<in> nat" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
73 |
apply (unfold state_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
74 |
apply (drule_tac a = "available_tok" in apply_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
75 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
76 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
77 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
78 |
lemma NbR_value_type [simp,TC]: "s\<in>state ==> s`NbR \<in> nat" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
79 |
apply (unfold state_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
80 |
apply (drule_tac a = "NbR" in apply_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
81 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
82 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
83 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
84 |
(** The Alloc Program **) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
85 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
86 |
lemma alloc_prog_type [simp,TC]: "alloc_prog \<in> program" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
87 |
apply (simp add: alloc_prog_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
88 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
89 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
90 |
declare alloc_prog_def [THEN def_prg_Init, simp] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
91 |
declare alloc_prog_def [THEN def_prg_AllowedActs, simp] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
92 |
ML |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
93 |
{*
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
94 |
program_defs_ref := [thm"alloc_prog_def"] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
95 |
*} |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
96 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
97 |
declare alloc_giv_act_def [THEN def_act_simp, simp] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
98 |
declare alloc_rel_act_def [THEN def_act_simp, simp] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
99 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
100 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
101 |
lemma alloc_prog_ok_iff: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
102 |
"\<forall>G \<in> program. (alloc_prog ok G) <-> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
103 |
(G \<in> preserves(lift(giv)) & G \<in> preserves(lift(available_tok)) & |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
104 |
G \<in> preserves(lift(NbR)) & alloc_prog \<in> Allowed(G))" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
105 |
by (auto simp add: ok_iff_Allowed alloc_prog_def [THEN def_prg_Allowed]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
106 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
107 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
108 |
lemma alloc_prog_preserves: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
109 |
"alloc_prog \<in> (\<Inter>x \<in> var-{giv, available_tok, NbR}. preserves(lift(x)))"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
110 |
apply (rule Inter_var_DiffI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
111 |
apply (force ); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
112 |
apply (rule ballI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
113 |
apply (rule preservesI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
114 |
apply (constrains) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
115 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
116 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
117 |
(* As a special case of the rule above *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
118 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
119 |
lemma alloc_prog_preserves_rel_ask_tok: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
120 |
"alloc_prog \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
121 |
preserves(lift(rel)) \<inter> preserves(lift(ask)) \<inter> preserves(lift(tok))" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
122 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
123 |
apply (insert alloc_prog_preserves) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
124 |
apply (drule_tac [3] x = "tok" in Inter_var_DiffD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
125 |
apply (drule_tac [2] x = "ask" in Inter_var_DiffD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
126 |
apply (drule_tac x = "rel" in Inter_var_DiffD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
127 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
128 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
129 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
130 |
lemma alloc_prog_Allowed: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
131 |
"Allowed(alloc_prog) = |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
132 |
preserves(lift(giv)) \<inter> preserves(lift(available_tok)) \<inter> preserves(lift(NbR))" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
133 |
apply (cut_tac v="lift(giv)" in preserves_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
134 |
apply (auto simp add: Allowed_def client_prog_def [THEN def_prg_Allowed] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
135 |
cons_Int_distrib safety_prop_Acts_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
136 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
137 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
138 |
(* In particular we have *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
139 |
lemma alloc_prog_ok_client_prog: "alloc_prog ok client_prog" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
140 |
apply (auto simp add: ok_iff_Allowed) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
141 |
apply (cut_tac alloc_prog_preserves) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
142 |
apply (cut_tac [2] client_prog_preserves) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
143 |
apply (auto simp add: alloc_prog_Allowed client_prog_Allowed) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
144 |
apply (drule_tac [6] B = "preserves (lift (NbR))" in InterD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
145 |
apply (drule_tac [5] B = "preserves (lift (available_tok))" in InterD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
146 |
apply (drule_tac [4] B = "preserves (lift (giv))" in InterD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
147 |
apply (drule_tac [3] B = "preserves (lift (tok))" in InterD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
148 |
apply (drule_tac [2] B = "preserves (lift (ask))" in InterD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
149 |
apply (drule_tac B = "preserves (lift (rel))" in InterD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
150 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
151 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
152 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
153 |
(** Safety property: (28) **) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
154 |
lemma alloc_prog_Increasing_giv: "alloc_prog \<in> program guarantees Incr(lift(giv))" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
155 |
apply (auto intro!: increasing_imp_Increasing simp add: guar_def increasing_def alloc_prog_ok_iff alloc_prog_Allowed) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
156 |
apply constrains+ |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
157 |
apply (auto dest: ActsD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
158 |
apply (drule_tac f = "lift (giv) " in preserves_imp_eq) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
159 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
160 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
161 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
162 |
lemma giv_Bounded_lamma1: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
163 |
"alloc_prog \<in> stable({s\<in>state. s`NbR \<le> length(s`rel)} \<inter>
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
164 |
{s\<in>state. s`available_tok #+ tokens(s`giv) =
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
165 |
NbT #+ tokens(take(s`NbR, s`rel))})" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
166 |
apply (constrains) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
167 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
168 |
apply (simp add: diff_add_0 add_commute diff_add_inverse add_assoc add_diff_inverse) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
169 |
apply (simp (no_asm_simp) add: take_succ) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
170 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
171 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
172 |
lemma giv_Bounded_lemma2: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
173 |
"[| G \<in> program; alloc_prog ok G; alloc_prog Join G \<in> Incr(lift(rel)) |] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
174 |
==> alloc_prog Join G \<in> Stable({s\<in>state. s`NbR \<le> length(s`rel)} \<inter>
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
175 |
{s\<in>state. s`available_tok #+ tokens(s`giv) =
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
176 |
NbT #+ tokens(take(s`NbR, s`rel))})" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
177 |
apply (cut_tac giv_Bounded_lamma1) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
178 |
apply (cut_tac alloc_prog_preserves_rel_ask_tok) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
179 |
apply (auto simp add: Collect_conj_eq [symmetric] alloc_prog_ok_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
180 |
apply (subgoal_tac "G \<in> preserves (fun_pair (lift (available_tok), fun_pair (lift (NbR), lift (giv))))") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
181 |
apply (rotate_tac -1) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
182 |
apply (cut_tac A = "nat * nat * list(nat)" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
183 |
and P = "%<m,n,l> y. n \<le> length(y) & |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
184 |
m #+ tokens(l) = NbT #+ tokens(take(n,y))" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
185 |
and g = "lift(rel)" and F = "alloc_prog" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
186 |
in stable_Join_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
187 |
prefer 3 apply assumption; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
188 |
apply (auto simp add: Collect_conj_eq) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
189 |
apply (frule_tac g = "length" in imp_Increasing_comp) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
190 |
apply (blast intro: mono_length) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
191 |
apply (auto simp add: refl_prefix) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
192 |
apply (drule_tac a=xa and f = "length comp lift(rel)" in Increasing_imp_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
193 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
194 |
apply (auto simp add: Le_def length_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
195 |
apply (auto dest: ActsD simp add: Stable_def Constrains_def constrains_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
196 |
apply (drule_tac f = "lift (rel) " in preserves_imp_eq) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
197 |
apply assumption+ |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
198 |
apply (force dest: ActsD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
199 |
apply (erule_tac V = "\<forall>x \<in> Acts (alloc_prog) Un Acts (G). ?P(x)" in thin_rl) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
200 |
apply (erule_tac V = "alloc_prog \<in> stable (?u)" in thin_rl) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
201 |
apply (drule_tac a = "xc`rel" and f = "lift (rel)" in Increasing_imp_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
202 |
apply (auto simp add: Stable_def Constrains_def constrains_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
203 |
apply (drule bspec) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
204 |
apply force |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
205 |
apply (drule subsetD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
206 |
apply (rule imageI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
207 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
208 |
apply (auto simp add: prefix_take_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
209 |
apply (rotate_tac -1) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
210 |
apply (erule ssubst) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
211 |
apply (auto simp add: take_take min_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
212 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
213 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
214 |
(*Property (29), page 18: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
215 |
the number of tokens in circulation never exceeds NbT*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
216 |
lemma alloc_prog_giv_Bounded: "alloc_prog \<in> Incr(lift(rel)) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
217 |
guarantees Always({s\<in>state. tokens(s`giv) \<le> NbT #+ tokens(s`rel)})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
218 |
apply (cut_tac NbT_pos) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
219 |
apply (auto simp add: guar_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
220 |
apply (rule Always_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
221 |
apply (rule AlwaysI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
222 |
apply (rule_tac [2] giv_Bounded_lemma2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
223 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
224 |
apply (rule_tac j = "NbT #+ tokens (take (x` NbR, x`rel))" in le_trans) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
225 |
apply (erule subst) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
226 |
apply (auto intro!: tokens_mono simp add: prefix_take_iff min_def length_take) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
227 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
228 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
229 |
(*Property (30), page 18: the number of tokens given never exceeds the number |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
230 |
asked for*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
231 |
lemma alloc_prog_ask_prefix_giv: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
232 |
"alloc_prog \<in> Incr(lift(ask)) guarantees |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
233 |
Always({s\<in>state. <s`giv, s`ask>:prefix(tokbag)})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
234 |
apply (auto intro!: AlwaysI simp add: guar_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
235 |
apply (subgoal_tac "G \<in> preserves (lift (giv))") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
236 |
prefer 2 apply (simp add: alloc_prog_ok_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
237 |
apply (rule_tac P = "%x y. <x,y>:prefix(tokbag)" and A = "list(nat)" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
238 |
in stable_Join_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
239 |
apply (constrains) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
240 |
prefer 2 apply (simp add: lift_def); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
241 |
apply (clarify ); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
242 |
apply (drule_tac a = "k" in Increasing_imp_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
243 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
244 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
245 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
246 |
(**** Towards proving the liveness property, (31) ****) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
247 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
248 |
(*** First, we lead up to a proof of Lemma 49, page 28. ***) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
249 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
250 |
lemma alloc_prog_transient_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
251 |
"G \<in> program ==> \<forall>k\<in>nat. alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
252 |
transient({s\<in>state. k \<le> length(s`rel)}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
253 |
\<inter> {s\<in>state. succ(s`NbR) = k})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
254 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
255 |
apply (erule_tac V = "G\<notin>?u" in thin_rl) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
256 |
apply (rule_tac act = "alloc_rel_act" in transientI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
257 |
apply (simp (no_asm) add: alloc_prog_def [THEN def_prg_Acts]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
258 |
apply (simp (no_asm) add: alloc_rel_act_def [THEN def_act_eq, THEN act_subset]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
259 |
apply (auto simp add: alloc_prog_def [THEN def_prg_Acts] domain_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
260 |
apply (rule ReplaceI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
261 |
apply (rule_tac x = "x (available_tok:= x`available_tok #+ nth (x`NbR, x`rel), |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
262 |
NbR:=succ (x`NbR))" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
263 |
in exI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
264 |
apply (auto intro!: state_update_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
265 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
266 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
267 |
lemma alloc_prog_rel_Stable_NbR_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
268 |
"[| G \<in> program; alloc_prog ok G; k\<in>nat |] ==> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
269 |
alloc_prog Join G \<in> Stable({s\<in>state . k \<le> succ(s ` NbR)})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
270 |
apply (auto intro!: stable_imp_Stable simp add: alloc_prog_ok_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
271 |
apply constrains |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
272 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
273 |
apply (blast intro: le_trans leI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
274 |
apply (drule_tac f = "lift (NbR)" and A = "nat" in preserves_imp_increasing) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
275 |
apply (drule_tac [2] g = "succ" in imp_increasing_comp) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
276 |
apply (rule_tac [2] mono_succ) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
277 |
apply (drule_tac [4] x = "k" in increasing_imp_stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
278 |
prefer 5 apply (simp add: Le_def comp_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
279 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
280 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
281 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
282 |
lemma alloc_prog_NbR_LeadsTo_lemma [rule_format (no_asm)]: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
283 |
"[| G \<in> program; alloc_prog ok G; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
284 |
alloc_prog Join G \<in> Incr(lift(rel)) |] ==> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
285 |
\<forall>k\<in>nat. alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
286 |
{s\<in>state. k \<le> length(s`rel)} \<inter> {s\<in>state. succ(s`NbR) = k}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
287 |
LeadsTo {s\<in>state. k \<le> s`NbR}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
288 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
289 |
apply (subgoal_tac "alloc_prog Join G \<in> Stable ({s\<in>state. k \<le> length (s`rel) }) ")
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
290 |
apply (drule_tac [2] a = "k" and g1 = "length" in imp_Increasing_comp [THEN Increasing_imp_Stable]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
291 |
apply (rule_tac [2] mono_length) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
292 |
prefer 3 apply (simp add: ); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
293 |
apply (simp_all add: refl_prefix Le_def comp_def length_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
294 |
apply (rule LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
295 |
apply (rule PSP_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
296 |
prefer 2 apply (assumption) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
297 |
apply (rule PSP_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
298 |
apply (rule_tac [2] alloc_prog_rel_Stable_NbR_lemma) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
299 |
apply (rule alloc_prog_transient_lemma [THEN bspec, THEN transient_imp_leadsTo, THEN leadsTo_imp_LeadsTo]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
300 |
apply assumption+ |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
301 |
apply (auto dest: not_lt_imp_le elim: lt_asym simp add: le_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
302 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
303 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
304 |
lemma alloc_prog_NbR_LeadsTo_lemma2 [rule_format]: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
305 |
"[| G :program; alloc_prog ok G; alloc_prog Join G \<in> Incr(lift(rel)) |] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
306 |
==> \<forall>k\<in>nat. \<forall>n \<in> nat. n < k --> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
307 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
308 |
{s\<in>state . k \<le> length(s ` rel)} \<inter> {s\<in>state . s ` NbR = n}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
309 |
LeadsTo {x \<in> state. k \<le> length(x`rel)} \<inter>
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
310 |
(\<Union>m \<in> greater_than(n). {x \<in> state. x ` NbR=m})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
311 |
apply (unfold greater_than_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
312 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
313 |
apply (rule_tac A' = "{x \<in> state. k \<le> length (x`rel) } \<inter> {x \<in> state. n < x`NbR}" in LeadsTo_weaken_R)
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
314 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
315 |
apply (subgoal_tac "alloc_prog Join G \<in> Stable ({s\<in>state. k \<le> length (s`rel) }) ")
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
316 |
apply (drule_tac [2] a = "k" and g1 = "length" in imp_Increasing_comp [THEN Increasing_imp_Stable]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
317 |
apply (rule_tac [2] mono_length) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
318 |
prefer 3 apply (simp add: ); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
319 |
apply (simp_all add: refl_prefix Le_def comp_def length_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
320 |
apply (subst Int_commute) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
321 |
apply (rule_tac A = " ({s \<in> state . k \<le> length (s ` rel) } \<inter> {s\<in>state . s ` NbR = n}) \<inter> {s\<in>state. k \<le> length (s`rel) }" in LeadsTo_weaken_L)
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
322 |
apply (rule PSP_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
323 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
324 |
apply (rule_tac B = "{x \<in> state . n < length (x ` rel) } \<inter> {s\<in>state . s ` NbR = n}" in LeadsTo_Trans)
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
325 |
apply (rule_tac [2] LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
326 |
apply (rule_tac [2] k = "succ (n)" in alloc_prog_NbR_LeadsTo_lemma) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
327 |
apply (simp_all add: ) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
328 |
apply (rule subset_imp_LeadsTo) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
329 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
330 |
apply (blast intro: lt_trans2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
331 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
332 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
333 |
lemma Collect_vimage_eq: "u\<in>nat ==> {<s, f(s)>. s \<in> state} -`` u = {s\<in>state. f(s) < u}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
334 |
apply (force simp add: lt_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
335 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
336 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
337 |
(* Lemma 49, page 28 *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
338 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
339 |
lemma alloc_prog_NbR_LeadsTo_lemma3: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
340 |
"[|G \<in> program; alloc_prog ok G; alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
341 |
k\<in>nat|] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
342 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
343 |
{s\<in>state. k \<le> length(s`rel)} LeadsTo {s\<in>state. k \<le> s`NbR}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
344 |
(* Proof by induction over the difference between k and n *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
345 |
apply (rule_tac f = "\<lambda>s\<in>state. k #- s`NbR" in LessThan_induct) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
346 |
apply (simp_all add: lam_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
347 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
348 |
apply (rule single_LeadsTo_I) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
349 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
350 |
apply (simp (no_asm_simp) add: Collect_vimage_eq) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
351 |
apply (rename_tac "s0") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
352 |
apply (case_tac "s0`NbR < k") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
353 |
apply (rule_tac [2] subset_imp_LeadsTo) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
354 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
355 |
apply (auto dest!: not_lt_imp_le) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
356 |
apply (rule LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
357 |
apply (rule_tac n = "s0`NbR" in alloc_prog_NbR_LeadsTo_lemma2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
358 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
359 |
prefer 3 apply (assumption) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
360 |
apply (auto split add: nat_diff_split simp add: greater_than_def not_lt_imp_le not_le_iff_lt) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
361 |
apply (blast dest: lt_asym) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
362 |
apply (force dest: add_lt_elim2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
363 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
364 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
365 |
(** Towards proving lemma 50, page 29 **) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
366 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
367 |
lemma alloc_prog_giv_Ensures_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
368 |
"[| G \<in> program; k\<in>nat; alloc_prog ok G; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
369 |
alloc_prog Join G \<in> Incr(lift(ask)) |] ==> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
370 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
371 |
{s\<in>state. nth(length(s`giv), s`ask) \<le> s`available_tok} \<inter>
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
372 |
{s\<in>state. k < length(s`ask)} \<inter> {s\<in>state. length(s`giv)=k}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
373 |
Ensures {s\<in>state. ~ k <length(s`ask)} Un {s\<in>state. length(s`giv) \<noteq> k}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
374 |
apply (rule EnsuresI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
375 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
376 |
apply (erule_tac [2] V = "G\<notin>?u" in thin_rl) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
377 |
apply (rule_tac [2] act = "alloc_giv_act" in transientI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
378 |
prefer 2 |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
379 |
apply (simp add: alloc_prog_def [THEN def_prg_Acts]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
380 |
apply (simp add: alloc_giv_act_def [THEN def_act_eq, THEN act_subset]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
381 |
apply (auto simp add: alloc_prog_def [THEN def_prg_Acts] domain_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
382 |
apply (erule_tac [2] swap) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
383 |
apply (rule_tac [2] ReplaceI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
384 |
apply (rule_tac [2] x = "x (giv := x ` giv @ [nth (length(x`giv), x ` ask) ], available_tok := x ` available_tok #- nth (length (x`giv), x ` ask))" in exI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
385 |
apply (auto intro!: state_update_type simp add: app_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
386 |
apply (rule_tac A = "{s\<in>state . nth (length (s ` giv), s ` ask) \<le> s ` available_tok} \<inter> {s\<in>state . k < length (s ` ask) } \<inter> {s\<in>state. length (s`giv) =k}" and A' = "{s\<in>state . nth (length (s ` giv), s ` ask) \<le> s ` available_tok} Un {s\<in>state. ~ k < length (s`ask) } Un {s\<in>state . length (s ` giv) \<noteq> k}" in Constrains_weaken)
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
387 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
388 |
apply (auto dest: ActsD simp add: Constrains_def constrains_def length_app alloc_prog_def [THEN def_prg_Acts] alloc_prog_ok_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
389 |
apply (subgoal_tac "length (xa ` giv @ [nth (length (xa ` giv), xa ` ask) ]) = length (xa ` giv) #+ 1") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
390 |
apply (rule_tac [2] trans) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
391 |
apply (rule_tac [2] length_app) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
392 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
393 |
apply (rule_tac j = "xa ` available_tok" in le_trans) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
394 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
395 |
apply (drule_tac f = "lift (available_tok)" in preserves_imp_eq) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
396 |
apply assumption+ |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
397 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
398 |
apply (drule_tac a = "xa ` ask" and r = "prefix(tokbag)" and A = "list(tokbag)" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
399 |
in Increasing_imp_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
400 |
apply (auto simp add: prefix_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
401 |
apply (drule StableD) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
402 |
apply (auto simp add: Constrains_def constrains_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
403 |
apply force |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
404 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
405 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
406 |
lemma alloc_prog_giv_Stable_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
407 |
"[| G \<in> program; alloc_prog ok G; k\<in>nat |] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
408 |
==> alloc_prog Join G \<in> Stable({s\<in>state . k \<le> length(s`giv)})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
409 |
apply (auto intro!: stable_imp_Stable simp add: alloc_prog_ok_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
410 |
apply (constrains) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
411 |
apply (auto intro: leI simp add: length_app) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
412 |
apply (drule_tac f = "lift (giv)" and g = "length" in imp_preserves_comp) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
413 |
apply (drule_tac f = "length comp lift (giv)" and A = "nat" and r = "Le" in preserves_imp_increasing) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
414 |
apply (drule_tac [2] x = "k" in increasing_imp_stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
415 |
prefer 3 apply (simp add: Le_def comp_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
416 |
apply (auto simp add: length_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
417 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
418 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
419 |
(* Lemma 50, page 29 *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
420 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
421 |
lemma alloc_prog_giv_LeadsTo_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
422 |
"[| G \<in> program; alloc_prog ok G; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
423 |
alloc_prog Join G \<in> Incr(lift(ask)); k\<in>nat |] ==> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
424 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
425 |
{s\<in>state. nth(length(s`giv), s`ask) \<le> s`available_tok} \<inter>
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
426 |
{s\<in>state. k < length(s`ask)} \<inter>
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
427 |
{s\<in>state. length(s`giv) = k}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
428 |
LeadsTo {s\<in>state. k < length(s`giv)}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
429 |
apply (subgoal_tac "alloc_prog Join G \<in> {s\<in>state. nth (length (s`giv), s`ask) \<le> s`available_tok} \<inter> {s\<in>state. k < length (s`ask) } \<inter> {s\<in>state. length (s`giv) = k} LeadsTo {s\<in>state. ~ k <length (s`ask) } Un {s\<in>state. length (s`giv) \<noteq> k}")
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
430 |
prefer 2 apply (blast intro: alloc_prog_giv_Ensures_lemma [THEN LeadsTo_Basis]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
431 |
apply (subgoal_tac "alloc_prog Join G \<in> Stable ({s\<in>state. k < length (s`ask) }) ")
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
432 |
apply (drule PSP_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
433 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
434 |
apply (rule LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
435 |
apply (rule PSP_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
436 |
apply (rule_tac [2] k = "k" in alloc_prog_giv_Stable_lemma) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
437 |
apply (auto simp add: le_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
438 |
apply (drule_tac a = "succ (k)" and g1 = "length" in imp_Increasing_comp [THEN Increasing_imp_Stable]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
439 |
apply (rule mono_length) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
440 |
prefer 2 apply (simp add: ); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
441 |
apply (simp_all add: refl_prefix Le_def comp_def length_type) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
442 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
443 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
444 |
(* Lemma 51, page 29. |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
445 |
This theorem states as invariant that if the number of |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
446 |
tokens given does not exceed the number returned, then the upper limit |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
447 |
(NbT) does not exceed the number currently available.*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
448 |
lemma alloc_prog_Always_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
449 |
"[| G \<in> program; alloc_prog ok G; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
450 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
451 |
alloc_prog Join G \<in> Incr(lift(rel)) |] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
452 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
453 |
Always({s\<in>state. tokens(s`giv) \<le> tokens(take(s`NbR, s`rel)) -->
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
454 |
NbT \<le> s`available_tok})" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
455 |
apply (subgoal_tac "alloc_prog Join G \<in> Always ({s\<in>state. s`NbR \<le> length (s`rel) } \<inter> {s\<in>state. s`available_tok #+ tokens (s`giv) = NbT #+ tokens (take (s`NbR, s`rel))}) ")
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
456 |
apply (rule_tac [2] AlwaysI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
457 |
apply (rule_tac [3] giv_Bounded_lemma2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
458 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
459 |
apply (rule Always_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
460 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
461 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
462 |
apply (subgoal_tac "0 \<le> tokens (take (x ` NbR, x ` rel)) #- tokens (x`giv) ") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
463 |
apply (rule_tac [2] nat_diff_split [THEN iffD2]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
464 |
prefer 2 apply (force ); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
465 |
apply (subgoal_tac "x`available_tok = |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
466 |
NbT #+ (tokens(take(x`NbR,x`rel)) #- tokens (x`giv))") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
467 |
apply (simp (no_asm_simp)) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
468 |
apply (rule nat_diff_split [THEN iffD2]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
469 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
470 |
apply (drule_tac j = "tokens (x ` giv)" in lt_trans2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
471 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
472 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
473 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
474 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
475 |
(* Main lemmas towards proving property (31) *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
476 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
477 |
lemma LeadsTo_strength_R: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
478 |
"[| F \<in> C LeadsTo B'; F \<in> A-C LeadsTo B; B'<=B |] ==> F \<in> A LeadsTo B" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
479 |
by (blast intro: LeadsTo_weaken LeadsTo_Un_Un) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
480 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
481 |
lemma PSP_StableI: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
482 |
"[| F \<in> Stable(C); F \<in> A - C LeadsTo B; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
483 |
F \<in> A \<inter> C LeadsTo B Un (state - C) |] ==> F \<in> A LeadsTo B" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
484 |
apply (rule_tac A = " (A-C) Un (A \<inter> C)" in LeadsTo_weaken_L) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
485 |
prefer 2 apply (blast) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
486 |
apply (rule LeadsTo_Un) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
487 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
488 |
apply (blast intro: LeadsTo_weaken dest: PSP_Stable) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
489 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
490 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
491 |
lemma state_compl_eq [simp]: "state - {s\<in>state. P(s)} = {s\<in>state. ~P(s)}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
492 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
493 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
494 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
495 |
(*needed?*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
496 |
lemma single_state_Diff_eq [simp]: "{s}-{x \<in> state. P(x)} = (if s\<in>state & P(s) then 0 else {s})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
497 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
498 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
499 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
500 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
501 |
(*First step in proof of (31) -- the corrected version from Charpentier. |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
502 |
This lemma implies that if a client releases some tokens then the Allocator |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
503 |
will eventually recognize that they've been released.*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
504 |
lemma alloc_prog_LeadsTo_tokens_take_NbR_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
505 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
506 |
G \<in> program; alloc_prog ok G; k \<in> tokbag |] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
507 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
508 |
{s\<in>state. k \<le> tokens(s`rel)}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
509 |
LeadsTo {s\<in>state. k \<le> tokens(take(s`NbR, s`rel))}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
510 |
apply (rule single_LeadsTo_I) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
511 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
512 |
apply (rule_tac a1 = "s`rel" in Increasing_imp_Stable [THEN PSP_StableI]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
513 |
apply (rule_tac [4] k1 = "length (s`rel)" in alloc_prog_NbR_LeadsTo_lemma3 [THEN LeadsTo_strength_R]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
514 |
apply (rule_tac [8] subset_imp_LeadsTo) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
515 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
516 |
apply (rule_tac j = "tokens (take (length (s`rel), x`rel))" in le_trans) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
517 |
apply (rule_tac j = "tokens (take (length (s`rel), s`rel))" in le_trans) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
518 |
apply (auto intro!: tokens_mono take_mono simp add: prefix_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
519 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
520 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
521 |
(*** Rest of proofs done by lcp ***) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
522 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
523 |
(*Second step in proof of (31): by LHS of the guarantee and transivity of |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
524 |
LeadsTo *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
525 |
lemma alloc_prog_LeadsTo_tokens_take_NbR_lemma2: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
526 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
527 |
G \<in> program; alloc_prog ok G; k \<in> tokbag; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
528 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
529 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
530 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
531 |
{s\<in>state. tokens(s`giv) = k}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
532 |
LeadsTo {s\<in>state. k \<le> tokens(take(s`NbR, s`rel))}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
533 |
apply (rule LeadsTo_Trans) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
534 |
apply (rule_tac [2] alloc_prog_LeadsTo_tokens_take_NbR_lemma) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
535 |
apply (blast intro: LeadsTo_weaken_L nat_into_Ord) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
536 |
apply assumption+ |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
537 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
538 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
539 |
(*Third step in proof of (31): by PSP with the fact that giv increases *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
540 |
lemma alloc_prog_LeadsTo_length_giv_disj: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
541 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
542 |
G \<in> program; alloc_prog ok G; k \<in> tokbag; n \<in> nat; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
543 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
544 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
545 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
546 |
{s\<in>state. length(s`giv) = n & tokens(s`giv) = k}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
547 |
LeadsTo |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
548 |
{s\<in>state. (length(s`giv) = n & tokens(s`giv) = k &
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
549 |
k \<le> tokens(take(s`NbR, s`rel))) | n < length(s`giv)}" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
550 |
apply (rule single_LeadsTo_I) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
551 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
552 |
apply (rule_tac a1 = "s`giv" in Increasing_imp_Stable [THEN PSP_StableI]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
553 |
apply (rule alloc_prog_Increasing_giv [THEN guaranteesD]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
554 |
apply (simp_all add: Int_cons_left) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
555 |
apply (rule LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
556 |
apply (rule_tac k = "tokens (s`giv)" in alloc_prog_LeadsTo_tokens_take_NbR_lemma2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
557 |
apply simp_all |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
558 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
559 |
apply (drule prefix_length_le [THEN le_iff [THEN iffD1]]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
560 |
apply (force simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
561 |
apply (simp add: not_lt_iff_le) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
562 |
apply (drule prefix_length_le_equal) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
563 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
564 |
apply (simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
565 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
566 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
567 |
(*Fourth step in proof of (31): we apply lemma (51) *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
568 |
lemma alloc_prog_LeadsTo_length_giv_disj2: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
569 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
570 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
571 |
G \<in> program; alloc_prog ok G; k \<in> tokbag; n \<in> nat; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
572 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
573 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
574 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
575 |
{s\<in>state. length(s`giv) = n & tokens(s`giv) = k}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
576 |
LeadsTo |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
577 |
{s\<in>state. (length(s`giv) = n & NbT \<le> s`available_tok) |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
578 |
n < length(s`giv)}" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
579 |
apply (rule LeadsTo_weaken_R) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
580 |
apply (rule Always_LeadsToD [OF alloc_prog_Always_lemma alloc_prog_LeadsTo_length_giv_disj]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
581 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
582 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
583 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
584 |
(*Fifth step in proof of (31): from the fourth step, taking the union over all |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
585 |
k\<in>nat *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
586 |
lemma alloc_prog_LeadsTo_length_giv_disj3: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
587 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
588 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
589 |
G \<in> program; alloc_prog ok G; n \<in> nat; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
590 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
591 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
592 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
593 |
{s\<in>state. length(s`giv) = n}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
594 |
LeadsTo |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
595 |
{s\<in>state. (length(s`giv) = n & NbT \<le> s`available_tok) |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
596 |
n < length(s`giv)}" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
597 |
apply (rule LeadsTo_weaken_L) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
598 |
apply (rule_tac I = "nat" in LeadsTo_UN) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
599 |
apply (rule_tac k = "i" in alloc_prog_LeadsTo_length_giv_disj2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
600 |
apply (simp_all add: UN_conj_eq) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
601 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
602 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
603 |
(*Sixth step in proof of (31): from the fifth step, by PSP with the |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
604 |
assumption that ask increases *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
605 |
lemma alloc_prog_LeadsTo_length_ask_giv: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
606 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
607 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
608 |
G \<in> program; alloc_prog ok G; k \<in> nat; n < k; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
609 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
610 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
611 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
612 |
{s\<in>state. length(s`ask) = k & length(s`giv) = n}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
613 |
LeadsTo |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
614 |
{s\<in>state. (NbT \<le> s`available_tok & length(s`giv) < length(s`ask) &
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
615 |
length(s`giv) = n) | |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
616 |
n < length(s`giv)}" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
617 |
apply (rule single_LeadsTo_I) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
618 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
619 |
apply (rule_tac a1 = "s`ask" and f1 = "lift (ask)" in Increasing_imp_Stable [THEN PSP_StableI]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
620 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
621 |
apply simp_all |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
622 |
apply (rule LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
623 |
apply (rule_tac n = "length (s ` giv)" in alloc_prog_LeadsTo_length_giv_disj3) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
624 |
apply simp_all |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
625 |
apply (blast intro:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
626 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
627 |
apply (simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
628 |
apply (blast dest!: prefix_length_le intro: lt_trans2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
629 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
630 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
631 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
632 |
(*Seventh step in proof of (31): no request (ask[k]) exceeds NbT *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
633 |
lemma alloc_prog_LeadsTo_length_ask_giv2: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
634 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
635 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
636 |
G \<in> program; alloc_prog ok G; k \<in> nat; n < k; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
637 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
638 |
Always(\<Inter>k \<in> nat. {s\<in>state. nth(k, s`ask) \<le> NbT});
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
639 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
640 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
641 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
642 |
{s\<in>state. length(s`ask) = k & length(s`giv) = n}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
643 |
LeadsTo |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
644 |
{s\<in>state. (nth(length(s`giv), s`ask) \<le> s`available_tok &
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
645 |
length(s`giv) < length(s`ask) & length(s`giv) = n) | |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
646 |
n < length(s`giv)}" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
647 |
apply (rule LeadsTo_weaken_R) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
648 |
apply (erule Always_LeadsToD [OF asm_rl alloc_prog_LeadsTo_length_ask_giv]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
649 |
apply assumption+ |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
650 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
651 |
apply (simp add: INT_iff) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
652 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
653 |
apply (drule_tac x = "length (x ` giv)" and P = "%x. ?f (x) \<le> NbT" in bspec) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
654 |
apply (simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
655 |
apply (blast intro: le_trans) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
656 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
657 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
658 |
(*Eighth step in proof of (31): by (50), we get |giv| > n. *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
659 |
lemma alloc_prog_LeadsTo_extend_giv: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
660 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
661 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
662 |
G \<in> program; alloc_prog ok G; k \<in> nat; n < k; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
663 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
664 |
Always(\<Inter>k \<in> nat. {s\<in>state. nth(k, s`ask) \<le> NbT});
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
665 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
666 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
667 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
668 |
{s\<in>state. length(s`ask) = k & length(s`giv) = n}
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
669 |
LeadsTo {s\<in>state. n < length(s`giv)}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
670 |
apply (rule LeadsTo_Un_duplicate) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
671 |
apply (rule LeadsTo_cancel1) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
672 |
apply (rule_tac [2] alloc_prog_giv_LeadsTo_lemma) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
673 |
apply safe; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
674 |
prefer 2 apply (simp add: lt_nat_in_nat) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
675 |
apply (rule LeadsTo_weaken_R) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
676 |
apply (rule alloc_prog_LeadsTo_length_ask_giv2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
677 |
apply auto |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
678 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
679 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
680 |
(*Ninth and tenth steps in proof of (31): by (50), we get |giv| > n. |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
681 |
The report has an error: putting |ask|=k for the precondition fails because |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
682 |
we can't expect |ask| to remain fixed until |giv| increases.*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
683 |
lemma alloc_prog_ask_LeadsTo_giv: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
684 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
685 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
686 |
G \<in> program; alloc_prog ok G; k \<in> nat; |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
687 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
688 |
Always(\<Inter>k \<in> nat. {s\<in>state. nth(k, s`ask) \<le> NbT});
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
689 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
690 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo {s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
691 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
692 |
{s\<in>state. k \<le> length(s`ask)} LeadsTo {s\<in>state. k \<le> length(s`giv)}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
693 |
(* Proof by induction over the difference between k and n *) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
694 |
apply (rule_tac f = "\<lambda>s\<in>state. k #- length (s`giv)" in LessThan_induct) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
695 |
apply (simp_all add: lam_def) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
696 |
prefer 2 apply (force) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
697 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
698 |
apply (simp add: Collect_vimage_eq) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
699 |
apply (rule single_LeadsTo_I) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
700 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
701 |
apply simp |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
702 |
apply (rename_tac "s0") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
703 |
apply (case_tac "length (s0 ` giv) < length (s0 ` ask) ") |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
704 |
apply (rule_tac [2] subset_imp_LeadsTo) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
705 |
apply safe |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
706 |
prefer 2 |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
707 |
apply (simp add: not_lt_iff_le) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
708 |
apply (blast dest: le_imp_not_lt intro: lt_trans2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
709 |
apply (rule_tac a1 = "s0`ask" and f1 = "lift (ask)" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
710 |
in Increasing_imp_Stable [THEN PSP_StableI]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
711 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
712 |
apply (simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
713 |
apply (force simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
714 |
apply (rule LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
715 |
apply (rule_tac n = "length (s0 ` giv)" and k = "length (s0 ` ask)" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
716 |
in alloc_prog_LeadsTo_extend_giv) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
717 |
apply simp_all |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
718 |
apply (force simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
719 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
720 |
apply (simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
721 |
apply (erule disjE) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
722 |
apply (blast dest!: prefix_length_le intro: lt_trans2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
723 |
apply (rule not_lt_imp_le) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
724 |
apply clarify |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
725 |
apply (simp_all add: leI diff_lt_iff_lt) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
726 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
727 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
728 |
(*Final lemma: combine previous result with lemma (30)*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
729 |
lemma alloc_prog_progress_lemma: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
730 |
"[| alloc_prog Join G \<in> Incr(lift(rel)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
731 |
alloc_prog Join G \<in> Incr(lift(ask)); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
732 |
G \<in> program; alloc_prog ok G; h \<in> list(tokbag); |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
733 |
alloc_prog Join G \<in> Always(\<Inter>k \<in> nat. {s\<in>state. nth(k, s`ask) \<le> NbT});
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
734 |
alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
735 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
736 |
{s\<in>state. k \<le> tokens(s`rel)}) |]
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
737 |
==> alloc_prog Join G \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
738 |
{s\<in>state. <h, s`ask> \<in> prefix(tokbag)} LeadsTo
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
739 |
{s\<in>state. <h, s`giv> \<in> prefix(tokbag)}"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
740 |
apply (rule single_LeadsTo_I) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
741 |
prefer 2 apply (simp) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
742 |
apply (rename_tac s0) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
743 |
apply (rule_tac a1 = "s0`ask" and f1 = "lift (ask)" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
744 |
in Increasing_imp_Stable [THEN PSP_StableI]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
745 |
apply assumption |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
746 |
prefer 2 apply (force simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
747 |
apply (simp_all add: Int_cons_left) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
748 |
apply (rule LeadsTo_weaken) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
749 |
apply (rule_tac k1 = "length (s0 ` ask)" |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
750 |
in Always_LeadsToD [OF alloc_prog_ask_prefix_giv [THEN guaranteesD] |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
751 |
alloc_prog_ask_LeadsTo_giv]) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
752 |
apply simp_all |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
753 |
apply (force simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
754 |
apply (force simp add:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
755 |
apply (blast intro: length_le_prefix_imp_prefix prefix_trans prefix_length_le lt_trans2) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
756 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
757 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
758 |
(** alloc_prog liveness property (31), page 18 **) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
759 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
760 |
(*missing the LeadsTo assumption on the lhs!?!?!*) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
761 |
lemma alloc_prog_progress: |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
762 |
"alloc_prog \<in> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
763 |
Incr(lift(ask)) \<inter> Incr(lift(rel)) \<inter> |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
764 |
Always(\<Inter>k \<in> nat. {s\<in>state. nth(k, s`ask) \<le> NbT}) \<inter>
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
765 |
(\<Inter>k\<in>nat. {s\<in>state. k \<le> tokens(s`giv)} LeadsTo
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
766 |
{s\<in>state. k \<le> tokens(s`rel)})
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
767 |
guarantees (\<Inter>h \<in> list(tokbag). |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
768 |
{s\<in>state. <h, s`ask> \<in> prefix(tokbag)} LeadsTo
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
769 |
{s\<in>state. <h, s`giv> \<in> prefix(tokbag)})"
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
770 |
apply (rule guaranteesI) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
771 |
apply (rule INT_I) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
772 |
apply (rule alloc_prog_progress_lemma) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
773 |
apply simp_all |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
774 |
apply (blast intro:) |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
775 |
done |
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
776 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
777 |
|
|
c0c4af41fa3b
Adding the theory UNITY/AllocImpl.thy, with supporting lemmas
paulson
parents:
diff
changeset
|
778 |
end |