src/HOL/TLA/Memory/MemoryImplementation.thy
author wenzelm
Thu, 15 Feb 2018 12:11:00 +0100
changeset 67613 ce654b0e6d69
parent 62146 324bc1ffba12
child 69597 ff784d5a5bfb
permissions -rw-r--r--
more symbols;
(*  Title:      HOL/TLA/Memory/MemoryImplementation.thy
    Author:     Stephan Merz, University of Munich
*)

section \<open>RPC-Memory example: Memory implementation\<close>

(* The implementation is the composition of the three imported components:
   the reliable memory (Memory), the RPC component (RPC) and the memory clerk (MemClerk). *)
theory MemoryImplementation
imports Memory RPC MemClerk
begin

(* two-valued history variable; HNext below switches it between histA and histB *)
datatype histState = histA | histB

type_synonym histType = "(PrIds \<Rightarrow> histState) stfun"  (* the type of the history variable *)

consts
  (* the specification *)
     (* channel (external) *)
  memCh         :: "memChType"
     (* internal variables *)
  mm            :: "memType"

  (* the state variables of the implementation *)
     (* channels *)
  (* same interface channel memCh *)
  (* crCh: clerk (caller) to RPC (returner); rmCh: RPC (caller) to memory (returner),
     cf. the state-function tuples c, r and m defined below *)
  crCh          :: "rpcSndChType"
  rmCh          :: "rpcRcvChType"
     (* internal variables *)
  (* identity refinement mapping for mm -- simply reused *)
  rst           :: "rpcStType"
  cst           :: "mClkStType"
  ires          :: "resType"

definition
  (* auxiliary predicates *)
  (* memory value, OK, BadArg or RPCFailure: the results admitted on crCh in S below *)
  MVOKBARF      :: "Vals \<Rightarrow> bool"
  where "MVOKBARF v \<longleftrightarrow> (v \<in> MemVal) \<or> (v = OK) \<or> (v = BadArg) \<or> (v = RPCFailure)"

definition
  (* memory value, OK or BadArg: the results admitted on rmCh in S below *)
  MVOKBA        :: "Vals \<Rightarrow> bool"
  where "MVOKBA v \<longleftrightarrow> (v \<in> MemVal) \<or> (v = OK) \<or> (v = BadArg)"

definition
  (* as MVOKBA, additionally allowing NotAResult: the values admitted for ires in S below *)
  MVNROKBA      :: "Vals \<Rightarrow> bool"
  where "MVNROKBA v \<longleftrightarrow> (v \<in> MemVal) \<or> (v = NotAResult) \<or> (v = OK) \<or> (v = BadArg)"

definition
  (* tuples of state functions changed by the various components *)
  (* e p: the environment's part of the state for process p, subscript of [ENext p]_(e p) *)
  e             :: "PrIds => (bit * memOp) stfun"
  where "e p = PRED (caller memCh!p)"

definition
  (* c p: the clerk's part of the state for process p (its control state, the returner
     side of memCh and the caller side of crCh), subscript of [MClkNext ...]_(c p) *)
  c             :: "PrIds \<Rightarrow> (mClkState * (bit * Vals) * (bit * rpcOp)) stfun"
  where "c p = PRED (cst!p, rtrner memCh!p, caller crCh!p)"

definition
  (* r p: the RPC component's part of the state for process p (its control state, the
     returner side of crCh and the caller side of rmCh), subscript of [RPCNext ...]_(r p) *)
  r             :: "PrIds \<Rightarrow> (rpcState * (bit * Vals) * (bit * memOp)) stfun"
  where "r p = PRED (rst!p, rtrner crCh!p, caller rmCh!p)"

definition
  (* m p: the memory's part of the state for process p (the returner side of rmCh and
     the internal result ires), subscript of [RNext ...]_(m p) *)
  m             :: "PrIds \<Rightarrow> ((bit * Vals) * Vals) stfun"
  where "m p = PRED (rtrner rmCh!p, ires!p)"

definition
  (* the environment action *)
  (* the environment only ever issues read calls, for some location l in MemLoc *)
  ENext         :: "PrIds \<Rightarrow> action"
  where "ENext p = ACT (\<exists>l. #l \<in> #MemLoc \<and> Call memCh p #(read l))"


definition
  (* specification of the history variable *)
  (* the history variable starts out as histA for every process *)
  HInit         :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "HInit rmhist p = PRED rmhist!p = #histA"

definition
  (* history transitions: a memory return or an RPC failure sets histB, the clerk's
     reply resets histA, any other step leaves the history unchanged *)
  HNext         :: "histType \<Rightarrow> PrIds \<Rightarrow> action"
  where "HNext rmhist p = ACT (rmhist!p)$ =
                     (if (MemReturn rmCh ires p \<or> RPCFail crCh rmCh rst p)
                      then #histB
                      else if (MClkReply memCh crCh cst p)
                           then #histA
                           else $(rmhist!p))"

definition
  (* history specification for one process: HInit initially, and every step either
     satisfies HNext or leaves (c p, r p, m p, rmhist!p) unchanged *)
  HistP         :: "histType \<Rightarrow> PrIds \<Rightarrow> temporal"
  where "HistP rmhist p = (TEMP Init HInit rmhist p
                           \<and> \<box>[HNext rmhist p]_(c p,r p,m p, rmhist!p))"

definition
  (* history specification for all processes *)
  Hist          :: "histType \<Rightarrow> temporal"
  where "Hist rmhist = TEMP (\<forall>p. HistP rmhist p)"

definition
  (* the implementation *)
  (* per-process view: the environment's read calls on memCh together with the
     per-process clerk, RPC and memory specifications; the memory spec is stated
     per location l *)
  IPImp          :: "PrIds \<Rightarrow> temporal"
  where "IPImp p = (TEMP (  Init \<not>Calling memCh p \<and> \<box>[ENext p]_(e p)
                       \<and> MClkIPSpec memCh crCh cst p
                       \<and> RPCIPSpec crCh rmCh rst p
                       \<and> RPSpec rmCh mm ires p
                       \<and> (\<forall>l. #l \<in> #MemLoc \<longrightarrow> MSpec rmCh mm ires l)))"

definition
  (* initial condition of the implementation for process p: no call pending on memCh,
     and the clerk, RPC and memory components in their initial states *)
  ImpInit        :: "PrIds \<Rightarrow> stpred"
  where "ImpInit p = PRED (  \<not>Calling memCh p
                          \<and> MClkInit crCh cst p
                          \<and> RPCInit rmCh rst p
                          \<and> PInit ires p)"

definition
  (* next-state relation for process p: each component either takes its own step or
     leaves its own state tuple (e p, c p, r p, m p) unchanged *)
  ImpNext        :: "PrIds \<Rightarrow> action"
  where "ImpNext p = (ACT  [ENext p]_(e p)
                       \<and> [MClkNext memCh crCh cst p]_(c p)
                       \<and> [RPCNext crCh rmCh rst p]_(r p)
                       \<and> [RNext rmCh mm ires p]_(m p))"

definition
  (* fairness assumptions for process p: weak fairness for the clerk's forwarding, the
     RPC and memory steps and the memory's return; strong fairness for the clerk's reply *)
  ImpLive        :: "PrIds \<Rightarrow> temporal"
  where "ImpLive p = (TEMP  WF(MClkFwd memCh crCh cst p)_(c p)
                        \<and> SF(MClkReply memCh crCh cst p)_(c p)
                        \<and> WF(RPCNext crCh rmCh rst p)_(r p)
                        \<and> WF(RNext rmCh mm ires p)_(m p)
                        \<and> WF(MemReturn rmCh ires p)_(m p))"

definition
  (* the complete implementation: environment behaviour for every process, plus the
     component specifications quantified over all processes (MClkISpec, RPCISpec,
     IRSpec -- not the per-process variants used in IPImp) *)
  Implementation :: "temporal"
  where "Implementation = (TEMP ( (\<forall>p. Init (\<not>Calling memCh p) \<and> \<box>[ENext p]_(e p))
                               \<and> MClkISpec memCh crCh cst
                               \<and> RPCISpec crCh rmCh rst
                               \<and> IRSpec rmCh mm ires))"

definition
  (* the predicate S describes the states of the implementation.
     slight simplification: two "histState" parameters instead of a
     (one- or two-element) set.
     NB: The second conjunct of the definition in the paper is taken care of by
     the type definitions. The last conjunct is asserted separately as the memory
     invariant MemInv, proved in Memory.thy. *)
  (* parameters: ecalling/ccalling/rcalling fix Calling on memCh/crCh/rmCh, cs and rs
     fix the clerk's and the RPC component's control state, hs1/hs2 are the admissible
     values of the history variable; the remaining conjuncts relate the arguments and
     results on adjacent channels *)
  S :: "histType \<Rightarrow> bool \<Rightarrow> bool \<Rightarrow> bool \<Rightarrow> mClkState \<Rightarrow> rpcState \<Rightarrow> histState \<Rightarrow> histState \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "S rmhist ecalling ccalling rcalling cs rs hs1 hs2 p = (PRED
                Calling memCh p = #ecalling
              \<and> Calling crCh p  = #ccalling
              \<and> (#ccalling \<longrightarrow> arg<crCh!p> = MClkRelayArg<arg<memCh!p>>)
              \<and> (\<not> #ccalling \<and> cst!p = #clkB \<longrightarrow> MVOKBARF<res<crCh!p>>)
              \<and> Calling rmCh p  = #rcalling
              \<and> (#rcalling \<longrightarrow> arg<rmCh!p> = RPCRelayArg<arg<crCh!p>>)
              \<and> (\<not> #rcalling \<longrightarrow> ires!p = #NotAResult)
              \<and> (\<not> #rcalling \<and> rst!p = #rpcB \<longrightarrow> MVOKBA<res<rmCh!p>>)
              \<and> cst!p = #cs
              \<and> rst!p = #rs
              \<and> (rmhist!p = #hs1 \<or> rmhist!p = #hs2)
              \<and> MVNROKBA<ires!p>)"

definition
  (* predicates S1 -- S6 define special instances of S *)
  (* S1: Calling holds on none of memCh, crCh, rmCh; clerk in clkA, RPC in rpcA, history histA *)
  S1            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "S1 rmhist p = S rmhist False False False clkA rpcA histA histA p"

definition
  (* S2: Calling holds on memCh only; clerk still in clkA, RPC in rpcA, history histA *)
  S2            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "S2 rmhist p = S rmhist True False False clkA rpcA histA histA p"

definition
  (* S3: Calling holds on memCh and crCh; clerk in clkB, RPC in rpcA, history histA or histB *)
  S3            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "S3 rmhist p = S rmhist True True False clkB rpcA histA histB p"

definition
  (* S4: Calling holds on all three channels; clerk in clkB, RPC in rpcB, history histA or histB *)
  S4            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "S4 rmhist p = S rmhist True True True clkB rpcB histA histB p"

definition
  (* S5: Calling holds on memCh and crCh; clerk in clkB, RPC in rpcB, history histB *)
  S5            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "S5 rmhist p = S rmhist True True False clkB rpcB histB histB p"

definition
  (* S6: Calling holds on memCh only; clerk in clkB, RPC in rpcA, history histB *)
  S6            :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "S6 rmhist p = S rmhist True False False clkB rpcA histB histB p"

definition
  (* The invariant asserts that the system is always in one of S1 - S6, for every p *)
  ImpInv         :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
  where "ImpInv rmhist p = (PRED (S1 rmhist p \<or> S2 rmhist p \<or> S3 rmhist p
                                \<or> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p))"

definition
  (* the result the abstract (unreliable) memory is deemed to hold, by case distinction
     on S1 -- S6 (the same cases as ImpInv); a history value histB after a memory return
     or RPC failure, and an RPCFailure on crCh, are mapped to MemFailure.
     NOTE(review): `|` and `&` here are the ASCII forms of \<or> and \<and>. *)
  resbar        :: "histType \<Rightarrow> resType"        (* refinement mapping *)
  where"resbar rmhist s p =
                  (if (S1 rmhist p s | S2 rmhist p s)
                   then ires s p
                   else if S3 rmhist p s
                   then if rmhist s p = histA
                        then ires s p else MemFailure
                   else if S4 rmhist p s
                   then if (rmhist s p = histB & ires s p = NotAResult)
                        then MemFailure else ires s p
                   else if S5 rmhist p s
                   then res (rmCh s p)
                   else if S6 rmhist p s
                   then if res (crCh s p) = RPCFailure
                        then MemFailure else res (crCh s p)
                   else NotAResult)" (* dummy value *)

(* NOTE(review): this is an axiom, not a theorem -- the one trust assumption this theory
   adds on top of its imports. It asserts that the listed state components are "base"
   variables (roughly: any combination of values for them is a state), which is what
   HistoryLemma below needs (rule historyI) to introduce the history variable rmhist.
   p and l are free, so the axiom is stated for every process index and location. *)
axiomatization where
  (* the "base" variables: everything except resbar and hist (for any index) *)
  MI_base:       "basevars (caller memCh!p,
                           (rtrner memCh!p, caller crCh!p, cst!p),
                           (rtrner crCh!p, caller rmCh!p, rst!p),
                           (mm!l, rtrner rmCh!p, ires!p))"

(*
    The main theorem is theorem "Implementation" at the end of this file,
    which shows that the composition of a reliable memory, an RPC component, and
    a memory clerk implements an unreliable memory. The files "MIsafe.thy" and
    "MIlive.thy" contain lower-level lemmas for the safety and liveness parts.

    Steps are (roughly) numbered as in the hand proof.
*)

(* --------------------------- automatic prover --------------------------- *)

(* NOTE(review): dropping if_weak_cong from the congruence rules lets the simplifier
   rewrite inside both branches of an if-then-else, not only its condition *)
declare if_weak_cong [cong del]

(* A more aggressive variant that tries to solve subgoals by assumption
   or contradiction during the simplification.
   THIS IS UNSAFE, BECAUSE IT DOESN'T RECORD THE CHOICES!!
   (but it can be a lot faster than the default setup)
   NOTE(review): "unsafe" in the tactic sense -- without backtracking it may fail on
   provable goals; it cannot prove a false one, every step still goes through the kernel.
*)
ML \<open>
  (* configuration flag, off by default; switch it on per proof with the
     [[fast_solver]] attribute *)
  val config_fast_solver = Attrib.setup_config_bool @{binding fast_solver} (K false);
  (* solver consulted by the simplifier: with the flag set, close the goal by
     assumption or by eliminating a contradictory negation (notE); otherwise do nothing *)
  val fast_solver = mk_solver "fast_solver" (fn ctxt =>
    if Config.get ctxt config_fast_solver
    then assume_tac ctxt ORELSE' (eresolve_tac ctxt [notE])
    else K no_tac);
\<close>

(* install fast_solver in the theory's default simpset (addSSolver: the safe-solver slot);
   it stays inert until the fast_solver option is switched on *)
setup \<open>map_theory_simpset (fn ctxt => ctxt addSSolver fast_solver)\<close>

(* temp_elim: the elimination form (make_elim) of a theorem processed by temp_use *)
ML \<open>val temp_elim = make_elim oo temp_use\<close>



(****************************** The history variable ******************************)

section "History variable"

(* Adding the history variable: every behaviour satisfying ImpInit/ImpNext for all p
   can be extended with some rmhist that satisfies HInit and HNext for all p. *)
lemma HistoryLemma: "\<turnstile> Init(\<forall>p. ImpInit p) \<and> \<box>(\<forall>p. ImpNext p)
         \<longrightarrow> (\<exists>\<exists>rmhist. Init(\<forall>p. HInit rmhist p)
                          \<and> \<box>(\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))"
  apply clarsimp
  apply (rule historyI)
      apply assumption+
  (* the base-variables subgoal of historyI is discharged by the axiom MI_base *)
  apply (rule MI_base)
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HInit_def}]) [] [] 1\<close>)
   apply (erule fun_cong)
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def}])
    [@{thm busy_squareI}] [] 1\<close>)
  apply (erule fun_cong)
  done

(* The implementation admits a history variable satisfying Hist. Obtained from
   HistoryLemma by monotonicity of the temporal existential (eex_mono), after
   unfolding the component specifications so that ImpInit and ImpNext appear. *)
lemma History: "\<turnstile> Implementation \<longrightarrow> (\<exists>\<exists>rmhist. Hist rmhist)"
  apply clarsimp
  apply (rule HistoryLemma [temp_use, THEN eex_mono])
    prefer 3
    apply (force simp: Hist_def HistP_def Init_def all_box [try_rewrite]
      split_box_conj [try_rewrite])
   apply (auto simp: Implementation_def MClkISpec_def RPCISpec_def
     IRSpec_def MClkIPSpec_def RPCIPSpec_def RPSpec_def ImpInit_def
     Init_def ImpNext_def c_def r_def m_def all_box [temp_use] split_box_conj [temp_use])
  done

(******************************** The safety part *********************************)
section "The safety part"
(* ------------------------- Include lower-level lemmas ------------------------- *)
(* RPCFailure notin MemVals U {OK,BadArg} *)
(* Value-domain fact: a MVOKBA value (memory values plus OK and BadArg) is never
   RPCFailure. Used to discharge case distinctions on returned values. *)
lemma MVOKBAnotRF: "MVOKBA x \<Longrightarrow> x \<noteq> RPCFailure"
  apply (unfold MVOKBA_def)
  apply auto
  done

(* NotAResult notin MemVals U {OK,BadArg,RPCFailure} *)
(* Value-domain fact: a MVOKBARF value (memory values plus OK, BadArg and
   RPCFailure) is never NotAResult. *)
lemma MVOKBARFnotNR: "MVOKBARF x \<Longrightarrow> x \<noteq> NotAResult"
  apply (unfold MVOKBARF_def)
  apply auto
  done

(* ================ Si's are mutually exclusive ================================ *)
(* Si and Sj are mutually exclusive for i \<noteq> j. This helps to simplify the big
   conditional in the definition of resbar when doing the step-simulation proof.
   We prove a weaker result, which suffices for our purposes:
   Si implies (not Sj), for j<i.
*)
(* --- not used ---
lemma S1_excl: "\<turnstile> S1 rmhist p \<longrightarrow> S1 rmhist p & \<not>S2 rmhist p & \<not>S3 rmhist p &
    \<not>S4 rmhist p & \<not>S5 rmhist p & \<not>S6 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def)
*)
(* S2 excludes the lower-numbered state S1. *)
lemma S2_excl: "\<turnstile> S2 rmhist p \<longrightarrow> S2 rmhist p \<and> \<not>S1 rmhist p"
  by (auto simp: S_def S1_def S2_def)

(* S3 excludes the lower-numbered states S1 and S2. *)
lemma S3_excl: "\<turnstile> S3 rmhist p \<longrightarrow> S3 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def)

(* S4 excludes the lower-numbered states S1, S2 and S3. *)
lemma S4_excl: "\<turnstile> S4 rmhist p \<longrightarrow> S4 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p \<and> \<not>S3 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def S4_def)

(* S5 excludes the lower-numbered states S1 to S4. *)
lemma S5_excl: "\<turnstile> S5 rmhist p \<longrightarrow> S5 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p
                         \<and> \<not>S3 rmhist p \<and> \<not>S4 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def)

(* S6 excludes the lower-numbered states S1 to S5. Together with S2_excl to
   S5_excl this is the "Si implies not Sj for j < i" form of mutual exclusion. *)
lemma S6_excl: "\<turnstile> S6 rmhist p \<longrightarrow> S6 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p
                         \<and> \<not>S3 rmhist p \<and> \<not>S4 rmhist p \<and> \<not>S5 rmhist p"
  by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def)


(* ==================== Lemmas about the environment ============================== *)
(* While a call on memCh p is pending ($Calling memCh p), the environment cannot
   take an ENext p step. Follows by unfolding ENext and ACall. *)
lemma Envbusy: "\<turnstile> $(Calling memCh p) \<longrightarrow> \<not>ENext p"
  by (auto simp: ENext_def ACall_def)

(* ==================== Lemmas about the implementation's states ==================== *)
(* The following series of lemmas is used in establishing the implementation's
   next-state relation (Step 1.2 of the proof in the paper). For each state Si, we
   determine which component actions are possible and what state they result in.
*)
(* ------------------------------ State S1 ---------------------------------------- *)
(* S1 + environment step: an ENext p action with c p, r p, m p and rmhist!p
   unchanged moves process p into S2. *)
lemma S1Env: "\<turnstile> ENext p \<and> $(S1 rmhist p) \<and> unchanged (c p, r p, m p, rmhist!p)
         \<longrightarrow> (S2 rmhist p)$"
  by (force simp: ENext_def ACall_def c_def r_def m_def
    caller_def rtrner_def MVNROKBA_def S_def S1_def S2_def Calling_def)

(* S1: the clerk is idle (MClkidle), so a [MClkNext]_(c p) step, stuttering
   included, leaves c p unchanged. [[fast_solver]] switches on the fast_solver
   configuration option for this proof only. *)
lemma S1ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S1 rmhist p) \<longrightarrow> unchanged (c p)"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] dest!: MClkidle [temp_use] simp: S_def S1_def)

(* S1: the RPC component is idle (RPCidle), so a [RPCNext]_(r p) step leaves
   r p unchanged. *)
lemma S1RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $(S1 rmhist p) \<longrightarrow> unchanged (r p)"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] dest!: RPCidle [temp_use] simp: S_def S1_def)

(* S1: the memory is idle (Memoryidle), so an [RNext]_(m p) step leaves
   m p unchanged. *)
lemma S1MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S1 rmhist p) \<longrightarrow> unchanged (m p)"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] dest!: Memoryidle [temp_use] simp: S_def S1_def)

(* S1: a [HNext]_(c p, r p, m p, rmhist!p) step leaves the history variable
   unchanged. Proved by unfolding HNext and the actions it refers to (MemReturn,
   RPCFail, MClkReply, AReturn) and eliminating the square with squareE. *)
lemma S1Hist: "\<turnstile> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> $(S1 rmhist p)
         \<longrightarrow> unchanged (rmhist!p)"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm S_def},
    @{thm S1_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def},
    @{thm AReturn_def}]) [] [temp_use @{context} @{thm squareE}] 1\<close>)


(* ------------------------------ State S2 ---------------------------------------- *)
(* S2: the environment is blocked (Envbusy), so an [ENext]_(e p) step leaves
   e p unchanged. *)
lemma S2EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S2 rmhist p) \<longrightarrow> unchanged (e p)"
  by (auto dest!: Envbusy [temp_use] simp: S_def S2_def)

(* S2: a clerk step MClkNext must be a forward (MClkFwd); the other alternatives
   of MClkNext are ruled out by unfolding MClkRetry and MClkReply. *)
lemma S2Clerk: "\<turnstile> MClkNext memCh crCh cst p \<and> $(S2 rmhist p) \<longrightarrow> MClkFwd memCh crCh cst p"
  by (auto simp: MClkNext_def MClkRetry_def MClkReply_def S_def S2_def)

(* S2 + clerk forward: a MClkFwd step with e p, r p, m p and rmhist!p unchanged
   moves process p into S3. *)
lemma S2Forward: "\<turnstile> $(S2 rmhist p) \<and> MClkFwd memCh crCh cst p
         \<and> unchanged (e p, r p, m p, rmhist!p)
         \<longrightarrow> (S3 rmhist p)$"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm MClkFwd_def},
    @{thm ACall_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def},
    @{thm rtrner_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1\<close>)

(* S2: the RPC component is idle (RPCidle), so r p is unchanged. *)
lemma S2RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $(S2 rmhist p) \<longrightarrow> unchanged (r p)"
  by (auto simp: S_def S2_def dest!: RPCidle [temp_use])

(* S2: the memory is idle (Memoryidle), so m p is unchanged. *)
lemma S2MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S2 rmhist p) \<longrightarrow> unchanged (m p)"
  by (auto simp: S_def S2_def dest!: Memoryidle [temp_use])

(* S2: a [HNext]_(c p, r p, m p, rmhist!p) step leaves the history variable
   unchanged (same unfolding as S1Hist, here via auto with the fast solver). *)
lemma S2Hist: "\<turnstile> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> $(S2 rmhist p)
         \<longrightarrow> unchanged (rmhist!p)"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def
    MClkReply_def AReturn_def S_def S2_def)

(* ------------------------------ State S3 ---------------------------------------- *)
(* S3: the environment is blocked (Envbusy), so e p is unchanged. *)
lemma S3EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S3 rmhist p) \<longrightarrow> unchanged (e p)"
  by (auto dest!: Envbusy [temp_use] simp: S_def S3_def)

(* S3: the clerk is busy (MClkbusy), so a [MClkNext]_(c p) step leaves c p unchanged. *)
lemma S3ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S3 rmhist p) \<longrightarrow> unchanged (c p)"
  by (auto dest!: MClkbusy [temp_use] simp: square_def S_def S3_def)

(* S3: the argument pending on crCh!p, relayed by the clerk (MClkRelayArg), is a
   legal receive argument for the RPC component. Used by S3RPC. *)
lemma S3LegalRcvArg: "\<turnstile> S3 rmhist p \<longrightarrow> IsLegalRcvArg<arg<crCh!p>>"
  by (auto simp: IsLegalRcvArg_def MClkRelayArg_def S_def S3_def)

(* S3: an RPCNext step is either a forward (RPCFwd) or a failure (RPCFail); the
   RPCReject and RPCReply alternatives are excluded, using S3LegalRcvArg. *)
lemma S3RPC: "\<turnstile> RPCNext crCh rmCh rst p \<and> $(S3 rmhist p)
         \<longrightarrow> RPCFwd crCh rmCh rst p \<or> RPCFail crCh rmCh rst p"
  apply clarsimp
  apply (frule S3LegalRcvArg [action_use])
  apply (auto simp: RPCNext_def RPCReject_def RPCReply_def S_def S3_def)
  done

(* S3 + RPC forward: an RPCFwd step together with HNext and e p, c p, m p
   unchanged moves process p into S4 and leaves the history variable unchanged. *)
lemma S3Forward: "\<turnstile> RPCFwd crCh rmCh rst p \<and> HNext rmhist p \<and> $(S3 rmhist p)
         \<and> unchanged (e p, c p, m p)
         \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCFwd_def},
    @{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def},
    @{thm MClkReply_def}, @{thm AReturn_def}, @{thm ACall_def}, @{thm e_def},
    @{thm c_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
    @{thm S3_def}, @{thm S4_def}, @{thm Calling_def}]) [] [] 1\<close>)

(* S3 + RPC failure: an RPCFail step together with HNext and e p, c p, m p
   unchanged moves process p into S6 (the failure path). *)
lemma S3Fail: "\<turnstile> RPCFail crCh rmCh rst p \<and> $(S3 rmhist p) \<and> HNext rmhist p
         \<and> unchanged (e p, c p, m p)
         \<longrightarrow> (S6 rmhist p)$"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def},
    @{thm RPCFail_def}, @{thm AReturn_def}, @{thm e_def}, @{thm c_def},
    @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm MVOKBARF_def},
    @{thm S_def}, @{thm S3_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1\<close>)

(* S3: the memory is idle (Memoryidle), so m p is unchanged. *)
lemma S3MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S3 rmhist p) \<longrightarrow> unchanged (m p)"
  by (auto simp: S_def S3_def dest!: Memoryidle [temp_use])

(* S3: an HNext step that leaves r p unchanged also leaves the history variable
   unchanged. *)
lemma S3Hist: "\<turnstile> HNext rmhist p \<and> $(S3 rmhist p) \<and> unchanged (r p) \<longrightarrow> unchanged (rmhist!p)"
  by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
    AReturn_def r_def rtrner_def S_def S3_def Calling_def)

(* ------------------------------ State S4 ---------------------------------------- *)
(* S4: the environment is blocked (Envbusy), so e p is unchanged. *)
lemma S4EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S4 rmhist p) \<longrightarrow> unchanged (e p)"
  by (auto simp: S_def S4_def dest!: Envbusy [temp_use])

(* S4: the clerk is busy (MClkbusy), so c p is unchanged. *)
lemma S4ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S4 rmhist p) \<longrightarrow> unchanged (c p)"
  by (auto simp: S_def S4_def dest!: MClkbusy [temp_use])

(* S4: the RPC component is busy (RPCbusy), so a [RPCNext]_(r p) step leaves
   r p unchanged. *)
lemma S4RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $(S4 rmhist p) \<longrightarrow> unchanged (r p)"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] dest!: RPCbusy [temp_use] simp: S_def S4_def)

(* S4 + memory read at location l: a ReadInner step (good or bad read) under the
   memory invariant MemInv mm l, with HNext and e p, c p, r p unchanged, stays in
   S4 and leaves the history variable unchanged. *)
lemma S4ReadInner: "\<turnstile> ReadInner rmCh mm ires p l \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p)
         \<and> HNext rmhist p \<and> $(MemInv mm l)
         \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
    @{thm GoodRead_def}, @{thm BadRead_def}, @{thm HNext_def}, @{thm MemReturn_def},
    @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm AReturn_def}, @{thm e_def},
    @{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def},
    @{thm MVNROKBA_def}, @{thm S_def}, @{thm S4_def}, @{thm RdRequest_def},
    @{thm Calling_def}, @{thm MemInv_def}]) [] [] 1\<close>)

(* Lifts S4ReadInner from ReadInner to Read; requires MemInv mm l for every
   location l since Read picks the location internally. *)
lemma S4Read: "\<turnstile> Read rmCh mm ires p \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p)
         \<and> HNext rmhist p \<and> (\<forall>l. $MemInv mm l)
         \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
  by (auto simp: Read_def dest!: S4ReadInner [temp_use])

(* S4 + memory write of v at location l: a WriteInner step (good or bad write)
   with HNext and e p, c p, r p unchanged stays in S4 and leaves the history
   variable unchanged. Unlike S4ReadInner, no memory invariant is needed. *)
lemma S4WriteInner: "\<turnstile> WriteInner rmCh mm ires p l v \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p) \<and> HNext rmhist p
         \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm WriteInner_def},
    @{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm HNext_def}, @{thm MemReturn_def},
    @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm AReturn_def}, @{thm e_def},
    @{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def}, @{thm MVNROKBA_def},
    @{thm S_def}, @{thm S4_def}, @{thm WrRequest_def}, @{thm Calling_def}]) [] [] 1\<close>)

(* Lifts S4WriteInner from WriteInner to Write (the written value is chosen
   inside Write). *)
lemma S4Write: "\<turnstile> Write rmCh mm ires p l \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p)
         \<and> (HNext rmhist p)
         \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
  by (auto simp: Write_def dest!: S4WriteInner [temp_use])

(* Under the implementation invariant ImpInv, a Write step is only enabled in
   state S4.  The proof unfolds the invariant and all six state predicates
   S1..S6 and lets the simplifier rule out every state other than S4. *)
lemma WriteS4: "\<turnstile> $ImpInv rmhist p \<and> Write rmCh mm ires p l \<longrightarrow> $S4 rmhist p"
  by (auto simp: Write_def WriteInner_def ImpInv_def
    WrRequest_def S_def S1_def S2_def S3_def S4_def S5_def S6_def)
(* State S4, MemReturn step.  When the memory returns a result in S4 while the
   other components are idle, and HNext is taken, the successor state is S5.
   Note that, unlike S4Write, nothing is claimed about rmhist!p here: HNext may
   update the history variable on a MemReturn. *)
lemma S4Return: "\<turnstile> MemReturn rmCh ires p \<and> $S4 rmhist p \<and> unchanged (e p, c p, r p)
         \<and> HNext rmhist p
         \<longrightarrow> (S5 rmhist p)$"
  by (auto simp: HNext_def MemReturn_def AReturn_def e_def c_def r_def
    rtrner_def caller_def MVNROKBA_def MVOKBA_def S_def S4_def S5_def Calling_def)
(* State S4, history variable.  If the memory interface m p does not change
   across an HNext step taken in S4, then the history variable rmhist!p does not
   change either.  The proof unfolds HNext and the actions it is built from
   (MemReturn, RPCFail, MClkReply) to show none of them can fire. *)
lemma S4Hist: "\<turnstile> HNext rmhist p \<and> $S4 rmhist p \<and> (m p)$ = $(m p) \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
  by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
    AReturn_def m_def rtrner_def S_def S4_def Calling_def)
(* ------------------------------ State S5 ---------------------------------------- *)
(* State S5: the environment is busy (waiting for its call), so any
   [ENext p]_(e p) step is a stuttering step for e p.  Envbusy does the work. *)
lemma S5EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S5 rmhist p) \<longrightarrow> unchanged (e p)"
  by (auto simp: S_def S5_def dest!: Envbusy [temp_use])
(* State S5: the memory clerk is busy, so any [MClkNext ...]_(c p) step leaves
   c p unchanged.  MClkbusy does the work. *)
lemma S5ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S5 rmhist p) \<longrightarrow> unchanged (c p)"
  by (auto simp: S_def S5_def dest!: MClkbusy [temp_use])
(* State S5: the only RPC actions that can occur are a reply or a failure.
   RPCNext is unfolded and its other two disjuncts, RPCReject and RPCFwd, are
   shown to be disabled in S5. *)
lemma S5RPC: "\<turnstile> RPCNext crCh rmCh rst p \<and> $(S5 rmhist p)
         \<longrightarrow> RPCReply crCh rmCh rst p \<or> RPCFail crCh rmCh rst p"
  by (auto simp: RPCNext_def RPCReject_def RPCFwd_def S_def S5_def)
(* State S5, RPCReply step.  A reply from the RPC component, with everything
   else (including the history variable) unchanged, leads to state S6. *)
lemma S5Reply: "\<turnstile> RPCReply crCh rmCh rst p \<and> $(S5 rmhist p) \<and> unchanged (e p, c p, m p,rmhist!p)
       \<longrightarrow> (S6 rmhist p)$"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCReply_def},
    @{thm AReturn_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm MVOKBA_def},
    @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
    @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1\<close>)
(* State S5, RPCFail step.  The failure case mirrors S5Reply: with everything
   else unchanged, an RPC failure also leads to S6 (the clerk then decides
   whether to retry or to reply, see S6Clerk). *)
lemma S5Fail: "\<turnstile> RPCFail crCh rmCh rst p \<and> $(S5 rmhist p) \<and> unchanged (e p, c p, m p,rmhist!p)
         \<longrightarrow> (S6 rmhist p)$"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCFail_def},
    @{thm AReturn_def}, @{thm e_def}, @{thm c_def}, @{thm m_def},
    @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def},
    @{thm S_def}, @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1\<close>)
(* State S5: the memory is idle (its result has already been returned), so any
   [RNext ...]_(m p) step leaves m p unchanged.  Memoryidle does the work. *)
lemma S5MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S5 rmhist p) \<longrightarrow> unchanged (m p)"
  by (auto simp: S_def S5_def dest!: Memoryidle [temp_use])
(* State S5, history variable.  Any [HNext]-step (including stuttering) taken
   in S5 leaves rmhist!p unchanged: none of the actions HNext is built from
   (MemReturn, RPCFail, MClkReply) is enabled here.  squareE splits the
   box-action into its real-step and stuttering cases. *)
lemma S5Hist: "\<turnstile> [HNext rmhist p]_(c p, r p, m p, rmhist!p) \<and> $(S5 rmhist p)
         \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def
    MClkReply_def AReturn_def S_def S5_def)
(* ------------------------------ State S6 ---------------------------------------- *)
(* State S6: the environment is still busy, so [ENext p]_(e p) steps leave
   e p unchanged (Envbusy). *)
lemma S6EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S6 rmhist p) \<longrightarrow> unchanged (e p)"
  by (auto simp: S_def S6_def dest!: Envbusy [temp_use])
(* State S6: the clerk can only retry the call or reply to the environment.
   MClkNext is unfolded and its remaining disjunct, MClkFwd, is ruled out. *)
lemma S6Clerk: "\<turnstile> MClkNext memCh crCh cst p \<and> $(S6 rmhist p)
         \<longrightarrow> MClkRetry memCh crCh cst p \<or> MClkReply memCh crCh cst p"
  by (auto simp: MClkNext_def MClkFwd_def S_def S6_def)
(* State S6, MClkRetry step.  A clerk retry with HNext taken and the other
   components idle goes back to S3 (the call is re-issued to the RPC
   component) and leaves the history variable unchanged. *)
lemma S6Retry: "\<turnstile> MClkRetry memCh crCh cst p \<and> HNext rmhist p \<and> $S6 rmhist p
         \<and> unchanged (e p,r p,m p)
         \<longrightarrow> (S3 rmhist p)$ \<and> unchanged (rmhist!p)"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def},
    @{thm MClkReply_def}, @{thm MClkRetry_def}, @{thm ACall_def}, @{thm AReturn_def},
    @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
    @{thm S_def}, @{thm S6_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1\<close>)
(* State S6, MClkReply step.  The clerk replying to the environment, with HNext
   taken and the other components idle, closes the cycle and returns to S1.
   As with S4Return, rmhist!p is not claimed unchanged: MClkReply is one of the
   actions on which HNext may update the history variable. *)
lemma S6Reply: "\<turnstile> MClkReply memCh crCh cst p \<and> HNext rmhist p \<and> $S6 rmhist p
         \<and> unchanged (e p,r p,m p)
         \<longrightarrow> (S1 rmhist p)$"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def},
    @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm AReturn_def}, @{thm MClkReply_def},
    @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
    @{thm S_def}, @{thm S6_def}, @{thm S1_def}, @{thm Calling_def}]) [] [] 1\<close>)
(* State S6: the RPC component is idle, so [RPCNext ...]_(r p) steps leave
   r p unchanged (RPCidle). *)
lemma S6RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $S6 rmhist p \<longrightarrow> unchanged (r p)"
  by (auto simp: S_def S6_def dest!: RPCidle [temp_use])
(* State S6: the memory is idle, so [RNext ...]_(m p) steps leave m p
   unchanged (Memoryidle). *)
lemma S6MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S6 rmhist p) \<longrightarrow> unchanged (m p)"
  by (auto simp: S_def S6_def dest!: Memoryidle [temp_use])
(* State S6, history variable.  If the clerk interface c p does not change
   across an HNext step taken in S6, then rmhist!p does not change either
   (the only history-updating action enabled in S6 is MClkReply, which
   changes c p). *)
lemma S6Hist: "\<turnstile> HNext rmhist p \<and> $S6 rmhist p \<and> (c p)$ = $(c p) \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
  by (auto simp: HNext_def MClkReply_def AReturn_def c_def rtrner_def S_def S6_def Calling_def)
section "Correctness of predicate-action diagram"
(* ========== Step 1.1 ================================================= *)
(* The implementation's initial condition implies the state predicate S1 *)
(* Step 1.1: the implementation's initial condition, together with the initial
   condition HInit of the history variable, establishes S1 -- the entry node of
   the predicate-action diagram.  All component initial conditions are
   unfolded; fast_solver is enabled for the resulting propositional goals. *)
lemma Step1_1: "\<turnstile> ImpInit p \<and> HInit rmhist p \<longrightarrow> S1 rmhist p"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] simp: MVNROKBA_def
    MClkInit_def RPCInit_def PInit_def HInit_def ImpInit_def S_def S1_def)
(* ========== Step 1.2 ================================================== *)
(* Figure 16 is a predicate-action diagram for the implementation. *)
(* Step 1.2, node S1.  Every non-stuttering implementation step taken in S1
   (with the history action) is an environment step ENext leading to S2, and
   leaves the clerk, RPC and memory interfaces unchanged.

   The Step1_2_k lemmas together are the exhaustive edge list of the
   predicate-action diagram: each one states that nothing other than the listed
   transitions can happen from S_k.  The proof pattern is the same throughout:
   first discharge the components shown idle in S_k by the S_kXxxUnch lemmas,
   then case-split on the one component that can move. *)
lemma Step1_2_1: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
         \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p)  \<and> $S1 rmhist p
         \<longrightarrow> (S2 rmhist p)$ \<and> ENext p \<and> unchanged (c p, r p, m p)"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
      (map (temp_elim @{context})
        [@{thm S1ClerkUnch}, @{thm S1RPCUnch}, @{thm S1MemUnch}, @{thm S1Hist}]) 1\<close>)
   using [[fast_solver]]
   apply (auto elim!: squareE [temp_use] intro!: S1Env [temp_use])
  done
(* Step 1.2, node S2.  The only non-stuttering step from S2 is the clerk
   forwarding the call (MClkFwd), which leads to S3 and leaves the
   environment, RPC, memory and history variable unchanged. *)
lemma Step1_2_2: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
         \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S2 rmhist p
         \<longrightarrow> (S3 rmhist p)$ \<and> MClkFwd memCh crCh cst p
             \<and> unchanged (e p, r p, m p, rmhist!p)"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
    (map (temp_elim @{context})
      [@{thm S2EnvUnch}, @{thm S2RPCUnch}, @{thm S2MemUnch}, @{thm S2Hist}]) 1\<close>)
   using [[fast_solver]]
   apply (auto elim!: squareE [temp_use] intro!: S2Clerk [temp_use] S2Forward [temp_use])
  done
(* Step 1.2, node S3.  From S3 the RPC component either forwards the call to
   the memory (RPCFwd, to S4, history unchanged) or fails (RPCFail, to S6; the
   history variable may change on this edge, so it is not listed as unchanged).
   After discharging the idle components, squareE and S3RPC split the RPC
   step into these two cases, and S3Hist settles the history variable. *)
lemma Step1_2_3: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
         \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S3 rmhist p
         \<longrightarrow> ((S4 rmhist p)$ \<and> RPCFwd crCh rmCh rst p \<and> unchanged (e p, c p, m p, rmhist!p))
             \<or> ((S6 rmhist p)$ \<and> RPCFail crCh rmCh rst p \<and> unchanged (e p, c p, m p))"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
    (map (temp_elim @{context}) [@{thm S3EnvUnch}, @{thm S3ClerkUnch}, @{thm S3MemUnch}]) 1\<close>)
  apply (tactic \<open>action_simp_tac @{context} []
    (@{thm squareE} ::
      map (temp_elim @{context}) [@{thm S3RPC}, @{thm S3Forward}, @{thm S3Fail}]) 1\<close>)
   apply (auto dest!: S3Hist [temp_use])
  done
(* Step 1.2, node S4.  From S4 the memory either performs a Read or a Write
   (both staying in S4 with the history variable unchanged) or returns
   (MemReturn, to S5).  This is the one node that needs the memory invariant
   MemInv for every address l as an extra hypothesis.  RNext is unfolded so
   that S4Read / S4Write / S4Return can each be applied to one disjunct. *)
lemma Step1_2_4: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
              \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p)
              \<and> $S4 rmhist p \<and> (\<forall>l. $(MemInv mm l))
         \<longrightarrow> ((S4 rmhist p)$ \<and> Read rmCh mm ires p \<and> unchanged (e p, c p, r p, rmhist!p))
             \<or> ((S4 rmhist p)$ \<and> (\<exists>l. Write rmCh mm ires p l) \<and> unchanged (e p, c p, r p, rmhist!p))
             \<or> ((S5 rmhist p)$ \<and> MemReturn rmCh ires p \<and> unchanged (e p, c p, r p))"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
    (map (temp_elim @{context}) [@{thm S4EnvUnch}, @{thm S4ClerkUnch}, @{thm S4RPCUnch}]) 1\<close>)
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RNext_def}]) []
    (@{thm squareE} ::
      map (temp_elim @{context}) [@{thm S4Read}, @{thm S4Write}, @{thm S4Return}]) 1\<close>)
  apply (auto dest!: S4Hist [temp_use])
  done
(* Step 1.2, node S5.  From S5 the RPC component either replies or fails; both
   edges lead to S6.  Environment, clerk and memory are idle (S5EnvUnch,
   S5ClerkUnch, S5MemUnch) and the history variable is fixed by S5Hist; S5RPC
   then narrows the RPC step to the two cases handled by S5Reply / S5Fail. *)
lemma Step1_2_5: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
              \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S5 rmhist p
         \<longrightarrow> ((S6 rmhist p)$ \<and> RPCReply crCh rmCh rst p \<and> unchanged (e p, c p, m p))
             \<or> ((S6 rmhist p)$ \<and> RPCFail crCh rmCh rst p \<and> unchanged (e p, c p, m p))"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
    (map (temp_elim @{context}) [@{thm S5EnvUnch}, @{thm S5ClerkUnch}, @{thm S5MemUnch}, @{thm S5Hist}]) 1\<close>)
  apply (tactic \<open>action_simp_tac @{context} [] [@{thm squareE}, temp_elim @{context} @{thm S5RPC}] 1\<close>)
   using [[fast_solver]]
   apply (auto elim!: squareE [temp_use] dest!: S5Reply [temp_use] S5Fail [temp_use])
  done
(* Step 1.2, node S6.  From S6 the clerk either replies to the environment
   (MClkReply, back to S1) or retries the call (MClkRetry, back to S3 with the
   history variable unchanged).  S6Clerk narrows the clerk step to these two
   cases; S6Hist settles the history variable on the retry edge. *)
lemma Step1_2_6: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
              \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S6 rmhist p
         \<longrightarrow> ((S1 rmhist p)$ \<and> MClkReply memCh crCh cst p \<and> unchanged (e p, r p, m p))
             \<or> ((S3 rmhist p)$ \<and> MClkRetry memCh crCh cst p \<and> unchanged (e p,r p,m p,rmhist!p))"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
    (map (temp_elim @{context}) [@{thm S6EnvUnch}, @{thm S6RPCUnch}, @{thm S6MemUnch}]) 1\<close>)
  apply (tactic \<open>action_simp_tac @{context} []
    (@{thm squareE} :: map (temp_elim @{context}) [@{thm S6Clerk}, @{thm S6Retry}, @{thm S6Reply}]) 1\<close>)
     apply (auto dest: S6Hist [temp_use])
  done
(* --------------------------------------------------------------------------
   Step 1.3: S1 implies the barred initial condition.
*)
section "Initialization (Step 1.3)"
(* Step 1.3: the entry node S1 implies the specification's initial condition
   PInit, with the specification's result variable replaced by the refinement
   mapping resbar applied to the history variable. *)
lemma Step1_3: "\<turnstile> S1 rmhist p \<longrightarrow> PInit (resbar rmhist) p"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm resbar_def},
    @{thm PInit_def}, @{thm S_def}, @{thm S1_def}]) [] [] 1\<close>)
(* ----------------------------------------------------------------------
   Step 1.4: Implementation's next-state relation simulates specification's
             next-state relation (with appropriate substitutions)
*)
section "Step simulation (Step 1.4)"
(* Step 1.4, edge S1 -> S2 (ENext).  The environment issuing a call is a
   stuttering step for the specification: neither the memory interface seen by
   the environment (rtrner memCh!p) nor the mapped result (resbar rmhist!p)
   changes.  The clerk, RPC and memory interfaces are unchanged by hypothesis. *)
lemma Step1_4_1: "\<turnstile> ENext p \<and> $S1 rmhist p \<and> (S2 rmhist p)$ \<and> unchanged (c p, r p, m p)
         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  using [[fast_solver]]
  by (auto elim!: squareE [temp_use] simp: c_def r_def m_def resbar_def)
(* Step 1.4, edge S2 -> S3 (MClkFwd).  The clerk forwarding the call to the RPC
   component is internal to the implementation: it is a stuttering step for
   the specification's variables. *)
lemma Step1_4_2: "\<turnstile> MClkFwd memCh crCh cst p \<and> $S2 rmhist p \<and> (S3 rmhist p)$
         \<and> unchanged (e p, r p, m p, rmhist!p)
         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  by (tactic \<open>action_simp_tac
    (@{context} addsimps [@{thm MClkFwd_def}, @{thm e_def}, @{thm r_def}, @{thm m_def},
    @{thm resbar_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}]) [] [] 1\<close>)
(* Step 1.4, edge S3 -> S4 (RPCFwd).  The RPC component forwarding the call to
   the memory is likewise a stuttering step for the specification.  The
   exclusivity lemmas S3_excl / S4_excl are applied first so that the
   simplifier knows which state predicates are false before and after. *)
lemma Step1_4_3a: "\<turnstile> RPCFwd crCh rmCh rst p \<and> $S3 rmhist p \<and> (S4 rmhist p)$
         \<and> unchanged (e p, c p, m p, rmhist!p)
         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (drule S3_excl [temp_use] S4_excl [temp_use])+
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def},
    @{thm c_def}, @{thm m_def}, @{thm resbar_def}, @{thm S_def}, @{thm S3_def}]) [] [] 1\<close>)
  done
(* Step 1.4, edge S3 -> S6 (RPCFail).  This is the first edge that is NOT a
   stuttering step for the specification: an RPC failure while the call is in
   flight simulates the specification's MemFail action under the refinement
   mapping resbar.  After unfolding, one subgoal is closed from the S3 state
   predicate and the remaining ones by unfolding AReturn. *)
lemma Step1_4_3b: "\<turnstile> RPCFail crCh rmCh rst p \<and> $S3 rmhist p \<and> (S6 rmhist p)$
         \<and> unchanged (e p, c p, m p)
         \<longrightarrow> MemFail memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S6_excl [temp_use])
  apply (auto simp: RPCFail_def MemFail_def e_def c_def m_def resbar_def)
    apply (force simp: S3_def S_def)
   apply (auto simp: AReturn_def)
  done
lemma Step1_4_4a1: "\<turnstile> $S4 rmhist p \<and> (S4 rmhist p)$ \<and> ReadInner rmCh mm ires p l
         \<and> unchanged (e p, c p, r p, rmhist!p) \<and> $MemInv mm l
         \<longrightarrow> ReadInner memCh mm (resbar rmhist) p l"
  apply clarsimp
  apply (drule S4_excl [temp_use])+
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
    @{thm GoodRead_def}, @{thm BadRead_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}]) [] [] 1\<close>)
     apply (auto simp: resbar_def)
       apply (tactic \<open>ALLGOALS (action_simp_tac
                (@{context} addsimps [@{thm RPCRelayArg_def}, @{thm MClkRelayArg_def},
                  @{thm S_def}, @{thm S4_def}, @{thm RdRequest_def}, @{thm MemInv_def}])
                [] [@{thm impE}, @{thm MemValNotAResultE}])\<close>)
  done
lemma Step1_4_4a: "\<turnstile> Read rmCh mm ires p \<and> $S4 rmhist p \<and> (S4 rmhist p)$
         \<and> unchanged (e p, c p, r p, rmhist!p) \<and> (\<forall>l. $(MemInv mm l))
         \<longrightarrow> Read memCh mm (resbar rmhist) p"
  by (force simp: Read_def elim!: Step1_4_4a1 [temp_use])
lemma Step1_4_4b1: "\<turnstile> $S4 rmhist p \<and> (S4 rmhist p)$ \<and> WriteInner rmCh mm ires p l v
         \<and> unchanged (e p, c p, r p, rmhist!p)
         \<longrightarrow> WriteInner memCh mm (resbar rmhist) p l v"
  apply clarsimp
  apply (drule S4_excl [temp_use])+
  apply (tactic \<open>action_simp_tac (@{context} addsimps
    [@{thm WriteInner_def}, @{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm e_def},
    @{thm c_def}, @{thm m_def}]) [] [] 1\<close>)
     apply (auto simp: resbar_def)
    apply (tactic \<open>ALLGOALS (action_simp_tac (@{context} addsimps
      [@{thm RPCRelayArg_def}, @{thm MClkRelayArg_def}, @{thm S_def},
      @{thm S4_def}, @{thm WrRequest_def}]) [] [])\<close>)
  done
lemma Step1_4_4b: "\<turnstile> Write rmCh mm ires p l \<and> $S4 rmhist p \<and> (S4 rmhist p)$
         \<and> unchanged (e p, c p, r p, rmhist!p)
         \<longrightarrow> Write memCh mm (resbar rmhist) p l"
  by (force simp: Write_def elim!: Step1_4_4b1 [temp_use])
lemma Step1_4_4c: "\<turnstile> MemReturn rmCh ires p \<and> $S4 rmhist p \<and> (S5 rmhist p)$
         \<and> unchanged (e p, c p, r p)
         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def},
    @{thm c_def}, @{thm r_def}, @{thm resbar_def}]) [] [] 1\<close>)
  apply (drule S4_excl [temp_use] S5_excl [temp_use])+
  using [[fast_solver]]
  apply (auto elim!: squareE [temp_use] simp: MemReturn_def AReturn_def)
  done
lemma Step1_4_5a: "\<turnstile> RPCReply crCh rmCh rst p \<and> $S5 rmhist p \<and> (S6 rmhist p)$
         \<and> unchanged (e p, c p, m p)
         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (drule S5_excl [temp_use] S6_excl [temp_use])+
  apply (auto simp: e_def c_def m_def resbar_def)
   apply (auto simp: RPCReply_def AReturn_def S5_def S_def dest!: MVOKBAnotRF [temp_use])
  done
lemma Step1_4_5b: "\<turnstile> RPCFail crCh rmCh rst p \<and> $S5 rmhist p \<and> (S6 rmhist p)$
         \<and> unchanged (e p, c p, m p)
         \<longrightarrow> MemFail memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S6_excl [temp_use])
  apply (auto simp: e_def c_def m_def RPCFail_def AReturn_def MemFail_def resbar_def)
   apply (auto simp: S5_def S_def)
  done
lemma Step1_4_6a: "\<turnstile> MClkReply memCh crCh cst p \<and> $S6 rmhist p \<and> (S1 rmhist p)$
         \<and> unchanged (e p, r p, m p)
         \<longrightarrow> MemReturn memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S6_excl [temp_use])+
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def},
    @{thm r_def}, @{thm m_def}, @{thm MClkReply_def}, @{thm MemReturn_def},
    @{thm AReturn_def}, @{thm resbar_def}]) [] [] 1\<close>)
    apply simp_all (* simplify if-then-else *)
    apply (tactic \<open>ALLGOALS (action_simp_tac (@{context} addsimps
      [@{thm MClkReplyVal_def}, @{thm S6_def}, @{thm S_def}]) [] [@{thm MVOKBARFnotNR}])\<close>)
  done
lemma Step1_4_6b: "\<turnstile> MClkRetry memCh crCh cst p \<and> $S6 rmhist p \<and> (S3 rmhist p)$
         \<and> unchanged (e p, r p, m p, rmhist!p)
         \<longrightarrow> MemFail memCh (resbar rmhist) p"
  apply clarsimp
  apply (drule S3_excl [temp_use])+
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def}, @{thm r_def},
    @{thm m_def}, @{thm MClkRetry_def}, @{thm MemFail_def}, @{thm resbar_def}]) [] [] 1\<close>)
   apply (auto simp: S6_def S_def)
  done
lemma S_lemma: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
         \<longrightarrow> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)"
  by (auto simp: e_def c_def r_def m_def caller_def rtrner_def S_def Calling_def)
lemma Step1_4_7H: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
         \<longrightarrow> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p,
                        S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  apply clarsimp
  apply (rule conjI)
   apply (force simp: c_def)
  apply (force simp: S1_def S2_def S3_def S4_def S5_def S6_def intro!: S_lemma [temp_use])
  done
lemma Step1_4_7: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
         \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p,
                        S3 rmhist p, S4 rmhist p, S5 rmhist p, S6 rmhist p)"
  apply (rule actionI)
  apply (unfold action_rews)
  apply (rule impI)
  apply (frule Step1_4_7H [temp_use])
  apply (auto simp: e_def c_def r_def m_def rtrner_def resbar_def)
  done
(* Frequently needed abbreviation: distinguish between idling and non-idling
   steps of the implementation, and try to solve the idling case by simplification
*)
ML \<open>
fun split_idle_tac ctxt =
  SELECT_GOAL
   (TRY (resolve_tac ctxt @{thms actionI} 1) THEN
    Induct_Tacs.case_tac ctxt "(s,t) \<Turnstile> unchanged (e p, c p, r p, m p, rmhist!p)" [] NONE 1 THEN
    rewrite_goals_tac ctxt @{thms action_rews} THEN
    forward_tac ctxt [temp_use ctxt @{thm Step1_4_7}] 1 THEN
    asm_full_simp_tac ctxt 1);
\<close>
method_setup split_idle = \<open>
  Method.sections (Simplifier.simp_modifiers @ Splitter.split_modifiers)
    >> (K (SIMPLE_METHOD' o split_idle_tac))
\<close>
(* ----------------------------------------------------------------------
   Combine steps 1.2 and 1.4 to prove that the implementation satisfies
   the specification's next-state relation.
*)
(* Steps that leave all variables unchanged are safe, so I may assume
   that some variable actually changes when proving that a step is safe. *)
lemma unchanged_safe: "\<turnstile> (\<not>unchanged (e p, c p, r p, m p, rmhist!p)
             \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p))
         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply (split_idle simp: square_def)
  apply force
  done
(* turn into (unsafe, looping!) introduction rule *)
lemmas unchanged_safeI = impI [THEN unchanged_safe [action_use]]
lemma S1safe: "\<turnstile> $S1 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (rule idle_squareI)
  apply (auto dest!: Step1_2_1 [temp_use] Step1_4_1 [temp_use])
  done
lemma S2safe: "\<turnstile> $S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (rule idle_squareI)
  apply (auto dest!: Step1_2_2 [temp_use] Step1_4_2 [temp_use])
  done
lemma S3safe: "\<turnstile> $S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_3 [temp_use])
  apply (auto simp: square_def UNext_def dest!: Step1_4_3a [temp_use] Step1_4_3b [temp_use])
  done
lemma S4safe: "\<turnstile> $S4 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<and> (\<forall>l. $(MemInv mm l))
         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_4 [temp_use])
     apply (auto simp: square_def UNext_def RNext_def
       dest!: Step1_4_4a [temp_use] Step1_4_4b [temp_use] Step1_4_4c [temp_use])
  done
lemma S5safe: "\<turnstile> $S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_5 [temp_use])
  apply (auto simp: square_def UNext_def dest!: Step1_4_5a [temp_use] Step1_4_5b [temp_use])
  done
lemma S6safe: "\<turnstile> $S6 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  apply clarsimp
  apply (rule unchanged_safeI)
  apply (auto dest!: Step1_2_6 [temp_use])
    apply (auto simp: square_def UNext_def RNext_def
      dest!: Step1_4_6a [temp_use] Step1_4_6b [temp_use])
  done
(* ----------------------------------------------------------------------
   Step 1.5: Temporal refinement proof, based on previous steps.
*)
section "The liveness part"
(* Liveness assertions for the different implementation states, based on the
   fairness conditions. Prove subgoals of WF1 / SF1 rules as separate lemmas
   for readability. Reuse action proofs from safety part.
*)
(* ------------------------------ State S1 ------------------------------ *)
lemma S1_successors: "\<turnstile> $S1 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> (S1 rmhist p)$ \<or> (S2 rmhist p)$"
  apply split_idle
  apply (auto dest!: Step1_2_1 [temp_use])
  done
(* Show that the implementation can satisfy the high-level fairness requirements
   by entering the state S1 infinitely often.
*)
lemma S1_RNextdisabled: "\<turnstile> S1 rmhist p \<longrightarrow>
         \<not>Enabled (<RNext memCh mm (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
  apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm angle_def},
    @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}, temp_elim @{context} @{thm Memoryidle}] 1\<close>)
  apply force
  done
lemma S1_Returndisabled: "\<turnstile> S1 rmhist p \<longrightarrow>
         \<not>Enabled (<MemReturn memCh (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm angle_def}, @{thm MemReturn_def},
    @{thm AReturn_def}, @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}] 1\<close>)
lemma RNext_fair: "\<turnstile> \<box>\<diamond>S1 rmhist p
         \<longrightarrow> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
21624
6f79647cf536 TLA: converted legacy ML scripts;
wenzelm
parents: 17309
diff changeset
   916
  by (auto simp: WF_alt [try_rewrite] intro!: S1_RNextdisabled [temp_use]
6f79647cf536 TLA: converted legacy ML scripts;
wenzelm
parents: 17309
diff changeset
   917
    elim!: STL4E [temp_use] DmdImplE [temp_use])
(* Same argument as RNext_fair for the translated MemReturn action:
   \<box>\<diamond>S1 gives WF(MemReturn ...), using S1_Returndisabled in
   place of S1_RNextdisabled. *)
lemma Return_fair: "\<turnstile> \<box>\<diamond>S1 rmhist p
         \<longrightarrow> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  by (auto simp: WF_alt [try_rewrite]
    intro!: S1_Returndisabled [temp_use] elim!: STL4E [temp_use] DmdImplE [temp_use])
(* ------------------------------ State S2 ------------------------------ *)
(* Successor states of S2 under one implementation step (ImpNext together
   with the history step HNext, or stuttering on c p, r p, m p and
   rmhist!p): the next state is again S2 or it is S3.
   split_idle presumably separates the stuttering case; the proper step
   is handled by the step lemma Step1_2_2.  This is the "successor"
   premise of WF1 used in S2_live. *)
lemma S2_successors: "\<turnstile> $S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> (S2 rmhist p)$ \<or> (S3 rmhist p)$"
  apply split_idle
  apply (auto dest!: Step1_2_2 [temp_use])
  done
(* A non-stuttering MClkFwd step (<...>_(c p)) taken from S2 leads to S3.
   angle_def unfolds the action notation; Step1_2_2 does the rest.
   "Action" premise of WF1 for S2_live. *)
lemma S2MClkFwd_successors: "\<turnstile> ($S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         \<and> <MClkFwd memCh crCh cst p>_(c p)
         \<longrightarrow> (S3 rmhist p)$"
  by (auto simp: angle_def dest!: Step1_2_2 [temp_use])
(* In S2 the clerk action MClkFwd is enabled.  The enabledness lemmas
   MClkFwd_ch_enabled / MClkFwd_enabled are applied first (c_def exposes
   the variable tuple); the base-variable side conditions they leave are
   discharged with MI_base and base_pair, the rest by unfolding S2.
   "Enabled" premise of WF1 for S2_live. *)
lemma S2MClkFwd_enabled: "\<turnstile> $S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> $Enabled (<MClkFwd memCh crCh cst p>_(c p))"
  apply (auto simp: c_def intro!: MClkFwd_ch_enabled [temp_use] MClkFwd_enabled [temp_use])
     apply (cut_tac MI_base)
     apply (blast dest: base_pair)
    apply (simp_all add: S_def S2_def)
  done
(* Progress out of S2: under the implementation's next-state relation and
   weak fairness of MClkFwd, S2 leads to S3.  This is the TLA rule WF1
   instantiated with the three lemmas above (successors, action
   successors, enabledness). *)
lemma S2_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         \<and> WF(MClkFwd memCh crCh cst p)_(c p)
         \<longrightarrow> (S2 rmhist p \<leadsto> S3 rmhist p)"
  by (rule WF1 S2_successors S2MClkFwd_successors S2MClkFwd_enabled)+
(* ------------------------------ State S3 ------------------------------ *)
(* Successor states of S3 under one implementation step: S3 again, or
   S4 or S6 (the latter two are grouped in one primed disjunction, which
   is the shape the \<leadsto> target in S3_live has).  Same proof pattern
   as S2_successors, with step lemma Step1_2_3. *)
lemma S3_successors: "\<turnstile> $S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> (S3 rmhist p)$ \<or> (S4 rmhist p \<or> S6 rmhist p)$"
  apply split_idle
  apply (auto dest!: Step1_2_3 [temp_use])
  done
(* A non-stuttering RPCNext step (<...>_(r p)) taken from S3 leads to
   S4 or S6.  "Action" premise of WF1 for S3_live. *)
lemma S3RPC_successors: "\<turnstile> ($S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         \<and> <RPCNext crCh rmCh rst p>_(r p)
         \<longrightarrow> (S4 rmhist p \<or> S6 rmhist p)$"
  apply (auto simp: angle_def dest!: Step1_2_3 [temp_use])
  done
(* In S3 the RPC action RPCNext is enabled.  The enabledness lemmas
   RPCFail_Next_enabled / RPCFail_enabled are applied (so the witness
   step is presumably the failing RPC step); base-variable side
   conditions via MI_base / base_pair, the rest by unfolding S3.
   "Enabled" premise of WF1 for S3_live. *)
lemma S3RPC_enabled: "\<turnstile> $S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
  apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
    apply (cut_tac MI_base)
    apply (blast dest: base_pair)
   apply (simp_all add: S_def S3_def)
  done
(* Progress out of S3: under weak fairness of RPCNext, S3 leads to
   S4 \<or> S6.  WF1 instantiated with the three lemmas above. *)
lemma S3_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         \<and> WF(RPCNext crCh rmCh rst p)_(r p)
         \<longrightarrow> (S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p)"
  by (rule WF1 S3_successors S3RPC_successors S3RPC_enabled)+
(* ------------- State S4 -------------------------------------------------- *)
(* Successor states of S4: S4 again or S5.  Unlike S2/S3 this needs the
   memory invariant MemInv for every location l as an extra hypothesis
   (it is also carried by all S4 lemmas below).  Step lemma: Step1_2_4. *)
lemma S4_successors: "\<turnstile> $S4 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
        \<and> (\<forall>l. $MemInv mm l)
        \<longrightarrow> (S4 rmhist p)$ \<or> (S5 rmhist p)$"
  apply split_idle
  apply (auto dest!: Step1_2_4 [temp_use])
  done
(* --------- State S4a: S4 /\ (ires p = NotAResult) ------------------------ *)
(* S4 is refined by the value of ires!p.  From S4a (S4 with
   ires!p = NotAResult) one step leads to S4a again, or to S4b
   (ires!p \<noteq> NotAResult) or S5.  Same proof as S4_successors; the
   disjunction is arranged as "stay" vs. "progress" for WF1. *)
lemma S4a_successors: "\<turnstile> $(S4 rmhist p \<and> ires!p = #NotAResult)
         \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> (\<forall>l. $MemInv mm l)
         \<longrightarrow> (S4 rmhist p \<and> ires!p = #NotAResult)$
             \<or> ((S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p)$"
  apply split_idle
  apply (auto dest!: Step1_2_4 [temp_use])
  done
(* A non-stuttering step of the inner memory (RNext on rmCh, <...>_(m p))
   taken from S4a leaves S4a: the result is S4b or S5.  Besides
   Step1_2_4, ReadResult and WriteResult are used as destruction rules,
   presumably to show that ires!p is no longer NotAResult after the step.
   "Action" premise of WF1 for S4a_live. *)
lemma S4aRNext_successors: "\<turnstile> ($(S4 rmhist p \<and> ires!p = #NotAResult)
         \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> (\<forall>l. $MemInv mm l))
         \<and> <RNext rmCh mm ires p>_(m p)
         \<longrightarrow> ((S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p)$"
  by (auto simp: angle_def
    dest!: Step1_2_4 [temp_use] ReadResult [temp_use] WriteResult [temp_use])
(* In S4a the inner memory action RNext is enabled (RNext_enabled, with
   m_def exposing the variable tuple); base-variable side conditions via
   MI_base / base_pair, the rest by unfolding S4.
   "Enabled" premise of WF1 for S4a_live. *)
lemma S4aRNext_enabled: "\<turnstile> $(S4 rmhist p \<and> ires!p = #NotAResult)
         \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> (\<forall>l. $MemInv mm l)
         \<longrightarrow> $Enabled (<RNext rmCh mm ires p>_(m p))"
  apply (auto simp: m_def intro!: RNext_enabled [temp_use])
   apply (cut_tac MI_base)
   apply (blast dest: base_pair)
  apply (simp add: S_def S4_def)
  done
(* Progress out of S4a: under weak fairness of the inner memory's RNext
   (and with MemInv always holding), S4a leads to S4b \<or> S5.
   WF1 instantiated with the three S4a lemmas above. *)
lemma S4a_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<and> (\<forall>l. $MemInv mm l)) \<and> WF(RNext rmCh mm ires p)_(m p)
         \<longrightarrow> (S4 rmhist p \<and> ires!p = #NotAResult
               \<leadsto> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p)"
  by (rule WF1 S4a_successors S4aRNext_successors S4aRNext_enabled)+
(* ---------- State S4b: S4 /\ (ires p # NotAResult) --------------------------- *)
(* Successor states of S4b (S4 with ires!p \<noteq> NotAResult): S4b again or
   S5.  split_idle is given m_def as a simp rule here, and WriteResult /
   ReadResult are needed in addition to Step1_2_4 -- presumably to show
   that ires!p stays different from NotAResult across a memory step. *)
lemma S4b_successors: "\<turnstile> $(S4 rmhist p \<and> ires!p \<noteq> #NotAResult)
         \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> (\<forall>l. $MemInv mm l)
         \<longrightarrow> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult)$ \<or> (S5 rmhist p)$"
  apply (split_idle simp: m_def)
  apply (auto dest!: WriteResult [temp_use] Step1_2_4 [temp_use] ReadResult [temp_use])
  done
(* A non-stuttering MemReturn step of the inner memory taken from S4b
   leads to S5.  ReturnNotReadWrite is used (non-destructively) to rule
   out the read/write alternatives that Step1_2_4 would otherwise leave.
   "Action" premise of WF1 for S4b_live. *)
lemma S4bReturn_successors: "\<turnstile> ($(S4 rmhist p \<and> ires!p \<noteq> #NotAResult)
         \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<and> (\<forall>l. $MemInv mm l)) \<and> <MemReturn rmCh ires p>_(m p)
         \<longrightarrow> (S5 rmhist p)$"
  by (force simp: angle_def dest!: Step1_2_4 [temp_use] dest: ReturnNotReadWrite [temp_use])
(* In S4b the inner memory's MemReturn action is enabled
   (MemReturn_enabled); same side-condition handling as S4aRNext_enabled.
   "Enabled" premise of WF1 for S4b_live. *)
lemma S4bReturn_enabled: "\<turnstile> $(S4 rmhist p \<and> ires!p \<noteq> #NotAResult)
         \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<and> (\<forall>l. $MemInv mm l)
         \<longrightarrow> $Enabled (<MemReturn rmCh ires p>_(m p))"
  apply (auto simp: m_def intro!: MemReturn_enabled [temp_use])
   apply (cut_tac MI_base)
   apply (blast dest: base_pair)
  apply (simp add: S_def S4_def)
  done
(* Progress out of S4b: under weak fairness of the inner memory's
   MemReturn, S4b leads to S5.  WF1 with the three S4b lemmas above. *)
lemma S4b_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> (\<forall>l. $MemInv mm l))
         \<and> WF(MemReturn rmCh ires p)_(m p)
         \<longrightarrow> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p)"
  by (rule WF1 S4b_successors S4bReturn_successors S4bReturn_enabled)+
(* ------------------------------ State S5 ------------------------------ *)
(* Successor states of S5 under one implementation step: S5 again or S6.
   Step lemma: Step1_2_5. *)
lemma S5_successors: "\<turnstile> $S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> (S5 rmhist p)$ \<or> (S6 rmhist p)$"
  apply split_idle
  apply (auto dest!: Step1_2_5 [temp_use])
  done
(* A non-stuttering RPCNext step taken from S5 leads to S6.
   "Action" premise of WF1 for S5_live. *)
lemma S5RPC_successors: "\<turnstile> ($S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         \<and> <RPCNext crCh rmCh rst p>_(r p)
         \<longrightarrow> (S6 rmhist p)$"
  by (auto simp: angle_def dest!: Step1_2_5 [temp_use])
(* In S5 the RPC action RPCNext is enabled; same proof shape as
   S3RPC_enabled, unfolding S5 instead of S3.
   "Enabled" premise of WF1 for S5_live. *)
lemma S5RPC_enabled: "\<turnstile> $S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
  apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
    apply (cut_tac MI_base)
    apply (blast dest: base_pair)
   apply (simp_all add: S_def S5_def)
  done
(* Progress out of S5: under weak fairness of RPCNext, S5 leads to S6.
   WF1 with the three S5 lemmas above. *)
lemma S5_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         \<and> WF(RPCNext crCh rmCh rst p)_(r p)
         \<longrightarrow> (S5 rmhist p \<leadsto> S6 rmhist p)"
  by (rule WF1 S5_successors S5RPC_successors S5RPC_enabled)+
(* ------------------------------ State S6 ------------------------------ *)
(* Successor states of S6 under one implementation step: S1, S3 or S6.
   Note that S3 is a possible successor, i.e. the state cycle
   S3 \<leadsto> ... \<leadsto> S6 may repeat; this is why S6_live below needs
   strong rather than weak fairness.  Step lemma: Step1_2_6. *)
lemma S6_successors: "\<turnstile> $S6 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
         \<longrightarrow> (S1 rmhist p)$ \<or> (S3 rmhist p)$ \<or> (S6 rmhist p)$"
  apply split_idle
  apply (auto dest!: Step1_2_6 [temp_use])
  done
(* A non-stuttering MClkReply step taken from S6 leads to S1.
   MClkReplyNotRetry is used together with Step1_2_6, presumably to
   exclude the retry alternative that would lead back to S3. *)
lemma S6MClkReply_successors:
  "\<turnstile> ($S6 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
         \<and> <MClkReply memCh crCh cst p>_(c p)
         \<longrightarrow> (S1 rmhist p)$"
  by (auto simp: angle_def dest!: Step1_2_6 [temp_use] MClkReplyNotRetry [temp_use])
(* Under the implementation invariant ImpInv, a non-stuttering MClkReply
   step can only be taken in S6: unfolding ImpInv, MClkReply (with
   AReturn_def) and the definitions of S1..S5 rules out every other
   state by simplification alone (no intro/elim rules are passed). *)
lemma MClkReplyS6:
  "\<turnstile> $ImpInv rmhist p \<and> <MClkReply memCh crCh cst p>_(c p) \<longrightarrow> $S6 rmhist p"
  by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm angle_def},
    @{thm MClkReply_def}, @{thm AReturn_def}, @{thm ImpInv_def}, @{thm S_def},
    @{thm S1_def}, @{thm S2_def}, @{thm S3_def}, @{thm S4_def}, @{thm S5_def}]) [] [] 1\<close>)
(* In S6 the clerk action MClkReply is enabled.  Stated as a plain
   state predicate (no $ / ImpNext hypotheses), since S6_live uses it
   inside \<box>\<diamond>.  Side conditions via MI_base / base_pair; the remaining
   goals are closed by unfolding S6 with action_simp_tac on all goals. *)
lemma S6MClkReply_enabled: "\<turnstile> S6 rmhist p \<longrightarrow> Enabled (<MClkReply memCh crCh cst p>_(c p))"
  apply (auto simp: c_def intro!: MClkReply_enabled [temp_use])
     apply (cut_tac MI_base)
     apply (blast dest: base_pair)
    apply (tactic \<open>ALLGOALS (action_simp_tac (@{context}
      addsimps [@{thm S_def}, @{thm S6_def}]) [] [])\<close>)
  done
(* Progress out of S6.  This is the one place where STRONG fairness (SF)
   of MClkReply is assumed, and the conclusion is \<box>\<diamond>S1 rather than a
   \<leadsto> property: if S6 holds infinitely often, S1 holds infinitely
   often.  The invariant ImpInv is needed so that MClkReplyS6 applies.
   Proof outline:
     1. Assume (subgoal_tac) that MClkReply steps occur infinitely often.
        Then InfiniteEnsures, fed with MClkReplyS6 (each such step starts
        in S6) and S6MClkReply_successors (each such step ends in S1),
        yields \<box>\<diamond>S1.
     2. Discharge that assumption from SF: unfold SF_def, argue by
        contraposition, and show with S6MClkReply_enabled that the action
        is infinitely often enabled because S6 is. *)
lemma S6_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> $(ImpInv rmhist p))
         \<and> SF(MClkReply memCh crCh cst p)_(c p) \<and> \<box>\<diamond>(S6 rmhist p)
         \<longrightarrow> \<box>\<diamond>(S1 rmhist p)"
  apply clarsimp
  apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond> (<MClkReply memCh crCh cst p>_ (c p))")
   (* step 1: infinitely many MClkReply steps give infinitely many S1 states *)
   apply (erule InfiniteEnsures)
    apply assumption
   apply (tactic \<open>action_simp_tac @{context} []
     (map (temp_elim @{context}) [@{thm MClkReplyS6}, @{thm S6MClkReply_successors}]) 1\<close>)
  (* step 2: obtain the subgoal from strong fairness and S6MClkReply_enabled *)
  apply (auto simp: SF_def)
  apply (erule contrapos_np)
  apply (auto intro!: S6MClkReply_enabled [temp_use] elim!: STL4E [temp_use] DmdImplE [temp_use])
  done
(* --------------- aggregate leadsto properties----------------------------- *)
(* Aggregation step: from S5 \<leadsto> S6 obtain (S5 \<or> S6) \<leadsto> S6.
   The disjunction is split with LatticeDisjunctionIntro; the S6 case
   is LatticeReflexivity.  Stated as a meta-level rule over a fixed
   behaviour sigma (\<Turnstile>), as are the remaining aggregation lemmas. *)
lemma S5S6LeadstoS6: "sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p
      \<Longrightarrow> sigma \<Turnstile> (S5 rmhist p \<or> S6 rmhist p) \<leadsto> S6 rmhist p"
  by (auto intro!: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
(* Aggregation step: S4b \<leadsto> S5 and S5 \<leadsto> S6 give
   (S4b \<or> S5 \<or> S6) \<leadsto> S6.  The S4b disjunct is chained through S5 by
   LatticeTransitivity; the rest is S5S6LeadstoS6. *)
lemma S4bS5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
      \<Longrightarrow> sigma \<Turnstile> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p \<or> S6 rmhist p
                    \<leadsto> S6 rmhist p"
  by (auto intro!: LatticeDisjunctionIntro [temp_use]
    S5S6LeadstoS6 [temp_use] intro: LatticeTransitivity [temp_use])
(* Aggregation step: (S4 \<or> S5 \<or> S6) \<leadsto> S6, from the S4a/S4b/S5 leadsto
   facts proved above.  Since the hypotheses distinguish S4a and S4b,
   the proof goes through the four-way disjunction
     S4a \<or> S4b \<or> S5 \<or> S6
   (the subgoal_tac):
     - the original goal follows from it by LatticeTransitivity, the
       missing (S4 \<or> S5 \<or> S6) \<leadsto> (S4a \<or> S4b \<or> S5 \<or> S6) being a
       plain implication (ImplLeadsto_gen / necT, unfolding Init_defs),
       since S4 is the disjunction of S4a and S4b;
     - the four-way claim is split with LatticeDisjunctionIntro: the S4a
       disjunct is chained through S4b \<or> S5 (LatticeTransitivity,
       LatticeTriangle2), the remaining three-way disjunction is
       S4bS5S6LeadstoS6. *)
lemma S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
                  \<leadsto> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p;
         sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
      \<Longrightarrow> sigma \<Turnstile> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p \<leadsto> S6 rmhist p"
  apply (subgoal_tac "sigma \<Turnstile> (S4 rmhist p \<and> ires!p = #NotAResult) \<or>
    (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p \<or> S6 rmhist p \<leadsto> S6 rmhist p")
   (* goal from the four-way disjunction: transitivity + implication *)
   apply (erule_tac G = "PRED ((S4 rmhist p \<and> ires!p = #NotAResult) \<or>
     (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p \<or> S6 rmhist p)" in
     LatticeTransitivity [temp_use])
   apply (force simp: Init_defs intro!: ImplLeadsto_gen [temp_use] necT [temp_use])
  (* the four-way disjunction itself *)
  apply (rule LatticeDisjunctionIntro [temp_use])
   apply (erule LatticeTransitivity [temp_use])
   apply (erule LatticeTriangle2 [temp_use])
   apply assumption
  apply (auto intro!: S4bS5S6LeadstoS6 [temp_use])
  done
lemma S3S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p;
         sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
                  \<leadsto> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p;
         sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
      \<Longrightarrow> sigma \<Turnstile> S3 rmhist p \<or> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p \<leadsto> S6 rmhist p"
  apply (rule LatticeDisjunctionIntro [temp_use])
   apply (erule LatticeTriangle2 [temp_use])
   apply (rule S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
      apply (auto intro!: S4S5S6LeadstoS6 [temp_use] necT [temp_use]
        intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
  done
lemma S2S3S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S2 rmhist p \<leadsto> S3 rmhist p;
         sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p;
         sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
                  \<leadsto> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<or> S5 rmhist p;
         sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
      \<Longrightarrow> sigma \<Turnstile> S2 rmhist p \<or> S3 rmhist p \<or> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p
                   \<leadsto> S6 rmhist p"
  apply (rule LatticeDisjunctionIntro [temp_use])
   apply (rule LatticeTransitivity [temp_use])
    prefer 2 apply assumption
   apply (rule S3S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
       apply (auto intro!: S3S4S5S6LeadstoS6 [temp_use] necT [temp_use]
         intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
  done
lemma NotS1LeadstoS6: "\<lbrakk> sigma \<Turnstile> \<box>ImpInv rmhist p;
         sigma \<Turnstile> S2 rmhist p \<leadsto> S3 rmhist p;
         sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p;
         sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
                  \<leadsto> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<or> S5 rmhist p;
         sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
         sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
      \<Longrightarrow> sigma \<Turnstile> \<not>S1 rmhist p \<leadsto> S6 rmhist p"
  apply (rule S2S3S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
       apply assumption+
  apply (erule INV_leadsto [temp_use])
  apply (rule ImplLeadsto_gen [temp_use])
  apply (rule necT [temp_use])
  apply (auto simp: ImpInv_def Init_defs intro!: necT [temp_use])
  done
lemma S1Infinite: "\<lbrakk> sigma \<Turnstile> \<not>S1 rmhist p \<leadsto> S6 rmhist p;
         sigma \<Turnstile> \<box>\<diamond>S6 rmhist p \<longrightarrow> \<box>\<diamond>S1 rmhist p \<rbrakk>
      \<Longrightarrow> sigma \<Turnstile> \<box>\<diamond>S1 rmhist p"
  apply (rule classical)
  apply (tactic \<open>asm_lr_simp_tac (@{context} addsimps
    [temp_use @{context} @{thm NotBox}, temp_rewrite @{context} @{thm NotDmd}]) 1\<close>)
  apply (auto elim!: leadsto_infinite [temp_use] mp dest!: DBImplBD [temp_use])
  done
section "Refinement proof (step 1.5)"
(* Prove invariants of the implementation:
   a. memory invariant
   b. "implementation invariant": always in states S1,...,S6
*)
lemma Step1_5_1a: "\<turnstile> IPImp p \<longrightarrow> (\<forall>l. \<box>$MemInv mm l)"
  by (auto simp: IPImp_def box_stp_act [temp_use] intro!: MemoryInvariantAll [temp_use])
lemma Step1_5_1b: "\<turnstile> Init(ImpInit p \<and> HInit rmhist p) \<and> \<box>(ImpNext p)
         \<and> \<box>[HNext rmhist p]_(c p, r p, m p, rmhist!p) \<and> \<box>(\<forall>l. $MemInv mm l)
         \<longrightarrow> \<box>ImpInv rmhist p"
  apply invariant
   apply (auto simp: Init_def ImpInv_def box_stp_act [temp_use]
     dest!: Step1_1 [temp_use] dest: S1_successors [temp_use] S2_successors [temp_use]
     S3_successors [temp_use] S4_successors [temp_use] S5_successors [temp_use]
     S6_successors [temp_use])
  done
(*** Initialization ***)
lemma Step1_5_2a: "\<turnstile> Init(ImpInit p \<and> HInit rmhist p) \<longrightarrow> Init(PInit (resbar rmhist) p)"
  by (auto simp: Init_def intro!: Step1_1 [temp_use] Step1_3  [temp_use])
(*** step simulation ***)
lemma Step1_5_2b: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p)
         \<and> $ImpInv rmhist p \<and> (\<forall>l. $MemInv mm l))
         \<longrightarrow> \<box>[UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
  by (auto simp: ImpInv_def elim!: STL4E [temp_use]
    dest!: S1safe [temp_use] S2safe [temp_use] S3safe [temp_use] S4safe [temp_use]
    S5safe [temp_use] S6safe [temp_use])
(*** Liveness ***)
lemma GoodImpl: "\<turnstile> IPImp p \<and> HistP rmhist p
         \<longrightarrow>   Init(ImpInit p \<and> HInit rmhist p)
             \<and> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
             \<and> \<box>(\<forall>l. $MemInv mm l) \<and> \<box>($ImpInv rmhist p)
             \<and> ImpLive p"
  apply clarsimp
    apply (subgoal_tac "sigma \<Turnstile> Init (ImpInit p \<and> HInit rmhist p) \<and> \<box> (ImpNext p) \<and>
      \<box>[HNext rmhist p]_ (c p, r p, m p, rmhist!p) \<and> \<box> (\<forall>l. $MemInv mm l)")
   apply (auto simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
       dest!: Step1_5_1b [temp_use])
      apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def
        ImpLive_def c_def r_def m_def)
      apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def
        HistP_def Init_def ImpInit_def)
    apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def
      ImpNext_def c_def r_def m_def split_box_conj [temp_use])
   apply (force simp: HistP_def)
  apply (force simp: allT [temp_use] dest!: Step1_5_1a [temp_use])
  done
(* The implementation is infinitely often in state S1... *)
lemma Step1_5_3a: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         \<and> \<box>(\<forall>l. $MemInv mm l)
         \<and> \<box>($ImpInv rmhist p) \<and> ImpLive p
         \<longrightarrow> \<box>\<diamond>S1 rmhist p"
  apply (clarsimp simp: ImpLive_def)
  apply (rule S1Infinite)
   apply (force simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
     intro!: NotS1LeadstoS6 [temp_use] S2_live [temp_use] S3_live [temp_use]
     S4a_live [temp_use] S4b_live [temp_use] S5_live [temp_use])
  apply (auto simp: split_box_conj [temp_use] intro!: S6_live [temp_use])
  done
(* ... and therefore satisfies the fairness requirements of the specification *)
lemma Step1_5_3b: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         \<and> \<box>(\<forall>l. $MemInv mm l) \<and> \<box>($ImpInv rmhist p) \<and> ImpLive p
         \<longrightarrow> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  by (auto intro!: RNext_fair [temp_use] Step1_5_3a [temp_use])
lemma Step1_5_3c: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         \<and> \<box>(\<forall>l. $MemInv mm l) \<and> \<box>($ImpInv rmhist p) \<and> ImpLive p
         \<longrightarrow> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
  by (auto intro!: Return_fair [temp_use] Step1_5_3a [temp_use])
(* QED step of step 1 *)
lemma Step1: "\<turnstile> IPImp p \<and> HistP rmhist p \<longrightarrow> UPSpec memCh mm (resbar rmhist) p"
  by (auto simp: UPSpec_def split_box_conj [temp_use]
    dest!: GoodImpl [temp_use] intro!: Step1_5_2a [temp_use] Step1_5_2b [temp_use]
    Step1_5_3b [temp_use] Step1_5_3c [temp_use])
(* ------------------------------ Step 2 ------------------------------ *)
section "Step 2"
lemma Step2_2a: "\<turnstile> Write rmCh mm ires p l \<and> ImpNext p
         \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p)
         \<and> $ImpInv rmhist p
         \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (e p, c p, r p, rmhist!p)"
  apply clarsimp
  apply (drule WriteS4 [action_use])
   apply assumption
  apply split_idle
  apply (auto simp: ImpNext_def dest!: S4EnvUnch [temp_use] S4ClerkUnch [temp_use]
    S4RPCUnch [temp_use])
     apply (auto simp: square_def dest: S4Write [temp_use])
  done
lemma Step2_2: "\<turnstile>   (\<forall>p. ImpNext p)
         \<and> (\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
         \<and> (\<forall>p. $ImpInv rmhist p)
         \<and> [\<exists>q. Write rmCh mm ires q l]_(mm!l)
         \<longrightarrow> [\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
  apply (auto intro!: squareCI elim!: squareE)
  apply (assumption | rule exI Step1_4_4b [action_use])+
    apply (force intro!: WriteS4 [temp_use])
   apply (auto dest!: Step2_2a [temp_use])
  done
lemma Step2_lemma: "\<turnstile> \<box>(  (\<forall>p. ImpNext p)
            \<and> (\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
            \<and> (\<forall>p. $ImpInv rmhist p)
            \<and> [\<exists>q. Write rmCh mm ires q l]_(mm!l))
         \<longrightarrow> \<box>[\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
  by (force elim!: STL4E [temp_use] dest!: Step2_2 [temp_use])
lemma Step2: "\<turnstile> #l \<in> #MemLoc \<and> (\<forall>p. IPImp p \<and> HistP rmhist p)
         \<longrightarrow> MSpec memCh mm (resbar rmhist) l"
  apply (auto simp: MSpec_def)
   apply (force simp: IPImp_def MSpec_def)
  apply (auto intro!: Step2_lemma [temp_use] simp: split_box_conj [temp_use] all_box [temp_use])
     prefer 4
     apply (force simp: IPImp_def MSpec_def)
    apply (auto simp: split_box_conj [temp_use] elim!: allE dest!: GoodImpl [temp_use])
  done
(* ----------------------------- Main theorem --------------------------------- *)
section "Memory implementation"
(* The combination of a legal caller, the memory clerk, the RPC component,
   and a reliable memory implement the unreliable memory.
*)
(* Implementation of internal specification by combination of implementation
   and history variable with explicit refinement mapping
*)
lemma Impl_IUSpec: "\<turnstile> Implementation \<and> Hist rmhist \<longrightarrow> IUSpec memCh mm (resbar rmhist)"
  by (auto simp: IUSpec_def Implementation_def IPImp_def MClkISpec_def
    RPCISpec_def IRSpec_def Hist_def intro!: Step1 [temp_use] Step2 [temp_use])
(* The main theorem: introduce hiding and eliminate history variable. *)
lemma Implementation: "\<turnstile> Implementation \<longrightarrow> USpec memCh"
  apply clarsimp
  apply (frule History [temp_use])
  apply (auto simp: USpec_def intro: eexI [temp_use] Impl_IUSpec [temp_use]
    MI_base [temp_use] elim!: eexE)
  done
end