|
3807
|
1 |
(*
|
|
|
2 |
File: MIsafe.ML
|
|
|
3 |
Author: Stephan Merz
|
|
|
4 |
Copyright: 1997 University of Munich
|
|
|
5 |
|
|
|
6 |
RPC-Memory example: Lower-level lemmas about memory implementation (safety)
|
|
|
7 |
*)
|
|
|
8 |
|
|
|
9 |
(* ========================= Lemmas about values ========================= *)
|
|
|
10 |
|
|
|
11 |
(* RPCFailure notin MemVals U {OK,BadArg} *)
|
|
|
12 |
|
|
6255
|
13 |
qed_goalw "MVOKBAnotRF" MemoryImplementation.thy [MVOKBA_def]
|
|
3807
|
14 |
"!!x. MVOKBA x ==> x ~= RPCFailure"
|
|
6255
|
15 |
(fn _ => [ Auto_tac ]);
|
|
3807
|
16 |
|
|
|
17 |
(* NotAResult notin MemVals U {OK,BadArg,RPCFailure} *)
|
|
|
18 |
|
|
6255
|
19 |
qed_goalw "MVOKBARFnotNR" MemoryImplementation.thy [MVOKBARF_def]
|
|
3807
|
20 |
"!!x. MVOKBARF x ==> x ~= NotAResult"
|
|
6255
|
21 |
(fn _ => [ Auto_tac ]);
|
|
3807
|
22 |
|
|
|
23 |
(* ========================= Si's are mutually exclusive ==================================== *)
|
|
|
24 |
(* Si and Sj are mutually exclusive for i # j. This helps to simplify the big
|
|
|
25 |
conditional in the definition of resbar when doing the step-simulation proof.
|
|
|
26 |
We prove a weaker result, which suffices for our purposes:
|
|
|
27 |
Si implies (not Sj), for j<i.
|
|
|
28 |
*)
|
|
|
29 |
|
|
|
30 |
(* --- not used ---
|
|
|
31 |
qed_goal "S1_excl" MemoryImplementation.thy
|
|
6255
|
32 |
"|- S1 rmhist p --> S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p & \
|
|
|
33 |
\ ~S4 rmhist p & ~S5 rmhist p & ~S6 rmhist p"
|
|
3807
|
34 |
(fn _ => [ auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def,
|
|
|
35 |
S3_def, S4_def, S5_def, S6_def])
|
|
|
36 |
]);
|
|
|
37 |
*)
|
|
|
38 |
|
|
|
39 |
qed_goal "S2_excl" MemoryImplementation.thy
|
|
6255
|
40 |
"|- S2 rmhist p --> S2 rmhist p & ~S1 rmhist p"
|
|
3807
|
41 |
(fn _ => [ auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def]) ]);
|
|
|
42 |
|
|
|
43 |
qed_goal "S3_excl" MemoryImplementation.thy
|
|
6255
|
44 |
"|- S3 rmhist p --> S3 rmhist p & ~S1 rmhist p & ~S2 rmhist p"
|
|
3807
|
45 |
(fn _ => [ auto_tac (MI_css addsimps2 [S_def, S1_def, S2_def, S3_def]) ]);
|
|
|
46 |
|
|
|
47 |
qed_goal "S4_excl" MemoryImplementation.thy
|
|
6255
|
48 |
"|- S4 rmhist p --> S4 rmhist p & ~S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p"
|
|
3807
|
49 |
(fn _ => [ auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def]) ]);
|
|
|
50 |
|
|
|
51 |
qed_goal "S5_excl" MemoryImplementation.thy
|
|
6255
|
52 |
"|- S5 rmhist p --> S5 rmhist p & ~S1 rmhist p & ~S2 rmhist p \
|
|
|
53 |
\ & ~S3 rmhist p & ~S4 rmhist p"
|
|
3807
|
54 |
(fn _ => [ auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def,S5_def]) ]);
|
|
|
55 |
|
|
|
56 |
qed_goal "S6_excl" MemoryImplementation.thy
|
|
6255
|
57 |
"|- S6 rmhist p --> S6 rmhist p & ~S1 rmhist p & ~S2 rmhist p \
|
|
|
58 |
\ & ~S3 rmhist p & ~S4 rmhist p & ~S5 rmhist p"
|
|
3807
|
59 |
(fn _ => [ auto_tac (MI_css addsimps2 [S_def,S1_def,S2_def,S3_def,S4_def,S5_def,S6_def]) ]);
|
|
|
60 |
|
|
|
61 |
|
|
|
62 |
(* ==================== Lemmas about the environment ============================== *)
|
|
|
63 |
|
|
|
64 |
qed_goal "Envbusy" MemoryImplementation.thy
|
|
6255
|
65 |
"|- $(Calling memCh p) --> ~ENext p"
|
|
3807
|
66 |
(fn _ => [ auto_tac (MI_css addsimps2 [ENext_def,Call_def]) ]);
|
|
|
67 |
|
|
|
68 |
(* ==================== Lemmas about the implementation's states ==================== *)
|
|
|
69 |
|
|
|
70 |
(* The following series of lemmas are used in establishing the implementation's
|
|
|
71 |
next-state relation (Step 1.2 of the proof in the paper). For each state Si, we
|
|
6255
|
72 |
determine which component actions are possible and what state they result in.
|
|
3807
|
73 |
*)
|
|
|
74 |
|
|
|
75 |
(* ------------------------------ State S1 ---------------------------------------- *)
|
|
|
76 |
|
|
|
77 |
qed_goal "S1Env" MemoryImplementation.thy
|
|
6255
|
78 |
"|- ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p) --> (S2 rmhist p)$"
|
|
|
79 |
(fn _ => [force_tac (MI_css
|
|
|
80 |
addsimps2 [ENext_def,Call_def,c_def,r_def,m_def,
|
|
|
81 |
caller_def,rtrner_def,MVNROKBA_def,
|
|
|
82 |
S_def,S1_def,S2_def,Calling_def]) 1
|
|
3807
|
83 |
]);
|
|
|
84 |
|
|
|
85 |
qed_goal "S1ClerkUnch" MemoryImplementation.thy
|
|
6255
|
86 |
"|- [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) --> unchanged (c p)"
|
|
|
87 |
(fn _ => [auto_tac (MI_fast_css addSDs2 [MClkidle] addsimps2 [S_def,S1_def]) ]);
|
|
3807
|
88 |
|
|
|
89 |
qed_goal "S1RPCUnch" MemoryImplementation.thy
|
|
6255
|
90 |
"|- [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) --> unchanged (r p)"
|
|
|
91 |
(fn _ => [auto_tac (MI_fast_css addSDs2 [RPCidle] addsimps2 [S_def,S1_def]) ]);
|
|
3807
|
92 |
|
|
|
93 |
qed_goal "S1MemUnch" MemoryImplementation.thy
|
|
6255
|
94 |
"|- [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) --> unchanged (m p)"
|
|
|
95 |
(fn _ => [auto_tac (MI_fast_css addSDs2 [Memoryidle] addsimps2 [S_def,S1_def]) ]);
|
|
3807
|
96 |
|
|
|
97 |
qed_goal "S1Hist" MemoryImplementation.thy
|
|
6255
|
98 |
"|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p) --> unchanged (rmhist!p)"
|
|
|
99 |
(fn _ => [action_simp_tac (simpset() addsimps [HNext_def, S_def, S1_def, MemReturn_def,
|
|
|
100 |
RPCFail_def,MClkReply_def,Return_def])
|
|
|
101 |
[] [squareE] 1
|
|
3807
|
102 |
]);
|
|
|
103 |
|
|
|
104 |
(* ------------------------------ State S2 ---------------------------------------- *)
|
|
|
105 |
|
|
|
106 |
qed_goal "S2EnvUnch" MemoryImplementation.thy
|
|
6255
|
107 |
"|- [ENext p]_(e p) & $(S2 rmhist p) --> unchanged (e p)"
|
|
|
108 |
(fn _ => [auto_tac (MI_css addSDs2 [Envbusy] addsimps2 [S_def,S2_def]) ]);
|
|
3807
|
109 |
|
|
|
110 |
qed_goal "S2Clerk" MemoryImplementation.thy
|
|
6255
|
111 |
"|- MClkNext memCh crCh cst p & $(S2 rmhist p) --> MClkFwd memCh crCh cst p"
|
|
|
112 |
(fn _ => [auto_tac (MI_css addsimps2 [MClkNext_def,MClkRetry_def,MClkReply_def,
|
|
|
113 |
S_def,S2_def])
|
|
3807
|
114 |
]);
|
|
|
115 |
|
|
|
116 |
qed_goal "S2Forward" MemoryImplementation.thy
|
|
6255
|
117 |
"|- $(S2 rmhist p) & MClkFwd memCh crCh cst p & unchanged (e p, r p, m p, rmhist!p) \
|
|
|
118 |
\ --> (S3 rmhist p)$"
|
|
4089
|
119 |
(fn _ => [action_simp_tac (simpset() addsimps
|
|
3807
|
120 |
[MClkFwd_def,Call_def,e_def,r_def,m_def,caller_def,rtrner_def,
|
|
|
121 |
S_def,S2_def,S3_def,Calling_def])
|
|
|
122 |
[] [] 1
|
|
|
123 |
]);
|
|
|
124 |
|
|
|
125 |
qed_goal "S2RPCUnch" MemoryImplementation.thy
|
|
6255
|
126 |
"|- [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) --> unchanged (r p)"
|
|
|
127 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S2_def] addSDs2 [RPCidle]) ]);
|
|
3807
|
128 |
|
|
|
129 |
qed_goal "S2MemUnch" MemoryImplementation.thy
|
|
6255
|
130 |
"|- [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) --> unchanged (m p)"
|
|
|
131 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S2_def] addSDs2 [Memoryidle]) ]);
|
|
3807
|
132 |
|
|
|
133 |
qed_goal "S2Hist" MemoryImplementation.thy
|
|
6255
|
134 |
"|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p) --> unchanged (rmhist!p)"
|
|
3807
|
135 |
(fn _ => [auto_tac (MI_fast_css
|
|
6255
|
136 |
addsimps2 [HNext_def,MemReturn_def,
|
|
3807
|
137 |
RPCFail_def,MClkReply_def,Return_def,S_def,S2_def])
|
|
|
138 |
]);
|
|
|
139 |
|
|
|
140 |
(* ------------------------------ State S3 ---------------------------------------- *)
|
|
|
141 |
|
|
|
142 |
qed_goal "S3EnvUnch" MemoryImplementation.thy
|
|
6255
|
143 |
"|- [ENext p]_(e p) & $(S3 rmhist p) --> unchanged (e p)"
|
|
|
144 |
(fn _ => [auto_tac (MI_css addSDs2 [Envbusy] addsimps2 [S_def,S3_def]) ]);
|
|
3807
|
145 |
|
|
|
146 |
qed_goal "S3ClerkUnch" MemoryImplementation.thy
|
|
6255
|
147 |
"|- [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) --> unchanged (c p)"
|
|
|
148 |
(fn _ => [auto_tac (MI_css addSDs2 [MClkbusy] addsimps2 [square_def,S_def,S3_def]) ]);
|
|
3807
|
149 |
|
|
|
150 |
qed_goal "S3LegalRcvArg" MemoryImplementation.thy
|
|
6255
|
151 |
"|- S3 rmhist p --> IsLegalRcvArg<arg<crCh!p>>"
|
|
|
152 |
(fn _ => [auto_tac (MI_css addsimps2 [IsLegalRcvArg_def,MClkRelayArg_def,S_def,S3_def]) ]);
|
|
3807
|
153 |
|
|
|
154 |
qed_goal "S3RPC" MemoryImplementation.thy
|
|
6255
|
155 |
"|- RPCNext crCh rmCh rst p & $(S3 rmhist p) \
|
|
|
156 |
\ --> RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p"
|
|
|
157 |
(fn _ => [Clarsimp_tac 1,
|
|
|
158 |
forward_tac [action_use S3LegalRcvArg] 1,
|
|
3807
|
159 |
auto_tac (MI_css addsimps2 [RPCNext_def,RPCReject_def,RPCReply_def,S_def,S3_def])
|
|
|
160 |
]);
|
|
|
161 |
|
|
|
162 |
qed_goal "S3Forward" MemoryImplementation.thy
|
|
6255
|
163 |
"|- RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p) & unchanged (e p, c p, m p) \
|
|
|
164 |
\ --> (S4 rmhist p)$ & unchanged (rmhist!p)"
|
|
3807
|
165 |
(fn _ => [action_simp_tac
|
|
4089
|
166 |
(simpset() addsimps [RPCFwd_def,HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
|
|
3807
|
167 |
Return_def,Call_def,e_def,c_def,m_def,caller_def,rtrner_def,
|
|
|
168 |
S_def,S3_def,S4_def,Calling_def])
|
|
|
169 |
[] [] 1
|
|
|
170 |
]);
|
|
|
171 |
|
|
|
172 |
qed_goal "S3Fail" MemoryImplementation.thy
|
|
6255
|
173 |
"|- RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p & unchanged (e p, c p, m p) \
|
|
|
174 |
\ --> (S6 rmhist p)$"
|
|
3807
|
175 |
(fn _ => [action_simp_tac
|
|
4089
|
176 |
(simpset() addsimps [HNext_def,RPCFail_def,Return_def,e_def,c_def,m_def,
|
|
3807
|
177 |
caller_def,rtrner_def,MVOKBARF_def,
|
|
|
178 |
S_def,S3_def,S6_def,Calling_def])
|
|
|
179 |
[] [] 1
|
|
|
180 |
]);
|
|
|
181 |
|
|
|
182 |
qed_goal "S3MemUnch" MemoryImplementation.thy
|
|
6255
|
183 |
"|- [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) --> unchanged (m p)"
|
|
|
184 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S3_def] addSDs2 [Memoryidle]) ]);
|
|
3807
|
185 |
|
|
|
186 |
qed_goal "S3Hist" MemoryImplementation.thy
|
|
6255
|
187 |
"|- HNext rmhist p & $(S3 rmhist p) & unchanged (r p) --> unchanged (rmhist!p)"
|
|
|
188 |
(fn _ => [auto_tac (MI_css
|
|
3807
|
189 |
addsimps2 [HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
|
|
|
190 |
Return_def,r_def,rtrner_def,S_def,S3_def,Calling_def])
|
|
|
191 |
]);
|
|
|
192 |
|
|
|
193 |
|
|
|
194 |
(* ------------------------------ State S4 ---------------------------------------- *)
|
|
|
195 |
|
|
|
196 |
qed_goal "S4EnvUnch" MemoryImplementation.thy
|
|
6255
|
197 |
"|- [ENext p]_(e p) & $(S4 rmhist p) --> unchanged (e p)"
|
|
|
198 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S4_def] addSDs2 [Envbusy]) ]);
|
|
3807
|
199 |
|
|
|
200 |
qed_goal "S4ClerkUnch" MemoryImplementation.thy
|
|
6255
|
201 |
"|- [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) --> unchanged (c p)"
|
|
|
202 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S4_def] addSDs2 [MClkbusy]) ]);
|
|
3807
|
203 |
|
|
|
204 |
qed_goal "S4RPCUnch" MemoryImplementation.thy
|
|
6255
|
205 |
"|- [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) --> unchanged (r p)"
|
|
|
206 |
(fn _ => [auto_tac (MI_fast_css addsimps2 [S_def,S4_def] addSDs2 [RPCbusy]) ]);
|
|
3807
|
207 |
|
|
|
208 |
qed_goal "S4ReadInner" MemoryImplementation.thy
|
|
6255
|
209 |
"|- ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p) \
|
|
|
210 |
\ & HNext rmhist p & $(MemInv mm l) \
|
|
|
211 |
\ --> (S4 rmhist p)$ & unchanged (rmhist!p)"
|
|
3807
|
212 |
(fn _ => [action_simp_tac
|
|
4089
|
213 |
(simpset() addsimps [ReadInner_def,GoodRead_def, BadRead_def,HNext_def,
|
|
3807
|
214 |
MemReturn_def, RPCFail_def,MClkReply_def,Return_def,
|
|
|
215 |
e_def,c_def,r_def,rtrner_def,caller_def,MVNROKBA_def,
|
|
|
216 |
S_def,S4_def,RdRequest_def,Calling_def,MemInv_def])
|
|
|
217 |
[] [] 1
|
|
|
218 |
]);
|
|
|
219 |
|
|
|
220 |
qed_goal "S4Read" MemoryImplementation.thy
|
|
6255
|
221 |
"|- Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p) \
|
|
|
222 |
\ & HNext rmhist p & (!l. $MemInv mm l) \
|
|
|
223 |
\ --> (S4 rmhist p)$ & unchanged (rmhist!p)"
|
|
|
224 |
(fn _ => [auto_tac (MI_css addsimps2 [Read_def] addSDs2 [S4ReadInner]) ]);
|
|
3807
|
225 |
|
|
|
226 |
qed_goal "S4WriteInner" MemoryImplementation.thy
|
|
6255
|
227 |
"|- WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p) \
|
|
|
228 |
\ & HNext rmhist p \
|
|
|
229 |
\ --> (S4 rmhist p)$ & unchanged (rmhist!p)"
|
|
3807
|
230 |
(fn _ => [action_simp_tac
|
|
4089
|
231 |
(simpset() addsimps [WriteInner_def,GoodWrite_def, BadWrite_def,HNext_def,
|
|
3807
|
232 |
MemReturn_def,RPCFail_def,MClkReply_def,Return_def,
|
|
|
233 |
e_def,c_def,r_def,rtrner_def,caller_def,MVNROKBA_def,
|
|
|
234 |
S_def,S4_def,WrRequest_def,Calling_def])
|
|
|
235 |
[] [] 1
|
|
|
236 |
]);
|
|
|
237 |
|
|
|
238 |
qed_goal "S4Write" MemoryImplementation.thy
|
|
6255
|
239 |
"|- Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p) & (HNext rmhist p) \
|
|
|
240 |
\ --> (S4 rmhist p)$ & unchanged (rmhist!p)"
|
|
|
241 |
(fn _ => [ auto_tac (MI_css addsimps2 [Write_def] addSDs2 [S4WriteInner]) ]);
|
|
3807
|
242 |
|
|
|
243 |
qed_goal "WriteS4" MemoryImplementation.thy
|
|
6255
|
244 |
"|- $ImpInv rmhist p & Write rmCh mm ires p l --> $S4 rmhist p"
|
|
|
245 |
(fn _ => [auto_tac (MI_css
|
|
3807
|
246 |
addsimps2 [Write_def,WriteInner_def,ImpInv_def,WrRequest_def,
|
|
|
247 |
S_def,S1_def,S2_def,S3_def,S4_def,S5_def,S6_def])
|
|
|
248 |
]);
|
|
|
249 |
|
|
|
250 |
qed_goal "S4Return" MemoryImplementation.thy
|
|
6255
|
251 |
"|- MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p) & HNext rmhist p \
|
|
|
252 |
\ --> (S5 rmhist p)$"
|
|
|
253 |
(fn _ => [auto_tac (MI_css
|
|
3807
|
254 |
addsimps2 [HNext_def,MemReturn_def,Return_def,e_def,c_def,r_def,
|
|
|
255 |
rtrner_def,caller_def,MVNROKBA_def,MVOKBA_def,
|
|
|
256 |
S_def,S4_def,S5_def,Calling_def])
|
|
|
257 |
]);
|
|
|
258 |
|
|
|
259 |
qed_goal "S4Hist" MemoryImplementation.thy
|
|
6255
|
260 |
"|- HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) --> (rmhist!p)$ = $(rmhist!p)"
|
|
|
261 |
(fn _ => [auto_tac (MI_css
|
|
3807
|
262 |
addsimps2 [HNext_def,MemReturn_def,RPCFail_def,MClkReply_def,
|
|
|
263 |
Return_def,m_def,rtrner_def,S_def,S4_def,Calling_def])
|
|
|
264 |
]);
|
|
|
265 |
|
|
|
266 |
(* ------------------------------ State S5 ---------------------------------------- *)
|
|
|
267 |
|
|
|
268 |
qed_goal "S5EnvUnch" MemoryImplementation.thy
|
|
6255
|
269 |
"|- [ENext p]_(e p) & $(S5 rmhist p) --> unchanged (e p)"
|
|
|
270 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [Envbusy]) ]);
|
|
3807
|
271 |
|
|
|
272 |
qed_goal "S5ClerkUnch" MemoryImplementation.thy
|
|
6255
|
273 |
"|- [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) --> unchanged (c p)"
|
|
|
274 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [MClkbusy]) ]);
|
|
3807
|
275 |
|
|
|
276 |
qed_goal "S5RPC" MemoryImplementation.thy
|
|
6255
|
277 |
"|- RPCNext crCh rmCh rst p & $(S5 rmhist p) \
|
|
|
278 |
\ --> RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p"
|
|
|
279 |
(fn _ => [auto_tac (MI_css
|
|
3807
|
280 |
addsimps2 [RPCNext_def,RPCReject_def,RPCFwd_def,S_def,S5_def])
|
|
|
281 |
]);
|
|
|
282 |
|
|
|
283 |
qed_goal "S5Reply" MemoryImplementation.thy
|
|
6255
|
284 |
"|- RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p) \
|
|
|
285 |
\ --> (S6 rmhist p)$"
|
|
3807
|
286 |
(fn _ => [action_simp_tac
|
|
4089
|
287 |
(simpset()
|
|
3807
|
288 |
addsimps [RPCReply_def,Return_def,e_def,c_def,m_def,
|
|
|
289 |
MVOKBA_def,MVOKBARF_def,caller_def,rtrner_def,
|
|
|
290 |
S_def,S5_def,S6_def,Calling_def])
|
|
|
291 |
[] [] 1
|
|
|
292 |
]);
|
|
|
293 |
|
|
|
294 |
qed_goal "S5Fail" MemoryImplementation.thy
|
|
6255
|
295 |
"|- RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p) \
|
|
|
296 |
\ --> (S6 rmhist p)$"
|
|
3807
|
297 |
(fn _ => [action_simp_tac
|
|
4089
|
298 |
(simpset()
|
|
3807
|
299 |
addsimps [RPCFail_def,Return_def,e_def,c_def,m_def,
|
|
|
300 |
MVOKBARF_def,caller_def,rtrner_def,
|
|
|
301 |
S_def,S5_def,S6_def,Calling_def])
|
|
|
302 |
[] [] 1
|
|
|
303 |
]);
|
|
|
304 |
|
|
|
305 |
qed_goal "S5MemUnch" MemoryImplementation.thy
|
|
6255
|
306 |
"|- [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) --> unchanged (m p)"
|
|
|
307 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S5_def] addSDs2 [Memoryidle]) ]);
|
|
3807
|
308 |
|
|
|
309 |
qed_goal "S5Hist" MemoryImplementation.thy
|
|
6255
|
310 |
"|- [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p) --> (rmhist!p)$ = $(rmhist!p)"
|
|
3807
|
311 |
(fn _ => [auto_tac (MI_fast_css
|
|
6255
|
312 |
addsimps2 [HNext_def,MemReturn_def,
|
|
3807
|
313 |
RPCFail_def,MClkReply_def,Return_def,S_def,S5_def])
|
|
|
314 |
]);
|
|
|
315 |
|
|
|
316 |
(* ------------------------------ State S6 ---------------------------------------- *)
|
|
|
317 |
|
|
|
318 |
qed_goal "S6EnvUnch" MemoryImplementation.thy
|
|
6255
|
319 |
"|- [ENext p]_(e p) & $(S6 rmhist p) --> unchanged (e p)"
|
|
|
320 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [Envbusy]) ]);
|
|
3807
|
321 |
|
|
|
322 |
qed_goal "S6Clerk" MemoryImplementation.thy
|
|
6255
|
323 |
"|- MClkNext memCh crCh cst p & $(S6 rmhist p) \
|
|
|
324 |
\ --> MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p"
|
|
|
325 |
(fn _ => [ auto_tac (MI_css addsimps2 [MClkNext_def,MClkFwd_def,S_def,S6_def]) ]);
|
|
3807
|
326 |
|
|
|
327 |
qed_goal "S6Retry" MemoryImplementation.thy
|
|
6255
|
328 |
"|- MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p & unchanged (e p,r p,m p) \
|
|
|
329 |
\ --> (S3 rmhist p)$ & unchanged (rmhist!p)"
|
|
3807
|
330 |
(fn _ => [action_simp_tac
|
|
4089
|
331 |
(simpset() addsimps [HNext_def,MClkReply_def,MClkRetry_def,Call_def,
|
|
3807
|
332 |
Return_def,e_def,r_def,m_def,caller_def,rtrner_def,
|
|
|
333 |
S_def,S6_def,S3_def,Calling_def])
|
|
|
334 |
[] [] 1]);
|
|
|
335 |
|
|
|
336 |
qed_goal "S6Reply" MemoryImplementation.thy
|
|
6255
|
337 |
"|- MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p & unchanged (e p,r p,m p) \
|
|
|
338 |
\ --> (S1 rmhist p)$"
|
|
4089
|
339 |
(fn _ => [action_simp_tac (simpset()
|
|
3807
|
340 |
addsimps [HNext_def,MemReturn_def,RPCFail_def,Return_def,
|
|
|
341 |
MClkReply_def,e_def,r_def,m_def,caller_def,rtrner_def,
|
|
|
342 |
S_def,S6_def,S1_def,Calling_def])
|
|
|
343 |
[] [] 1
|
|
|
344 |
]);
|
|
|
345 |
|
|
|
346 |
qed_goal "S6RPCUnch" MemoryImplementation.thy
|
|
6255
|
347 |
"|- [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p --> unchanged (r p)"
|
|
|
348 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [RPCidle]) ]);
|
|
3807
|
349 |
|
|
|
350 |
qed_goal "S6MemUnch" MemoryImplementation.thy
|
|
6255
|
351 |
"|- [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) --> unchanged (m p)"
|
|
|
352 |
(fn _ => [auto_tac (MI_css addsimps2 [S_def,S6_def] addSDs2 [Memoryidle]) ]);
|
|
3807
|
353 |
|
|
|
354 |
qed_goal "S6Hist" MemoryImplementation.thy
|
|
6255
|
355 |
"|- HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) --> (rmhist!p)$ = $(rmhist!p)"
|
|
|
356 |
(fn _ => [auto_tac (MI_css
|
|
3807
|
357 |
addsimps2 [HNext_def,MClkReply_def,Return_def,c_def,rtrner_def,
|
|
|
358 |
S_def,S6_def,Calling_def])
|
|
|
359 |
]);
|
|
6255
|
360 |
|