isabelle: src/HOL/HOLCF/IOA/NTP/Overview.thy@99a720d3ed8f (annotated)

72834 a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	1	chapter \<open>Isabelle Verification of a protocol using IOA\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	2
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	3	theory Overview
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	4	imports IOA.IOA
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	5	begin
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	6
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	7	section \<open>The System\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	8
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	9	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	10	The system being proved correct is a parallel composition of 4 processes:
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	11
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	12	Sender \|\| Schannel \|\| Receiver \|\| Rchannel
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	13
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	14	Accordingly, the system state is a 4-tuple:
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	15
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	16	(Sender_state, Schannel_state, Receiver_state, Rchannel_state)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	17	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	18
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	19
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	20	section \<open>Packets\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	21
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	22	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	23	The objects going over the medium from Sender to Receiver are modelled
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	24	with the type
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	25
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	26	'm packet = bool \<times> 'm
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	27
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	28	This expresses that messages (modelled by polymorphic type \<open>'m\<close>) are
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	29	sent with a single header bit. Packet fields are accessed by
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	30
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	31	hdr<b,m> = b
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	32	mesg<b,m> = m
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	33	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	34
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	35
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	36	section \<open>The Sender\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	37
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	38	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	39	The state of the process "Sender" is a 5-tuple:
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	40
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	41	1. messages : 'm list (* sq *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	42	2. sent : bool multiset (* ssent *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	43	3. received : bool multiset (* srcvd *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	44	4. header : bool (* sbit *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	45	5. mode : bool (* ssending *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	46	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	47
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	48
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	49	section \<open>The Receiver\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	50
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	51	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	52	The state of the process "Receiver" is a 5-tuple:
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	53
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	54	1. messages : 'm list (* rq *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	55	2. replies : bool multiset (* rsent *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	56	3. received : 'm packet multiset (* rrcvd *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	57	4. header : bool (* rbit *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	58	5. mode : bool (* rsending *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	59	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	60
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	61
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	62	section \<open>The Channels\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	63
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	64	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	65	The Sender and Receiver each have a proprietary channel, named
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	66	"Schannel" and "Rchannel" respectively. The messages sent by the Sender
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	67	and Receiver are never lost, but the channels may mix them
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	68	up. Accordingly, multisets are used in modelling the state of the
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	69	channels. The state of "Schannel" is modelled with the following type:
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	70
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	71	'm packet multiset
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	72
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	73	The state of "Rchannel" is modelled with the following type:
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	74
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	75	bool multiset
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	76
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	77	This expresses that replies from the Receiver are just one bit.
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	78
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	79	Both Channels are instances of an abstract channel, that is modelled with
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	80	the type
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	81
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	82	'a multiset.
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	83	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	84
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	85
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	86	section \<open>The events\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	87
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	88	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	89	An `execution' of the system is modelled by a sequence of
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	90
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	91	<system_state, action, system_state>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	92
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	93	transitions. The actions, or events, of the system are described by the
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	94	following ML-style datatype declaration:
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	95
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	96	'm action = S_msg ('m) (* Rqt for Sender to send mesg *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	97	\| R_msg ('m) (* Mesg taken from Receiver's queue *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	98	\| S_pkt_sr ('m packet) (* Packet arrives in Schannel *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	99	\| R_pkt_sr ('m packet) (* Packet leaves Schannel *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	100	\| S_pkt_rs (bool) (* Packet arrives in Rchannel *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	101	\| R_pkt_rs (bool) (* Packet leaves Rchannel *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	102	\| C_m_s (* Change mode in Sender *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	103	\| C_m_r (* Change mode in Receiver *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	104	\| C_r_s (* Change round in Sender *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	105	\| C_r_r ('m) (* Change round in Receiver *)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	106	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	107
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	108
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	109	section \<open>The Specification\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	110
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	111	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	112	The abstract description of system behaviour is given by defining an
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	113	IO/automaton named "Spec". The state of Spec is a message queue,
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	114	modelled as an "'m list". The only actions performed in the abstract
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	115	system are: "S_msg(m)" (putting message "m" at the end of the queue);
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	116	and "R_msg(m)" (taking message "m" from the head of the queue).
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	117	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	118
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	119
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	120	section \<open>The Verification\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	121
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	122	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	123	The verification proceeds by showing that a certain mapping ("hom") from
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	124	the concrete system state to the abstract system state is a `weak
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	125	possibilities map` from "Impl" to "Spec".
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	126
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	127	hom : (S_state * Sch_state * R_state * Rch_state) -> queue
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	128
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	129	The verification depends on several system invariants that relate the
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	130	states of the 4 processes. These invariants must hold in all reachable
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	131	states of the system. These invariants are difficult to make sense of;
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	132	however, we attempt to give loose English paraphrases of them.
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	133	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	134
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	135
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	136	subsection \<open>Invariant 1\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	137
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	138	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	139	This expresses that no packets from the Receiver to the Sender are
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	140	dropped by Rchannel. The analogous statement for Schannel is also true.
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	141
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	142	\<forall>b. R.replies b = S.received b + Rch b
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	143	\<and>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	144	\<forall>pkt. S.sent(hdr(pkt)) = R.received(hdr(b)) + Sch(pkt)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	145	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	146
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	147
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	148	subsection \<open>Invariant 2\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	149
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	150	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	151	This expresses a complicated relationship about how many messages are
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	152	sent and header bits.
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	153
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	154	R.header = S.header
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	155	\<and> S.mode = SENDING
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	156	\<and> R.replies (flip S.header) \<subseteq> S.sent (flip S.header)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	157	\<and> S.sent (flip S.header) \<subseteq> R.replies header
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	158	OR
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	159	R.header = flip S.header
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	160	\<and> R.mode = SENDING
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	161	\<and> S.sent (flip S.header) \<subseteq> R.replies S.header
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	162	\<and> R.replies S.header \<subseteq> S.sent S.header
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	163	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	164
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	165
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	166	subsection \<open>Invariant 3\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	167
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	168	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	169	The number of incoming messages in the Receiver plus the number of those
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	170	messages in transit (in Schannel) is not greater than the number of
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	171	replies, provided the message isn't current and the header bits agree.
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	172
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	173	let mesg = <S.header, m>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	174	in
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	175	R.header = S.header
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	176	\<Longrightarrow>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	177	\<forall>m. (S.messages = [] \<or> m \<noteq> hd S.messages)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	178	\<Longrightarrow> R.received mesg + Sch mesg \<subseteq> R.replies (flip S.header)
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	179	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	180
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	181
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	182	subsection \<open>Invariant 4\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	183
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	184	text \<open>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	185	If the headers are opposite, then the Sender queue has a message in it.
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	186
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	187	R.header = flip S.header \<Longrightarrow> S.messages \<noteq> []
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	188	\<close>
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	189
a025f845fd41 eliminated odd "Read_me"; wenzelm parents: diff changeset	190	end

author	haftmann
	Thu, 24 Jul 2025 17:46:29 +0200
changeset 82902	99a720d3ed8f
parent 72834	a025f845fd41
permissions	-rw-r--r--