21 Addsimps [rename_image_constrains, rename_image_stable, |
22 Addsimps [rename_image_constrains, rename_image_stable, |
22 rename_image_increasing, rename_image_invariant, |
23 rename_image_increasing, rename_image_invariant, |
23 rename_image_Constrains, rename_image_Stable, |
24 rename_image_Constrains, rename_image_Stable, |
24 rename_image_Increasing, rename_image_Always, |
25 rename_image_Increasing, rename_image_Always, |
25 rename_image_leadsTo, rename_image_LeadsTo, |
26 rename_image_leadsTo, rename_image_LeadsTo, |
26 rename_preserves, |
27 rename_preserves, rename_image_preserves, lift_image_preserves, |
27 bij_image_INT, bij_is_inj RS image_Int, bij_image_Collect_eq]; |
28 bij_image_INT, bij_is_inj RS image_Int, bij_image_Collect_eq]; |
28 |
29 |
29 (*Splits up conjunctions & intersections: like CONJUNCTS in the HOL system*) |
30 (*Splits up conjunctions & intersections: like CONJUNCTS in the HOL system*) |
30 fun list_of_Int th = |
31 fun list_of_Int th = |
31 (list_of_Int (th RS conjunct1) @ list_of_Int (th RS conjunct2)) |
32 (list_of_Int (th RS conjunct1) @ list_of_Int (th RS conjunct2)) |
32 handle THM _ => (list_of_Int (th RS IntD1) @ list_of_Int (th RS IntD2)) |
33 handle THM _ => (list_of_Int (th RS IntD1) @ list_of_Int (th RS IntD2)) |
33 handle THM _ => (list_of_Int (th RS INT_D)) |
34 handle THM _ => (list_of_Int (th RS INT_D)) |
|
35 handle THM _ => (list_of_Int (th RS bspec)) |
34 handle THM _ => [th]; |
36 handle THM _ => [th]; |
35 |
37 |
36 (*Used just once, for Alloc_Increasing*) |
38 (*Used just once, for Alloc_Increasing*) |
37 val lessThanBspec = lessThan_iff RS iffD2 RSN (2, bspec); |
39 val lessThanBspec = lessThan_iff RS iffD2 RSN (2, bspec); |
38 fun normalize th = |
40 fun normalize th = |
194 Goal "allocRel o sysOfClient = allocRel o snd "; |
196 Goal "allocRel o sysOfClient = allocRel o snd "; |
195 by record_auto_tac; |
197 by record_auto_tac; |
196 qed "allocRel_o_sysOfClient_eq"; |
198 qed "allocRel_o_sysOfClient_eq"; |
197 Addsimps (make_o_equivs allocRel_o_sysOfClient_eq); |
199 Addsimps (make_o_equivs allocRel_o_sysOfClient_eq); |
198 |
200 |
199 |
201 Goal "allocGiv o inv sysOfAlloc = allocGiv"; |
|
202 by (simp_tac (simpset() addsimps [o_def]) 1); |
|
203 qed "allocGiv_o_inv_sysOfAlloc_eq"; |
|
204 Addsimps (make_o_equivs allocGiv_o_inv_sysOfAlloc_eq); |
|
205 |
|
206 Goal "allocAsk o inv sysOfAlloc = allocAsk"; |
|
207 by (simp_tac (simpset() addsimps [o_def]) 1); |
|
208 qed "allocAsk_o_inv_sysOfAlloc_eq"; |
|
209 Addsimps (make_o_equivs allocAsk_o_inv_sysOfAlloc_eq); |
|
210 |
|
211 Goal "allocRel o inv sysOfAlloc = allocRel"; |
|
212 by (simp_tac (simpset() addsimps [o_def]) 1); |
|
213 qed "allocRel_o_inv_sysOfAlloc_eq"; |
|
214 Addsimps (make_o_equivs allocRel_o_inv_sysOfAlloc_eq); |
|
215 |
|
216 Goal "(rel o inv client_map o drop_map i o inv sysOfClient) = \ |
|
217 \ rel o sub i o client"; |
|
218 by (simp_tac (simpset() addsimps [o_def, drop_map_def]) 1); |
|
219 qed "rel_inv_client_map_drop_map"; |
|
220 Addsimps (make_o_equivs rel_inv_client_map_drop_map); |
|
221 |
|
222 Goal "(ask o inv client_map o drop_map i o inv sysOfClient) = \ |
|
223 \ ask o sub i o client"; |
|
224 by (simp_tac (simpset() addsimps [o_def, drop_map_def]) 1); |
|
225 qed "ask_inv_client_map_drop_map"; |
|
226 Addsimps (make_o_equivs ask_inv_client_map_drop_map); |
200 |
227 |
201 (** |
228 (** |
202 Open_locale "System"; |
229 Open_locale "System"; |
203 |
230 |
204 val Alloc = thm "Alloc"; |
231 val Alloc = thm "Alloc"; |
205 val Client = thm "Client"; |
232 val Client = thm "Client"; |
206 val Network = thm "Network"; |
233 val Network = thm "Network"; |
207 val System_def = thm "System_def"; |
234 val System_def = thm "System_def"; |
208 |
235 |
209 (*CANNOT use bind_thm: it puts the theorem into standard form, in effect |
236 CANNOT use bind_thm: it puts the theorem into standard form, in effect |
210 exporting it from the locale*) |
237 exporting it from the locale |
211 **) |
238 **) |
212 |
239 |
213 AddIffs [finite_lessThan]; |
240 AddIffs [finite_lessThan]; |
214 |
241 |
215 (*Client : <unfolded specification> *) |
242 (*Client : <unfolded specification> *) |
216 val Client_Spec = |
243 val client_spec_simps = |
217 rewrite_rule [client_spec_def, client_increasing_def, |
244 [client_spec_def, client_increasing_def, client_bounded_def, |
218 client_bounded_def, client_progress_def, |
245 client_progress_def, client_allowed_acts_def, client_preserves_def, |
219 client_preserves_def] Client; |
246 guarantees_Int_right]; |
220 |
247 |
221 val [Client_Increasing_ask, Client_Increasing_rel, |
248 val [Client_Increasing_ask, Client_Increasing_rel, |
222 Client_Bounded, Client_Progress, Client_preserves_giv, |
249 Client_Bounded, Client_Progress, Client_AllowedActs, |
223 Client_preserves_dummy] = |
250 Client_preserves_giv, Client_preserves_dummy] = |
224 Client_Spec |
251 Client |> simplify (simpset() addsimps client_spec_simps) |
225 |> simplify (simpset() addsimps [guarantees_Int_right]) |
252 |> list_of_Int; |
226 |> list_of_Int; |
|
227 |
253 |
228 AddIffs [Client_Increasing_ask, Client_Increasing_rel, Client_Bounded, |
254 AddIffs [Client_Increasing_ask, Client_Increasing_rel, Client_Bounded, |
229 Client_preserves_giv, Client_preserves_dummy]; |
255 Client_preserves_giv, Client_preserves_dummy]; |
230 |
256 |
231 |
257 |
232 (*Network : <unfolded specification> *) |
258 (*Network : <unfolded specification> *) |
233 val Network_Spec = |
259 val network_spec_simps = |
234 rewrite_rule [network_spec_def, network_ask_def, network_giv_def, |
260 [network_spec_def, network_ask_def, network_giv_def, |
235 network_rel_def, network_preserves_def] Network; |
261 network_rel_def, network_allowed_acts_def, network_preserves_def, |
236 |
262 ball_conj_distrib]; |
237 val [Network_Ask, Network_Giv, Network_Rel, |
263 |
238 Network_preserves_allocGiv, Network_preserves_rel_ask] = |
264 val [Network_Ask, Network_Giv, Network_Rel, Network_AllowedActs, |
239 list_of_Int Network_Spec; |
265 Network_preserves_allocGiv, Network_preserves_rel, |
|
266 Network_preserves_ask] = |
|
267 Network |> simplify (simpset() addsimps network_spec_simps) |
|
268 |> list_of_Int; |
240 |
269 |
241 AddIffs [Network_preserves_allocGiv]; |
270 AddIffs [Network_preserves_allocGiv]; |
242 |
271 |
243 Addsimps (Network_preserves_rel_ask |> simplify (simpset()) |> list_of_Int); |
272 Addsimps [Network_preserves_rel, Network_preserves_ask]; |
|
273 Addsimps [o_simp Network_preserves_rel, o_simp Network_preserves_ask]; |
244 |
274 |
245 |
275 |
246 (*Alloc : <unfolded specification> *) |
276 (*Alloc : <unfolded specification> *) |
247 val Alloc_Spec = |
277 val alloc_spec_simps = |
248 rewrite_rule [alloc_spec_def, alloc_increasing_def, alloc_safety_def, |
278 [alloc_spec_def, alloc_increasing_def, alloc_safety_def, |
249 alloc_progress_def, alloc_preserves_def] Alloc; |
279 alloc_progress_def, alloc_allowed_acts_def, |
250 |
280 alloc_preserves_def]; |
251 val [Alloc_Increasing_0, Alloc_Safety, |
281 |
252 Alloc_Progress, Alloc_preserves] = list_of_Int Alloc_Spec; |
282 val [Alloc_Increasing_0, Alloc_Safety, Alloc_Progress, Alloc_AllowedActs, |
|
283 Alloc_preserves_allocRel, Alloc_preserves_allocAsk, |
|
284 Alloc_preserves_dummy] = |
|
285 Alloc |> simplify (simpset() addsimps alloc_spec_simps) |
|
286 |> list_of_Int; |
253 |
287 |
254 (*Strip off the INT in the guarantees postcondition*) |
288 (*Strip off the INT in the guarantees postcondition*) |
255 val Alloc_Increasing = normalize Alloc_Increasing_0; |
289 val Alloc_Increasing = normalize Alloc_Increasing_0; |
256 |
290 |
257 AddIffs (Alloc_preserves |> simplify (simpset()) |> list_of_Int); |
291 AddIffs [Alloc_preserves_allocRel, Alloc_preserves_allocAsk, |
|
292 Alloc_preserves_dummy]; |
258 |
293 |
259 (** Components lemmas [MUST BE AUTOMATED] **) |
294 (** Components lemmas [MUST BE AUTOMATED] **) |
260 |
295 |
261 Goal "Network Join \ |
296 Goal "Network Join \ |
262 \ ((rename sysOfClient \ |
297 \ ((rename sysOfClient \ |
281 AddIffs [Client_component_System, Network_component_System, |
316 AddIffs [Client_component_System, Network_component_System, |
282 Alloc_component_System]; |
317 Alloc_component_System]; |
283 |
318 |
284 (** These preservation laws should be generated automatically **) |
319 (** These preservation laws should be generated automatically **) |
285 |
320 |
286 AddIs [impOfSubs subset_preserves_o]; |
321 Goal "Allowed Client = preserves rel Int preserves ask"; |
287 Addsimps [impOfSubs subset_preserves_o]; |
322 by (auto_tac (claset(), |
288 |
323 simpset() addsimps [Allowed_def, Client_AllowedActs, |
|
324 safety_prop_Acts_iff])); |
|
325 qed "Client_Allowed"; |
|
326 Addsimps [Client_Allowed]; |
|
327 |
|
328 Goal "Allowed Network = \ |
|
329 \ preserves allocRel Int \ |
|
330 \ (INT i: lessThan Nclients. preserves(giv o sub i o client))"; |
|
331 by (auto_tac (claset(), |
|
332 simpset() addsimps [Allowed_def, Network_AllowedActs, |
|
333 safety_prop_Acts_iff])); |
|
334 qed "Network_Allowed"; |
|
335 Addsimps [Network_Allowed]; |
|
336 |
|
337 Goal "Allowed Alloc = preserves allocGiv"; |
|
338 by (auto_tac (claset(), |
|
339 simpset() addsimps [Allowed_def, Alloc_AllowedActs, |
|
340 safety_prop_Acts_iff])); |
|
341 qed "Alloc_Allowed"; |
|
342 Addsimps [Alloc_Allowed]; |
|
343 |
|
344 Goal "OK I (%i. lift i (rename client_map Client))"; |
|
345 by (rtac OK_lift_I 1); |
|
346 by Auto_tac; |
|
347 by (dres_inst_tac [("w1", "rel")] (impOfSubs subset_preserves_o) 1); |
|
348 by (dres_inst_tac [("w1", "ask")] (impOfSubs subset_preserves_o) 2); |
|
349 by (auto_tac (claset(), simpset() addsimps [o_def, split_def])); |
|
350 qed "OK_lift_rename_Client"; |
|
351 Addsimps [OK_lift_rename_Client]; (*needed in rename_client_map_tac* |
289 |
352 |
290 (*The proofs of rename_Client_Increasing, rename_Client_Bounded and |
353 (*The proofs of rename_Client_Increasing, rename_Client_Bounded and |
291 rename_Client_Progress are similar. All require copying out the original |
354 rename_Client_Progress are similar. All require copying out the original |
292 Client property. A forward proof can be constructed as follows: |
355 Client property. A forward proof can be constructed as follows: |
293 |
356 |
319 bij_imp_bij_inv, surj_rename RS surj_range, |
382 bij_imp_bij_inv, surj_rename RS surj_range, |
320 inv_inv_eq]) 1, |
383 inv_inv_eq]) 1, |
321 asm_simp_tac |
384 asm_simp_tac |
322 (simpset() addsimps [o_def, non_dummy_def, guarantees_Int_right]) 1]; |
385 (simpset() addsimps [o_def, non_dummy_def, guarantees_Int_right]) 1]; |
323 |
386 |
324 |
387 |
325 (*Lifting Client_Increasing to systemState*) |
388 (*Lifting Client_Increasing to systemState*) |
326 Goal "i : I \ |
389 Goal "i : I \ |
327 \ ==> rename sysOfClient (plam x: I. rename client_map Client) : \ |
390 \ ==> rename sysOfClient (plam x: I. rename client_map Client) : \ |
328 \ UNIV \ |
391 \ UNIV guarantees \ |
329 \ guarantees[(funPair rel ask) o sub i o client] \ |
392 \ Increasing (ask o sub i o client) Int \ |
330 \ Increasing (ask o sub i o client) Int \ |
393 \ Increasing (rel o sub i o client)"; |
331 \ Increasing (rel o sub i o client)"; |
|
332 by rename_client_map_tac; |
394 by rename_client_map_tac; |
333 qed "rename_Client_Increasing"; |
395 qed "rename_Client_Increasing"; |
|
396 |
|
397 Goal "[| F : preserves w; i ~= j |] \ |
|
398 \ ==> F : preserves (sub i o fst o lift_map j o funPair v w)"; |
|
399 by (auto_tac (claset(), |
|
400 simpset() addsimps [lift_map_def, split_def, linorder_neq_iff, o_def])); |
|
401 by (ALLGOALS (dtac (impOfSubs subset_preserves_o))); |
|
402 by (auto_tac (claset(), simpset() addsimps [o_def])); |
|
403 qed "preserves_sub_fst_lift_map"; |
|
404 |
|
405 Goal "[| i < Nclients; j < Nclients |] \ |
|
406 \ ==> Client : preserves (giv o sub i o fst o lift_map j o client_map)"; |
|
407 by (case_tac "i=j" 1); |
|
408 by (asm_full_simp_tac (simpset() addsimps [o_def, non_dummy_def]) 1); |
|
409 by (dtac (Client_preserves_dummy RS preserves_sub_fst_lift_map) 1); |
|
410 by (ALLGOALS (dtac (impOfSubs subset_preserves_o))); |
|
411 by (asm_full_simp_tac (simpset() addsimps [o_def, client_map_def]) 1); |
|
412 qed "client_preserves_giv_oo_client_map"; |
|
413 |
|
414 Goal "rename sysOfClient (plam x: lessThan Nclients. rename client_map Client)\ |
|
415 \ ok Network"; |
|
416 by (auto_tac (claset(), simpset() addsimps [ok_iff_Allowed, |
|
417 client_preserves_giv_oo_client_map])); |
|
418 qed "rename_sysOfClient_ok_Network"; |
|
419 |
|
420 Goal "rename sysOfClient (plam x: lessThan Nclients. rename client_map Client)\ |
|
421 \ ok rename sysOfAlloc Alloc"; |
|
422 by (simp_tac (simpset() addsimps [ok_iff_Allowed]) 1); |
|
423 qed "rename_sysOfClient_ok_Alloc"; |
|
424 |
|
425 Goal "rename sysOfAlloc Alloc ok Network"; |
|
426 by (simp_tac (simpset() addsimps [ok_iff_Allowed]) 1); |
|
427 qed "rename_sysOfAlloc_ok_Network"; |
|
428 |
|
429 AddIffs [rename_sysOfClient_ok_Network, rename_sysOfClient_ok_Alloc, |
|
430 rename_sysOfAlloc_ok_Network]; |
|
431 |
|
432 (*The "ok" laws, re-oriented*) |
|
433 AddIffs [rename_sysOfClient_ok_Network RS ok_sym, |
|
434 rename_sysOfClient_ok_Alloc RS ok_sym, |
|
435 rename_sysOfAlloc_ok_Network RS ok_sym]; |
334 |
436 |
335 Goal "i < Nclients \ |
437 Goal "i < Nclients \ |
336 \ ==> System : Increasing (ask o sub i o client) Int \ |
438 \ ==> System : Increasing (ask o sub i o client) Int \ |
337 \ Increasing (rel o sub i o client)"; |
439 \ Increasing (rel o sub i o client)"; |
338 by (rtac ([rename_Client_Increasing, |
440 by (rtac ([rename_Client_Increasing, |
339 Client_component_System] MRS component_guaranteesD) 1); |
441 Client_component_System] MRS component_guaranteesD) 1); |
340 by Auto_tac; |
442 by Auto_tac; |
341 qed "System_Increasing"; |
443 qed "System_Increasing"; |
342 |
444 |
343 bind_thm ("rename_guarantees_sysOfAlloc_I", |
445 bind_thm ("rename_guarantees_sysOfAlloc_I", |
344 bij_sysOfAlloc RS rename_rename_guarantees_eq RS iffD2); |
446 bij_sysOfAlloc RS rename_rename_guarantees_eq RS iffD2); |
345 |
447 |
614 Goalw [system_spec_def] "System : system_spec"; |
715 Goalw [system_spec_def] "System : system_spec"; |
615 by (blast_tac (claset() addIs [System_safety, System_Progress]) 1); |
716 by (blast_tac (claset() addIs [System_safety, System_Progress]) 1); |
616 qed "System_correct"; |
717 qed "System_correct"; |
617 |
718 |
618 |
719 |
|
720 (** Some lemmas no longer used **) |
|
721 |
|
722 Goal "non_dummy = (% (g,a,r). (| giv = g, ask = a, rel = r |)) o \ |
|
723 \ (funPair giv (funPair ask rel))"; |
|
724 by (rtac ext 1); |
|
725 by (auto_tac (claset(), simpset() addsimps [o_def, non_dummy_def])); |
|
726 qed "non_dummy_eq_o_funPair"; |
|
727 |
|
728 Goal "(preserves non_dummy) = \ |
|
729 \ (preserves rel Int preserves ask Int preserves giv)"; |
|
730 by (simp_tac (simpset() addsimps [non_dummy_eq_o_funPair]) 1); |
|
731 by Auto_tac; |
|
732 by (dres_inst_tac [("w1", "rel")] (impOfSubs subset_preserves_o) 1); |
|
733 by (dres_inst_tac [("w1", "ask")] (impOfSubs subset_preserves_o) 2); |
|
734 by (dres_inst_tac [("w1", "giv")] (impOfSubs subset_preserves_o) 3); |
|
735 by (auto_tac (claset(), simpset() addsimps [o_def])); |
|
736 qed "preserves_non_dummy_eq"; |
|
737 |
|
738 (*Could go to Extend.ML*) |
|
739 Goal "bij f ==> fst (inv (%(x, u). inv f x) z) = f z"; |
|
740 by (rtac fst_inv_equalityI 1); |
|
741 by (res_inst_tac [("f","%z. (f z, ?h z)")] surjI 1); |
|
742 by (asm_full_simp_tac (simpset() addsimps [bij_is_inj, inv_f_f]) 1); |
|
743 by (asm_full_simp_tac (simpset() addsimps [bij_is_surj, surj_f_inv_f]) 1); |
|
744 qed "bij_fst_inv_inv_eq"; |