4 Copyright 1998 University of Cambridge |
4 Copyright 1998 University of Cambridge |
5 |
5 |
6 Distributed Resource Management System: the Client |
6 Distributed Resource Management System: the Client |
7 *) |
7 *) |
8 |
8 |
9 Addsimps [Client_def RS def_prg_Init]; |
9 Addsimps [Client_def RS def_prg_Init, |
|
10 Client_def RS def_prg_AllowedActs]; |
10 program_defs_ref := [Client_def]; |
11 program_defs_ref := [Client_def]; |
11 |
12 |
12 Addsimps (map simp_of_act [rel_act_def, tok_act_def, ask_act_def]); |
13 Addsimps (map simp_of_act [rel_act_def, tok_act_def, ask_act_def]); |
13 |
14 |
|
15 Goal "(Client ok G) = \ |
|
16 \ (G : preserves rel & G : preserves ask & G : preserves tok &\ |
|
17 \ Client : Allowed G)"; |
|
18 by (auto_tac (claset(), |
|
19 simpset() addsimps [ok_iff_Allowed, Client_def RS def_prg_Allowed])); |
|
20 qed "Client_ok_iff"; |
|
21 AddIffs [Client_ok_iff]; |
|
22 |
14 |
23 |
15 (*Safety property 1: ask, rel are increasing*) |
24 (*Safety property 1: ask, rel are increasing*) |
16 Goal "Client: UNIV guarantees[funPair rel ask] \ |
25 Goal "Client: UNIV guarantees Increasing ask Int Increasing rel"; |
17 \ Increasing ask Int Increasing rel"; |
|
18 by (auto_tac |
26 by (auto_tac |
19 (claset() addSIs [increasing_imp_Increasing], |
27 (claset() addSIs [increasing_imp_Increasing], |
20 simpset() addsimps [guar_def, impOfSubs preserves_subset_increasing])); |
28 simpset() addsimps [guar_def, impOfSubs preserves_subset_increasing])); |
21 by (auto_tac (claset(), simpset() addsimps [increasing_def])); |
29 by (auto_tac (claset(), simpset() addsimps [increasing_def])); |
22 by (ALLGOALS constrains_tac); |
30 by (ALLGOALS constrains_tac); |
23 by Auto_tac; |
31 by Auto_tac; |
24 qed "increasing_ask_rel"; |
32 qed "increasing_ask_rel"; |
25 |
33 |
26 |
|
27 Addsimps [nth_append, append_one_prefix]; |
34 Addsimps [nth_append, append_one_prefix]; |
28 |
35 |
29 |
36 |
30 (*Safety property 2: the client never requests too many tokens. |
37 (*Safety property 2: the client never requests too many tokens. |
31 With no Substitution Axiom, we must prove the two invariants |
38 With no Substitution Axiom, we must prove the two invariants |
32 simultaneously. |
39 simultaneously. |
33 *) |
40 *) |
34 Goal "G : preserves (funPair ask tok) \ |
41 Goal "Client ok G \ |
35 \ ==> Client Join G : \ |
42 \ ==> Client Join G : \ |
36 \ Always ({s. tok s <= NbT} Int \ |
43 \ Always ({s. tok s <= NbT} Int \ |
37 \ {s. ALL elt : set (ask s). elt <= NbT})"; |
44 \ {s. ALL elt : set (ask s). elt <= NbT})"; |
|
45 by Auto_tac; |
38 by (rtac (invariantI RS stable_Join_Always2) 1); |
46 by (rtac (invariantI RS stable_Join_Always2) 1); |
39 by (fast_tac (claset() addSEs [impOfSubs preserves_subset_stable] |
47 by (fast_tac (claset() addSEs [impOfSubs preserves_subset_stable] |
40 addSIs [stable_Int]) 3); |
48 addSIs [stable_Int]) 3); |
41 by (constrains_tac 2); |
49 by (constrains_tac 2); |
42 by (cut_inst_tac [("m", "tok s")] (NbT_pos RS mod_less_divisor) 2); |
50 by (cut_inst_tac [("m", "tok s")] (NbT_pos RS mod_less_divisor) 2); |
43 by Auto_tac; |
51 by Auto_tac; |
44 qed "ask_bounded_lemma"; |
52 qed "ask_bounded_lemma"; |
45 |
53 |
46 (*export version, with no mention of tok in the postcondition, but |
54 (*export version, with no mention of tok in the postcondition, but |
47 unfortunately tok must be declared local.*) |
55 unfortunately tok must be declared local.*) |
48 Goal "Client: UNIV guarantees[funPair ask tok] \ |
56 Goal "Client: UNIV guarantees Always {s. ALL elt : set (ask s). elt <= NbT}"; |
49 \ Always {s. ALL elt : set (ask s). elt <= NbT}"; |
|
50 by (rtac guaranteesI 1); |
57 by (rtac guaranteesI 1); |
51 by (etac (ask_bounded_lemma RS Always_weaken) 1); |
58 by (etac (ask_bounded_lemma RS Always_weaken) 1); |
52 by (rtac Int_lower2 1); |
59 by (rtac Int_lower2 1); |
53 qed "ask_bounded"; |
60 qed "ask_bounded"; |
54 |
61 |
81 simpset() addsimps [prefix_def, genPrefix_iff_nth, Ge_def])); |
88 simpset() addsimps [prefix_def, genPrefix_iff_nth, Ge_def])); |
82 by (blast_tac (claset() addIs [strict_prefix_length_less]) 1); |
89 by (blast_tac (claset() addIs [strict_prefix_length_less]) 1); |
83 qed "transient_lemma"; |
90 qed "transient_lemma"; |
84 |
91 |
85 |
92 |
86 Goal "[| Client Join G : Increasing giv; G : preserves (funPair rel ask) |] \ |
93 Goal "[| Client Join G : Increasing giv; Client ok G |] \ |
87 \ ==> Client Join G : {s. rel s = k & k<h & h <= giv s & h pfixGe ask s} \ |
94 \ ==> Client Join G : {s. rel s = k & k<h & h <= giv s & h pfixGe ask s} \ |
88 \ LeadsTo {s. k < rel s & rel s <= giv s & \ |
95 \ LeadsTo {s. k < rel s & rel s <= giv s & \ |
89 \ h <= giv s & h pfixGe ask s}"; |
96 \ h <= giv s & h pfixGe ask s}"; |
90 by (rtac single_LeadsTo_I 1); |
97 by (rtac single_LeadsTo_I 1); |
91 by (ftac (increasing_ask_rel RS guaranteesD) 1); |
98 by (ftac (increasing_ask_rel RS guaranteesD) 1); |
103 pfixGe_trans]) 2); |
110 pfixGe_trans]) 2); |
104 by (blast_tac (claset() addIs [order_less_imp_le, order_trans]) 1); |
111 by (blast_tac (claset() addIs [order_less_imp_le, order_trans]) 1); |
105 qed "induct_lemma"; |
112 qed "induct_lemma"; |
106 |
113 |
107 |
114 |
108 Goal "[| Client Join G : Increasing giv; G : preserves (funPair rel ask) |] \ |
115 Goal "[| Client Join G : Increasing giv; Client ok G |] \ |
109 \ ==> Client Join G : {s. rel s < h & h <= giv s & h pfixGe ask s} \ |
116 \ ==> Client Join G : {s. rel s < h & h <= giv s & h pfixGe ask s} \ |
110 \ LeadsTo {s. h <= rel s}"; |
117 \ LeadsTo {s. h <= rel s}"; |
111 by (res_inst_tac [("f", "%s. size h - size (rel s)")] LessThan_induct 1); |
118 by (res_inst_tac [("f", "%s. size h - size (rel s)")] LessThan_induct 1); |
112 by (auto_tac (claset(), simpset() addsimps [vimage_def])); |
119 by (auto_tac (claset(), simpset() addsimps [vimage_def])); |
113 by (rtac single_LeadsTo_I 1); |
120 by (rtac single_LeadsTo_I 1); |
118 by (REPEAT (dtac strict_prefix_length_less 1)); |
125 by (REPEAT (dtac strict_prefix_length_less 1)); |
119 by (arith_tac 1); |
126 by (arith_tac 1); |
120 qed "rel_progress_lemma"; |
127 qed "rel_progress_lemma"; |
121 |
128 |
122 |
129 |
123 Goal "[| Client Join G : Increasing giv; G : preserves (funPair rel ask) |] \ |
130 Goal "[| Client Join G : Increasing giv; Client ok G |] \ |
124 \ ==> Client Join G : {s. h <= giv s & h pfixGe ask s} \ |
131 \ ==> Client Join G : {s. h <= giv s & h pfixGe ask s} \ |
125 \ LeadsTo {s. h <= rel s}"; |
132 \ LeadsTo {s. h <= rel s}"; |
126 by (rtac (Join_Always_rel_le_giv RS Always_LeadsToI) 1); |
133 by (rtac (Join_Always_rel_le_giv RS Always_LeadsToI) 1); |
127 by (rtac ([rel_progress_lemma, subset_refl RS subset_imp_LeadsTo] MRS |
134 by (rtac ([rel_progress_lemma, subset_refl RS subset_imp_LeadsTo] MRS |
128 LeadsTo_Un RS LeadsTo_weaken_L) 3); |
135 LeadsTo_Un RS LeadsTo_weaken_L) 3); |