9 |
9 |
10 From Misra, "A Logic for Concurrent Programming" (1994), sections 5.1 and 13.1. |
10 From Misra, "A Logic for Concurrent Programming" (1994), sections 5.1 and 13.1. |
11 *) |
11 *) |
12 |
12 |
13 (*Misra's property CMT4: t exceeds no common meeting time*) |
13 (*Misra's property CMT4: t exceeds no common meeting time*) |
14 Goal "[| ALL m. F : Constrains {m} (maxfg m); n: common |] \ |
14 Goal "[| ALL m. F : {m} Co (maxfg m); n: common |] \ |
15 \ ==> F : Stable (atMost n)"; |
15 \ ==> F : Stable (atMost n)"; |
16 by (dres_inst_tac [("M", "{t. t<=n}")] Elimination_sing 1); |
16 by (dres_inst_tac [("M", "{t. t<=n}")] Elimination_sing 1); |
17 by (asm_full_simp_tac |
17 by (asm_full_simp_tac |
18 (simpset() addsimps [atMost_def, Stable_def, common_def, maxfg_def, |
18 (simpset() addsimps [atMost_def, Stable_def, common_def, maxfg_def, |
19 le_max_iff_disj]) 1); |
19 le_max_iff_disj]) 1); |
20 by (etac Constrains_weaken_R 1); |
20 by (etac Constrains_weaken_R 1); |
21 by (blast_tac (claset() addIs [order_eq_refl, fmono, gmono, le_trans]) 1); |
21 by (blast_tac (claset() addIs [order_eq_refl, fmono, gmono, le_trans]) 1); |
22 qed "common_stable"; |
22 qed "common_stable"; |
23 |
23 |
24 Goal "[| Init F <= atMost n; \ |
24 Goal "[| Init F <= atMost n; \ |
25 \ ALL m. F : Constrains {m} (maxfg m); n: common |] \ |
25 \ ALL m. F : {m} Co (maxfg m); n: common |] \ |
26 \ ==> F : Invariant (atMost n)"; |
26 \ ==> F : Invariant (atMost n)"; |
27 by (asm_simp_tac (simpset() addsimps [InvariantI, common_stable]) 1); |
27 by (asm_simp_tac (simpset() addsimps [InvariantI, common_stable]) 1); |
28 qed "common_Invariant"; |
28 qed "common_Invariant"; |
29 |
29 |
30 |
30 |
31 (*** Some programs that implement the safety property above ***) |
31 (*** Some programs that implement the safety property above ***) |
32 |
32 |
33 Goal "SKIP : constrains {m} (maxfg m)"; |
33 Goal "SKIP : {m} co (maxfg m)"; |
34 by (simp_tac (simpset() addsimps [constrains_def, maxfg_def, le_max_iff_disj, |
34 by (simp_tac (simpset() addsimps [constrains_def, maxfg_def, le_max_iff_disj, |
35 fasc]) 1); |
35 fasc]) 1); |
36 result(); |
36 result(); |
37 |
37 |
38 (*This one is t := ftime t || t := gtime t*) |
38 (*This one is t := ftime t || t := gtime t*) |
39 Goal "mk_program (UNIV, {range(%t.(t,ftime t)), range(%t.(t,gtime t))}) \ |
39 Goal "mk_program (UNIV, {range(%t.(t,ftime t)), range(%t.(t,gtime t))}) \ |
40 \ : constrains {m} (maxfg m)"; |
40 \ : {m} co (maxfg m)"; |
41 by (simp_tac (simpset() addsimps [constrains_def, maxfg_def, |
41 by (simp_tac (simpset() addsimps [constrains_def, maxfg_def, |
42 le_max_iff_disj, fasc]) 1); |
42 le_max_iff_disj, fasc]) 1); |
43 by (Blast_tac 1); |
43 by (Blast_tac 1); |
44 result(); |
44 result(); |
45 |
45 |
46 (*This one is t := max (ftime t) (gtime t)*) |
46 (*This one is t := max (ftime t) (gtime t)*) |
47 Goal "mk_program (UNIV, {range(%t.(t, max (ftime t) (gtime t)))}) \ |
47 Goal "mk_program (UNIV, {range(%t.(t, max (ftime t) (gtime t)))}) \ |
48 \ : constrains {m} (maxfg m)"; |
48 \ : {m} co (maxfg m)"; |
49 by (simp_tac |
49 by (simp_tac |
50 (simpset() addsimps [constrains_def, maxfg_def, max_def, gasc]) 1); |
50 (simpset() addsimps [constrains_def, maxfg_def, max_def, gasc]) 1); |
51 by (Blast_tac 1); |
51 by (Blast_tac 1); |
52 result(); |
52 result(); |
53 |
53 |
54 (*This one is t := t+1 if t <max (ftime t) (gtime t) *) |
54 (*This one is t := t+1 if t <max (ftime t) (gtime t) *) |
55 Goal "mk_program (UNIV, { {(t, Suc t) | t. t < max (ftime t) (gtime t)} }) \ |
55 Goal "mk_program (UNIV, { {(t, Suc t) | t. t < max (ftime t) (gtime t)} }) \ |
56 \ : constrains {m} (maxfg m)"; |
56 \ : {m} co (maxfg m)"; |
57 by (simp_tac |
57 by (simp_tac |
58 (simpset() addsimps [constrains_def, maxfg_def, max_def, gasc]) 1); |
58 (simpset() addsimps [constrains_def, maxfg_def, max_def, gasc]) 1); |
59 by (blast_tac (claset() addIs [Suc_leI]) 1); |
59 by (blast_tac (claset() addIs [Suc_leI]) 1); |
60 result(); |
60 result(); |
61 |
61 |
66 |
66 |
67 (*** Progress under weak fairness ***) |
67 (*** Progress under weak fairness ***) |
68 |
68 |
69 Addsimps [atMost_Int_atLeast]; |
69 Addsimps [atMost_Int_atLeast]; |
70 |
70 |
71 Goal "[| ALL m. F : Constrains {m} (maxfg m); \ |
71 Goal "[| ALL m. F : {m} Co (maxfg m); \ |
72 \ ALL m: lessThan n. F : LeadsTo {m} (greaterThan m); \ |
72 \ ALL m: lessThan n. F : {m} LeadsTo (greaterThan m); \ |
73 \ n: common |] \ |
73 \ n: common |] \ |
74 \ ==> F : LeadsTo (atMost n) common"; |
74 \ ==> F : (atMost n) LeadsTo common"; |
75 by (rtac LeadsTo_weaken_R 1); |
75 by (rtac LeadsTo_weaken_R 1); |
76 by (res_inst_tac [("f","%x. x"), ("l", "n")] GreaterThan_bounded_induct 1); |
76 by (res_inst_tac [("f","%x. x"), ("l", "n")] GreaterThan_bounded_induct 1); |
77 by (ALLGOALS Asm_simp_tac); |
77 by (ALLGOALS Asm_simp_tac); |
78 by (rtac subset_refl 2); |
78 by (rtac subset_refl 2); |
79 by (blast_tac (claset() addDs [PSP_stable2] |
79 by (blast_tac (claset() addDs [PSP_stable2] |
80 addIs [common_stable, LeadsTo_weaken_R]) 1); |
80 addIs [common_stable, LeadsTo_weaken_R]) 1); |
81 val lemma = result(); |
81 val lemma = result(); |
82 |
82 |
83 (*The "ALL m: -common" form echoes CMT6.*) |
83 (*The "ALL m: -common" form echoes CMT6.*) |
84 Goal "[| ALL m. F : Constrains {m} (maxfg m); \ |
84 Goal "[| ALL m. F : {m} Co (maxfg m); \ |
85 \ ALL m: -common. F : LeadsTo {m} (greaterThan m); \ |
85 \ ALL m: -common. F : {m} LeadsTo (greaterThan m); \ |
86 \ n: common |] \ |
86 \ n: common |] \ |
87 \ ==> F : LeadsTo (atMost (LEAST n. n: common)) common"; |
87 \ ==> F : (atMost (LEAST n. n: common)) LeadsTo common"; |
88 by (rtac lemma 1); |
88 by (rtac lemma 1); |
89 by (ALLGOALS Asm_simp_tac); |
89 by (ALLGOALS Asm_simp_tac); |
90 by (etac LeastI 2); |
90 by (etac LeastI 2); |
91 by (blast_tac (claset() addSDs [not_less_Least]) 1); |
91 by (blast_tac (claset() addSDs [not_less_Least]) 1); |
92 qed "leadsTo_common"; |
92 qed "leadsTo_common"; |