46 DBuffer_def: "DBuffer == TEMP Init DBInit |
43 DBuffer_def: "DBuffer == TEMP Init DBInit |
47 & [][DBNext]_(inp,mid,out,q1,q2) |
44 & [][DBNext]_(inp,mid,out,q1,q2) |
48 & WF(DBDeq)_(inp,mid,out,q1,q2) |
45 & WF(DBDeq)_(inp,mid,out,q1,q2) |
49 & WF(DBPass)_(inp,mid,out,q1,q2)" |
46 & WF(DBPass)_(inp,mid,out,q1,q2)" |
50 |
47 |
51 ML {* use_legacy_bindings (the_context ()) *} |
48 |
|
49 declare qc_def [simp] |
|
50 |
|
51 lemmas db_defs = |
|
52 BInit_def Enq_def Deq_def Next_def IBuffer_def Buffer_def |
|
53 DBInit_def DBEnq_def DBDeq_def DBPass_def DBNext_def DBuffer_def |
|
54 |
|
55 |
|
56 (*** Proper initialization ***) |
|
57 lemma DBInit: "|- Init DBInit --> Init (BInit inp qc out)" |
|
58 by (auto simp: Init_def DBInit_def BInit_def) |
|
59 |
|
60 |
|
61 (*** Step simulation ***) |
|
62 lemma DB_step_simulation: "|- [DBNext]_(inp,mid,out,q1,q2) --> [Next inp qc out]_(inp,qc,out)" |
|
63 apply (rule square_simulation) |
|
64 apply clarsimp |
|
65 apply (tactic |
|
66 {* action_simp_tac (simpset () addsimps (thm "hd_append" :: thms "db_defs")) [] [] 1 *}) |
|
67 done |
|
68 |
|
69 |
|
70 (*** Simulation of fairness ***) |
|
71 |
|
72 (* Compute enabledness predicates for DBDeq and DBPass actions *) |
|
73 lemma DBDeq_visible: "|- <DBDeq>_(inp,mid,out,q1,q2) = DBDeq" |
|
74 apply (unfold angle_def DBDeq_def Deq_def) |
|
75 apply (safe, simp (asm_lr))+ |
|
76 done |
|
77 |
|
78 lemma DBDeq_enabled: |
|
79 "|- Enabled (<DBDeq>_(inp,mid,out,q1,q2)) = (q2 ~= #[])" |
|
80 apply (unfold DBDeq_visible [action_rewrite]) |
|
81 apply (force intro!: DB_base [THEN base_enabled, temp_use] |
|
82 elim!: enabledE simp: angle_def DBDeq_def Deq_def) |
|
83 done |
|
84 |
|
85 lemma DBPass_visible: "|- <DBPass>_(inp,mid,out,q1,q2) = DBPass" |
|
86 by (auto simp: angle_def DBPass_def Deq_def) |
|
87 |
|
88 lemma DBPass_enabled: |
|
89 "|- Enabled (<DBPass>_(inp,mid,out,q1,q2)) = (q1 ~= #[])" |
|
90 apply (unfold DBPass_visible [action_rewrite]) |
|
91 apply (force intro!: DB_base [THEN base_enabled, temp_use] |
|
92 elim!: enabledE simp: angle_def DBPass_def Deq_def) |
|
93 done |
|
94 |
|
95 |
|
96 (* The plan for proving weak fairness at the higher level is to prove |
|
97 (0) DBuffer => (Enabled (Deq inp qc out) ~> (Deq inp qc out)) |
|
98 which is in turn reduced to the two leadsto conditions |
|
99 (1) DBuffer => (Enabled (Deq inp qc out) ~> q2 ~= []) |
|
100 (2) DBuffer => (q2 ~= [] ~> DBDeq) |
|
101 and the fact that DBDeq implies <Deq inp qc out>_(inp,qc,out) |
|
102 (and therefore DBDeq ~> <Deq inp qc out>_(inp,qc,out) trivially holds). |
|
103 |
|
104 Condition (1) is reduced to |
|
105 (1a) DBuffer => (qc ~= [] /\ q2 = [] ~> q2 ~= []) |
|
106 by standard leadsto rules (leadsto_classical) and rule Deq_enabledE. |
|
107 |
|
108 Both (1a) and (2) are proved from DBuffer's WF conditions by standard |
|
109 WF reasoning (Lamport's WF1 and WF_leadsto). |
|
110 The condition WF(Deq inp qc out) follows from (0) by rule leadsto_WF. |
|
111 |
|
112 One could use Lamport's WF2 instead. |
|
113 *) |
|
114 |
|
115 (* Condition (1a) *) |
|
116 lemma DBFair_1a: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2) |
|
117 --> (qc ~= #[] & q2 = #[] ~> q2 ~= #[])" |
|
118 apply (rule WF1) |
|
119 apply (force simp: db_defs) |
|
120 apply (force simp: angle_def DBPass_def) |
|
121 apply (force simp: DBPass_enabled [temp_use]) |
|
122 done |
|
123 |
|
124 (* Condition (1) *) |
|
125 lemma DBFair_1: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2) |
|
126 --> (Enabled (<Deq inp qc out>_(inp,qc,out)) ~> q2 ~= #[])" |
|
127 apply clarsimp |
|
128 apply (rule leadsto_classical [temp_use]) |
|
129 apply (rule DBFair_1a [temp_use, THEN LatticeTransitivity [temp_use]]) |
|
130 apply assumption+ |
|
131 apply (rule ImplLeadsto_gen [temp_use]) |
|
132 apply (force intro!: necT [temp_use] dest!: STL2_gen [temp_use] Deq_enabledE [temp_use] |
|
133 simp add: Init_defs) |
|
134 done |
|
135 |
|
136 (* Condition (2) *) |
|
137 lemma DBFair_2: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBDeq)_(inp,mid,out,q1,q2) |
|
138 --> (q2 ~= #[] ~> DBDeq)" |
|
139 apply (rule WF_leadsto) |
|
140 apply (force simp: DBDeq_enabled [temp_use]) |
|
141 apply (force simp: angle_def) |
|
142 apply (force simp: db_defs elim!: Stable [temp_use]) |
|
143 done |
|
144 |
|
145 (* High-level fairness *) |
|
146 lemma DBFair: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2) |
|
147 & WF(DBDeq)_(inp,mid,out,q1,q2) |
|
148 --> WF(Deq inp qc out)_(inp,qc,out)" |
|
149 apply (auto simp del: qc_def intro!: leadsto_WF [temp_use] |
|
150 DBFair_1 [temp_use, THEN [2] LatticeTransitivity [temp_use]] |
|
151 DBFair_2 [temp_use, THEN [2] LatticeTransitivity [temp_use]]) |
|
152 apply (auto intro!: ImplLeadsto_simple [temp_use] |
|
153 simp: angle_def DBDeq_def Deq_def hd_append [try_rewrite]) |
|
154 done |
|
155 |
|
156 (*** Main theorem ***) |
|
157 lemma DBuffer_impl_Buffer: "|- DBuffer --> Buffer inp out" |
|
158 apply (unfold DBuffer_def Buffer_def IBuffer_def) |
|
159 apply (force intro!: eexI [temp_use] DBInit [temp_use] |
|
160 DB_step_simulation [THEN STL4, temp_use] DBFair [temp_use]) |
|
161 done |
52 |
162 |
53 end |
163 end |