77 expanding it is extremely expensive!*) |
77 expanding it is extremely expensive!*) |
78 program_defs_ref := []; |
78 program_defs_ref := []; |
79 |
79 |
80 (*Safety property 2: clients return the right number of tokens*) |
80 (*Safety property 2: clients return the right number of tokens*) |
81 Goal "Cli_prg : (Increasing giv Int (rel localTo Cli_prg)) \ |
81 Goal "Cli_prg : (Increasing giv Int (rel localTo Cli_prg)) \ |
82 \ guarantees Invariant {s. rel s <= giv s}"; |
82 \ guarantees Always {s. rel s <= giv s}"; |
83 by (rtac guaranteesI 1); |
83 by (rtac guaranteesI 1); |
84 by (rtac InvariantI 1); |
84 by (rtac AlwaysI 1); |
85 by (Force_tac 1); |
85 by (Force_tac 1); |
86 by (blast_tac (claset() addIs [Increasing_localTo_Stable, |
86 by (blast_tac (claset() addIs [Increasing_localTo_Stable, |
87 stable_rel_le_giv]) 1); |
87 stable_rel_le_giv]) 1); |
88 qed "ok_guar_rel_prefix_giv"; |
88 qed "ok_guar_rel_prefix_giv"; |
89 |
89 |
102 |
102 |
103 val rewrite_o = rewrite_rule [o_def]; |
103 val rewrite_o = rewrite_rule [o_def]; |
104 |
104 |
105 Goal "Cli_prg : \ |
105 Goal "Cli_prg : \ |
106 \ (Increasing giv Int (rel localTo Cli_prg) Int (ask localTo Cli_prg)) \ |
106 \ (Increasing giv Int (rel localTo Cli_prg) Int (ask localTo Cli_prg)) \ |
107 \ guarantees Invariant ({s. size (ask s) <= Suc (size (rel s))} Int \ |
107 \ guarantees Always ({s. size (ask s) <= Suc (size (rel s))} Int \ |
108 \ {s. size (rel s) <= size (giv s)})"; |
108 \ {s. size (rel s) <= size (giv s)})"; |
109 by (rtac guaranteesI 1); |
109 by (rtac guaranteesI 1); |
110 by (Clarify_tac 1); |
110 by (Clarify_tac 1); |
111 by (dtac (impOfSubs (rewrite_o Increasing_size)) 1); |
111 by (dtac (impOfSubs (rewrite_o Increasing_size)) 1); |
112 by (rtac InvariantI 1); |
112 by (rtac AlwaysI 1); |
113 by (Force_tac 1); |
113 by (Force_tac 1); |
114 by (rtac Stable_Int 1); |
114 by (rtac Stable_Int 1); |
115 by (fast_tac (claset() addEs [impOfSubs (rewrite_o localTo_imp_o_localTo)] |
115 by (fast_tac (claset() addEs [impOfSubs (rewrite_o localTo_imp_o_localTo)] |
116 addIs [Increasing_localTo_Stable, |
116 addIs [Increasing_localTo_Stable, |
117 stable_size_rel_le_giv]) 2); |
117 stable_size_rel_le_giv]) 2); |
121 val lemma1 = result(); |
121 val lemma1 = result(); |
122 |
122 |
123 |
123 |
124 Goal "Cli_prg : \ |
124 Goal "Cli_prg : \ |
125 \ (Increasing giv Int (rel localTo Cli_prg) Int (ask localTo Cli_prg) \ |
125 \ (Increasing giv Int (rel localTo Cli_prg) Int (ask localTo Cli_prg) \ |
126 \ Int Invariant giv_meets_ask) \ |
126 \ Int Always giv_meets_ask) \ |
127 \ guarantees ({s. k < size (giv s)} LeadsTo {s. k < size (rel s)})"; |
127 \ guarantees ({s. k < size (giv s)} LeadsTo {s. k < size (rel s)})"; |
128 by (rtac guaranteesI 1); |
128 by (rtac guaranteesI 1); |
129 by (Clarify_tac 1); |
129 by (Clarify_tac 1); |
130 by (rtac Stable_transient_reachable_LeadsTo 1); |
130 by (rtac Stable_transient_Always_LeadsTo 1); |
131 by (res_inst_tac [("k", "k")] transient_lemma 2); |
131 by (res_inst_tac [("k", "k")] transient_lemma 2); |
132 by (force_tac (claset() addDs [impOfSubs Increasing_size, |
132 by (force_tac (claset() addDs [impOfSubs Increasing_size, |
133 impOfSubs Increasing_Stable_less], |
133 impOfSubs Increasing_Stable_less], |
134 simpset()) 1); |
134 simpset()) 1); |
135 by (rtac (make_elim (lemma1 RS guaranteesD)) 1); |
135 by (rtac (make_elim (lemma1 RS guaranteesD)) 1); |
136 by (Blast_tac 1); |
136 by (Blast_tac 1); |
137 by (auto_tac (claset(), |
137 by (auto_tac (claset(), |
138 simpset() addsimps [Invariant_eq_always, giv_meets_ask_def])); |
138 simpset() addsimps [Always_eq_includes_reachable, giv_meets_ask_def])); |
139 by (ALLGOALS Force_tac); |
139 by (ALLGOALS Force_tac); |
140 qed "client_correct"; |
140 qed "client_correct"; |