1 (* |
1 (* |
2 File: Memory.ML |
2 File: Memory.ML |
|
3 ID: $Id$ |
3 Author: Stephan Merz |
4 Author: Stephan Merz |
4 Copyright: 1997 University of Munich |
5 Copyright: 1997 University of Munich |
5 |
6 |
6 RPC-Memory example: Memory specification (theorems and proofs) |
7 RPC-Memory example: Memory specification (theorems and proofs) |
7 *) |
8 *) |
8 |
9 |
9 val RM_action_defs = |
10 val RM_action_defs = |
10 [MInit_def, PInit_def, RdRequest_def, WrRequest_def, MemInv_def, |
11 [MInit_def, PInit_def, RdRequest_def, WrRequest_def, MemInv_def, |
11 GoodRead_def, BadRead_def, ReadInner_def, Read_def, |
12 GoodRead_def, BadRead_def, ReadInner_def, Read_def, |
12 GoodWrite_def, BadWrite_def, WriteInner_def, Write_def, |
13 GoodWrite_def, BadWrite_def, WriteInner_def, Write_def, |
13 MemReturn_def, RNext_def]; |
14 MemReturn_def, RNext_def]; |
14 |
15 |
22 (* -------------------- Proofs ---------------------------------------------- *) |
23 (* -------------------- Proofs ---------------------------------------------- *) |
23 |
24 |
24 (* The reliable memory is an implementation of the unreliable one *) |
25 (* The reliable memory is an implementation of the unreliable one *) |
25 Goal "|- IRSpec ch mm rs --> IUSpec ch mm rs"; |
26 Goal "|- IRSpec ch mm rs --> IUSpec ch mm rs"; |
26 by (force_tac (temp_css addsimps2 ([UNext_def,UPSpec_def,IUSpec_def] @ RM_temp_defs) |
27 by (force_tac (temp_css addsimps2 ([UNext_def,UPSpec_def,IUSpec_def] @ RM_temp_defs) |
27 addSEs2 [STL4E,squareE]) 1); |
28 addSEs2 [STL4E,squareE]) 1); |
28 qed "ReliableImplementsUnReliable"; |
29 qed "ReliableImplementsUnReliable"; |
29 |
30 |
30 (* The memory spec implies the memory invariant *) |
31 (* The memory spec implies the memory invariant *) |
31 Goal "|- MSpec ch mm rs l --> [](MemInv mm l)"; |
32 Goal "|- MSpec ch mm rs l --> [](MemInv mm l)"; |
32 by (auto_inv_tac (simpset() addsimps RM_temp_defs @ RM_action_defs) 1); |
33 by (auto_inv_tac (simpset() addsimps RM_temp_defs @ RM_action_defs) 1); |
41 by (step_tac temp_cs 1); |
42 by (step_tac temp_cs 1); |
42 by (case_tac "l : MemLoc" 1); |
43 by (case_tac "l : MemLoc" 1); |
43 by (auto_tac (temp_css addSEs2 [MemoryInvariant,NonMemLocInvariant])); |
44 by (auto_tac (temp_css addSEs2 [MemoryInvariant,NonMemLocInvariant])); |
44 qed "MemoryInvariantAll"; |
45 qed "MemoryInvariantAll"; |
45 |
46 |
46 (* The memory engages in an action for process p only if there is an |
47 (* The memory engages in an action for process p only if there is an |
47 unanswered call from p. |
48 unanswered call from p. |
48 We need this only for the reliable memory. |
49 We need this only for the reliable memory. |
49 *) |
50 *) |
50 |
51 |
51 Goal "|- ~$(Calling ch p) --> ~ RNext ch mm rs p"; |
52 Goal "|- ~$(Calling ch p) --> ~ RNext ch mm rs p"; |
77 |
78 |
78 Goal "!!p. basevars (mm!l, rtrner ch ! p, rs!p) ==> \ |
79 Goal "!!p. basevars (mm!l, rtrner ch ! p, rs!p) ==> \ |
79 \ |- Calling ch p & (arg<ch!p> = #(write l v)) \ |
80 \ |- Calling ch p & (arg<ch!p> = #(write l v)) \ |
80 \ --> Enabled (WriteInner ch mm rs p l v)"; |
81 \ --> Enabled (WriteInner ch mm rs p l v)"; |
81 by (case_tac "l:MemLoc & v:MemVal" 1); |
82 by (case_tac "l:MemLoc & v:MemVal" 1); |
82 by (ALLGOALS |
83 by (ALLGOALS |
83 (force_tac (mem_css addsimps2 [WriteInner_def,GoodWrite_def, |
84 (force_tac (mem_css addsimps2 [WriteInner_def,GoodWrite_def, |
84 BadWrite_def,WrRequest_def] |
85 BadWrite_def,WrRequest_def] |
85 addSIs2 [exI] addSEs2 [base_enabled]))); |
86 addSIs2 [exI] addSEs2 [base_enabled]))); |
86 qed "WriteInner_enabled"; |
87 qed "WriteInner_enabled"; |
87 |
88 |
88 Goal "|- Read ch mm rs p & (!l. $(MemInv mm l)) --> (rs!p)` ~= #NotAResult"; |
89 Goal "|- Read ch mm rs p & (!l. $(MemInv mm l)) --> (rs!p)` ~= #NotAResult"; |
89 by (force_tac (mem_css addsimps2 |
90 by (force_tac (mem_css addsimps2 |
90 [Read_def,ReadInner_def,GoodRead_def,BadRead_def,MemInv_def]) 1); |
91 [Read_def,ReadInner_def,GoodRead_def,BadRead_def,MemInv_def]) 1); |
91 qed "ReadResult"; |
92 qed "ReadResult"; |
92 |
93 |
93 Goal "|- Write ch mm rs p l --> (rs!p)` ~= #NotAResult"; |
94 Goal "|- Write ch mm rs p l --> (rs!p)` ~= #NotAResult"; |
94 by (auto_tac (mem_css addsimps2 ([Write_def,WriteInner_def,GoodWrite_def,BadWrite_def]))); |
95 by (auto_tac (mem_css addsimps2 ([Write_def,WriteInner_def,GoodWrite_def,BadWrite_def]))); |
101 |
102 |
102 Goal "|- (rs!p = #NotAResult) & (!l. MemInv mm l) \ |
103 Goal "|- (rs!p = #NotAResult) & (!l. MemInv mm l) \ |
103 \ & Enabled (Read ch mm rs p | (? l. Write ch mm rs p l)) \ |
104 \ & Enabled (Read ch mm rs p | (? l. Write ch mm rs p l)) \ |
104 \ --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"; |
105 \ --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"; |
105 by (force_tac (mem_css addsimps2 [RNext_def,angle_def] |
106 by (force_tac (mem_css addsimps2 [RNext_def,angle_def] |
106 addSEs2 [enabled_mono2] |
107 addSEs2 [enabled_mono2] |
107 addDs2 [ReadResult, WriteResult]) 1); |
108 addDs2 [ReadResult, WriteResult]) 1); |
108 qed "RWRNext_enabled"; |
109 qed "RWRNext_enabled"; |
109 |
110 |
110 |
111 |
111 (* Combine previous lemmas: the memory can make a visible step if there is an |
112 (* Combine previous lemmas: the memory can make a visible step if there is an |
112 outstanding call for which no result has been produced. |
113 outstanding call for which no result has been produced. |
119 by (action_simp_tac (simpset()addsimps[Read_def,enabled_ex]) |
120 by (action_simp_tac (simpset()addsimps[Read_def,enabled_ex]) |
120 [ReadInner_enabled,exI] [] 1); |
121 [ReadInner_enabled,exI] [] 1); |
121 by (force_tac (mem_css addDs2 [base_pair]) 1); |
122 by (force_tac (mem_css addDs2 [base_pair]) 1); |
122 by (etac contrapos_np 1); |
123 by (etac contrapos_np 1); |
123 by (action_simp_tac (simpset() addsimps [Write_def,enabled_ex]) |
124 by (action_simp_tac (simpset() addsimps [Write_def,enabled_ex]) |
124 [WriteInner_enabled,exI] [] 1); |
125 [WriteInner_enabled,exI] [] 1); |
125 qed "RNext_enabled"; |
126 qed "RNext_enabled"; |