13 |
13 |
14 Variables' types are introduced globally so that type verification reduces to |
14 Variables' types are introduced globally so that type verification reduces to |
15 the usual ZF typechecking: an ill-tyed expressions reduce to the empty set. |
15 the usual ZF typechecking: an ill-tyed expressions reduce to the empty set. |
16 *} |
16 *} |
17 |
17 |
18 consts |
18 abbreviation "p == Var([0])" |
19 p :: i |
19 abbreviation "m == Var([1])" |
20 m :: i |
20 abbreviation "n == Var([0,0])" |
21 n :: i |
21 abbreviation "u == Var([0,1])" |
22 u :: i |
22 abbreviation "v == Var([1,0])" |
23 v :: i |
23 |
24 |
|
25 translations |
|
26 "p" == "Var([0])" |
|
27 "m" == "Var([1])" |
|
28 "n" == "Var([0,0])" |
|
29 "u" == "Var([0,1])" |
|
30 "v" == "Var([1,0])" |
|
31 |
|
32 axioms --{** Type declarations **} |
24 axioms --{** Type declarations **} |
33 p_type: "type_of(p)=bool & default_val(p)=0" |
25 p_type: "type_of(p)=bool & default_val(p)=0" |
34 m_type: "type_of(m)=int & default_val(m)=#0" |
26 m_type: "type_of(m)=int & default_val(m)=#0" |
35 n_type: "type_of(n)=int & default_val(n)=#0" |
27 n_type: "type_of(n)=int & default_val(n)=#0" |
36 u_type: "type_of(u)=bool & default_val(u)=0" |
28 u_type: "type_of(u)=bool & default_val(u)=0" |
37 v_type: "type_of(v)=bool & default_val(v)=0" |
29 v_type: "type_of(v)=bool & default_val(v)=0" |
38 |
30 |
39 constdefs |
31 constdefs |
40 (** The program for process U **) |
32 (** The program for process U **) |
41 U0 :: i |
33 U0 :: i |
42 "U0 == {<s,t>:state*state. t = s(u:=1, m:=#1) & s`m = #0}" |
34 "U0 == {<s,t>:state*state. t = s(u:=1, m:=#1) & s`m = #0}" |
43 |
35 |
51 "U3 == {<s,t>:state*state. t=s(u:=0, m:=#4) & s`m = #3}" |
43 "U3 == {<s,t>:state*state. t=s(u:=0, m:=#4) & s`m = #3}" |
52 |
44 |
53 U4 :: i |
45 U4 :: i |
54 "U4 == {<s,t>:state*state. t = s(p:=1, m:=#0) & s`m = #4}" |
46 "U4 == {<s,t>:state*state. t = s(p:=1, m:=#0) & s`m = #4}" |
55 |
47 |
56 |
48 |
57 (** The program for process V **) |
49 (** The program for process V **) |
58 |
50 |
59 V0 :: i |
51 V0 :: i |
60 "V0 == {<s,t>:state*state. t = s (v:=1, n:=#1) & s`n = #0}" |
52 "V0 == {<s,t>:state*state. t = s (v:=1, n:=#1) & s`n = #0}" |
61 |
53 |
62 V1 :: i |
54 V1 :: i |
63 "V1 == {<s,t>:state*state. t = s(p:=not(s`u), n:=#2) & s`n = #1}" |
55 "V1 == {<s,t>:state*state. t = s(p:=not(s`u), n:=#2) & s`n = #1}" |
178 declare IU_def [THEN def_set_simp, simp] |
170 declare IU_def [THEN def_set_simp, simp] |
179 declare IV_def [THEN def_set_simp, simp] |
171 declare IV_def [THEN def_set_simp, simp] |
180 declare bad_IU_def [THEN def_set_simp, simp] |
172 declare bad_IU_def [THEN def_set_simp, simp] |
181 |
173 |
182 lemma IU: "Mutex \<in> Always(IU)" |
174 lemma IU: "Mutex \<in> Always(IU)" |
183 apply (rule AlwaysI, force) |
175 apply (rule AlwaysI, force) |
184 apply (unfold Mutex_def, safety, auto) |
176 apply (unfold Mutex_def, safety, auto) |
185 done |
177 done |
186 |
178 |
187 lemma IV: "Mutex \<in> Always(IV)" |
179 lemma IV: "Mutex \<in> Always(IV)" |
188 apply (rule AlwaysI, force) |
180 apply (rule AlwaysI, force) |
189 apply (unfold Mutex_def, safety) |
181 apply (unfold Mutex_def, safety) |
190 done |
182 done |
191 |
183 |
192 (*The safety property: mutual exclusion*) |
184 (*The safety property: mutual exclusion*) |
193 lemma mutual_exclusion: "Mutex \<in> Always({s \<in> state. ~(s`m = #3 & s`n = #3)})" |
185 lemma mutual_exclusion: "Mutex \<in> Always({s \<in> state. ~(s`m = #3 & s`n = #3)})" |
194 apply (rule Always_weaken) |
186 apply (rule Always_weaken) |
195 apply (rule Always_Int_I [OF IU IV], auto) |
187 apply (rule Always_Int_I [OF IU IV], auto) |
196 done |
188 done |
197 |
189 |
198 (*The bad invariant FAILS in V1*) |
190 (*The bad invariant FAILS in V1*) |
199 |
191 |
201 apply (drule_tac j = "#1" and k = "#3" in zless_zle_trans) |
193 apply (drule_tac j = "#1" and k = "#3" in zless_zle_trans) |
202 apply (drule_tac [2] j = x in zle_zless_trans, auto) |
194 apply (drule_tac [2] j = x in zle_zless_trans, auto) |
203 done |
195 done |
204 |
196 |
205 lemma "Mutex \<in> Always(bad_IU)" |
197 lemma "Mutex \<in> Always(bad_IU)" |
206 apply (rule AlwaysI, force) |
198 apply (rule AlwaysI, force) |
207 apply (unfold Mutex_def, safety, auto) |
199 apply (unfold Mutex_def, safety, auto) |
208 apply (subgoal_tac "#1 $<= #3") |
200 apply (subgoal_tac "#1 $<= #3") |
209 apply (drule_tac x = "#1" and y = "#3" in zle_trans, auto) |
201 apply (drule_tac x = "#1" and y = "#3" in zle_trans, auto) |
210 apply (simp (no_asm) add: not_zless_iff_zle [THEN iff_sym]) |
202 apply (simp (no_asm) add: not_zless_iff_zle [THEN iff_sym]) |
211 apply auto |
203 apply auto |
212 (*Resulting state: n=1, p=false, m=4, u=false. |
204 (*Resulting state: n=1, p=false, m=4, u=false. |
213 Execution of V1 (the command of process v guarded by n=1) sets p:=true, |
205 Execution of V1 (the command of process v guarded by n=1) sets p:=true, |
214 violating the invariant!*) |
206 violating the invariant!*) |
215 oops |
207 oops |
216 |
208 |
217 |
209 |
289 done |
281 done |
290 |
282 |
291 lemma V_lemma2: "Mutex \<in> {s \<in> state. s`n = #2} LeadsTo {s \<in> state. s`p=0}" |
283 lemma V_lemma2: "Mutex \<in> {s \<in> state. s`n = #2} LeadsTo {s \<in> state. s`p=0}" |
292 apply (rule LeadsTo_Diff [OF LeadsTo_weaken_L |
284 apply (rule LeadsTo_Diff [OF LeadsTo_weaken_L |
293 Int_lower2 [THEN subset_imp_LeadsTo]]) |
285 Int_lower2 [THEN subset_imp_LeadsTo]]) |
294 apply (rule LeadsTo_Trans [OF V_F2 V_F3], auto) |
286 apply (rule LeadsTo_Trans [OF V_F2 V_F3], auto) |
295 apply (auto dest!: p_value_type simp add: bool_def) |
287 apply (auto dest!: p_value_type simp add: bool_def) |
296 done |
288 done |
297 |
289 |
298 lemma V_lemma1: "Mutex \<in> {s \<in> state. s`n = #1} LeadsTo {s \<in> state. s`p = 0}" |
290 lemma V_lemma1: "Mutex \<in> {s \<in> state. s`n = #1} LeadsTo {s \<in> state. s`p = 0}" |
299 by (rule LeadsTo_Trans [OF V_F1 [THEN LeadsTo_weaken_R] V_lemma2], blast) |
291 by (rule LeadsTo_Trans [OF V_F1 [THEN LeadsTo_weaken_R] V_lemma2], blast) |