77 where "client_increasing = UNIV guarantees Increasing ask Int Increasing rel" |
77 where "client_increasing = UNIV guarantees Increasing ask Int Increasing rel" |
78 |
78 |
79 definition |
79 definition |
80 \<comment> \<open>spec (4)\<close> |
80 \<comment> \<open>spec (4)\<close> |
81 client_bounded :: "'a clientState_d program set" |
81 client_bounded :: "'a clientState_d program set" |
82 where "client_bounded = UNIV guarantees Always {s. ALL elt : set (ask s). elt \<le> NbT}" |
82 where "client_bounded = UNIV guarantees Always {s. \<forall>elt \<in> set (ask s). elt \<le> NbT}" |
83 |
83 |
84 definition |
84 definition |
85 \<comment> \<open>spec (5)\<close> |
85 \<comment> \<open>spec (5)\<close> |
86 client_progress :: "'a clientState_d program set" |
86 client_progress :: "'a clientState_d program set" |
87 where "client_progress = |
87 where "client_progress = |
130 alloc_progress :: "'a allocState_d program set" |
130 alloc_progress :: "'a allocState_d program set" |
131 where "alloc_progress = |
131 where "alloc_progress = |
132 (INT i : lessThan Nclients. Increasing (sub i o allocAsk) Int |
132 (INT i : lessThan Nclients. Increasing (sub i o allocAsk) Int |
133 Increasing (sub i o allocRel)) |
133 Increasing (sub i o allocRel)) |
134 Int |
134 Int |
135 Always {s. ALL i<Nclients. |
135 Always {s. \<forall>i<Nclients. |
136 ALL elt : set ((sub i o allocAsk) s). elt \<le> NbT} |
136 \<forall>elt \<in> set ((sub i o allocAsk) s). elt \<le> NbT} |
137 Int |
137 Int |
138 (INT i : lessThan Nclients. |
138 (INT i : lessThan Nclients. |
139 INT h. {s. h \<le> (sub i o allocGiv)s & h pfixGe (sub i o allocAsk)s} |
139 INT h. {s. h \<le> (sub i o allocGiv)s & h pfixGe (sub i o allocAsk)s} |
140 LeadsTo |
140 LeadsTo |
141 {s. tokens h \<le> (tokens o sub i o allocRel)s}) |
141 {s. tokens h \<le> (tokens o sub i o allocRel)s}) |
240 allocRel = allocRel al, |
240 allocRel = allocRel al, |
241 client = cl, |
241 client = cl, |
242 systemState.dummy = allocState_d.dummy al|))" |
242 systemState.dummy = allocState_d.dummy al|))" |
243 |
243 |
244 axiomatization Alloc :: "'a allocState_d program" |
244 axiomatization Alloc :: "'a allocState_d program" |
245 where Alloc: "Alloc : alloc_spec" |
245 where Alloc: "Alloc \<in> alloc_spec" |
246 |
246 |
247 axiomatization Client :: "'a clientState_d program" |
247 axiomatization Client :: "'a clientState_d program" |
248 where Client: "Client : client_spec" |
248 where Client: "Client \<in> client_spec" |
249 |
249 |
250 axiomatization Network :: "'a systemState program" |
250 axiomatization Network :: "'a systemState program" |
251 where Network: "Network : network_spec" |
251 where Network: "Network \<in> network_spec" |
252 |
252 |
253 definition System :: "'a systemState program" |
253 definition System :: "'a systemState program" |
254 where "System = rename sysOfAlloc Alloc \<squnion> Network \<squnion> |
254 where "System = rename sysOfAlloc Alloc \<squnion> Network \<squnion> |
255 (rename sysOfClient |
255 (rename sysOfClient |
256 (plam x: lessThan Nclients. rename client_map Client))" |
256 (plam x: lessThan Nclients. rename client_map Client))" |
733 method_setup rename_client_map = \<open> |
733 method_setup rename_client_map = \<open> |
734 Scan.succeed (fn ctxt => SIMPLE_METHOD (rename_client_map_tac ctxt)) |
734 Scan.succeed (fn ctxt => SIMPLE_METHOD (rename_client_map_tac ctxt)) |
735 \<close> |
735 \<close> |
736 |
736 |
737 text\<open>Lifting \<open>Client_Increasing\<close> to @{term systemState}\<close> |
737 text\<open>Lifting \<open>Client_Increasing\<close> to @{term systemState}\<close> |
738 lemma rename_Client_Increasing: "i : I |
738 lemma rename_Client_Increasing: "i \<in> I |
739 ==> rename sysOfClient (plam x: I. rename client_map Client) : |
739 ==> rename sysOfClient (plam x: I. rename client_map Client) \<in> |
740 UNIV guarantees |
740 UNIV guarantees |
741 Increasing (ask o sub i o client) Int |
741 Increasing (ask o sub i o client) Int |
742 Increasing (rel o sub i o client)" |
742 Increasing (rel o sub i o client)" |
743 by rename_client_map |
743 by rename_client_map |
744 |
744 |
745 lemma preserves_sub_fst_lift_map: "[| F : preserves w; i ~= j |] |
745 lemma preserves_sub_fst_lift_map: "[| F \<in> preserves w; i \<noteq> j |] |
746 ==> F : preserves (sub i o fst o lift_map j o funPair v w)" |
746 ==> F \<in> preserves (sub i o fst o lift_map j o funPair v w)" |
747 apply (auto simp add: lift_map_def split_def linorder_neq_iff o_def) |
747 apply (auto simp add: lift_map_def split_def linorder_neq_iff o_def) |
748 apply (drule_tac [!] subset_preserves_o [THEN [2] rev_subsetD]) |
748 apply (drule_tac [!] subset_preserves_o [THEN [2] rev_subsetD]) |
749 apply (auto simp add: o_def) |
749 apply (auto simp add: o_def) |
750 done |
750 done |
751 |
751 |
752 lemma client_preserves_giv_oo_client_map: "[| i < Nclients; j < Nclients |] |
752 lemma client_preserves_giv_oo_client_map: "[| i < Nclients; j < Nclients |] |
753 ==> Client : preserves (giv o sub i o fst o lift_map j o client_map)" |
753 ==> Client \<in> preserves (giv o sub i o fst o lift_map j o client_map)" |
754 apply (cases "i=j") |
754 apply (cases "i=j") |
755 apply (simp, simp add: o_def non_dummy_def) |
755 apply (simp, simp add: o_def non_dummy_def) |
756 apply (drule Client_preserves_dummy [THEN preserves_sub_fst_lift_map]) |
756 apply (drule Client_preserves_dummy [THEN preserves_sub_fst_lift_map]) |
757 apply (drule_tac [!] subset_preserves_o [THEN [2] rev_subsetD]) |
757 apply (drule_tac [!] subset_preserves_o [THEN [2] rev_subsetD]) |
758 apply (simp add: o_def client_map_def) |
758 apply (simp add: o_def client_map_def) |
782 rename_sysOfClient_ok_Network [THEN ok_sym, iff] |
782 rename_sysOfClient_ok_Network [THEN ok_sym, iff] |
783 rename_sysOfClient_ok_Alloc [THEN ok_sym, iff] |
783 rename_sysOfClient_ok_Alloc [THEN ok_sym, iff] |
784 rename_sysOfAlloc_ok_Network [THEN ok_sym] |
784 rename_sysOfAlloc_ok_Network [THEN ok_sym] |
785 |
785 |
786 lemma System_Increasing: "i < Nclients |
786 lemma System_Increasing: "i < Nclients |
787 ==> System : Increasing (ask o sub i o client) Int |
787 ==> System \<in> Increasing (ask o sub i o client) Int |
788 Increasing (rel o sub i o client)" |
788 Increasing (rel o sub i o client)" |
789 apply (rule component_guaranteesD [OF rename_Client_Increasing Client_component_System]) |
789 apply (rule component_guaranteesD [OF rename_Client_Increasing Client_component_System]) |
790 apply auto |
790 apply auto |
791 done |
791 done |
792 |
792 |
801 simplified surj_rename o_def sub_apply |
801 simplified surj_rename o_def sub_apply |
802 rename_image_Increasing bij_sysOfAlloc |
802 rename_image_Increasing bij_sysOfAlloc |
803 allocGiv_o_inv_sysOfAlloc_eq'] |
803 allocGiv_o_inv_sysOfAlloc_eq'] |
804 |
804 |
805 lemma System_Increasing_allocGiv: |
805 lemma System_Increasing_allocGiv: |
806 "i < Nclients ==> System : Increasing (sub i o allocGiv)" |
806 "i < Nclients \<Longrightarrow> System \<in> Increasing (sub i o allocGiv)" |
807 apply (unfold System_def) |
807 apply (unfold System_def) |
808 apply (simp add: o_def) |
808 apply (simp add: o_def) |
809 apply (rule rename_Alloc_Increasing [THEN guarantees_Join_I1, THEN guaranteesD]) |
809 apply (rule rename_Alloc_Increasing [THEN guarantees_Join_I1, THEN guaranteesD]) |
810 apply auto |
810 apply auto |
811 done |
811 done |
820 text\<open>Follows consequences. |
820 text\<open>Follows consequences. |
821 The "Always (INT ...) formulation expresses the general safety property |
821 The "Always (INT ...) formulation expresses the general safety property |
822 and allows it to be combined using \<open>Always_Int_rule\<close> below.\<close> |
822 and allows it to be combined using \<open>Always_Int_rule\<close> below.\<close> |
823 |
823 |
824 lemma System_Follows_rel: |
824 lemma System_Follows_rel: |
825 "i < Nclients ==> System : ((sub i o allocRel) Fols (rel o sub i o client))" |
825 "i < Nclients ==> System \<in> ((sub i o allocRel) Fols (rel o sub i o client))" |
826 apply (auto intro!: Network_Rel [THEN component_guaranteesD]) |
826 apply (auto intro!: Network_Rel [THEN component_guaranteesD]) |
827 apply (simp add: ok_commute [of Network]) |
827 apply (simp add: ok_commute [of Network]) |
828 done |
828 done |
829 |
829 |
830 lemma System_Follows_ask: |
830 lemma System_Follows_ask: |
831 "i < Nclients ==> System : ((sub i o allocAsk) Fols (ask o sub i o client))" |
831 "i < Nclients ==> System \<in> ((sub i o allocAsk) Fols (ask o sub i o client))" |
832 apply (auto intro!: Network_Ask [THEN component_guaranteesD]) |
832 apply (auto intro!: Network_Ask [THEN component_guaranteesD]) |
833 apply (simp add: ok_commute [of Network]) |
833 apply (simp add: ok_commute [of Network]) |
834 done |
834 done |
835 |
835 |
836 lemma System_Follows_allocGiv: |
836 lemma System_Follows_allocGiv: |
837 "i < Nclients ==> System : (giv o sub i o client) Fols (sub i o allocGiv)" |
837 "i < Nclients ==> System \<in> (giv o sub i o client) Fols (sub i o allocGiv)" |
838 apply (auto intro!: Network_Giv [THEN component_guaranteesD] |
838 apply (auto intro!: Network_Giv [THEN component_guaranteesD] |
839 rename_Alloc_Increasing [THEN component_guaranteesD]) |
839 rename_Alloc_Increasing [THEN component_guaranteesD]) |
840 apply (simp_all add: o_def non_dummy_def ok_commute [of Network]) |
840 apply (simp_all add: o_def non_dummy_def ok_commute [of Network]) |
841 apply (auto intro!: rename_Alloc_Increasing [THEN component_guaranteesD]) |
841 apply (auto intro!: rename_Alloc_Increasing [THEN component_guaranteesD]) |
842 done |
842 done |
843 |
843 |
844 |
844 |
845 lemma Always_giv_le_allocGiv: "System : Always (INT i: lessThan Nclients. |
845 lemma Always_giv_le_allocGiv: "System \<in> Always (INT i: lessThan Nclients. |
846 {s. (giv o sub i o client) s \<le> (sub i o allocGiv) s})" |
846 {s. (giv o sub i o client) s \<le> (sub i o allocGiv) s})" |
847 apply auto |
847 apply auto |
848 apply (erule System_Follows_allocGiv [THEN Follows_Bounded]) |
848 apply (erule System_Follows_allocGiv [THEN Follows_Bounded]) |
849 done |
849 done |
850 |
850 |
851 |
851 |
852 lemma Always_allocAsk_le_ask: "System : Always (INT i: lessThan Nclients. |
852 lemma Always_allocAsk_le_ask: "System \<in> Always (INT i: lessThan Nclients. |
853 {s. (sub i o allocAsk) s \<le> (ask o sub i o client) s})" |
853 {s. (sub i o allocAsk) s \<le> (ask o sub i o client) s})" |
854 apply auto |
854 apply auto |
855 apply (erule System_Follows_ask [THEN Follows_Bounded]) |
855 apply (erule System_Follows_ask [THEN Follows_Bounded]) |
856 done |
856 done |
857 |
857 |
858 |
858 |
859 lemma Always_allocRel_le_rel: "System : Always (INT i: lessThan Nclients. |
859 lemma Always_allocRel_le_rel: "System \<in> Always (INT i: lessThan Nclients. |
860 {s. (sub i o allocRel) s \<le> (rel o sub i o client) s})" |
860 {s. (sub i o allocRel) s \<le> (rel o sub i o client) s})" |
861 by (auto intro!: Follows_Bounded System_Follows_rel) |
861 by (auto intro!: Follows_Bounded System_Follows_rel) |
862 |
862 |
863 |
863 |
864 subsection\<open>Proof of the safety property (1)\<close> |
864 subsection\<open>Proof of the safety property (1)\<close> |
873 Simplifying with o_def gets rid of the translations but it unfortunately |
873 Simplifying with o_def gets rid of the translations but it unfortunately |
874 gets rid of the other "o"s too.*) |
874 gets rid of the other "o"s too.*) |
875 |
875 |
876 text\<open>safety (1), step 3\<close> |
876 text\<open>safety (1), step 3\<close> |
877 lemma System_sum_bounded: |
877 lemma System_sum_bounded: |
878 "System : Always {s. (\<Sum>i \<in> lessThan Nclients. (tokens o sub i o allocGiv) s) |
878 "System \<in> Always {s. (\<Sum>i \<in> lessThan Nclients. (tokens o sub i o allocGiv) s) |
879 \<le> NbT + (\<Sum>i \<in> lessThan Nclients. (tokens o sub i o allocRel) s)}" |
879 \<le> NbT + (\<Sum>i \<in> lessThan Nclients. (tokens o sub i o allocRel) s)}" |
880 apply (simp add: o_apply) |
880 apply (simp add: o_apply) |
881 apply (insert Alloc_Safety [THEN rename_guarantees_sysOfAlloc_I]) |
881 apply (insert Alloc_Safety [THEN rename_guarantees_sysOfAlloc_I]) |
882 apply (simp add: o_def) |
882 apply (simp add: o_def) |
883 apply (erule component_guaranteesD) |
883 apply (erule component_guaranteesD) |
884 apply (auto simp add: System_Increasing_allocRel [simplified sub_apply o_def]) |
884 apply (auto simp add: System_Increasing_allocRel [simplified sub_apply o_def]) |
885 done |
885 done |
886 |
886 |
887 text\<open>Follows reasoning\<close> |
887 text\<open>Follows reasoning\<close> |
888 |
888 |
889 lemma Always_tokens_giv_le_allocGiv: "System : Always (INT i: lessThan Nclients. |
889 lemma Always_tokens_giv_le_allocGiv: "System \<in> Always (INT i: lessThan Nclients. |
890 {s. (tokens o giv o sub i o client) s |
890 {s. (tokens o giv o sub i o client) s |
891 \<le> (tokens o sub i o allocGiv) s})" |
891 \<le> (tokens o sub i o allocGiv) s})" |
892 apply (rule Always_giv_le_allocGiv [THEN Always_weaken]) |
892 apply (rule Always_giv_le_allocGiv [THEN Always_weaken]) |
893 apply (auto intro: tokens_mono_prefix simp add: o_apply) |
893 apply (auto intro: tokens_mono_prefix simp add: o_apply) |
894 done |
894 done |
895 |
895 |
896 lemma Always_tokens_allocRel_le_rel: "System : Always (INT i: lessThan Nclients. |
896 lemma Always_tokens_allocRel_le_rel: "System \<in> Always (INT i: lessThan Nclients. |
897 {s. (tokens o sub i o allocRel) s |
897 {s. (tokens o sub i o allocRel) s |
898 \<le> (tokens o rel o sub i o client) s})" |
898 \<le> (tokens o rel o sub i o client) s})" |
899 apply (rule Always_allocRel_le_rel [THEN Always_weaken]) |
899 apply (rule Always_allocRel_le_rel [THEN Always_weaken]) |
900 apply (auto intro: tokens_mono_prefix simp add: o_apply) |
900 apply (auto intro: tokens_mono_prefix simp add: o_apply) |
901 done |
901 done |
902 |
902 |
903 text\<open>safety (1), step 4 (final result!)\<close> |
903 text\<open>safety (1), step 4 (final result!)\<close> |
904 theorem System_safety: "System : system_safety" |
904 theorem System_safety: "System \<in> system_safety" |
905 apply (unfold system_safety_def) |
905 apply (unfold system_safety_def) |
906 apply (tactic \<open>resolve_tac @{context} [Always_Int_rule [@{thm System_sum_bounded}, |
906 apply (tactic \<open>resolve_tac @{context} [Always_Int_rule [@{thm System_sum_bounded}, |
907 @{thm Always_tokens_giv_le_allocGiv}, @{thm Always_tokens_allocRel_le_rel}] RS |
907 @{thm Always_tokens_giv_le_allocGiv}, @{thm Always_tokens_allocRel_le_rel}] RS |
908 @{thm Always_weaken}] 1\<close>) |
908 @{thm Always_weaken}] 1\<close>) |
909 apply auto |
909 apply auto |
922 text\<open>progress (2), step 2; see also \<open>System_Increasing_allocRel\<close>\<close> |
922 text\<open>progress (2), step 2; see also \<open>System_Increasing_allocRel\<close>\<close> |
923 (* i < Nclients ==> System : Increasing (sub i o allocAsk) *) |
923 (* i < Nclients ==> System : Increasing (sub i o allocAsk) *) |
924 lemmas System_Increasing_allocAsk = System_Follows_ask [THEN Follows_Increasing1] |
924 lemmas System_Increasing_allocAsk = System_Follows_ask [THEN Follows_Increasing1] |
925 |
925 |
926 text\<open>progress (2), step 3: lifting \<open>Client_Bounded\<close> to systemState\<close> |
926 text\<open>progress (2), step 3: lifting \<open>Client_Bounded\<close> to systemState\<close> |
927 lemma rename_Client_Bounded: "i : I |
927 lemma rename_Client_Bounded: "i \<in> I |
928 ==> rename sysOfClient (plam x: I. rename client_map Client) : |
928 ==> rename sysOfClient (plam x: I. rename client_map Client) \<in> |
929 UNIV guarantees |
929 UNIV guarantees |
930 Always {s. ALL elt : set ((ask o sub i o client) s). elt \<le> NbT}" |
930 Always {s. \<forall>elt \<in> set ((ask o sub i o client) s). elt \<le> NbT}" |
931 by rename_client_map |
931 by rename_client_map |
932 |
932 |
933 |
933 |
934 lemma System_Bounded_ask: "i < Nclients |
934 lemma System_Bounded_ask: "i < Nclients |
935 ==> System : Always |
935 ==> System \<in> Always |
936 {s. ALL elt : set ((ask o sub i o client) s). elt \<le> NbT}" |
936 {s. \<forall>elt \<in> set ((ask o sub i o client) s). elt \<le> NbT}" |
937 apply (rule component_guaranteesD [OF rename_Client_Bounded Client_component_System]) |
937 apply (rule component_guaranteesD [OF rename_Client_Bounded Client_component_System]) |
938 apply auto |
938 apply auto |
939 done |
939 done |
940 |
940 |
941 lemma Collect_all_imp_eq: "{x. ALL y. P y --> Q x y} = (INT y: {y. P y}. {x. Q x y})" |
941 lemma Collect_all_imp_eq: "{x. \<forall>y. P y \<longrightarrow> Q x y} = (INT y: {y. P y}. {x. Q x y})" |
942 apply blast |
942 apply blast |
943 done |
943 done |
944 |
944 |
945 text\<open>progress (2), step 4\<close> |
945 text\<open>progress (2), step 4\<close> |
946 lemma System_Bounded_allocAsk: "System : Always {s. ALL i<Nclients. |
946 lemma System_Bounded_allocAsk: "System \<in> Always {s. ALL i<Nclients. |
947 ALL elt : set ((sub i o allocAsk) s). elt \<le> NbT}" |
947 \<forall>elt \<in> set ((sub i o allocAsk) s). elt \<le> NbT}" |
948 apply (auto simp add: Collect_all_imp_eq) |
948 apply (auto simp add: Collect_all_imp_eq) |
949 apply (tactic \<open>resolve_tac @{context} [Always_Int_rule [@{thm Always_allocAsk_le_ask}, |
949 apply (tactic \<open>resolve_tac @{context} [Always_Int_rule [@{thm Always_allocAsk_le_ask}, |
950 @{thm System_Bounded_ask}] RS @{thm Always_weaken}] 1\<close>) |
950 @{thm System_Bounded_ask}] RS @{thm Always_weaken}] 1\<close>) |
951 apply (auto dest: set_mono) |
951 apply (auto dest: set_mono) |
952 done |
952 done |
956 text\<open>progress (2), step 6\<close> |
956 text\<open>progress (2), step 6\<close> |
957 (* i < Nclients ==> System : Increasing (giv o sub i o client) *) |
957 (* i < Nclients ==> System : Increasing (giv o sub i o client) *) |
958 lemmas System_Increasing_giv = System_Follows_allocGiv [THEN Follows_Increasing1] |
958 lemmas System_Increasing_giv = System_Follows_allocGiv [THEN Follows_Increasing1] |
959 |
959 |
960 |
960 |
961 lemma rename_Client_Progress: "i: I |
961 lemma rename_Client_Progress: "i \<in> I |
962 ==> rename sysOfClient (plam x: I. rename client_map Client) |
962 ==> rename sysOfClient (plam x: I. rename client_map Client) |
963 : Increasing (giv o sub i o client) |
963 \<in> Increasing (giv o sub i o client) |
964 guarantees |
964 guarantees |
965 (INT h. {s. h \<le> (giv o sub i o client) s & |
965 (INT h. {s. h \<le> (giv o sub i o client) s & |
966 h pfixGe (ask o sub i o client) s} |
966 h pfixGe (ask o sub i o client) s} |
967 LeadsTo {s. tokens h \<le> (tokens o rel o sub i o client) s})" |
967 LeadsTo {s. tokens h \<le> (tokens o rel o sub i o client) s})" |
968 apply rename_client_map |
968 apply rename_client_map |
970 done |
970 done |
971 |
971 |
972 |
972 |
973 text\<open>progress (2), step 7\<close> |
973 text\<open>progress (2), step 7\<close> |
974 lemma System_Client_Progress: |
974 lemma System_Client_Progress: |
975 "System : (INT i : (lessThan Nclients). |
975 "System \<in> (INT i : (lessThan Nclients). |
976 INT h. {s. h \<le> (giv o sub i o client) s & |
976 INT h. {s. h \<le> (giv o sub i o client) s & |
977 h pfixGe (ask o sub i o client) s} |
977 h pfixGe (ask o sub i o client) s} |
978 LeadsTo {s. tokens h \<le> (tokens o rel o sub i o client) s})" |
978 LeadsTo {s. tokens h \<le> (tokens o rel o sub i o client) s})" |
979 apply (rule INT_I) |
979 apply (rule INT_I) |
980 (*Couldn't have just used Auto_tac since the "INT h" must be kept*) |
980 (*Couldn't have just used Auto_tac since the "INT h" must be kept*) |
996 PSP_Stable [OF System_lemma1 |
996 PSP_Stable [OF System_lemma1 |
997 System_Follows_ask [THEN Follows_Increasing1, THEN IncreasingD]] |
997 System_Follows_ask [THEN Follows_Increasing1, THEN IncreasingD]] |
998 |
998 |
999 |
999 |
1000 lemma System_lemma3: "i < Nclients |
1000 lemma System_lemma3: "i < Nclients |
1001 ==> System : {s. h \<le> (sub i o allocGiv) s & |
1001 ==> System \<in> {s. h \<le> (sub i o allocGiv) s & |
1002 h pfixGe (sub i o allocAsk) s} |
1002 h pfixGe (sub i o allocAsk) s} |
1003 LeadsTo |
1003 LeadsTo |
1004 {s. h \<le> (giv o sub i o client) s & |
1004 {s. h \<le> (giv o sub i o client) s & |
1005 h pfixGe (ask o sub i o client) s}" |
1005 h pfixGe (ask o sub i o client) s}" |
1006 apply (rule single_LeadsTo_I) |
1006 apply (rule single_LeadsTo_I) |
1011 done |
1011 done |
1012 |
1012 |
1013 |
1013 |
1014 text\<open>progress (2), step 8: Client i's "release" action is visible system-wide\<close> |
1014 text\<open>progress (2), step 8: Client i's "release" action is visible system-wide\<close> |
1015 lemma System_Alloc_Client_Progress: "i < Nclients |
1015 lemma System_Alloc_Client_Progress: "i < Nclients |
1016 ==> System : {s. h \<le> (sub i o allocGiv) s & |
1016 ==> System \<in> {s. h \<le> (sub i o allocGiv) s & |
1017 h pfixGe (sub i o allocAsk) s} |
1017 h pfixGe (sub i o allocAsk) s} |
1018 LeadsTo {s. tokens h \<le> (tokens o sub i o allocRel) s}" |
1018 LeadsTo {s. tokens h \<le> (tokens o sub i o allocRel) s}" |
1019 apply (rule LeadsTo_Trans) |
1019 apply (rule LeadsTo_Trans) |
1020 prefer 2 |
1020 prefer 2 |
1021 apply (drule System_Follows_rel [THEN |
1021 apply (drule System_Follows_rel [THEN |
1031 |
1031 |
1032 text\<open>Lifting \<open>Alloc_Progress\<close> up to the level of systemState\<close> |
1032 text\<open>Lifting \<open>Alloc_Progress\<close> up to the level of systemState\<close> |
1033 |
1033 |
1034 text\<open>progress (2), step 9\<close> |
1034 text\<open>progress (2), step 9\<close> |
1035 lemma System_Alloc_Progress: |
1035 lemma System_Alloc_Progress: |
1036 "System : (INT i : (lessThan Nclients). |
1036 "System \<in> (INT i : (lessThan Nclients). |
1037 INT h. {s. h \<le> (sub i o allocAsk) s} |
1037 INT h. {s. h \<le> (sub i o allocAsk) s} |
1038 LeadsTo {s. h pfixLe (sub i o allocGiv) s})" |
1038 LeadsTo {s. h pfixLe (sub i o allocGiv) s})" |
1039 apply (simp only: o_apply sub_def) |
1039 apply (simp only: o_apply sub_def) |
1040 apply (insert Alloc_Progress [THEN rename_guarantees_sysOfAlloc_I]) |
1040 apply (insert Alloc_Progress [THEN rename_guarantees_sysOfAlloc_I]) |
1041 apply (simp add: o_def del: INT_iff) |
1041 apply (simp add: o_def del: INT_iff) |
1046 System_Bounded_allocAsk [simplified sub_apply o_def] |
1046 System_Bounded_allocAsk [simplified sub_apply o_def] |
1047 System_Alloc_Client_Progress [simplified sub_apply o_def]) |
1047 System_Alloc_Client_Progress [simplified sub_apply o_def]) |
1048 done |
1048 done |
1049 |
1049 |
1050 text\<open>progress (2), step 10 (final result!)\<close> |
1050 text\<open>progress (2), step 10 (final result!)\<close> |
1051 lemma System_Progress: "System : system_progress" |
1051 lemma System_Progress: "System \<in> system_progress" |
1052 apply (unfold system_progress_def) |
1052 apply (unfold system_progress_def) |
1053 apply (cut_tac System_Alloc_Progress) |
1053 apply (cut_tac System_Alloc_Progress) |
1054 apply auto |
1054 apply auto |
1055 apply (blast intro: LeadsTo_Trans |
1055 apply (blast intro: LeadsTo_Trans |
1056 System_Follows_allocGiv [THEN Follows_LeadsTo_pfixLe] |
1056 System_Follows_allocGiv [THEN Follows_LeadsTo_pfixLe] |
1057 System_Follows_ask [THEN Follows_LeadsTo]) |
1057 System_Follows_ask [THEN Follows_LeadsTo]) |
1058 done |
1058 done |
1059 |
1059 |
1060 |
1060 |
1061 theorem System_correct: "System : system_spec" |
1061 theorem System_correct: "System \<in> system_spec" |
1062 apply (unfold system_spec_def) |
1062 apply (unfold system_spec_def) |
1063 apply (blast intro: System_safety System_Progress) |
1063 apply (blast intro: System_safety System_Progress) |
1064 done |
1064 done |
1065 |
1065 |
1066 |
1066 |
1081 apply (drule_tac [3] w1 = giv in subset_preserves_o [THEN [2] rev_subsetD]) |
1081 apply (drule_tac [3] w1 = giv in subset_preserves_o [THEN [2] rev_subsetD]) |
1082 apply (auto simp add: o_def) |
1082 apply (auto simp add: o_def) |
1083 done |
1083 done |
1084 |
1084 |
1085 text\<open>Could go to Extend.ML\<close> |
1085 text\<open>Could go to Extend.ML\<close> |
1086 lemma bij_fst_inv_inv_eq: "bij f ==> fst (inv (%(x, u). inv f x) z) = f z" |
1086 lemma bij_fst_inv_inv_eq: "bij f \<Longrightarrow> fst (inv (%(x, u). inv f x) z) = f z" |
1087 apply (rule fst_inv_equalityI) |
1087 apply (rule fst_inv_equalityI) |
1088 apply (rule_tac f = "%z. (f z, h z)" for h in surjI) |
1088 apply (rule_tac f = "%z. (f z, h z)" for h in surjI) |
1089 apply (simp add: bij_is_inj inv_f_f) |
1089 apply (simp add: bij_is_inj inv_f_f) |
1090 apply (simp add: bij_is_surj surj_f_inv_f) |
1090 apply (simp add: bij_is_surj surj_f_inv_f) |
1091 done |
1091 done |