39 "nodeOrder j == (inv_image less_than (%i. ((j+N)-i) mod N)) Int |
39 "nodeOrder j == (inv_image less_than (%i. ((j+N)-i) mod N)) Int |
40 (lessThan N <*> lessThan N)" |
40 (lessThan N <*> lessThan N)" |
41 and next_def: |
41 and next_def: |
42 "next i == (Suc i) mod N" |
42 "next i == (Suc i) mod N" |
43 assumes N_positive [iff]: "0<N" |
43 assumes N_positive [iff]: "0<N" |
44 and TR2: "F : (T i) co (T i Un H i)" |
44 and TR2: "F \<in> (T i) co (T i \<union> H i)" |
45 and TR3: "F : (H i) co (H i Un E i)" |
45 and TR3: "F \<in> (H i) co (H i \<union> E i)" |
46 and TR4: "F : (H i - HasTok i) co (H i)" |
46 and TR4: "F \<in> (H i - HasTok i) co (H i)" |
47 and TR5: "F : (HasTok i) co (HasTok i Un -(E i))" |
47 and TR5: "F \<in> (HasTok i) co (HasTok i \<union> -(E i))" |
48 and TR6: "F : (H i Int HasTok i) leadsTo (E i)" |
48 and TR6: "F \<in> (H i \<inter> HasTok i) leadsTo (E i)" |
49 and TR7: "F : (HasTok i) leadsTo (HasTok (next i))" |
49 and TR7: "F \<in> (HasTok i) leadsTo (HasTok (next i))" |
50 |
50 |
51 |
51 |
52 lemma HasToK_partition: "[| s: HasTok i; s: HasTok j |] ==> i=j" |
52 lemma HasToK_partition: "[| s \<in> HasTok i; s \<in> HasTok j |] ==> i=j" |
53 by (unfold HasTok_def, auto) |
53 by (unfold HasTok_def, auto) |
54 |
54 |
55 lemma not_E_eq: "(s ~: E i) = (s : H i | s : T i)" |
55 lemma not_E_eq: "(s \<notin> E i) = (s \<in> H i | s \<in> T i)" |
56 apply (simp add: H_def E_def T_def) |
56 apply (simp add: H_def E_def T_def) |
57 apply (case_tac "proc s i", auto) |
57 apply (case_tac "proc s i", auto) |
58 done |
58 done |
59 |
59 |
60 lemma (in Token) token_stable: "F : stable (-(E i) Un (HasTok i))" |
60 lemma (in Token) token_stable: "F \<in> stable (-(E i) \<union> (HasTok i))" |
61 apply (unfold stable_def) |
61 apply (unfold stable_def) |
62 apply (rule constrains_weaken) |
62 apply (rule constrains_weaken) |
63 apply (rule constrains_Un [OF constrains_Un [OF TR2 TR4] TR5]) |
63 apply (rule constrains_Un [OF constrains_Un [OF TR2 TR4] TR5]) |
64 apply (auto simp add: not_E_eq) |
64 apply (auto simp add: not_E_eq) |
65 apply (simp_all add: H_def E_def T_def) |
65 apply (simp_all add: H_def E_def T_def) |
72 apply (unfold nodeOrder_def) |
72 apply (unfold nodeOrder_def) |
73 apply (rule wf_less_than [THEN wf_inv_image, THEN wf_subset], blast) |
73 apply (rule wf_less_than [THEN wf_inv_image, THEN wf_subset], blast) |
74 done |
74 done |
75 |
75 |
76 lemma (in Token) nodeOrder_eq: |
76 lemma (in Token) nodeOrder_eq: |
77 "[| i<N; j<N |] ==> ((next i, i) : nodeOrder j) = (i ~= j)" |
77 "[| i<N; j<N |] ==> ((next i, i) \<in> nodeOrder j) = (i \<noteq> j)" |
78 apply (unfold nodeOrder_def next_def inv_image_def) |
78 apply (unfold nodeOrder_def next_def inv_image_def) |
79 apply (auto simp add: mod_Suc mod_geq) |
79 apply (auto simp add: mod_Suc mod_geq) |
80 apply (auto split add: nat_diff_split simp add: linorder_neq_iff mod_geq) |
80 apply (auto split add: nat_diff_split simp add: linorder_neq_iff mod_geq) |
81 done |
81 done |
82 |
82 |
83 (*From "A Logic for Concurrent Programming", but not used in Chapter 4. |
83 (*From "A Logic for Concurrent Programming", but not used in Chapter 4. |
84 Note the use of case_tac. Reasoning about leadsTo takes practice!*) |
84 Note the use of case_tac. Reasoning about leadsTo takes practice!*) |
85 lemma (in Token) TR7_nodeOrder: |
85 lemma (in Token) TR7_nodeOrder: |
86 "[| i<N; j<N |] ==> |
86 "[| i<N; j<N |] ==> |
87 F : (HasTok i) leadsTo ({s. (token s, i) : nodeOrder j} Un HasTok j)" |
87 F \<in> (HasTok i) leadsTo ({s. (token s, i) \<in> nodeOrder j} \<union> HasTok j)" |
88 apply (case_tac "i=j") |
88 apply (case_tac "i=j") |
89 apply (blast intro: subset_imp_leadsTo) |
89 apply (blast intro: subset_imp_leadsTo) |
90 apply (rule TR7 [THEN leadsTo_weaken_R]) |
90 apply (rule TR7 [THEN leadsTo_weaken_R]) |
91 apply (auto simp add: HasTok_def nodeOrder_eq) |
91 apply (auto simp add: HasTok_def nodeOrder_eq) |
92 done |
92 done |
93 |
93 |
94 |
94 |
95 (*Chapter 4 variant, the one actually used below.*) |
95 (*Chapter 4 variant, the one actually used below.*) |
96 lemma (in Token) TR7_aux: "[| i<N; j<N; i~=j |] |
96 lemma (in Token) TR7_aux: "[| i<N; j<N; i\<noteq>j |] |
97 ==> F : (HasTok i) leadsTo {s. (token s, i) : nodeOrder j}" |
97 ==> F \<in> (HasTok i) leadsTo {s. (token s, i) \<in> nodeOrder j}" |
98 apply (rule TR7 [THEN leadsTo_weaken_R]) |
98 apply (rule TR7 [THEN leadsTo_weaken_R]) |
99 apply (auto simp add: HasTok_def nodeOrder_eq) |
99 apply (auto simp add: HasTok_def nodeOrder_eq) |
100 done |
100 done |
101 |
101 |
102 lemma (in Token) token_lemma: |
102 lemma (in Token) token_lemma: |
103 "({s. token s < N} Int token -` {m}) = (if m<N then token -` {m} else {})" |
103 "({s. token s < N} \<inter> token -` {m}) = (if m<N then token -` {m} else {})" |
104 by auto |
104 by auto |
105 |
105 |
106 |
106 |
107 (*Misra's TR9: the token reaches an arbitrary node*) |
107 (*Misra's TR9: the token reaches an arbitrary node*) |
108 lemma (in Token) leadsTo_j: "j<N ==> F : {s. token s < N} leadsTo (HasTok j)" |
108 lemma (in Token) leadsTo_j: "j<N ==> F \<in> {s. token s < N} leadsTo (HasTok j)" |
109 apply (rule leadsTo_weaken_R) |
109 apply (rule leadsTo_weaken_R) |
110 apply (rule_tac I = "-{j}" and f = token and B = "{}" |
110 apply (rule_tac I = "-{j}" and f = token and B = "{}" |
111 in wf_nodeOrder [THEN bounded_induct]) |
111 in wf_nodeOrder [THEN bounded_induct]) |
112 apply (simp_all (no_asm_simp) add: token_lemma vimage_Diff HasTok_def) |
112 apply (simp_all (no_asm_simp) add: token_lemma vimage_Diff HasTok_def) |
113 prefer 2 apply blast |
113 prefer 2 apply blast |
116 apply (auto simp add: HasTok_def nodeOrder_def) |
116 apply (auto simp add: HasTok_def nodeOrder_def) |
117 done |
117 done |
118 |
118 |
119 (*Misra's TR8: a hungry process eventually eats*) |
119 (*Misra's TR8: a hungry process eventually eats*) |
120 lemma (in Token) token_progress: |
120 lemma (in Token) token_progress: |
121 "j<N ==> F : ({s. token s < N} Int H j) leadsTo (E j)" |
121 "j<N ==> F \<in> ({s. token s < N} \<inter> H j) leadsTo (E j)" |
122 apply (rule leadsTo_cancel1 [THEN leadsTo_Un_duplicate]) |
122 apply (rule leadsTo_cancel1 [THEN leadsTo_Un_duplicate]) |
123 apply (rule_tac [2] TR6) |
123 apply (rule_tac [2] TR6) |
124 apply (rule psp [OF leadsTo_j TR3, THEN leadsTo_weaken], blast+) |
124 apply (rule psp [OF leadsTo_j TR3, THEN leadsTo_weaken], blast+) |
125 done |
125 done |
126 |
126 |