# HG changeset patch # User wenzelm # Date 1435326944 -7200 # Node ID e0b77517f9a9b2bdc032aad46c621640a20a9159 # Parent 479071e8778f54dff4bda63842e80a43267bc1ff more symbols; eliminated alternative syntax; diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Action.thy --- a/src/HOL/TLA/Action.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Action.thy Fri Jun 26 15:55:44 2015 +0200 @@ -53,10 +53,10 @@ "_SqAct" == "CONST SqAct" "_AnAct" == "CONST AnAct" "_Enabled" == "CONST enabled" - "w |= [A]_v" <= "_SqAct A v w" - "w |= _v" <= "_AnAct A v w" - "s |= Enabled A" <= "_Enabled A s" - "w |= unchanged f" <= "_unchanged f w" + "w \ [A]_v" <= "_SqAct A v w" + "w \ _v" <= "_AnAct A v w" + "s \ Enabled A" <= "_Enabled A s" + "w \ unchanged f" <= "_unchanged f w" axiomatization where unl_before: "(ACT $v) (s,t) \ v s" and @@ -161,8 +161,8 @@ done lemma square_simulation: - "\f. \ \ unchanged f & \B \ unchanged g; - \ A & \unchanged g \ B + "\f. \ \ unchanged f \ \B \ unchanged g; + \ A \ \unchanged g \ B \ \ \ [A]_f \ [B]_g" apply clarsimp apply (erule squareE) @@ -210,29 +210,29 @@ apply (erule maj) done -lemma enabled_disj1: "\ Enabled F \ Enabled (F | G)" +lemma enabled_disj1: "\ Enabled F \ Enabled (F \ G)" by (auto elim!: enabled_mono) -lemma enabled_disj2: "\ Enabled G \ Enabled (F | G)" +lemma enabled_disj2: "\ Enabled G \ Enabled (F \ G)" by (auto elim!: enabled_mono) -lemma enabled_conj1: "\ Enabled (F & G) \ Enabled F" +lemma enabled_conj1: "\ Enabled (F \ G) \ Enabled F" by (auto elim!: enabled_mono) -lemma enabled_conj2: "\ Enabled (F & G) \ Enabled G" +lemma enabled_conj2: "\ Enabled (F \ G) \ Enabled G" by (auto elim!: enabled_mono) lemma enabled_conjE: - "\ s \ Enabled (F & G); \ s \ Enabled F; s \ Enabled G \ \ Q \ \ Q" + "\ s \ Enabled (F \ G); \ s \ Enabled F; s \ Enabled G \ \ Q \ \ Q" apply (frule enabled_conj1 [action_use]) apply (drule enabled_conj2 [action_use]) apply simp done -lemma enabled_disjD: "\ Enabled (F | G) \ Enabled F | Enabled G" +lemma enabled_disjD: "\ Enabled (F \ G) \ Enabled F \ Enabled G" by (auto simp add: enabled_def) -lemma enabled_disj: "\ Enabled (F | G) = (Enabled F | Enabled G)" +lemma enabled_disj: "\ Enabled (F \ G) = (Enabled F \ Enabled G)" apply clarsimp apply (rule iffI) apply (erule enabled_disjD [action_use]) @@ -294,7 +294,7 @@ lemma assumes "basevars (x,y,z)" - shows "\ x \ Enabled ($x & (y$ = #False))" + shows "\ x \ Enabled ($x \ (y$ = #False))" apply (enabled assms) apply auto done diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Buffer/Buffer.thy --- a/src/HOL/TLA/Buffer/Buffer.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Buffer/Buffer.thy Fri Jun 26 15:55:44 2015 +0200 @@ -5,7 +5,7 @@ section {* A simple FIFO buffer (synchronous communication, interleaving) *} theory Buffer -imports TLA +imports "../TLA" begin consts @@ -22,16 +22,16 @@ defs BInit_def: "BInit ic q oc == PRED q = #[]" Enq_def: "Enq ic q oc == ACT (ic$ \ $ic) - & (q$ = $q @ [ ic$ ]) - & (oc$ = $oc)" + \ (q$ = $q @ [ ic$ ]) + \ (oc$ = $oc)" Deq_def: "Deq ic q oc == ACT ($q \ #[]) - & (oc$ = hd< $q >) - & (q$ = tl< $q >) - & (ic$ = $ic)" - Next_def: "Next ic q oc == ACT (Enq ic q oc | Deq ic q oc)" + \ (oc$ = hd< $q >) + \ (q$ = tl< $q >) + \ (ic$ = $ic)" + Next_def: "Next ic q oc == ACT (Enq ic q oc \ Deq ic q oc)" IBuffer_def: "IBuffer ic q oc == TEMP Init (BInit ic q oc) - & \[Next ic q oc]_(ic,q,oc) - & WF(Deq ic q oc)_(ic,q,oc)" + \ \[Next ic q oc]_(ic,q,oc) + \ WF(Deq ic q oc)_(ic,q,oc)" Buffer_def: "Buffer ic oc == TEMP (\\q. IBuffer ic q oc)" diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Buffer/DBuffer.thy --- a/src/HOL/TLA/Buffer/DBuffer.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Buffer/DBuffer.thy Fri Jun 26 15:55:44 2015 +0200 @@ -29,17 +29,17 @@ (* the concatenation of the two buffers *) qc_def: "PRED qc == PRED (q2 @ q1)" and - DBInit_def: "DBInit == PRED (BInit inp q1 mid & BInit mid q2 out)" and - DBEnq_def: "DBEnq == ACT Enq inp q1 mid & unchanged (q2,out)" and - DBDeq_def: "DBDeq == ACT Deq mid q2 out & unchanged (inp,q1)" and + DBInit_def: "DBInit == PRED (BInit inp q1 mid \ BInit mid q2 out)" and + DBEnq_def: "DBEnq == ACT Enq inp q1 mid \ unchanged (q2,out)" and + DBDeq_def: "DBDeq == ACT Deq mid q2 out \ unchanged (inp,q1)" and DBPass_def: "DBPass == ACT Deq inp q1 mid - & (q2$ = $q2 @ [ mid$ ]) - & (out$ = $out)" and - DBNext_def: "DBNext == ACT (DBEnq | DBDeq | DBPass)" and + \ (q2$ = $q2 @ [ mid$ ]) + \ (out$ = $out)" and + DBNext_def: "DBNext == ACT (DBEnq \ DBDeq \ DBPass)" and DBuffer_def: "DBuffer == TEMP Init DBInit - & \[DBNext]_(inp,mid,out,q1,q2) - & WF(DBDeq)_(inp,mid,out,q1,q2) - & WF(DBPass)_(inp,mid,out,q1,q2)" + \ \[DBNext]_(inp,mid,out,q1,q2) + \ WF(DBDeq)_(inp,mid,out,q1,q2) + \ WF(DBPass)_(inp,mid,out,q1,q2)" declare qc_def [simp] @@ -109,8 +109,8 @@ *) (* Condition (1a) *) -lemma DBFair_1a: "\ \[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2) - \ (qc \ #[] & q2 = #[] \ q2 \ #[])" +lemma DBFair_1a: "\ \[DBNext]_(inp,mid,out,q1,q2) \ WF(DBPass)_(inp,mid,out,q1,q2) + \ (qc \ #[] \ q2 = #[] \ q2 \ #[])" apply (rule WF1) apply (force simp: db_defs) apply (force simp: angle_def DBPass_def) @@ -118,7 +118,7 @@ done (* Condition (1) *) -lemma DBFair_1: "\ \[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2) +lemma DBFair_1: "\ \[DBNext]_(inp,mid,out,q1,q2) \ WF(DBPass)_(inp,mid,out,q1,q2) \ (Enabled (_(inp,qc,out)) \ q2 \ #[])" apply clarsimp apply (rule leadsto_classical [temp_use]) @@ -130,7 +130,7 @@ done (* Condition (2) *) -lemma DBFair_2: "\ \[DBNext]_(inp,mid,out,q1,q2) & WF(DBDeq)_(inp,mid,out,q1,q2) +lemma DBFair_2: "\ \[DBNext]_(inp,mid,out,q1,q2) \ WF(DBDeq)_(inp,mid,out,q1,q2) \ (q2 \ #[] \ DBDeq)" apply (rule WF_leadsto) apply (force simp: DBDeq_enabled [temp_use]) @@ -139,8 +139,8 @@ done (* High-level fairness *) -lemma DBFair: "\ \[DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2) - & WF(DBDeq)_(inp,mid,out,q1,q2) +lemma DBFair: "\ \[DBNext]_(inp,mid,out,q1,q2) \ WF(DBPass)_(inp,mid,out,q1,q2) + \ WF(DBDeq)_(inp,mid,out,q1,q2) \ WF(Deq inp qc out)_(inp,qc,out)" apply (auto simp del: qc_def intro!: leadsto_WF [temp_use] DBFair_1 [temp_use, THEN [2] LatticeTransitivity [temp_use]] diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Inc/Inc.thy --- a/src/HOL/TLA/Inc/Inc.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Inc/Inc.thy Fri Jun 26 15:55:44 2015 +0200 @@ -5,7 +5,7 @@ section {* Lamport's "increment" example *} theory Inc -imports TLA +imports "../TLA" begin (* program counter as an enumeration type *) @@ -45,38 +45,38 @@ Inc_base: "basevars (x, y, sem, pc1, pc2)" and (* definitions for high-level program *) - InitPhi_def: "InitPhi == PRED x = # 0 & y = # 0" and - M1_def: "M1 == ACT x$ = Suc<$x> & y$ = $y" and - M2_def: "M2 == ACT y$ = Suc<$y> & x$ = $x" and - Phi_def: "Phi == TEMP Init InitPhi & \[M1 | M2]_(x,y) - & WF(M1)_(x,y) & WF(M2)_(x,y)" and + InitPhi_def: "InitPhi == PRED x = # 0 \ y = # 0" and + M1_def: "M1 == ACT x$ = Suc<$x> \ y$ = $y" and + M2_def: "M2 == ACT y$ = Suc<$y> \ x$ = $x" and + Phi_def: "Phi == TEMP Init InitPhi \ \[M1 \ M2]_(x,y) + \ WF(M1)_(x,y) \ WF(M2)_(x,y)" and (* definitions for low-level program *) - InitPsi_def: "InitPsi == PRED pc1 = #a & pc2 = #a - & x = # 0 & y = # 0 & sem = # 1" and - alpha1_def: "alpha1 == ACT $pc1 = #a & pc1$ = #b & $sem = Suc - & unchanged(x,y,pc2)" and - alpha2_def: "alpha2 == ACT $pc2 = #a & pc2$ = #b & $sem = Suc - & unchanged(x,y,pc1)" and - beta1_def: "beta1 == ACT $pc1 = #b & pc1$ = #g & x$ = Suc<$x> - & unchanged(y,sem,pc2)" and - beta2_def: "beta2 == ACT $pc2 = #b & pc2$ = #g & y$ = Suc<$y> - & unchanged(x,sem,pc1)" and - gamma1_def: "gamma1 == ACT $pc1 = #g & pc1$ = #a & sem$ = Suc<$sem> - & unchanged(x,y,pc2)" and - gamma2_def: "gamma2 == ACT $pc2 = #g & pc2$ = #a & sem$ = Suc<$sem> - & unchanged(x,y,pc1)" and - N1_def: "N1 == ACT (alpha1 | beta1 | gamma1)" and - N2_def: "N2 == ACT (alpha2 | beta2 | gamma2)" and + InitPsi_def: "InitPsi == PRED pc1 = #a \ pc2 = #a + \ x = # 0 \ y = # 0 \ sem = # 1" and + alpha1_def: "alpha1 == ACT $pc1 = #a \ pc1$ = #b \ $sem = Suc + \ unchanged(x,y,pc2)" and + alpha2_def: "alpha2 == ACT $pc2 = #a \ pc2$ = #b \ $sem = Suc + \ unchanged(x,y,pc1)" and + beta1_def: "beta1 == ACT $pc1 = #b \ pc1$ = #g \ x$ = Suc<$x> + \ unchanged(y,sem,pc2)" and + beta2_def: "beta2 == ACT $pc2 = #b \ pc2$ = #g \ y$ = Suc<$y> + \ unchanged(x,sem,pc1)" and + gamma1_def: "gamma1 == ACT $pc1 = #g \ pc1$ = #a \ sem$ = Suc<$sem> + \ unchanged(x,y,pc2)" and + gamma2_def: "gamma2 == ACT $pc2 = #g \ pc2$ = #a \ sem$ = Suc<$sem> + \ unchanged(x,y,pc1)" and + N1_def: "N1 == ACT (alpha1 \ beta1 \ gamma1)" and + N2_def: "N2 == ACT (alpha2 \ beta2 \ gamma2)" and Psi_def: "Psi == TEMP Init InitPsi - & \[N1 | N2]_(x,y,sem,pc1,pc2) - & SF(N1)_(x,y,sem,pc1,pc2) - & SF(N2)_(x,y,sem,pc1,pc2)" and + \ \[N1 \ N2]_(x,y,sem,pc1,pc2) + \ SF(N1)_(x,y,sem,pc1,pc2) + \ SF(N2)_(x,y,sem,pc1,pc2)" and - PsiInv1_def: "PsiInv1 == PRED sem = # 1 & pc1 = #a & pc2 = #a" and - PsiInv2_def: "PsiInv2 == PRED sem = # 0 & pc1 = #a & (pc2 = #b | pc2 = #g)" and - PsiInv3_def: "PsiInv3 == PRED sem = # 0 & pc2 = #a & (pc1 = #b | pc1 = #g)" and - PsiInv_def: "PsiInv == PRED (PsiInv1 | PsiInv2 | PsiInv3)" + PsiInv1_def: "PsiInv1 == PRED sem = # 1 \ pc1 = #a \ pc2 = #a" and + PsiInv2_def: "PsiInv2 == PRED sem = # 0 \ pc1 = #a \ (pc2 = #b \ pc2 = #g)" and + PsiInv3_def: "PsiInv3 == PRED sem = # 0 \ pc2 = #a \ (pc1 = #b \ pc1 = #g)" and + PsiInv_def: "PsiInv == PRED (PsiInv1 \ PsiInv2 \ PsiInv3)" lemmas PsiInv_defs = PsiInv_def PsiInv1_def PsiInv2_def PsiInv3_def @@ -89,25 +89,25 @@ lemma PsiInv_Init: "\ InitPsi \ PsiInv" by (auto simp: InitPsi_def PsiInv_defs) -lemma PsiInv_alpha1: "\ alpha1 & $PsiInv \ PsiInv$" +lemma PsiInv_alpha1: "\ alpha1 \ $PsiInv \ PsiInv$" by (auto simp: alpha1_def PsiInv_defs) -lemma PsiInv_alpha2: "\ alpha2 & $PsiInv \ PsiInv$" +lemma PsiInv_alpha2: "\ alpha2 \ $PsiInv \ PsiInv$" by (auto simp: alpha2_def PsiInv_defs) -lemma PsiInv_beta1: "\ beta1 & $PsiInv \ PsiInv$" +lemma PsiInv_beta1: "\ beta1 \ $PsiInv \ PsiInv$" by (auto simp: beta1_def PsiInv_defs) -lemma PsiInv_beta2: "\ beta2 & $PsiInv \ PsiInv$" +lemma PsiInv_beta2: "\ beta2 \ $PsiInv \ PsiInv$" by (auto simp: beta2_def PsiInv_defs) -lemma PsiInv_gamma1: "\ gamma1 & $PsiInv \ PsiInv$" +lemma PsiInv_gamma1: "\ gamma1 \ $PsiInv \ PsiInv$" by (auto simp: gamma1_def PsiInv_defs) -lemma PsiInv_gamma2: "\ gamma2 & $PsiInv \ PsiInv$" +lemma PsiInv_gamma2: "\ gamma2 \ $PsiInv \ PsiInv$" by (auto simp: gamma2_def PsiInv_defs) -lemma PsiInv_stutter: "\ unchanged (x,y,sem,pc1,pc2) & $PsiInv \ PsiInv$" +lemma PsiInv_stutter: "\ unchanged (x,y,sem,pc1,pc2) \ $PsiInv \ PsiInv$" by (auto simp: PsiInv_defs) lemma PsiInv: "\ Psi \ \PsiInv" @@ -132,7 +132,7 @@ lemma Init_sim: "\ Psi \ Init InitPhi" by (auto simp: InitPhi_def Psi_def InitPsi_def Init_def) -lemma Step_sim: "\ Psi \ \[M1 | M2]_(x,y)" +lemma Step_sim: "\ Psi \ \[M1 \ M2]_(x,y)" by (auto simp: square_def M1_def M2_def Psi_defs elim!: STL4E [temp_use]) @@ -154,7 +154,7 @@ the auxiliary lemmas are very similar. *) -lemma Stuck_at_b: "\ \[(N1 | N2) & \ beta1]_(x,y,sem,pc1,pc2) \ stable(pc1 = #b)" +lemma Stuck_at_b: "\ \[(N1 \ N2) \ \ beta1]_(x,y,sem,pc1,pc2) \ stable(pc1 = #b)" by (auto elim!: Stable squareE simp: Psi_defs) lemma N1_enabled_at_g: "\ pc1 = #g \ Enabled (_(x,y,sem,pc1,pc2))" @@ -166,7 +166,7 @@ done lemma g1_leadsto_a1: - "\ \[(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2) & SF(N1)_(x,y,sem,pc1,pc2) & \#True + "\ \[(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2) \ SF(N1)_(x,y,sem,pc1,pc2) \ \#True \ (pc1 = #g \ pc1 = #a)" apply (rule SF1) apply (tactic @@ -188,7 +188,7 @@ done lemma g2_leadsto_a2: - "\ \[(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \#True + "\ \[(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2) \ SF(N2)_(x,y,sem,pc1,pc2) \ \#True \ (pc2 = #g \ pc2 = #a)" apply (rule SF1) apply (tactic {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *}) @@ -207,7 +207,7 @@ done lemma b2_leadsto_g2: - "\ \[(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \#True + "\ \[(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2) \ SF(N2)_(x,y,sem,pc1,pc2) \ \#True \ (pc2 = #b \ pc2 = #g)" apply (rule SF1) apply (tactic @@ -220,8 +220,8 @@ (* Combine above lemmas: the second component will eventually reach pc2 = a *) lemma N2_leadsto_a: - "\ \[(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & \#True - \ (pc2 = #a | pc2 = #b | pc2 = #g \ pc2 = #a)" + "\ \[(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2) \ SF(N2)_(x,y,sem,pc1,pc2) \ \#True + \ (pc2 = #a \ pc2 = #b \ pc2 = #g \ pc2 = #a)" apply (auto intro!: LatticeDisjunctionIntro [temp_use]) apply (rule LatticeReflexivity [temp_use]) apply (rule LatticeTransitivity [temp_use]) @@ -230,7 +230,7 @@ (* Get rid of disjunction on the left-hand side of \ above. *) lemma N2_live: - "\ \[(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) + "\ \[(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2) \ SF(N2)_(x,y,sem,pc1,pc2) \ \(pc2 = #a)" apply (auto simp: Init_defs intro!: N2_leadsto_a [temp_use, THEN [2] leadsto_init [temp_use]]) apply (case_tac "pc2 (st1 sigma)") @@ -240,7 +240,7 @@ (* Now prove that the first component will eventually reach pc1 = b from pc1 = a *) lemma N1_enabled_at_both_a: - "\ pc2 = #a & (PsiInv & pc1 = #a) \ Enabled (_(x,y,sem,pc1,pc2))" + "\ pc2 = #a \ (PsiInv \ pc1 = #a) \ Enabled (_(x,y,sem,pc1,pc2))" apply clarsimp apply (rule_tac F = alpha1 in enabled_mono) apply (enabled Inc_base) @@ -249,8 +249,8 @@ done lemma a1_leadsto_b1: - "\ \($PsiInv & [(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2)) - & SF(N1)_(x,y,sem,pc1,pc2) & \ SF(N2)_(x,y,sem,pc1,pc2) + "\ \($PsiInv \ [(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2)) + \ SF(N1)_(x,y,sem,pc1,pc2) \ \ SF(N2)_(x,y,sem,pc1,pc2) \ (pc1 = #a \ pc1 = #b)" apply (rule SF1) apply (tactic {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *}) @@ -263,9 +263,9 @@ (* Combine the leadsto properties for N1: it will arrive at pc1 = b *) -lemma N1_leadsto_b: "\ \($PsiInv & [(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2)) - & SF(N1)_(x,y,sem,pc1,pc2) & \ SF(N2)_(x,y,sem,pc1,pc2) - \ (pc1 = #b | pc1 = #g | pc1 = #a \ pc1 = #b)" +lemma N1_leadsto_b: "\ \($PsiInv \ [(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2)) + \ SF(N1)_(x,y,sem,pc1,pc2) \ \ SF(N2)_(x,y,sem,pc1,pc2) + \ (pc1 = #b \ pc1 = #g \ pc1 = #a \ pc1 = #b)" apply (auto intro!: LatticeDisjunctionIntro [temp_use]) apply (rule LatticeReflexivity [temp_use]) apply (rule LatticeTransitivity [temp_use]) @@ -273,8 +273,8 @@ simp: split_box_conj) done -lemma N1_live: "\ \($PsiInv & [(N1 | N2) & \beta1]_(x,y,sem,pc1,pc2)) - & SF(N1)_(x,y,sem,pc1,pc2) & \ SF(N2)_(x,y,sem,pc1,pc2) +lemma N1_live: "\ \($PsiInv \ [(N1 \ N2) \ \beta1]_(x,y,sem,pc1,pc2)) + \ SF(N1)_(x,y,sem,pc1,pc2) \ \ SF(N2)_(x,y,sem,pc1,pc2) \ \(pc1 = #b)" apply (auto simp: Init_defs intro!: N1_leadsto_b [temp_use, THEN [2] leadsto_init [temp_use]]) apply (case_tac "pc1 (st1 sigma)") @@ -291,8 +291,8 @@ (* Now assemble the bits and pieces to prove that Psi is fair. *) -lemma Fair_M1_lemma: "\ \($PsiInv & [(N1 | N2)]_(x,y,sem,pc1,pc2)) - & SF(N1)_(x,y,sem,pc1,pc2) & \SF(N2)_(x,y,sem,pc1,pc2) +lemma Fair_M1_lemma: "\ \($PsiInv \ [(N1 \ N2)]_(x,y,sem,pc1,pc2)) + \ SF(N1)_(x,y,sem,pc1,pc2) \ \SF(N2)_(x,y,sem,pc1,pc2) \ SF(M1)_(x,y)" apply (rule_tac B = beta1 and P = "PRED pc1 = #b" in SF2) (* action premises *) diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Init.thy --- a/src/HOL/TLA/Init.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Init.thy Fri Jun 26 15:55:44 2015 +0200 @@ -30,7 +30,7 @@ translations "TEMP F" => "(F::behavior \ _)" "_Init" == "CONST Initial" - "sigma |= Init F" <= "_Init F sigma" + "sigma \ Init F" <= "_Init F sigma" defs Init_def: "sigma \ Init F == (first_world sigma) \ F" @@ -48,8 +48,8 @@ lemma Init_simps1 [int_rewrite]: "\F. \ (Init \F) = (\ Init F)" "\ (Init (P \ Q)) = (Init P \ Init Q)" - "\ (Init (P & Q)) = (Init P & Init Q)" - "\ (Init (P | Q)) = (Init P | Init Q)" + "\ (Init (P \ Q)) = (Init P \ Init Q)" + "\ (Init (P \ Q)) = (Init P \ Init Q)" "\ (Init (P = Q)) = ((Init P) = (Init Q))" "\ (Init (\x. F x)) = (\x. (Init F x))" "\ (Init (\x. F x)) = (\x. (Init F x))" diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Intensional.thy --- a/src/HOL/TLA/Intensional.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Intensional.thy Fri Jun 26 15:55:44 2015 +0200 @@ -43,8 +43,8 @@ "_constrain" :: "[lift, type] \ lift" ("(_::_)" [4, 0] 3) "" :: "lift \ liftargs" ("_") "_liftargs" :: "[lift, liftargs] \ liftargs" ("_,/ _") - "_Valid" :: "lift \ bool" ("(|- _)" 5) - "_holdsAt" :: "['a, lift] \ bool" ("(_ |= _)" [100,10] 10) + "_Valid" :: "lift \ bool" ("(\ _)" 5) + "_holdsAt" :: "['a, lift] \ bool" ("(_ \ _)" [100,10] 10) (* Syntax for lifted expressions outside the scope of \ or |= *) "_LIFT" :: "lift \ 'a" ("LIFT _") @@ -57,11 +57,11 @@ (* concrete syntax for common infix functions: reuse same symbol *) "_liftEqu" :: "[lift, lift] \ lift" ("(_ =/ _)" [50,51] 50) - "_liftNeq" :: "[lift, lift] \ lift" ("(_ ~=/ _)" [50,51] 50) - "_liftNot" :: "lift \ lift" ("(~ _)" [40] 40) - "_liftAnd" :: "[lift, lift] \ lift" ("(_ &/ _)" [36,35] 35) - "_liftOr" :: "[lift, lift] \ lift" ("(_ |/ _)" [31,30] 30) - "_liftImp" :: "[lift, lift] \ lift" ("(_ -->/ _)" [26,25] 25) + "_liftNeq" :: "[lift, lift] \ lift" ("(_ \/ _)" [50,51] 50) + "_liftNot" :: "lift \ lift" ("(\ _)" [40] 40) + "_liftAnd" :: "[lift, lift] \ lift" ("(_ \/ _)" [36,35] 35) + "_liftOr" :: "[lift, lift] \ lift" ("(_ \/ _)" [31,30] 30) + "_liftImp" :: "[lift, lift] \ lift" ("(_ \/ _)" [26,25] 25) "_liftIf" :: "[lift, lift, lift] \ lift" ("(if (_)/ then (_)/ else (_))" 10) "_liftPlus" :: "[lift, lift] \ lift" ("(_ +/ _)" [66,65] 65) "_liftMinus" :: "[lift, lift] \ lift" ("(_ -/ _)" [66,65] 65) @@ -69,9 +69,9 @@ "_liftDiv" :: "[lift, lift] \ lift" ("(_ div _)" [71,70] 70) "_liftMod" :: "[lift, lift] \ lift" ("(_ mod _)" [71,70] 70) "_liftLess" :: "[lift, lift] \ lift" ("(_/ < _)" [50, 51] 50) - "_liftLeq" :: "[lift, lift] \ lift" ("(_/ <= _)" [50, 51] 50) - "_liftMem" :: "[lift, lift] \ lift" ("(_/ : _)" [50, 51] 50) - "_liftNotMem" :: "[lift, lift] \ lift" ("(_/ ~: _)" [50, 51] 50) + "_liftLeq" :: "[lift, lift] \ lift" ("(_/ \ _)" [50, 51] 50) + "_liftMem" :: "[lift, lift] \ lift" ("(_/ \ _)" [50, 51] 50) + "_liftNotMem" :: "[lift, lift] \ lift" ("(_/ \ _)" [50, 51] 50) "_liftFinset" :: "liftargs \ lift" ("{(_)}") (** TODO: syntax for lifted collection / comprehension **) "_liftPair" :: "[lift,liftargs] \ lift" ("(1'(_,/ _'))") @@ -81,12 +81,9 @@ "_liftList" :: "liftargs \ lift" ("[(_)]") (* Rigid quantification (syntax level) *) - "_ARAll" :: "[idts, lift] \ lift" ("(3! _./ _)" [0, 10] 10) - "_AREx" :: "[idts, lift] \ lift" ("(3? _./ _)" [0, 10] 10) - "_AREx1" :: "[idts, lift] \ lift" ("(3?! _./ _)" [0, 10] 10) - "_RAll" :: "[idts, lift] \ lift" ("(3ALL _./ _)" [0, 10] 10) - "_REx" :: "[idts, lift] \ lift" ("(3EX _./ _)" [0, 10] 10) - "_REx1" :: "[idts, lift] \ lift" ("(3EX! _./ _)" [0, 10] 10) + "_RAll" :: "[idts, lift] \ lift" ("(3\_./ _)" [0, 10] 10) + "_REx" :: "[idts, lift] \ lift" ("(3\_./ _)" [0, 10] 10) + "_REx1" :: "[idts, lift] \ lift" ("(3\!_./ _)" [0, 10] 10) translations "_const" == "CONST const" @@ -97,19 +94,16 @@ "_RAll x A" == "Rall x. A" "_REx x A" == "Rex x. A" "_REx1 x A" == "Rex! x. A" - "_ARAll" => "_RAll" - "_AREx" => "_REx" - "_AREx1" => "_REx1" - "w |= A" => "A w" - "LIFT A" => "A::_=>_" + "w \ A" => "A w" + "LIFT A" => "A::_\_" "_liftEqu" == "_lift2 (op =)" "_liftNeq u v" == "_liftNot (_liftEqu u v)" "_liftNot" == "_lift (CONST Not)" - "_liftAnd" == "_lift2 (op &)" - "_liftOr" == "_lift2 (op | )" - "_liftImp" == "_lift2 (op -->)" + "_liftAnd" == "_lift2 (op \)" + "_liftOr" == "_lift2 (op \)" + "_liftImp" == "_lift2 (op \)" "_liftIf" == "_lift3 (CONST If)" "_liftPlus" == "_lift2 (op +)" "_liftMinus" == "_lift2 (op -)" @@ -117,8 +111,8 @@ "_liftDiv" == "_lift2 (op div)" "_liftMod" == "_lift2 (op mod)" "_liftLess" == "_lift2 (op <)" - "_liftLeq" == "_lift2 (op <=)" - "_liftMem" == "_lift2 (op :)" + "_liftLeq" == "_lift2 (op \)" + "_liftMem" == "_lift2 (op \)" "_liftNotMem x xs" == "_liftNot (_liftMem x xs)" "_liftFinset (_liftargs x xs)" == "_lift2 (CONST insert) x (_liftFinset xs)" "_liftFinset x" == "_lift2 (CONST insert) x (_const {})" @@ -131,29 +125,14 @@ - "w |= ~A" <= "_liftNot A w" - "w |= A & B" <= "_liftAnd A B w" - "w |= A | B" <= "_liftOr A B w" - "w |= A --> B" <= "_liftImp A B w" - "w |= u = v" <= "_liftEqu u v w" - "w |= ALL x. A" <= "_RAll x A w" - "w |= EX x. A" <= "_REx x A w" - "w |= EX! x. A" <= "_REx1 x A w" - -syntax (xsymbols) - "_Valid" :: "lift \ bool" ("(\ _)" 5) - "_holdsAt" :: "['a, lift] \ bool" ("(_ \ _)" [100,10] 10) - "_liftNeq" :: "[lift, lift] \ lift" (infixl "\" 50) - "_liftNot" :: "lift \ lift" ("\ _" [40] 40) - "_liftAnd" :: "[lift, lift] \ lift" (infixr "\" 35) - "_liftOr" :: "[lift, lift] \ lift" (infixr "\" 30) - "_liftImp" :: "[lift, lift] \ lift" (infixr "\" 25) - "_RAll" :: "[idts, lift] \ lift" ("(3\_./ _)" [0, 10] 10) - "_REx" :: "[idts, lift] \ lift" ("(3\_./ _)" [0, 10] 10) - "_REx1" :: "[idts, lift] \ lift" ("(3\!_./ _)" [0, 10] 10) - "_liftLeq" :: "[lift, lift] \ lift" ("(_/ \ _)" [50, 51] 50) - "_liftMem" :: "[lift, lift] \ lift" ("(_/ \ _)" [50, 51] 50) - "_liftNotMem" :: "[lift, lift] \ lift" ("(_/ \ _)" [50, 51] 50) + "w \ \A" <= "_liftNot A w" + "w \ A \ B" <= "_liftAnd A B w" + "w \ A \ B" <= "_liftOr A B w" + "w \ A \ B" <= "_liftImp A B w" + "w \ u = v" <= "_liftEqu u v w" + "w \ \x. A" <= "_RAll x A w" + "w \ \x. A" <= "_REx x A w" + "w \ \!x. A" <= "_REx1 x A w" defs Valid_def: "\ A == \w. w \ A" @@ -164,7 +143,7 @@ unl_lift3: "LIFT f w == f (x w) (y w) (z w)" unl_Rall: "w \ \x. A x == \x. (w \ A x)" - unl_Rex: "w \ \x. A x == \ x. (w \ A x)" + unl_Rex: "w \ \x. A x == \x. (w \ A x)" unl_Rex1: "w \ \!x. A x == \!x. (w \ A x)" @@ -202,15 +181,15 @@ "\ (#True \ P) = P" "\ (#False \ P) = #True" "\ (P \ #True) = #True" "\ (P \ P) = #True" "\ (P \ #False) = (\P)" "\ (P \ \P) = (\P)" - "\ (P & #True) = P" "\ (#True & P) = P" - "\ (P & #False) = #False" "\ (#False & P) = #False" - "\ (P & P) = P" "\ (P & \P) = #False" "\ (\P & P) = #False" - "\ (P | #True) = #True" "\ (#True | P) = #True" - "\ (P | #False) = P" "\ (#False | P) = P" - "\ (P | P) = P" "\ (P | \P) = #True" "\ (\P | P) = #True" + "\ (P \ #True) = P" "\ (#True \ P) = P" + "\ (P \ #False) = #False" "\ (#False \ P) = #False" + "\ (P \ P) = P" "\ (P \ \P) = #False" "\ (\P \ P) = #False" + "\ (P \ #True) = #True" "\ (#True \ P) = #True" + "\ (P \ #False) = P" "\ (#False \ P) = P" + "\ (P \ P) = P" "\ (P \ \P) = #True" "\ (\P \ P) = #True" "\ (\x. P) = P" "\ (\x. P) = P" "\ (\Q \ \P) = (P \ Q)" - "\ (P|Q \ R) = ((P\R)&(Q\R))" + "\ (P\Q \ R) = ((P\R)\(Q\R))" apply (unfold Valid_def intensional_rews) apply blast+ done diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Memory/MemClerk.thy --- a/src/HOL/TLA/Memory/MemClerk.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Memory/MemClerk.thy Fri Jun 26 15:55:44 2015 +0200 @@ -16,50 +16,50 @@ definition (* state predicates *) MClkInit :: "mClkRcvChType \ mClkStType \ PrIds \ stpred" - where "MClkInit rcv cst p = PRED (cst!p = #clkA & \Calling rcv p)" + where "MClkInit rcv cst p = PRED (cst!p = #clkA \ \Calling rcv p)" definition (* actions *) MClkFwd :: "mClkSndChType \ mClkRcvChType \ mClkStType \ PrIds \ action" where "MClkFwd send rcv cst p = ACT $Calling send p - & $(cst!p) = #clkA - & Call rcv p MClkRelayArg> - & (cst!p)$ = #clkB - & unchanged (rtrner send!p)" + \ $(cst!p) = #clkA + \ Call rcv p MClkRelayArg> + \ (cst!p)$ = #clkB + \ unchanged (rtrner send!p)" definition MClkRetry :: "mClkSndChType \ mClkRcvChType \ mClkStType \ PrIds \ action" where "MClkRetry send rcv cst p = ACT $(cst!p) = #clkB - & res<$(rcv!p)> = #RPCFailure - & Call rcv p MClkRelayArg> - & unchanged (cst!p, rtrner send!p)" + \ res<$(rcv!p)> = #RPCFailure + \ Call rcv p MClkRelayArg> + \ unchanged (cst!p, rtrner send!p)" definition MClkReply :: "mClkSndChType \ mClkRcvChType \ mClkStType \ PrIds \ action" where "MClkReply send rcv cst p = ACT \$Calling rcv p - & $(cst!p) = #clkB - & Return send p MClkReplyVal> - & (cst!p)$ = #clkA - & unchanged (caller rcv!p)" + \ $(cst!p) = #clkB + \ Return send p MClkReplyVal> + \ (cst!p)$ = #clkA + \ unchanged (caller rcv!p)" definition MClkNext :: "mClkSndChType \ mClkRcvChType \ mClkStType \ PrIds \ action" where "MClkNext send rcv cst p = ACT ( MClkFwd send rcv cst p - | MClkRetry send rcv cst p - | MClkReply send rcv cst p)" + \ MClkRetry send rcv cst p + \ MClkReply send rcv cst p)" definition (* temporal *) MClkIPSpec :: "mClkSndChType \ mClkRcvChType \ mClkStType \ PrIds \ temporal" where "MClkIPSpec send rcv cst p = TEMP Init MClkInit rcv cst p - & \[ MClkNext send rcv cst p ]_(cst!p, rtrner send!p, caller rcv!p) - & WF(MClkFwd send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p) - & SF(MClkReply send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)" + \ \[ MClkNext send rcv cst p ]_(cst!p, rtrner send!p, caller rcv!p) + \ WF(MClkFwd send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p) + \ SF(MClkReply send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)" definition MClkISpec :: "mClkSndChType \ mClkRcvChType \ mClkStType \ temporal" @@ -73,7 +73,7 @@ (* The Clerk engages in an action for process p only if there is an outstanding, unanswered call for that process. *) -lemma MClkidle: "\ \$Calling send p & $(cst!p) = #clkA \ \MClkNext send rcv cst p" +lemma MClkidle: "\ \$Calling send p \ $(cst!p) = #clkA \ \MClkNext send rcv cst p" by (auto simp: Return_def MC_action_defs) lemma MClkbusy: "\ $Calling rcv p \ \MClkNext send rcv cst p" @@ -83,7 +83,7 @@ (* Enabledness of actions *) lemma MClkFwd_enabled: "\p. basevars (rtrner send!p, caller rcv!p, cst!p) \ - \ Calling send p & \Calling rcv p & cst!p = #clkA + \ Calling send p \ \Calling rcv p \ cst!p = #clkA \ Enabled (MClkFwd send rcv cst p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm MClkFwd_def}, @{thm Call_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI] @@ -98,7 +98,7 @@ by (auto simp: angle_def MClkReply_def elim: Return_changed [temp_use]) lemma MClkReply_enabled: "\p. basevars (rtrner send!p, caller rcv!p, cst!p) \ - \ Calling send p & \Calling rcv p & cst!p = #clkB + \ Calling send p \ \Calling rcv p \ cst!p = #clkB \ Enabled (_(cst!p, rtrner send!p, caller rcv!p))" apply (tactic {* action_simp_tac @{context} [@{thm MClkReply_change} RSN (2, @{thm enabled_mono})] [] 1 *}) diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Memory/Memory.thy --- a/src/HOL/TLA/Memory/Memory.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Memory/Memory.thy Fri Jun 26 15:55:44 2015 +0200 @@ -55,79 +55,79 @@ PInit_def: "PInit rs p == PRED rs!p = #NotAResult" RdRequest_def: "RdRequest ch p l == PRED - Calling ch p & (arg = #(read l))" + Calling ch p \ (arg = #(read l))" WrRequest_def: "WrRequest ch p l v == PRED - Calling ch p & (arg = #(write l v))" + Calling ch p \ (arg = #(write l v))" (* a read that doesn't raise BadArg *) GoodRead_def: "GoodRead mm rs p l == ACT - #l : #MemLoc & ((rs!p)$ = $(mm!l))" + #l \ #MemLoc \ ((rs!p)$ = $(mm!l))" (* a read that raises BadArg *) BadRead_def: "BadRead mm rs p l == ACT - #l \ #MemLoc & ((rs!p)$ = #BadArg)" + #l \ #MemLoc \ ((rs!p)$ = #BadArg)" (* the read action with l visible *) ReadInner_def: "ReadInner ch mm rs p l == ACT $(RdRequest ch p l) - & (GoodRead mm rs p l | BadRead mm rs p l) - & unchanged (rtrner ch ! p)" + \ (GoodRead mm rs p l \ BadRead mm rs p l) + \ unchanged (rtrner ch ! p)" (* the read action with l quantified *) Read_def: "Read ch mm rs p == ACT (\l. ReadInner ch mm rs p l)" (* similar definitions for the write action *) GoodWrite_def: "GoodWrite mm rs p l v == ACT - #l : #MemLoc & #v : #MemVal - & ((mm!l)$ = #v) & ((rs!p)$ = #OK)" + #l \ #MemLoc \ #v \ #MemVal + \ ((mm!l)$ = #v) \ ((rs!p)$ = #OK)" BadWrite_def: "BadWrite mm rs p l v == ACT - \ (#l : #MemLoc & #v : #MemVal) - & ((rs!p)$ = #BadArg) & unchanged (mm!l)" + \ (#l \ #MemLoc \ #v \ #MemVal) + \ ((rs!p)$ = #BadArg) \ unchanged (mm!l)" WriteInner_def: "WriteInner ch mm rs p l v == ACT $(WrRequest ch p l v) - & (GoodWrite mm rs p l v | BadWrite mm rs p l v) - & unchanged (rtrner ch ! p)" + \ (GoodWrite mm rs p l v \ BadWrite mm rs p l v) + \ unchanged (rtrner ch ! p)" Write_def: "Write ch mm rs p l == ACT (\v. WriteInner ch mm rs p l v)" (* the return action *) MemReturn_def: "MemReturn ch rs p == ACT ( ($(rs!p) \ #NotAResult) - & ((rs!p)$ = #NotAResult) - & Return ch p (rs!p))" + \ ((rs!p)$ = #NotAResult) + \ Return ch p (rs!p))" (* the failure action of the unreliable memory *) MemFail_def: "MemFail ch rs p == ACT $(Calling ch p) - & ((rs!p)$ = #MemFailure) - & unchanged (rtrner ch ! p)" + \ ((rs!p)$ = #MemFailure) + \ unchanged (rtrner ch ! p)" (* next-state relations for reliable / unreliable memory *) RNext_def: "RNext ch mm rs p == ACT ( Read ch mm rs p - | (\l. Write ch mm rs p l) - | MemReturn ch rs p)" + \ (\l. Write ch mm rs p l) + \ MemReturn ch rs p)" UNext_def: "UNext ch mm rs p == ACT - (RNext ch mm rs p | MemFail ch rs p)" + (RNext ch mm rs p \ MemFail ch rs p)" RPSpec_def: "RPSpec ch mm rs p == TEMP Init(PInit rs p) - & \[ RNext ch mm rs p ]_(rtrner ch ! p, rs!p) - & WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p) - & WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)" + \ \[ RNext ch mm rs p ]_(rtrner ch ! p, rs!p) + \ WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p) + \ WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)" UPSpec_def: "UPSpec ch mm rs p == TEMP Init(PInit rs p) - & \[ UNext ch mm rs p ]_(rtrner ch ! p, rs!p) - & WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p) - & WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)" + \ \[ UNext ch mm rs p ]_(rtrner ch ! p, rs!p) + \ WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p) + \ WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)" MSpec_def: "MSpec ch mm rs l == TEMP Init(MInit mm l) - & \[ \p. Write ch mm rs p l ]_(mm!l)" + \ \[ \p. Write ch mm rs p l ]_(mm!l)" IRSpec_def: "IRSpec ch mm rs == TEMP (\p. RPSpec ch mm rs p) - & (\l. #l : #MemLoc \ MSpec ch mm rs l)" + \ (\l. #l \ #MemLoc \ MSpec ch mm rs l)" IUSpec_def: "IUSpec ch mm rs == TEMP (\p. UPSpec ch mm rs p) - & (\l. #l : #MemLoc \ MSpec ch mm rs l)" + \ (\l. #l \ #MemLoc \ MSpec ch mm rs l)" RSpec_def: "RSpec ch rs == TEMP (\\mm. IRSpec ch mm rs)" USpec_def: "USpec ch == TEMP (\\mm rs. IUSpec ch mm rs)" - MemInv_def: "MemInv mm l == PRED #l : #MemLoc \ mm!l : #MemVal" + MemInv_def: "MemInv mm l == PRED #l \ #MemLoc \ mm!l \ #MemVal" lemmas RM_action_defs = MInit_def PInit_def RdRequest_def WrRequest_def MemInv_def @@ -154,7 +154,7 @@ by (auto simp: MemInv_def intro!: necT [temp_use]) lemma MemoryInvariantAll: - "\ (\l. #l : #MemLoc \ MSpec ch mm rs l) \ (\l. \(MemInv mm l))" + "\ (\l. #l \ #MemLoc \ MSpec ch mm rs l) \ (\l. \(MemInv mm l))" apply clarify apply (auto elim!: MemoryInvariant [temp_use] NonMemLocInvariant [temp_use]) done @@ -173,7 +173,7 @@ by (force simp: MemReturn_def angle_def) lemma MemReturn_enabled: "\p. basevars (rtrner ch ! p, rs!p) \ - \ Calling ch p & (rs!p \ #NotAResult) + \ Calling ch p \ (rs!p \ #NotAResult) \ Enabled (_(rtrner ch ! p, rs!p))" apply (tactic {* action_simp_tac @{context} [@{thm MemReturn_change} RSN (2, @{thm enabled_mono}) ] [] 1 *}) @@ -183,32 +183,32 @@ done lemma ReadInner_enabled: "\p. basevars (rtrner ch ! p, rs!p) \ - \ Calling ch p & (arg = #(read l)) \ Enabled (ReadInner ch mm rs p l)" + \ Calling ch p \ (arg = #(read l)) \ Enabled (ReadInner ch mm rs p l)" apply (case_tac "l : MemLoc") apply (force simp: ReadInner_def GoodRead_def BadRead_def RdRequest_def intro!: exI elim!: base_enabled [temp_use])+ done lemma WriteInner_enabled: "\p. basevars (mm!l, rtrner ch ! p, rs!p) \ - \ Calling ch p & (arg = #(write l v)) + \ Calling ch p \ (arg = #(write l v)) \ Enabled (WriteInner ch mm rs p l v)" apply (case_tac "l:MemLoc & v:MemVal") apply (force simp: WriteInner_def GoodWrite_def BadWrite_def WrRequest_def intro!: exI elim!: base_enabled [temp_use])+ done -lemma ReadResult: "\ Read ch mm rs p & (\l. $(MemInv mm l)) \ (rs!p)` \ #NotAResult" +lemma ReadResult: "\ Read ch mm rs p \ (\l. $(MemInv mm l)) \ (rs!p)` \ #NotAResult" by (force simp: Read_def ReadInner_def GoodRead_def BadRead_def MemInv_def) lemma WriteResult: "\ Write ch mm rs p l \ (rs!p)` \ #NotAResult" by (auto simp: Write_def WriteInner_def GoodWrite_def BadWrite_def) -lemma ReturnNotReadWrite: "\ (\l. $MemInv mm l) & MemReturn ch rs p - \ \ Read ch mm rs p & (\l. \ Write ch mm rs p l)" +lemma ReturnNotReadWrite: "\ (\l. $MemInv mm l) \ MemReturn ch rs p + \ \ Read ch mm rs p \ (\l. \ Write ch mm rs p l)" by (auto simp: MemReturn_def dest!: WriteResult [temp_use] ReadResult [temp_use]) -lemma RWRNext_enabled: "\ (rs!p = #NotAResult) & (!l. MemInv mm l) - & Enabled (Read ch mm rs p | (\l. Write ch mm rs p l)) +lemma RWRNext_enabled: "\ (rs!p = #NotAResult) \ (\l. MemInv mm l) + \ Enabled (Read ch mm rs p \ (\l. Write ch mm rs p l)) \ Enabled (_(rtrner ch ! p, rs!p))" by (force simp: RNext_def angle_def elim!: enabled_mono2 dest: ReadResult [temp_use] WriteResult [temp_use]) @@ -218,7 +218,7 @@ outstanding call for which no result has been produced. *) lemma RNext_enabled: "\p. \l. basevars (mm!l, rtrner ch!p, rs!p) \ - \ (rs!p = #NotAResult) & Calling ch p & (\l. MemInv mm l) + \ (rs!p = #NotAResult) \ Calling ch p \ (\l. MemInv mm l) \ Enabled (_(rtrner ch ! p, rs!p))" apply (auto simp: enabled_disj [try_rewrite] intro!: RWRNext_enabled [temp_use]) apply (case_tac "arg (ch w p)") diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Memory/MemoryImplementation.thy --- a/src/HOL/TLA/Memory/MemoryImplementation.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Memory/MemoryImplementation.thy Fri Jun 26 15:55:44 2015 +0200 @@ -63,7 +63,7 @@ definition (* the environment action *) ENext :: "PrIds \ action" - where "ENext p = ACT (\l. #l : #MemLoc & Call memCh p #(read l))" + where "ENext p = ACT (\l. #l \ #MemLoc \ Call memCh p #(read l))" definition @@ -74,7 +74,7 @@ definition HNext :: "histType \ PrIds \ action" where "HNext rmhist p = ACT (rmhist!p)$ = - (if (MemReturn rmCh ires p | RPCFail crCh rmCh rst p) + (if (MemReturn rmCh ires p \ RPCFail crCh rmCh rst p) then #histB else if (MClkReply memCh crCh cst p) then #histA @@ -83,7 +83,7 @@ definition HistP :: "histType \ PrIds \ temporal" where "HistP rmhist p = (TEMP Init HInit rmhist p - & \[HNext rmhist p]_(c p,r p,m p, rmhist!p))" + \ \[HNext rmhist p]_(c p,r p,m p, rmhist!p))" definition Hist :: "histType \ temporal" @@ -92,40 +92,40 @@ definition (* the implementation *) IPImp :: "PrIds \ temporal" - where "IPImp p = (TEMP ( Init \Calling memCh p & \[ENext p]_(e p) - & MClkIPSpec memCh crCh cst p - & RPCIPSpec crCh rmCh rst p - & RPSpec rmCh mm ires p - & (\l. #l : #MemLoc \ MSpec rmCh mm ires l)))" + where "IPImp p = (TEMP ( Init \Calling memCh p \ \[ENext p]_(e p) + \ MClkIPSpec memCh crCh cst p + \ RPCIPSpec crCh rmCh rst p + \ RPSpec rmCh mm ires p + \ (\l. #l \ #MemLoc \ MSpec rmCh mm ires l)))" definition ImpInit :: "PrIds \ stpred" where "ImpInit p = PRED ( \Calling memCh p - & MClkInit crCh cst p - & RPCInit rmCh rst p - & PInit ires p)" + \ MClkInit crCh cst p + \ RPCInit rmCh rst p + \ PInit ires p)" definition ImpNext :: "PrIds \ action" where "ImpNext p = (ACT [ENext p]_(e p) - & [MClkNext memCh crCh cst p]_(c p) - & [RPCNext crCh rmCh rst p]_(r p) - & [RNext rmCh mm ires p]_(m p))" + \ [MClkNext memCh crCh cst p]_(c p) + \ [RPCNext crCh rmCh rst p]_(r p) + \ [RNext rmCh mm ires p]_(m p))" definition ImpLive :: "PrIds \ temporal" where "ImpLive p = (TEMP WF(MClkFwd memCh crCh cst p)_(c p) - & SF(MClkReply memCh crCh cst p)_(c p) - & WF(RPCNext crCh rmCh rst p)_(r p) - & WF(RNext rmCh mm ires p)_(m p) - & WF(MemReturn rmCh ires p)_(m p))" + \ SF(MClkReply memCh crCh cst p)_(c p) + \ WF(RPCNext crCh rmCh rst p)_(r p) + \ WF(RNext rmCh mm ires p)_(m p) + \ WF(MemReturn rmCh ires p)_(m p))" definition Implementation :: "temporal" - where "Implementation = (TEMP ( (\p. Init (\Calling memCh p) & \[ENext p]_(e p)) - & MClkISpec memCh crCh cst - & RPCISpec crCh rmCh rst - & IRSpec rmCh mm ires))" + where "Implementation = (TEMP ( (\p. Init (\Calling memCh p) \ \[ENext p]_(e p)) + \ MClkISpec memCh crCh cst + \ RPCISpec crCh rmCh rst + \ IRSpec rmCh mm ires))" definition (* the predicate S describes the states of the implementation. @@ -137,17 +137,17 @@ S :: "histType \ bool \ bool \ bool \ mClkState \ rpcState \ histState \ histState \ PrIds \ stpred" where "S rmhist ecalling ccalling rcalling cs rs hs1 hs2 p = (PRED Calling memCh p = #ecalling - & Calling crCh p = #ccalling - & (#ccalling \ arg = MClkRelayArg>) - & (\ #ccalling & cst!p = #clkB \ MVOKBARF>) - & Calling rmCh p = #rcalling - & (#rcalling \ arg = RPCRelayArg>) - & (\ #rcalling \ ires!p = #NotAResult) - & (\ #rcalling & rst!p = #rpcB \ MVOKBA>) - & cst!p = #cs - & rst!p = #rs - & (rmhist!p = #hs1 | rmhist!p = #hs2) - & MVNROKBA)" + \ Calling crCh p = #ccalling + \ (#ccalling \ arg = MClkRelayArg>) + \ (\ #ccalling \ cst!p = #clkB \ MVOKBARF>) + \ Calling rmCh p = #rcalling + \ (#rcalling \ arg = RPCRelayArg>) + \ (\ #rcalling \ ires!p = #NotAResult) + \ (\ #rcalling \ rst!p = #rpcB \ MVOKBA>) + \ cst!p = #cs + \ rst!p = #rs + \ (rmhist!p = #hs1 \ rmhist!p = #hs2) + \ MVNROKBA)" definition (* predicates S1 -- S6 define special instances of S *) @@ -177,8 +177,8 @@ definition (* The invariant asserts that the system is always in one of S1 - S6, for every p *) ImpInv :: "histType \ PrIds \ stpred" - where "ImpInv rmhist p = (PRED (S1 rmhist p | S2 rmhist p | S3 rmhist p - | S4 rmhist p | S5 rmhist p | S6 rmhist p))" + where "ImpInv rmhist p = (PRED (S1 rmhist p \ S2 rmhist p \ S3 rmhist p + \ S4 rmhist p \ S5 rmhist p \ S6 rmhist p))" definition resbar :: "histType \ resType" (* refinement mapping *) @@ -241,9 +241,9 @@ section "History variable" -lemma HistoryLemma: "\ Init(\p. ImpInit p) & \(\p. ImpNext p) +lemma HistoryLemma: "\ Init(\p. ImpInit p) \ \(\p. ImpNext p) \ (\\rmhist. Init(\p. HInit rmhist p) - & \(\p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))" + \ \(\p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))" apply clarsimp apply (rule historyI) apply assumption+ @@ -299,21 +299,21 @@ by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def) *) -lemma S2_excl: "\ S2 rmhist p \ S2 rmhist p & \S1 rmhist p" +lemma S2_excl: "\ S2 rmhist p \ S2 rmhist p \ \S1 rmhist p" by (auto simp: S_def S1_def S2_def) -lemma S3_excl: "\ S3 rmhist p \ S3 rmhist p & \S1 rmhist p & \S2 rmhist p" +lemma S3_excl: "\ S3 rmhist p \ S3 rmhist p \ \S1 rmhist p \ \S2 rmhist p" by (auto simp: S_def S1_def S2_def S3_def) -lemma S4_excl: "\ S4 rmhist p \ S4 rmhist p & \S1 rmhist p & \S2 rmhist p & \S3 rmhist p" +lemma S4_excl: "\ S4 rmhist p \ S4 rmhist p \ \S1 rmhist p \ \S2 rmhist p \ \S3 rmhist p" by (auto simp: S_def S1_def S2_def S3_def S4_def) -lemma S5_excl: "\ S5 rmhist p \ S5 rmhist p & \S1 rmhist p & \S2 rmhist p - & \S3 rmhist p & \S4 rmhist p" +lemma S5_excl: "\ S5 rmhist p \ S5 rmhist p \ \S1 rmhist p \ \S2 rmhist p + \ \S3 rmhist p \ \S4 rmhist p" by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def) -lemma S6_excl: "\ S6 rmhist p \ S6 rmhist p & \S1 rmhist p & \S2 rmhist p - & \S3 rmhist p & \S4 rmhist p & \S5 rmhist p" +lemma S6_excl: "\ S6 rmhist p \ S6 rmhist p \ \S1 rmhist p \ \S2 rmhist p + \ \S3 rmhist p \ \S4 rmhist p \ \S5 rmhist p" by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def) @@ -331,24 +331,24 @@ (* ------------------------------ State S1 ---------------------------------------- *) -lemma S1Env: "\ ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p) +lemma S1Env: "\ ENext p \ $(S1 rmhist p) \ unchanged (c p, r p, m p, rmhist!p) \ (S2 rmhist p)$" by (force simp: ENext_def Call_def c_def r_def m_def caller_def rtrner_def MVNROKBA_def S_def S1_def S2_def Calling_def) -lemma S1ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) \ unchanged (c p)" +lemma S1ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) \ $(S1 rmhist p) \ unchanged (c p)" using [[fast_solver]] by (auto elim!: squareE [temp_use] dest!: MClkidle [temp_use] simp: S_def S1_def) -lemma S1RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) \ unchanged (r p)" +lemma S1RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) \ $(S1 rmhist p) \ unchanged (r p)" using [[fast_solver]] by (auto elim!: squareE [temp_use] dest!: RPCidle [temp_use] simp: S_def S1_def) -lemma S1MemUnch: "\ [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) \ unchanged (m p)" +lemma S1MemUnch: "\ [RNext rmCh mm ires p]_(m p) \ $(S1 rmhist p) \ unchanged (m p)" using [[fast_solver]] by (auto elim!: squareE [temp_use] dest!: Memoryidle [temp_use] simp: S_def S1_def) -lemma S1Hist: "\ [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p) +lemma S1Hist: "\ [HNext rmhist p]_(c p,r p,m p,rmhist!p) \ $(S1 rmhist p) \ unchanged (rmhist!p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm S_def}, @{thm S1_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def}, @@ -357,26 +357,26 @@ (* ------------------------------ State S2 ---------------------------------------- *) -lemma S2EnvUnch: "\ [ENext p]_(e p) & $(S2 rmhist p) \ unchanged (e p)" +lemma S2EnvUnch: "\ [ENext p]_(e p) \ $(S2 rmhist p) \ unchanged (e p)" by (auto dest!: Envbusy [temp_use] simp: S_def S2_def) -lemma S2Clerk: "\ MClkNext memCh crCh cst p & $(S2 rmhist p) \ MClkFwd memCh crCh cst p" +lemma S2Clerk: "\ MClkNext memCh crCh cst p \ $(S2 rmhist p) \ MClkFwd memCh crCh cst p" by (auto simp: MClkNext_def MClkRetry_def MClkReply_def S_def S2_def) -lemma S2Forward: "\ $(S2 rmhist p) & MClkFwd memCh crCh cst p - & unchanged (e p, r p, m p, rmhist!p) +lemma S2Forward: "\ $(S2 rmhist p) \ MClkFwd memCh crCh cst p + \ unchanged (e p, r p, m p, rmhist!p) \ (S3 rmhist p)$" by (tactic {* action_simp_tac (@{context} addsimps [@{thm MClkFwd_def}, @{thm Call_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S2RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) \ unchanged (r p)" +lemma S2RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) \ $(S2 rmhist p) \ unchanged (r p)" by (auto simp: S_def S2_def dest!: RPCidle [temp_use]) -lemma S2MemUnch: "\ [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) \ unchanged (m p)" +lemma S2MemUnch: "\ [RNext rmCh mm ires p]_(m p) \ $(S2 rmhist p) \ unchanged (m p)" by (auto simp: S_def S2_def dest!: Memoryidle [temp_use]) -lemma S2Hist: "\ [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p) +lemma S2Hist: "\ [HNext rmhist p]_(c p,r p,m p,rmhist!p) \ $(S2 rmhist p) \ unchanged (rmhist!p)" using [[fast_solver]] by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def @@ -384,61 +384,61 @@ (* ------------------------------ State S3 ---------------------------------------- *) -lemma S3EnvUnch: "\ [ENext p]_(e p) & $(S3 rmhist p) \ unchanged (e p)" +lemma S3EnvUnch: "\ [ENext p]_(e p) \ $(S3 rmhist p) \ unchanged (e p)" by (auto dest!: Envbusy [temp_use] simp: S_def S3_def) -lemma S3ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) \ unchanged (c p)" +lemma S3ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) \ $(S3 rmhist p) \ unchanged (c p)" by (auto dest!: MClkbusy [temp_use] simp: square_def S_def S3_def) lemma S3LegalRcvArg: "\ S3 rmhist p \ IsLegalRcvArg>" by (auto simp: IsLegalRcvArg_def MClkRelayArg_def S_def S3_def) -lemma S3RPC: "\ RPCNext crCh rmCh rst p & $(S3 rmhist p) - \ RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p" +lemma S3RPC: "\ RPCNext crCh rmCh rst p \ $(S3 rmhist p) + \ RPCFwd crCh rmCh rst p \ RPCFail crCh rmCh rst p" apply clarsimp apply (frule S3LegalRcvArg [action_use]) apply (auto simp: RPCNext_def RPCReject_def RPCReply_def S_def S3_def) done -lemma S3Forward: "\ RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p) - & unchanged (e p, c p, m p) - \ (S4 rmhist p)$ & unchanged (rmhist!p)" +lemma S3Forward: "\ RPCFwd crCh rmCh rst p \ HNext rmhist p \ $(S3 rmhist p) + \ unchanged (e p, c p, m p) + \ (S4 rmhist p)$ \ unchanged (rmhist!p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFwd_def}, @{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm Call_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def}, @{thm S3_def}, @{thm S4_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S3Fail: "\ RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p - & unchanged (e p, c p, m p) +lemma S3Fail: "\ RPCFail crCh rmCh rst p \ $(S3 rmhist p) \ HNext rmhist p + \ unchanged (e p, c p, m p) \ (S6 rmhist p)$" by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm RPCFail_def}, @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm MVOKBARF_def}, @{thm S_def}, @{thm S3_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S3MemUnch: "\ [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) \ unchanged (m p)" +lemma S3MemUnch: "\ [RNext rmCh mm ires p]_(m p) \ $(S3 rmhist p) \ unchanged (m p)" by (auto simp: S_def S3_def dest!: Memoryidle [temp_use]) -lemma S3Hist: "\ HNext rmhist p & $(S3 rmhist p) & unchanged (r p) \ unchanged (rmhist!p)" +lemma S3Hist: "\ HNext rmhist p \ $(S3 rmhist p) \ unchanged (r p) \ unchanged (rmhist!p)" by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def Return_def r_def rtrner_def S_def S3_def Calling_def) (* ------------------------------ State S4 ---------------------------------------- *) -lemma S4EnvUnch: "\ [ENext p]_(e p) & $(S4 rmhist p) \ unchanged (e p)" +lemma S4EnvUnch: "\ [ENext p]_(e p) \ $(S4 rmhist p) \ unchanged (e p)" by (auto simp: S_def S4_def dest!: Envbusy [temp_use]) -lemma S4ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) \ unchanged (c p)" +lemma S4ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) \ $(S4 rmhist p) \ unchanged (c p)" by (auto simp: S_def S4_def dest!: MClkbusy [temp_use]) -lemma S4RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) \ unchanged (r p)" +lemma S4RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) \ $(S4 rmhist p) \ unchanged (r p)" using [[fast_solver]] by (auto elim!: squareE [temp_use] dest!: RPCbusy [temp_use] simp: S_def S4_def) -lemma S4ReadInner: "\ ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p) - & HNext rmhist p & $(MemInv mm l) - \ (S4 rmhist p)$ & unchanged (rmhist!p)" +lemma S4ReadInner: "\ ReadInner rmCh mm ires p l \ $(S4 rmhist p) \ unchanged (e p, c p, r p) + \ HNext rmhist p \ $(MemInv mm l) + \ (S4 rmhist p)$ \ unchanged (rmhist!p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm ReadInner_def}, @{thm GoodRead_def}, @{thm BadRead_def}, @{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def}, @@ -446,68 +446,68 @@ @{thm MVNROKBA_def}, @{thm S_def}, @{thm S4_def}, @{thm RdRequest_def}, @{thm Calling_def}, @{thm MemInv_def}]) [] [] 1 *}) -lemma S4Read: "\ Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p) - & HNext rmhist p & (\l. $MemInv mm l) - \ (S4 rmhist p)$ & unchanged (rmhist!p)" +lemma S4Read: "\ Read rmCh mm ires p \ $(S4 rmhist p) \ unchanged (e p, c p, r p) + \ HNext rmhist p \ (\l. $MemInv mm l) + \ (S4 rmhist p)$ \ unchanged (rmhist!p)" by (auto simp: Read_def dest!: S4ReadInner [temp_use]) -lemma S4WriteInner: "\ WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p) & HNext rmhist p - \ (S4 rmhist p)$ & unchanged (rmhist!p)" +lemma S4WriteInner: "\ WriteInner rmCh mm ires p l v \ $(S4 rmhist p) \ unchanged (e p, c p, r p) \ HNext rmhist p + \ (S4 rmhist p)$ \ unchanged (rmhist!p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm WriteInner_def}, @{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def}, @{thm MVNROKBA_def}, @{thm S_def}, @{thm S4_def}, @{thm WrRequest_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S4Write: "\ Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p) - & (HNext rmhist p) - \ (S4 rmhist p)$ & unchanged (rmhist!p)" +lemma S4Write: "\ Write rmCh mm ires p l \ $(S4 rmhist p) \ unchanged (e p, c p, r p) + \ (HNext rmhist p) + \ (S4 rmhist p)$ \ unchanged (rmhist!p)" by (auto simp: Write_def dest!: S4WriteInner [temp_use]) -lemma WriteS4: "\ $ImpInv rmhist p & Write rmCh mm ires p l \ $S4 rmhist p" +lemma WriteS4: "\ $ImpInv rmhist p \ Write rmCh mm ires p l \ $S4 rmhist p" by (auto simp: Write_def WriteInner_def ImpInv_def WrRequest_def S_def S1_def S2_def S3_def S4_def S5_def S6_def) -lemma S4Return: "\ MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p) - & HNext rmhist p +lemma S4Return: "\ MemReturn rmCh ires p \ $S4 rmhist p \ unchanged (e p, c p, r p) + \ HNext rmhist p \ (S5 rmhist p)$" by (auto simp: HNext_def MemReturn_def Return_def e_def c_def r_def rtrner_def caller_def MVNROKBA_def MVOKBA_def S_def S4_def S5_def Calling_def) -lemma S4Hist: "\ HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) \ (rmhist!p)$ = $(rmhist!p)" +lemma S4Hist: "\ HNext rmhist p \ $S4 rmhist p \ (m p)$ = $(m p) \ (rmhist!p)$ = $(rmhist!p)" by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def Return_def m_def rtrner_def S_def S4_def Calling_def) (* ------------------------------ State S5 ---------------------------------------- *) -lemma S5EnvUnch: "\ [ENext p]_(e p) & $(S5 rmhist p) \ unchanged (e p)" +lemma S5EnvUnch: "\ [ENext p]_(e p) \ $(S5 rmhist p) \ unchanged (e p)" by (auto simp: S_def S5_def dest!: Envbusy [temp_use]) -lemma S5ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) \ unchanged (c p)" +lemma S5ClerkUnch: "\ [MClkNext memCh crCh cst p]_(c p) \ $(S5 rmhist p) \ unchanged (c p)" by (auto simp: S_def S5_def dest!: MClkbusy [temp_use]) -lemma S5RPC: "\ RPCNext crCh rmCh rst p & $(S5 rmhist p) - \ RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p" +lemma S5RPC: "\ RPCNext crCh rmCh rst p \ $(S5 rmhist p) + \ RPCReply crCh rmCh rst p \ RPCFail crCh rmCh rst p" by (auto simp: RPCNext_def RPCReject_def RPCFwd_def S_def S5_def) -lemma S5Reply: "\ RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p) +lemma S5Reply: "\ RPCReply crCh rmCh rst p \ $(S5 rmhist p) \ unchanged (e p, c p, m p,rmhist!p) \ (S6 rmhist p)$" by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCReply_def}, @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm MVOKBA_def}, @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def}, @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S5Fail: "\ RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p) +lemma S5Fail: "\ RPCFail crCh rmCh rst p \ $(S5 rmhist p) \ unchanged (e p, c p, m p,rmhist!p) \ (S6 rmhist p)$" by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFail_def}, @{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def}, @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S5MemUnch: "\ [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) \ unchanged (m p)" +lemma S5MemUnch: "\ [RNext rmCh mm ires p]_(m p) \ $(S5 rmhist p) \ unchanged (m p)" by (auto simp: S_def S5_def dest!: Memoryidle [temp_use]) -lemma S5Hist: "\ [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p) +lemma S5Hist: "\ [HNext rmhist p]_(c p, r p, m p, rmhist!p) \ $(S5 rmhist p) \ (rmhist!p)$ = $(rmhist!p)" using [[fast_solver]] by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def @@ -515,36 +515,36 @@ (* ------------------------------ State S6 ---------------------------------------- *) -lemma S6EnvUnch: "\ [ENext p]_(e p) & $(S6 rmhist p) \ unchanged (e p)" +lemma S6EnvUnch: "\ [ENext p]_(e p) \ $(S6 rmhist p) \ unchanged (e p)" by (auto simp: S_def S6_def dest!: Envbusy [temp_use]) -lemma S6Clerk: "\ MClkNext memCh crCh cst p & $(S6 rmhist p) - \ MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p" +lemma S6Clerk: "\ MClkNext memCh crCh cst p \ $(S6 rmhist p) + \ MClkRetry memCh crCh cst p \ MClkReply memCh crCh cst p" by (auto simp: MClkNext_def MClkFwd_def S_def S6_def) -lemma S6Retry: "\ MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p - & unchanged (e p,r p,m p) - \ (S3 rmhist p)$ & unchanged (rmhist!p)" +lemma S6Retry: "\ MClkRetry memCh crCh cst p \ HNext rmhist p \ $S6 rmhist p + \ unchanged (e p,r p,m p) + \ (S3 rmhist p)$ \ unchanged (rmhist!p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm MClkReply_def}, @{thm MClkRetry_def}, @{thm Call_def}, @{thm Return_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def}, @{thm S6_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S6Reply: "\ MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p - & unchanged (e p,r p,m p) +lemma S6Reply: "\ MClkReply memCh crCh cst p \ HNext rmhist p \ $S6 rmhist p + \ unchanged (e p,r p,m p) \ (S1 rmhist p)$" by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm Return_def}, @{thm MClkReply_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def}, @{thm S6_def}, @{thm S1_def}, @{thm Calling_def}]) [] [] 1 *}) -lemma S6RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p \ unchanged (r p)" +lemma S6RPCUnch: "\ [RPCNext crCh rmCh rst p]_(r p) \ $S6 rmhist p \ unchanged (r p)" by (auto simp: S_def S6_def dest!: RPCidle [temp_use]) -lemma S6MemUnch: "\ [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) \ unchanged (m p)" +lemma S6MemUnch: "\ [RNext rmCh mm ires p]_(m p) \ $(S6 rmhist p) \ unchanged (m p)" by (auto simp: S_def S6_def dest!: Memoryidle [temp_use]) -lemma S6Hist: "\ HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) \ (rmhist!p)$ = $(rmhist!p)" +lemma S6Hist: "\ HNext rmhist p \ $S6 rmhist p \ (c p)$ = $(c p) \ (rmhist!p)$ = $(rmhist!p)" by (auto simp: HNext_def MClkReply_def Return_def c_def rtrner_def S_def S6_def Calling_def) @@ -554,7 +554,7 @@ (* ========== Step 1.1 ================================================= *) (* The implementation's initial condition implies the state predicate S1 *) -lemma Step1_1: "\ ImpInit p & HInit rmhist p \ S1 rmhist p" +lemma Step1_1: "\ ImpInit p \ HInit rmhist p \ S1 rmhist p" using [[fast_solver]] by (auto elim!: squareE [temp_use] simp: MVNROKBA_def MClkInit_def RPCInit_def PInit_def HInit_def ImpInit_def S_def S1_def) @@ -562,9 +562,9 @@ (* ========== Step 1.2 ================================================== *) (* Figure 16 is a predicate-action diagram for the implementation. *) -lemma Step1_2_1: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p - & \unchanged (e p, c p, r p, m p, rmhist!p) & $S1 rmhist p - \ (S2 rmhist p)$ & ENext p & unchanged (c p, r p, m p)" +lemma Step1_2_1: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ ImpNext p + \ \unchanged (e p, c p, r p, m p, rmhist!p) \ $S1 rmhist p + \ (S2 rmhist p)$ \ ENext p \ unchanged (c p, r p, m p)" apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) [] (map (temp_elim @{context}) [@{thm S1ClerkUnch}, @{thm S1RPCUnch}, @{thm S1MemUnch}, @{thm S1Hist}]) 1 *}) @@ -572,10 +572,10 @@ apply (auto elim!: squareE [temp_use] intro!: S1Env [temp_use]) done -lemma Step1_2_2: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p - & \unchanged (e p, c p, r p, m p, rmhist!p) & $S2 rmhist p - \ (S3 rmhist p)$ & MClkFwd memCh crCh cst p - & unchanged (e p, r p, m p, rmhist!p)" +lemma Step1_2_2: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ ImpNext p + \ \unchanged (e p, c p, r p, m p, rmhist!p) \ $S2 rmhist p + \ (S3 rmhist p)$ \ MClkFwd memCh crCh cst p + \ unchanged (e p, r p, m p, rmhist!p)" apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) [] (map (temp_elim @{context}) [@{thm S2EnvUnch}, @{thm S2RPCUnch}, @{thm S2MemUnch}, @{thm S2Hist}]) 1 *}) @@ -583,10 +583,10 @@ apply (auto elim!: squareE [temp_use] intro!: S2Clerk [temp_use] S2Forward [temp_use]) done -lemma Step1_2_3: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p - & \unchanged (e p, c p, r p, m p, rmhist!p) & $S3 rmhist p - \ ((S4 rmhist p)$ & RPCFwd crCh rmCh rst p & unchanged (e p, c p, m p, rmhist!p)) - | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))" +lemma Step1_2_3: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ ImpNext p + \ \unchanged (e p, c p, r p, m p, rmhist!p) \ $S3 rmhist p + \ ((S4 rmhist p)$ \ RPCFwd crCh rmCh rst p \ unchanged (e p, c p, m p, rmhist!p)) + \ ((S6 rmhist p)$ \ RPCFail crCh rmCh rst p \ unchanged (e p, c p, m p))" apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) [] (map (temp_elim @{context}) [@{thm S3EnvUnch}, @{thm S3ClerkUnch}, @{thm S3MemUnch}]) 1 *}) apply (tactic {* action_simp_tac @{context} [] @@ -595,12 +595,12 @@ apply (auto dest!: S3Hist [temp_use]) done -lemma Step1_2_4: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p - & \unchanged (e p, c p, r p, m p, rmhist!p) - & $S4 rmhist p & (\l. $(MemInv mm l)) - \ ((S4 rmhist p)$ & Read rmCh mm ires p & unchanged (e p, c p, r p, rmhist!p)) - | ((S4 rmhist p)$ & (\l. Write rmCh mm ires p l) & unchanged (e p, c p, r p, rmhist!p)) - | ((S5 rmhist p)$ & MemReturn rmCh ires p & unchanged (e p, c p, r p))" +lemma Step1_2_4: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ ImpNext p + \ \unchanged (e p, c p, r p, m p, rmhist!p) + \ $S4 rmhist p \ (\l. $(MemInv mm l)) + \ ((S4 rmhist p)$ \ Read rmCh mm ires p \ unchanged (e p, c p, r p, rmhist!p)) + \ ((S4 rmhist p)$ \ (\l. Write rmCh mm ires p l) \ unchanged (e p, c p, r p, rmhist!p)) + \ ((S5 rmhist p)$ \ MemReturn rmCh ires p \ unchanged (e p, c p, r p))" apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) [] (map (temp_elim @{context}) [@{thm S4EnvUnch}, @{thm S4ClerkUnch}, @{thm S4RPCUnch}]) 1 *}) apply (tactic {* action_simp_tac (@{context} addsimps [@{thm RNext_def}]) [] @@ -609,10 +609,10 @@ apply (auto dest!: S4Hist [temp_use]) done -lemma Step1_2_5: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p - & \unchanged (e p, c p, r p, m p, rmhist!p) & $S5 rmhist p - \ ((S6 rmhist p)$ & RPCReply crCh rmCh rst p & unchanged (e p, c p, m p)) - | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))" +lemma Step1_2_5: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ ImpNext p + \ \unchanged (e p, c p, r p, m p, rmhist!p) \ $S5 rmhist p + \ ((S6 rmhist p)$ \ RPCReply crCh rmCh rst p \ unchanged (e p, c p, m p)) + \ ((S6 rmhist p)$ \ RPCFail crCh rmCh rst p \ unchanged (e p, c p, m p))" apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) [] (map (temp_elim @{context}) [@{thm S5EnvUnch}, @{thm S5ClerkUnch}, @{thm S5MemUnch}, @{thm S5Hist}]) 1 *}) apply (tactic {* action_simp_tac @{context} [] [@{thm squareE}, temp_elim @{context} @{thm S5RPC}] 1 *}) @@ -620,10 +620,10 @@ apply (auto elim!: squareE [temp_use] dest!: S5Reply [temp_use] S5Fail [temp_use]) done -lemma Step1_2_6: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p - & \unchanged (e p, c p, r p, m p, rmhist!p) & $S6 rmhist p - \ ((S1 rmhist p)$ & MClkReply memCh crCh cst p & unchanged (e p, r p, m p)) - | ((S3 rmhist p)$ & MClkRetry memCh crCh cst p & unchanged (e p,r p,m p,rmhist!p))" +lemma Step1_2_6: "\ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ ImpNext p + \ \unchanged (e p, c p, r p, m p, rmhist!p) \ $S6 rmhist p + \ ((S1 rmhist p)$ \ MClkReply memCh crCh cst p \ unchanged (e p, r p, m p)) + \ ((S3 rmhist p)$ \ MClkRetry memCh crCh cst p \ unchanged (e p,r p,m p,rmhist!p))" apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) [] (map (temp_elim @{context}) [@{thm S6EnvUnch}, @{thm S6RPCUnch}, @{thm S6MemUnch}]) 1 *}) apply (tactic {* action_simp_tac @{context} [] @@ -648,20 +648,20 @@ section "Step simulation (Step 1.4)" -lemma Step1_4_1: "\ ENext p & $S1 rmhist p & (S2 rmhist p)$ & unchanged (c p, r p, m p) +lemma Step1_4_1: "\ ENext p \ $S1 rmhist p \ (S2 rmhist p)$ \ unchanged (c p, r p, m p) \ unchanged (rtrner memCh!p, resbar rmhist!p)" using [[fast_solver]] by (auto elim!: squareE [temp_use] simp: c_def r_def m_def resbar_def) -lemma Step1_4_2: "\ MClkFwd memCh crCh cst p & $S2 rmhist p & (S3 rmhist p)$ - & unchanged (e p, r p, m p, rmhist!p) +lemma Step1_4_2: "\ MClkFwd memCh crCh cst p \ $S2 rmhist p \ (S3 rmhist p)$ + \ unchanged (e p, r p, m p, rmhist!p) \ unchanged (rtrner memCh!p, resbar rmhist!p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm MClkFwd_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm resbar_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}]) [] [] 1 *}) -lemma Step1_4_3a: "\ RPCFwd crCh rmCh rst p & $S3 rmhist p & (S4 rmhist p)$ - & unchanged (e p, c p, m p, rmhist!p) +lemma Step1_4_3a: "\ RPCFwd crCh rmCh rst p \ $S3 rmhist p \ (S4 rmhist p)$ + \ unchanged (e p, c p, m p, rmhist!p) \ unchanged (rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (drule S3_excl [temp_use] S4_excl [temp_use])+ @@ -669,8 +669,8 @@ @{thm c_def}, @{thm m_def}, @{thm resbar_def}, @{thm S_def}, @{thm S3_def}]) [] [] 1 *}) done -lemma Step1_4_3b: "\ RPCFail crCh rmCh rst p & $S3 rmhist p & (S6 rmhist p)$ - & unchanged (e p, c p, m p) +lemma Step1_4_3b: "\ RPCFail crCh rmCh rst p \ $S3 rmhist p \ (S6 rmhist p)$ + \ unchanged (e p, c p, m p) \ MemFail memCh (resbar rmhist) p" apply clarsimp apply (drule S6_excl [temp_use]) @@ -679,8 +679,8 @@ apply (auto simp: Return_def) done -lemma Step1_4_4a1: "\ $S4 rmhist p & (S4 rmhist p)$ & ReadInner rmCh mm ires p l - & unchanged (e p, c p, r p, rmhist!p) & $MemInv mm l +lemma Step1_4_4a1: "\ $S4 rmhist p \ (S4 rmhist p)$ \ ReadInner rmCh mm ires p l + \ unchanged (e p, c p, r p, rmhist!p) \ $MemInv mm l \ ReadInner memCh mm (resbar rmhist) p l" apply clarsimp apply (drule S4_excl [temp_use])+ @@ -693,13 +693,13 @@ [] [@{thm impE}, @{thm MemValNotAResultE}]) *}) done -lemma Step1_4_4a: "\ Read rmCh mm ires p & $S4 rmhist p & (S4 rmhist p)$ - & unchanged (e p, c p, r p, rmhist!p) & (\l. $(MemInv mm l)) +lemma Step1_4_4a: "\ Read rmCh mm ires p \ $S4 rmhist p \ (S4 rmhist p)$ + \ unchanged (e p, c p, r p, rmhist!p) \ (\l. $(MemInv mm l)) \ Read memCh mm (resbar rmhist) p" by (force simp: Read_def elim!: Step1_4_4a1 [temp_use]) -lemma Step1_4_4b1: "\ $S4 rmhist p & (S4 rmhist p)$ & WriteInner rmCh mm ires p l v - & unchanged (e p, c p, r p, rmhist!p) +lemma Step1_4_4b1: "\ $S4 rmhist p \ (S4 rmhist p)$ \ WriteInner rmCh mm ires p l v + \ unchanged (e p, c p, r p, rmhist!p) \ WriteInner memCh mm (resbar rmhist) p l v" apply clarsimp apply (drule S4_excl [temp_use])+ @@ -712,13 +712,13 @@ @{thm S4_def}, @{thm WrRequest_def}]) [] []) *}) done -lemma Step1_4_4b: "\ Write rmCh mm ires p l & $S4 rmhist p & (S4 rmhist p)$ - & unchanged (e p, c p, r p, rmhist!p) +lemma Step1_4_4b: "\ Write rmCh mm ires p l \ $S4 rmhist p \ (S4 rmhist p)$ + \ unchanged (e p, c p, r p, rmhist!p) \ Write memCh mm (resbar rmhist) p l" by (force simp: Write_def elim!: Step1_4_4b1 [temp_use]) -lemma Step1_4_4c: "\ MemReturn rmCh ires p & $S4 rmhist p & (S5 rmhist p)$ - & unchanged (e p, c p, r p) +lemma Step1_4_4c: "\ MemReturn rmCh ires p \ $S4 rmhist p \ (S5 rmhist p)$ + \ unchanged (e p, c p, r p) \ unchanged (rtrner memCh!p, resbar rmhist!p)" apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def}, @{thm c_def}, @{thm r_def}, @{thm resbar_def}]) [] [] 1 *}) @@ -727,8 +727,8 @@ apply (auto elim!: squareE [temp_use] simp: MemReturn_def Return_def) done -lemma Step1_4_5a: "\ RPCReply crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$ - & unchanged (e p, c p, m p) +lemma Step1_4_5a: "\ RPCReply crCh rmCh rst p \ $S5 rmhist p \ (S6 rmhist p)$ + \ unchanged (e p, c p, m p) \ unchanged (rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (drule S5_excl [temp_use] S6_excl [temp_use])+ @@ -736,8 +736,8 @@ apply (auto simp: RPCReply_def Return_def S5_def S_def dest!: MVOKBAnotRF [temp_use]) done -lemma Step1_4_5b: "\ RPCFail crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$ - & unchanged (e p, c p, m p) +lemma Step1_4_5b: "\ RPCFail crCh rmCh rst p \ $S5 rmhist p \ (S6 rmhist p)$ + \ unchanged (e p, c p, m p) \ MemFail memCh (resbar rmhist) p" apply clarsimp apply (drule S6_excl [temp_use]) @@ -745,8 +745,8 @@ apply (auto simp: S5_def S_def) done -lemma Step1_4_6a: "\ MClkReply memCh crCh cst p & $S6 rmhist p & (S1 rmhist p)$ - & unchanged (e p, r p, m p) +lemma Step1_4_6a: "\ MClkReply memCh crCh cst p \ $S6 rmhist p \ (S1 rmhist p)$ + \ unchanged (e p, r p, m p) \ MemReturn memCh (resbar rmhist) p" apply clarsimp apply (drule S6_excl [temp_use])+ @@ -758,8 +758,8 @@ [@{thm MClkReplyVal_def}, @{thm S6_def}, @{thm S_def}]) [] [@{thm MVOKBARFnotNR}]) *}) done -lemma Step1_4_6b: "\ MClkRetry memCh crCh cst p & $S6 rmhist p & (S3 rmhist p)$ - & unchanged (e p, r p, m p, rmhist!p) +lemma Step1_4_6b: "\ MClkRetry memCh crCh cst p \ $S6 rmhist p \ (S3 rmhist p)$ + \ unchanged (e p, r p, m p, rmhist!p) \ MemFail memCh (resbar rmhist) p" apply clarsimp apply (drule S3_excl [temp_use])+ @@ -825,7 +825,7 @@ (* turn into (unsafe, looping!) introduction rule *) lemmas unchanged_safeI = impI [THEN unchanged_safe [action_use]] -lemma S1safe: "\ $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S1safe: "\ $S1 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (rule unchanged_safeI) @@ -833,7 +833,7 @@ apply (auto dest!: Step1_2_1 [temp_use] Step1_4_1 [temp_use]) done -lemma S2safe: "\ $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S2safe: "\ $S2 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (rule unchanged_safeI) @@ -841,7 +841,7 @@ apply (auto dest!: Step1_2_2 [temp_use] Step1_4_2 [temp_use]) done -lemma S3safe: "\ $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S3safe: "\ $S3 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (rule unchanged_safeI) @@ -849,8 +849,8 @@ apply (auto simp: square_def UNext_def dest!: Step1_4_3a [temp_use] Step1_4_3b [temp_use]) done -lemma S4safe: "\ $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - & (\l. $(MemInv mm l)) +lemma S4safe: "\ $S4 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (\l. $(MemInv mm l)) \ [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (rule unchanged_safeI) @@ -859,7 +859,7 @@ dest!: Step1_4_4a [temp_use] Step1_4_4b [temp_use] Step1_4_4c [temp_use]) done -lemma S5safe: "\ $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S5safe: "\ $S5 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (rule unchanged_safeI) @@ -867,7 +867,7 @@ apply (auto simp: square_def UNext_def dest!: Step1_4_5a [temp_use] Step1_4_5b [temp_use]) done -lemma S6safe: "\ $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S6safe: "\ $S6 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)" apply clarsimp apply (rule unchanged_safeI) @@ -889,8 +889,8 @@ (* ------------------------------ State S1 ------------------------------ *) -lemma S1_successors: "\ $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - \ (S1 rmhist p)$ | (S2 rmhist p)$" +lemma S1_successors: "\ $S1 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (S1 rmhist p)$ \ (S2 rmhist p)$" apply split_idle apply (auto dest!: Step1_2_1 [temp_use]) done @@ -923,18 +923,18 @@ (* ------------------------------ State S2 ------------------------------ *) -lemma S2_successors: "\ $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - \ (S2 rmhist p)$ | (S3 rmhist p)$" +lemma S2_successors: "\ $S2 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (S2 rmhist p)$ \ (S3 rmhist p)$" apply split_idle apply (auto dest!: Step1_2_2 [temp_use]) done -lemma S2MClkFwd_successors: "\ ($S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) - & _(c p) +lemma S2MClkFwd_successors: "\ ($S2 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p)) + \ _(c p) \ (S3 rmhist p)$" by (auto simp: angle_def dest!: Step1_2_2 [temp_use]) -lemma S2MClkFwd_enabled: "\ $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S2MClkFwd_enabled: "\ $S2 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ $Enabled (_(c p))" apply (auto simp: c_def intro!: MClkFwd_ch_enabled [temp_use] MClkFwd_enabled [temp_use]) apply (cut_tac MI_base) @@ -942,26 +942,26 @@ apply (simp_all add: S_def S2_def) done -lemma S2_live: "\ \(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) - & WF(MClkFwd memCh crCh cst p)_(c p) +lemma S2_live: "\ \(ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p)) + \ WF(MClkFwd memCh crCh cst p)_(c p) \ (S2 rmhist p \ S3 rmhist p)" by (rule WF1 S2_successors S2MClkFwd_successors S2MClkFwd_enabled)+ (* ------------------------------ State S3 ------------------------------ *) -lemma S3_successors: "\ $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - \ (S3 rmhist p)$ | (S4 rmhist p | S6 rmhist p)$" +lemma S3_successors: "\ $S3 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (S3 rmhist p)$ \ (S4 rmhist p \ S6 rmhist p)$" apply split_idle apply (auto dest!: Step1_2_3 [temp_use]) done -lemma S3RPC_successors: "\ ($S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) - & _(r p) - \ (S4 rmhist p | S6 rmhist p)$" +lemma S3RPC_successors: "\ ($S3 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p)) + \ _(r p) + \ (S4 rmhist p \ S6 rmhist p)$" apply (auto simp: angle_def dest!: Step1_2_3 [temp_use]) done -lemma S3RPC_enabled: "\ $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S3RPC_enabled: "\ $S3 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ $Enabled (_(r p))" apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use]) apply (cut_tac MI_base) @@ -969,39 +969,39 @@ apply (simp_all add: S_def S3_def) done -lemma S3_live: "\ \(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) - & WF(RPCNext crCh rmCh rst p)_(r p) - \ (S3 rmhist p \ S4 rmhist p | S6 rmhist p)" +lemma S3_live: "\ \(ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p)) + \ WF(RPCNext crCh rmCh rst p)_(r p) + \ (S3 rmhist p \ S4 rmhist p \ S6 rmhist p)" by (rule WF1 S3_successors S3RPC_successors S3RPC_enabled)+ (* ------------- State S4 -------------------------------------------------- *) -lemma S4_successors: "\ $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - & (\l. $MemInv mm l) - \ (S4 rmhist p)$ | (S5 rmhist p)$" +lemma S4_successors: "\ $S4 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (\l. $MemInv mm l) + \ (S4 rmhist p)$ \ (S5 rmhist p)$" apply split_idle apply (auto dest!: Step1_2_4 [temp_use]) done (* --------- State S4a: S4 /\ (ires p = NotAResult) ------------------------ *) -lemma S4a_successors: "\ $(S4 rmhist p & ires!p = #NotAResult) - & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (\l. $MemInv mm l) - \ (S4 rmhist p & ires!p = #NotAResult)$ - | ((S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p)$" +lemma S4a_successors: "\ $(S4 rmhist p \ ires!p = #NotAResult) + \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p,rmhist!p) \ (\l. $MemInv mm l) + \ (S4 rmhist p \ ires!p = #NotAResult)$ + \ ((S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p)$" apply split_idle apply (auto dest!: Step1_2_4 [temp_use]) done -lemma S4aRNext_successors: "\ ($(S4 rmhist p & ires!p = #NotAResult) - & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (\l. $MemInv mm l)) - & _(m p) - \ ((S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p)$" +lemma S4aRNext_successors: "\ ($(S4 rmhist p \ ires!p = #NotAResult) + \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p,rmhist!p) \ (\l. $MemInv mm l)) + \ _(m p) + \ ((S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p)$" by (auto simp: angle_def dest!: Step1_2_4 [temp_use] ReadResult [temp_use] WriteResult [temp_use]) -lemma S4aRNext_enabled: "\ $(S4 rmhist p & ires!p = #NotAResult) - & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (\l. $MemInv mm l) +lemma S4aRNext_enabled: "\ $(S4 rmhist p \ ires!p = #NotAResult) + \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ (\l. $MemInv mm l) \ $Enabled (_(m p))" apply (auto simp: m_def intro!: RNext_enabled [temp_use]) apply (cut_tac MI_base) @@ -1009,30 +1009,30 @@ apply (simp add: S_def S4_def) done -lemma S4a_live: "\ \(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - & (\l. $MemInv mm l)) & WF(RNext rmCh mm ires p)_(m p) - \ (S4 rmhist p & ires!p = #NotAResult - \ (S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p)" +lemma S4a_live: "\ \(ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (\l. $MemInv mm l)) \ WF(RNext rmCh mm ires p)_(m p) + \ (S4 rmhist p \ ires!p = #NotAResult + \ (S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p)" by (rule WF1 S4a_successors S4aRNext_successors S4aRNext_enabled)+ (* ---------- State S4b: S4 /\ (ires p # NotAResult) --------------------------- *) -lemma S4b_successors: "\ $(S4 rmhist p & ires!p \ #NotAResult) - & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (\l. $MemInv mm l) - \ (S4 rmhist p & ires!p \ #NotAResult)$ | (S5 rmhist p)$" +lemma S4b_successors: "\ $(S4 rmhist p \ ires!p \ #NotAResult) + \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ (\l. $MemInv mm l) + \ (S4 rmhist p \ ires!p \ #NotAResult)$ \ (S5 rmhist p)$" apply (split_idle simp: m_def) apply (auto dest!: WriteResult [temp_use] Step1_2_4 [temp_use] ReadResult [temp_use]) done -lemma S4bReturn_successors: "\ ($(S4 rmhist p & ires!p \ #NotAResult) - & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - & (\l. $MemInv mm l)) & _(m p) +lemma S4bReturn_successors: "\ ($(S4 rmhist p \ ires!p \ #NotAResult) + \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (\l. $MemInv mm l)) \ _(m p) \ (S5 rmhist p)$" by (force simp: angle_def dest!: Step1_2_4 [temp_use] dest: ReturnNotReadWrite [temp_use]) -lemma S4bReturn_enabled: "\ $(S4 rmhist p & ires!p \ #NotAResult) - & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - & (\l. $MemInv mm l) +lemma S4bReturn_enabled: "\ $(S4 rmhist p \ ires!p \ #NotAResult) + \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (\l. $MemInv mm l) \ $Enabled (_(m p))" apply (auto simp: m_def intro!: MemReturn_enabled [temp_use]) apply (cut_tac MI_base) @@ -1040,25 +1040,25 @@ apply (simp add: S_def S4_def) done -lemma S4b_live: "\ \(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (\l. $MemInv mm l)) - & WF(MemReturn rmCh ires p)_(m p) - \ (S4 rmhist p & ires!p \ #NotAResult \ S5 rmhist p)" +lemma S4b_live: "\ \(ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ (\l. $MemInv mm l)) + \ WF(MemReturn rmCh ires p)_(m p) + \ (S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p)" by (rule WF1 S4b_successors S4bReturn_successors S4bReturn_enabled)+ (* ------------------------------ State S5 ------------------------------ *) -lemma S5_successors: "\ $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - \ (S5 rmhist p)$ | (S6 rmhist p)$" +lemma S5_successors: "\ $S5 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (S5 rmhist p)$ \ (S6 rmhist p)$" apply split_idle apply (auto dest!: Step1_2_5 [temp_use]) done -lemma S5RPC_successors: "\ ($S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) - & _(r p) +lemma S5RPC_successors: "\ ($S5 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p)) + \ _(r p) \ (S6 rmhist p)$" by (auto simp: angle_def dest!: Step1_2_5 [temp_use]) -lemma S5RPC_enabled: "\ $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) +lemma S5RPC_enabled: "\ $S5 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ $Enabled (_(r p))" apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use]) apply (cut_tac MI_base) @@ -1066,27 +1066,27 @@ apply (simp_all add: S_def S5_def) done -lemma S5_live: "\ \(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) - & WF(RPCNext crCh rmCh rst p)_(r p) +lemma S5_live: "\ \(ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p)) + \ WF(RPCNext crCh rmCh rst p)_(r p) \ (S5 rmhist p \ S6 rmhist p)" by (rule WF1 S5_successors S5RPC_successors S5RPC_enabled)+ (* ------------------------------ State S6 ------------------------------ *) -lemma S6_successors: "\ $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) - \ (S1 rmhist p)$ | (S3 rmhist p)$ | (S6 rmhist p)$" +lemma S6_successors: "\ $S6 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) + \ (S1 rmhist p)$ \ (S3 rmhist p)$ \ (S6 rmhist p)$" apply split_idle apply (auto dest!: Step1_2_6 [temp_use]) done lemma S6MClkReply_successors: - "\ ($S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)) - & _(c p) + "\ ($S6 rmhist p \ ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p)) + \ _(c p) \ (S1 rmhist p)$" by (auto simp: angle_def dest!: Step1_2_6 [temp_use] MClkReplyNotRetry [temp_use]) lemma MClkReplyS6: - "\ $ImpInv rmhist p & _(c p) \ $S6 rmhist p" + "\ $ImpInv rmhist p \ _(c p) \ $S6 rmhist p" by (tactic {* action_simp_tac (@{context} addsimps [@{thm angle_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm ImpInv_def}, @{thm S_def}, @{thm S1_def}, @{thm S2_def}, @{thm S3_def}, @{thm S4_def}, @{thm S5_def}]) [] [] 1 *}) @@ -1099,8 +1099,8 @@ addsimps [@{thm S_def}, @{thm S6_def}]) [] []) *}) done -lemma S6_live: "\ \(ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p)) - & SF(MClkReply memCh crCh cst p)_(c p) & \\(S6 rmhist p) +lemma S6_live: "\ \(ImpNext p \ [HNext rmhist p]_(c p,r p,m p, rmhist!p) \ $(ImpInv rmhist p)) + \ SF(MClkReply memCh crCh cst p)_(c p) \ \\(S6 rmhist p) \ \\(S1 rmhist p)" apply clarsimp apply (subgoal_tac "sigma \ \\ (_ (c p))") @@ -1116,25 +1116,25 @@ (* --------------- aggregate leadsto properties----------------------------- *) lemma S5S6LeadstoS6: "sigma \ S5 rmhist p \ S6 rmhist p - \ sigma \ (S5 rmhist p | S6 rmhist p) \ S6 rmhist p" + \ sigma \ (S5 rmhist p \ S6 rmhist p) \ S6 rmhist p" by (auto intro!: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use]) -lemma S4bS5S6LeadstoS6: "\ sigma \ S4 rmhist p & ires!p \ #NotAResult \ S5 rmhist p; +lemma S4bS5S6LeadstoS6: "\ sigma \ S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p; sigma \ S5 rmhist p \ S6 rmhist p \ - \ sigma \ (S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p | S6 rmhist p + \ sigma \ (S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p \ S6 rmhist p \ S6 rmhist p" by (auto intro!: LatticeDisjunctionIntro [temp_use] S5S6LeadstoS6 [temp_use] intro: LatticeTransitivity [temp_use]) -lemma S4S5S6LeadstoS6: "\ sigma \ S4 rmhist p & ires!p = #NotAResult - \ (S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p; - sigma \ S4 rmhist p & ires!p \ #NotAResult \ S5 rmhist p; +lemma S4S5S6LeadstoS6: "\ sigma \ S4 rmhist p \ ires!p = #NotAResult + \ (S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p; + sigma \ S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p; sigma \ S5 rmhist p \ S6 rmhist p \ - \ sigma \ S4 rmhist p | S5 rmhist p | S6 rmhist p \ S6 rmhist p" - apply (subgoal_tac "sigma \ (S4 rmhist p & ires!p = #NotAResult) | - (S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p | S6 rmhist p \ S6 rmhist p") - apply (erule_tac G = "PRED ((S4 rmhist p & ires!p = #NotAResult) | - (S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p | S6 rmhist p)" in + \ sigma \ S4 rmhist p \ S5 rmhist p \ S6 rmhist p \ S6 rmhist p" + apply (subgoal_tac "sigma \ (S4 rmhist p \ ires!p = #NotAResult) \ + (S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p \ S6 rmhist p \ S6 rmhist p") + apply (erule_tac G = "PRED ((S4 rmhist p \ ires!p = #NotAResult) \ + (S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p \ S6 rmhist p)" in LatticeTransitivity [temp_use]) apply (force simp: Init_defs intro!: ImplLeadsto_gen [temp_use] necT [temp_use]) apply (rule LatticeDisjunctionIntro [temp_use]) @@ -1144,12 +1144,12 @@ apply (auto intro!: S4bS5S6LeadstoS6 [temp_use]) done -lemma S3S4S5S6LeadstoS6: "\ sigma \ S3 rmhist p \ S4 rmhist p | S6 rmhist p; - sigma \ S4 rmhist p & ires!p = #NotAResult - \ (S4 rmhist p & ires!p \ #NotAResult) | S5 rmhist p; - sigma \ S4 rmhist p & ires!p \ #NotAResult \ S5 rmhist p; +lemma S3S4S5S6LeadstoS6: "\ sigma \ S3 rmhist p \ S4 rmhist p \ S6 rmhist p; + sigma \ S4 rmhist p \ ires!p = #NotAResult + \ (S4 rmhist p \ ires!p \ #NotAResult) \ S5 rmhist p; + sigma \ S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p; sigma \ S5 rmhist p \ S6 rmhist p \ - \ sigma \ S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p \ S6 rmhist p" + \ sigma \ S3 rmhist p \ S4 rmhist p \ S5 rmhist p \ S6 rmhist p \ S6 rmhist p" apply (rule LatticeDisjunctionIntro [temp_use]) apply (erule LatticeTriangle2 [temp_use]) apply (rule S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]]) @@ -1158,12 +1158,12 @@ done lemma S2S3S4S5S6LeadstoS6: "\ sigma \ S2 rmhist p \ S3 rmhist p; - sigma \ S3 rmhist p \ S4 rmhist p | S6 rmhist p; - sigma \ S4 rmhist p & ires!p = #NotAResult - \ S4 rmhist p & ires!p \ #NotAResult | S5 rmhist p; - sigma \ S4 rmhist p & ires!p \ #NotAResult \ S5 rmhist p; + sigma \ S3 rmhist p \ S4 rmhist p \ S6 rmhist p; + sigma \ S4 rmhist p \ ires!p = #NotAResult + \ S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p; + sigma \ S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p; sigma \ S5 rmhist p \ S6 rmhist p \ - \ sigma \ S2 rmhist p | S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p + \ sigma \ S2 rmhist p \ S3 rmhist p \ S4 rmhist p \ S5 rmhist p \ S6 rmhist p \ S6 rmhist p" apply (rule LatticeDisjunctionIntro [temp_use]) apply (rule LatticeTransitivity [temp_use]) @@ -1175,10 +1175,10 @@ lemma NotS1LeadstoS6: "\ sigma \ \ImpInv rmhist p; sigma \ S2 rmhist p \ S3 rmhist p; - sigma \ S3 rmhist p \ S4 rmhist p | S6 rmhist p; - sigma \ S4 rmhist p & ires!p = #NotAResult - \ S4 rmhist p & ires!p \ #NotAResult | S5 rmhist p; - sigma \ S4 rmhist p & ires!p \ #NotAResult \ S5 rmhist p; + sigma \ S3 rmhist p \ S4 rmhist p \ S6 rmhist p; + sigma \ S4 rmhist p \ ires!p = #NotAResult + \ S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p; + sigma \ S4 rmhist p \ ires!p \ #NotAResult \ S5 rmhist p; sigma \ S5 rmhist p \ S6 rmhist p \ \ sigma \ \S1 rmhist p \ S6 rmhist p" apply (rule S2S3S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]]) @@ -1207,8 +1207,8 @@ lemma Step1_5_1a: "\ IPImp p \ (\l. \$MemInv mm l)" by (auto simp: IPImp_def box_stp_act [temp_use] intro!: MemoryInvariantAll [temp_use]) -lemma Step1_5_1b: "\ Init(ImpInit p & HInit rmhist p) & \(ImpNext p) - & \[HNext rmhist p]_(c p, r p, m p, rmhist!p) & \(\l. $MemInv mm l) +lemma Step1_5_1b: "\ Init(ImpInit p \ HInit rmhist p) \ \(ImpNext p) + \ \[HNext rmhist p]_(c p, r p, m p, rmhist!p) \ \(\l. $MemInv mm l) \ \ImpInv rmhist p" apply invariant apply (auto simp: Init_def ImpInv_def box_stp_act [temp_use] @@ -1218,26 +1218,26 @@ done (*** Initialization ***) -lemma Step1_5_2a: "\ Init(ImpInit p & HInit rmhist p) \ Init(PInit (resbar rmhist) p)" +lemma Step1_5_2a: "\ Init(ImpInit p \ HInit rmhist p) \ Init(PInit (resbar rmhist) p)" by (auto simp: Init_def intro!: Step1_1 [temp_use] Step1_3 [temp_use]) (*** step simulation ***) -lemma Step1_5_2b: "\ \(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p) - & $ImpInv rmhist p & (\l. $MemInv mm l)) +lemma Step1_5_2b: "\ \(ImpNext p \ [HNext rmhist p]_(c p, r p, m p, rmhist!p) + \ $ImpInv rmhist p \ (\l. $MemInv mm l)) \ \[UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)" by (auto simp: ImpInv_def elim!: STL4E [temp_use] dest!: S1safe [temp_use] S2safe [temp_use] S3safe [temp_use] S4safe [temp_use] S5safe [temp_use] S6safe [temp_use]) (*** Liveness ***) -lemma GoodImpl: "\ IPImp p & HistP rmhist p - \ Init(ImpInit p & HInit rmhist p) - & \(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) - & \(\l. $MemInv mm l) & \($ImpInv rmhist p) - & ImpLive p" +lemma GoodImpl: "\ IPImp p \ HistP rmhist p + \ Init(ImpInit p \ HInit rmhist p) + \ \(ImpNext p \ [HNext rmhist p]_(c p, r p, m p, rmhist!p)) + \ \(\l. $MemInv mm l) \ \($ImpInv rmhist p) + \ ImpLive p" apply clarsimp - apply (subgoal_tac "sigma \ Init (ImpInit p & HInit rmhist p) & \ (ImpNext p) & - \[HNext rmhist p]_ (c p, r p, m p, rmhist!p) & \ (\l. $MemInv mm l)") + apply (subgoal_tac "sigma \ Init (ImpInit p \ HInit rmhist p) \ \ (ImpNext p) \ + \[HNext rmhist p]_ (c p, r p, m p, rmhist!p) \ \ (\l. $MemInv mm l)") apply (auto simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite] dest!: Step1_5_1b [temp_use]) apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def @@ -1251,9 +1251,9 @@ done (* The implementation is infinitely often in state S1... *) -lemma Step1_5_3a: "\ \(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) - & \(\l. $MemInv mm l) - & \($ImpInv rmhist p) & ImpLive p +lemma Step1_5_3a: "\ \(ImpNext p \ [HNext rmhist p]_(c p, r p, m p, rmhist!p)) + \ \(\l. $MemInv mm l) + \ \($ImpInv rmhist p) \ ImpLive p \ \\S1 rmhist p" apply (clarsimp simp: ImpLive_def) apply (rule S1Infinite) @@ -1264,18 +1264,18 @@ done (* ... and therefore satisfies the fairness requirements of the specification *) -lemma Step1_5_3b: "\ \(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) - & \(\l. $MemInv mm l) & \($ImpInv rmhist p) & ImpLive p +lemma Step1_5_3b: "\ \(ImpNext p \ [HNext rmhist p]_(c p, r p, m p, rmhist!p)) + \ \(\l. $MemInv mm l) \ \($ImpInv rmhist p) \ ImpLive p \ WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)" by (auto intro!: RNext_fair [temp_use] Step1_5_3a [temp_use]) -lemma Step1_5_3c: "\ \(ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)) - & \(\l. $MemInv mm l) & \($ImpInv rmhist p) & ImpLive p +lemma Step1_5_3c: "\ \(ImpNext p \ [HNext rmhist p]_(c p, r p, m p, rmhist!p)) + \ \(\l. $MemInv mm l) \ \($ImpInv rmhist p) \ ImpLive p \ WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)" by (auto intro!: Return_fair [temp_use] Step1_5_3a [temp_use]) (* QED step of step 1 *) -lemma Step1: "\ IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p" +lemma Step1: "\ IPImp p \ HistP rmhist p \ UPSpec memCh mm (resbar rmhist) p" by (auto simp: UPSpec_def split_box_conj [temp_use] dest!: GoodImpl [temp_use] intro!: Step1_5_2a [temp_use] Step1_5_2b [temp_use] Step1_5_3b [temp_use] Step1_5_3c [temp_use]) @@ -1283,10 +1283,10 @@ (* ------------------------------ Step 2 ------------------------------ *) section "Step 2" -lemma Step2_2a: "\ Write rmCh mm ires p l & ImpNext p - & [HNext rmhist p]_(c p, r p, m p, rmhist!p) - & $ImpInv rmhist p - \ (S4 rmhist p)$ & unchanged (e p, c p, r p, rmhist!p)" +lemma Step2_2a: "\ Write rmCh mm ires p l \ ImpNext p + \ [HNext rmhist p]_(c p, r p, m p, rmhist!p) + \ $ImpInv rmhist p + \ (S4 rmhist p)$ \ unchanged (e p, c p, r p, rmhist!p)" apply clarsimp apply (drule WriteS4 [action_use]) apply assumption @@ -1297,9 +1297,9 @@ done lemma Step2_2: "\ (\p. ImpNext p) - & (\p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) - & (\p. $ImpInv rmhist p) - & [\q. Write rmCh mm ires q l]_(mm!l) + \ (\p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) + \ (\p. $ImpInv rmhist p) + \ [\q. Write rmCh mm ires q l]_(mm!l) \ [\q. Write memCh mm (resbar rmhist) q l]_(mm!l)" apply (auto intro!: squareCI elim!: squareE) apply (assumption | rule exI Step1_4_4b [action_use])+ @@ -1308,13 +1308,13 @@ done lemma Step2_lemma: "\ \( (\p. ImpNext p) - & (\p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) - & (\p. $ImpInv rmhist p) - & [\q. Write rmCh mm ires q l]_(mm!l)) + \ (\p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)) + \ (\p. $ImpInv rmhist p) + \ [\q. Write rmCh mm ires q l]_(mm!l)) \ \[\q. Write memCh mm (resbar rmhist) q l]_(mm!l)" by (force elim!: STL4E [temp_use] dest!: Step2_2 [temp_use]) -lemma Step2: "\ #l : #MemLoc & (\p. IPImp p & HistP rmhist p) +lemma Step2: "\ #l \ #MemLoc \ (\p. IPImp p \ HistP rmhist p) \ MSpec memCh mm (resbar rmhist) l" apply (auto simp: MSpec_def) apply (force simp: IPImp_def MSpec_def) @@ -1334,7 +1334,7 @@ (* Implementation of internal specification by combination of implementation and history variable with explicit refinement mapping *) -lemma Impl_IUSpec: "\ Implementation & Hist rmhist \ IUSpec memCh mm (resbar rmhist)" +lemma Impl_IUSpec: "\ Implementation \ Hist rmhist \ IUSpec memCh mm (resbar rmhist)" by (auto simp: IUSpec_def Implementation_def IPImp_def MClkISpec_def RPCISpec_def IRSpec_def Hist_def intro!: Step1 [temp_use] Step2 [temp_use]) diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Memory/ProcedureInterface.thy --- a/src/HOL/TLA/Memory/ProcedureInterface.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Memory/ProcedureInterface.thy Fri Jun 26 15:55:44 2015 +0200 @@ -63,14 +63,14 @@ Calling_def: "Calling ch p == PRED cbit< ch!p > \ rbit< ch!p >" Call_def: "(ACT Call ch p v) == ACT \ $Calling ch p - & (cbit$ \ $rbit) - & (arg$ = $v)" + \ (cbit$ \ $rbit) + \ (arg$ = $v)" Return_def: "(ACT Return ch p v) == ACT $Calling ch p - & (rbit$ = $cbit) - & (res$ = $v)" + \ (rbit$ = $cbit) + \ (res$ = $v)" PLegalCaller_def: "PLegalCaller ch p == TEMP Init(\ Calling ch p) - & \[\a. Call ch p a ]_((caller ch)!p)" + \ \[\a. Call ch p a ]_((caller ch)!p)" LegalCaller_def: "LegalCaller ch == TEMP (\p. PLegalCaller ch p)" PLegalReturner_def: "PLegalReturner ch p == TEMP \[\v. Return ch p v ]_((rtrner ch)!p)" diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/Memory/RPC.thy --- a/src/HOL/TLA/Memory/RPC.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/Memory/RPC.thy Fri Jun 26 15:55:44 2015 +0200 @@ -28,45 +28,45 @@ RPCISpec :: "rpcSndChType \ rpcRcvChType \ rpcStType \ temporal" defs - RPCInit_def: "RPCInit rcv rst p == PRED ((rst!p = #rpcA) & \Calling rcv p)" + RPCInit_def: "RPCInit rcv rst p == PRED ((rst!p = #rpcA) \ \Calling rcv p)" RPCFwd_def: "RPCFwd send rcv rst p == ACT $(Calling send p) - & $(rst!p) = # rpcA - & IsLegalRcvArg> - & Call rcv p RPCRelayArg> - & (rst!p)$ = # rpcB - & unchanged (rtrner send!p)" + \ $(rst!p) = # rpcA + \ IsLegalRcvArg> + \ Call rcv p RPCRelayArg> + \ (rst!p)$ = # rpcB + \ unchanged (rtrner send!p)" RPCReject_def: "RPCReject send rcv rst p == ACT $(rst!p) = # rpcA - & \IsLegalRcvArg> - & Return send p #BadCall - & unchanged ((rst!p), (caller rcv!p))" + \ \IsLegalRcvArg> + \ Return send p #BadCall + \ unchanged ((rst!p), (caller rcv!p))" RPCFail_def: "RPCFail send rcv rst p == ACT \$(Calling rcv p) - & Return send p #RPCFailure - & (rst!p)$ = #rpcA - & unchanged (caller rcv!p)" + \ Return send p #RPCFailure + \ (rst!p)$ = #rpcA + \ unchanged (caller rcv!p)" RPCReply_def: "RPCReply send rcv rst p == ACT \$(Calling rcv p) - & $(rst!p) = #rpcB - & Return send p res - & (rst!p)$ = #rpcA - & unchanged (caller rcv!p)" + \ $(rst!p) = #rpcB + \ Return send p res + \ (rst!p)$ = #rpcA + \ unchanged (caller rcv!p)" RPCNext_def: "RPCNext send rcv rst p == ACT ( RPCFwd send rcv rst p - | RPCReject send rcv rst p - | RPCFail send rcv rst p - | RPCReply send rcv rst p)" + \ RPCReject send rcv rst p + \ RPCFail send rcv rst p + \ RPCReply send rcv rst p)" RPCIPSpec_def: "RPCIPSpec send rcv rst p == TEMP Init RPCInit rcv rst p - & \[ RPCNext send rcv rst p ]_(rst!p, rtrner send!p, caller rcv!p) - & WF(RPCNext send rcv rst p)_(rst!p, rtrner send!p, caller rcv!p)" + \ \[ RPCNext send rcv rst p ]_(rst!p, rtrner send!p, caller rcv!p) + \ WF(RPCNext send rcv rst p)_(rst!p, rtrner send!p, caller rcv!p)" RPCISpec_def: "RPCISpec send rcv rst == TEMP (\p. RPCIPSpec send rcv rst p)" @@ -84,7 +84,7 @@ lemma RPCidle: "\ \$(Calling send p) \ \RPCNext send rcv rst p" by (auto simp: Return_def RPC_action_defs) -lemma RPCbusy: "\ $(Calling rcv p) & $(rst!p) = #rpcB \ \RPCNext send rcv rst p" +lemma RPCbusy: "\ $(Calling rcv p) \ $(rst!p) = #rpcB \ \RPCNext send rcv rst p" by (auto simp: RPC_action_defs) (* RPC failure actions are visible. *) @@ -98,13 +98,13 @@ (* Enabledness of some actions *) lemma RPCFail_enabled: "\p. basevars (rtrner send!p, caller rcv!p, rst!p) \ - \ \Calling rcv p & Calling send p \ Enabled (RPCFail send rcv rst p)" + \ \Calling rcv p \ Calling send p \ Enabled (RPCFail send rcv rst p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFail_def}, @{thm Return_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI] [@{thm base_enabled}, @{thm Pair_inject}] 1 *}) lemma RPCReply_enabled: "\p. basevars (rtrner send!p, caller rcv!p, rst!p) \ - \ \Calling rcv p & Calling send p & rst!p = #rpcB + \ \Calling rcv p \ Calling send p \ rst!p = #rpcB \ Enabled (RPCReply send rcv rst p)" by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCReply_def}, @{thm Return_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI] diff -r 479071e8778f -r e0b77517f9a9 src/HOL/TLA/TLA.thy --- a/src/HOL/TLA/TLA.thy Fri Jun 26 15:03:54 2015 +0200 +++ b/src/HOL/TLA/TLA.thy Fri Jun 26 15:55:44 2015 +0200 @@ -24,15 +24,15 @@ (** concrete syntax **) syntax - "_Box" :: "lift \ lift" ("([]_)" [40] 40) - "_Dmd" :: "lift \ lift" ("(<>_)" [40] 40) - "_leadsto" :: "[lift,lift] \ lift" ("(_ ~> _)" [23,22] 22) + "_Box" :: "lift \ lift" ("(\_)" [40] 40) + "_Dmd" :: "lift \ lift" ("(\_)" [40] 40) + "_leadsto" :: "[lift,lift] \ lift" ("(_ \ _)" [23,22] 22) "_stable" :: "lift \ lift" ("(stable/ _)") "_WF" :: "[lift,lift] \ lift" ("(WF'(_')'_(_))" [0,60] 55) "_SF" :: "[lift,lift] \ lift" ("(SF'(_')'_(_))" [0,60] 55) - "_EEx" :: "[idts, lift] \ lift" ("(3EEX _./ _)" [0,10] 10) - "_AAll" :: "[idts, lift] \ lift" ("(3AALL _./ _)" [0,10] 10) + "_EEx" :: "[idts, lift] \ lift" ("(3\\ _./ _)" [0,10] 10) + "_AAll" :: "[idts, lift] \ lift" ("(3\\ _./ _)" [0,10] 10) translations "_Box" == "CONST Box" @@ -44,21 +44,14 @@ "_EEx v A" == "Eex v. A" "_AAll v A" == "Aall v. A" - "sigma |= []F" <= "_Box F sigma" - "sigma |= <>F" <= "_Dmd F sigma" - "sigma |= F ~> G" <= "_leadsto F G sigma" - "sigma |= stable P" <= "_stable P sigma" - "sigma |= WF(A)_v" <= "_WF A v sigma" - "sigma |= SF(A)_v" <= "_SF A v sigma" - "sigma |= EEX x. F" <= "_EEx x F sigma" - "sigma |= AALL x. F" <= "_AAll x F sigma" - -syntax (xsymbols) - "_Box" :: "lift \ lift" ("(\_)" [40] 40) - "_Dmd" :: "lift \ lift" ("(\_)" [40] 40) - "_leadsto" :: "[lift,lift] \ lift" ("(_ \ _)" [23,22] 22) - "_EEx" :: "[idts, lift] \ lift" ("(3\\ _./ _)" [0,10] 10) - "_AAll" :: "[idts, lift] \ lift" ("(3\\ _./ _)" [0,10] 10) + "sigma \ \F" <= "_Box F sigma" + "sigma \ \F" <= "_Dmd F sigma" + "sigma \ F \ G" <= "_leadsto F G sigma" + "sigma \ stable P" <= "_stable P sigma" + "sigma \ WF(A)_v" <= "_WF A v sigma" + "sigma \ SF(A)_v" <= "_SF A v sigma" + "sigma \ \\x. F" <= "_EEx x F sigma" + "sigma \ \\x. F" <= "_AAll x F sigma" axiomatization where (* Definitions of derived operators *) @@ -77,11 +70,11 @@ normalT: "\F G. \ \(F \ G) \ (\F \ \G)" and (* polymorphic *) reflT: "\F. \ \F \ F" and (* F::temporal *) transT: "\F. \ \F \ \\F" and (* polymorphic *) - linT: "\F G. \ \F & \G \ (\(F & \G)) | (\(G & \F))" and - discT: "\F. \ \(F \ \(\F & \F)) \ (F \ \\F)" and + linT: "\F G. \ \F \ \G \ (\(F \ \G)) \ (\(G \ \F))" and + discT: "\F. \ \(F \ \(\F \ \F)) \ (F \ \\F)" and primeI: "\P. \ \P \ Init P`" and primeE: "\P F. \ \(Init P \ \F) \ Init P` \ (F \ \F)" and - indT: "\P F. \ \(Init P & \\F \ Init P` & F) \ Init P \ \F" and + indT: "\P F. \ \(Init P \ \\F \ Init P` \ F) \ Init P \ \F" and allT: "\F. \ (\x. \(F x)) = (\(\ x. F x))" axiomatization where @@ -93,7 +86,7 @@ eexE: "\ sigma \ (\\x. F x); basevars vs; (\x. \ basevars (x, vs); sigma \ F x \ \ (G sigma)::bool) \ \ G sigma" and - history: "\ \\h. Init(h = ha) & \(\x. $h = #x \ h` = hb x)" + history: "\ \\h. Init(h = ha) \ \(\x. $h = #x \ h` = hb x)" (* Specialize intensional introduction/elimination rules for temporal formulas *) @@ -255,9 +248,9 @@ by (erule (1) DmdImpl [temp_use]) (* ------------------------ STL5 ------------------------------------------- *) -lemma STL5: "\ (\F & \G) = (\(F & G))" +lemma STL5: "\ (\F \ \G) = (\(F \ G))" apply auto - apply (subgoal_tac "sigma \ \ (G \ (F & G))") + apply (subgoal_tac "sigma \ \ (G \ (F \ G))") apply (erule normalT [temp_use]) apply (fastforce elim!: STL4E [temp_use])+ done @@ -273,7 +266,7 @@ lemma box_conjE: assumes "sigma \ \F" and "sigma \ \G" - and "sigma \ \(F&G) \ PROP R" + and "sigma \ \(F\G) \ PROP R" shows "PROP R" by (rule assms STL5 [temp_unlift, THEN iffD1] conjI)+ @@ -317,7 +310,7 @@ *) lemmas all_box = allT [temp_unlift, symmetric] -lemma DmdOr: "\ (\(F | G)) = (\F | \G)" +lemma DmdOr: "\ (\(F \ G)) = (\F \ \G)" apply (auto simp add: dmd_def split_box_conj [try_rewrite]) apply (erule contrapos_np, merge_box, fastforce elim!: STL4E [temp_use])+ done @@ -327,7 +320,7 @@ lemmas ex_dmd = exT [temp_unlift, symmetric] -lemma STL4Edup: "\sigma. \ sigma \ \A; sigma \ \F; \ F & \A \ G \ \ sigma \ \G" +lemma STL4Edup: "\sigma. \ sigma \ \A; sigma \ \F; \ F \ \A \ G \ \ sigma \ \G" apply (erule dup_boxE) apply merge_box apply (erule STL4E) @@ -346,7 +339,7 @@ lemma InfImpl: assumes 1: "sigma \ \\F" and 2: "sigma \ \G" - and 3: "\ F & G \ H" + and 3: "\ F \ G \ H" shows "sigma \ \\H" apply (insert 1 2) apply (erule_tac F = G in dup_boxE) @@ -356,7 +349,7 @@ (* ------------------------ STL6 ------------------------------------------- *) (* Used in the proof of STL6, but useful in itself. *) -lemma BoxDmd: "\ \F & \G \ \(\F & G)" +lemma BoxDmd: "\ \F \ \G \ \(\F \ G)" apply (unfold dmd_def) apply clarsimp apply (erule dup_boxE) @@ -366,14 +359,14 @@ done (* weaker than BoxDmd, but more polymorphic (and often just right) *) -lemma BoxDmd_simple: "\ \F & \G \ \(F & G)" +lemma BoxDmd_simple: "\ \F \ \G \ \(F \ G)" apply (unfold dmd_def) apply clarsimp apply merge_box apply (fastforce elim!: notE STL4E [temp_use]) done -lemma BoxDmd2_simple: "\ \F & \G \ \(G & F)" +lemma BoxDmd2_simple: "\ \F \ \G \ \(G \ F)" apply (unfold dmd_def) apply clarsimp apply merge_box @@ -383,13 +376,13 @@ lemma DmdImpldup: assumes 1: "sigma \ \A" and 2: "sigma \ \F" - and 3: "\ \A & F \ G" + and 3: "\ \A \ F \ G" shows "sigma \ \G" apply (rule 2 [THEN 1 [THEN BoxDmd [temp_use]], THEN DmdImplE]) apply (rule 3) done -lemma STL6: "\ \\F & \\G \ \\(F & G)" +lemma STL6: "\ \\F \ \\G \ \\(F \ G)" apply (auto simp: STL5 [temp_rewrite, symmetric]) apply (drule linT [temp_use]) apply assumption @@ -444,7 +437,7 @@ lemma BoxDmdBox: "\ (\\\F) = (\\F)" apply (auto dest!: STL2 [temp_use]) apply (rule ccontr) - apply (subgoal_tac "sigma \ \\\F & \\\\F") + apply (subgoal_tac "sigma \ \\\F \ \\\\F") apply (erule thin_rl) apply auto apply (drule STL6 [temp_use]) @@ -463,7 +456,7 @@ (* ------------------------ Miscellaneous ----------------------------------- *) -lemma BoxOr: "\sigma. \ sigma \ \F | \G \ \ sigma \ \(F | G)" +lemma BoxOr: "\sigma. \ sigma \ \F \ \G \ \ sigma \ \(F \ G)" by (fastforce elim!: STL4E [temp_use]) (* "persistently implies infinitely often" *) @@ -476,7 +469,7 @@ apply simp done -lemma BoxDmdDmdBox: "\ \\F & \\G \ \\(F & G)" +lemma BoxDmdDmdBox: "\ \\F \ \\G \ \\(F \ G)" apply clarsimp apply (rule ccontr) apply (unfold more_temp_simps2) @@ -494,11 +487,11 @@ section "priming" (* ------------------------ TLA2 ------------------------------------------- *) -lemma STL2_pr: "\ \P \ Init P & Init P`" +lemma STL2_pr: "\ \P \ Init P \ Init P`" by (fastforce intro!: STL2_gen [temp_use] primeI [temp_use]) (* Auxiliary lemma allows priming of boxed actions *) -lemma BoxPrime: "\ \P \ \($P & P$)" +lemma BoxPrime: "\ \P \ \($P \ P$)" apply clarsimp apply (erule dup_boxE) apply (unfold boxInit_act) @@ -507,7 +500,7 @@ done lemma TLA2: - assumes "\ $P & P$ \ A" + assumes "\ $P \ P$ \ A" shows "\ \P \ \A" apply clarsimp apply (drule BoxPrime [temp_use]) @@ -515,7 +508,7 @@ elim!: STL4E [temp_use]) done -lemma TLA2E: "\ sigma \ \P; \ $P & P$ \ A \ \ sigma \ \A" +lemma TLA2E: "\ sigma \ \P; \ $P \ P$ \ A \ \ sigma \ \A" by (erule (1) TLA2 [temp_use]) lemma DmdPrime: "\ (\P`) \ (\P)" @@ -529,7 +522,7 @@ section "stable, invariant" lemma ind_rule: - "\ sigma \ \H; sigma \ Init P; \ H \ (Init P & \\F \ Init(P`) & F) \ + "\ sigma \ \H; sigma \ Init P; \ H \ (Init P \ \\F \ Init(P`) \ F) \ \ sigma \ \F" apply (rule indT [temp_use]) apply (erule (2) STL4E) @@ -552,12 +545,12 @@ done lemma StableT: - "\P. \ $P & A \ P` \ \ \A \ stable P" + "\P. \ $P \ A \ P` \ \ \A \ stable P" apply (unfold stable_def) apply (fastforce elim!: STL4E [temp_use]) done -lemma Stable: "\ sigma \ \A; \ $P & A --> P` \ \ sigma \ stable P" +lemma Stable: "\ sigma \ \A; \ $P \ A \ P` \ \ sigma \ stable P" by (erule (1) StableT [temp_use]) (* Generalization of INV1 *) @@ -568,7 +561,7 @@ apply (force simp: stable_def elim: STL4E [temp_use] INV1 [temp_use]) done -lemma DmdStable: "\ (stable P) & \P \ \\P" +lemma DmdStable: "\ (stable P) \ \P \ \\P" apply clarsimp apply (rule DmdImpl2) prefer 2 @@ -609,7 +602,7 @@ Method.sections Clasimp.clasimp_modifiers >> (K (SIMPLE_METHOD' o auto_inv_tac)) *} -lemma unless: "\ \($P \ P` | Q`) \ (stable P) | \Q" +lemma unless: "\ \($P \ P` \ Q`) \ (stable P) \ \Q" apply (unfold dmd_def) apply (clarsimp dest!: BoxPrime [temp_use]) apply merge_box @@ -622,13 +615,13 @@ section "recursive expansions" (* Recursive expansions of \ and \ for state predicates *) -lemma BoxRec: "\ (\P) = (Init P & \P`)" +lemma BoxRec: "\ (\P) = (Init P \ \P`)" apply (auto intro!: STL2_gen [temp_use]) apply (fastforce elim!: TLA2E [temp_use]) apply (auto simp: stable_def elim!: INV1 [temp_use] STL4E [temp_use]) done -lemma DmdRec: "\ (\P) = (Init P | \P`)" +lemma DmdRec: "\ (\P) = (Init P \ \P`)" apply (unfold dmd_def BoxRec [temp_rewrite]) apply (auto simp: Init_simps) done @@ -643,7 +636,7 @@ apply (rule DBImplBD [temp_use]) apply (subgoal_tac "sigma \ \\P") apply (fastforce elim!: DmdImplE [temp_use] TLA2E [temp_use]) - apply (subgoal_tac "sigma \ \\ (\P & \\P`)") + apply (subgoal_tac "sigma \ \\ (\P \ \\P`)") apply (force simp: boxInit_stp [temp_use] elim!: DmdImplE [temp_use] STL4E [temp_use] DmdRec2 [temp_use]) apply (force intro!: STL6 [temp_use] simp: more_temp_simps3) @@ -651,7 +644,7 @@ done lemma InfiniteEnsures: - "\ sigma \ \N; sigma \ \\A; \ A & N \ P` \ \ sigma \ \\P" + "\ sigma \ \N; sigma \ \\A; \ A \ N \ P` \ \ sigma \ \\P" apply (unfold InfinitePrime [temp_rewrite]) apply (rule InfImpl) apply assumption+ @@ -661,12 +654,12 @@ section "fairness" (* alternative definitions of fairness *) -lemma WF_alt: "\ WF(A)_v = (\\\Enabled(_v) | \\_v)" +lemma WF_alt: "\ WF(A)_v = (\\\Enabled(_v) \ \\_v)" apply (unfold WF_def dmd_def) apply fastforce done -lemma SF_alt: "\ SF(A)_v = (\\\Enabled(_v) | \\_v)" +lemma SF_alt: "\ SF(A)_v = (\\\Enabled(_v) \ \\_v)" apply (unfold SF_def dmd_def) apply fastforce done @@ -702,7 +695,7 @@ section "\" -lemma leadsto_init: "\ (Init F) & (F \ G) \ \G" +lemma leadsto_init: "\ (Init F) \ (F \ G) \ \G" apply (unfold leadsto_def) apply (auto dest!: STL2 [temp_use]) done @@ -723,7 +716,7 @@ apply (fastforce elim!: DmdImplE [temp_use] STL4E [temp_use]) done -lemma leadsto_infinite: "\ \\F & (F \ G) \ \\G" +lemma leadsto_infinite: "\ \\F \ (F \ G) \ \\G" apply clarsimp apply (erule InitDmd [temp_use, THEN streett_leadsto [temp_unlift, THEN iffD2, THEN mp]]) apply (simp add: dmdInitD) @@ -743,7 +736,7 @@ (* introduce an invariant into the proof of a leadsto assertion. \I \ ((P \ Q) = (P /\ I \ Q)) *) -lemma INV_leadsto: "\ \I & (P & I \ Q) \ (P \ Q)" +lemma INV_leadsto: "\ \I \ (P \ I \ Q) \ (P \ Q)" apply (unfold leadsto_def) apply clarsimp apply (erule STL4Edup) @@ -751,12 +744,12 @@ apply (auto simp: Init_simps dest!: STL2_gen [temp_use]) done -lemma leadsto_classical: "\ (Init F & \\G \ G) \ (F \ G)" +lemma leadsto_classical: "\ (Init F \ \\G \ G) \ (F \ G)" apply (unfold leadsto_def dmd_def) apply (force simp: Init_simps elim!: STL4E [temp_use]) done -lemma leadsto_false: "\ (F \ #False) = (\~F)" +lemma leadsto_false: "\ (F \ #False) = (\\F)" apply (unfold leadsto_def) apply (simp add: boxNotInitD) done @@ -781,7 +774,7 @@ by (auto simp: Init_def intro!: ImplLeadsto_gen [temp_use] necT [temp_use]) lemma EnsuresLeadsto: - assumes "\ A & $P \ Q`" + assumes "\ A \ $P \ Q`" shows "\ \A \ (P \ Q)" apply (unfold leadsto_def) apply (clarsimp elim!: INV_leadsto [temp_use]) @@ -797,15 +790,15 @@ done lemma ensures: - assumes 1: "\ $P & N \ P` | Q`" - and 2: "\ ($P & N) & A \ Q`" - shows "\ \N & \(\P \ \A) \ (P \ Q)" + assumes 1: "\ $P \ N \ P` \ Q`" + and 2: "\ ($P \ N) \ A \ Q`" + shows "\ \N \ \(\P \ \A) \ (P \ Q)" apply (unfold leadsto_def) apply clarsimp apply (erule STL4Edup) apply assumption apply clarsimp - apply (subgoal_tac "sigmaa \ \($P \ P` | Q`) ") + apply (subgoal_tac "sigmaa \ \($P \ P` \ Q`) ") apply (drule unless [temp_use]) apply (clarsimp dest!: INV1 [temp_use]) apply (rule 2 [THEN DmdImpl, temp_use, THEN DmdPrime [temp_use]]) @@ -815,16 +808,16 @@ done lemma ensures_simple: - "\ \ $P & N \ P` | Q`; - \ ($P & N) & A \ Q` - \ \ \ \N & \\A \ (P \ Q)" + "\ \ $P \ N \ P` \ Q`; + \ ($P \ N) \ A \ Q` + \ \ \ \N \ \\A \ (P \ Q)" apply clarsimp apply (erule (2) ensures [temp_use]) apply (force elim!: STL4E [temp_use]) done lemma EnsuresInfinite: - "\ sigma \ \\P; sigma \ \A; \ A & $P \ Q` \ \ sigma \ \\Q" + "\ sigma \ \\P; sigma \ \A; \ A \ $P \ Q` \ \ sigma \ \\Q" apply (erule leadsto_infinite [temp_use]) apply (erule EnsuresLeadsto [temp_use]) apply assumption @@ -839,7 +832,7 @@ apply (rule necT InitDmd_gen)+ done -lemma LatticeTransitivity: "\ (G \ H) & (F \ G) \ (F \ H)" +lemma LatticeTransitivity: "\ (G \ H) \ (F \ G) \ (F \ H)" apply (unfold leadsto_def) apply clarsimp apply (erule dup_boxE) (* \\(Init G \ H) *) @@ -852,47 +845,47 @@ apply (simp add: dmdInitD) done -lemma LatticeDisjunctionElim1: "\ (F | G \ H) \ (F \ H)" +lemma LatticeDisjunctionElim1: "\ (F \ G \ H) \ (F \ H)" apply (unfold leadsto_def) apply (auto simp: Init_simps elim!: STL4E [temp_use]) done -lemma LatticeDisjunctionElim2: "\ (F | G \ H) \ (G \ H)" +lemma LatticeDisjunctionElim2: "\ (F \ G \ H) \ (G \ H)" apply (unfold leadsto_def) apply (auto simp: Init_simps elim!: STL4E [temp_use]) done -lemma LatticeDisjunctionIntro: "\ (F \ H) & (G \ H) \ (F | G \ H)" +lemma LatticeDisjunctionIntro: "\ (F \ H) \ (G \ H) \ (F \ G \ H)" apply (unfold leadsto_def) apply clarsimp apply merge_box apply (auto simp: Init_simps elim!: STL4E [temp_use]) done -lemma LatticeDisjunction: "\ (F | G \ H) = ((F \ H) & (G \ H))" +lemma LatticeDisjunction: "\ (F \ G \ H) = ((F \ H) \ (G \ H))" by (auto intro: LatticeDisjunctionIntro [temp_use] LatticeDisjunctionElim1 [temp_use] LatticeDisjunctionElim2 [temp_use]) -lemma LatticeDiamond: "\ (A \ B | C) & (B \ D) & (C \ D) \ (A \ D)" +lemma LatticeDiamond: "\ (A \ B \ C) \ (B \ D) \ (C \ D) \ (A \ D)" apply clarsimp - apply (subgoal_tac "sigma \ (B | C) \ D") - apply (erule_tac G = "LIFT (B | C)" in LatticeTransitivity [temp_use]) + apply (subgoal_tac "sigma \ (B \ C) \ D") + apply (erule_tac G = "LIFT (B \ C)" in LatticeTransitivity [temp_use]) apply (fastforce intro!: LatticeDisjunctionIntro [temp_use])+ done -lemma LatticeTriangle: "\ (A \ D | B) & (B \ D) \ (A \ D)" +lemma LatticeTriangle: "\ (A \ D \ B) \ (B \ D) \ (A \ D)" apply clarsimp - apply (subgoal_tac "sigma \ (D | B) \ D") - apply (erule_tac G = "LIFT (D | B)" in LatticeTransitivity [temp_use]) + apply (subgoal_tac "sigma \ (D \ B) \ D") + apply (erule_tac G = "LIFT (D \ B)" in LatticeTransitivity [temp_use]) apply assumption apply (auto intro: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use]) done -lemma LatticeTriangle2: "\ (A \ B | D) & (B \ D) \ (A \ D)" +lemma LatticeTriangle2: "\ (A \ B \ D) \ (B \ D) \ (A \ D)" apply clarsimp - apply (subgoal_tac "sigma \ B | D \ D") - apply (erule_tac G = "LIFT (B | D)" in LatticeTransitivity [temp_use]) + apply (subgoal_tac "sigma \ B \ D \ D") + apply (erule_tac G = "LIFT (B \ D)" in LatticeTransitivity [temp_use]) apply assumption apply (auto intro: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use]) done @@ -901,10 +894,10 @@ section "Fairness rules" lemma WF1: - "\ \ $P & N \ P` | Q`; - \ ($P & N) & _v \ Q`; - \ $P & N \ $(Enabled(_v)) \ - \ \ \N & WF(A)_v \ (P \ Q)" + "\ \ $P \ N \ P` \ Q`; + \ ($P \ N) \ _v \ Q`; + \ $P \ N \ $(Enabled(_v)) \ + \ \ \N \ WF(A)_v \ (P \ Q)" apply (clarsimp dest!: BoxWFI [temp_use]) apply (erule (2) ensures [temp_use]) apply (erule (1) STL4Edup) @@ -917,10 +910,10 @@ (* Sometimes easier to use; designed for action B rather than state predicate Q *) lemma WF_leadsto: - assumes 1: "\ N & $P \ $Enabled (_v)" - and 2: "\ N & _v \ B" - and 3: "\ \(N & [~A]_v) \ stable P" - shows "\ \N & WF(A)_v \ (P \ B)" + assumes 1: "\ N \ $P \ $Enabled (_v)" + and 2: "\ N \ _v \ B" + and 3: "\ \(N \ [\A]_v) \ stable P" + shows "\ \N \ WF(A)_v \ (P \ B)" apply (unfold leadsto_def) apply (clarsimp dest!: BoxWFI [temp_use]) apply (erule (1) STL4Edup) @@ -939,10 +932,10 @@ done lemma SF1: - "\ \ $P & N \ P` | Q`; - \ ($P & N) & _v \ Q`; - \ \P & \N & \F \ \Enabled(_v) \ - \ \ \N & SF(A)_v & \F \ (P \ Q)" + "\ \ $P \ N \ P` \ Q`; + \ ($P \ N) \ _v \ Q`; + \ \P \ \N \ \F \ \Enabled(_v) \ + \ \ \N \ SF(A)_v \ \F \ (P \ Q)" apply (clarsimp dest!: BoxSFI [temp_use]) apply (erule (2) ensures [temp_use]) apply (erule_tac F = F in dup_boxE) @@ -957,11 +950,11 @@ done lemma WF2: - assumes 1: "\ N & _f \ _g" - and 2: "\ $P & P` & _f \ B" - and 3: "\ P & Enabled(_g) \ Enabled(_f)" - and 4: "\ \(N & [~B]_f) & WF(A)_f & \F & \\Enabled(_g) \ \\P" - shows "\ \N & WF(A)_f & \F \ WF(M)_g" + assumes 1: "\ N \ _f \ _g" + and 2: "\ $P \ P` \ A>_f \ B" + and 3: "\ P \ Enabled(_g) \ Enabled(_f)" + and 4: "\ \(N \ [\B]_f) \ WF(A)_f \ \F \ \\Enabled(_g) \ \\P" + shows "\ \N \ WF(A)_f \ \F \ WF(M)_g" apply (clarsimp dest!: BoxWFI [temp_use] BoxDmdBox [temp_use, THEN iffD2] simp: WF_def [where A = M]) apply (erule_tac F = F in dup_boxE) @@ -970,7 +963,7 @@ apply assumption apply (clarsimp intro!: BoxDmd_simple [temp_use, THEN 1 [THEN DmdImpl, temp_use]]) apply (rule classical) - apply (subgoal_tac "sigmaa \ \ (($P & P` & N) & _f)") + apply (subgoal_tac "sigmaa \ \ (($P \ P` \ N) \ _f)") apply (force simp: angle_def intro!: 2 [temp_use] elim!: DmdImplE [temp_use]) apply (rule BoxDmd_simple [THEN DmdImpl, unfolded DmdDmd [temp_rewrite], temp_use]) apply (simp add: NotDmd [temp_use] not_angle [try_rewrite]) @@ -982,7 +975,7 @@ apply (erule_tac V = "sigmaa \ \\P" in thin_rl) apply (erule_tac V = "sigmaa \ \F" in thin_rl) apply (drule BoxWFI [temp_use]) - apply (erule_tac F = "ACT N & [~B]_f" in dup_boxE) + apply (erule_tac F = "ACT N \ [\B]_f" in dup_boxE) apply merge_temp_box apply (erule DmdImpldup) apply assumption @@ -995,11 +988,11 @@ done lemma SF2: - assumes 1: "\ N & _f \ _g" - and 2: "\ $P & P` & _f \ B" - and 3: "\ P & Enabled(_g) \ Enabled(_f)" - and 4: "\ \(N & [~B]_f) & SF(A)_f & \F & \\Enabled(_g) \ \\P" - shows "\ \N & SF(A)_f & \F \ SF(M)_g" + assumes 1: "\ N \ _f \ _g" + and 2: "\ $P \ P` \ A>_f \ B" + and 3: "\ P \ Enabled(_g) \ Enabled(_f)" + and 4: "\ \(N \ [\B]_f) \ SF(A)_f \ \F \ \\Enabled(_g) \ \\P" + shows "\ \N \ SF(A)_f \ \F \ SF(M)_g" apply (clarsimp dest!: BoxSFI [temp_use] simp: 2 [try_rewrite] SF_def [where A = M]) apply (erule_tac F = F in dup_boxE) apply (erule_tac F = "TEMP \Enabled (_g) " in dup_boxE) @@ -1008,7 +1001,7 @@ apply assumption apply (clarsimp intro!: BoxDmd_simple [temp_use, THEN 1 [THEN DmdImpl, temp_use]]) apply (rule classical) - apply (subgoal_tac "sigmaa \ \ (($P & P` & N) & _f)") + apply (subgoal_tac "sigmaa \ \ (($P \ P` \ N) \ _f)") apply (force simp: angle_def intro!: 2 [temp_use] elim!: DmdImplE [temp_use]) apply (rule BoxDmd_simple [THEN DmdImpl, unfolded DmdDmd [temp_rewrite], temp_use]) apply (simp add: NotDmd [temp_use] not_angle [try_rewrite]) @@ -1018,7 +1011,7 @@ apply (erule_tac V = "sigmaa \ \F" in thin_rl) apply (drule BoxSFI [temp_use]) apply (erule_tac F = "TEMP \Enabled (_g)" in dup_boxE) - apply (erule_tac F = "ACT N & [~B]_f" in dup_boxE) + apply (erule_tac F = "ACT N \ [\B]_f" in dup_boxE) apply merge_temp_box apply (erule DmdImpldup) apply assumption @@ -1037,19 +1030,19 @@ lemma wf_leadsto: assumes 1: "wf r" - and 2: "\x. sigma \ F x \ (G | (\y. #((y,x):r) & F y)) " + and 2: "\x. sigma \ F x \ (G \ (\y. #((y,x)\r) \ F y)) " shows "sigma \ F x \ G" apply (rule 1 [THEN wf_induct]) apply (rule LatticeTriangle [temp_use]) apply (rule 2) apply (auto simp: leadsto_exists [try_rewrite]) - apply (case_tac "(y,x) :r") + apply (case_tac "(y,x) \ r") apply force apply (force simp: leadsto_def Init_simps intro!: necT [temp_use]) done (* If r is well-founded, state function v cannot decrease forever *) -lemma wf_not_box_decrease: "\r. wf r \ \ \[ (v`, $v) : #r ]_v \ \\[#False]_v" +lemma wf_not_box_decrease: "\r. wf r \ \ \[ (v`, $v) \ #r ]_v \ \\[#False]_v" apply clarsimp apply (rule ccontr) apply (subgoal_tac "sigma \ (\x. v=#x) \ #False") @@ -1070,7 +1063,7 @@ *) lemma wf_box_dmd_decrease: assumes 1: "wf r" - shows "\ \\((v`, $v) : #r) \ \\<(v`, $v) \ #r>_v" + shows "\ \\((v`, $v) \ #r) \ \\<(v`, $v) \ #r>_v" apply clarsimp apply (rule ccontr) apply (simp add: not_angle [try_rewrite] more_temp_simps) @@ -1089,7 +1082,7 @@ *) lemma nat_box_dmd_decrease: "\n::nat stfun. \ \\(n` < $n) \ \\($n < n`)" apply clarsimp - apply (subgoal_tac "sigma \ \\<~ ((n`,$n) : #less_than) >_n") + apply (subgoal_tac "sigma \ \\<\ ((n`,$n) \ #less_than)>_n") apply (erule thin_rl) apply (erule STL4E) apply (rule DmdImpl) @@ -1141,9 +1134,9 @@ assumes 1: "sigma \ Init I" and 2: "sigma \ \N" and 3: "basevars vs" - and 4: "\h. basevars(h,vs) \ \ I & h = ha \ HI h" + and 4: "\h. basevars(h,vs) \ \ I \ h = ha \ HI h" and 5: "\h s t. \ basevars(h,vs); N (s,t); h t = hb (h s) (s,t) \ \ HN h (s,t)" - shows "sigma \ \\h. Init (HI h) & \(HN h)" + shows "sigma \ \\h. Init (HI h) \ \(HN h)" apply (rule history [temp_use, THEN eexE]) apply (rule 3) apply (rule eexI [temp_use]) @@ -1161,7 +1154,7 @@ example of a history variable: existence of a clock *) -lemma "\ \\h. Init(h = #True) & \(h` = (~$h))" +lemma "\ \\h. Init(h = #True) \ \(h` = (\$h))" apply (rule tempI) apply (rule historyI) apply (force simp: Init_defs intro!: unit_base [temp_use] necT [temp_use])+