pip: comparison CpsG.thy

equal deleted inserted replaced

-:f1b39d77db00
+:ad57323fd4d6
 *}
 theory CpsG
 imports PrioG Max RTree
 begin
-locale pip =
+definition "wRAG (s::state) = {(Th th, Cs cs) | th cs. waiting s th cs}"
-fixes s
-assumes vt: "vt s"
+definition "hRAG (s::state) =  {(Cs cs, Th th) | th cs. holding s th cs}"
-context pip
+definition "tRAG s = wRAG s O hRAG s"
-begin
+lemma RAG_split: "RAG s = (wRAG s \<union> hRAG s)"
-interpretation rtree_RAG: rtree "RAG s"
+by (unfold s_RAG_abv wRAG_def hRAG_def s_waiting_abv
+s_holding_abv cs_RAG_def, auto)
+lemma tRAG_alt_def:
+"tRAG s = {(Th th1, Th th2) | th1 th2.
+\<exists> cs. (Th th1, Cs cs) \<in> RAG s \<and> (Cs cs, Th th2) \<in> RAG s}"
+by (auto simp:tRAG_def RAG_split wRAG_def hRAG_def)
+lemma tRAG_mono:
+assumes "RAG s' \<subseteq> RAG s"
+shows "tRAG s' \<subseteq> tRAG s"
+using assms
+by (unfold tRAG_alt_def, auto)
+lemma holding_next_thI:
+assumes "holding s th cs"
+and "length (wq s cs) > 1"
+obtains th' where "next_th s th cs th'"
+proof -
+from assms(1)[folded eq_holding, unfolded cs_holding_def]
+have " th \<in> set (wq s cs) \<and> th = hd (wq s cs)" .
+then obtain rest where h1: "wq s cs = th#rest"
+by (cases "wq s cs", auto)
+with assms(2) have h2: "rest \<noteq> []" by auto
+let ?th' = "hd (SOME q. distinct q \<and> set q = set rest)"
+have "next_th s th cs ?th'" using  h1(1) h2
+by (unfold next_th_def, auto)
+from that[OF this] show ?thesis .
+qed
+lemma RAG_tRAG_transfer:
+assumes "vt s'"
+assumes "RAG s = RAG s' \<union> {(Th th, Cs cs)}"
+and "(Cs cs, Th th'') \<in> RAG s'"
+shows "tRAG s = tRAG s' \<union> {(Th th, Th th'')}" (is "?L = ?R")
+proof -
+interpret rtree: rtree "RAG s'"
+proof
+show "single_valued (RAG s')"
+apply (intro_locales)
+by (unfold single_valued_def,
+auto intro:unique_RAG[OF assms(1)])
+show "acyclic (RAG s')"
+by (rule acyclic_RAG[OF assms(1)])
+qed
+{ fix n1 n2
+assume "(n1, n2) \<in> ?L"
+from this[unfolded tRAG_alt_def]
+obtain th1 th2 cs' where
+h: "n1 = Th th1" "n2 = Th th2"
+"(Th th1, Cs cs') \<in> RAG s"
+"(Cs cs', Th th2) \<in> RAG s" by auto
+from h(4) and assms(2) have cs_in: "(Cs cs', Th th2) \<in> RAG s'" by auto
+from h(3) and assms(2)
+have "(Th th1, Cs cs') = (Th th, Cs cs) \<or>
+(Th th1, Cs cs') \<in> RAG s'" by auto
+hence "(n1, n2) \<in> ?R"
+proof
+assume h1: "(Th th1, Cs cs') = (Th th, Cs cs)"
+hence eq_th1: "th1 = th" by simp
+moreover have "th2 = th''"
+proof -
+from h1 have "cs' = cs" by simp
+from assms(3) cs_in[unfolded this] rtree.sgv
+show ?thesis
+by (unfold single_valued_def, auto)
+qed
+ultimately show ?thesis using h(1,2) by auto
+next
+assume "(Th th1, Cs cs') \<in> RAG s'"
+with cs_in have "(Th th1, Th th2) \<in> tRAG s'"
+by (unfold tRAG_alt_def, auto)
+from this[folded h(1, 2)] show ?thesis by auto
+qed
+} moreover {
+fix n1 n2
+assume "(n1, n2) \<in> ?R"
+hence "(n1, n2) \<in>tRAG s' \<or> (n1, n2) = (Th th, Th th'')" by auto
+hence "(n1, n2) \<in> ?L"
+proof
+assume "(n1, n2) \<in> tRAG s'"
+moreover have "... \<subseteq> ?L"
+proof(rule tRAG_mono)
+show "RAG s' \<subseteq> RAG s" by (unfold assms(2), auto)
+qed
+ultimately show ?thesis by auto
+next
+assume eq_n: "(n1, n2) = (Th th, Th th'')"
+from assms(2, 3) have "(Cs cs, Th th'') \<in> RAG s" by auto
+moreover have "(Th th, Cs cs) \<in> RAG s" using assms(2) by auto
+ultimately show ?thesis
+by (unfold eq_n tRAG_alt_def, auto)
+qed
+} ultimately show ?thesis by auto
+qed
+lemma readys_root:
+assumes "vt s"
+and "th \<in> readys s"
+shows "root (RAG s) (Th th)"
+proof -
+{ fix x
+assume "x \<in> ancestors (RAG s) (Th th)"
+hence h: "(Th th, x) \<in> (RAG s)^+" by (auto simp:ancestors_def)
+from tranclD[OF this]
+obtain z where "(Th th, z) \<in> RAG s" by auto
+with assms(2) have False
+apply (case_tac z, auto simp:readys_def s_RAG_def s_waiting_def cs_waiting_def)
+by (fold wq_def, blast)
+} thus ?thesis by (unfold root_def, auto)
+qed
+lemma readys_in_no_subtree:
+assumes "vt s"
+and "th \<in> readys s"
+and "th' \<noteq> th"
+shows "Th th \<notin> subtree (RAG s) (Th th')"
 proof
-show "single_valued (RAG s)"
+assume "Th th \<in> subtree (RAG s) (Th th')"
-apply (intro_locales)
+thus False
-by (unfold single_valued_def, auto intro: unique_RAG[OF vt])
+proof(cases rule:subtreeE)
+case 1
-show "acyclic (RAG s)"
+with assms show ?thesis by auto
-by (rule acyclic_RAG[OF vt])
+next
-qed
+case 2
+with readys_root[OF assms(1,2)]
-end
+show ?thesis by (auto simp:root_def)
+qed
+qed
+lemma image_id:
+assumes "\<And> x. x \<in> A \<Longrightarrow> f x = x"
+shows "f ` A = A"
+using assms by (auto simp:image_def)
 definition "the_preced s th = preced th s"
 lemma cp_alt_def:
 "cp s th =
 thus ?thesis by simp
 qed
 thus ?thesis by (unfold cp_eq_cpreced cpreced_def, fold the_preced_def, simp)
 qed
+fun the_thread :: "node \<Rightarrow> thread" where
+"the_thread (Th th) = th"
+definition "cp_gen s x =
+Max ((the_preced s \<circ> the_thread) ` subtree (tRAG s) x)"
+lemma cp_gen_alt_def:
+"cp_gen s = (Max \<circ> (\<lambda>x. (the_preced s \<circ> the_thread) ` subtree (tRAG s) x))"
+by (auto simp:cp_gen_def)
+lemma tRAG_nodeE:
+assumes "(n1, n2) \<in> tRAG s"
+obtains th1 th2 where "n1 = Th th1" "n2 = Th th2"
+using assms
+by (auto simp: tRAG_def wRAG_def hRAG_def tRAG_def)
+lemma subtree_nodeE:
+assumes "n \<in> subtree (tRAG s) (Th th)"
+obtains th1 where "n = Th th1"
+proof -
+show ?thesis
+proof(rule subtreeE[OF assms])
+assume "n = Th th"
+from that[OF this] show ?thesis .
+next
+assume "Th th \<in> ancestors (tRAG s) n"
+hence "(n, Th th) \<in> (tRAG s)^+" by (auto simp:ancestors_def)
+hence "\<exists> th1. n = Th th1"
+proof(induct)
+case (base y)
+from tRAG_nodeE[OF this] show ?case by metis
+next
+case (step y z)
+thus ?case by auto
+qed
+with that show ?thesis by auto
+qed
+qed
+lemma threads_set_eq:
+"the_thread ` (subtree (tRAG s) (Th th)) =
+{th'. Th th' \<in> (subtree (RAG s) (Th th))}" (is "?L = ?R")
+proof -
+{ fix th'
+assume "th' \<in> ?L"
+then obtain n where h: "th' = the_thread n" "n \<in>  subtree (tRAG s) (Th th)" by auto
+from subtree_nodeE[OF this(2)]
+obtain th1 where "n = Th th1" by auto
+with h have "Th th' \<in>  subtree (tRAG s) (Th th)" by auto
+hence "Th th' \<in>  subtree (RAG s) (Th th)"
+proof(cases rule:subtreeE[consumes 1])
+case 1
+thus ?thesis by (auto simp:subtree_def)
+next
+case 2
+hence "(Th th', Th th) \<in> (tRAG s)^+" by (auto simp:ancestors_def)
+thus ?thesis
+proof(induct)
+case (step y z)
+from this(2)[unfolded tRAG_alt_def]
+obtain u where
+h: "(y, u) \<in> RAG s" "(u, z) \<in> RAG s"
+by auto
+hence "y \<in> subtree (RAG s) z" by (auto simp:subtree_def)
+with step(3)
+show ?case by (auto simp:subtree_def)
+next
+case (base y)
+from this[unfolded tRAG_alt_def]
+show ?case by (auto simp:subtree_def)
+qed
+qed
+hence "th' \<in> ?R" by auto
+} moreover {
+fix th'
+assume "th' \<in> ?R"
+hence "(Th th', Th th) \<in> (RAG s)^*" by (auto simp:subtree_def)
+from star_rpath[OF this]
+obtain xs where "rpath (RAG s) (Th th') xs (Th th)" by auto
+hence "Th th' \<in> subtree (tRAG s) (Th th)"
+proof(induct xs arbitrary:th' th rule:length_induct)
+case (1 xs th' th)
+show ?case
+proof(cases xs)
+case Nil
+from rpath_nilE[OF 1(2)[unfolded this]]
+have "th' = th" by auto
+thus ?thesis by (auto simp:subtree_def)
+next
+case (Cons x1 xs1) note Cons1 = Cons
+show ?thesis
+proof(cases "xs1")
+case Nil
+from 1(2)[unfolded Cons[unfolded this]]
+have rp: "rpath (RAG s) (Th th') [x1] (Th th)" .
+hence "(Th th', x1) \<in> (RAG s)" by (cases, simp)
+then obtain cs where "x1 = Cs cs"
+by (unfold s_RAG_def, auto)
+find_theorems rpath "_ = _@[_]"
+from rpath_nnl_lastE[OF rp[unfolded this]]
+show ?thesis by auto
+next
+case (Cons x2 xs2)
+from 1(2)[unfolded Cons1[unfolded this]]
+have rp: "rpath (RAG s) (Th th') (x1 # x2 # xs2) (Th th)" .
+from rpath_edges_on[OF this]
+have eds: "edges_on (Th th' # x1 # x2 # xs2) \<subseteq> RAG s" .
+have "(Th th', x1) \<in> edges_on (Th th' # x1 # x2 # xs2)"
+by (simp add: edges_on_unfold)
+with eds have rg1: "(Th th', x1) \<in> RAG s" by auto
+then obtain cs1 where eq_x1: "x1 = Cs cs1" by (unfold s_RAG_def, auto)
+have "(x1, x2) \<in> edges_on (Th th' # x1 # x2 # xs2)"
+by (simp add: edges_on_unfold)
+from this eds
+have rg2: "(x1, x2) \<in> RAG s" by auto
+from this[unfolded eq_x1]
+obtain th1 where eq_x2: "x2 = Th th1" by (unfold s_RAG_def, auto)
+from rp have "rpath (RAG s) x2 xs2 (Th th)"
+by  (elim rpath_ConsE, simp)
+from this[unfolded eq_x2] have rp': "rpath (RAG s) (Th th1) xs2 (Th th)" .
+from 1(1)[rule_format, OF _ this, unfolded Cons1 Cons]
+have "Th th1 \<in> subtree (tRAG s) (Th th)" by simp
+moreover have "(Th th', Th th1) \<in> (tRAG s)^*"
+proof -
+from rg1[unfolded eq_x1] rg2[unfolded eq_x1 eq_x2]
+show ?thesis by (unfold RAG_split tRAG_def wRAG_def hRAG_def, auto)
+qed
+ultimately show ?thesis by (auto simp:subtree_def)
+qed
+qed
+qed
+from imageI[OF this, of the_thread]
+have "th' \<in> ?L" by simp
+} ultimately show ?thesis by auto
+qed
+lemma cp_alt_def1:
+"cp s th = Max ((the_preced s o the_thread) ` (subtree (tRAG s) (Th th)))"
+proof -
+have "(the_preced s ` the_thread ` subtree (tRAG s) (Th th)) =
+((the_preced s \<circ> the_thread) ` subtree (tRAG s) (Th th))"
+by auto
+thus ?thesis by (unfold cp_alt_def, fold threads_set_eq, auto)
+qed
+lemma cp_gen_def_cond:
+assumes "x = Th th"
+shows "cp s th = cp_gen s (Th th)"
+by (unfold cp_alt_def1 cp_gen_def, simp)
+lemma cp_gen_over_set:
+assumes "\<forall> x \<in> A. \<exists> th. x = Th th"
+shows "cp_gen s ` A = (cp s \<circ> the_thread) ` A"
+proof(rule f_image_eq)
+fix a
+assume "a \<in> A"
+from assms[rule_format, OF this]
+obtain th where eq_a: "a = Th th" by auto
+show "cp_gen s a = (cp s \<circ> the_thread) a"
+by  (unfold eq_a, simp, unfold cp_gen_def_cond[OF refl[of "Th th"]], simp)
+qed
+locale valid_trace =
+fixes s
+assumes vt : "vt s"
+context valid_trace
+begin
+lemma wf_RAG: "wf (RAG s)"
+proof(rule finite_acyclic_wf)
+from finite_RAG[OF vt] show "finite (RAG s)" .
+next
+from acyclic_RAG[OF vt] show "acyclic (RAG s)" .
+qed
+end
+context valid_trace
+begin
+lemma sgv_wRAG: "single_valued (wRAG s)"
+using waiting_unique[OF vt]
+by (unfold single_valued_def wRAG_def, auto)
+lemma sgv_hRAG: "single_valued (hRAG s)"
+using holding_unique
+by (unfold single_valued_def hRAG_def, auto)
+lemma sgv_tRAG: "single_valued (tRAG s)"
+by (unfold tRAG_def, rule single_valued_relcomp,
+insert sgv_wRAG sgv_hRAG, auto)
+lemma acyclic_tRAG: "acyclic (tRAG s)"
+proof(unfold tRAG_def, rule acyclic_compose)
+show "acyclic (RAG s)" using acyclic_RAG[OF vt] .
+next
+show "wRAG s \<subseteq> RAG s" unfolding RAG_split by auto
+next
+show "hRAG s \<subseteq> RAG s" unfolding RAG_split by auto
+qed
+lemma sgv_RAG: "single_valued (RAG s)"
+using unique_RAG[OF vt] by (auto simp:single_valued_def)
+lemma rtree_RAG: "rtree (RAG s)"
+using sgv_RAG acyclic_RAG[OF vt]
+by (unfold rtree_def rtree_axioms_def sgv_def, auto)
+end
+sublocale valid_trace < rtree_s: rtree "tRAG s"
+proof(unfold_locales)
+from sgv_tRAG show "single_valued (tRAG s)" .
+next
+from acyclic_tRAG show "acyclic (tRAG s)" .
+qed
+sublocale valid_trace < fsbtRAGs : fsubtree "RAG s"
+proof -
+show "fsubtree (RAG s)"
+proof(intro_locales)
+show "fbranch (RAG s)" using finite_fbranchI[OF finite_RAG[OF vt]] .
+next
+show "fsubtree_axioms (RAG s)"
+proof(unfold fsubtree_axioms_def)
+find_theorems wf RAG
+from wf_RAG show "wf (RAG s)" .
+qed
+qed
+qed
+sublocale valid_trace < fsbttRAGs: fsubtree "tRAG s"
+proof -
+have "fsubtree (tRAG s)"
+proof -
+have "fbranch (tRAG s)"
+proof(unfold tRAG_def, rule fbranch_compose)
+show "fbranch (wRAG s)"
+proof(rule finite_fbranchI)
+from finite_RAG[OF vt] show "finite (wRAG s)"
+by (unfold RAG_split, auto)
+qed
+next
+show "fbranch (hRAG s)"
+proof(rule finite_fbranchI)
+from finite_RAG[OF vt]
+show "finite (hRAG s)" by (unfold RAG_split, auto)
+qed
+qed
+moreover have "wf (tRAG s)"
+proof(rule wf_subset)
+show "wf (RAG s O RAG s)" using wf_RAG
+by (fold wf_comp_self, simp)
+next
+show "tRAG s \<subseteq> (RAG s O RAG s)"
+by (unfold tRAG_alt_def, auto)
+qed
+ultimately show ?thesis
+by (unfold fsubtree_def fsubtree_axioms_def,auto)
+qed
+from this[folded tRAG_def] show "fsubtree (tRAG s)" .
+qed
+lemma Max_UNION:
+assumes "finite A"
+and "A \<noteq> {}"
+and "\<forall> M \<in> f ` A. finite M"
+and "\<forall> M \<in> f ` A. M \<noteq> {}"
+shows "Max (\<Union>x\<in> A. f x) = Max (Max ` f ` A)" (is "?L = ?R")
+using assms[simp]
+proof -
+have "?L = Max (\<Union>(f ` A))"
+by (fold Union_image_eq, simp)
+also have "... = ?R"
+by (subst Max_Union, simp+)
+finally show ?thesis .
+qed
+lemma max_Max_eq:
+assumes "finite A"
+and "A \<noteq> {}"
+and "x = y"
+shows "max x (Max A) = Max ({y} \<union> A)" (is "?L = ?R")
+proof -
+have "?R = Max (insert y A)" by simp
+also from assms have "... = ?L"
+by (subst Max.insert, simp+)
+finally show ?thesis by simp
+qed
+context valid_trace
+begin
+(* ddd *)
+lemma cp_gen_rec:
+assumes "x = Th th"
+shows "cp_gen s x = Max ({the_preced s th} \<union> (cp_gen s) ` children (tRAG s) x)"
+proof(cases "children (tRAG s) x = {}")
+case True
+show ?thesis
+by (unfold True cp_gen_def subtree_children, simp add:assms)
+next
+case False
+hence [simp]: "children (tRAG s) x \<noteq> {}" by auto
+note fsbttRAGs.finite_subtree[simp]
+have [simp]: "finite (children (tRAG s) x)"
+by (intro rev_finite_subset[OF fsbttRAGs.finite_subtree],
+rule children_subtree)
+{ fix r x
+have "subtree r x \<noteq> {}" by (auto simp:subtree_def)
+} note this[simp]
+have [simp]: "\<exists>x\<in>children (tRAG s) x. subtree (tRAG s) x \<noteq> {}"
+proof -
+from False obtain q where "q \<in> children (tRAG s) x" by blast
+moreover have "subtree (tRAG s) q \<noteq> {}" by simp
+ultimately show ?thesis by blast
+qed
+have h: "Max ((the_preced s \<circ> the_thread) `
+({x} \<union> \<Union>(subtree (tRAG s) ` children (tRAG s) x))) =
+Max ({the_preced s th} \<union> cp_gen s ` children (tRAG s) x)"
+(is "?L = ?R")
+proof -
+let "Max (?f ` (?A \<union> \<Union> (?g ` ?B)))" = ?L
+let "Max (_ \<union> (?h ` ?B))" = ?R
+let ?L1 = "?f ` \<Union>(?g ` ?B)"
+have eq_Max_L1: "Max ?L1 = Max (?h ` ?B)"
+proof -
+have "?L1 = ?f ` (\<Union> x \<in> ?B.(?g x))" by simp
+also have "... =  (\<Union> x \<in> ?B. ?f ` (?g x))" by auto
+finally have "Max ?L1 = Max ..." by simp
+also have "... = Max (Max ` (\<lambda>x. ?f ` subtree (tRAG s) x) ` ?B)"
+by (subst Max_UNION, simp+)
+also have "... = Max (cp_gen s ` children (tRAG s) x)"
+by (unfold image_comp cp_gen_alt_def, simp)
+finally show ?thesis .
+qed
+show ?thesis
+proof -
+have "?L = Max (?f ` ?A \<union> ?L1)" by simp
+also have "... = max (the_preced s (the_thread x)) (Max ?L1)"
+by (subst Max_Un, simp+)
+also have "... = max (?f x) (Max (?h ` ?B))"
+by (unfold eq_Max_L1, simp)
+also have "... =?R"
+by (rule max_Max_eq, (simp)+, unfold assms, simp)
+finally show ?thesis .
+qed
+qed  thus ?thesis
+by (fold h subtree_children, unfold cp_gen_def, simp)
+qed
+lemma cp_rec:
+"cp s th = Max ({the_preced s th} \<union>
+(cp s o the_thread) ` children (tRAG s) (Th th))"
+proof -
+have "Th th = Th th" by simp
+note h =  cp_gen_def_cond[OF this] cp_gen_rec[OF this]
+show ?thesis
+proof -
+have "cp_gen s ` children (tRAG s) (Th th) =
+(cp s \<circ> the_thread) ` children (tRAG s) (Th th)"
+proof(rule cp_gen_over_set)
+show " \<forall>x\<in>children (tRAG s) (Th th). \<exists>th. x = Th th"
+by (unfold tRAG_alt_def, auto simp:children_def)
+qed
+thus ?thesis by (subst (1) h(1), unfold h(2), simp)
+qed
+qed
+end
 lemma eq_dependants: "dependants (wq s) = dependants s"
 by (simp add: s_dependants_abv wq_def)
 (* obvious lemma *)
 lemma not_thread_holdents:
 fixes th s
 assumes vt: "vt s"
 and not_in: "th \<notin> threads s"
 by (simp add: UN_exists)
 (* moving in Max *)
 also have "\<dots> = max (Max {preced th s})
 (Max ((\<lambda>th. Max (preceds s ({th} \<union> (dependants (wq s) th)))) ` children s th))"
 by (subst Max_Union) (auto simp add: image_image)
 (* folding cp + moving out Max *)
 also have "\<dots> = ?RHS"
 unfolding eq_cp by (simp add: Max_insert)
 finally show "?LHS = ?RHS" .
 qed
 qed
-lemma next_waiting:
+lemma next_th_holding:
 assumes vt: "vt s"
 and nxt: "next_th s th cs th'"
-shows "waiting s th' cs"
+shows "holding (wq s) th cs"
 proof -
-from assms show ?thesis
+from nxt[unfolded next_th_def]
-apply (auto simp:next_th_def s_waiting_def[folded wq_def])
+obtain rest where h: "wq s cs = th # rest"
-proof -
+"rest \<noteq> []"
-fix rest
+"th' = hd (SOME q. distinct q \<and> set q = set rest)" by auto
-assume ni: "hd (SOME q. distinct q \<and> set q = set rest) \<notin> set rest"
+thus ?thesis
-and eq_wq: "wq s cs = th # rest"
+by (unfold cs_holding_def, auto)
-and ne: "rest \<noteq> []"
+qed
-have "set (SOME q. distinct q \<and> set q = set rest) = set rest"
-proof(rule someI2)
+lemma next_th_waiting:
-from wq_distinct[OF vt, of cs] eq_wq
+assumes vt: "vt s"
-show "distinct rest \<and> set rest = set rest" by auto
+and nxt: "next_th s th cs th'"
-next
+shows "waiting (wq s) th' cs"
-show "\<And>x. distinct x \<and> set x = set rest \<Longrightarrow> set x = set rest" by auto
+proof -
-qed
+from nxt[unfolded next_th_def]
-with ni
+obtain rest where h: "wq s cs = th # rest"
-have "hd (SOME q. distinct q \<and> set q = set rest) \<notin>  set (SOME q. distinct q \<and> set q = set rest)"
+"rest \<noteq> []"
-by simp
+"th' = hd (SOME q. distinct q \<and> set q = set rest)" by auto
-moreover have "(SOME q. distinct q \<and> set q = set rest) \<noteq> []"
+from wq_distinct[OF vt, of cs, unfolded h]
-proof(rule someI2)
+have dst: "distinct (th # rest)" .
-from wq_distinct[OF vt, of cs] eq_wq
+have in_rest: "th' \<in> set rest"
-show "distinct rest \<and> set rest = set rest" by auto
+proof(unfold h, rule someI2)
-next
+show "distinct rest \<and> set rest = set rest" using dst by auto
-from ne show "\<And>x. distinct x \<and> set x = set rest \<Longrightarrow> x \<noteq> []" by auto
-qed
-ultimately show "hd (SOME q. distinct q \<and> set q = set rest) = th" by auto
 next
-fix rest
+fix x assume "distinct x \<and> set x = set rest"
-assume eq_wq: "wq s cs = hd (SOME q. distinct q \<and> set q = set rest) # rest"
+with h(2)
-and ne: "rest \<noteq> []"
+show "hd x \<in> set (rest)" by (cases x, auto)
-have "(SOME q. distinct q \<and> set q = set rest) \<noteq> []"
+qed
-proof(rule someI2)
+hence "th' \<in> set (wq s cs)" by (unfold h(1), auto)
-from wq_distinct[OF vt, of cs] eq_wq
+moreover have "th' \<noteq> hd (wq s cs)"
-show "distinct rest \<and> set rest = set rest" by auto
+by (unfold h(1), insert in_rest dst, auto)
-next
+ultimately show ?thesis by (auto simp:cs_waiting_def)
-from ne show "\<And>x. distinct x \<and> set x = set rest \<Longrightarrow> x \<noteq> []" by auto
+qed
-qed
-hence "hd (SOME q. distinct q \<and> set q = set rest) \<in> set (SOME q. distinct q \<and> set q = set rest)"
+lemma next_th_RAG:
-by auto
+assumes vt: "vt s"
-moreover have "set (SOME q. distinct q \<and> set q = set rest) = set rest"
+and nxt: "next_th s th cs th'"
-proof(rule someI2)
+shows "{(Cs cs, Th th), (Th th', Cs cs)} \<subseteq> RAG s"
-from wq_distinct[OF vt, of cs] eq_wq
+using assms next_th_holding next_th_waiting
-show "distinct rest \<and> set rest = set rest" by auto
+by (unfold s_RAG_def, simp)
-next
-show "\<And>x. distinct x \<and> set x = set rest \<Longrightarrow> set x = set rest" by auto
-qed
-ultimately have "hd (SOME q. distinct q \<and> set q = set rest) \<in> set rest" by simp
-with eq_wq and wq_distinct[OF vt, of cs]
-show False by auto
-qed
-qed
 -- {* A useless definition *}
 definition cps:: "state \<Rightarrow> (thread \<times> precedence) set"
 where "cps s = {(th, cp s th) | th . th \<in> threads s}"
 assumes vt_s: "vt s"
 context step_set_cps
 begin
-interpretation rtree_RAGs: rtree "RAG s"
-proof
-show "single_valued (RAG s)"
-apply (intro_locales)
-by (unfold single_valued_def, auto intro: unique_RAG[OF vt_s])
-show "acyclic (RAG s)"
-by (rule acyclic_RAG[OF vt_s])
-qed
-interpretation rtree_RAGs': rtree "RAG s'"
-proof
-show "single_valued (RAG s')"
-apply (intro_locales)
-by (unfold single_valued_def,
-auto intro: unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]]])
-show "acyclic (RAG s')"
-by (rule acyclic_RAG[OF step_back_vt[OF vt_s[unfolded s_def]]])
-qed
 text {* (* ddd *)
-The following lemma confirms that @{text "Set"}-operating only changes the precedence
+The following two lemmas confirm that @{text "Set"}-operating only changes the precedence
-of initiating thread.
+of the initiating thread.
 *}
 lemma eq_preced:
 fixes th'
 assumes "th' \<noteq> th"
 proof -
 from assms show ?thesis
 by (unfold s_def, auto simp:preced_def)
 qed
-text {* (* ddd *)
+lemma eq_the_preced:
+fixes th'
+assumes "th' \<noteq> th"
+shows "the_preced s th' = the_preced s' th'"
+using assms
+by (unfold the_preced_def, intro eq_preced, simp)
+text {*
 The following lemma assures that the resetting of priority does not change the RAG.
 *}
 lemma eq_dep: "RAG s = RAG s'"
 by (unfold s_def RAG_set_unchanged, auto)
-text {*
+text {* (* ddd *)
-Th following lemma @{text "eq_cp_pre"} circumscribe a rough range of recalculation.
+Th following lemma @{text "eq_cp_pre"} says the priority change of @{text "th"}
-It says, thread other than the initiating thread @{text "th"} does not need recalculation
+only affects those threads, which as @{text "Th th"} in their sub-trees.
-unless it lies upstream of @{text "th"} in the RAG.
+The proof of this lemma is simplified by using the alternative definition of @{text "cp"}.
-The reason behind this lemma is that:
-the change of precedence of one thread can only affect it's upstream threads, according to
-lemma @{text "eq_preced"}. Since the only thread which might change precedence is
-@{text "th"}, so only @{text "th"} and its upstream threads need recalculation.
-(* ccc *)
 *}
 lemma eq_cp_pre:
 fixes th'
-assumes neq_th: "th' \<noteq> th"
+assumes nd: "Th th \<notin> subtree (RAG s') (Th th')"
-and nd: "th \<notin> dependants s th'"
 shows "cp s th' = cp s' th'"
 proof -
--- {* This is what we need to prove after expanding the definition of @{text "cp"} *}
+-- {* After unfolding using the alternative definition, elements
-have "Max ((\<lambda>th. preced th s) ` ({th'} \<union> dependants (wq s) th')) =
+affecting the @{term "cp"}-value of threads become explicit.
-Max ((\<lambda>th. preced th s') ` ({th'} \<union> dependants (wq s') th'))"
+We only need to prove the following: *}
-(is "Max (?f1 ` ({th'} \<union> ?A)) = Max (?f2 ` ({th'} \<union> ?B))")
+have "Max (the_preced s ` {th'a. Th th'a \<in> subtree (RAG s) (Th th')}) =
+Max (the_preced s' ` {th'a. Th th'a \<in> subtree (RAG s') (Th th')})"
+(is "Max (?f ` ?S1) = Max (?g ` ?S2)")
 proof -
--- {* Since RAG is not changed by @{text "Set"}-operation, the dependants of
+-- {* The base sets are equal. *}
-any threads are not changed, this is one of key facts underpinning this
+have "?S1 = ?S2" using eq_dep by simp
-lemma *}
+-- {* The function values on the base set are equal as well. *}
-have eq_ab: "?A = ?B" by (unfold cs_dependants_def, auto simp:eq_dep eq_RAG)
+moreover have "\<forall> e \<in> ?S2. ?f e = ?g e"
-have "(?f1 ` ({th'} \<union> ?A)) =  (?f2 ` ({th'} \<union> ?B))"
+proof
-proof(rule image_cong)
+fix th1
-show "{th'} \<union> ?A = {th'} \<union> ?B" by (simp only:eq_ab)
+assume "th1 \<in> ?S2"
-next
+with nd have "th1 \<noteq> th" by (auto)
-fix x
+from eq_the_preced[OF this]
-assume x_in: "x \<in> {th'} \<union> ?B"
+show "the_preced s th1 = the_preced s' th1" .
-show "?f1 x = ?f2 x"
+qed
-proof(rule eq_preced) -- {* The other key fact underpinning this lemma is @{text "eq_preced"} *}
+-- {* Therefore, the image of the functions are equal. *}
-from x_in[folded eq_ab, unfolded eq_dependants]
+ultimately have "(?f ` ?S1) = (?g ` ?S2)" by (auto intro!:f_image_eq)
-have "x \<in> {th'} \<union> dependants s th'" .
+thus ?thesis by simp
-thus "x \<noteq> th"
+qed
-proof
+thus ?thesis by (simp add:cp_alt_def)
-assume "x \<in> {th'}"
-with `th' \<noteq> th` show ?thesis by simp
-next
-assume "x \<in> dependants s th'"
-with `th \<notin> dependants s th'` show ?thesis by auto
-qed
-qed
-qed
-thus ?thesis by simp
-qed
-thus ?thesis by (unfold cp_eq_cpreced cpreced_def)
 qed
 text {*
-The following lemma shows that no thread lies upstream of the initiating thread @{text "th"}.
+The following lemma shows that @{term "th"} is not in the
-The reason for this is that only no-blocked thread can initiate
+sub-tree of any other thread.
-a system call. Since thread @{text "th"} is non-blocked, it is not waiting for any
-critical resource. Therefore, there is edge leading out of @{text "th"} in the RAG.
-Consequently, there is no node (neither resource nor thread) upstream of @{text "th"}.
 *}
-lemma no_dependants:
+lemma th_in_no_subtree:
-shows "th \<notin> dependants s th'"
+assumes "th' \<noteq> th"
-proof
+shows "Th th \<notin> subtree (RAG s') (Th th')"
-assume "th \<in> dependants s th'"
+proof -
-from `th \<in> dependants s th'` have "(Th th, Th th') \<in> (RAG s')\<^sup>+"
+have "th \<in> readys s'"
-by (unfold s_dependants_def, unfold eq_RAG, unfold eq_dep, auto)
-from tranclD[OF this]
-obtain z where "(Th th, z) \<in> RAG s'" by auto
-moreover have "th \<in> readys s'"
 proof -
 from step_back_step [OF vt_s[unfolded s_def]]
 have "step s' (Set th prio)" .
 hence "th \<in> runing s'" by (cases, simp)
 thus ?thesis by (simp add:readys_def runing_def)
 qed
-ultimately show "False"
+from readys_in_no_subtree[OF step_back_vt[OF vt_s[unfolded s_def]] this assms(1)]
-apply (case_tac z, auto simp:readys_def s_RAG_def s_waiting_def cs_waiting_def)
+show ?thesis by blast
-by (fold wq_def, blast)
+qed
-qed
-(* Result improved *)
 text {*
-A simple combination of @{text "eq_cp_pre"} and @{text "no_dependants"}
+By combining @{thm "eq_cp_pre"} and @{thm "th_in_no_subtree"},
-gives the main lemma of this locale, which shows that
+it is obvious that the change of priority only affects the @{text "cp"}-value
-only the initiating thread needs a recalculation of current precedence.
+of the initiating thread @{text "th"}.
 *}
 lemma eq_cp:
 fixes th'
 assumes "th' \<noteq> th"
 shows "cp s th' = cp s' th'"
-by (rule eq_cp_pre[OF assms no_dependants])
+by (rule eq_cp_pre[OF th_in_no_subtree[OF assms]])
 end
 text {*
 The following @{text "step_v_cps"} is the locale for @{text "V"}-operation.
 -- {* @{text "cs"} is the critical resource release by the @{text "V"}-operation *}
 fixes s' th cs s    -- {* @{text "s'"} is the state before operation*}
 defines s_def : "s \<equiv> (V th cs#s')" -- {* @{text "s"} is the state after operation*}
 -- {* @{text "s"} is assumed to be valid, which implies the validity of @{text "s'"} *}
 assumes vt_s: "vt s"
+context step_v_cps
+begin
+lemma rtree_RAGs: "rtree (RAG s)"
+proof
+show "single_valued (RAG s)"
+apply (intro_locales)
+by (unfold single_valued_def, auto intro: unique_RAG[OF vt_s])
+show "acyclic (RAG s)"
+by (rule acyclic_RAG[OF vt_s])
+qed
+lemma rtree_RAGs': "rtree (RAG s')"
+proof
+show "single_valued (RAG s')"
+apply (intro_locales)
+by (unfold single_valued_def,
+auto intro:unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]]])
+show "acyclic (RAG s')"
+by (rule acyclic_RAG[OF step_back_vt[OF vt_s[unfolded s_def]]])
+qed
+lemmas vt_s' = step_back_vt[OF vt_s[unfolded s_def]]
+lemma ready_th_s': "th \<in> readys s'"
+using step_back_step[OF vt_s[unfolded s_def]]
+by (cases, simp add:runing_def)
+lemma ancestors_th: "ancestors (RAG s') (Th th) = {}"
+proof -
+from readys_root[OF vt_s' ready_th_s']
+show ?thesis
+by (unfold root_def, simp)
+qed
+lemma holding_th: "holding s' th cs"
+proof -
+from vt_s[unfolded s_def]
+have " PIP s' (V th cs)" by (cases, simp)
+thus ?thesis by (cases, auto)
+qed
+lemma edge_of_th:
+"(Cs cs, Th th) \<in> RAG s'"
+proof -
+from holding_th
+show ?thesis
+by (unfold s_RAG_def holding_eq, auto)
+qed
+lemma ancestors_cs:
+"ancestors (RAG s') (Cs cs) = {Th th}"
+proof -
+find_theorems ancestors
+have "ancestors (RAG s') (Cs cs) = ancestors (RAG s') (Th th)  \<union>  {Th th}"
+proof(rule RTree.rtree.ancestors_accum[OF rtree_RAGs'])
+from vt_s[unfolded s_def]
+have " PIP s' (V th cs)" by (cases, simp)
+thus "(Cs cs, Th th) \<in> RAG s'"
+proof(cases)
+assume "holding s' th cs"
+from this[unfolded holding_eq]
+show ?thesis by (unfold s_RAG_def, auto)
+qed
+qed
+from this[unfolded ancestors_th] show ?thesis by simp
+qed
+lemma preced_kept: "the_preced s = the_preced s'"
+by (auto simp: s_def the_preced_def preced_def)
+end
 text {*
 The following @{text "step_v_cps_nt"} is the sub-locale for @{text "V"}-operation,
 which represents the case when there is another thread @{text "th'"}
 to take over the critical resource released by the initiating thread @{text "th"}.
 th6 ----|
 |
 th7 ----|
 *)
+lemma sub_RAGs': "{(Cs cs, Th th), (Th th', Cs cs)} \<subseteq> RAG s'"
+using next_th_RAG[OF vt_s' nt] .
+lemma ancestors_th':
+"ancestors (RAG s') (Th th') = {Th th, Cs cs}"
+proof -
+have "ancestors (RAG s') (Th th') = ancestors (RAG s') (Cs cs) \<union> {Cs cs}"
+proof(rule  RTree.rtree.ancestors_accum[OF rtree_RAGs'])
+from sub_RAGs' show "(Th th', Cs cs) \<in> RAG s'" by auto
+qed
+thus ?thesis using ancestors_th ancestors_cs by auto
+qed
 lemma RAG_s:
 "RAG s = (RAG s' - {(Cs cs, Th th), (Th th', Cs cs)}) \<union>
 {(Cs cs, Th th')}"
 proof -
 from step_RAG_v[OF vt_s[unfolded s_def], folded s_def]
 and nt show ?thesis  by (auto intro:next_th_unique)
 qed
-text {*
+lemma subtree_kept:
-Lemma @{text "dependants_kept"} shows only @{text "th"} and @{text "th'"}
+assumes "th1 \<notin> {th, th'}"
-have their dependants changed.
+shows "subtree (RAG s) (Th th1) = subtree (RAG s') (Th th1)" (is "_ = ?R")
-*}
+proof -
-lemma dependants_kept:
+let ?RAG' = "(RAG s' - {(Cs cs, Th th), (Th th', Cs cs)})"
-fixes th''
+let ?RAG'' = "?RAG' \<union> {(Cs cs, Th th')}"
-assumes neq1: "th'' \<noteq> th"
+have "subtree ?RAG' (Th th1) = ?R"
-and neq2: "th'' \<noteq> th'"
+proof(rule subset_del_subtree_outside)
-shows "dependants (wq s) th'' = dependants (wq s') th''"
+show "Range {(Cs cs, Th th), (Th th', Cs cs)} \<inter> subtree (RAG s') (Th th1) = {}"
-proof(auto) (* ccc *)
+proof -
-fix x
+have "(Th th) \<notin> subtree (RAG s') (Th th1)"
-assume "x \<in> dependants (wq s) th''"
+proof(rule subtree_refute)
-hence dp: "(Th x, Th th'') \<in> (RAG s)^+"
+show "Th th1 \<notin> ancestors (RAG s') (Th th)"
-by (auto simp:cs_dependants_def eq_RAG)
+by (unfold ancestors_th, simp)
-{ fix n
+next
-have "(n, Th th'') \<in> (RAG s)^+ \<Longrightarrow>  (n, Th th'') \<in> (RAG s')^+"
+from assms show "Th th1 \<noteq> Th th" by simp
-proof(induct rule:converse_trancl_induct)
+qed
-fix y
+moreover have "(Cs cs) \<notin>  subtree (RAG s') (Th th1)"
-assume "(y, Th th'') \<in> RAG s"
+proof(rule subtree_refute)
-with RAG_s neq1 neq2
+show "Th th1 \<notin> ancestors (RAG s') (Cs cs)"
-have "(y, Th th'') \<in> RAG s'" by auto
+by (unfold ancestors_cs, insert assms, auto)
-thus "(y, Th th'') \<in> (RAG s')\<^sup>+" by auto
+qed simp
+ultimately have "{Th th, Cs cs} \<inter> subtree (RAG s') (Th th1) = {}" by auto
+thus ?thesis by simp
+qed
+qed
+moreover have "subtree ?RAG'' (Th th1) =  subtree ?RAG' (Th th1)"
+proof(rule subtree_insert_next)
+show "Th th' \<notin> subtree (RAG s' - {(Cs cs, Th th), (Th th', Cs cs)}) (Th th1)"
+proof(rule subtree_refute)
+show "Th th1 \<notin> ancestors (RAG s' - {(Cs cs, Th th), (Th th', Cs cs)}) (Th th')"
+(is "_ \<notin> ?R")
+proof -
+have "?R \<subseteq> ancestors (RAG s') (Th th')" by (rule ancestors_mono, auto)
+moreover have "Th th1 \<notin> ..." using ancestors_th' assms by simp
+ultimately show ?thesis by auto
+qed
 next
-fix y z
+from assms show "Th th1 \<noteq> Th th'" by simp
-assume yz: "(y, z) \<in> RAG s"
+qed
-and ztp: "(z, Th th'') \<in> (RAG s)\<^sup>+"
+qed
-and ztp': "(z, Th th'') \<in> (RAG s')\<^sup>+"
+ultimately show ?thesis by (unfold RAG_s, simp)
-have "y \<noteq> Cs cs \<and> y \<noteq> Th th'"
-proof
-show "y \<noteq> Cs cs"
-proof
-assume eq_y: "y = Cs cs"
-with yz have dp_yz: "(Cs cs, z) \<in> RAG s" by simp
-from RAG_s
-have cst': "(Cs cs, Th th') \<in> RAG s" by simp
-from unique_RAG[OF vt_s this dp_yz]
-have eq_z: "z = Th th'" by simp
-with ztp have "(Th th', Th th'') \<in> (RAG s)^+" by simp
-from converse_tranclE[OF this]
-obtain cs' where dp'': "(Th th', Cs cs') \<in> RAG s"
-by (auto simp:s_RAG_def)
-with RAG_s have dp': "(Th th', Cs cs') \<in> RAG s'" by auto
-from dp'' eq_y yz eq_z have "(Cs cs, Cs cs') \<in> (RAG s)^+" by auto
-moreover have "cs' = cs"
-proof -
-from next_waiting[OF step_back_vt[OF vt_s[unfolded s_def]] nt]
-have "(Th th', Cs cs) \<in> RAG s'"
-by (auto simp:s_waiting_def wq_def s_RAG_def cs_waiting_def)
-from unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]] this dp']
-show ?thesis by simp
-qed
-ultimately have "(Cs cs, Cs cs) \<in> (RAG s)^+" by simp
-moreover note wf_trancl[OF wf_RAG[OF vt_s]]
-ultimately show False by auto
-qed
-next
-show "y \<noteq> Th th'"
-proof
-assume eq_y: "y = Th th'"
-with yz have dps: "(Th th', z) \<in> RAG s" by simp
-with RAG_s have dps': "(Th th', z) \<in> RAG s'" by auto
-have "z = Cs cs"
-proof -
-from next_waiting[OF step_back_vt[OF vt_s[unfolded s_def]] nt]
-have "(Th th', Cs cs) \<in> RAG s'"
-by (auto simp:s_waiting_def wq_def s_RAG_def cs_waiting_def)
-from unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]] dps' this]
-show ?thesis .
-qed
-with dps RAG_s show False by auto
-qed
-qed
-with RAG_s yz have "(y, z) \<in> RAG s'" by auto
-with ztp'
-show "(y, Th th'') \<in> (RAG s')\<^sup>+" by auto
-qed
-}
-from this[OF dp]
-show "x \<in> dependants (wq s') th''"
-by (auto simp:cs_dependants_def eq_RAG)
-next
-fix x
-assume "x \<in> dependants (wq s') th''"
-hence dp: "(Th x, Th th'') \<in> (RAG s')^+"
-by (auto simp:cs_dependants_def eq_RAG)
-{ fix n
-have "(n, Th th'') \<in> (RAG s')^+ \<Longrightarrow>  (n, Th th'') \<in> (RAG s)^+"
-proof(induct rule:converse_trancl_induct)
-fix y
-assume "(y, Th th'') \<in> RAG s'"
-with RAG_s neq1 neq2
-have "(y, Th th'') \<in> RAG s" by auto
-thus "(y, Th th'') \<in> (RAG s)\<^sup>+" by auto
-next
-fix y z
-assume yz: "(y, z) \<in> RAG s'"
-and ztp: "(z, Th th'') \<in> (RAG s')\<^sup>+"
-and ztp': "(z, Th th'') \<in> (RAG s)\<^sup>+"
-have "y \<noteq> Cs cs \<and> y \<noteq> Th th'"
-proof
-show "y \<noteq> Cs cs"
-proof
-assume eq_y: "y = Cs cs"
-with yz have dp_yz: "(Cs cs, z) \<in> RAG s'" by simp
-from this have eq_z: "z = Th th"
-proof -
-from step_back_step[OF vt_s[unfolded s_def]]
-have "(Cs cs, Th th) \<in> RAG s'"
-by(cases, auto simp: wq_def s_RAG_def cs_holding_def s_holding_def)
-from unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]] this dp_yz]
-show ?thesis by simp
-qed
-from converse_tranclE[OF ztp]
-obtain u where "(z, u) \<in> RAG s'" by auto
-moreover
-from step_back_step[OF vt_s[unfolded s_def]]
-have "th \<in> readys s'" by (cases, simp add:runing_def)
-moreover note eq_z
-ultimately show False
-by (auto simp:readys_def wq_def s_RAG_def s_waiting_def cs_waiting_def)
-qed
-next
-show "y \<noteq> Th th'"
-proof
-assume eq_y: "y = Th th'"
-with yz have dps: "(Th th', z) \<in> RAG s'" by simp
-have "z = Cs cs"
-proof -
-from next_waiting[OF step_back_vt[OF vt_s[unfolded s_def]] nt]
-have "(Th th', Cs cs) \<in> RAG s'"
-by (auto simp:s_waiting_def wq_def s_RAG_def cs_waiting_def)
-from unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]] dps this]
-show ?thesis .
-qed
-with ztp have cs_i: "(Cs cs, Th th'') \<in>  (RAG s')\<^sup>+" by simp
-from step_back_step[OF vt_s[unfolded s_def]]
-have cs_th: "(Cs cs, Th th) \<in> RAG s'"
-by(cases, auto simp: s_RAG_def wq_def cs_holding_def s_holding_def)
-have "(Cs cs, Th th'') \<notin>  RAG s'"
-proof
-assume "(Cs cs, Th th'') \<in> RAG s'"
-from unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]] this cs_th]
-and neq1 show "False" by simp
-qed
-with converse_tranclE[OF cs_i]
-obtain u where cu: "(Cs cs, u) \<in> RAG s'"
-and u_t: "(u, Th th'') \<in> (RAG s')\<^sup>+" by auto
-have "u = Th th"
-proof -
-from unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]] cu cs_th]
-show ?thesis .
-qed
-with u_t have "(Th th, Th th'') \<in> (RAG s')\<^sup>+" by simp
-from converse_tranclE[OF this]
-obtain v where "(Th th, v) \<in> (RAG s')" by auto
-moreover from step_back_step[OF vt_s[unfolded s_def]]
-have "th \<in> readys s'" by (cases, simp add:runing_def)
-ultimately show False
-by (auto simp:readys_def wq_def s_RAG_def s_waiting_def cs_waiting_def)
-qed
-qed
-with RAG_s yz have "(y, z) \<in> RAG s" by auto
-with ztp'
-show "(y, Th th'') \<in> (RAG s)\<^sup>+" by auto
-qed
-}
-from this[OF dp]
-show "x \<in> dependants (wq s) th''"
-by (auto simp:cs_dependants_def eq_RAG)
 qed
 lemma cp_kept:
-fixes th''
+assumes "th1 \<notin> {th, th'}"
-assumes neq1: "th'' \<noteq> th"
+shows "cp s th1 = cp s' th1"
-and neq2: "th'' \<noteq> th'"
+by (unfold cp_alt_def preced_kept subtree_kept[OF assms], simp)
-shows "cp s th'' = cp s' th''"
-proof -
-from dependants_kept[OF neq1 neq2]
-have "dependants (wq s) th'' = dependants (wq s') th''" .
-moreover {
-fix th1
-assume "th1 \<in> dependants (wq s) th''"
-have "preced th1 s = preced th1 s'"
-by (unfold s_def, auto simp:preced_def)
-}
-moreover have "preced th'' s = preced th'' s'"
-by (unfold s_def, auto simp:preced_def)
-ultimately have "((\<lambda>th. preced th s) ` ({th''} \<union> dependants (wq s) th'')) =
-((\<lambda>th. preced th s') ` ({th''} \<union> dependants (wq s') th''))"
-by (auto simp:image_def)
-thus ?thesis
-by (unfold cp_eq_cpreced cpreced_def, simp)
-qed
 end
 locale step_v_cps_nnt = step_v_cps +
 assumes nnt: "\<And> th'. (\<not> next_th s' th cs th')"
 context step_v_cps_nnt
 begin
-lemma nw_cs: "(Th th1, Cs cs) \<notin> RAG s'"
-proof
-assume "(Th th1, Cs cs) \<in> RAG s'"
-thus "False"
-apply (auto simp:s_RAG_def cs_waiting_def)
-proof -
-assume h1: "th1 \<in> set (wq s' cs)"
-and h2: "th1 \<noteq> hd (wq s' cs)"
-from step_back_step[OF vt_s[unfolded s_def]]
-show "False"
-proof(cases)
-assume "holding s' th cs"
-then obtain rest where
-eq_wq: "wq s' cs = th#rest"
-apply (unfold s_holding_def wq_def[symmetric])
-by (case_tac "(wq s' cs)", auto)
-with h1 h2 have ne: "rest \<noteq> []" by auto
-with eq_wq
-have "next_th s' th cs (hd (SOME q. distinct q \<and> set q = set rest))"
-by(unfold next_th_def, rule_tac x = "rest" in exI, auto)
-with nnt show ?thesis by auto
-qed
-qed
-qed
 lemma RAG_s: "RAG s = RAG s' - {(Cs cs, Th th)}"
 proof -
 from nnt and  step_RAG_v[OF vt_s[unfolded s_def], folded s_def]
 show ?thesis by auto
 qed
-lemma child_kept_left:
+lemma subtree_kept:
-assumes
+assumes "th1 \<noteq> th"
-"(n1, n2) \<in> (child s')^+"
+shows "subtree (RAG s) (Th th1) = subtree (RAG s') (Th th1)"
-shows "(n1, n2) \<in> (child s)^+"
+proof(unfold RAG_s, rule subset_del_subtree_outside)
-proof -
+show "Range {(Cs cs, Th th)} \<inter> subtree (RAG s') (Th th1) = {}"
-from assms show ?thesis
+proof -
-proof(induct rule: converse_trancl_induct)
+have "(Th th) \<notin> subtree (RAG s') (Th th1)"
-case (base y)
+proof(rule subtree_refute)
-from base obtain th1 cs1 th2
+show "Th th1 \<notin> ancestors (RAG s') (Th th)"
-where h1: "(Th th1, Cs cs1) \<in> RAG s'"
+by (unfold ancestors_th, simp)
-and h2: "(Cs cs1, Th th2) \<in> RAG s'"
+next
-and eq_y: "y = Th th1" and eq_n2: "n2 = Th th2"  by (auto simp:child_def)
+from assms show "Th th1 \<noteq> Th th" by simp
-have "cs1 \<noteq> cs"
+qed
+thus ?thesis by auto
+qed
+qed
+lemma cp_kept_1:
+assumes "th1 \<noteq> th"
+shows "cp s th1 = cp s' th1"
+by (unfold cp_alt_def preced_kept subtree_kept[OF assms], simp)
+lemma subtree_cs: "subtree (RAG s') (Cs cs) = {Cs cs}"
+proof -
+{ fix n
+have "(Cs cs) \<notin> ancestors (RAG s') n"
 proof
-assume eq_cs: "cs1 = cs"
+assume "Cs cs \<in> ancestors (RAG s') n"
-with h1 have "(Th th1, Cs cs1) \<in> RAG s'" by simp
+hence "(n, Cs cs) \<in> (RAG s')^+" by (auto simp:ancestors_def)
-with nw_cs eq_cs show False by auto
+from tranclE[OF this] obtain nn where h: "(nn, Cs cs) \<in> RAG s'" by auto
-qed
+then obtain th' where "nn = Th th'"
-with h1 h2 RAG_s have
+by (unfold s_RAG_def, auto)
-h1': "(Th th1, Cs cs1) \<in> RAG s" and
+from h[unfolded this] have "(Th th', Cs cs) \<in> RAG s'" .
-h2': "(Cs cs1, Th th2) \<in> RAG s" by auto
+from this[unfolded s_RAG_def]
-hence "(Th th1, Th th2) \<in> child s" by (auto simp:child_def)
+have "waiting (wq s') th' cs" by auto
-with eq_y eq_n2 have "(y, n2) \<in> child s" by simp
+from this[unfolded cs_waiting_def]
-thus ?case by auto
+have "1 < length (wq s' cs)"
-next
+by (cases "wq s' cs", auto)
-case (step y z)
+from holding_next_thI[OF holding_th this]
-have "(y, z) \<in> child s'" by fact
+obtain th' where "next_th s' th cs th'" by auto
-then obtain th1 cs1 th2
+with nnt show False by auto
-where h1: "(Th th1, Cs cs1) \<in> RAG s'"
+qed
-and h2: "(Cs cs1, Th th2) \<in> RAG s'"
+} note h = this
-and eq_y: "y = Th th1" and eq_z: "z = Th th2"  by (auto simp:child_def)
+{  fix n
-have "cs1 \<noteq> cs"
+assume "n \<in> subtree (RAG s') (Cs cs)"
-proof
+hence "n = (Cs cs)"
-assume eq_cs: "cs1 = cs"
+by (elim subtreeE, insert h, auto)
-with h1 have "(Th th1, Cs cs1) \<in> RAG s'" by simp
+} moreover have "(Cs cs) \<in> subtree (RAG s') (Cs cs)"
-with nw_cs eq_cs show False by auto
+by (auto simp:subtree_def)
-qed
+ultimately show ?thesis by auto
-with h1 h2 RAG_s have
+qed
-h1': "(Th th1, Cs cs1) \<in> RAG s" and
-h2': "(Cs cs1, Th th2) \<in> RAG s" by auto
+lemma subtree_th:
-hence "(Th th1, Th th2) \<in> child s" by (auto simp:child_def)
+"subtree (RAG s) (Th th) = subtree (RAG s') (Th th) - {Cs cs}"
-with eq_y eq_z have "(y, z) \<in> child s" by simp
+proof(unfold RAG_s, fold subtree_cs, rule RTree.rtree.subtree_del_inside[OF rtree_RAGs'])
-moreover have "(z, n2) \<in> (child s)^+" by fact
+from edge_of_th
-ultimately show ?case by auto
+show "(Cs cs, Th th) \<in> edges_in (RAG s') (Th th)"
-qed
+by (unfold edges_in_def, auto simp:subtree_def)
 qed
-lemma  child_kept_right:
+lemma cp_kept_2:
-assumes
+shows "cp s th = cp s' th"
-"(n1, n2) \<in> (child s)^+"
+by (unfold cp_alt_def subtree_th preced_kept, auto)
-shows "(n1, n2) \<in> (child s')^+"
-proof -
-from assms show ?thesis
-proof(induct)
-case (base y)
-from base and RAG_s
-have "(n1, y) \<in> child s'"
-by (auto simp:child_def)
-thus ?case by auto
-next
-case (step y z)
-have "(y, z) \<in> child s" by fact
-with RAG_s have "(y, z) \<in> child s'"
-by (auto simp:child_def)
-moreover have "(n1, y) \<in> (child s')\<^sup>+" by fact
-ultimately show ?case by auto
-qed
-qed
-lemma eq_child: "(child s)^+ = (child s')^+"
-by (insert child_kept_left child_kept_right, auto)
 lemma eq_cp:
 fixes th'
 shows "cp s th' = cp s' th'"
-apply (unfold cp_eq_cpreced cpreced_def)
+using cp_kept_1 cp_kept_2
-proof -
+by (cases "th' = th", auto)
-have eq_dp: "\<And> th. dependants (wq s) th = dependants (wq s') th"
-apply (unfold cs_dependants_def, unfold eq_RAG)
-proof -
-from eq_child
-have "\<And>th. {th'. (Th th', Th th) \<in> (child s)\<^sup>+} = {th'. (Th th', Th th) \<in> (child s')\<^sup>+}"
-by simp
-with child_RAG_eq[OF vt_s] child_RAG_eq[OF step_back_vt[OF vt_s[unfolded s_def]]]
-show "\<And>th. {th'. (Th th', Th th) \<in> (RAG s)\<^sup>+} = {th'. (Th th', Th th) \<in> (RAG s')\<^sup>+}"
-by simp
-qed
-moreover {
-fix th1
-assume "th1 \<in> {th'} \<union> dependants (wq s') th'"
-hence "th1 = th' \<or> th1 \<in> dependants (wq s') th'" by auto
-hence "preced th1 s = preced th1 s'"
-proof
-assume "th1 = th'"
-show "preced th1 s = preced th1 s'" by (simp add:s_def preced_def)
-next
-assume "th1 \<in> dependants (wq s') th'"
-show "preced th1 s = preced th1 s'" by (simp add:s_def preced_def)
-qed
-} ultimately have "((\<lambda>th. preced th s) ` ({th'} \<union> dependants (wq s) th')) =
-((\<lambda>th. preced th s') ` ({th'} \<union> dependants (wq s') th'))"
-by (auto simp:image_def)
-thus "Max ((\<lambda>th. preced th s) ` ({th'} \<union> dependants (wq s) th')) =
-Max ((\<lambda>th. preced th s') ` ({th'} \<union> dependants (wq s') th'))" by simp
-qed
 end
+find_theorems "_`_" "\<Union> _"
+find_theorems "Max" "\<Union> _"
+find_theorems wf RAG
+thm wf_def
+thm image_Union
 locale step_P_cps =
 fixes s' th cs s
 defines s_def : "s \<equiv> (P th cs#s')"
 assumes vt_s: "vt s"
+sublocale step_P_cps < vat_s : valid_trace "s"
+proof
+from vt_s show "vt s" .
+qed
+sublocale step_P_cps < vat_s' : valid_trace "s'"
+proof
+from step_back_vt[OF vt_s[unfolded s_def]] show "vt s'" .
+qed
+context step_P_cps
+begin
+lemma rtree_RAGs: "rtree (RAG s)"
+proof
+show "single_valued (RAG s)"
+apply (intro_locales)
+by (unfold single_valued_def, auto intro: unique_RAG[OF vt_s])
+show "acyclic (RAG s)"
+by (rule acyclic_RAG[OF vt_s])
+qed
+lemma rtree_RAGs': "rtree (RAG s')"
+proof
+show "single_valued (RAG s')"
+apply (intro_locales)
+by (unfold single_valued_def,
+auto intro:unique_RAG[OF step_back_vt[OF vt_s[unfolded s_def]]])
+show "acyclic (RAG s')"
+by (rule acyclic_RAG[OF step_back_vt[OF vt_s[unfolded s_def]]])
+qed
+lemma preced_kept: "the_preced s = the_preced s'"
+by (auto simp: s_def the_preced_def preced_def)
+end
 locale step_P_cps_ne =step_P_cps +
+fixes th'
 assumes ne: "wq s' cs \<noteq> []"
+defines th'_def: "th' \<equiv> hd (wq s' cs)"
 locale step_P_cps_e =step_P_cps +
 assumes ee: "wq s' cs = []"
 context step_P_cps_e
 Max ((\<lambda>th. preced th s') ` ({th'} \<union> dependants (wq s') th'))" by simp
 qed
 end
-context step_P_cps_ne
+lemma tRAG_ancestorsE:
+assumes "x \<in> ancestors (tRAG s) u"
+obtains th where "x = Th th"
+proof -
+from assms have "(u, x) \<in> (tRAG s)^+"
+by (unfold ancestors_def, auto)
+from tranclE[OF this] obtain c where "(c, x) \<in> tRAG s" by auto
+then obtain th where "x = Th th"
+by (unfold tRAG_alt_def, auto)
+from that[OF this] show ?thesis .
+qed
+context step_P_cps_ne
 begin
 lemma RAG_s: "RAG s = RAG s' \<union> {(Th th, Cs cs)}"
 proof -
 from step_RAG_p[OF vt_s[unfolded s_def]] and ne
 show ?thesis by (simp add:s_def)
 qed
+lemma cs_held: "(Cs cs, Th th') \<in> RAG s'"
+proof -
+have "(Cs cs, Th th') \<in> hRAG s'"
+proof -
+from ne
+have " holding s' th' cs"
+by (unfold th'_def holding_eq cs_holding_def, auto)
+thus ?thesis
+by (unfold hRAG_def, auto)
+qed
+thus ?thesis by (unfold RAG_split, auto)
+qed
+lemma tRAG_s:
+"tRAG s = tRAG s' \<union> {(Th th, Th th')}"
+using RAG_tRAG_transfer[OF step_back_vt[OF vt_s[unfolded s_def]] RAG_s cs_held] .
+lemma cp_kept:
+assumes "Th th'' \<notin> ancestors (tRAG s) (Th th)"
+shows "cp s th'' = cp s' th''"
+proof -
+have h: "subtree (tRAG s) (Th th'') = subtree (tRAG s') (Th th'')"
+proof -
+have "Th th' \<notin> subtree (tRAG s') (Th th'')"
+proof
+assume "Th th' \<in> subtree (tRAG s') (Th th'')"
+thus False
+proof(rule subtreeE)
+assume "Th th' = Th th''"
+from assms[unfolded tRAG_s ancestors_def, folded this]
+show ?thesis by auto
+next
+assume "Th th'' \<in> ancestors (tRAG s') (Th th')"
+moreover have "... \<subseteq> ancestors (tRAG s) (Th th')"
+proof(rule ancestors_mono)
+show "tRAG s' \<subseteq> tRAG s" by (unfold tRAG_s, auto)
+qed
+ultimately have "Th th'' \<in> ancestors (tRAG s) (Th th')" by auto
+moreover have "Th th' \<in> ancestors (tRAG s) (Th th)"
+by (unfold tRAG_s, auto simp:ancestors_def)
+ultimately have "Th th'' \<in> ancestors (tRAG s) (Th th)"
+by (auto simp:ancestors_def)
+with assms show ?thesis by auto
+qed
+qed
+from subtree_insert_next[OF this]
+have "subtree (tRAG s' \<union> {(Th th, Th th')}) (Th th'') = subtree (tRAG s') (Th th'')" .
+from this[folded tRAG_s] show ?thesis .
+qed
+show ?thesis by (unfold cp_alt_def1 h preced_kept, simp)
+qed
+lemma set_prop_split:
+"A = {x. x \<in> A \<and> PP x} \<union> {x. x \<in> A \<and> \<not> PP x}"
+by auto
+lemma f_image_union_eq:
+assumes "f ` A = g ` A"
+and "f ` B = g ` B"
+shows "f ` (A \<union> B) = g ` (A \<union> B)"
+using assms by auto
+(* ccc *)
+lemma cp_gen_update_stop:
+assumes "u \<in> ancestors (tRAG s) (Th th)"
+and "cp_gen s u = cp_gen s' u"
+and "y \<in> ancestors (tRAG s) u"
+shows "cp_gen s y = cp_gen s' y"
+using assms(3)
+proof(induct rule:wf_induct[OF vat_s.fsbttRAGs.wf])
+case (1 x)
+show ?case (is "?L = ?R")
+proof -
+from tRAG_ancestorsE[OF 1(2)]
+obtain th2 where eq_x: "x = Th th2" by blast
+from vat_s.cp_gen_rec[OF this]
+have "?L =
+Max ({the_preced s th2} \<union> cp_gen s ` RTree.children (tRAG s) x)" .
+also have "... =
+Max ({the_preced s' th2} \<union> cp_gen s' ` RTree.children (tRAG s') x)"
+proof -
+from preced_kept have "the_preced s th2 = the_preced s' th2" by simp
+moreover have "cp_gen s ` RTree.children (tRAG s) x =
+cp_gen s' ` RTree.children (tRAG s') x"
+proof -
+have "RTree.children (tRAG s) x =  RTree.children (tRAG s') x"
+proof(unfold tRAG_s, rule children_union_kept)
+have start: "(Th th, Th th') \<in> tRAG s"
+by (unfold tRAG_s, auto)
+note x_u = 1(2)
+show "x \<notin> Range {(Th th, Th th')}"
+proof
+assume "x \<in> Range {(Th th, Th th')}"
+hence eq_x: "x = Th th'" using RangeE by auto
+show False
+proof(cases rule:vat_s.rtree_s.ancestors_headE[OF assms(1) start])
+case 1
+from x_u[folded this, unfolded eq_x] vat_s.acyclic_tRAG
+show ?thesis by (auto simp:ancestors_def acyclic_def)
+next
+case 2
+with x_u[unfolded eq_x]
+have "(Th th', Th th') \<in> (tRAG s)^+" by (auto simp:ancestors_def)
+with vat_s.acyclic_tRAG show ?thesis by (auto simp:acyclic_def)
+qed
+qed
+qed
+moreover have "cp_gen s ` RTree.children (tRAG s) x =
+cp_gen s' ` RTree.children (tRAG s) x" (is "?f ` ?A = ?g ` ?A")
+proof(rule f_image_eq)
+fix a
+assume a_in: "a \<in> ?A"
+from 1(2)
+show "?f a = ?g a"
+proof(cases rule:vat_s.rtree_s.ancestors_childrenE[case_names in_ch out_ch])
+case in_ch
+show ?thesis
+proof(cases "a = u")
+case True
+from assms(2)[folded this] show ?thesis .
+next
+case False
+have a_not_in: "a \<notin> ancestors (tRAG s) (Th th)"
+proof
+assume a_in': "a \<in> ancestors (tRAG s) (Th th)"
+have "a = u"
+proof(rule vat_s.rtree_s.ancestors_children_unique)
+from a_in' a_in show "a \<in> ancestors (tRAG s) (Th th) \<inter>
+RTree.children (tRAG s) x" by auto
+next
+from assms(1) in_ch show "u \<in> ancestors (tRAG s) (Th th) \<inter>
+RTree.children (tRAG s) x" by auto
+qed
+with False show False by simp
+qed
+from a_in obtain th_a where eq_a: "a = Th th_a"
+by (unfold RTree.children_def tRAG_alt_def, auto)
+from cp_kept[OF a_not_in[unfolded eq_a]]
+have "cp s th_a = cp s' th_a" .
+from this [unfolded cp_gen_def_cond[OF eq_a], folded eq_a]
+show ?thesis .
+qed
+next
+case (out_ch z)
+hence h: "z \<in> ancestors (tRAG s) u" "z \<in> RTree.children (tRAG s) x" by auto
+show ?thesis
+proof(cases "a = z")
+case True
+from h(2) have zx_in: "(z, x) \<in> (tRAG s)" by (auto simp:RTree.children_def)
+from 1(1)[rule_format, OF this h(1)]
+have eq_cp_gen: "cp_gen s z = cp_gen s' z" .
+with True show ?thesis by metis
+next
+case False
+from a_in obtain th_a where eq_a: "a = Th th_a"
+by (auto simp:RTree.children_def tRAG_alt_def)
+have "a \<notin> ancestors (tRAG s) (Th th)" sorry
+from cp_kept[OF this[unfolded eq_a]]
+have "cp s th_a = cp s' th_a" .
+from this[unfolded cp_gen_def_cond[OF eq_a], folded eq_a]
+show ?thesis .
+qed
+qed
+qed
+ultimately show ?thesis by metis
+qed
+ultimately show ?thesis by simp
+qed
+also have "... = ?R"
+by (fold vat_s'.cp_gen_rec[OF eq_x], simp)
+finally show ?thesis .
+qed
+qed
+(* ccc *)
 lemma eq_child_left:
 assumes nd: "(Th th, Th th') \<notin> (child s)^+"
 shows "(n1, Th th') \<in> (child s)^+ \<Longrightarrow> (n1, Th th') \<in> (child s')^+"
 proof(induct rule:converse_trancl_induct)

changeset 58	ad57323fd4d6
parent 56	0fd478e14e87
child 59	0a069a667301