pip: comparison PIPBasics.thy

equal deleted inserted replaced

-:3d2b59f15f26
+:c7db2ccba18a
 by  (unfold s_waiting_def cs_waiting_def wq_def, auto)
 lemma holding_eq: "holding (s::state) th cs = holding (wq s) th cs"
 by (unfold s_holding_def wq_def cs_holding_def, simp)
+lemma children_RAG_alt_def:
+"children (RAG (s::state)) (Th th) = Cs ` {cs. holding s th cs}"
+by (unfold s_RAG_def, auto simp:children_def holding_eq)
+lemma holdents_alt_def:
+"holdents s th = the_cs ` (children (RAG (s::state)) (Th th))"
+by (unfold children_RAG_alt_def holdents_def, simp add: image_image)
+lemma cntCS_alt_def:
+"cntCS s th = card (children (RAG s) (Th th))"
+apply (unfold children_RAG_alt_def cntCS_def holdents_def)
+by (rule card_image[symmetric], auto simp:inj_on_def)
 lemma runing_ready:
 shows "runing s \<subseteq> readys s"
 unfolding runing_def readys_def
 by auto
 assumes "(n1, n2) \<in> RAG (s::state)"
 obtains (waiting) th cs where "n1 = Th th" "n2 = Cs cs" "waiting s th cs"
 | (holding) th cs where "n1 = Cs cs" "n2 = Th th" "holding s th cs"
 using assms[unfolded s_RAG_def, folded waiting_eq holding_eq]
 by auto
+lemma count_rec1 [simp]:
+assumes "Q e"
+shows "count Q (e#es) = Suc (count Q es)"
+using assms
+by (unfold count_def, auto)
+lemma count_rec2 [simp]:
+assumes "\<not>Q e"
+shows "count Q (e#es) = (count Q es)"
+using assms
+by (unfold count_def, auto)
+lemma count_rec3 [simp]:
+shows "count Q [] =  0"
+by (unfold count_def, auto)
+lemma cntP_simp1[simp]:
+"cntP (P th cs'#s) th = cntP s th + 1"
+by (unfold cntP_def, simp)
+lemma cntP_simp2[simp]:
+assumes "th' \<noteq> th"
+shows "cntP (P th cs'#s) th' = cntP s th'"
+using assms
+by (unfold cntP_def, simp)
+lemma cntP_simp3[simp]:
+assumes "\<not> isP e"
+shows "cntP (e#s) th' = cntP s th'"
+using assms
+by (unfold cntP_def, cases e, simp+)
+lemma cntV_simp1[simp]:
+"cntV (V th cs'#s) th = cntV s th + 1"
+by (unfold cntV_def, simp)
+lemma cntV_simp2[simp]:
+assumes "th' \<noteq> th"
+shows "cntV (V th cs'#s) th' = cntV s th'"
+using assms
+by (unfold cntV_def, simp)
+lemma cntV_simp3[simp]:
+assumes "\<not> isV e"
+shows "cntV (e#s) th' = cntV s th'"
+using assms
+by (unfold cntV_def, cases e, simp+)
+lemma cntP_diff_inv:
+assumes "cntP (e#s) th \<noteq> cntP s th"
+shows "isP e \<and> actor e = th"
+proof(cases e)
+case (P th' pty)
+show ?thesis
+by (cases "(\<lambda>e. \<exists>cs. e = P th cs) (P th' pty)",
+insert assms P, auto simp:cntP_def)
+qed (insert assms, auto simp:cntP_def)
+lemma cntV_diff_inv:
+assumes "cntV (e#s) th \<noteq> cntV s th"
+shows "isV e \<and> actor e = th"
+proof(cases e)
+case (V th' pty)
+show ?thesis
+by (cases "(\<lambda>e. \<exists>cs. e = V th cs) (V th' pty)",
+insert assms V, auto simp:cntV_def)
+qed (insert assms, auto simp:cntV_def)
+lemma eq_dependants: "dependants (wq s) = dependants s"
+by (simp add: s_dependants_abv wq_def)
+lemma inj_the_preced:
+"inj_on (the_preced s) (threads s)"
+by (metis inj_onI preced_unique the_preced_def)
 (* ccc *)
 section {* Locales used to investigate the execution of PIP *}
 using assms by simp
 end
 context valid_trace
 begin
+lemma  finite_threads:
+shows "finite (threads s)"
+using vt by (induct) (auto elim: step.cases)
+lemma finite_readys [simp]: "finite (readys s)"
+using finite_threads readys_threads rev_finite_subset by blast
 lemma wq_distinct: "distinct (wq s cs)"
 proof(induct rule:ind)
 case (Cons s e)
 interpret vt_e: valid_trace_e s e using Cons by simp
 from tranclD[OF this]
 obtain cs' where h: "(Th th, Cs cs') \<in> RAG s"
 by (unfold s_RAG_def, auto)
 hence "waiting s th cs'"
 by (unfold s_RAG_def, fold waiting_eq, auto)
-with th_not_waiting show False by auto (* ccc *)
+with th_not_waiting show False by auto
 qed
 ultimately show ?thesis by auto
 qed
 thus ?thesis by (unfold RAG_es, simp)
 qed
 from wf_RAG show "wf (RAG s)" .
 qed
 qed
 qed
 section {* Derived properties for parts of RAG *}
 context valid_trace
 begin
 by (unfold fsubtree_def fsubtree_axioms_def,auto)
 qed
 from this[folded tRAG_def] show "fsubtree (tRAG s)" .
 qed
-(* ccc *)
-context valid_trace_p
-begin
-lemma ready_th_s: "th \<in> readys s"
-using runing_th_s
-by (unfold runing_def, auto)
-lemma live_th_s: "th \<in> threads s"
-using readys_threads ready_th_s by auto
-lemma live_th_es: "th \<in> threads (e#s)"
-using live_th_s
-by (unfold is_p, simp)
-lemma waiting_neq_th:
-assumes "waiting s t c"
-shows "t \<noteq> th"
-using assms using th_not_waiting by blast
-end
-context valid_trace_v
-begin
-lemma th_not_waiting:
-"\<not> waiting s th c"
-proof -
-have "th \<in> readys s"
-using runing_ready runing_th_s by blast
-thus ?thesis
-by (unfold readys_def, auto)
-qed
-lemma waiting_neq_th:
-assumes "waiting s t c"
-shows "t \<noteq> th"
-using assms using th_not_waiting by blast
-end
-context valid_trace_e
-begin
-lemma actor_inv:
-assumes "\<not> isCreate e"
-shows "actor e \<in> runing s"
-using pip_e assms
-by (induct, auto)
-end
-(* ccc *)
-(* drag more from before to here *)
-section {* ccc *}
-context valid_trace
-begin
-lemma finite_subtree_threads:
-"finite {th'. Th th' \<in> subtree (RAG s) (Th th)}" (is "finite ?A")
-proof -
-have "?A = the_thread ` {Th th' | th' . Th th' \<in> subtree (RAG s) (Th th)}"
-by (auto, insert image_iff, fastforce)
-moreover have "finite {Th th' | th' . Th th' \<in> subtree (RAG s) (Th th)}"
-(is "finite ?B")
-proof -
-have "?B = (subtree (RAG s) (Th th)) \<inter> {Th th' | th'. True}"
-by auto
-moreover have "... \<subseteq> (subtree (RAG s) (Th th))" by auto
-moreover have "finite ..." by (simp add: fsbtRAGs.finite_subtree)
-ultimately show ?thesis by auto
-qed
-ultimately show ?thesis by auto
-qed
-lemma le_cp:
-shows "preced th s \<le> cp s th"
-proof(unfold cp_alt_def, rule Max_ge)
-show "finite (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th)})"
-by (simp add: finite_subtree_threads)
-next
-show "preced th s \<in> the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th)}"
-by (simp add: subtree_def the_preced_def)
-qed
-lemma  finite_threads:
-shows "finite (threads s)"
-using vt by (induct) (auto elim: step.cases)
-lemma cp_le:
-assumes th_in: "th \<in> threads s"
-shows "cp s th \<le> Max (the_preced s ` threads s)"
-proof(unfold cp_alt_def, rule Max_f_mono)
-show "finite (threads s)" by (simp add: finite_threads)
-next
-show " {th'. Th th' \<in> subtree (RAG s) (Th th)} \<noteq> {}"
-using subtree_def by fastforce
-next
-show "{th'. Th th' \<in> subtree (RAG s) (Th th)} \<subseteq> threads s"
-using assms
-by (smt Domain.DomainI dm_RAG_threads mem_Collect_eq
-node.inject(1) rtranclD subsetI subtree_def trancl_domain)
-qed
-lemma max_cp_eq:
-shows "Max ((cp s) ` threads s) = Max (the_preced s ` threads s)"
-(is "?L = ?R")
-proof -
-have "?L \<le> ?R"
-proof(cases "threads s = {}")
-case False
-show ?thesis
-by (rule Max.boundedI,
-insert cp_le,
-auto simp:finite_threads False)
-qed auto
-moreover have "?R \<le> ?L"
-by (rule Max_fg_mono,
-simp add: finite_threads,
-simp add: le_cp the_preced_def)
-ultimately show ?thesis by auto
-qed
-lemma chain_building:
-assumes "node \<in> Domain (RAG s)"
-obtains th' where "th' \<in> readys s" "(node, Th th') \<in> (RAG s)^+"
-proof -
-from assms have "node \<in> Range ((RAG s)^-1)" by auto
-from wf_base[OF wf_RAG_converse this]
-obtain b where h_b: "(b, node) \<in> ((RAG s)\<inverse>)\<^sup>+" "\<forall>c. (c, b) \<notin> (RAG s)\<inverse>" by auto
-obtain th' where eq_b: "b = Th th'"
-proof(cases b)
-case (Cs cs)
-from h_b(1)[unfolded trancl_converse]
-have "(node, b) \<in> ((RAG s)\<^sup>+)" by auto
-from tranclE[OF this]
-obtain n where "(n, b) \<in> RAG s" by auto
-from this[unfolded Cs]
-obtain th1 where "waiting s th1 cs"
-by (unfold s_RAG_def, fold waiting_eq, auto)
-from waiting_holding[OF this]
-obtain th2 where "holding s th2 cs" .
-hence "(Cs cs, Th th2) \<in> RAG s"
-by (unfold s_RAG_def, fold holding_eq, auto)
-with h_b(2)[unfolded Cs, rule_format]
-have False by auto
-thus ?thesis by auto
-qed auto
-have "th' \<in> readys s"
-proof -
-from h_b(2)[unfolded eq_b]
-have "\<forall>cs. \<not> waiting s th' cs"
-by (unfold s_RAG_def, fold waiting_eq, auto)
-moreover have "th' \<in> threads s"
-proof(rule rg_RAG_threads)
-from tranclD[OF h_b(1), unfolded eq_b]
-obtain z where "(z, Th th') \<in> (RAG s)" by auto
-thus "Th th' \<in> Range (RAG s)" by auto
-qed
-ultimately show ?thesis by (auto simp:readys_def)
-qed
-moreover have "(node, Th th') \<in> (RAG s)^+"
-using h_b(1)[unfolded trancl_converse] eq_b by auto
-ultimately show ?thesis using that by metis
-qed
-text {* \noindent
-The following is just an instance of @{text "chain_building"}.
-*}
-lemma th_chain_to_ready:
-assumes th_in: "th \<in> threads s"
-shows "th \<in> readys s \<or> (\<exists> th'. th' \<in> readys s \<and> (Th th, Th th') \<in> (RAG s)^+)"
-proof(cases "th \<in> readys s")
-case True
-thus ?thesis by auto
-next
-case False
-from False and th_in have "Th th \<in> Domain (RAG s)"
-by (auto simp:readys_def s_waiting_def s_RAG_def wq_def cs_waiting_def Domain_def)
-from chain_building [rule_format, OF this]
-show ?thesis by auto
-qed
-end
-lemma count_rec1 [simp]:
-assumes "Q e"
-shows "count Q (e#es) = Suc (count Q es)"
-using assms
-by (unfold count_def, auto)
-lemma count_rec2 [simp]:
-assumes "\<not>Q e"
-shows "count Q (e#es) = (count Q es)"
-using assms
-by (unfold count_def, auto)
-lemma count_rec3 [simp]:
-shows "count Q [] =  0"
-by (unfold count_def, auto)
-lemma cntP_simp1[simp]:
-"cntP (P th cs'#s) th = cntP s th + 1"
-by (unfold cntP_def, simp)
-lemma cntP_simp2[simp]:
-assumes "th' \<noteq> th"
-shows "cntP (P th cs'#s) th' = cntP s th'"
-using assms
-by (unfold cntP_def, simp)
-lemma cntP_simp3[simp]:
-assumes "\<not> isP e"
-shows "cntP (e#s) th' = cntP s th'"
-using assms
-by (unfold cntP_def, cases e, simp+)
-lemma cntV_simp1[simp]:
-"cntV (V th cs'#s) th = cntV s th + 1"
-by (unfold cntV_def, simp)
-lemma cntV_simp2[simp]:
-assumes "th' \<noteq> th"
-shows "cntV (V th cs'#s) th' = cntV s th'"
-using assms
-by (unfold cntV_def, simp)
-lemma cntV_simp3[simp]:
-assumes "\<not> isV e"
-shows "cntV (e#s) th' = cntV s th'"
-using assms
-by (unfold cntV_def, cases e, simp+)
-lemma cntP_diff_inv:
-assumes "cntP (e#s) th \<noteq> cntP s th"
-shows "isP e \<and> actor e = th"
-proof(cases e)
-case (P th' pty)
-show ?thesis
-by (cases "(\<lambda>e. \<exists>cs. e = P th cs) (P th' pty)",
-insert assms P, auto simp:cntP_def)
-qed (insert assms, auto simp:cntP_def)
-lemma cntV_diff_inv:
-assumes "cntV (e#s) th \<noteq> cntV s th"
-shows "isV e \<and> actor e = th"
-proof(cases e)
-case (V th' pty)
-show ?thesis
-by (cases "(\<lambda>e. \<exists>cs. e = V th cs) (V th' pty)",
-insert assms V, auto simp:cntV_def)
-qed (insert assms, auto simp:cntV_def)
-lemma children_RAG_alt_def:
-"children (RAG (s::state)) (Th th) = Cs ` {cs. holding s th cs}"
-by (unfold s_RAG_def, auto simp:children_def holding_eq)
-lemma holdents_alt_def:
-"holdents s th = the_cs ` (children (RAG (s::state)) (Th th))"
-by (unfold children_RAG_alt_def holdents_def, simp add: image_image)
-lemma cntCS_alt_def:
-"cntCS s th = card (children (RAG s) (Th th))"
-apply (unfold children_RAG_alt_def cntCS_def holdents_def)
-by (rule card_image[symmetric], auto simp:inj_on_def)
-context valid_trace_p_w
-begin
-lemma holding_s_holder: "holding s holder cs"
-by (unfold s_holding_def, fold wq_def, unfold wq_s_cs, auto)
-lemma holding_es_holder: "holding (e#s) holder cs"
-by (unfold s_holding_def, fold wq_def, unfold wq_es_cs wq_s_cs, auto)
-lemma holdents_es:
-shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
-proof -
-{ fix cs'
-assume "cs' \<in> ?L"
-hence h: "holding (e#s) th' cs'" by (auto simp:holdents_def)
-have "holding s th' cs'"
-proof(cases "cs' = cs")
-case True
-from held_unique[OF h[unfolded True] holding_es_holder]
-have "th' = holder" .
-thus ?thesis
-by (unfold True holdents_def, insert holding_s_holder, simp)
-next
-case False
-hence "wq (e#s) cs' = wq s cs'" by simp
-from h[unfolded s_holding_def, folded wq_def, unfolded this]
-show ?thesis
-by (unfold s_holding_def, fold wq_def, auto)
-qed
-hence "cs' \<in> ?R" by (auto simp:holdents_def)
-} moreover {
-fix cs'
-assume "cs' \<in> ?R"
-hence h: "holding s th' cs'" by (auto simp:holdents_def)
-have "holding (e#s) th' cs'"
-proof(cases "cs' = cs")
-case True
-from held_unique[OF h[unfolded True] holding_s_holder]
-have "th' = holder" .
-thus ?thesis
-by (unfold True holdents_def, insert holding_es_holder, simp)
-next
-case False
-hence "wq s cs' = wq (e#s) cs'" by simp
-from h[unfolded s_holding_def, folded wq_def, unfolded this]
-show ?thesis
-by (unfold s_holding_def, fold wq_def, auto)
-qed
-hence "cs' \<in> ?L" by (auto simp:holdents_def)
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_es_th[simp]: "cntCS (e#s) th' = cntCS s th'"
-by (unfold cntCS_def holdents_es, simp)
-lemma th_not_ready_es:
-shows "th \<notin> readys (e#s)"
-using waiting_es_th_cs
-by (unfold readys_def, auto)
-end
-lemma (in valid_trace) finite_holdents: "finite (holdents s th)"
-by (unfold holdents_alt_def, insert fsbtRAGs.finite_children, auto)
-context valid_trace_p_h
-begin
-lemma th_not_waiting':
-"\<not> waiting (e#s) th cs'"
-proof(cases "cs' = cs")
-case True
-show ?thesis
-by (unfold True s_waiting_def, fold wq_def, unfold wq_es_cs', auto)
-next
-case False
-from th_not_waiting[of cs', unfolded s_waiting_def, folded wq_def]
-show ?thesis
-by (unfold s_waiting_def, fold wq_def, insert False, simp)
-qed
-lemma ready_th_es:
-shows "th \<in> readys (e#s)"
-using th_not_waiting'
-by (unfold readys_def, insert live_th_es, auto)
-lemma holdents_es_th:
-"holdents (e#s) th = (holdents s th) \<union> {cs}" (is "?L = ?R")
-proof -
-{ fix cs'
-assume "cs' \<in> ?L"
-hence "holding (e#s) th cs'"
-by (unfold holdents_def, auto)
-hence "cs' \<in> ?R"
-by (cases rule:holding_esE, auto simp:holdents_def)
-} moreover {
-fix cs'
-assume "cs' \<in> ?R"
-hence "holding s th cs' \<or> cs' = cs"
-by (auto simp:holdents_def)
-hence "cs' \<in> ?L"
-proof
-assume "holding s th cs'"
-from holding_kept[OF this]
-show ?thesis by (auto simp:holdents_def)
-next
-assume "cs' = cs"
-thus ?thesis using holding_es_th_cs
-by (unfold holdents_def, auto)
-qed
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_es_th: "cntCS (e#s) th = cntCS s th + 1"
-proof -
-have "card (holdents s th \<union> {cs}) = card (holdents s th) + 1"
-proof(subst card_Un_disjoint)
-show "holdents s th \<inter> {cs} = {}"
-using not_holding_s_th_cs by (auto simp:holdents_def)
-qed (auto simp:finite_holdents)
-thus ?thesis
-by (unfold cntCS_def holdents_es_th, simp)
-qed
-lemma no_holder:
-"\<not> holding s th' cs"
-proof
-assume otherwise: "holding s th' cs"
-from this[unfolded s_holding_def, folded wq_def, unfolded we]
-show False by auto
-qed
-lemma holdents_es_th':
-assumes "th' \<noteq> th"
-shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
-proof -
-{ fix cs'
-assume "cs' \<in> ?L"
-hence h_e: "holding (e#s) th' cs'" by (auto simp:holdents_def)
-have "cs' \<noteq> cs"
-proof
-assume "cs' = cs"
-from held_unique[OF h_e[unfolded this] holding_es_th_cs]
-have "th' = th" .
-with assms show False by simp
-qed
-from h_e[unfolded s_holding_def, folded wq_def, unfolded wq_neq_simp[OF this]]
-have "th' \<in> set (wq s cs') \<and> th' = hd (wq s cs')" .
-hence "cs' \<in> ?R"
-by (unfold holdents_def s_holding_def, fold wq_def, auto)
-} moreover {
-fix cs'
-assume "cs' \<in> ?R"
-hence "holding s th' cs'" by (auto simp:holdents_def)
-from holding_kept[OF this]
-have "holding (e # s) th' cs'" .
-hence "cs' \<in> ?L"
-by (unfold holdents_def, auto)
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_es_th'[simp]:
-assumes "th' \<noteq> th"
-shows "cntCS (e#s) th' = cntCS s th'"
-by (unfold cntCS_def holdents_es_th'[OF assms], simp)
-end
-context valid_trace_p
-begin
-lemma readys_kept1:
-assumes "th' \<noteq> th"
-and "th' \<in> readys (e#s)"
-shows "th' \<in> readys s"
-proof -
-{ fix cs'
-assume wait: "waiting s th' cs'"
-have n_wait: "\<not> waiting (e#s) th' cs'"
-using assms(2)[unfolded readys_def] by auto
-have False
-proof(cases "cs' = cs")
-case False
-with n_wait wait
-show ?thesis
-by (unfold s_waiting_def, fold wq_def, auto)
-next
-case True
-show ?thesis
-proof(cases "wq s cs = []")
-case True
-then interpret vt: valid_trace_p_h
-by (unfold_locales, simp)
-show ?thesis using n_wait wait waiting_kept by auto
-next
-case False
-then interpret vt: valid_trace_p_w by (unfold_locales, simp)
-show ?thesis using n_wait wait waiting_kept by blast
-qed
-qed
-} with assms(2) show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_kept2:
-assumes "th' \<noteq> th"
-and "th' \<in> readys s"
-shows "th' \<in> readys (e#s)"
-proof -
-{ fix cs'
-assume wait: "waiting (e#s) th' cs'"
-have n_wait: "\<not> waiting s th' cs'"
-using assms(2)[unfolded readys_def] by auto
-have False
-proof(cases "cs' = cs")
-case False
-with n_wait wait
-show ?thesis
-by (unfold s_waiting_def, fold wq_def, auto)
-next
-case True
-show ?thesis
-proof(cases "wq s cs = []")
-case True
-then interpret vt: valid_trace_p_h
-by (unfold_locales, simp)
-show ?thesis using n_wait vt.waiting_esE wait by blast
-next
-case False
-then interpret vt: valid_trace_p_w by (unfold_locales, simp)
-show ?thesis using assms(1) n_wait vt.waiting_esE wait by auto
-qed
-qed
-} with assms(2) show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_simp [simp]:
-assumes "th' \<noteq> th"
-shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
-using readys_kept1[OF assms] readys_kept2[OF assms]
-by metis
-lemma cnp_cnv_cncs_kept: (* ddd *)
-assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
-proof(cases "th' = th")
-case True
-note eq_th' = this
-show ?thesis
-proof(cases "wq s cs = []")
-case True
-then interpret vt: valid_trace_p_h by (unfold_locales, simp)
-show ?thesis
-using assms eq_th' is_p ready_th_s vt.cntCS_es_th vt.ready_th_es pvD_def by auto
-next
-case False
-then interpret vt: valid_trace_p_w by (unfold_locales, simp)
-show ?thesis
-using add.commute add.left_commute assms eq_th' is_p live_th_s
-ready_th_s vt.th_not_ready_es pvD_def
-apply (auto)
-by (fold is_p, simp)
-qed
-next
-case False
-note h_False = False
-thus ?thesis
-proof(cases "wq s cs = []")
-case True
-then interpret vt: valid_trace_p_h by (unfold_locales, simp)
-show ?thesis using assms
-by (insert True h_False pvD_def, auto split:if_splits,unfold is_p, auto)
-next
-case False
-then interpret vt: valid_trace_p_w by (unfold_locales, simp)
-show ?thesis using assms
-by (insert False h_False pvD_def, auto split:if_splits,unfold is_p, auto)
-qed
-qed
-end
-context valid_trace_v
-begin
-lemma holding_th_cs_s:
-"holding s th cs"
-by  (unfold s_holding_def, fold wq_def, unfold wq_s_cs, auto)
-lemma th_ready_s [simp]: "th \<in> readys s"
-using runing_th_s
-by (unfold runing_def readys_def, auto)
-lemma th_live_s [simp]: "th \<in> threads s"
-using th_ready_s by (unfold readys_def, auto)
-lemma th_ready_es [simp]: "th \<in> readys (e#s)"
-using runing_th_s neq_t_th
-by (unfold is_v runing_def readys_def, auto)
-lemma th_live_es [simp]: "th \<in> threads (e#s)"
-using th_ready_es by (unfold readys_def, auto)
-lemma pvD_th_s[simp]: "pvD s th = 0"
-by (unfold pvD_def, simp)
-lemma pvD_th_es[simp]: "pvD (e#s) th = 0"
-by (unfold pvD_def, simp)
-lemma cntCS_s_th [simp]: "cntCS s th > 0"
-proof -
-have "cs \<in> holdents s th" using holding_th_cs_s
-by (unfold holdents_def, simp)
-moreover have "finite (holdents s th)" using finite_holdents (* ccc *)
-by simp
-ultimately show ?thesis
-by (unfold cntCS_def,
-auto intro!:card_gt_0_iff[symmetric, THEN iffD1])
-qed
-end
-context valid_trace_v_n
-begin
-lemma not_ready_taker_s[simp]:
-"taker \<notin> readys s"
-using waiting_taker
-by (unfold readys_def, auto)
-lemma taker_live_s [simp]: "taker \<in> threads s"
-proof -
-have "taker \<in> set wq'" by (simp add: eq_wq')
-from th'_in_inv[OF this]
-have "taker \<in> set rest" .
-hence "taker \<in> set (wq s cs)" by (simp add: wq_s_cs)
-thus ?thesis using wq_threads by auto
-qed
-lemma taker_live_es [simp]: "taker \<in> threads (e#s)"
-using taker_live_s threads_es by blast
-lemma taker_ready_es [simp]:
-shows "taker \<in> readys (e#s)"
-proof -
-{ fix cs'
-assume "waiting (e#s) taker cs'"
-hence False
-proof(cases rule:waiting_esE)
-case 1
-thus ?thesis using waiting_taker waiting_unique by auto
-qed simp
-} thus ?thesis by (unfold readys_def, auto)
-qed
-lemma neq_taker_th: "taker \<noteq> th"
-using th_not_waiting waiting_taker by blast
-lemma not_holding_taker_s_cs:
-shows "\<not> holding s taker cs"
-using holding_cs_eq_th neq_taker_th by auto
-lemma holdents_es_taker:
-"holdents (e#s) taker = holdents s taker \<union> {cs}" (is "?L = ?R")
-proof -
-{ fix cs'
-assume "cs' \<in> ?L"
-hence "holding (e#s) taker cs'" by (auto simp:holdents_def)
-hence "cs' \<in> ?R"
-proof(cases rule:holding_esE)
-case 2
-thus ?thesis by (auto simp:holdents_def)
-qed auto
-} moreover {
-fix cs'
-assume "cs' \<in> ?R"
-hence "holding s taker cs' \<or> cs' = cs" by (auto simp:holdents_def)
-hence "cs' \<in> ?L"
-proof
-assume "holding s taker cs'"
-hence "holding (e#s) taker cs'"
-using holding_esI2 holding_taker by fastforce
-thus ?thesis by (auto simp:holdents_def)
-next
-assume "cs' = cs"
-with holding_taker
-show ?thesis by (auto simp:holdents_def)
-qed
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_es_taker [simp]: "cntCS (e#s) taker = cntCS s taker + 1"
-proof -
-have "card (holdents s taker \<union> {cs}) = card (holdents s taker) + 1"
-proof(subst card_Un_disjoint)
-show "holdents s taker \<inter> {cs} = {}"
-using not_holding_taker_s_cs by (auto simp:holdents_def)
-qed (auto simp:finite_holdents)
-thus ?thesis
-by (unfold cntCS_def, insert holdents_es_taker, simp)
-qed
-lemma pvD_taker_s[simp]: "pvD s taker = 1"
-by (unfold pvD_def, simp)
-lemma pvD_taker_es[simp]: "pvD (e#s) taker = 0"
-by (unfold pvD_def, simp)
-lemma pvD_th_s[simp]: "pvD s th = 0"
-by (unfold pvD_def, simp)
-lemma pvD_th_es[simp]: "pvD (e#s) th = 0"
-by (unfold pvD_def, simp)
-lemma holdents_es_th:
-"holdents (e#s) th = holdents s th - {cs}" (is "?L = ?R")
-proof -
-{ fix cs'
-assume "cs' \<in> ?L"
-hence "holding (e#s) th cs'" by (auto simp:holdents_def)
-hence "cs' \<in> ?R"
-proof(cases rule:holding_esE)
-case 2
-thus ?thesis by (auto simp:holdents_def)
-qed (insert neq_taker_th, auto)
-} moreover {
-fix cs'
-assume "cs' \<in> ?R"
-hence "cs' \<noteq> cs" "holding s th cs'" by (auto simp:holdents_def)
-from holding_esI2[OF this]
-have "cs' \<in> ?L" by (auto simp:holdents_def)
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_es_th [simp]: "cntCS (e#s) th = cntCS s th - 1"
-proof -
-have "card (holdents s th - {cs}) = card (holdents s th) - 1"
-proof -
-have "cs \<in> holdents s th" using holding_th_cs_s
-by (auto simp:holdents_def)
-moreover have "finite (holdents s th)"
-by (simp add: finite_holdents)
-ultimately show ?thesis by auto
-qed
-thus ?thesis by (unfold cntCS_def holdents_es_th)
-qed
-lemma holdents_kept:
-assumes "th' \<noteq> taker"
-and "th' \<noteq> th"
-shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
-proof -
-{ fix cs'
-assume h: "cs' \<in> ?L"
-have "cs' \<in> ?R"
-proof(cases "cs' = cs")
-case False
-hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
-from h have "holding (e#s) th' cs'" by (auto simp:holdents_def)
-from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
-show ?thesis
-by (unfold holdents_def s_holding_def, fold wq_def, auto)
-next
-case True
-from h[unfolded this]
-have "holding (e#s) th' cs" by (auto simp:holdents_def)
-from held_unique[OF this holding_taker]
-have "th' = taker" .
-with assms show ?thesis by auto
-qed
-} moreover {
-fix cs'
-assume h: "cs' \<in> ?R"
-have "cs' \<in> ?L"
-proof(cases "cs' = cs")
-case False
-hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
-from h have "holding s th' cs'" by (auto simp:holdents_def)
-from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
-show ?thesis
-by (unfold holdents_def s_holding_def, fold wq_def, insert eq_wq, simp)
-next
-case True
-from h[unfolded this]
-have "holding s th' cs" by (auto simp:holdents_def)
-from held_unique[OF this holding_th_cs_s]
-have "th' = th" .
-with assms show ?thesis by auto
-qed
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_kept [simp]:
-assumes "th' \<noteq> taker"
-and "th' \<noteq> th"
-shows "cntCS (e#s) th' = cntCS s th'"
-by (unfold cntCS_def holdents_kept[OF assms], simp)
-lemma readys_kept1:
-assumes "th' \<noteq> taker"
-and "th' \<in> readys (e#s)"
-shows "th' \<in> readys s"
-proof -
-{ fix cs'
-assume wait: "waiting s th' cs'"
-have n_wait: "\<not> waiting (e#s) th' cs'"
-using assms(2)[unfolded readys_def] by auto
-have False
-proof(cases "cs' = cs")
-case False
-with n_wait wait
-show ?thesis
-by (unfold s_waiting_def, fold wq_def, auto)
-next
-case True
-have "th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest)"
-using wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] .
-moreover have "\<not> (th' \<in> set rest \<and> th' \<noteq> hd (taker # rest'))"
-using n_wait[unfolded True s_waiting_def, folded wq_def,
-unfolded wq_es_cs set_wq', unfolded eq_wq'] .
-ultimately have "th' = taker" by auto
-with assms(1)
-show ?thesis by simp
-qed
-} with assms(2) show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_kept2:
-assumes "th' \<noteq> taker"
-and "th' \<in> readys s"
-shows "th' \<in> readys (e#s)"
-proof -
-{ fix cs'
-assume wait: "waiting (e#s) th' cs'"
-have n_wait: "\<not> waiting s th' cs'"
-using assms(2)[unfolded readys_def] by auto
-have False
-proof(cases "cs' = cs")
-case False
-with n_wait wait
-show ?thesis
-by (unfold s_waiting_def, fold wq_def, auto)
-next
-case True
-have "th' \<in> set rest \<and> th' \<noteq> hd (taker # rest')"
-using  wait [unfolded True s_waiting_def, folded wq_def,
-unfolded wq_es_cs set_wq', unfolded eq_wq']  .
-moreover have "\<not> (th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest))"
-using n_wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] .
-ultimately have "th' = taker" by auto
-with assms(1)
-show ?thesis by simp
-qed
-} with assms(2) show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_simp [simp]:
-assumes "th' \<noteq> taker"
-shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
-using readys_kept1[OF assms] readys_kept2[OF assms]
-by metis
-lemma cnp_cnv_cncs_kept:
-assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
-proof -
-{ assume eq_th': "th' = taker"
-have ?thesis
-apply (unfold eq_th' pvD_taker_es cntCS_es_taker)
-by (insert neq_taker_th assms[unfolded eq_th'], unfold is_v, simp)
-} moreover {
-assume eq_th': "th' = th"
-have ?thesis
-apply (unfold eq_th' pvD_th_es cntCS_es_th)
-by (insert assms[unfolded eq_th'], unfold is_v, simp)
-} moreover {
-assume h: "th' \<noteq> taker" "th' \<noteq> th"
-have ?thesis using assms
-apply (unfold cntCS_kept[OF h], insert h, unfold is_v, simp)
-by (fold is_v, unfold pvD_def, simp)
-} ultimately show ?thesis by metis
-qed
-end
-context valid_trace_v_e
-begin
-lemma holdents_es_th:
-"holdents (e#s) th = holdents s th - {cs}" (is "?L = ?R")
-proof -
-{ fix cs'
-assume "cs' \<in> ?L"
-hence "holding (e#s) th cs'" by (auto simp:holdents_def)
-hence "cs' \<in> ?R"
-proof(cases rule:holding_esE)
-case 1
-thus ?thesis by (auto simp:holdents_def)
-qed
-} moreover {
-fix cs'
-assume "cs' \<in> ?R"
-hence "cs' \<noteq> cs" "holding s th cs'" by (auto simp:holdents_def)
-from holding_esI2[OF this]
-have "cs' \<in> ?L" by (auto simp:holdents_def)
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_es_th [simp]: "cntCS (e#s) th = cntCS s th - 1"
-proof -
-have "card (holdents s th - {cs}) = card (holdents s th) - 1"
-proof -
-have "cs \<in> holdents s th" using holding_th_cs_s
-by (auto simp:holdents_def)
-moreover have "finite (holdents s th)"
-by (simp add: finite_holdents)
-ultimately show ?thesis by auto
-qed
-thus ?thesis by (unfold cntCS_def holdents_es_th)
-qed
-lemma holdents_kept:
-assumes "th' \<noteq> th"
-shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
-proof -
-{ fix cs'
-assume h: "cs' \<in> ?L"
-have "cs' \<in> ?R"
-proof(cases "cs' = cs")
-case False
-hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
-from h have "holding (e#s) th' cs'" by (auto simp:holdents_def)
-from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
-show ?thesis
-by (unfold holdents_def s_holding_def, fold wq_def, auto)
-next
-case True
-from h[unfolded this]
-have "holding (e#s) th' cs" by (auto simp:holdents_def)
-from this[unfolded s_holding_def, folded wq_def,
-unfolded wq_es_cs nil_wq']
-show ?thesis by auto
-qed
-} moreover {
-fix cs'
-assume h: "cs' \<in> ?R"
-have "cs' \<in> ?L"
-proof(cases "cs' = cs")
-case False
-hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
-from h have "holding s th' cs'" by (auto simp:holdents_def)
-from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
-show ?thesis
-by (unfold holdents_def s_holding_def, fold wq_def, insert eq_wq, simp)
-next
-case True
-from h[unfolded this]
-have "holding s th' cs" by (auto simp:holdents_def)
-from held_unique[OF this holding_th_cs_s]
-have "th' = th" .
-with assms show ?thesis by auto
-qed
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_kept [simp]:
-assumes "th' \<noteq> th"
-shows "cntCS (e#s) th' = cntCS s th'"
-by (unfold cntCS_def holdents_kept[OF assms], simp)
-lemma readys_kept1:
-assumes "th' \<in> readys (e#s)"
-shows "th' \<in> readys s"
-proof -
-{ fix cs'
-assume wait: "waiting s th' cs'"
-have n_wait: "\<not> waiting (e#s) th' cs'"
-using assms(1)[unfolded readys_def] by auto
-have False
-proof(cases "cs' = cs")
-case False
-with n_wait wait
-show ?thesis
-by (unfold s_waiting_def, fold wq_def, auto)
-next
-case True
-have "th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest)"
-using wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] .
-hence "th' \<in> set rest" by auto
-with set_wq' have "th' \<in> set wq'" by metis
-with nil_wq' show ?thesis by simp
-qed
-} thus ?thesis using assms
-by (unfold readys_def, auto)
-qed
-lemma readys_kept2:
-assumes "th' \<in> readys s"
-shows "th' \<in> readys (e#s)"
-proof -
-{ fix cs'
-assume wait: "waiting (e#s) th' cs'"
-have n_wait: "\<not> waiting s th' cs'"
-using assms[unfolded readys_def] by auto
-have False
-proof(cases "cs' = cs")
-case False
-with n_wait wait
-show ?thesis
-by (unfold s_waiting_def, fold wq_def, auto)
-next
-case True
-have "th' \<in> set [] \<and> th' \<noteq> hd []"
-using wait[unfolded True s_waiting_def, folded wq_def,
-unfolded wq_es_cs nil_wq'] .
-thus ?thesis by simp
-qed
-} with assms show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_simp [simp]:
-shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
-using readys_kept1[OF assms] readys_kept2[OF assms]
-by metis
-lemma cnp_cnv_cncs_kept:
-assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
-proof -
-{
-assume eq_th': "th' = th"
-have ?thesis
-apply (unfold eq_th' pvD_th_es cntCS_es_th)
-by (insert assms[unfolded eq_th'], unfold is_v, simp)
-} moreover {
-assume h: "th' \<noteq> th"
-have ?thesis using assms
-apply (unfold cntCS_kept[OF h], insert h, unfold is_v, simp)
-by (fold is_v, unfold pvD_def, simp)
-} ultimately show ?thesis by metis
-qed
-end
-context valid_trace_v
-begin
-lemma cnp_cnv_cncs_kept:
-assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
-proof(cases "rest = []")
-case True
-then interpret vt: valid_trace_v_e by (unfold_locales, simp)
-show ?thesis using assms using vt.cnp_cnv_cncs_kept by blast
-next
-case False
-then interpret vt: valid_trace_v_n by (unfold_locales, simp)
-show ?thesis using assms using vt.cnp_cnv_cncs_kept by blast
-qed
-end
-context valid_trace_create
-begin
-lemma th_not_live_s [simp]: "th \<notin> threads s"
-proof -
-from pip_e[unfolded is_create]
-show ?thesis by (cases, simp)
-qed
-lemma th_not_ready_s [simp]: "th \<notin> readys s"
-using th_not_live_s by (unfold readys_def, simp)
-lemma th_live_es [simp]: "th \<in> threads (e#s)"
-by (unfold is_create, simp)
-lemma not_waiting_th_s [simp]: "\<not> waiting s th cs'"
-proof
-assume "waiting s th cs'"
-from this[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-have "th \<in> set (wq s cs')" by auto
-from wq_threads[OF this] have "th \<in> threads s" .
-with th_not_live_s show False by simp
-qed
-lemma not_holding_th_s [simp]: "\<not> holding s th cs'"
-proof
-assume "holding s th cs'"
-from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept]
-have "th \<in> set (wq s cs')" by auto
-from wq_threads[OF this] have "th \<in> threads s" .
-with th_not_live_s show False by simp
-qed
-lemma not_waiting_th_es [simp]: "\<not> waiting (e#s) th cs'"
-proof
-assume "waiting (e # s) th cs'"
-from this[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-have "th \<in> set (wq s cs')" by auto
-from wq_threads[OF this] have "th \<in> threads s" .
-with th_not_live_s show False by simp
-qed
-lemma not_holding_th_es [simp]: "\<not> holding (e#s) th cs'"
-proof
-assume "holding (e # s) th cs'"
-from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept]
-have "th \<in> set (wq s cs')" by auto
-from wq_threads[OF this] have "th \<in> threads s" .
-with th_not_live_s show False by simp
-qed
-lemma ready_th_es [simp]: "th \<in> readys (e#s)"
-by (simp add:readys_def)
-lemma holdents_th_s: "holdents s th = {}"
-by (unfold holdents_def, auto)
-lemma holdents_th_es: "holdents (e#s) th = {}"
-by (unfold holdents_def, auto)
-lemma cntCS_th_s [simp]: "cntCS s th = 0"
-by (unfold cntCS_def, simp add:holdents_th_s)
-lemma cntCS_th_es [simp]: "cntCS (e#s) th = 0"
-by (unfold cntCS_def, simp add:holdents_th_es)
-lemma pvD_th_s [simp]: "pvD s th = 0"
-by (unfold pvD_def, simp)
-lemma pvD_th_es [simp]: "pvD (e#s) th = 0"
-by (unfold pvD_def, simp)
-lemma holdents_kept:
-assumes "th' \<noteq> th"
-shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
-proof -
-{ fix cs'
-assume h: "cs' \<in> ?L"
-hence "cs' \<in> ?R"
-by (unfold holdents_def s_holding_def, fold wq_def,
-unfold wq_kept, auto)
-} moreover {
-fix cs'
-assume h: "cs' \<in> ?R"
-hence "cs' \<in> ?L"
-by (unfold holdents_def s_holding_def, fold wq_def,
-unfold wq_kept, auto)
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_kept [simp]:
-assumes "th' \<noteq> th"
-shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R")
-using holdents_kept[OF assms]
-by (unfold cntCS_def, simp)
-lemma readys_kept1:
-assumes "th' \<noteq> th"
-and "th' \<in> readys (e#s)"
-shows "th' \<in> readys s"
-proof -
-{ fix cs'
-assume wait: "waiting s th' cs'"
-have n_wait: "\<not> waiting (e#s) th' cs'"
-using assms by (auto simp:readys_def)
-from wait[unfolded s_waiting_def, folded wq_def]
-n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-have False by auto
-} thus ?thesis using assms
-by (unfold readys_def, auto)
-qed
-lemma readys_kept2:
-assumes "th' \<noteq> th"
-and "th' \<in> readys s"
-shows "th' \<in> readys (e#s)"
-proof -
-{ fix cs'
-assume wait: "waiting (e#s) th' cs'"
-have n_wait: "\<not> waiting s th' cs'"
-using assms(2) by (auto simp:readys_def)
-from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-n_wait[unfolded s_waiting_def, folded wq_def]
-have False by auto
-} with assms show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_simp [simp]:
-assumes "th' \<noteq> th"
-shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
-using readys_kept1[OF assms] readys_kept2[OF assms]
-by metis
-lemma pvD_kept [simp]:
-assumes "th' \<noteq> th"
-shows "pvD (e#s) th' = pvD s th'"
-using assms
-by (unfold pvD_def, simp)
-lemma cnp_cnv_cncs_kept:
-assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
-proof -
-{
-assume eq_th': "th' = th"
-have ?thesis using assms
-by (unfold eq_th', simp, unfold is_create, simp)
-} moreover {
-assume h: "th' \<noteq> th"
-hence ?thesis using assms
-by (simp, simp add:is_create)
-} ultimately show ?thesis by metis
-qed
-end
-context valid_trace_exit
-begin
-lemma th_live_s [simp]: "th \<in> threads s"
-proof -
-from pip_e[unfolded is_exit]
-show ?thesis
-by (cases, unfold runing_def readys_def, simp)
-qed
-lemma th_ready_s [simp]: "th \<in> readys s"
-proof -
-from pip_e[unfolded is_exit]
-show ?thesis
-by (cases, unfold runing_def, simp)
-qed
-lemma th_not_live_es [simp]: "th \<notin> threads (e#s)"
-by (unfold is_exit, simp)
-lemma not_holding_th_s [simp]: "\<not> holding s th cs'"
-proof -
-from pip_e[unfolded is_exit]
-show ?thesis
-by (cases, unfold holdents_def, auto)
-qed
-lemma cntCS_th_s [simp]: "cntCS s th = 0"
-proof -
-from pip_e[unfolded is_exit]
-show ?thesis
-by (cases, unfold cntCS_def, simp)
-qed
-lemma not_holding_th_es [simp]: "\<not> holding (e#s) th cs'"
-proof
-assume "holding (e # s) th cs'"
-from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept]
-have "holding s th cs'"
-by (unfold s_holding_def, fold wq_def, auto)
-with not_holding_th_s
-show False by simp
-qed
-lemma ready_th_es [simp]: "th \<notin> readys (e#s)"
-by (simp add:readys_def)
-lemma holdents_th_s: "holdents s th = {}"
-by (unfold holdents_def, auto)
-lemma holdents_th_es: "holdents (e#s) th = {}"
-by (unfold holdents_def, auto)
-lemma cntCS_th_es [simp]: "cntCS (e#s) th = 0"
-by (unfold cntCS_def, simp add:holdents_th_es)
-lemma pvD_th_s [simp]: "pvD s th = 0"
-by (unfold pvD_def, simp)
-lemma pvD_th_es [simp]: "pvD (e#s) th = 0"
-by (unfold pvD_def, simp)
-lemma holdents_kept:
-assumes "th' \<noteq> th"
-shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
-proof -
-{ fix cs'
-assume h: "cs' \<in> ?L"
-hence "cs' \<in> ?R"
-by (unfold holdents_def s_holding_def, fold wq_def,
-unfold wq_kept, auto)
-} moreover {
-fix cs'
-assume h: "cs' \<in> ?R"
-hence "cs' \<in> ?L"
-by (unfold holdents_def s_holding_def, fold wq_def,
-unfold wq_kept, auto)
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_kept [simp]:
-assumes "th' \<noteq> th"
-shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R")
-using holdents_kept[OF assms]
-by (unfold cntCS_def, simp)
-lemma readys_kept1:
-assumes "th' \<noteq> th"
-and "th' \<in> readys (e#s)"
-shows "th' \<in> readys s"
-proof -
-{ fix cs'
-assume wait: "waiting s th' cs'"
-have n_wait: "\<not> waiting (e#s) th' cs'"
-using assms by (auto simp:readys_def)
-from wait[unfolded s_waiting_def, folded wq_def]
-n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-have False by auto
-} thus ?thesis using assms
-by (unfold readys_def, auto)
-qed
-lemma readys_kept2:
-assumes "th' \<noteq> th"
-and "th' \<in> readys s"
-shows "th' \<in> readys (e#s)"
-proof -
-{ fix cs'
-assume wait: "waiting (e#s) th' cs'"
-have n_wait: "\<not> waiting s th' cs'"
-using assms(2) by (auto simp:readys_def)
-from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-n_wait[unfolded s_waiting_def, folded wq_def]
-have False by auto
-} with assms show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_simp [simp]:
-assumes "th' \<noteq> th"
-shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
-using readys_kept1[OF assms] readys_kept2[OF assms]
-by metis
-lemma pvD_kept [simp]:
-assumes "th' \<noteq> th"
-shows "pvD (e#s) th' = pvD s th'"
-using assms
-by (unfold pvD_def, simp)
-lemma cnp_cnv_cncs_kept:
-assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
-proof -
-{
-assume eq_th': "th' = th"
-have ?thesis using assms
-by (unfold eq_th', simp, unfold is_exit, simp)
-} moreover {
-assume h: "th' \<noteq> th"
-hence ?thesis using assms
-by (simp, simp add:is_exit)
-} ultimately show ?thesis by metis
-qed
-end
-context valid_trace_set
-begin
-lemma th_live_s [simp]: "th \<in> threads s"
-proof -
-from pip_e[unfolded is_set]
-show ?thesis
-by (cases, unfold runing_def readys_def, simp)
-qed
-lemma th_ready_s [simp]: "th \<in> readys s"
-proof -
-from pip_e[unfolded is_set]
-show ?thesis
-by (cases, unfold runing_def, simp)
-qed
-lemma th_not_live_es [simp]: "th \<in> threads (e#s)"
-by (unfold is_set, simp)
-lemma holdents_kept:
-shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
-proof -
-{ fix cs'
-assume h: "cs' \<in> ?L"
-hence "cs' \<in> ?R"
-by (unfold holdents_def s_holding_def, fold wq_def,
-unfold wq_kept, auto)
-} moreover {
-fix cs'
-assume h: "cs' \<in> ?R"
-hence "cs' \<in> ?L"
-by (unfold holdents_def s_holding_def, fold wq_def,
-unfold wq_kept, auto)
-} ultimately show ?thesis by auto
-qed
-lemma cntCS_kept [simp]:
-shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R")
-using holdents_kept
-by (unfold cntCS_def, simp)
-lemma threads_kept[simp]:
-"threads (e#s) = threads s"
-by (unfold is_set, simp)
-lemma readys_kept1:
-assumes "th' \<in> readys (e#s)"
-shows "th' \<in> readys s"
-proof -
-{ fix cs'
-assume wait: "waiting s th' cs'"
-have n_wait: "\<not> waiting (e#s) th' cs'"
-using assms by (auto simp:readys_def)
-from wait[unfolded s_waiting_def, folded wq_def]
-n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-have False by auto
-} moreover have "th' \<in> threads s"
-using assms[unfolded readys_def] by auto
-ultimately show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_kept2:
-assumes "th' \<in> readys s"
-shows "th' \<in> readys (e#s)"
-proof -
-{ fix cs'
-assume wait: "waiting (e#s) th' cs'"
-have n_wait: "\<not> waiting s th' cs'"
-using assms by (auto simp:readys_def)
-from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
-n_wait[unfolded s_waiting_def, folded wq_def]
-have False by auto
-} with assms show ?thesis
-by (unfold readys_def, auto)
-qed
-lemma readys_simp [simp]:
-shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
-using readys_kept1 readys_kept2
-by metis
-lemma pvD_kept [simp]:
-shows "pvD (e#s) th' = pvD s th'"
-by (unfold pvD_def, simp)
-lemma cnp_cnv_cncs_kept:
-assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
-using assms
-by (unfold is_set, simp, fold is_set, simp)
-end
-context valid_trace
-begin
-lemma cnp_cnv_cncs: "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
-proof(induct rule:ind)
-case Nil
-thus ?case
-by (unfold cntP_def cntV_def pvD_def cntCS_def holdents_def
-s_holding_def, simp)
-next
-case (Cons s e)
-interpret vt_e: valid_trace_e s e using Cons by simp
-show ?case
-proof(cases e)
-case (Create th prio)
-interpret vt_create: valid_trace_create s e th prio
-using Create by (unfold_locales, simp)
-show ?thesis using Cons by (simp add: vt_create.cnp_cnv_cncs_kept)
-next
-case (Exit th)
-interpret vt_exit: valid_trace_exit s e th
-using Exit by (unfold_locales, simp)
-show ?thesis using Cons by (simp add: vt_exit.cnp_cnv_cncs_kept)
-next
-case (P th cs)
-interpret vt_p: valid_trace_p s e th cs using P by (unfold_locales, simp)
-show ?thesis using Cons by (simp add: vt_p.cnp_cnv_cncs_kept)
-next
-case (V th cs)
-interpret vt_v: valid_trace_v s e th cs using V by (unfold_locales, simp)
-show ?thesis using Cons by (simp add: vt_v.cnp_cnv_cncs_kept)
-next
-case (Set th prio)
-interpret vt_set: valid_trace_set s e th prio
-using Set by (unfold_locales, simp)
-show ?thesis using Cons by (simp add: vt_set.cnp_cnv_cncs_kept)
-qed
-qed
-lemma not_thread_holdents:
-assumes not_in: "th \<notin> threads s"
-shows "holdents s th = {}"
-proof -
-{ fix cs
-assume "cs \<in> holdents s th"
-hence "holding s th cs" by (auto simp:holdents_def)
-from this[unfolded s_holding_def, folded wq_def]
-have "th \<in> set (wq s cs)" by auto
-with wq_threads have "th \<in> threads s" by auto
-with assms
-have False by simp
-} thus ?thesis by auto
-qed
-lemma not_thread_cncs:
-assumes not_in: "th \<notin> threads s"
-shows "cntCS s th = 0"
-using not_thread_holdents[OF assms]
-by (simp add:cntCS_def)
-lemma cnp_cnv_eq:
-assumes "th \<notin> threads s"
-shows "cntP s th = cntV s th"
-using assms cnp_cnv_cncs not_thread_cncs pvD_def
-by (auto)
-lemma runing_unique:
-assumes runing_1: "th1 \<in> runing s"
-and runing_2: "th2 \<in> runing s"
-shows "th1 = th2"
-proof -
-from runing_1 and runing_2 have "cp s th1 = cp s th2"
-unfolding runing_def by auto
-from this[unfolded cp_alt_def]
-have eq_max:
-"Max (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th1)}) =
-Max (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th2)})"
-(is "Max ?L = Max ?R") .
-have "Max ?L \<in> ?L"
-proof(rule Max_in)
-show "finite ?L" by (simp add: finite_subtree_threads)
-next
-show "?L \<noteq> {}" using subtree_def by fastforce
-qed
-then obtain th1' where
-h_1: "Th th1' \<in> subtree (RAG s) (Th th1)" "the_preced s th1' = Max ?L"
-by auto
-have "Max ?R \<in> ?R"
-proof(rule Max_in)
-show "finite ?R" by (simp add: finite_subtree_threads)
-next
-show "?R \<noteq> {}" using subtree_def by fastforce
-qed
-then obtain th2' where
-h_2: "Th th2' \<in> subtree (RAG s) (Th th2)" "the_preced s th2' = Max ?R"
-by auto
-have "th1' = th2'"
-proof(rule preced_unique)
-from h_1(1)
-show "th1' \<in> threads s"
-proof(cases rule:subtreeE)
-case 1
-hence "th1' = th1" by simp
-with runing_1 show ?thesis by (auto simp:runing_def readys_def)
-next
-case 2
-from this(2)
-have "(Th th1', Th th1) \<in> (RAG s)^+" by (auto simp:ancestors_def)
-from tranclD[OF this]
-have "(Th th1') \<in> Domain (RAG s)" by auto
-from dm_RAG_threads[OF this] show ?thesis .
-qed
-next
-from h_2(1)
-show "th2' \<in> threads s"
-proof(cases rule:subtreeE)
-case 1
-hence "th2' = th2" by simp
-with runing_2 show ?thesis by (auto simp:runing_def readys_def)
-next
-case 2
-from this(2)
-have "(Th th2', Th th2) \<in> (RAG s)^+" by (auto simp:ancestors_def)
-from tranclD[OF this]
-have "(Th th2') \<in> Domain (RAG s)" by auto
-from dm_RAG_threads[OF this] show ?thesis .
-qed
-next
-have "the_preced s th1' = the_preced s th2'"
-using eq_max h_1(2) h_2(2) by metis
-thus "preced th1' s = preced th2' s" by (simp add:the_preced_def)
-qed
-from h_1(1)[unfolded this]
-have star1: "(Th th2', Th th1) \<in> (RAG s)^*" by (auto simp:subtree_def)
-from h_2(1)[unfolded this]
-have star2: "(Th th2', Th th2) \<in> (RAG s)^*" by (auto simp:subtree_def)
-from star_rpath[OF star1] obtain xs1
-where rp1: "rpath (RAG s) (Th th2') xs1 (Th th1)"
-by auto
-from star_rpath[OF star2] obtain xs2
-where rp2: "rpath (RAG s) (Th th2') xs2 (Th th2)"
-by auto
-from rp1 rp2
-show ?thesis
-proof(cases)
-case (less_1 xs')
-moreover have "xs' = []"
-proof(rule ccontr)
-assume otherwise: "xs' \<noteq> []"
-from rpath_plus[OF less_1(3) this]
-have "(Th th1, Th th2) \<in> (RAG s)\<^sup>+" .
-from tranclD[OF this]
-obtain cs where "waiting s th1 cs"
-by (unfold s_RAG_def, fold waiting_eq, auto)
-with runing_1 show False
-by (unfold runing_def readys_def, auto)
-qed
-ultimately have "xs2 = xs1" by simp
-from rpath_dest_eq[OF rp1 rp2[unfolded this]]
-show ?thesis by simp
-next
-case (less_2 xs')
-moreover have "xs' = []"
-proof(rule ccontr)
-assume otherwise: "xs' \<noteq> []"
-from rpath_plus[OF less_2(3) this]
-have "(Th th2, Th th1) \<in> (RAG s)\<^sup>+" .
-from tranclD[OF this]
-obtain cs where "waiting s th2 cs"
-by (unfold s_RAG_def, fold waiting_eq, auto)
-with runing_2 show False
-by (unfold runing_def readys_def, auto)
-qed
-ultimately have "xs2 = xs1" by simp
-from rpath_dest_eq[OF rp1 rp2[unfolded this]]
-show ?thesis by simp
-qed
-qed
-lemma card_runing: "card (runing s) \<le> 1"
-proof(cases "runing s = {}")
-case True
-thus ?thesis by auto
-next
-case False
-then obtain th where [simp]: "th \<in> runing s" by auto
-from runing_unique[OF this]
-have "runing s = {th}" by auto
-thus ?thesis by auto
-qed
-lemma create_pre:
-assumes stp: "step s e"
-and not_in: "th \<notin> threads s"
-and is_in: "th \<in> threads (e#s)"
-obtains prio where "e = Create th prio"
-proof -
-from assms
-show ?thesis
-proof(cases)
-case (thread_create thread prio)
-with is_in not_in have "e = Create th prio" by simp
-from that[OF this] show ?thesis .
-next
-case (thread_exit thread)
-with assms show ?thesis by (auto intro!:that)
-next
-case (thread_P thread)
-with assms show ?thesis by (auto intro!:that)
-next
-case (thread_V thread)
-with assms show ?thesis by (auto intro!:that)
-next
-case (thread_set thread)
-with assms show ?thesis by (auto intro!:that)
-qed
-qed
-lemma eq_pv_children:
-assumes eq_pv: "cntP s th = cntV s th"
-shows "children (RAG s) (Th th) = {}"
-proof -
-from cnp_cnv_cncs and eq_pv
-have "cntCS s th = 0"
-by (auto split:if_splits)
-from this[unfolded cntCS_def holdents_alt_def]
-have card_0: "card (the_cs ` children (RAG s) (Th th)) = 0" .
-have "finite (the_cs ` children (RAG s) (Th th))"
-by (simp add: fsbtRAGs.finite_children)
-from card_0[unfolded card_0_eq[OF this]]
-show ?thesis by auto
-qed
-lemma eq_pv_holdents:
-assumes eq_pv: "cntP s th = cntV s th"
-shows "holdents s th = {}"
-by (unfold holdents_alt_def eq_pv_children[OF assms], simp)
-lemma eq_pv_subtree:
-assumes eq_pv: "cntP s th = cntV s th"
-shows "subtree (RAG s) (Th th) = {Th th}"
-using eq_pv_children[OF assms]
-by (unfold subtree_children, simp)
-end
-lemma cp_gen_alt_def:
-"cp_gen s = (Max \<circ> (\<lambda>x. (the_preced s \<circ> the_thread) ` subtree (tRAG s) x))"
-by (auto simp:cp_gen_def)
 lemma tRAG_nodeE:
 assumes "(n1, n2) \<in> tRAG s"
 obtains th1 th2 where "n1 = Th th1" "n2 = Th th2"
 using assms
-by (auto simp: tRAG_def wRAG_def hRAG_def tRAG_def)
+by (auto simp: tRAG_def wRAG_def hRAG_def)
+lemma tRAG_ancestorsE:
+assumes "x \<in> ancestors (tRAG s) u"
+obtains th where "x = Th th"
+proof -
+from assms have "(u, x) \<in> (tRAG s)^+"
+by (unfold ancestors_def, auto)
+from tranclE[OF this] obtain c where "(c, x) \<in> tRAG s" by auto
+then obtain th where "x = Th th"
+by (unfold tRAG_alt_def, auto)
+from that[OF this] show ?thesis .
+qed
 lemma subtree_nodeE:
 assumes "n \<in> subtree (tRAG s) (Th th)"
 obtains th1 where "n = Th th1"
 proof -
 show ?thesis
 lemma tRAG_trancl_eq_Th:
 "{Th th' | th'. (Th th', Th th)  \<in> (tRAG s)^+} =
 {Th th' | th'. (Th th', Th th)  \<in> (RAG s)^+}"
 using tRAG_trancl_eq by auto
+lemma tRAG_Field:
+"Field (tRAG s) \<subseteq> Field (RAG s)"
+by (unfold tRAG_alt_def Field_def, auto)
+lemma tRAG_mono:
+assumes "RAG s' \<subseteq> RAG s"
+shows "tRAG s' \<subseteq> tRAG s"
+using assms
+by (unfold tRAG_alt_def, auto)
+lemma tRAG_subtree_eq:
+"(subtree (tRAG s) (Th th)) = {Th th' | th'. Th th'  \<in> (subtree (RAG s) (Th th))}"
+(is "?L = ?R")
+proof -
+{ fix n
+assume h: "n \<in> ?L"
+hence "n \<in> ?R"
+by (smt mem_Collect_eq subsetCE subtree_def subtree_nodeE tRAG_subtree_RAG)
+} moreover {
+fix n
+assume "n \<in> ?R"
+then obtain th' where h: "n = Th th'" "(Th th', Th th) \<in> (RAG s)^*"
+by (auto simp:subtree_def)
+from rtranclD[OF this(2)]
+have "n \<in> ?L"
+proof
+assume "Th th' \<noteq> Th th \<and> (Th th', Th th) \<in> (RAG s)\<^sup>+"
+with h have "n \<in> {Th th' | th'. (Th th', Th th)  \<in> (RAG s)^+}" by auto
+thus ?thesis using subtree_def tRAG_trancl_eq by fastforce
+qed (insert h, auto simp:subtree_def)
+} ultimately show ?thesis by auto
+qed
+lemma threads_set_eq:
+"the_thread ` (subtree (tRAG s) (Th th)) =
+{th'. Th th' \<in> (subtree (RAG s) (Th th))}" (is "?L = ?R")
+by (auto intro:rev_image_eqI simp:tRAG_subtree_eq)
 lemma dependants_alt_def:
 "dependants s th = {th'. (Th th', Th th) \<in> (tRAG s)^+}"
 by (metis eq_RAG s_dependants_def tRAG_trancl_eq)
 lemma dependants_alt_def1:
 "dependants (s::state) th = {th'. (Th th', Th th) \<in> (RAG s)^+}"
 using dependants_alt_def tRAG_trancl_eq by auto
+section {* Chain to readys *}
 context valid_trace
 begin
+lemma chain_building:
+assumes "node \<in> Domain (RAG s)"
+obtains th' where "th' \<in> readys s" "(node, Th th') \<in> (RAG s)^+"
+proof -
+from assms have "node \<in> Range ((RAG s)^-1)" by auto
+from wf_base[OF wf_RAG_converse this]
+obtain b where h_b: "(b, node) \<in> ((RAG s)\<inverse>)\<^sup>+" "\<forall>c. (c, b) \<notin> (RAG s)\<inverse>" by auto
+obtain th' where eq_b: "b = Th th'"
+proof(cases b)
+case (Cs cs)
+from h_b(1)[unfolded trancl_converse]
+have "(node, b) \<in> ((RAG s)\<^sup>+)" by auto
+from tranclE[OF this]
+obtain n where "(n, b) \<in> RAG s" by auto
+from this[unfolded Cs]
+obtain th1 where "waiting s th1 cs"
+by (unfold s_RAG_def, fold waiting_eq, auto)
+from waiting_holding[OF this]
+obtain th2 where "holding s th2 cs" .
+hence "(Cs cs, Th th2) \<in> RAG s"
+by (unfold s_RAG_def, fold holding_eq, auto)
+with h_b(2)[unfolded Cs, rule_format]
+have False by auto
+thus ?thesis by auto
+qed auto
+have "th' \<in> readys s"
+proof -
+from h_b(2)[unfolded eq_b]
+have "\<forall>cs. \<not> waiting s th' cs"
+by (unfold s_RAG_def, fold waiting_eq, auto)
+moreover have "th' \<in> threads s"
+proof(rule rg_RAG_threads)
+from tranclD[OF h_b(1), unfolded eq_b]
+obtain z where "(z, Th th') \<in> (RAG s)" by auto
+thus "Th th' \<in> Range (RAG s)" by auto
+qed
+ultimately show ?thesis by (auto simp:readys_def)
+qed
+moreover have "(node, Th th') \<in> (RAG s)^+"
+using h_b(1)[unfolded trancl_converse] eq_b by auto
+ultimately show ?thesis using that by metis
+qed
+text {* \noindent
+The following is just an instance of @{text "chain_building"}.
+*}
+lemma th_chain_to_ready:
+assumes th_in: "th \<in> threads s"
+shows "th \<in> readys s \<or> (\<exists> th'. th' \<in> readys s \<and> (Th th, Th th') \<in> (RAG s)^+)"
+proof(cases "th \<in> readys s")
+case True
+thus ?thesis by auto
+next
+case False
+from False and th_in have "Th th \<in> Domain (RAG s)"
+by (auto simp:readys_def s_waiting_def s_RAG_def wq_def cs_waiting_def Domain_def)
+from chain_building [rule_format, OF this]
+show ?thesis by auto
+qed
+lemma finite_subtree_threads:
+"finite {th'. Th th' \<in> subtree (RAG s) (Th th)}" (is "finite ?A")
+proof -
+have "?A = the_thread ` {Th th' | th' . Th th' \<in> subtree (RAG s) (Th th)}"
+by (auto, insert image_iff, fastforce)
+moreover have "finite {Th th' | th' . Th th' \<in> subtree (RAG s) (Th th)}"
+(is "finite ?B")
+proof -
+have "?B = (subtree (RAG s) (Th th)) \<inter> {Th th' | th'. True}"
+by auto
+moreover have "... \<subseteq> (subtree (RAG s) (Th th))" by auto
+moreover have "finite ..." by (simp add: fsbtRAGs.finite_subtree)
+ultimately show ?thesis by auto
+qed
+ultimately show ?thesis by auto
+qed
+lemma runing_unique:
+assumes runing_1: "th1 \<in> runing s"
+and runing_2: "th2 \<in> runing s"
+shows "th1 = th2"
+proof -
+from runing_1 and runing_2 have "cp s th1 = cp s th2"
+unfolding runing_def by auto
+from this[unfolded cp_alt_def]
+have eq_max:
+"Max (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th1)}) =
+Max (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th2)})"
+(is "Max ?L = Max ?R") .
+have "Max ?L \<in> ?L"
+proof(rule Max_in)
+show "finite ?L" by (simp add: finite_subtree_threads)
+next
+show "?L \<noteq> {}" using subtree_def by fastforce
+qed
+then obtain th1' where
+h_1: "Th th1' \<in> subtree (RAG s) (Th th1)" "the_preced s th1' = Max ?L"
+by auto
+have "Max ?R \<in> ?R"
+proof(rule Max_in)
+show "finite ?R" by (simp add: finite_subtree_threads)
+next
+show "?R \<noteq> {}" using subtree_def by fastforce
+qed
+then obtain th2' where
+h_2: "Th th2' \<in> subtree (RAG s) (Th th2)" "the_preced s th2' = Max ?R"
+by auto
+have "th1' = th2'"
+proof(rule preced_unique)
+from h_1(1)
+show "th1' \<in> threads s"
+proof(cases rule:subtreeE)
+case 1
+hence "th1' = th1" by simp
+with runing_1 show ?thesis by (auto simp:runing_def readys_def)
+next
+case 2
+from this(2)
+have "(Th th1', Th th1) \<in> (RAG s)^+" by (auto simp:ancestors_def)
+from tranclD[OF this]
+have "(Th th1') \<in> Domain (RAG s)" by auto
+from dm_RAG_threads[OF this] show ?thesis .
+qed
+next
+from h_2(1)
+show "th2' \<in> threads s"
+proof(cases rule:subtreeE)
+case 1
+hence "th2' = th2" by simp
+with runing_2 show ?thesis by (auto simp:runing_def readys_def)
+next
+case 2
+from this(2)
+have "(Th th2', Th th2) \<in> (RAG s)^+" by (auto simp:ancestors_def)
+from tranclD[OF this]
+have "(Th th2') \<in> Domain (RAG s)" by auto
+from dm_RAG_threads[OF this] show ?thesis .
+qed
+next
+have "the_preced s th1' = the_preced s th2'"
+using eq_max h_1(2) h_2(2) by metis
+thus "preced th1' s = preced th2' s" by (simp add:the_preced_def)
+qed
+from h_1(1)[unfolded this]
+have star1: "(Th th2', Th th1) \<in> (RAG s)^*" by (auto simp:subtree_def)
+from h_2(1)[unfolded this]
+have star2: "(Th th2', Th th2) \<in> (RAG s)^*" by (auto simp:subtree_def)
+from star_rpath[OF star1] obtain xs1
+where rp1: "rpath (RAG s) (Th th2') xs1 (Th th1)"
+by auto
+from star_rpath[OF star2] obtain xs2
+where rp2: "rpath (RAG s) (Th th2') xs2 (Th th2)"
+by auto
+from rp1 rp2
+show ?thesis
+proof(cases)
+case (less_1 xs')
+moreover have "xs' = []"
+proof(rule ccontr)
+assume otherwise: "xs' \<noteq> []"
+from rpath_plus[OF less_1(3) this]
+have "(Th th1, Th th2) \<in> (RAG s)\<^sup>+" .
+from tranclD[OF this]
+obtain cs where "waiting s th1 cs"
+by (unfold s_RAG_def, fold waiting_eq, auto)
+with runing_1 show False
+by (unfold runing_def readys_def, auto)
+qed
+ultimately have "xs2 = xs1" by simp
+from rpath_dest_eq[OF rp1 rp2[unfolded this]]
+show ?thesis by simp
+next
+case (less_2 xs')
+moreover have "xs' = []"
+proof(rule ccontr)
+assume otherwise: "xs' \<noteq> []"
+from rpath_plus[OF less_2(3) this]
+have "(Th th2, Th th1) \<in> (RAG s)\<^sup>+" .
+from tranclD[OF this]
+obtain cs where "waiting s th2 cs"
+by (unfold s_RAG_def, fold waiting_eq, auto)
+with runing_2 show False
+by (unfold runing_def readys_def, auto)
+qed
+ultimately have "xs2 = xs1" by simp
+from rpath_dest_eq[OF rp1 rp2[unfolded this]]
+show ?thesis by simp
+qed
+qed
+lemma card_runing: "card (runing s) \<le> 1"
+proof(cases "runing s = {}")
+case True
+thus ?thesis by auto
+next
+case False
+then obtain th where [simp]: "th \<in> runing s" by auto
+from runing_unique[OF this]
+have "runing s = {th}" by auto
+thus ?thesis by auto
+qed
+end
+section {* Relating @{term cp} and @{term the_preced} and @{term preced} *}
+context valid_trace
+begin
+lemma le_cp:
+shows "preced th s \<le> cp s th"
+proof(unfold cp_alt_def, rule Max_ge)
+show "finite (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th)})"
+by (simp add: finite_subtree_threads)
+next
+show "preced th s \<in> the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th)}"
+by (simp add: subtree_def the_preced_def)
+qed
+lemma cp_le:
+assumes th_in: "th \<in> threads s"
+shows "cp s th \<le> Max (the_preced s ` threads s)"
+proof(unfold cp_alt_def, rule Max_f_mono)
+show "finite (threads s)" by (simp add: finite_threads)
+next
+show " {th'. Th th' \<in> subtree (RAG s) (Th th)} \<noteq> {}"
+using subtree_def by fastforce
+next
+show "{th'. Th th' \<in> subtree (RAG s) (Th th)} \<subseteq> threads s"
+using assms
+by (smt Domain.DomainI dm_RAG_threads mem_Collect_eq
+node.inject(1) rtranclD subsetI subtree_def trancl_domain)
+qed
+lemma max_cp_eq:
+shows "Max ((cp s) ` threads s) = Max (the_preced s ` threads s)"
+(is "?L = ?R")
+proof -
+have "?L \<le> ?R"
+proof(cases "threads s = {}")
+case False
+show ?thesis
+by (rule Max.boundedI,
+insert cp_le,
+auto simp:finite_threads False)
+qed auto
+moreover have "?R \<le> ?L"
+by (rule Max_fg_mono,
+simp add: finite_threads,
+simp add: le_cp the_preced_def)
+ultimately show ?thesis by auto
+qed
+end
+section {* Relating @{term cntP}, @{term cntV}, @{term cntCS} and @{term pvD} *}
+context valid_trace_p_w
+begin
+lemma holding_s_holder: "holding s holder cs"
+by (unfold s_holding_def, fold wq_def, unfold wq_s_cs, auto)
+lemma holding_es_holder: "holding (e#s) holder cs"
+by (unfold s_holding_def, fold wq_def, unfold wq_es_cs wq_s_cs, auto)
+lemma holdents_es:
+shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
+proof -
+{ fix cs'
+assume "cs' \<in> ?L"
+hence h: "holding (e#s) th' cs'" by (auto simp:holdents_def)
+have "holding s th' cs'"
+proof(cases "cs' = cs")
+case True
+from held_unique[OF h[unfolded True] holding_es_holder]
+have "th' = holder" .
+thus ?thesis
+by (unfold True holdents_def, insert holding_s_holder, simp)
+next
+case False
+hence "wq (e#s) cs' = wq s cs'" by simp
+from h[unfolded s_holding_def, folded wq_def, unfolded this]
+show ?thesis
+by (unfold s_holding_def, fold wq_def, auto)
+qed
+hence "cs' \<in> ?R" by (auto simp:holdents_def)
+} moreover {
+fix cs'
+assume "cs' \<in> ?R"
+hence h: "holding s th' cs'" by (auto simp:holdents_def)
+have "holding (e#s) th' cs'"
+proof(cases "cs' = cs")
+case True
+from held_unique[OF h[unfolded True] holding_s_holder]
+have "th' = holder" .
+thus ?thesis
+by (unfold True holdents_def, insert holding_es_holder, simp)
+next
+case False
+hence "wq s cs' = wq (e#s) cs'" by simp
+from h[unfolded s_holding_def, folded wq_def, unfolded this]
+show ?thesis
+by (unfold s_holding_def, fold wq_def, auto)
+qed
+hence "cs' \<in> ?L" by (auto simp:holdents_def)
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_es_th[simp]: "cntCS (e#s) th' = cntCS s th'"
+by (unfold cntCS_def holdents_es, simp)
+lemma th_not_ready_es:
+shows "th \<notin> readys (e#s)"
+using waiting_es_th_cs
+by (unfold readys_def, auto)
+end
+lemma (in valid_trace) finite_holdents: "finite (holdents s th)"
+by (unfold holdents_alt_def, insert fsbtRAGs.finite_children, auto)
+context valid_trace_p
+begin
+lemma ready_th_s: "th \<in> readys s"
+using runing_th_s
+by (unfold runing_def, auto)
+lemma live_th_s: "th \<in> threads s"
+using readys_threads ready_th_s by auto
+lemma live_th_es: "th \<in> threads (e#s)"
+using live_th_s
+by (unfold is_p, simp)
+lemma waiting_neq_th:
+assumes "waiting s t c"
+shows "t \<noteq> th"
+using assms using th_not_waiting by blast
+end
+context valid_trace_p_h
+begin
+lemma th_not_waiting':
+"\<not> waiting (e#s) th cs'"
+proof(cases "cs' = cs")
+case True
+show ?thesis
+by (unfold True s_waiting_def, fold wq_def, unfold wq_es_cs', auto)
+next
+case False
+from th_not_waiting[of cs', unfolded s_waiting_def, folded wq_def]
+show ?thesis
+by (unfold s_waiting_def, fold wq_def, insert False, simp)
+qed
+lemma ready_th_es:
+shows "th \<in> readys (e#s)"
+using th_not_waiting'
+by (unfold readys_def, insert live_th_es, auto)
+lemma holdents_es_th:
+"holdents (e#s) th = (holdents s th) \<union> {cs}" (is "?L = ?R")
+proof -
+{ fix cs'
+assume "cs' \<in> ?L"
+hence "holding (e#s) th cs'"
+by (unfold holdents_def, auto)
+hence "cs' \<in> ?R"
+by (cases rule:holding_esE, auto simp:holdents_def)
+} moreover {
+fix cs'
+assume "cs' \<in> ?R"
+hence "holding s th cs' \<or> cs' = cs"
+by (auto simp:holdents_def)
+hence "cs' \<in> ?L"
+proof
+assume "holding s th cs'"
+from holding_kept[OF this]
+show ?thesis by (auto simp:holdents_def)
+next
+assume "cs' = cs"
+thus ?thesis using holding_es_th_cs
+by (unfold holdents_def, auto)
+qed
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_es_th: "cntCS (e#s) th = cntCS s th + 1"
+proof -
+have "card (holdents s th \<union> {cs}) = card (holdents s th) + 1"
+proof(subst card_Un_disjoint)
+show "holdents s th \<inter> {cs} = {}"
+using not_holding_s_th_cs by (auto simp:holdents_def)
+qed (auto simp:finite_holdents)
+thus ?thesis
+by (unfold cntCS_def holdents_es_th, simp)
+qed
+lemma no_holder:
+"\<not> holding s th' cs"
+proof
+assume otherwise: "holding s th' cs"
+from this[unfolded s_holding_def, folded wq_def, unfolded we]
+show False by auto
+qed
+lemma holdents_es_th':
+assumes "th' \<noteq> th"
+shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
+proof -
+{ fix cs'
+assume "cs' \<in> ?L"
+hence h_e: "holding (e#s) th' cs'" by (auto simp:holdents_def)
+have "cs' \<noteq> cs"
+proof
+assume "cs' = cs"
+from held_unique[OF h_e[unfolded this] holding_es_th_cs]
+have "th' = th" .
+with assms show False by simp
+qed
+from h_e[unfolded s_holding_def, folded wq_def, unfolded wq_neq_simp[OF this]]
+have "th' \<in> set (wq s cs') \<and> th' = hd (wq s cs')" .
+hence "cs' \<in> ?R"
+by (unfold holdents_def s_holding_def, fold wq_def, auto)
+} moreover {
+fix cs'
+assume "cs' \<in> ?R"
+hence "holding s th' cs'" by (auto simp:holdents_def)
+from holding_kept[OF this]
+have "holding (e # s) th' cs'" .
+hence "cs' \<in> ?L"
+by (unfold holdents_def, auto)
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_es_th'[simp]:
+assumes "th' \<noteq> th"
+shows "cntCS (e#s) th' = cntCS s th'"
+by (unfold cntCS_def holdents_es_th'[OF assms], simp)
+end
+context valid_trace_p
+begin
+lemma readys_kept1:
+assumes "th' \<noteq> th"
+and "th' \<in> readys (e#s)"
+shows "th' \<in> readys s"
+proof -
+{ fix cs'
+assume wait: "waiting s th' cs'"
+have n_wait: "\<not> waiting (e#s) th' cs'"
+using assms(2)[unfolded readys_def] by auto
+have False
+proof(cases "cs' = cs")
+case False
+with n_wait wait
+show ?thesis
+by (unfold s_waiting_def, fold wq_def, auto)
+next
+case True
+show ?thesis
+proof(cases "wq s cs = []")
+case True
+then interpret vt: valid_trace_p_h
+by (unfold_locales, simp)
+show ?thesis using n_wait wait waiting_kept by auto
+next
+case False
+then interpret vt: valid_trace_p_w by (unfold_locales, simp)
+show ?thesis using n_wait wait waiting_kept by blast
+qed
+qed
+} with assms(2) show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_kept2:
+assumes "th' \<noteq> th"
+and "th' \<in> readys s"
+shows "th' \<in> readys (e#s)"
+proof -
+{ fix cs'
+assume wait: "waiting (e#s) th' cs'"
+have n_wait: "\<not> waiting s th' cs'"
+using assms(2)[unfolded readys_def] by auto
+have False
+proof(cases "cs' = cs")
+case False
+with n_wait wait
+show ?thesis
+by (unfold s_waiting_def, fold wq_def, auto)
+next
+case True
+show ?thesis
+proof(cases "wq s cs = []")
+case True
+then interpret vt: valid_trace_p_h
+by (unfold_locales, simp)
+show ?thesis using n_wait vt.waiting_esE wait by blast
+next
+case False
+then interpret vt: valid_trace_p_w by (unfold_locales, simp)
+show ?thesis using assms(1) n_wait vt.waiting_esE wait by auto
+qed
+qed
+} with assms(2) show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_simp [simp]:
+assumes "th' \<noteq> th"
+shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
+using readys_kept1[OF assms] readys_kept2[OF assms]
+by metis
+lemma cnp_cnv_cncs_kept: (* ddd *)
+assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
+proof(cases "th' = th")
+case True
+note eq_th' = this
+show ?thesis
+proof(cases "wq s cs = []")
+case True
+then interpret vt: valid_trace_p_h by (unfold_locales, simp)
+show ?thesis
+using assms eq_th' is_p ready_th_s vt.cntCS_es_th vt.ready_th_es pvD_def by auto
+next
+case False
+then interpret vt: valid_trace_p_w by (unfold_locales, simp)
+show ?thesis
+using add.commute add.left_commute assms eq_th' is_p live_th_s
+ready_th_s vt.th_not_ready_es pvD_def
+apply (auto)
+by (fold is_p, simp)
+qed
+next
+case False
+note h_False = False
+thus ?thesis
+proof(cases "wq s cs = []")
+case True
+then interpret vt: valid_trace_p_h by (unfold_locales, simp)
+show ?thesis using assms
+by (insert True h_False pvD_def, auto split:if_splits,unfold is_p, auto)
+next
+case False
+then interpret vt: valid_trace_p_w by (unfold_locales, simp)
+show ?thesis using assms
+by (insert False h_False pvD_def, auto split:if_splits,unfold is_p, auto)
+qed
+qed
+end
+context valid_trace_v
+begin
+lemma holding_th_cs_s:
+"holding s th cs"
+by  (unfold s_holding_def, fold wq_def, unfold wq_s_cs, auto)
+lemma th_ready_s [simp]: "th \<in> readys s"
+using runing_th_s
+by (unfold runing_def readys_def, auto)
+lemma th_live_s [simp]: "th \<in> threads s"
+using th_ready_s by (unfold readys_def, auto)
+lemma th_ready_es [simp]: "th \<in> readys (e#s)"
+using runing_th_s neq_t_th
+by (unfold is_v runing_def readys_def, auto)
+lemma th_live_es [simp]: "th \<in> threads (e#s)"
+using th_ready_es by (unfold readys_def, auto)
+lemma pvD_th_s[simp]: "pvD s th = 0"
+by (unfold pvD_def, simp)
+lemma pvD_th_es[simp]: "pvD (e#s) th = 0"
+by (unfold pvD_def, simp)
+lemma cntCS_s_th [simp]: "cntCS s th > 0"
+proof -
+have "cs \<in> holdents s th" using holding_th_cs_s
+by (unfold holdents_def, simp)
+moreover have "finite (holdents s th)" using finite_holdents
+by simp
+ultimately show ?thesis
+by (unfold cntCS_def,
+auto intro!:card_gt_0_iff[symmetric, THEN iffD1])
+qed
+end
+context valid_trace_v
+begin
+lemma th_not_waiting:
+"\<not> waiting s th c"
+proof -
+have "th \<in> readys s"
+using runing_ready runing_th_s by blast
+thus ?thesis
+by (unfold readys_def, auto)
+qed
+lemma waiting_neq_th:
+assumes "waiting s t c"
+shows "t \<noteq> th"
+using assms using th_not_waiting by blast
+end
+context valid_trace_v_n
+begin
+lemma not_ready_taker_s[simp]:
+"taker \<notin> readys s"
+using waiting_taker
+by (unfold readys_def, auto)
+lemma taker_live_s [simp]: "taker \<in> threads s"
+proof -
+have "taker \<in> set wq'" by (simp add: eq_wq')
+from th'_in_inv[OF this]
+have "taker \<in> set rest" .
+hence "taker \<in> set (wq s cs)" by (simp add: wq_s_cs)
+thus ?thesis using wq_threads by auto
+qed
+lemma taker_live_es [simp]: "taker \<in> threads (e#s)"
+using taker_live_s threads_es by blast
+lemma taker_ready_es [simp]:
+shows "taker \<in> readys (e#s)"
+proof -
+{ fix cs'
+assume "waiting (e#s) taker cs'"
+hence False
+proof(cases rule:waiting_esE)
+case 1
+thus ?thesis using waiting_taker waiting_unique by auto
+qed simp
+} thus ?thesis by (unfold readys_def, auto)
+qed
+lemma neq_taker_th: "taker \<noteq> th"
+using th_not_waiting waiting_taker by blast
+lemma not_holding_taker_s_cs:
+shows "\<not> holding s taker cs"
+using holding_cs_eq_th neq_taker_th by auto
+lemma holdents_es_taker:
+"holdents (e#s) taker = holdents s taker \<union> {cs}" (is "?L = ?R")
+proof -
+{ fix cs'
+assume "cs' \<in> ?L"
+hence "holding (e#s) taker cs'" by (auto simp:holdents_def)
+hence "cs' \<in> ?R"
+proof(cases rule:holding_esE)
+case 2
+thus ?thesis by (auto simp:holdents_def)
+qed auto
+} moreover {
+fix cs'
+assume "cs' \<in> ?R"
+hence "holding s taker cs' \<or> cs' = cs" by (auto simp:holdents_def)
+hence "cs' \<in> ?L"
+proof
+assume "holding s taker cs'"
+hence "holding (e#s) taker cs'"
+using holding_esI2 holding_taker by fastforce
+thus ?thesis by (auto simp:holdents_def)
+next
+assume "cs' = cs"
+with holding_taker
+show ?thesis by (auto simp:holdents_def)
+qed
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_es_taker [simp]: "cntCS (e#s) taker = cntCS s taker + 1"
+proof -
+have "card (holdents s taker \<union> {cs}) = card (holdents s taker) + 1"
+proof(subst card_Un_disjoint)
+show "holdents s taker \<inter> {cs} = {}"
+using not_holding_taker_s_cs by (auto simp:holdents_def)
+qed (auto simp:finite_holdents)
+thus ?thesis
+by (unfold cntCS_def, insert holdents_es_taker, simp)
+qed
+lemma pvD_taker_s[simp]: "pvD s taker = 1"
+by (unfold pvD_def, simp)
+lemma pvD_taker_es[simp]: "pvD (e#s) taker = 0"
+by (unfold pvD_def, simp)
+lemma pvD_th_s[simp]: "pvD s th = 0"
+by (unfold pvD_def, simp)
+lemma pvD_th_es[simp]: "pvD (e#s) th = 0"
+by (unfold pvD_def, simp)
+lemma holdents_es_th:
+"holdents (e#s) th = holdents s th - {cs}" (is "?L = ?R")
+proof -
+{ fix cs'
+assume "cs' \<in> ?L"
+hence "holding (e#s) th cs'" by (auto simp:holdents_def)
+hence "cs' \<in> ?R"
+proof(cases rule:holding_esE)
+case 2
+thus ?thesis by (auto simp:holdents_def)
+qed (insert neq_taker_th, auto)
+} moreover {
+fix cs'
+assume "cs' \<in> ?R"
+hence "cs' \<noteq> cs" "holding s th cs'" by (auto simp:holdents_def)
+from holding_esI2[OF this]
+have "cs' \<in> ?L" by (auto simp:holdents_def)
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_es_th [simp]: "cntCS (e#s) th = cntCS s th - 1"
+proof -
+have "card (holdents s th - {cs}) = card (holdents s th) - 1"
+proof -
+have "cs \<in> holdents s th" using holding_th_cs_s
+by (auto simp:holdents_def)
+moreover have "finite (holdents s th)"
+by (simp add: finite_holdents)
+ultimately show ?thesis by auto
+qed
+thus ?thesis by (unfold cntCS_def holdents_es_th)
+qed
+lemma holdents_kept:
+assumes "th' \<noteq> taker"
+and "th' \<noteq> th"
+shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
+proof -
+{ fix cs'
+assume h: "cs' \<in> ?L"
+have "cs' \<in> ?R"
+proof(cases "cs' = cs")
+case False
+hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
+from h have "holding (e#s) th' cs'" by (auto simp:holdents_def)
+from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
+show ?thesis
+by (unfold holdents_def s_holding_def, fold wq_def, auto)
+next
+case True
+from h[unfolded this]
+have "holding (e#s) th' cs" by (auto simp:holdents_def)
+from held_unique[OF this holding_taker]
+have "th' = taker" .
+with assms show ?thesis by auto
+qed
+} moreover {
+fix cs'
+assume h: "cs' \<in> ?R"
+have "cs' \<in> ?L"
+proof(cases "cs' = cs")
+case False
+hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
+from h have "holding s th' cs'" by (auto simp:holdents_def)
+from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
+show ?thesis
+by (unfold holdents_def s_holding_def, fold wq_def, insert eq_wq, simp)
+next
+case True
+from h[unfolded this]
+have "holding s th' cs" by (auto simp:holdents_def)
+from held_unique[OF this holding_th_cs_s]
+have "th' = th" .
+with assms show ?thesis by auto
+qed
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_kept [simp]:
+assumes "th' \<noteq> taker"
+and "th' \<noteq> th"
+shows "cntCS (e#s) th' = cntCS s th'"
+by (unfold cntCS_def holdents_kept[OF assms], simp)
+lemma readys_kept1:
+assumes "th' \<noteq> taker"
+and "th' \<in> readys (e#s)"
+shows "th' \<in> readys s"
+proof -
+{ fix cs'
+assume wait: "waiting s th' cs'"
+have n_wait: "\<not> waiting (e#s) th' cs'"
+using assms(2)[unfolded readys_def] by auto
+have False
+proof(cases "cs' = cs")
+case False
+with n_wait wait
+show ?thesis
+by (unfold s_waiting_def, fold wq_def, auto)
+next
+case True
+have "th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest)"
+using wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] .
+moreover have "\<not> (th' \<in> set rest \<and> th' \<noteq> hd (taker # rest'))"
+using n_wait[unfolded True s_waiting_def, folded wq_def,
+unfolded wq_es_cs set_wq', unfolded eq_wq'] .
+ultimately have "th' = taker" by auto
+with assms(1)
+show ?thesis by simp
+qed
+} with assms(2) show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_kept2:
+assumes "th' \<noteq> taker"
+and "th' \<in> readys s"
+shows "th' \<in> readys (e#s)"
+proof -
+{ fix cs'
+assume wait: "waiting (e#s) th' cs'"
+have n_wait: "\<not> waiting s th' cs'"
+using assms(2)[unfolded readys_def] by auto
+have False
+proof(cases "cs' = cs")
+case False
+with n_wait wait
+show ?thesis
+by (unfold s_waiting_def, fold wq_def, auto)
+next
+case True
+have "th' \<in> set rest \<and> th' \<noteq> hd (taker # rest')"
+using  wait [unfolded True s_waiting_def, folded wq_def,
+unfolded wq_es_cs set_wq', unfolded eq_wq']  .
+moreover have "\<not> (th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest))"
+using n_wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] .
+ultimately have "th' = taker" by auto
+with assms(1)
+show ?thesis by simp
+qed
+} with assms(2) show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_simp [simp]:
+assumes "th' \<noteq> taker"
+shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
+using readys_kept1[OF assms] readys_kept2[OF assms]
+by metis
+lemma cnp_cnv_cncs_kept:
+assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
+proof -
+{ assume eq_th': "th' = taker"
+have ?thesis
+apply (unfold eq_th' pvD_taker_es cntCS_es_taker)
+by (insert neq_taker_th assms[unfolded eq_th'], unfold is_v, simp)
+} moreover {
+assume eq_th': "th' = th"
+have ?thesis
+apply (unfold eq_th' pvD_th_es cntCS_es_th)
+by (insert assms[unfolded eq_th'], unfold is_v, simp)
+} moreover {
+assume h: "th' \<noteq> taker" "th' \<noteq> th"
+have ?thesis using assms
+apply (unfold cntCS_kept[OF h], insert h, unfold is_v, simp)
+by (fold is_v, unfold pvD_def, simp)
+} ultimately show ?thesis by metis
+qed
+end
+context valid_trace_v_e
+begin
+lemma holdents_es_th:
+"holdents (e#s) th = holdents s th - {cs}" (is "?L = ?R")
+proof -
+{ fix cs'
+assume "cs' \<in> ?L"
+hence "holding (e#s) th cs'" by (auto simp:holdents_def)
+hence "cs' \<in> ?R"
+proof(cases rule:holding_esE)
+case 1
+thus ?thesis by (auto simp:holdents_def)
+qed
+} moreover {
+fix cs'
+assume "cs' \<in> ?R"
+hence "cs' \<noteq> cs" "holding s th cs'" by (auto simp:holdents_def)
+from holding_esI2[OF this]
+have "cs' \<in> ?L" by (auto simp:holdents_def)
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_es_th [simp]: "cntCS (e#s) th = cntCS s th - 1"
+proof -
+have "card (holdents s th - {cs}) = card (holdents s th) - 1"
+proof -
+have "cs \<in> holdents s th" using holding_th_cs_s
+by (auto simp:holdents_def)
+moreover have "finite (holdents s th)"
+by (simp add: finite_holdents)
+ultimately show ?thesis by auto
+qed
+thus ?thesis by (unfold cntCS_def holdents_es_th)
+qed
+lemma holdents_kept:
+assumes "th' \<noteq> th"
+shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
+proof -
+{ fix cs'
+assume h: "cs' \<in> ?L"
+have "cs' \<in> ?R"
+proof(cases "cs' = cs")
+case False
+hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
+from h have "holding (e#s) th' cs'" by (auto simp:holdents_def)
+from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
+show ?thesis
+by (unfold holdents_def s_holding_def, fold wq_def, auto)
+next
+case True
+from h[unfolded this]
+have "holding (e#s) th' cs" by (auto simp:holdents_def)
+from this[unfolded s_holding_def, folded wq_def,
+unfolded wq_es_cs nil_wq']
+show ?thesis by auto
+qed
+} moreover {
+fix cs'
+assume h: "cs' \<in> ?R"
+have "cs' \<in> ?L"
+proof(cases "cs' = cs")
+case False
+hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp
+from h have "holding s th' cs'" by (auto simp:holdents_def)
+from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq]
+show ?thesis
+by (unfold holdents_def s_holding_def, fold wq_def, insert eq_wq, simp)
+next
+case True
+from h[unfolded this]
+have "holding s th' cs" by (auto simp:holdents_def)
+from held_unique[OF this holding_th_cs_s]
+have "th' = th" .
+with assms show ?thesis by auto
+qed
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_kept [simp]:
+assumes "th' \<noteq> th"
+shows "cntCS (e#s) th' = cntCS s th'"
+by (unfold cntCS_def holdents_kept[OF assms], simp)
+lemma readys_kept1:
+assumes "th' \<in> readys (e#s)"
+shows "th' \<in> readys s"
+proof -
+{ fix cs'
+assume wait: "waiting s th' cs'"
+have n_wait: "\<not> waiting (e#s) th' cs'"
+using assms(1)[unfolded readys_def] by auto
+have False
+proof(cases "cs' = cs")
+case False
+with n_wait wait
+show ?thesis
+by (unfold s_waiting_def, fold wq_def, auto)
+next
+case True
+have "th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest)"
+using wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] .
+hence "th' \<in> set rest" by auto
+with set_wq' have "th' \<in> set wq'" by metis
+with nil_wq' show ?thesis by simp
+qed
+} thus ?thesis using assms
+by (unfold readys_def, auto)
+qed
+lemma readys_kept2:
+assumes "th' \<in> readys s"
+shows "th' \<in> readys (e#s)"
+proof -
+{ fix cs'
+assume wait: "waiting (e#s) th' cs'"
+have n_wait: "\<not> waiting s th' cs'"
+using assms[unfolded readys_def] by auto
+have False
+proof(cases "cs' = cs")
+case False
+with n_wait wait
+show ?thesis
+by (unfold s_waiting_def, fold wq_def, auto)
+next
+case True
+have "th' \<in> set [] \<and> th' \<noteq> hd []"
+using wait[unfolded True s_waiting_def, folded wq_def,
+unfolded wq_es_cs nil_wq'] .
+thus ?thesis by simp
+qed
+} with assms show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_simp [simp]:
+shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
+using readys_kept1[OF assms] readys_kept2[OF assms]
+by metis
+lemma cnp_cnv_cncs_kept:
+assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
+proof -
+{
+assume eq_th': "th' = th"
+have ?thesis
+apply (unfold eq_th' pvD_th_es cntCS_es_th)
+by (insert assms[unfolded eq_th'], unfold is_v, simp)
+} moreover {
+assume h: "th' \<noteq> th"
+have ?thesis using assms
+apply (unfold cntCS_kept[OF h], insert h, unfold is_v, simp)
+by (fold is_v, unfold pvD_def, simp)
+} ultimately show ?thesis by metis
+qed
+end
+context valid_trace_v
+begin
+lemma cnp_cnv_cncs_kept:
+assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
+proof(cases "rest = []")
+case True
+then interpret vt: valid_trace_v_e by (unfold_locales, simp)
+show ?thesis using assms using vt.cnp_cnv_cncs_kept by blast
+next
+case False
+then interpret vt: valid_trace_v_n by (unfold_locales, simp)
+show ?thesis using assms using vt.cnp_cnv_cncs_kept by blast
+qed
+end
+context valid_trace_create
+begin
+lemma th_not_live_s [simp]: "th \<notin> threads s"
+proof -
+from pip_e[unfolded is_create]
+show ?thesis by (cases, simp)
+qed
+lemma th_not_ready_s [simp]: "th \<notin> readys s"
+using th_not_live_s by (unfold readys_def, simp)
+lemma th_live_es [simp]: "th \<in> threads (e#s)"
+by (unfold is_create, simp)
+lemma not_waiting_th_s [simp]: "\<not> waiting s th cs'"
+proof
+assume "waiting s th cs'"
+from this[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+have "th \<in> set (wq s cs')" by auto
+from wq_threads[OF this] have "th \<in> threads s" .
+with th_not_live_s show False by simp
+qed
+lemma not_holding_th_s [simp]: "\<not> holding s th cs'"
+proof
+assume "holding s th cs'"
+from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept]
+have "th \<in> set (wq s cs')" by auto
+from wq_threads[OF this] have "th \<in> threads s" .
+with th_not_live_s show False by simp
+qed
+lemma not_waiting_th_es [simp]: "\<not> waiting (e#s) th cs'"
+proof
+assume "waiting (e # s) th cs'"
+from this[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+have "th \<in> set (wq s cs')" by auto
+from wq_threads[OF this] have "th \<in> threads s" .
+with th_not_live_s show False by simp
+qed
+lemma not_holding_th_es [simp]: "\<not> holding (e#s) th cs'"
+proof
+assume "holding (e # s) th cs'"
+from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept]
+have "th \<in> set (wq s cs')" by auto
+from wq_threads[OF this] have "th \<in> threads s" .
+with th_not_live_s show False by simp
+qed
+lemma ready_th_es [simp]: "th \<in> readys (e#s)"
+by (simp add:readys_def)
+lemma holdents_th_s: "holdents s th = {}"
+by (unfold holdents_def, auto)
+lemma holdents_th_es: "holdents (e#s) th = {}"
+by (unfold holdents_def, auto)
+lemma cntCS_th_s [simp]: "cntCS s th = 0"
+by (unfold cntCS_def, simp add:holdents_th_s)
+lemma cntCS_th_es [simp]: "cntCS (e#s) th = 0"
+by (unfold cntCS_def, simp add:holdents_th_es)
+lemma pvD_th_s [simp]: "pvD s th = 0"
+by (unfold pvD_def, simp)
+lemma pvD_th_es [simp]: "pvD (e#s) th = 0"
+by (unfold pvD_def, simp)
+lemma holdents_kept:
+assumes "th' \<noteq> th"
+shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
+proof -
+{ fix cs'
+assume h: "cs' \<in> ?L"
+hence "cs' \<in> ?R"
+by (unfold holdents_def s_holding_def, fold wq_def,
+unfold wq_kept, auto)
+} moreover {
+fix cs'
+assume h: "cs' \<in> ?R"
+hence "cs' \<in> ?L"
+by (unfold holdents_def s_holding_def, fold wq_def,
+unfold wq_kept, auto)
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_kept [simp]:
+assumes "th' \<noteq> th"
+shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R")
+using holdents_kept[OF assms]
+by (unfold cntCS_def, simp)
+lemma readys_kept1:
+assumes "th' \<noteq> th"
+and "th' \<in> readys (e#s)"
+shows "th' \<in> readys s"
+proof -
+{ fix cs'
+assume wait: "waiting s th' cs'"
+have n_wait: "\<not> waiting (e#s) th' cs'"
+using assms by (auto simp:readys_def)
+from wait[unfolded s_waiting_def, folded wq_def]
+n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+have False by auto
+} thus ?thesis using assms
+by (unfold readys_def, auto)
+qed
+lemma readys_kept2:
+assumes "th' \<noteq> th"
+and "th' \<in> readys s"
+shows "th' \<in> readys (e#s)"
+proof -
+{ fix cs'
+assume wait: "waiting (e#s) th' cs'"
+have n_wait: "\<not> waiting s th' cs'"
+using assms(2) by (auto simp:readys_def)
+from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+n_wait[unfolded s_waiting_def, folded wq_def]
+have False by auto
+} with assms show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_simp [simp]:
+assumes "th' \<noteq> th"
+shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
+using readys_kept1[OF assms] readys_kept2[OF assms]
+by metis
+lemma pvD_kept [simp]:
+assumes "th' \<noteq> th"
+shows "pvD (e#s) th' = pvD s th'"
+using assms
+by (unfold pvD_def, simp)
+lemma cnp_cnv_cncs_kept:
+assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
+proof -
+{
+assume eq_th': "th' = th"
+have ?thesis using assms
+by (unfold eq_th', simp, unfold is_create, simp)
+} moreover {
+assume h: "th' \<noteq> th"
+hence ?thesis using assms
+by (simp, simp add:is_create)
+} ultimately show ?thesis by metis
+qed
+end
+context valid_trace_exit
+begin
+lemma th_live_s [simp]: "th \<in> threads s"
+proof -
+from pip_e[unfolded is_exit]
+show ?thesis
+by (cases, unfold runing_def readys_def, simp)
+qed
+lemma th_ready_s [simp]: "th \<in> readys s"
+proof -
+from pip_e[unfolded is_exit]
+show ?thesis
+by (cases, unfold runing_def, simp)
+qed
+lemma th_not_live_es [simp]: "th \<notin> threads (e#s)"
+by (unfold is_exit, simp)
+lemma not_holding_th_s [simp]: "\<not> holding s th cs'"
+proof -
+from pip_e[unfolded is_exit]
+show ?thesis
+by (cases, unfold holdents_def, auto)
+qed
+lemma cntCS_th_s [simp]: "cntCS s th = 0"
+proof -
+from pip_e[unfolded is_exit]
+show ?thesis
+by (cases, unfold cntCS_def, simp)
+qed
+lemma not_holding_th_es [simp]: "\<not> holding (e#s) th cs'"
+proof
+assume "holding (e # s) th cs'"
+from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept]
+have "holding s th cs'"
+by (unfold s_holding_def, fold wq_def, auto)
+with not_holding_th_s
+show False by simp
+qed
+lemma ready_th_es [simp]: "th \<notin> readys (e#s)"
+by (simp add:readys_def)
+lemma holdents_th_s: "holdents s th = {}"
+by (unfold holdents_def, auto)
+lemma holdents_th_es: "holdents (e#s) th = {}"
+by (unfold holdents_def, auto)
+lemma cntCS_th_es [simp]: "cntCS (e#s) th = 0"
+by (unfold cntCS_def, simp add:holdents_th_es)
+lemma pvD_th_s [simp]: "pvD s th = 0"
+by (unfold pvD_def, simp)
+lemma pvD_th_es [simp]: "pvD (e#s) th = 0"
+by (unfold pvD_def, simp)
+lemma holdents_kept:
+assumes "th' \<noteq> th"
+shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
+proof -
+{ fix cs'
+assume h: "cs' \<in> ?L"
+hence "cs' \<in> ?R"
+by (unfold holdents_def s_holding_def, fold wq_def,
+unfold wq_kept, auto)
+} moreover {
+fix cs'
+assume h: "cs' \<in> ?R"
+hence "cs' \<in> ?L"
+by (unfold holdents_def s_holding_def, fold wq_def,
+unfold wq_kept, auto)
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_kept [simp]:
+assumes "th' \<noteq> th"
+shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R")
+using holdents_kept[OF assms]
+by (unfold cntCS_def, simp)
+lemma readys_kept1:
+assumes "th' \<noteq> th"
+and "th' \<in> readys (e#s)"
+shows "th' \<in> readys s"
+proof -
+{ fix cs'
+assume wait: "waiting s th' cs'"
+have n_wait: "\<not> waiting (e#s) th' cs'"
+using assms by (auto simp:readys_def)
+from wait[unfolded s_waiting_def, folded wq_def]
+n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+have False by auto
+} thus ?thesis using assms
+by (unfold readys_def, auto)
+qed
+lemma readys_kept2:
+assumes "th' \<noteq> th"
+and "th' \<in> readys s"
+shows "th' \<in> readys (e#s)"
+proof -
+{ fix cs'
+assume wait: "waiting (e#s) th' cs'"
+have n_wait: "\<not> waiting s th' cs'"
+using assms(2) by (auto simp:readys_def)
+from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+n_wait[unfolded s_waiting_def, folded wq_def]
+have False by auto
+} with assms show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_simp [simp]:
+assumes "th' \<noteq> th"
+shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
+using readys_kept1[OF assms] readys_kept2[OF assms]
+by metis
+lemma pvD_kept [simp]:
+assumes "th' \<noteq> th"
+shows "pvD (e#s) th' = pvD s th'"
+using assms
+by (unfold pvD_def, simp)
+lemma cnp_cnv_cncs_kept:
+assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
+proof -
+{
+assume eq_th': "th' = th"
+have ?thesis using assms
+by (unfold eq_th', simp, unfold is_exit, simp)
+} moreover {
+assume h: "th' \<noteq> th"
+hence ?thesis using assms
+by (simp, simp add:is_exit)
+} ultimately show ?thesis by metis
+qed
+end
+context valid_trace_set
+begin
+lemma th_live_s [simp]: "th \<in> threads s"
+proof -
+from pip_e[unfolded is_set]
+show ?thesis
+by (cases, unfold runing_def readys_def, simp)
+qed
+lemma th_ready_s [simp]: "th \<in> readys s"
+proof -
+from pip_e[unfolded is_set]
+show ?thesis
+by (cases, unfold runing_def, simp)
+qed
+lemma th_not_live_es [simp]: "th \<in> threads (e#s)"
+by (unfold is_set, simp)
+lemma holdents_kept:
+shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")
+proof -
+{ fix cs'
+assume h: "cs' \<in> ?L"
+hence "cs' \<in> ?R"
+by (unfold holdents_def s_holding_def, fold wq_def,
+unfold wq_kept, auto)
+} moreover {
+fix cs'
+assume h: "cs' \<in> ?R"
+hence "cs' \<in> ?L"
+by (unfold holdents_def s_holding_def, fold wq_def,
+unfold wq_kept, auto)
+} ultimately show ?thesis by auto
+qed
+lemma cntCS_kept [simp]:
+shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R")
+using holdents_kept
+by (unfold cntCS_def, simp)
+lemma threads_kept[simp]:
+"threads (e#s) = threads s"
+by (unfold is_set, simp)
+lemma readys_kept1:
+assumes "th' \<in> readys (e#s)"
+shows "th' \<in> readys s"
+proof -
+{ fix cs'
+assume wait: "waiting s th' cs'"
+have n_wait: "\<not> waiting (e#s) th' cs'"
+using assms by (auto simp:readys_def)
+from wait[unfolded s_waiting_def, folded wq_def]
+n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+have False by auto
+} moreover have "th' \<in> threads s"
+using assms[unfolded readys_def] by auto
+ultimately show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_kept2:
+assumes "th' \<in> readys s"
+shows "th' \<in> readys (e#s)"
+proof -
+{ fix cs'
+assume wait: "waiting (e#s) th' cs'"
+have n_wait: "\<not> waiting s th' cs'"
+using assms by (auto simp:readys_def)
+from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept]
+n_wait[unfolded s_waiting_def, folded wq_def]
+have False by auto
+} with assms show ?thesis
+by (unfold readys_def, auto)
+qed
+lemma readys_simp [simp]:
+shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)"
+using readys_kept1 readys_kept2
+by metis
+lemma pvD_kept [simp]:
+shows "pvD (e#s) th' = pvD s th'"
+by (unfold pvD_def, simp)
+lemma cnp_cnv_cncs_kept:
+assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+shows "cntP (e#s) th' = cntV (e#s) th' +  cntCS (e#s) th' + pvD (e#s) th'"
+using assms
+by (unfold is_set, simp, fold is_set, simp)
+end
+context valid_trace
+begin
+lemma cnp_cnv_cncs: "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"
+proof(induct rule:ind)
+case Nil
+thus ?case
+by (unfold cntP_def cntV_def pvD_def cntCS_def holdents_def
+s_holding_def, simp)
+next
+case (Cons s e)
+interpret vt_e: valid_trace_e s e using Cons by simp
+show ?case
+proof(cases e)
+case (Create th prio)
+interpret vt_create: valid_trace_create s e th prio
+using Create by (unfold_locales, simp)
+show ?thesis using Cons by (simp add: vt_create.cnp_cnv_cncs_kept)
+next
+case (Exit th)
+interpret vt_exit: valid_trace_exit s e th
+using Exit by (unfold_locales, simp)
+show ?thesis using Cons by (simp add: vt_exit.cnp_cnv_cncs_kept)
+next
+case (P th cs)
+interpret vt_p: valid_trace_p s e th cs using P by (unfold_locales, simp)
+show ?thesis using Cons by (simp add: vt_p.cnp_cnv_cncs_kept)
+next
+case (V th cs)
+interpret vt_v: valid_trace_v s e th cs using V by (unfold_locales, simp)
+show ?thesis using Cons by (simp add: vt_v.cnp_cnv_cncs_kept)
+next
+case (Set th prio)
+interpret vt_set: valid_trace_set s e th prio
+using Set by (unfold_locales, simp)
+show ?thesis using Cons by (simp add: vt_set.cnp_cnv_cncs_kept)
+qed
+qed
+end
+section {* Corollaries of @{thm valid_trace.cnp_cnv_cncs} *}
+context valid_trace
+begin
+lemma not_thread_holdents:
+assumes not_in: "th \<notin> threads s"
+shows "holdents s th = {}"
+proof -
+{ fix cs
+assume "cs \<in> holdents s th"
+hence "holding s th cs" by (auto simp:holdents_def)
+from this[unfolded s_holding_def, folded wq_def]
+have "th \<in> set (wq s cs)" by auto
+with wq_threads have "th \<in> threads s" by auto
+with assms
+have False by simp
+} thus ?thesis by auto
+qed
+lemma not_thread_cncs:
+assumes not_in: "th \<notin> threads s"
+shows "cntCS s th = 0"
+using not_thread_holdents[OF assms]
+by (simp add:cntCS_def)
+lemma cnp_cnv_eq:
+assumes "th \<notin> threads s"
+shows "cntP s th = cntV s th"
+using assms cnp_cnv_cncs not_thread_cncs pvD_def
+by (auto)
+lemma eq_pv_children:
+assumes eq_pv: "cntP s th = cntV s th"
+shows "children (RAG s) (Th th) = {}"
+proof -
+from cnp_cnv_cncs and eq_pv
+have "cntCS s th = 0"
+by (auto split:if_splits)
+from this[unfolded cntCS_def holdents_alt_def]
+have card_0: "card (the_cs ` children (RAG s) (Th th)) = 0" .
+have "finite (the_cs ` children (RAG s) (Th th))"
+by (simp add: fsbtRAGs.finite_children)
+from card_0[unfolded card_0_eq[OF this]]
+show ?thesis by auto
+qed
+lemma eq_pv_holdents:
+assumes eq_pv: "cntP s th = cntV s th"
+shows "holdents s th = {}"
+by (unfold holdents_alt_def eq_pv_children[OF assms], simp)
+lemma eq_pv_subtree:
+assumes eq_pv: "cntP s th = cntV s th"
+shows "subtree (RAG s) (Th th) = {Th th}"
+using eq_pv_children[OF assms]
+by (unfold subtree_children, simp)
 lemma count_eq_RAG_plus:
 assumes "cntP s th = cntV s th"
 shows "{th'. (Th th', Th th) \<in> (RAG s)^+} = {}"
 proof(rule ccontr)
 assume otherwise: "{th'. (Th th', Th th) \<in> (RAG s)\<^sup>+} \<noteq> {}"
 proof -
 from count_eq_RAG_plus[OF assms, folded dependants_alt_def1]
 show ?thesis .
 qed
-end
-lemma eq_dependants: "dependants (wq s) = dependants s"
-by (simp add: s_dependants_abv wq_def)
-context valid_trace
-begin
 lemma count_eq_tRAG_plus:
 assumes "cntP s th = cntV s th"
 shows "{th'. (Th th', Th th) \<in> (tRAG s)^+} = {}"
 using assms eq_pv_dependants dependants_alt_def eq_dependants by auto
 lemma count_eq_tRAG_plus_Th:
 assumes "cntP s th = cntV s th"
 shows "{Th th' | th'. (Th th', Th th) \<in> (tRAG s)^+} = {}"
 using count_eq_tRAG_plus[OF assms] by auto
-end
+end
-lemma inj_the_preced:
-"inj_on (the_preced s) (threads s)"
+section {* hhh *}
-by (metis inj_onI preced_unique the_preced_def)
-lemma tRAG_Field:
-"Field (tRAG s) \<subseteq> Field (RAG s)"
-by (unfold tRAG_alt_def Field_def, auto)
-lemma tRAG_ancestorsE:
-assumes "x \<in> ancestors (tRAG s) u"
-obtains th where "x = Th th"
-proof -
-from assms have "(u, x) \<in> (tRAG s)^+"
-by (unfold ancestors_def, auto)
-from tranclE[OF this] obtain c where "(c, x) \<in> tRAG s" by auto
-then obtain th where "x = Th th"
-by (unfold tRAG_alt_def, auto)
-from that[OF this] show ?thesis .
-qed
-lemma tRAG_mono:
-assumes "RAG s' \<subseteq> RAG s"
-shows "tRAG s' \<subseteq> tRAG s"
-using assms
-by (unfold tRAG_alt_def, auto)
-lemma holding_next_thI:
-assumes "holding s th cs"
-and "length (wq s cs) > 1"
-obtains th' where "next_th s th cs th'"
-proof -
-from assms(1)[folded holding_eq, unfolded cs_holding_def]
-have " th \<in> set (wq s cs) \<and> th = hd (wq s cs)"
-by (unfold s_holding_def, fold wq_def, auto)
-then obtain rest where h1: "wq s cs = th#rest"
-by (cases "wq s cs", auto)
-with assms(2) have h2: "rest \<noteq> []" by auto
-let ?th' = "hd (SOME q. distinct q \<and> set q = set rest)"
-have "next_th s th cs ?th'" using  h1(1) h2
-by (unfold next_th_def, auto)
-from that[OF this] show ?thesis .
-qed
 lemma RAG_tRAG_transfer:
 assumes "vt s'"
 assumes "RAG s = RAG s' \<union> {(Th th, Cs cs)}"
 and "(Cs cs, Th th'') \<in> RAG s'"
 lemmas RAG_tRAG_transfer = RAG_tRAG_transfer[OF vt]
 end
-lemma tRAG_subtree_eq:
-"(subtree (tRAG s) (Th th)) = {Th th' | th'. Th th'  \<in> (subtree (RAG s) (Th th))}"
-(is "?L = ?R")
-proof -
-{ fix n
-assume h: "n \<in> ?L"
-hence "n \<in> ?R"
-by (smt mem_Collect_eq subsetCE subtree_def subtree_nodeE tRAG_subtree_RAG)
-} moreover {
-fix n
-assume "n \<in> ?R"
-then obtain th' where h: "n = Th th'" "(Th th', Th th) \<in> (RAG s)^*"
-by (auto simp:subtree_def)
-from rtranclD[OF this(2)]
-have "n \<in> ?L"
-proof
-assume "Th th' \<noteq> Th th \<and> (Th th', Th th) \<in> (RAG s)\<^sup>+"
-with h have "n \<in> {Th th' | th'. (Th th', Th th)  \<in> (RAG s)^+}" by auto
-thus ?thesis using subtree_def tRAG_trancl_eq by fastforce
-qed (insert h, auto simp:subtree_def)
-} ultimately show ?thesis by auto
-qed
-lemma threads_set_eq:
-"the_thread ` (subtree (tRAG s) (Th th)) =
-{th'. Th th' \<in> (subtree (RAG s) (Th th))}" (is "?L = ?R")
-by (auto intro:rev_image_eqI simp:tRAG_subtree_eq)
 lemma cp_alt_def1:
 "cp s th = Max ((the_preced s o the_thread) ` (subtree (tRAG s) (Th th)))"
 proof -
 have "(the_preced s ` the_thread ` subtree (tRAG s) (Th th)) =
 ((the_preced s \<circ> the_thread) ` subtree (tRAG s) (Th th))"
 show ?thesis .
 qed
 } ultimately show ?thesis by auto
 qed
-lemma finite_readys [simp]: "finite (readys s)"
-using finite_threads readys_threads rev_finite_subset by blast
 text {* (* ccc *) \noindent
 Since the current precedence of the threads in ready queue will always be boosted,
 there must be one inside it has the maximum precedence of the whole system.
 *}
 thus ?thesis by simp
 qed
 finally show ?thesis by simp
 qed (auto simp:threads_alt_def)
-end
+lemma create_pre:
+assumes stp: "step s e"
-end
+and not_in: "th \<notin> threads s"
+and is_in: "th \<in> threads (e#s)"
+obtains prio where "e = Create th prio"
+proof -
+from assms
+show ?thesis
+proof(cases)
+case (thread_create thread prio)
+with is_in not_in have "e = Create th prio" by simp
+from that[OF this] show ?thesis .
+next
+case (thread_exit thread)
+with assms show ?thesis by (auto intro!:that)
+next
+case (thread_P thread)
+with assms show ?thesis by (auto intro!:that)
+next
+case (thread_V thread)
+with assms show ?thesis by (auto intro!:that)
+next
+case (thread_set thread)
+with assms show ?thesis by (auto intro!:that)
+qed
+qed
+end
+section {* Pending properties *}
+lemma holding_next_thI:
+assumes "holding s th cs"
+and "length (wq s cs) > 1"
+obtains th' where "next_th s th cs th'"
+proof -
+from assms(1)[folded holding_eq, unfolded cs_holding_def]
+have " th \<in> set (wq s cs) \<and> th = hd (wq s cs)"
+by (unfold s_holding_def, fold wq_def, auto)
+then obtain rest where h1: "wq s cs = th#rest"
+by (cases "wq s cs", auto)
+with assms(2) have h2: "rest \<noteq> []" by auto
+let ?th' = "hd (SOME q. distinct q \<and> set q = set rest)"
+have "next_th s th cs ?th'" using  h1(1) h2
+by (unfold next_th_def, auto)
+from that[OF this] show ?thesis .
+qed
+context valid_trace_e
+begin
+lemma actor_inv:
+assumes "\<not> isCreate e"
+shows "actor e \<in> runing s"
+using pip_e assms
+by (induct, auto)
+end
+end

changeset 101	c7db2ccba18a
parent 100	3d2b59f15f26
child 102	3a801bbd2687