pip: comparison PIPBasics.thy

equal deleted inserted replaced

-:25fd656667a7
+:db196b066b97
 by auto
 lemma wq_v_neq:
 "cs \<noteq> cs' \<Longrightarrow> wq (V thread cs#s) cs' = wq s cs'"
 by (auto simp:wq_def Let_def cp_def split:list.splits)
+lemma runing_head:
+assumes "th \<in> runing s"
+and "th \<in> set (wq_fun (schs s) cs)"
+shows "th = hd (wq_fun (schs s) cs)"
+using assms
+by (simp add:runing_def readys_def s_waiting_def wq_def)
 context valid_trace
 begin
 lemma actor_inv:
 thus "valid_trace (e # s)" by (unfold_locales, simp)
 qed (insert h, auto)
 qed
 lemma wq_distinct: "distinct (wq s cs)"
-proof(rule ind, simp add:wq_def)
+proof(induct rule:ind)
-fix s e
+case (Cons s e)
-assume h1: "step s e"
+from Cons(4,3)
-and h2: "distinct (wq s cs)"
+show ?case
-thus "distinct (wq (e # s) cs)"
+proof(induct)
-proof(induct rule:step.induct, auto simp: wq_def Let_def split:list.splits)
+case (thread_P th s cs1)
-fix thread s
+show ?case
-assume h1: "(Cs cs, Th thread) \<notin> (RAG s)\<^sup>+"
+proof(cases "cs = cs1")
-and h2: "thread \<in> set (wq_fun (schs s) cs)"
+case True
-and h3: "thread \<in> runing s"
+thus ?thesis (is "distinct ?L")
-show "False"
+proof -
-proof -
+have "?L = wq_fun (schs s) cs1 @ [th]" using True
-from h3 have "\<And> cs. thread \<in>  set (wq_fun (schs s) cs) \<Longrightarrow>
+by (simp add:wq_def wf_def Let_def split:list.splits)
-thread = hd ((wq_fun (schs s) cs))"
+moreover have "distinct ..."
-by (simp add:runing_def readys_def s_waiting_def wq_def)
+proof -
-from this [OF h2] have "thread = hd (wq_fun (schs s) cs)" .
+have "th \<notin> set (wq_fun (schs s) cs1)"
-with h2
+proof
-have "(Cs cs, Th thread) \<in> (RAG s)"
+assume otherwise: "th \<in> set (wq_fun (schs s) cs1)"
-by (simp add:s_RAG_def s_holding_def wq_def cs_holding_def)
+from runing_head[OF thread_P(1) this]
-with h1 show False by auto
+have "th = hd (wq_fun (schs s) cs1)" .
+hence "(Cs cs1, Th th) \<in> (RAG s)" using otherwise
+by (simp add:s_RAG_def s_holding_def wq_def cs_holding_def)
+with thread_P(2) show False by auto
+qed
+moreover have "distinct (wq_fun (schs s) cs1)"
+using True thread_P wq_def by auto
+ultimately show ?thesis by auto
+qed
+ultimately show ?thesis by simp
+qed
+next
+case False
+with thread_P(3)
+show ?thesis
+by (auto simp:wq_def wf_def Let_def split:list.splits)
 qed
 next
-fix thread s a list
+case (thread_V th s cs1)
-assume dst: "distinct list"
+thus ?case
-show "distinct (SOME q. distinct q \<and> set q = set list)"
+proof(cases "cs = cs1")
-proof(rule someI2)
+case True
-from dst show  "distinct list \<and> set list = set list" by auto
+show ?thesis (is "distinct ?L")
-next
+proof(cases "(wq s cs)")
-fix q assume "distinct q \<and> set q = set list"
+case Nil
-thus "distinct q" by auto
+thus ?thesis
-qed
+by (auto simp:wq_def wf_def Let_def split:list.splits)
-qed
+next
-qed
+case (Cons w_hd w_tl)
+moreover have "distinct (SOME q. distinct q \<and> set q = set w_tl)"
+proof(rule someI2)
+from thread_V(3)[unfolded Cons]
+show  "distinct w_tl \<and> set w_tl = set w_tl" by auto
+qed auto
+ultimately show ?thesis
+by (auto simp:wq_def wf_def Let_def True split:list.splits)
+qed
+next
+case False
+with thread_V(3)
+show ?thesis
+by (auto simp:wq_def wf_def Let_def split:list.splits)
+qed
+qed (insert Cons, auto simp: wq_def Let_def split:list.splits)
+qed (unfold wq_def Let_def, simp)
 end
 context valid_trace_e
 Such kind of lemmas are very obvious, but need to be checked formally.
 This is a kind of confirmation that our modelling is correct.
 *}
 lemma block_pre:
-assumes s_ni: "thread \<notin>  set (wq s cs)"
+assumes s_ni: "thread \<notin> set (wq s cs)"
 and s_i: "thread \<in> set (wq (e#s) cs)"
 shows "e = P thread cs"
-proof -
+proof(cases e)
-show ?thesis
+-- {* This is the only non-trivial case: *}
-proof(cases e)
+case (V th cs1)
-case (P th cs)
+have False
-with assms
+proof(cases "cs1 = cs")
+case True
 show ?thesis
-by (auto simp:wq_def Let_def split:if_splits)
+proof(cases "(wq s cs1)")
-next
+case (Cons w_hd w_tl)
-case (Create th prio)
+have "set (wq (e#s) cs) \<subseteq> set (wq s cs)"
-with assms show ?thesis
-by (auto simp:wq_def Let_def split:if_splits)
-next
-case (Exit th)
-with assms show ?thesis
-by (auto simp:wq_def Let_def split:if_splits)
-next
-case (Set th prio)
-with assms show ?thesis
-by (auto simp:wq_def Let_def split:if_splits)
-next
-case (V th cs)
-with vt_e assms show ?thesis
-apply (auto simp:wq_def Let_def split:if_splits)
-proof -
-fix q qs
-assume h1: "thread \<notin> set (wq_fun (schs s) cs)"
-and h2: "q # qs = wq_fun (schs s) cs"
-and h3: "thread \<in> set (SOME q. distinct q \<and> set q = set qs)"
-and vt: "vt (V th cs # s)"
-from h1 and h2[symmetric] have "thread \<notin> set (q # qs)" by simp
-moreover have "thread \<in> set qs"
 proof -
-have "set (SOME q. distinct q \<and> set q = set qs) = set qs"
+have "(wq (e#s) cs) = (SOME q. distinct q \<and> set q = set w_tl)"
+using  Cons V by (auto simp:wq_def Let_def True split:if_splits)
+moreover have "set ... \<subseteq> set (wq s cs)"
 proof(rule someI2)
-from wq_distinct [of cs]
+show "distinct w_tl \<and> set w_tl = set w_tl"
-and h2[symmetric, folded wq_def]
+by (metis distinct.simps(2) local.Cons wq_distinct)
-show "distinct qs \<and> set qs = set qs" by auto
+qed (insert Cons True, auto)
-next
+ultimately show ?thesis by simp
-fix x assume "distinct x \<and> set x = set qs"
+qed
-thus "set x = set qs" by auto
+with assms show ?thesis by auto
-qed
+qed (insert assms V True, auto simp:wq_def Let_def split:if_splits)
-with h3 show ?thesis by simp
+qed (insert assms V, auto simp:wq_def Let_def split:if_splits)
-qed
+thus ?thesis by auto
-ultimately show "False" by auto
+qed (insert assms, auto simp:wq_def Let_def split:if_splits)
-qed
-qed
-qed
 end
 text {*
 The following lemmas is also obvious and shallow. It says
 qed
 qed
 end
 context valid_trace
 begin
+lemma  vt_moment: "\<And> t. vt (moment t s)"
-lemma vt_moment: "\<And> t. vt (moment t s)"
 proof(induct rule:ind)
 case Nil
 thus ?case by (simp add:vt_nil)
 next
 case (Cons s e t)
 show ?thesis by simp
 qed
 ultimately show ?thesis by simp
 qed
 qed
+end
-(* Wrong:
-lemma \<lbrakk>thread \<in> set (wq_fun cs1 s); thread \<in> set (wq_fun cs2 s)\<rbrakk> \<Longrightarrow> cs1 = cs2"
+locale valid_moment = valid_trace +
-*)
+fixes i :: nat
+sublocale valid_moment < vat_moment: valid_trace "(moment i s)"
+by (unfold_locales, insert vt_moment, auto)
+context valid_trace
+begin
 text {* (* ddd *)
 The nature of the work is like this: since it starts from a very simple and basic
 model, even intuitively very `basic` and `obvious` properties need to derived from scratch.
 For instance, the fact
 @{text "p_split"} to these two blocking facts, there exist
 two moments @{text "t1"} and @{text "t2"}  in @{text "s"}, such that
 @{text "th"} got blocked on @{text "cs1"} and @{text "cs2"}
 and kept on blocked on them respectively ever since.
-Without lose of generality, we assume @{text "t1"} is earlier than @{text "t2"}.
+Without lost of generality, we assume @{text "t1"} is earlier than @{text "t2"}.
 However, since @{text "th"} was blocked ever since memonent @{text "t1"}, so it was still
 in blocked state at moment @{text "t2"} and could not
 make any request and get blocked the second time: Contradiction.
 *}
-lemma waiting_unique_pre:
+lemma waiting_unique_pre: (* ccc *)
 assumes h11: "thread \<in> set (wq s cs1)"
 and h12: "thread \<noteq> hd (wq s cs1)"
 assumes h21: "thread \<in> set (wq s cs2)"
 and h22: "thread \<noteq> hd (wq s cs2)"
 and neq12: "cs1 \<noteq> cs2"
 thus ?thesis by auto
 qed
 (* An aux lemma used later *)
 lemma unique_minus:
-fixes x y z r
 assumes unique: "\<And> a b c. \<lbrakk>(a, b) \<in> r; (a, c) \<in> r\<rbrakk> \<Longrightarrow> b = c"
 and xy: "(x, y) \<in> r"
 and xz: "(x, z) \<in> r^+"
 and neq: "y \<noteq> z"
 shows "(y, z) \<in> r^+"
 qed
 qed
 qed
 lemma unique_base:
-fixes r x y z
 assumes unique: "\<And> a b c. \<lbrakk>(a, b) \<in> r; (a, c) \<in> r\<rbrakk> \<Longrightarrow> b = c"
 and xy: "(x, y) \<in> r"
 and xz: "(x, z) \<in> r^+"
 and neq_yz: "y \<noteq> z"
 shows "(y, z) \<in> r^+"
 qed
 qed
 qed
 lemma unique_chain:
-fixes r x y z
 assumes unique: "\<And> a b c. \<lbrakk>(a, b) \<in> r; (a, c) \<in> r\<rbrakk> \<Longrightarrow> b = c"
 and xy: "(x, y) \<in> r^+"
 and xz: "(x, z) \<in> r^+"
 and neq_yz: "y \<noteq> z"
 shows "(y, z) \<in> r^+ \<or> (z, y) \<in> r^+"
 text {* (* ddd *)
 The following @{text "step_RAG_v"} lemma charaterizes how @{text "RAG"} is changed
 with the happening of @{text "V"}-events:
 *}
 lemma step_RAG_v:
-fixes th::thread
 assumes vt:
 "vt (V th cs#s)"
 shows "
 RAG (V th cs # s) =
 RAG s - {(Cs cs, Th th)} -
 lemma range_in: "\<lbrakk>(Th th) \<in> Range (RAG (s::state))\<rbrakk> \<Longrightarrow> th \<in> threads s"
 apply(unfold s_RAG_def cs_waiting_def cs_holding_def)
 by (auto intro:wq_threads)
 lemma readys_v_eq:
-fixes th thread cs rest
 assumes neq_th: "th \<noteq> thread"
 and eq_wq: "wq s cs = thread#rest"
 and not_in: "th \<notin>  set rest"
 shows "(th \<in> readys (V thread cs#s)) = (th \<in> readys s)"
 proof -
 end
 lemma step_holdents_p_add:
-fixes th cs s
 assumes vt: "vt (P th cs#s)"
 and "wq s cs = []"
 shows "holdents (P th cs#s) th = holdents s th \<union> {cs}"
 proof -
 from assms show ?thesis
 unfolding  holdents_test step_RAG_p[OF vt] by (auto)
 qed
 lemma step_holdents_p_eq:
-fixes th cs s
 assumes vt: "vt (P th cs#s)"
 and "wq s cs \<noteq> []"
 shows "holdents (P th cs#s) th = holdents s th"
 proof -
 from assms show ?thesis
 qed
 ultimately show ?thesis by (unfold holdents_test, auto intro:finite_subset)
 qed
 lemma cntCS_v_dec:
-fixes s thread cs
 assumes vtv: "vt (V thread cs#s)"
 shows "(cntCS (V thread cs#s) thread + 1) = cntCS s thread"
 proof -
 from vtv interpret vt_s: valid_trace s
 by (cases, unfold_locales, simp)

changeset 68	db196b066b97
parent 67	25fd656667a7
child 69	1dc801552dfd