theory CpsGimports PIPDefs beginlemma Max_f_mono: assumes seq: "A \<subseteq> B" and np: "A \<noteq> {}" and fnt: "finite B" shows "Max (f ` A) \<le> Max (f ` B)"proof(rule Max_mono) from seq show "f ` A \<subseteq> f ` B" by autonext from np show "f ` A \<noteq> {}" by autonext from fnt and seq show "finite (f ` B)" by autoqedlocale valid_trace = fixes s assumes vt : "vt s"locale valid_trace_e = valid_trace + fixes e assumes vt_e: "vt (e#s)"beginlemma pip_e: "PIP s e" using vt_e by (cases, simp) endlocale valid_trace_create = valid_trace_e + fixes th prio assumes is_create: "e = Create th prio"locale valid_trace_exit = valid_trace_e + fixes th assumes is_exit: "e = Exit th"locale valid_trace_p = valid_trace_e + fixes th cs assumes is_p: "e = P th cs"locale valid_trace_v = valid_trace_e + fixes th cs assumes is_v: "e = V th cs"begin definition "rest = tl (wq s cs)" definition "wq' = (SOME q. distinct q \<and> set q = set rest)"endlocale valid_trace_v_n = valid_trace_v + assumes rest_nnl: "rest \<noteq> []"locale valid_trace_v_e = valid_trace_v + assumes rest_nil: "rest = []"locale valid_trace_set= valid_trace_e + fixes th prio assumes is_set: "e = Set th prio"context valid_tracebeginlemma ind [consumes 0, case_names Nil Cons, induct type]: assumes "PP []" and "(\<And>s e. valid_trace_e s e \<Longrightarrow> PP s \<Longrightarrow> PIP s e \<Longrightarrow> PP (e # s))" shows "PP s"proof(induct rule:vt.induct[OF vt, case_names Init Step]) case Init from assms(1) show ?case .next case (Step s e) show ?case proof(rule assms(2)) show "valid_trace_e s e" using Step by (unfold_locales, auto) next show "PP s" using Step by simp next show "PIP s e" using Step by simp qedqedlemma vt_moment: "\<And> t. vt (moment t s)"proof(induct rule:ind) case Nil thus ?case by (simp add:vt_nil)next case (Cons s e t) show ?case proof(cases "t \<ge> length (e#s)") case True from True have "moment t (e#s) = e#s" by simp thus ?thesis using Cons by (simp add:valid_trace_def valid_trace_e_def, auto) next case False from Cons have "vt (moment t s)" by simp moreover have "moment t (e#s) = moment t s" proof - from False have "t \<le> length s" by simp from moment_app [OF this, of "[e]"] show ?thesis by simp qed ultimately show ?thesis by simp qedqedlemma finite_threads: shows "finite (threads s)"using vt by (induct) (auto elim: step.cases)endlemma cp_eq_cpreced: "cp s th = cpreced (wq s) s th"unfolding cp_def wq_defapply(induct s rule: schs.induct)apply(simp add: Let_def cpreced_initial)apply(simp add: Let_def)apply(simp add: Let_def)apply(simp add: Let_def)apply(subst (2) schs.simps)apply(simp add: Let_def)apply(subst (2) schs.simps)apply(simp add: Let_def)donelemma RAG_target_th: "(Th th, x) \<in> RAG (s::state) \<Longrightarrow> \<exists> cs. x = Cs cs" by (unfold s_RAG_def, auto)locale valid_moment = valid_trace + fixes i :: natsublocale valid_moment < vat_moment: valid_trace "(moment i s)" by (unfold_locales, insert vt_moment, auto)lemma waiting_eq: "waiting s th cs = waiting (wq s) th cs" by (unfold s_waiting_def cs_waiting_def wq_def, auto)lemma holding_eq: "holding (s::state) th cs = holding (wq s) th cs" by (unfold s_holding_def wq_def cs_holding_def, simp)lemma runing_ready: shows "runing s \<subseteq> readys s" unfolding runing_def readys_def by auto lemma readys_threads: shows "readys s \<subseteq> threads s" unfolding readys_def by autolemma wq_v_neq [simp]: "cs \<noteq> cs' \<Longrightarrow> wq (V thread cs#s) cs' = wq s cs'" by (auto simp:wq_def Let_def cp_def split:list.splits)lemma runing_head: assumes "th \<in> runing s" and "th \<in> set (wq_fun (schs s) cs)" shows "th = hd (wq_fun (schs s) cs)" using assms by (simp add:runing_def readys_def s_waiting_def wq_def)context valid_tracebeginlemma runing_wqE: assumes "th \<in> runing s" and "th \<in> set (wq s cs)" obtains rest where "wq s cs = th#rest"proof - from assms(2) obtain th' rest where eq_wq: "wq s cs = th'#rest" by (meson list.set_cases) have "th' = th" proof(rule ccontr) assume "th' \<noteq> th" hence "th \<noteq> hd (wq s cs)" using eq_wq by auto with assms(2) have "waiting s th cs" by (unfold s_waiting_def, fold wq_def, auto) with assms show False by (unfold runing_def readys_def, auto) qed with eq_wq that show ?thesis by metisqedendcontext valid_trace_createbeginlemma wq_neq_simp [simp]: shows "wq (e#s) cs' = wq s cs'" using assms unfolding is_create wq_def by (auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')" using assms by simpendcontext valid_trace_exitbeginlemma wq_neq_simp [simp]: shows "wq (e#s) cs' = wq s cs'" using assms unfolding is_exit wq_def by (auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')" using assms by simpendcontext valid_trace_pbeginlemma wq_neq_simp [simp]: assumes "cs' \<noteq> cs" shows "wq (e#s) cs' = wq s cs'" using assms unfolding is_p wq_def by (auto simp:Let_def)lemma runing_th_s: shows "th \<in> runing s"proof - from pip_e[unfolded is_p] show ?thesis by (cases, simp)qedlemma th_not_waiting: "\<not> waiting s th c"proof - have "th \<in> readys s" using runing_ready runing_th_s by blast thus ?thesis by (unfold readys_def, auto)qedlemma waiting_neq_th: assumes "waiting s t c" shows "t \<noteq> th" using assms using th_not_waiting by blast lemma th_not_in_wq: shows "th \<notin> set (wq s cs)"proof assume otherwise: "th \<in> set (wq s cs)" from runing_wqE[OF runing_th_s this] obtain rest where eq_wq: "wq s cs = th#rest" by blast with otherwise have "holding s th cs" by (unfold s_holding_def, fold wq_def, simp) hence cs_th_RAG: "(Cs cs, Th th) \<in> RAG s" by (unfold s_RAG_def, fold holding_eq, auto) from pip_e[unfolded is_p] show False proof(cases) case (thread_P) with cs_th_RAG show ?thesis by auto qedqedlemma wq_es_cs: "wq (e#s) cs = wq s cs @ [th]" by (unfold is_p wq_def, auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')"proof(cases "cs' = cs") case True show ?thesis using True assms th_not_in_wq by (unfold True wq_es_cs, auto)qed (insert assms, simp)endcontext valid_trace_vbeginlemma wq_neq_simp [simp]: assumes "cs' \<noteq> cs" shows "wq (e#s) cs' = wq s cs'" using assms unfolding is_v wq_def by (auto simp:Let_def)lemma runing_th_s: shows "th \<in> runing s"proof - from pip_e[unfolded is_v] show ?thesis by (cases, simp)qedlemma th_not_waiting: "\<not> waiting s th c"proof - have "th \<in> readys s" using runing_ready runing_th_s by blast thus ?thesis by (unfold readys_def, auto)qedlemma waiting_neq_th: assumes "waiting s t c" shows "t \<noteq> th" using assms using th_not_waiting by blast lemma wq_s_cs: "wq s cs = th#rest"proof - from pip_e[unfolded is_v] show ?thesis proof(cases) case (thread_V) from this(2) show ?thesis by (unfold rest_def s_holding_def, fold wq_def, metis empty_iff list.collapse list.set(1)) qedqedlemma wq_es_cs: "wq (e#s) cs = wq'" using wq_s_cs[unfolded wq_def] by (auto simp:Let_def wq_def rest_def wq'_def is_v, simp) lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')"proof(cases "cs' = cs") case True show ?thesis proof(unfold True wq_es_cs wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" using assms[unfolded True wq_s_cs] by auto qed simpqed (insert assms, simp)endcontext valid_trace_setbeginlemma wq_neq_simp [simp]: shows "wq (e#s) cs' = wq s cs'" using assms unfolding is_set wq_def by (auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')" using assms by simpendcontext valid_tracebeginlemma actor_inv: assumes "PIP s e" and "\<not> isCreate e" shows "actor e \<in> runing s" using assms by (induct, auto)lemma isP_E: assumes "isP e" obtains cs where "e = P (actor e) cs" using assms by (cases e, auto)lemma isV_E: assumes "isV e" obtains cs where "e = V (actor e) cs" using assms by (cases e, auto) lemma wq_distinct: "distinct (wq s cs)"proof(induct rule:ind) case (Cons s e) interpret vt_e: valid_trace_e s e using Cons by simp show ?case proof(cases e) case (Create th prio) interpret vt_create: valid_trace_create s e th prio using Create by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_create.wq_distinct_kept) next case (Exit th) interpret vt_exit: valid_trace_exit s e th using Exit by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_exit.wq_distinct_kept) next case (P th cs) interpret vt_p: valid_trace_p s e th cs using P by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_p.wq_distinct_kept) next case (V th cs) interpret vt_v: valid_trace_v s e th cs using V by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_v.wq_distinct_kept) next case (Set th prio) interpret vt_set: valid_trace_set s e th prio using Set by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_set.wq_distinct_kept) qedqed (unfold wq_def Let_def, simp)endcontext valid_trace_ebegintext {* The following lemma shows that only the @{text "P"} operation can add new thread into waiting queues. Such kind of lemmas are very obvious, but need to be checked formally. This is a kind of confirmation that our modelling is correct.*}lemma wq_in_inv: assumes s_ni: "thread \<notin> set (wq s cs)" and s_i: "thread \<in> set (wq (e#s) cs)" shows "e = P thread cs"proof(cases e) -- {* This is the only non-trivial case: *} case (V th cs1) have False proof(cases "cs1 = cs") case True show ?thesis proof(cases "(wq s cs1)") case (Cons w_hd w_tl) have "set (wq (e#s) cs) \<subseteq> set (wq s cs)" proof - have "(wq (e#s) cs) = (SOME q. distinct q \<and> set q = set w_tl)" using Cons V by (auto simp:wq_def Let_def True split:if_splits) moreover have "set ... \<subseteq> set (wq s cs)" proof(rule someI2) show "distinct w_tl \<and> set w_tl = set w_tl" by (metis distinct.simps(2) local.Cons wq_distinct) qed (insert Cons True, auto) ultimately show ?thesis by simp qed with assms show ?thesis by auto qed (insert assms V True, auto simp:wq_def Let_def split:if_splits) qed (insert assms V, auto simp:wq_def Let_def split:if_splits) thus ?thesis by autoqed (insert assms, auto simp:wq_def Let_def split:if_splits)lemma wq_out_inv: assumes s_in: "thread \<in> set (wq s cs)" and s_hd: "thread = hd (wq s cs)" and s_i: "thread \<noteq> hd (wq (e#s) cs)" shows "e = V thread cs"proof(cases e)-- {* There are only two non-trivial cases: *} case (V th cs1) show ?thesis proof(cases "cs1 = cs") case True have "PIP s (V th cs)" using pip_e[unfolded V[unfolded True]] . thus ?thesis proof(cases) case (thread_V) moreover have "th = thread" using thread_V(2) s_hd by (unfold s_holding_def wq_def, simp) ultimately show ?thesis using V True by simp qed qed (insert assms V, auto simp:wq_def Let_def split:if_splits)next case (P th cs1) show ?thesis proof(cases "cs1 = cs") case True with P have "wq (e#s) cs = wq_fun (schs s) cs @ [th]" by (auto simp:wq_def Let_def split:if_splits) with s_i s_hd s_in have False by (metis empty_iff hd_append2 list.set(1) wq_def) thus ?thesis by simp qed (insert assms P, auto simp:wq_def Let_def split:if_splits)qed (insert assms, auto simp:wq_def Let_def split:if_splits)endcontext valid_tracebegintext {* (* ddd *) The nature of the work is like this: since it starts from a very simple and basic model, even intuitively very `basic` and `obvious` properties need to derived from scratch. For instance, the fact that one thread can not be blocked by two critical resources at the same time is obvious, because only running threads can make new requests, if one is waiting for a critical resource and get blocked, it can not make another resource request and get blocked the second time (because it is not running). To derive this fact, one needs to prove by contraction and reason about time (or @{text "moement"}). The reasoning is based on a generic theorem named @{text "p_split"}, which is about status changing along the time axis. It says if a condition @{text "Q"} is @{text "True"} at a state @{text "s"}, but it was @{text "False"} at the very beginning, then there must exits a moment @{text "t"} in the history of @{text "s"} (notice that @{text "s"} itself is essentially the history of events leading to it), such that @{text "Q"} switched from being @{text "False"} to @{text "True"} and kept being @{text "True"} till the last moment of @{text "s"}. Suppose a thread @{text "th"} is blocked on @{text "cs1"} and @{text "cs2"} in some state @{text "s"}, since no thread is blocked at the very beginning, by applying @{text "p_split"} to these two blocking facts, there exist two moments @{text "t1"} and @{text "t2"} in @{text "s"}, such that @{text "th"} got blocked on @{text "cs1"} and @{text "cs2"} and kept on blocked on them respectively ever since. Without lost of generality, we assume @{text "t1"} is earlier than @{text "t2"}. However, since @{text "th"} was blocked ever since memonent @{text "t1"}, so it was still in blocked state at moment @{text "t2"} and could not make any request and get blocked the second time: Contradiction.*}lemma waiting_unique_pre: (* ddd *) assumes h11: "thread \<in> set (wq s cs1)" and h12: "thread \<noteq> hd (wq s cs1)" assumes h21: "thread \<in> set (wq s cs2)" and h22: "thread \<noteq> hd (wq s cs2)" and neq12: "cs1 \<noteq> cs2" shows "False"proof - let "?Q" = "\<lambda> cs s. thread \<in> set (wq s cs) \<and> thread \<noteq> hd (wq s cs)" from h11 and h12 have q1: "?Q cs1 s" by simp from h21 and h22 have q2: "?Q cs2 s" by simp have nq1: "\<not> ?Q cs1 []" by (simp add:wq_def) have nq2: "\<not> ?Q cs2 []" by (simp add:wq_def) from p_split [of "?Q cs1", OF q1 nq1] obtain t1 where lt1: "t1 < length s" and np1: "\<not> ?Q cs1 (moment t1 s)" and nn1: "(\<forall>i'>t1. ?Q cs1 (moment i' s))" by auto from p_split [of "?Q cs2", OF q2 nq2] obtain t2 where lt2: "t2 < length s" and np2: "\<not> ?Q cs2 (moment t2 s)" and nn2: "(\<forall>i'>t2. ?Q cs2 (moment i' s))" by auto { fix s cs assume q: "?Q cs s" have "thread \<notin> runing s" proof assume "thread \<in> runing s" hence " \<forall>cs. \<not> (thread \<in> set (wq_fun (schs s) cs) \<and> thread \<noteq> hd (wq_fun (schs s) cs))" by (unfold runing_def s_waiting_def readys_def, auto) from this[rule_format, of cs] q show False by (simp add: wq_def) qed } note q_not_runing = this { fix t1 t2 cs1 cs2 assume lt1: "t1 < length s" and np1: "\<not> ?Q cs1 (moment t1 s)" and nn1: "(\<forall>i'>t1. ?Q cs1 (moment i' s))" and lt2: "t2 < length s" and np2: "\<not> ?Q cs2 (moment t2 s)" and nn2: "(\<forall>i'>t2. ?Q cs2 (moment i' s))" and lt12: "t1 < t2" let ?t3 = "Suc t2" from lt2 have le_t3: "?t3 \<le> length s" by auto from moment_plus [OF this] obtain e where eq_m: "moment ?t3 s = e#moment t2 s" by auto have "t2 < ?t3" by simp from nn2 [rule_format, OF this] and eq_m have h1: "thread \<in> set (wq (e#moment t2 s) cs2)" and h2: "thread \<noteq> hd (wq (e#moment t2 s) cs2)" by auto have "vt (e#moment t2 s)" proof - from vt_moment have "vt (moment ?t3 s)" . with eq_m show ?thesis by simp qed then interpret vt_e: valid_trace_e "moment t2 s" "e" by (unfold_locales, auto, cases, simp) have ?thesis proof - have "thread \<in> runing (moment t2 s)" proof(cases "thread \<in> set (wq (moment t2 s) cs2)") case True have "e = V thread cs2" proof - have eq_th: "thread = hd (wq (moment t2 s) cs2)" using True and np2 by auto from vt_e.wq_out_inv[OF True this h2] show ?thesis . qed thus ?thesis using vt_e.actor_inv[OF vt_e.pip_e] by auto next case False have "e = P thread cs2" using vt_e.wq_in_inv[OF False h1] . with vt_e.actor_inv[OF vt_e.pip_e] show ?thesis by auto qed moreover have "thread \<notin> runing (moment t2 s)" by (rule q_not_runing[OF nn1[rule_format, OF lt12]]) ultimately show ?thesis by simp qed } note lt_case = this show ?thesis proof - { assume "t1 < t2" from lt_case[OF lt1 np1 nn1 lt2 np2 nn2 this] have ?thesis . } moreover { assume "t2 < t1" from lt_case[OF lt2 np2 nn2 lt1 np1 nn1 this] have ?thesis . } moreover { assume eq_12: "t1 = t2" let ?t3 = "Suc t2" from lt2 have le_t3: "?t3 \<le> length s" by auto from moment_plus [OF this] obtain e where eq_m: "moment ?t3 s = e#moment t2 s" by auto have lt_2: "t2 < ?t3" by simp from nn2 [rule_format, OF this] and eq_m have h1: "thread \<in> set (wq (e#moment t2 s) cs2)" and h2: "thread \<noteq> hd (wq (e#moment t2 s) cs2)" by auto from nn1[rule_format, OF lt_2[folded eq_12]] eq_m[folded eq_12] have g1: "thread \<in> set (wq (e#moment t1 s) cs1)" and g2: "thread \<noteq> hd (wq (e#moment t1 s) cs1)" by auto have "vt (e#moment t2 s)" proof - from vt_moment have "vt (moment ?t3 s)" . with eq_m show ?thesis by simp qed then interpret vt_e: valid_trace_e "moment t2 s" "e" by (unfold_locales, auto, cases, simp) have "e = V thread cs2 \<or> e = P thread cs2" proof(cases "thread \<in> set (wq (moment t2 s) cs2)") case True have "e = V thread cs2" proof - have eq_th: "thread = hd (wq (moment t2 s) cs2)" using True and np2 by auto from vt_e.wq_out_inv[OF True this h2] show ?thesis . qed thus ?thesis by auto next case False have "e = P thread cs2" using vt_e.wq_in_inv[OF False h1] . thus ?thesis by auto qed moreover have "e = V thread cs1 \<or> e = P thread cs1" proof(cases "thread \<in> set (wq (moment t1 s) cs1)") case True have eq_th: "thread = hd (wq (moment t1 s) cs1)" using True and np1 by auto from vt_e.wq_out_inv[folded eq_12, OF True this g2] have "e = V thread cs1" . thus ?thesis by auto next case False have "e = P thread cs1" using vt_e.wq_in_inv[folded eq_12, OF False g1] . thus ?thesis by auto qed ultimately have ?thesis using neq12 by auto } ultimately show ?thesis using nat_neq_iff by blast qedqedtext {* This lemma is a simple corrolary of @{text "waiting_unique_pre"}.*}lemma waiting_unique: assumes "waiting s th cs1" and "waiting s th cs2" shows "cs1 = cs2" using waiting_unique_pre assms unfolding wq_def s_waiting_def by autoend(* not used *)text {* Every thread can only be blocked on one critical resource, symmetrically, every critical resource can only be held by one thread. This fact is much more easier according to our definition. *}lemma held_unique: assumes "holding (s::event list) th1 cs" and "holding s th2 cs" shows "th1 = th2" by (insert assms, unfold s_holding_def, auto)lemma last_set_lt: "th \<in> threads s \<Longrightarrow> last_set th s < length s" apply (induct s, auto) by (case_tac a, auto split:if_splits)lemma last_set_unique: "\<lbrakk>last_set th1 s = last_set th2 s; th1 \<in> threads s; th2 \<in> threads s\<rbrakk> \<Longrightarrow> th1 = th2" apply (induct s, auto) by (case_tac a, auto split:if_splits dest:last_set_lt)lemma preced_unique : assumes pcd_eq: "preced th1 s = preced th2 s" and th_in1: "th1 \<in> threads s" and th_in2: " th2 \<in> threads s" shows "th1 = th2"proof - from pcd_eq have "last_set th1 s = last_set th2 s" by (simp add:preced_def) from last_set_unique [OF this th_in1 th_in2] show ?thesis .qedlemma preced_linorder: assumes neq_12: "th1 \<noteq> th2" and th_in1: "th1 \<in> threads s" and th_in2: " th2 \<in> threads s" shows "preced th1 s < preced th2 s \<or> preced th1 s > preced th2 s"proof - from preced_unique [OF _ th_in1 th_in2] and neq_12 have "preced th1 s \<noteq> preced th2 s" by auto thus ?thesis by autoqedtext {* The following three lemmas show that @{text "RAG"} does not change by the happening of @{text "Set"}, @{text "Create"} and @{text "Exit"} events, respectively.*}lemma RAG_set_unchanged: "(RAG (Set th prio # s)) = RAG s"apply (unfold s_RAG_def s_waiting_def wq_def)by (simp add:Let_def)lemma RAG_create_unchanged: "(RAG (Create th prio # s)) = RAG s"apply (unfold s_RAG_def s_waiting_def wq_def)by (simp add:Let_def)lemma RAG_exit_unchanged: "(RAG (Exit th # s)) = RAG s"apply (unfold s_RAG_def s_waiting_def wq_def)by (simp add:Let_def)context valid_trace_vbeginlemma distinct_rest: "distinct rest" by (simp add: distinct_tl rest_def wq_distinct)lemma holding_cs_eq_th: assumes "holding s t cs" shows "t = th"proof - from pip_e[unfolded is_v] show ?thesis proof(cases) case (thread_V) from held_unique[OF this(2) assms] show ?thesis by simp qedqedlemma distinct_wq': "distinct wq'" by (metis (mono_tags, lifting) distinct_rest some_eq_ex wq'_def)lemma th'_in_inv: assumes "th' \<in> set wq'" shows "th' \<in> set rest" using assms by (metis (mono_tags, lifting) distinct.simps(2) rest_def some_eq_ex wq'_def wq_distinct wq_s_cs) lemma neq_t_th: assumes "waiting (e#s) t c" shows "t \<noteq> th"proof assume otherwise: "t = th" show False proof(cases "c = cs") case True have "t \<in> set wq'" using assms[unfolded True s_waiting_def, folded wq_def, unfolded wq_es_cs] by simp from th'_in_inv[OF this] have "t \<in> set rest" . with wq_s_cs[folded otherwise] wq_distinct[of cs] show ?thesis by simp next case False have "wq (e#s) c = wq s c" using False by (unfold is_v, simp) hence "waiting s t c" using assms by (simp add: cs_waiting_def waiting_eq) hence "t \<notin> readys s" by (unfold readys_def, auto) hence "t \<notin> runing s" using runing_ready by auto with runing_th_s[folded otherwise] show ?thesis by auto qedqedlemma waiting_esI1: assumes "waiting s t c" and "c \<noteq> cs" shows "waiting (e#s) t c" proof - have "wq (e#s) c = wq s c" using assms(2) is_v by auto with assms(1) show ?thesis using cs_waiting_def waiting_eq by auto qedlemma holding_esI2: assumes "c \<noteq> cs" and "holding s t c" shows "holding (e#s) t c"proof - from assms(1) have "wq (e#s) c = wq s c" using is_v by auto from assms(2)[unfolded s_holding_def, folded wq_def, folded this, unfolded wq_def, folded s_holding_def] show ?thesis .qedlemma holding_esI1: assumes "holding s t c" and "t \<noteq> th" shows "holding (e#s) t c"proof - have "c \<noteq> cs" using assms using holding_cs_eq_th by blast from holding_esI2[OF this assms(1)] show ?thesis .qedendcontext valid_trace_v_nbeginlemma neq_wq': "wq' \<noteq> []" proof (unfold wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest) next fix x assume " distinct x \<and> set x = set rest" thus "x \<noteq> []" using rest_nnl by autoqed definition "taker = hd wq'"definition "rest' = tl wq'"lemma eq_wq': "wq' = taker # rest'" by (simp add: neq_wq' rest'_def taker_def)lemma next_th_taker: shows "next_th s th cs taker" using rest_nnl taker_def wq'_def wq_s_cs by (auto simp:next_th_def)lemma taker_unique: assumes "next_th s th cs taker'" shows "taker' = taker"proof - from assms obtain rest' where h: "wq s cs = th # rest'" "taker' = hd (SOME q. distinct q \<and> set q = set rest')" by (unfold next_th_def, auto) with wq_s_cs have "rest' = rest" by auto thus ?thesis using h(2) taker_def wq'_def by auto qedlemma waiting_set_eq: "{(Th th', Cs cs) |th'. next_th s th cs th'} = {(Th taker, Cs cs)}" by (smt all_not_in_conv bot.extremum insertI1 insert_subset mem_Collect_eq next_th_taker subsetI subset_antisym taker_def taker_unique)lemma holding_set_eq: "{(Cs cs, Th th') |th'. next_th s th cs th'} = {(Cs cs, Th taker)}" using next_th_taker taker_def waiting_set_eq by fastforcelemma holding_taker: shows "holding (e#s) taker cs" by (unfold s_holding_def, fold wq_def, unfold wq_es_cs, auto simp:neq_wq' taker_def)lemma waiting_esI2: assumes "waiting s t cs" and "t \<noteq> taker" shows "waiting (e#s) t cs" proof - have "t \<in> set wq'" proof(unfold wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest) next fix x assume "distinct x \<and> set x = set rest" moreover have "t \<in> set rest" using assms(1) cs_waiting_def waiting_eq wq_s_cs by auto ultimately show "t \<in> set x" by simp qed moreover have "t \<noteq> hd wq'" using assms(2) taker_def by auto ultimately show ?thesis by (unfold s_waiting_def, fold wq_def, unfold wq_es_cs, simp)qedlemma waiting_esE: assumes "waiting (e#s) t c" obtains "c \<noteq> cs" "waiting s t c" | "c = cs" "t \<noteq> taker" "waiting s t cs" "t \<in> set rest'"proof(cases "c = cs") case False hence "wq (e#s) c = wq s c" using is_v by auto with assms have "waiting s t c" using cs_waiting_def waiting_eq by auto from that(1)[OF False this] show ?thesis .next case True from assms[unfolded s_waiting_def True, folded wq_def, unfolded wq_es_cs] have "t \<noteq> hd wq'" "t \<in> set wq'" by auto hence "t \<noteq> taker" by (simp add: taker_def) moreover hence "t \<noteq> th" using assms neq_t_th by blast moreover have "t \<in> set rest" by (simp add: `t \<in> set wq'` th'_in_inv) ultimately have "waiting s t cs" by (metis cs_waiting_def list.distinct(2) list.sel(1) list.set_sel(2) rest_def waiting_eq wq_s_cs) show ?thesis using that(2) using True `t \<in> set wq'` `t \<noteq> taker` `waiting s t cs` eq_wq' by auto qedlemma holding_esI1: assumes "c = cs" and "t = taker" shows "holding (e#s) t c" by (unfold assms, simp add: holding_taker)lemma holding_esE: assumes "holding (e#s) t c" obtains "c = cs" "t = taker" | "c \<noteq> cs" "holding s t c"proof(cases "c = cs") case True from assms[unfolded True, unfolded s_holding_def, folded wq_def, unfolded wq_es_cs] have "t = taker" by (simp add: taker_def) from that(1)[OF True this] show ?thesis .next case False hence "wq (e#s) c = wq s c" using is_v by auto from assms[unfolded s_holding_def, folded wq_def, unfolded this, unfolded wq_def, folded s_holding_def] have "holding s t c" . from that(2)[OF False this] show ?thesis .qedend context valid_trace_v_ebeginlemma nil_wq': "wq' = []" proof (unfold wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest) next fix x assume " distinct x \<and> set x = set rest" thus "x = []" using rest_nil by autoqed lemma no_taker: assumes "next_th s th cs taker" shows "False"proof - from assms[unfolded next_th_def] obtain rest' where "wq s cs = th # rest'" "rest' \<noteq> []" by auto thus ?thesis using rest_def rest_nil by auto qedlemma waiting_set_eq: "{(Th th', Cs cs) |th'. next_th s th cs th'} = {}" using no_taker by autolemma holding_set_eq: "{(Cs cs, Th th') |th'. next_th s th cs th'} = {}" using no_taker by autolemma no_holding: assumes "holding (e#s) taker cs" shows Falseproof - from wq_es_cs[unfolded nil_wq'] have " wq (e # s) cs = []" . from assms[unfolded s_holding_def, folded wq_def, unfolded this] show ?thesis by autoqedlemma no_waiting: assumes "waiting (e#s) t cs" shows Falseproof - from wq_es_cs[unfolded nil_wq'] have " wq (e # s) cs = []" . from assms[unfolded s_waiting_def, folded wq_def, unfolded this] show ?thesis by autoqedlemma waiting_esI2: assumes "waiting s t c" shows "waiting (e#s) t c"proof - have "c \<noteq> cs" using assms using cs_waiting_def rest_nil waiting_eq wq_s_cs by auto from waiting_esI1[OF assms this] show ?thesis .qedlemma waiting_esE: assumes "waiting (e#s) t c" obtains "c \<noteq> cs" "waiting s t c"proof(cases "c = cs") case False hence "wq (e#s) c = wq s c" using is_v by auto with assms have "waiting s t c" using cs_waiting_def waiting_eq by auto from that(1)[OF False this] show ?thesis .next case True from no_waiting[OF assms[unfolded True]] show ?thesis by autoqedlemma holding_esE: assumes "holding (e#s) t c" obtains "c \<noteq> cs" "holding s t c"proof(cases "c = cs") case True from no_holding[OF assms[unfolded True]] show ?thesis by autonext case False hence "wq (e#s) c = wq s c" using is_v by auto from assms[unfolded s_holding_def, folded wq_def, unfolded this, unfolded wq_def, folded s_holding_def] have "holding s t c" . from that[OF False this] show ?thesis .qedend lemma rel_eqI: assumes "\<And> x y. (x,y) \<in> A \<Longrightarrow> (x,y) \<in> B" and "\<And> x y. (x,y) \<in> B \<Longrightarrow> (x, y) \<in> A" shows "A = B" using assms by autolemma in_RAG_E: assumes "(n1, n2) \<in> RAG (s::state)" obtains (waiting) th cs where "n1 = Th th" "n2 = Cs cs" "waiting s th cs" | (holding) th cs where "n1 = Cs cs" "n2 = Th th" "holding s th cs" using assms[unfolded s_RAG_def, folded waiting_eq holding_eq] by autocontext valid_trace_vbeginlemma RAG_es: "RAG (e # s) = RAG s - {(Cs cs, Th th)} - {(Th th', Cs cs) |th'. next_th s th cs th'} \<union> {(Cs cs, Th th') |th'. next_th s th cs th'}" (is "?L = ?R")proof(rule rel_eqI) fix n1 n2 assume "(n1, n2) \<in> ?L" thus "(n1, n2) \<in> ?R" proof(cases rule:in_RAG_E) case (waiting th' cs') show ?thesis proof(cases "rest = []") case False interpret h_n: valid_trace_v_n s e th cs by (unfold_locales, insert False, simp) from waiting(3) show ?thesis proof(cases rule:h_n.waiting_esE) case 1 with waiting(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold waiting_eq, auto) next case 2 with waiting(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold waiting_eq, auto) qed next case True interpret h_e: valid_trace_v_e s e th cs by (unfold_locales, insert True, simp) from waiting(3) show ?thesis proof(cases rule:h_e.waiting_esE) case 1 with waiting(1,2) show ?thesis by (unfold h_e.waiting_set_eq h_e.holding_set_eq s_RAG_def, fold waiting_eq, auto) qed qed next case (holding th' cs') show ?thesis proof(cases "rest = []") case False interpret h_n: valid_trace_v_n s e th cs by (unfold_locales, insert False, simp) from holding(3) show ?thesis proof(cases rule:h_n.holding_esE) case 1 with holding(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold waiting_eq, auto) next case 2 with holding(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold holding_eq, auto) qed next case True interpret h_e: valid_trace_v_e s e th cs by (unfold_locales, insert True, simp) from holding(3) show ?thesis proof(cases rule:h_e.holding_esE) case 1 with holding(1,2) show ?thesis by (unfold h_e.waiting_set_eq h_e.holding_set_eq s_RAG_def, fold holding_eq, auto) qed qed qednext fix n1 n2 assume h: "(n1, n2) \<in> ?R" show "(n1, n2) \<in> ?L" proof(cases "rest = []") case False interpret h_n: valid_trace_v_n s e th cs by (unfold_locales, insert False, simp) from h[unfolded h_n.waiting_set_eq h_n.holding_set_eq] have "((n1, n2) \<in> RAG s \<and> (n1 \<noteq> Cs cs \<or> n2 \<noteq> Th th) \<and> (n1 \<noteq> Th h_n.taker \<or> n2 \<noteq> Cs cs)) \<or> (n2 = Th h_n.taker \<and> n1 = Cs cs)" by auto thus ?thesis proof assume "n2 = Th h_n.taker \<and> n1 = Cs cs" with h_n.holding_taker show ?thesis by (unfold s_RAG_def, fold holding_eq, auto) next assume h: "(n1, n2) \<in> RAG s \<and> (n1 \<noteq> Cs cs \<or> n2 \<noteq> Th th) \<and> (n1 \<noteq> Th h_n.taker \<or> n2 \<noteq> Cs cs)" hence "(n1, n2) \<in> RAG s" by simp thus ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from h and this(1,2) have "th' \<noteq> h_n.taker \<or> cs' \<noteq> cs" by auto hence "waiting (e#s) th' cs'" proof assume "cs' \<noteq> cs" from waiting_esI1[OF waiting(3) this] show ?thesis . next assume neq_th': "th' \<noteq> h_n.taker" show ?thesis proof(cases "cs' = cs") case False from waiting_esI1[OF waiting(3) this] show ?thesis . next case True from h_n.waiting_esI2[OF waiting(3)[unfolded True] neq_th', folded True] show ?thesis . qed qed thus ?thesis using waiting(1,2) by (unfold s_RAG_def, fold waiting_eq, auto) next case (holding th' cs') from h this(1,2) have "cs' \<noteq> cs \<or> th' \<noteq> th" by auto hence "holding (e#s) th' cs'" proof assume "cs' \<noteq> cs" from holding_esI2[OF this holding(3)] show ?thesis . next assume "th' \<noteq> th" from holding_esI1[OF holding(3) this] show ?thesis . qed thus ?thesis using holding(1,2) by (unfold s_RAG_def, fold holding_eq, auto) qed qed next case True interpret h_e: valid_trace_v_e s e th cs by (unfold_locales, insert True, simp) from h[unfolded h_e.waiting_set_eq h_e.holding_set_eq] have h_s: "(n1, n2) \<in> RAG s" "(n1, n2) \<noteq> (Cs cs, Th th)" by auto from h_s(1) show ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from h_e.waiting_esI2[OF this(3)] show ?thesis using waiting(1,2) by (unfold s_RAG_def, fold waiting_eq, auto) next case (holding th' cs') with h_s(2) have "cs' \<noteq> cs \<or> th' \<noteq> th" by auto thus ?thesis proof assume neq_cs: "cs' \<noteq> cs" from holding_esI2[OF this holding(3)] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold holding_eq, auto) next assume "th' \<noteq> th" from holding_esI1[OF holding(3) this] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold holding_eq, auto) qed qed qedqedendlemma step_RAG_v: assumes vt: "vt (V th cs#s)"shows " RAG (V th cs # s) = RAG s - {(Cs cs, Th th)} - {(Th th', Cs cs) |th'. next_th s th cs th'} \<union> {(Cs cs, Th th') |th'. next_th s th cs th'}" (is "?L = ?R")proof - interpret vt_v: valid_trace_v s "V th cs" using assms step_back_vt by (unfold_locales, auto) show ?thesis using vt_v.RAG_es .qedlemma (in valid_trace_create) th_not_in_threads: "th \<notin> threads s"proof - from pip_e[unfolded is_create] show ?thesis by (cases, simp)qedlemma (in valid_trace_create) threads_es [simp]: "threads (e#s) = threads s \<union> {th}" by (unfold is_create, simp)lemma (in valid_trace_exit) threads_es [simp]: "threads (e#s) = threads s - {th}" by (unfold is_exit, simp)lemma (in valid_trace_p) threads_es [simp]: "threads (e#s) = threads s" by (unfold is_p, simp)lemma (in valid_trace_v) threads_es [simp]: "threads (e#s) = threads s" by (unfold is_v, simp)lemma (in valid_trace_v) th_not_in_rest[simp]: "th \<notin> set rest"proof assume otherwise: "th \<in> set rest" have "distinct (wq s cs)" by (simp add: wq_distinct) from this[unfolded wq_s_cs] and otherwise show False by autoqedlemma (in valid_trace_v) set_wq_es_cs [simp]: "set (wq (e#s) cs) = set (wq s cs) - {th}"proof(unfold wq_es_cs wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest)next fix x assume "distinct x \<and> set x = set rest" thus "set x = set (wq s cs) - {th}" by (unfold wq_s_cs, simp)qedlemma (in valid_trace_exit) th_not_in_wq: "th \<notin> set (wq s cs)"proof - from pip_e[unfolded is_exit] show ?thesis by (cases, unfold holdents_def s_holding_def, fold wq_def, auto elim!:runing_wqE)qedlemma (in valid_trace) wq_threads: assumes "th \<in> set (wq s cs)" shows "th \<in> threads s" using assmsproof(induct rule:ind) case (Nil) thus ?case by (auto simp:wq_def)next case (Cons s e) interpret vt_e: valid_trace_e s e using Cons by simp show ?case proof(cases e) case (Create th' prio') interpret vt: valid_trace_create s e th' prio' using Create by (unfold_locales, simp) show ?thesis using Cons.hyps(2) Cons.prems by auto next case (Exit th') interpret vt: valid_trace_exit s e th' using Exit by (unfold_locales, simp) show ?thesis using Cons.hyps(2) Cons.prems vt.th_not_in_wq by auto next case (P th' cs') interpret vt: valid_trace_p s e th' cs' using P by (unfold_locales, simp) show ?thesis using Cons.hyps(2) Cons.prems readys_threads runing_ready vt.is_p vt.runing_th_s vt_e.wq_in_inv by fastforce next case (V th' cs') interpret vt: valid_trace_v s e th' cs' using V by (unfold_locales, simp) show ?thesis using Cons using vt.is_v vt.threads_es vt_e.wq_in_inv by blast next case (Set th' prio) interpret vt: valid_trace_set s e th' prio using Set by (unfold_locales, simp) show ?thesis using Cons.hyps(2) Cons.prems vt.is_set by (auto simp:wq_def Let_def) qedqed context valid_tracebeginlemma dm_RAG_threads: assumes in_dom: "(Th th) \<in> Domain (RAG s)" shows "th \<in> threads s"proof - from in_dom obtain n where "(Th th, n) \<in> RAG s" by auto moreover from RAG_target_th[OF this] obtain cs where "n = Cs cs" by auto ultimately have "(Th th, Cs cs) \<in> RAG s" by simp hence "th \<in> set (wq s cs)" by (unfold s_RAG_def, auto simp:cs_waiting_def) from wq_threads [OF this] show ?thesis .qedlemma cp_le: assumes th_in: "th \<in> threads s" shows "cp s th \<le> Max ((\<lambda> th. (preced th s)) ` threads s)"proof(unfold cp_eq_cpreced cpreced_def cs_dependants_def) show "Max ((\<lambda>th. preced th s) ` ({th} \<union> {th'. (Th th', Th th) \<in> (RAG (wq s))\<^sup>+})) \<le> Max ((\<lambda>th. preced th s) ` threads s)" (is "Max (?f ` ?A) \<le> Max (?f ` ?B)") proof(rule Max_f_mono) show "{th} \<union> {th'. (Th th', Th th) \<in> (RAG (wq s))\<^sup>+} \<noteq> {}" by simp next from finite_threads show "finite (threads s)" . next from th_in show "{th} \<union> {th'. (Th th', Th th) \<in> (RAG (wq s))\<^sup>+} \<subseteq> threads s" apply (auto simp:Domain_def) apply (rule_tac dm_RAG_threads) apply (unfold trancl_domain [of "RAG s", symmetric]) by (unfold cs_RAG_def s_RAG_def, auto simp:Domain_def) qedqedlemma max_cp_eq: shows "Max ((cp s) ` threads s) = Max ((\<lambda> th. (preced th s)) ` threads s)" (is "?l = ?r")proof(cases "threads s = {}") case True thus ?thesis by autonext case False have "?l \<in> ((cp s) ` threads s)" proof(rule Max_in) from finite_threads show "finite (cp s ` threads s)" by auto next from False show "cp s ` threads s \<noteq> {}" by auto qed then obtain th where th_in: "th \<in> threads s" and eq_l: "?l = cp s th" by auto have "\<dots> \<le> ?r" by (rule cp_le[OF th_in]) moreover have "?r \<le> cp s th" (is "Max (?f ` ?A) \<le> cp s th") proof - have "?r \<in> (?f ` ?A)" proof(rule Max_in) from finite_threads show " finite ((\<lambda>th. preced th s) ` threads s)" by auto next from False show " (\<lambda>th. preced th s) ` threads s \<noteq> {}" by auto qed then obtain th' where th_in': "th' \<in> ?A " and eq_r: "?r = ?f th'" by auto from le_cp [of th'] eq_r have "?r \<le> cp s th'" moreover have "\<dots> \<le> cp s th" proof(fold eq_l) show " cp s th' \<le> Max (cp s ` threads s)" proof(rule Max_ge) from th_in' show "cp s th' \<in> cp s ` threads s" by auto next from finite_threads show "finite (cp s ` threads s)" by auto qed qed ultimately show ?thesis by auto qed ultimately show ?thesis using eq_l by autoqedlemma max_cp_eq_the_preced: shows "Max ((cp s) ` threads s) = Max (the_preced s ` threads s)" using max_cp_eq using the_preced_def by presburger endlemma preced_v [simp]: "preced th' (V th cs#s) = preced th' s" by (unfold preced_def, simp)lemma (in valid_trace_v) preced_es: "preced th (e#s) = preced th s" by (unfold is_v preced_def, simp)lemma the_preced_v[simp]: "the_preced (V th cs#s) = the_preced s"proof fix th' show "the_preced (V th cs # s) th' = the_preced s th'" by (unfold the_preced_def preced_def, simp)qedlemma (in valid_trace_v) the_preced_es: "the_preced (e#s) = the_preced s" by (unfold is_v preced_def, simp)context valid_trace_pbeginlemma not_holding_es_th_cs: "\<not> holding s th cs"proof assume otherwise: "holding s th cs" from pip_e[unfolded is_p] show False proof(cases) case (thread_P) moreover have "(Cs cs, Th th) \<in> RAG s" using otherwise cs_holding_def holding_eq th_not_in_wq by auto ultimately show ?thesis by auto qedqedlemma waiting_kept: assumes "waiting s th' cs'" shows "waiting (e#s) th' cs'" using assms by (metis cs_waiting_def hd_append2 list.sel(1) list.set_intros(2) rotate1.simps(2) self_append_conv2 set_rotate1 th_not_in_wq waiting_eq wq_es_cs wq_neq_simp)lemma holding_kept: assumes "holding s th' cs'" shows "holding (e#s) th' cs'"proof(cases "cs' = cs") case False hence "wq (e#s) cs' = wq s cs'" by simp with assms show ?thesis using cs_holding_def holding_eq by auto next case True from assms[unfolded s_holding_def, folded wq_def] obtain rest where eq_wq: "wq s cs' = th'#rest" by (metis empty_iff list.collapse list.set(1)) hence "wq (e#s) cs' = th'#(rest@[th])" by (simp add: True wq_es_cs) thus ?thesis by (simp add: cs_holding_def holding_eq) qedendlocale valid_trace_p_h = valid_trace_p + assumes we: "wq s cs = []"locale valid_trace_p_w = valid_trace_p + assumes wne: "wq s cs \<noteq> []"begindefinition "holder = hd (wq s cs)"definition "waiters = tl (wq s cs)"definition "waiters' = waiters @ [th]"lemma wq_s_cs: "wq s cs = holder#waiters" by (simp add: holder_def waiters_def wne)lemma wq_es_cs': "wq (e#s) cs = holder#waiters@[th]" by (simp add: wq_es_cs wq_s_cs)lemma waiting_es_th_cs: "waiting (e#s) th cs" using cs_waiting_def th_not_in_wq waiting_eq wq_es_cs' wq_s_cs by autolemma RAG_edge: "(Th th, Cs cs) \<in> RAG (e#s)" by (unfold s_RAG_def, fold waiting_eq, insert waiting_es_th_cs, auto)lemma holding_esE: assumes "holding (e#s) th' cs'" obtains "holding s th' cs'" using assms proof(cases "cs' = cs") case False hence "wq (e#s) cs' = wq s cs'" by simp with assms show ?thesis using cs_holding_def holding_eq that by auto next case True with assms show ?thesis by (metis cs_holding_def holding_eq list.sel(1) list.set_intros(1) that wq_es_cs' wq_s_cs) qedlemma waiting_esE: assumes "waiting (e#s) th' cs'" obtains "th' \<noteq> th" "waiting s th' cs'" | "th' = th" "cs' = cs"proof(cases "waiting s th' cs'") case True have "th' \<noteq> th" proof assume otherwise: "th' = th" from True[unfolded this] show False by (simp add: th_not_waiting) qed from that(1)[OF this True] show ?thesis .next case False hence "th' = th \<and> cs' = cs" by (metis assms cs_waiting_def holder_def list.sel(1) rotate1.simps(2) set_ConsD set_rotate1 waiting_eq wq_es_cs wq_es_cs' wq_neq_simp) with that(2) show ?thesis by metisqedlemma RAG_es: "RAG (e # s) = RAG s \<union> {(Th th, Cs cs)}" (is "?L = ?R")proof(rule rel_eqI) fix n1 n2 assume "(n1, n2) \<in> ?L" thus "(n1, n2) \<in> ?R" proof(cases rule:in_RAG_E) case (waiting th' cs') from this(3) show ?thesis proof(cases rule:waiting_esE) case 1 thus ?thesis using waiting(1,2) by (unfold s_RAG_def, fold waiting_eq, auto) next case 2 thus ?thesis using waiting(1,2) by auto qed next case (holding th' cs') from this(3) show ?thesis proof(cases rule:holding_esE) case 1 with holding(1,2) show ?thesis by (unfold s_RAG_def, fold holding_eq, auto) qed qednext fix n1 n2 assume "(n1, n2) \<in> ?R" hence "(n1, n2) \<in> RAG s \<or> (n1 = Th th \<and> n2 = Cs cs)" by auto thus "(n1, n2) \<in> ?L" proof assume "(n1, n2) \<in> RAG s" thus ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from waiting_kept[OF this(3)] show ?thesis using waiting(1,2) by (unfold s_RAG_def, fold waiting_eq, auto) next case (holding th' cs') from holding_kept[OF this(3)] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold holding_eq, auto) qed next assume "n1 = Th th \<and> n2 = Cs cs" thus ?thesis using RAG_edge by auto qedqedendcontext valid_trace_p_hbeginlemma wq_es_cs': "wq (e#s) cs = [th]" using wq_es_cs[unfolded we] by simplemma holding_es_th_cs: shows "holding (e#s) th cs"proof - from wq_es_cs' have "th \<in> set (wq (e#s) cs)" "th = hd (wq (e#s) cs)" by auto thus ?thesis using cs_holding_def holding_eq by blast qedlemma RAG_edge: "(Cs cs, Th th) \<in> RAG (e#s)" by (unfold s_RAG_def, fold holding_eq, insert holding_es_th_cs, auto)lemma waiting_esE: assumes "waiting (e#s) th' cs'" obtains "waiting s th' cs'" using assms by (metis cs_waiting_def event.distinct(15) is_p list.sel(1) set_ConsD waiting_eq we wq_es_cs' wq_neq_simp wq_out_inv)lemma holding_esE: assumes "holding (e#s) th' cs'" obtains "cs' \<noteq> cs" "holding s th' cs'" | "cs' = cs" "th' = th"proof(cases "cs' = cs") case True from held_unique[OF holding_es_th_cs assms[unfolded True]] have "th' = th" by simp from that(2)[OF True this] show ?thesis .next case False have "holding s th' cs'" using assms using False cs_holding_def holding_eq by auto from that(1)[OF False this] show ?thesis .qedlemma RAG_es: "RAG (e # s) = RAG s \<union> {(Cs cs, Th th)}" (is "?L = ?R")proof(rule rel_eqI) fix n1 n2 assume "(n1, n2) \<in> ?L" thus "(n1, n2) \<in> ?R" proof(cases rule:in_RAG_E) case (waiting th' cs') from this(3) show ?thesis proof(cases rule:waiting_esE) case 1 thus ?thesis using waiting(1,2) by (unfold s_RAG_def, fold waiting_eq, auto) qed next case (holding th' cs') from this(3) show ?thesis proof(cases rule:holding_esE) case 1 with holding(1,2) show ?thesis by (unfold s_RAG_def, fold holding_eq, auto) next case 2 with holding(1,2) show ?thesis by auto qed qednext fix n1 n2 assume "(n1, n2) \<in> ?R" hence "(n1, n2) \<in> RAG s \<or> (n1 = Cs cs \<and> n2 = Th th)" by auto thus "(n1, n2) \<in> ?L" proof assume "(n1, n2) \<in> RAG s" thus ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from waiting_kept[OF this(3)] show ?thesis using waiting(1,2) by (unfold s_RAG_def, fold waiting_eq, auto) next case (holding th' cs') from holding_kept[OF this(3)] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold holding_eq, auto) qed next assume "n1 = Cs cs \<and> n2 = Th th" with holding_es_th_cs show ?thesis by (unfold s_RAG_def, fold holding_eq, auto) qedqedendcontext valid_trace_pbeginlemma RAG_es': "RAG (e # s) = (if (wq s cs = []) then RAG s \<union> {(Cs cs, Th th)} else RAG s \<union> {(Th th, Cs cs)})"proof(cases "wq s cs = []") case True interpret vt_p: valid_trace_p_h using True by (unfold_locales, simp) show ?thesis by (simp add: vt_p.RAG_es vt_p.we) next case False interpret vt_p: valid_trace_p_w using False by (unfold_locales, simp) show ?thesis by (simp add: vt_p.RAG_es vt_p.wne) qedendend