theory PIPBasicsimports PIPDefs RTreebegintext {* (* ddd *) Following the HOL convention of {\em definitional extension}, we have given a concise and miniature model of PIP. To assure ourselves of the correctness of this model, we are going to derive a series of expected properties out of it. This file contains the very basic properties, useful for self-assurance, as well as for deriving more advance properties concerning the correctness and implementation of PIP. *}section {* Generic auxiliary lemmas *}lemma rel_eqI: assumes "\<And> x y. (x,y) \<in> A \<Longrightarrow> (x,y) \<in> B" and "\<And> x y. (x,y) \<in> B \<Longrightarrow> (x, y) \<in> A" shows "A = B" using assms by autolemma f_image_eq: assumes h: "\<And> a. a \<in> A \<Longrightarrow> f a = g a" shows "f ` A = g ` A"proof show "f ` A \<subseteq> g ` A" by(rule image_subsetI, auto intro:h)next show "g ` A \<subseteq> f ` A" by (rule image_subsetI, auto intro:h[symmetric])qedsection {* Lemmas do not depend on trace validity *}text {* The following lemma serves to proof @{text "preced_tm_lt"} *}lemma birth_time_lt: assumes "s \<noteq> []" shows "last_set th s < length s" using assmsproof(induct s) case (Cons a s) show ?case proof(cases "s \<noteq> []") case False thus ?thesis by (cases a, auto) next case True show ?thesis using Cons(1)[OF True] by (cases a, auto) qedqed simptext {* The following lemma also serves to proof @{text "preced_tm_lt"} *}lemma th_in_ne: "th \<in> threads s \<Longrightarrow> s \<noteq> []" by (induct s, auto)text {* The following lemma is used in Correctness.thy *}lemma preced_tm_lt: "th \<in> threads s \<Longrightarrow> preced th s = Prc x y \<Longrightarrow> y < length s" by (drule_tac th_in_ne, unfold preced_def, auto intro: birth_time_lt)text {* The following lemma says that if a resource is waited for, it must be held by someone else. *}lemma waiting_holding: assumes "waiting (s::state) th cs" obtains th' where "holding s th' cs"proof - from assms[unfolded s_waiting_def, folded wq_def] obtain th' where "th' \<in> set (wq s cs)" "th' = hd (wq s cs)" by (metis empty_iff hd_in_set list.set(1)) hence "holding s th' cs" unfolding s_holding_def by auto from that[OF this] show ?thesis .qedtext {* The following @{text "children_RAG_alt_def"} relates @{term children} in @{term RAG} to the notion of @{term holding}. It is a technical lemmas used to prove the two following lemmas.*}lemma children_RAG_alt_def: "children (RAG (s::state)) (Th th) = Cs ` {cs. holding s th cs}" by (unfold s_RAG_def, auto simp:children_def s_holding_abv)text {* The following two lemmas relate @{term holdents} and @{term cntCS} to @{term children} in @{term RAG}, so that proofs about @{term holdents} and @{term cntCS} can be carried out under the support of the abstract theory of {\em relational graph} (and specifically {\em relational tree} and {\em relational forest}).*}lemma holdents_alt_def: "holdents s th = the_cs ` (children (RAG (s::state)) (Th th))" by (unfold children_RAG_alt_def holdents_def, simp add: image_image)lemma cntCS_alt_def: "cntCS s th = card (children (RAG s) (Th th))" apply (unfold children_RAG_alt_def cntCS_def holdents_def) by (rule card_image[symmetric], auto simp:inj_on_def)text {* The following two lemmas show the inclusion relations among three key sets, namely @{term running}, @{term readys} and @{term threads}.*}lemma running_ready: shows "running s \<subseteq> readys s" unfolding running_def readys_def by auto lemma readys_threads: shows "readys s \<subseteq> threads s" unfolding readys_def by autotext {* The following lemma says that if a thread is running, it must be the head of every waiting queue it is in. In other words, a running thread must have got every resource it has requested.*}lemma running_wqE: assumes "th \<in> running s" and "th \<in> set (wq s cs)" obtains rest where "wq s cs = th#rest"proof - from assms(2) obtain th' rest where eq_wq: "wq s cs = th'#rest" by (metis empty_iff list.exhaust list.set(1)) have "th' = th" proof(rule ccontr) assume "th' \<noteq> th" hence "th \<noteq> hd (wq s cs)" using eq_wq by auto with assms(2) have "waiting s th cs" by (unfold s_waiting_def, fold wq_def, auto) with assms show False by (unfold running_def readys_def, auto) qed with eq_wq that show ?thesis by metisqedtext {* Every thread can only be blocked on one critical resource, symmetrically, every critical resource can only be held by one thread. This fact is much more easier according to our definition. *}lemma held_unique: assumes "holding (s::event list) th1 cs" and "holding s th2 cs" shows "th1 = th2" by (insert assms, unfold s_holding_def, auto)text {* The following three lemmas establishes the uniqueness of precedence, a key property about precedence. The first two are just technical lemmas to assist the proof of the third.*}lemma last_set_lt: "th \<in> threads s \<Longrightarrow> last_set th s < length s" apply (induct s, auto) by (case_tac a, auto split:if_splits)lemma last_set_unique: "\<lbrakk>last_set th1 s = last_set th2 s; th1 \<in> threads s; th2 \<in> threads s\<rbrakk> \<Longrightarrow> th1 = th2" apply (induct s, auto) by (case_tac a, auto split:if_splits dest:last_set_lt)lemma preced_unique : assumes pcd_eq: "preced th1 s = preced th2 s" and th_in1: "th1 \<in> threads s" and th_in2: " th2 \<in> threads s" shows "th1 = th2"proof - from pcd_eq have "last_set th1 s = last_set th2 s" by (simp add:preced_def) from last_set_unique [OF this th_in1 th_in2] show ?thesis .qedtext {* The following lemma shows that there exits a linear order on precedences, which is crucial for the notion of @{term Max} to be applicable.*}lemma preced_linorder: assumes neq_12: "th1 \<noteq> th2" and th_in1: "th1 \<in> threads s" and th_in2: " th2 \<in> threads s" shows "preced th1 s < preced th2 s \<or> preced th1 s > preced th2 s"proof - from preced_unique [OF _ th_in1 th_in2] and neq_12 have "preced th1 s \<noteq> preced th2 s" by auto thus ?thesis by autoqedtext {* The following lemma case analysis the situations when two nodes are in @{term RAG}.*}lemma in_RAG_E: assumes "(n1, n2) \<in> RAG (s::state)" obtains (waiting) th cs where "n1 = Th th" "n2 = Cs cs" "waiting s th cs" | (holding) th cs where "n1 = Cs cs" "n2 = Th th" "holding s th cs" using assms[unfolded s_RAG_def, folded s_waiting_abv s_holding_abv] by autotext {* The following lemmas are the simplification rules for @{term count}, @{term cntP}, @{term cntV}. It is part of the scheme to use the counting of @{term "P"} and @{term "V"} operations to reason about the number of resources occupied by one thread.*}lemma count_rec1 [simp]: assumes "Q e" shows "count Q (e#es) = Suc (count Q es)" using assms by (unfold count_def, auto)lemma count_rec2 [simp]: assumes "\<not>Q e" shows "count Q (e#es) = (count Q es)" using assms by (unfold count_def, auto)lemma count_rec3 [simp]: shows "count Q [] = 0" by (unfold count_def, auto)lemma cntP_simp1[simp]: "cntP (P th cs'#s) th = cntP s th + 1" by (unfold cntP_def, simp)lemma cntP_simp2[simp]: assumes "th' \<noteq> th" shows "cntP (P th cs'#s) th' = cntP s th'" using assms by (unfold cntP_def, simp)lemma cntP_simp3[simp]: assumes "\<not> isP e" shows "cntP (e#s) th' = cntP s th'" using assms by (unfold cntP_def, cases e, simp+)lemma cntV_simp1[simp]: "cntV (V th cs'#s) th = cntV s th + 1" by (unfold cntV_def, simp)lemma cntV_simp2[simp]: assumes "th' \<noteq> th" shows "cntV (V th cs'#s) th' = cntV s th'" using assms by (unfold cntV_def, simp)lemma cntV_simp3[simp]: assumes "\<not> isV e" shows "cntV (e#s) th' = cntV s th'" using assms by (unfold cntV_def, cases e, simp+)text {* The following two lemmas show that only @{term P} and @{term V} operation can change the value of @{term cntP} and @{term cntV}, which is true obviously.*}lemma cntP_diff_inv: assumes "cntP (e#s) th \<noteq> cntP s th" obtains cs where "e = P th cs"proof(cases e) case (P th' pty) show ?thesis using that by (cases "(\<lambda>e. \<exists>cs. e = P th cs) (P th' pty)", insert assms P, auto simp:cntP_def)qed (insert assms, auto simp:cntP_def)lemma cntV_diff_inv: assumes "cntV (e#s) th \<noteq> cntV s th" obtains cs' where "e = V th cs'"proof(cases e) case (V th' pty) show ?thesis using that by (cases "(\<lambda>e. \<exists>cs. e = V th cs) (V th' pty)", insert assms V, auto simp:cntV_def)qed (insert assms, auto simp:cntV_def)text {* The following three lemmas shows the shape of nodes in @{term tRAG}.*}lemma tRAG_nodeE: assumes "(n1, n2) \<in> tRAG s" obtains th1 th2 where "n1 = Th th1" "n2 = Th th2" using assms by (auto simp: tRAG_def wRAG_def hRAG_def)lemma tRAG_tG: assumes "(n1, n2) \<in> tRAG s" shows "n1 = Th (the_thread n1)" "n2 = Th (the_thread n2)" "(the_thread n1, the_thread n2) \<in> tG s" using assms by (unfold tRAG_def_tG tG_alt_def, auto)lemma tG_tRAG: assumes "(th1, th2) \<in> tG s" shows "(Th th1, Th th2) \<in> tRAG s" using assms by (unfold tRAG_def_tG, auto)lemma tRAG_ancestorsE: assumes "x \<in> ancestors (tRAG s) u" obtains th where "x = Th th"proof - from assms have "(u, x) \<in> (tRAG s)^+" by (unfold ancestors_def, auto) from tranclE[OF this] obtain c where "(c, x) \<in> tRAG s" by auto then obtain th where "x = Th th" by (unfold tRAG_alt_def, auto) from that[OF this] show ?thesis .qedlemma map_prod_RE: assumes "(u, v) \<in> (map_prod f f ` R)" obtains u' v' where "u = (f u')" "v = (f v')" "(u', v') \<in> R" using assms by autolemma map_prod_tranclE: assumes "(u, v) \<in> (map_prod f f ` R)^+" and "inj_on f (Field R)" obtains u' v' where "u = (f u')" "v = (f v')" "(u', v') \<in> R^+"proof - from assms(1) have "\<exists>u' v'. u = f u' \<and> v = f v' \<and> (u', v') \<in> R\<^sup>+" proof(induct rule:trancl_induct) case (base y) thus ?case by auto next case (step y z) then obtain u' v' where h1: "u = f u'" "y = f v'" "(u', v') \<in> R\<^sup>+" by auto from map_prod_RE[OF step(2)] obtain v'' u'' where h2: "y = f v''" "z = f u''" "(v'', u'') \<in> R" by auto from h1 h2 have "f v' = f v''" by simp hence eq_v': "v' = v''" proof(cases rule:inj_onD[OF assms(2), consumes 1]) case 1 from h1(3) show ?case using trancl_subset_Field2[of R] by auto next case 2 from h2(3) show ?case by (simp add: Domain.DomainI Field_def) qed let ?u = "u'" and ?v = "u''" have "(?u, ?v) \<in> R^+" using h1(3)[unfolded eq_v'] h2(3) by auto with h1 h2 show ?case by auto qed thus ?thesis using that by metisqedlemma map_prod_rtranclE: assumes "(u, v) \<in> (map_prod f f ` R)^*" and "inj_on f (Field R)" obtains (root) "u = v" | (trancl) u' v' where "u = (f u')" "v = (f v')" "(u', v') \<in> R^*"proof - from rtranclD[OF assms(1)] have "u = v \<or> (\<exists>u' v'. u = f u' \<and> v = f v' \<and> (u', v') \<in> R\<^sup>*)" proof assume "u = v" thus ?thesis by auto next assume "u \<noteq> v \<and> (u, v) \<in> (map_prod f f ` R)\<^sup>+" hence "(u, v) \<in> (map_prod f f ` R)\<^sup>+" by auto thus ?thesis by (rule map_prod_tranclE[OF _ assms(2)], auto dest!:trancl_into_rtrancl) qed with that show ?thesis by autoqedlemma Field_tRAGE: assumes "n \<in> (Field (tRAG s))" obtains th where "n = Th th"proof - from assms[unfolded tRAG_alt_def Field_def Domain_def Range_def] show ?thesis using that by autoqedlemma trancl_tG_tRAG: assumes "(th1, th2) \<in> (tG s)^+" shows "(Th th1, Th th2) \<in> (tRAG s)^+" using assms unfolding tRAG_def_tGproof(induct rule:trancl_induct) case (step y z) from step(2) have "(Th y, Th z) \<in> map_prod Th Th ` (tG s)" by auto with step(3) show ?case by autoqed autolemma rtrancl_tG_tRAG: assumes "(th1, th2) \<in> (tG s)^*" shows "(Th th1, Th th2) \<in> (tRAG s)^*"proof - from rtranclD[OF assms] show ?thesis proof assume "th1 = th2" thus "(Th th1, Th th2) \<in> (tRAG s)\<^sup>*" by auto next assume "th1 \<noteq> th2 \<and> (th1, th2) \<in> (tG s)\<^sup>+" hence "(th1, th2) \<in> (tG s)\<^sup>+" by auto from trancl_into_rtrancl[OF trancl_tG_tRAG[OF this]] show "(Th th1, Th th2) \<in> (tRAG s)\<^sup>*" . qedqedlemma trancl_tRAG_tG: assumes "(n1, n2) \<in> (tRAG s)^+" obtains "n1 = Th (the_thread n1)" "n2 = Th (the_thread n2)" "(the_thread n1, the_thread n2) \<in> (tG s)^+"proof - have inj: "inj_on Th (Field (tG s))" by (unfold inj_on_def Field_def, auto) show ?thesis by (rule map_prod_tranclE[OF assms[unfolded tRAG_def_tG] inj], auto intro!:that)qedlemma rtrancl_tRAG_tG: assumes "(n1, n2) \<in> (tRAG s)^*" obtains "n1 = n2" | "n1 = Th (the_thread n1)" "n2 = Th (the_thread n2)" "the_thread n1 \<noteq> the_thread n2" "(the_thread n1, the_thread n2) \<in> (tG s)^*"proof - from rtranclD[OF assms] have "n1 = n2 \<or> n1 = Th (the_thread n1) \<and> n2 = Th (the_thread n2) \<and> the_thread n1 \<noteq> the_thread n2 \<and> (the_thread n1, the_thread n2) \<in> (tG s)^*" proof assume h: "n1 \<noteq> n2 \<and> (n1, n2) \<in> (tRAG s)\<^sup>+" hence "(n1, n2) \<in> (tRAG s)\<^sup>+" by auto from trancl_tRAG_tG[OF this] have "n1 = Th (the_thread n1)" "n2 = Th (the_thread n2)" "(the_thread n1, the_thread n2) \<in> (tG s)\<^sup>+" by auto with h show ?thesis by auto qed auto with that show ?thesis by autoqedlemma ancestors_imageE: assumes "u \<in> ancestors ((map_prod f f) ` R) v" and "inj_on f (Field R)" obtains u' v' where "u = (f u')" "v = (f v')" "u' \<in> ancestors R v'" using assms unfolding ancestors_def by (metis map_prod_tranclE mem_Collect_eq)lemma tRAG_ancestorsE_tG: assumes "x \<in> ancestors (tRAG s) u" obtains "x = Th (the_thread x)" "u = Th (the_thread u)" "the_thread x \<in> ancestors (tG s) (the_thread u)"proof - from assms[unfolded ancestors_def] have "(u, x) \<in> (tRAG s)\<^sup>+" by simp from trancl_tRAG_tG[OF this] show ?thesis using that by (auto simp:ancestors_def)qedlemma ancestors_tG_tRAG: assumes "th1 \<in> ancestors (tG s) th2" shows "Th th1 \<in> ancestors (tRAG s) (Th th2)"proof - from assms[unfolded ancestors_def] have "(th2, th1) \<in> (tG s)\<^sup>+" by simp from trancl_tG_tRAG[OF this] show ?thesis by (simp add:ancestors_def)qedlemma subtree_nodeE: assumes "n \<in> subtree (tRAG s) (Th th)" obtains th1 where "n = Th th1"proof - show ?thesis proof(rule subtreeE[OF assms]) assume "n = Th th" from that[OF this] show ?thesis . next assume "Th th \<in> ancestors (tRAG s) n" hence "(n, Th th) \<in> (tRAG s)^+" by (auto simp:ancestors_def) hence "\<exists> th1. n = Th th1" proof(induct) case (base y) from tRAG_nodeE[OF this] show ?case by metis next case (step y z) thus ?case by auto qed with that show ?thesis by auto qedqedlemma subtree_nodeE_tG: assumes "n \<in> subtree (tRAG s) (Th th)" obtains "n = Th (the_thread n)" "the_thread n \<in> subtree (tG s) th" proof - from assms[unfolded subtree_def] have "(n, Th th) \<in> (tRAG s)\<^sup>*" by simp hence "n = Th (the_thread n) \<and> the_thread n \<in> subtree (tG s) th" by (cases rule:rtrancl_tRAG_tG, auto simp:subtree_def) thus ?thesis using that by autoqedlemma subtree_tRAG_tG: "subtree (tRAG s) (Th th) = Th ` (subtree (tG s) th)" (is "?L = ?R")proof - { fix n assume "n \<in> ?L" from subtree_nodeE_tG[OF this] have "n \<in> ?R" by auto } moreover { fix n assume "n \<in> ?R" then obtain th' where h: "th' \<in> subtree (tG s) th" "n = Th th'" by auto hence "(th', th) \<in> (tG s)^*" by (auto simp:subtree_def) from rtrancl_tG_tRAG[OF this] and h have "n \<in> ?L" by (auto simp:subtree_def) } ultimately show ?thesis by autoqedlemma subtree_tG_tRAG: "(subtree (tG s) th) = the_thread ` (subtree (tRAG s) (Th th))" (is "?L = ?R")proof - have "?R = (the_thread \<circ> Th) ` subtree (tG s) th" by (unfold subtree_tRAG_tG image_comp, simp) also have "... = id ` ?L" by (rule image_cong, auto) finally show ?thesis by simpqedtext {* The following lemmas relate @{term tRAG} with @{term RAG} from different perspectives. *}lemma tRAG_star_RAG: "(tRAG s)^* \<subseteq> (RAG s)^*"proof - have "(wRAG s O hRAG s)^* \<subseteq> (RAG s O RAG s)^*" by (rule rtrancl_mono, auto simp:RAG_split) also have "... \<subseteq> ((RAG s)^*)^*" by (rule rtrancl_mono, auto) also have "... = (RAG s)^*" by simp finally show ?thesis by (unfold tRAG_def, simp)qedlemma tRAG_subtree_RAG: "subtree (tRAG s) x \<subseteq> subtree (RAG s) x"proof - { fix a assume "a \<in> subtree (tRAG s) x" hence "(a, x) \<in> (tRAG s)^*" by (auto simp:subtree_def) with tRAG_star_RAG have "(a, x) \<in> (RAG s)^*" by auto hence "a \<in> subtree (RAG s) x" by (auto simp:subtree_def) } thus ?thesis by autoqedlemma tRAG_trancl_eq: "{th'. (Th th', Th th) \<in> (tRAG s)^+} = {th'. (Th th', Th th) \<in> (RAG s)^+}" (is "?L = ?R")proof - { fix th' assume "th' \<in> ?L" hence "(Th th', Th th) \<in> (tRAG s)^+" by auto from tranclD[OF this] obtain z where h: "(Th th', z) \<in> tRAG s" "(z, Th th) \<in> (tRAG s)\<^sup>*" by auto from tRAG_subtree_RAG and this(2) have "(z, Th th) \<in> (RAG s)^*" by (meson subsetCE tRAG_star_RAG) moreover from h(1) have "(Th th', z) \<in> (RAG s)^+" using tRAG_alt_def by auto ultimately have "th' \<in> ?R" by auto } moreover { fix th' assume "th' \<in> ?R" hence "(Th th', Th th) \<in> (RAG s)^+" by (auto) from plus_rpath[OF this] obtain xs where rp: "rpath (RAG s) (Th th') xs (Th th)" "xs \<noteq> []" by auto hence "(Th th', Th th) \<in> (tRAG s)^+" proof(induct xs arbitrary:th' th rule:length_induct) case (1 xs th' th) then obtain x1 xs1 where Cons1: "xs = x1#xs1" by (cases xs, auto) show ?case proof(cases "xs1") case Nil from 1(2)[unfolded Cons1 Nil] have rp: "rpath (RAG s) (Th th') [x1] (Th th)" . hence "(Th th', x1) \<in> (RAG s)" by (cases, auto) then obtain cs where "x1 = Cs cs" by (unfold s_RAG_def, auto) from rpath_nnl_lastE[OF rp[unfolded this]] show ?thesis by auto next case (Cons x2 xs2) from 1(2)[unfolded Cons1[unfolded this]] have rp: "rpath (RAG s) (Th th') (x1 # x2 # xs2) (Th th)" . from rpath_edges_on[OF this] have eds: "edges_on (Th th' # x1 # x2 # xs2) \<subseteq> RAG s" . have "(Th th', x1) \<in> edges_on (Th th' # x1 # x2 # xs2)" by (simp add: edges_on_unfold) with eds have rg1: "(Th th', x1) \<in> RAG s" by auto then obtain cs1 where eq_x1: "x1 = Cs cs1" by (unfold s_RAG_def, auto) have "(x1, x2) \<in> edges_on (Th th' # x1 # x2 # xs2)" by (simp add: edges_on_unfold) from this eds have rg2: "(x1, x2) \<in> RAG s" by auto from this[unfolded eq_x1] obtain th1 where eq_x2: "x2 = Th th1" by (unfold s_RAG_def, auto) from rg1[unfolded eq_x1] rg2[unfolded eq_x1 eq_x2] have rt1: "(Th th', Th th1) \<in> tRAG s" by (unfold tRAG_alt_def, auto) from rp have "rpath (RAG s) x2 xs2 (Th th)" by (elim rpath_ConsE, simp) from this[unfolded eq_x2] have rp': "rpath (RAG s) (Th th1) xs2 (Th th)" . show ?thesis proof(cases "xs2 = []") case True from rpath_nilE[OF rp'[unfolded this]] have "th1 = th" by auto from rt1[unfolded this] show ?thesis by auto next case False from 1(1)[rule_format, OF _ rp' this, unfolded Cons1 Cons] have "(Th th1, Th th) \<in> (tRAG s)\<^sup>+" by simp with rt1 show ?thesis by auto qed qed qed hence "th' \<in> ?L" by auto } ultimately show ?thesis by blastqedlemma tRAG_trancl_eq_Th: "{Th th' | th'. (Th th', Th th) \<in> (tRAG s)^+} = {Th th' | th'. (Th th', Th th) \<in> (RAG s)^+}" using tRAG_trancl_eq by autolemma tRAG_Field: "Field (tRAG s) \<subseteq> Field (RAG s)" by (unfold tRAG_alt_def Field_def, auto)lemma tRAG_mono: assumes "RAG s' \<subseteq> RAG s" shows "tRAG s' \<subseteq> tRAG s" using assms by (unfold tRAG_alt_def, auto)lemma tRAG_subtree_eq: "(subtree (tRAG s) (Th th)) = {Th th' | th'. Th th' \<in> (subtree (RAG s) (Th th))}" (is "?L = ?R")proof - { fix n assume h: "n \<in> ?L" hence "n \<in> ?R" by (smt mem_Collect_eq subsetCE subtree_def subtree_nodeE tRAG_subtree_RAG) } moreover { fix n assume "n \<in> ?R" then obtain th' where h: "n = Th th'" "(Th th', Th th) \<in> (RAG s)^*" by (auto simp:subtree_def) from rtranclD[OF this(2)] have "n \<in> ?L" proof assume "Th th' \<noteq> Th th \<and> (Th th', Th th) \<in> (RAG s)\<^sup>+" with h have "n \<in> {Th th' | th'. (Th th', Th th) \<in> (RAG s)^+}" by auto thus ?thesis using subtree_def tRAG_trancl_eq by fastforce (* ccc *) qed (insert h, auto simp:subtree_def) } ultimately show ?thesis by autoqedlemma threads_set_eq: "the_thread ` (subtree (tRAG s) (Th th)) = {th'. Th th' \<in> (subtree (RAG s) (Th th))}" (is "?L = ?R") by (auto intro:rev_image_eqI simp:tRAG_subtree_eq)text {* The following lemmas is an alternative definition of @{term cp}, which is based on the notion of subtrees in @{term RAG} and is handy to use once the abstract theory of {\em relational graph} (and specifically {\em relational tree} and {\em relational forest}) are in place.*}lemma cp_s_def: "cp s th = Max (preceds (subtree (tG s) th) s)" by (unfold cp_eq cpreced_def s_tG_abv, simp)lemma cp_alt_def: "cp s th = Max ((the_preced s) ` {th'. Th th' \<in> (subtree (RAG s) (Th th))})" apply (unfold cp_s_def subtree_tG_tRAG threads_set_eq) by (smt Collect_cong Setcompr_eq_image the_preced_def)text {* The following is another definition of @{term cp}.*}lemma cp_alt_def1: "cp s th = Max ((the_preced s o the_thread) ` (subtree (tRAG s) (Th th)))"proof - have "(the_preced s ` the_thread ` subtree (tRAG s) (Th th)) = ((the_preced s \<circ> the_thread) ` subtree (tRAG s) (Th th))" by auto thus ?thesis by (unfold cp_alt_def, fold threads_set_eq, auto)qedtext {* The following is another definition of @{term cp} based on @{term tG}:*}lemma cp_alt_def2: "cp s th = Max (the_preced s ` (subtree (tG s) th))" by (unfold cp_alt_def1 subtree_tG_tRAG image_comp, simp)lemma RAG_tRAG_transfer: assumes "RAG s' = RAG s \<union> {(Th th, Cs cs)}" and "(Cs cs, Th th'') \<in> RAG s" shows "tRAG s' = tRAG s \<union> {(Th th, Th th'')}" (is "?L = ?R")proof - { fix n1 n2 assume "(n1, n2) \<in> ?L" from this[unfolded tRAG_alt_def] obtain th1 th2 cs' where h: "n1 = Th th1" "n2 = Th th2" "(Th th1, Cs cs') \<in> RAG s'" "(Cs cs', Th th2) \<in> RAG s'" by auto from h(4) and assms(1) have cs_in: "(Cs cs', Th th2) \<in> RAG s" by auto from h(3) and assms(1) have "(Th th1, Cs cs') = (Th th, Cs cs) \<or> (Th th1, Cs cs') \<in> RAG s" by auto hence "(n1, n2) \<in> ?R" proof assume h1: "(Th th1, Cs cs') = (Th th, Cs cs)" with assms(1) have "(Th th1, Cs cs) \<in> RAG s'" by auto moreover have "th2 = th''" proof - from h1 have "cs' = cs" by simp from assms(2) cs_in[unfolded this] have "holding s th'' cs" "holding s th2 cs" by (unfold s_RAG_def, fold s_holding_abv, auto) from held_unique[OF this] show ?thesis by simp qed ultimately show ?thesis using h(1,2) h1 by auto next assume "(Th th1, Cs cs') \<in> RAG s" with cs_in have "(Th th1, Th th2) \<in> tRAG s" by (unfold tRAG_alt_def, auto) from this[folded h(1, 2)] show ?thesis by auto qed } moreover { fix n1 n2 assume "(n1, n2) \<in> ?R" hence "(n1, n2) \<in>tRAG s \<or> (n1, n2) = (Th th, Th th'')" by auto hence "(n1, n2) \<in> ?L" proof assume "(n1, n2) \<in> tRAG s" moreover have "... \<subseteq> ?L" proof(rule tRAG_mono) show "RAG s \<subseteq> RAG s'" by (unfold assms(1), auto) qed ultimately show ?thesis by auto next assume eq_n: "(n1, n2) = (Th th, Th th'')" from assms(1, 2) have "(Cs cs, Th th'') \<in> RAG s'" by auto moreover have "(Th th, Cs cs) \<in> RAG s'" using assms(1) by auto ultimately show ?thesis by (unfold eq_n tRAG_alt_def, auto) qed } ultimately show ?thesis by autoqedsection {* Locales used to investigate the execution of PIP *}text {* The following locale @{text valid_trace} is used to constrain the trace to be valid. All properties hold for valid traces are derived under this locale. *}locale valid_trace = fixes s assumes vt : "vt s"text {* The following locale @{text valid_trace_e} describes the valid extension of a valid trace. The event @{text "e"} represents an event in the system, which corresponds to a one step operation of the PIP protocol. It is required that @{text "e"} is an event eligible to happen under state @{text "s"}, which is already required to be valid by the parent locale @{text "valid_trace"}. This locale is used to investigate one step execution of PIP, properties concerning the effects of @{text "e"}'s execution, for example, how the values of observation functions are changed, or how desirable properties are kept invariant, are derived under this locale. The state before execution is @{text "s"}, while the state after execution is @{text "e#s"}. Therefore, the lemmas derived usually relate observations on @{text "e#s"} to those on @{text "s"}.*}locale valid_trace_e = valid_trace + fixes e assumes vt_e: "vt (e#s)"begintext {* The following lemma shows that @{text "e"} must be a eligible event (or a valid step) to be taken under the state represented by @{text "s"}.*}lemma pip_e: "PIP s e" using vt_e by (cases, simp) endtext {* Because @{term "e#s"} is also a valid trace, properties derived for valid trace @{term s} also hold on @{term "e#s"}.*}sublocale valid_trace_e < vat_es: valid_trace "e#s" using vt_e by (unfold_locales, simp)text {* For each specific event (or operation), there is a sublocale further constraining that the event @{text e} to be that particular event. For example, the following locale @{text "valid_trace_create"} is the sublocale for event @{term "Create"}:*}locale valid_trace_create = valid_trace_e + fixes th prio assumes is_create: "e = Create th prio"locale valid_trace_exit = valid_trace_e + fixes th assumes is_exit: "e = Exit th"locale valid_trace_p = valid_trace_e + fixes th cs assumes is_p: "e = P th cs"text {* locale @{text "valid_trace_p"} is divided further into two sublocales, namely, @{text "valid_trace_p_h"} and @{text "valid_trace_p_w"}.*}text {* The following two sublocales @{text "valid_trace_p_h"} and @{text "valid_trace_p_w"} represent two complementary cases under @{text "valid_trace_p"}, where @{text "valid_trace_p_h"} further constraints that @{text "wq s cs = []"}, which means the waiting queue of the requested resource @{text "cs"} is empty, in which case, the requesting thread @{text "th"} will take hold of @{text "cs"}. Opposite to @{text "valid_trace_p_h"}, @{text "valid_trace_p_w"} constraints that @{text "wq s cs \<noteq> []"}, which means the waiting queue of the requested resource @{text "cs"} is nonempty, in which case, the requesting thread @{text "th"} will be blocked on @{text "cs"}: Peculiar properties will be derived under respective locales.*}locale valid_trace_p_h = valid_trace_p + assumes we: "wq s cs = []"locale valid_trace_p_w = valid_trace_p + assumes wne: "wq s cs \<noteq> []"begintext {* The following @{text "holder"} designates the holder of @{text "cs"} before the @{text "P"}-operation.*}definition "holder = hd (wq s cs)"text {* The following @{text "waiters"} designates the list of threads waiting for @{text "cs"} before the @{text "P"}-operation.*}definition "waiters = tl (wq s cs)"endtext {* @{text "valid_trace_v"} is set for the @{term V}-operation.*}locale valid_trace_v = valid_trace_e + fixes th cs assumes is_v: "e = V th cs"begin -- {* The following @{text "rest"} is the tail of waiting queue of the resource @{text "cs"} to be released by this @{text "V"}-operation. *} definition "rest = tl (wq s cs)" text {* The following @{text "wq'"} is the waiting queue of @{term "cs"} after the @{text "V"}-operation, which is simply a reordering of @{term "rest"}. The effect of this reordering needs to be understood by two cases: \begin{enumerate} \item When @{text "rest = []"}, the reordering gives rise to an empty list as well, which means there is no thread holding or waiting for resource @{term "cs"}, therefore, it is free. \item When @{text "rest \<noteq> []"}, the effect of this reordering is to arbitrarily switch one thread in @{term "rest"} to the head, which, by definition take over the hold of @{term "cs"} and is designated by @{text "taker"} in the following sublocale @{text "valid_trace_v_n"}. *} definition "wq' = (SOME q. distinct q \<and> set q = set rest)" text {* The following @{text "rest'"} is the tail of the waiting queue after the @{text "V"}-operation. It plays only auxiliary role to ease reasoning. *} definition "rest' = tl wq'"endtext {* In the following, @{text "valid_trace_v"} is also divided into two sublocales: when @{text "rest"} is empty (represented by @{text "valid_trace_v_e"}), which means, there is no thread waiting for @{text "cs"}, therefore, after the @{text "V"}-operation, it will become free; otherwise (represented by @{text "valid_trace_v_n"}), one thread will be picked from those in @{text "rest"} to take over @{text "cs"}.*}locale valid_trace_v_e = valid_trace_v + assumes rest_nil: "rest = []"locale valid_trace_v_n = valid_trace_v + assumes rest_nnl: "rest \<noteq> []"begintext {* The following @{text "taker"} is the thread to take over @{text "cs"}. *} definition "taker = hd wq'"endlocale valid_trace_set = valid_trace_e + fixes th prio assumes is_set: "e = Set th prio"context valid_tracebegintext {* Induction rule introduced to easy the derivation of properties for valid trace @{term "s"}. One more premises, namely @{term "valid_trace_e s e"} is added, so that an interpretation of @{text "valid_trace_e"} can be instantiated so that all properties derived so far becomes available in the proof of induction step. You will see its use in the proofs that follows.*}lemma ind [consumes 0, case_names Nil Cons, induct type]: assumes "PP []" and "(\<And>s e. valid_trace_e s e \<Longrightarrow> PP s \<Longrightarrow> PIP s e \<Longrightarrow> PP (e # s))" shows "PP s"proof(induct rule:vt.induct[OF vt, case_names Init Step]) case Init from assms(1) show ?case .next case (Step s e) show ?case proof(rule assms(2)) show "valid_trace_e s e" using Step by (unfold_locales, auto) next show "PP s" using Step by simp next show "PIP s e" using Step by simp qedqedlemma finite_threads: shows "finite (threads s)" using vt by (induct) (auto elim: step.cases)lemma finite_readys: "finite (readys s)" using finite_threads readys_threads rev_finite_subset by blastendsection {* Waiting queues are distinct *}text {* This section proves that every waiting queue in the system is distinct, given in lemma @{text wq_distinct}. The proof is split into the locales for events (or operations), all contain a lemma named @{text "wq_distinct_kept"} to show that the distinctiveness is preserved by the respective operation. All lemmas before are to facilitate the proof of @{text "wq_distinct_kept"}. The proof also demonstrates the common pattern to prove invariant properties over valid traces, i.e. to spread the invariant proof into locales and to assemble the results of all locales to complete the final proof.*}context valid_trace_createbeginlemma wq_kept [simp]: shows "wq (e#s) cs' = wq s cs'" unfolding is_create wq_def by (auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')" using assms by simpendcontext valid_trace_exitbeginlemma wq_kept [simp]: shows "wq (e#s) cs' = wq s cs'" unfolding is_exit wq_def by (auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')" using assms by simpendcontext valid_trace_p beginlemma wq_neq_simp [simp]: assumes "cs' \<noteq> cs" shows "wq (e#s) cs' = wq s cs'" using assms unfolding is_p wq_def by (auto simp:Let_def)lemma running_th_s: shows "th \<in> running s"proof - from pip_e[unfolded is_p] show ?thesis by (cases, simp)qedlemma th_not_in_wq: shows "th \<notin> set (wq s cs)"proof assume otherwise: "th \<in> set (wq s cs)" from running_wqE[OF running_th_s this] obtain rest where eq_wq: "wq s cs = th#rest" by blast with otherwise have "holding s th cs" unfolding s_holding_def by auto hence cs_th_RAG: "(Cs cs, Th th) \<in> RAG s" by (unfold s_RAG_def, fold s_holding_abv, auto) from pip_e[unfolded is_p] show False proof(cases) case (thread_P) with cs_th_RAG show ?thesis by auto qedqedlemma wq_es_cs: "wq (e#s) cs = wq s cs @ [th]" by (unfold is_p wq_def, auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')"proof(cases "cs' = cs") case True show ?thesis using True assms th_not_in_wq by (unfold True wq_es_cs, auto)qed (insert assms, simp)endcontext valid_trace_vbeginlemma wq_neq_simp [simp]: assumes "cs' \<noteq> cs" shows "wq (e#s) cs' = wq s cs'" using assms unfolding is_v wq_def by (auto simp:Let_def)lemma wq_s_cs: "wq s cs = th#rest"proof - from pip_e[unfolded is_v] show ?thesis proof(cases) case (thread_V) from this(2) show ?thesis unfolding s_holding_def by (metis empty_iff empty_set hd_Cons_tl rest_def) qedqedlemma wq_es_cs: "wq (e#s) cs = wq'" using wq_s_cs[unfolded wq_def] by (auto simp:Let_def wq_def rest_def wq'_def is_v, simp) lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')"proof(cases "cs' = cs") case True show ?thesis proof(unfold True wq_es_cs wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" using assms[unfolded True wq_s_cs] by auto qed simpqed (insert assms, simp)endcontext valid_trace_setbeginlemma wq_kept [simp]: shows "wq (e#s) cs' = wq s cs'" unfolding is_set wq_def by (auto simp:Let_def)lemma wq_distinct_kept: assumes "distinct (wq s cs')" shows "distinct (wq (e#s) cs')" using assms by simpendcontext valid_tracebegintext {* The proof of @{text "wq_distinct"} shows how the results proved in the foregoing locales are assembled in a overall structure of induction and case analysis to get the final conclusion. This scheme will be used repeatedly in the following.*}lemma wq_distinct: "distinct (wq s cs)"proof(induct rule:ind) case (Cons s e) interpret vt_e: valid_trace_e s e using Cons by simp show ?case proof(cases e) case (Create th prio) interpret vt_create: valid_trace_create s e th prio using Create by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_create.wq_distinct_kept) next case (Exit th) interpret vt_exit: valid_trace_exit s e th using Exit by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_exit.wq_distinct_kept) next case (P th cs) interpret vt_p: valid_trace_p s e th cs using P by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_p.wq_distinct_kept) next case (V th cs) interpret vt_v: valid_trace_v s e th cs using V by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_v.wq_distinct_kept) next case (Set th prio) interpret vt_set: valid_trace_set s e th prio using Set by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_set.wq_distinct_kept) qedqed (unfold wq_def Let_def, simp)endsection {* Waiting queues and threads *}text {* This section shows that all threads withing waiting queues are in the @{term threads}-set. In other words, @{term threads} covers all the threads in waiting queue. The proof follows the same pattern as @{thm valid_trace.wq_distinct}. The desired property is shown to be kept by all operations (or events) in their respective locales, and finally the main lemmas is derived by assembling the invariant keeping results of the locales. *}context valid_trace_createbeginlemma th_not_in_threads: "th \<notin> threads s"proof - from pip_e[unfolded is_create] show ?thesis by (cases, simp)qedlemma threads_es [simp]: "threads (e#s) = threads s \<union> {th}" by (unfold is_create, simp)lemma wq_threads_kept: assumes "\<And> th' cs'. th' \<in> set (wq s cs') \<Longrightarrow> th' \<in> threads s" and "th' \<in> set (wq (e#s) cs')" shows "th' \<in> threads (e#s)"proof - have "th' \<in> threads s" proof - from assms(2)[unfolded wq_kept] have "th' \<in> set (wq s cs')" . from assms(1)[OF this] show ?thesis . qed with threads_es show ?thesis by simpqedendcontext valid_trace_exitbeginlemma threads_es [simp]: "threads (e#s) = threads s - {th}" by (unfold is_exit, simp)lemma th_not_in_wq: "th \<notin> set (wq s cs)"proof - from pip_e[unfolded is_exit] show ?thesis apply(cases) unfolding holdents_def s_holding_def by (metis (mono_tags, lifting) empty_iff list.sel(1) mem_Collect_eq running_wqE)qedlemma wq_threads_kept: assumes "\<And> th' cs'. th' \<in> set (wq s cs') \<Longrightarrow> th' \<in> threads s" and "th' \<in> set (wq (e#s) cs')" shows "th' \<in> threads (e#s)"proof - have "th' \<in> threads s" proof - from assms(2)[unfolded wq_kept] have "th' \<in> set (wq s cs')" . from assms(1)[OF this] show ?thesis . qed moreover have "th' \<noteq> th" proof assume otherwise: "th' = th" from assms(2)[unfolded wq_kept] have "th' \<in> set (wq s cs')" . with th_not_in_wq[folded otherwise] show False by simp qed ultimately show ?thesis by (unfold threads_es, simp)qedendcontext valid_trace_vbeginlemma threads_es [simp]: "threads (e#s) = threads s" by (unfold is_v, simp)lemma th_not_in_rest: "th \<notin> set rest"proof assume otherwise: "th \<in> set rest" have "distinct (wq s cs)" by (simp add: wq_distinct) from this[unfolded wq_s_cs] and otherwise show False by autoqedlemma distinct_rest: "distinct rest" by (simp add: distinct_tl rest_def wq_distinct)lemma set_wq_es_cs [simp]: "set (wq (e#s) cs) = set (wq s cs) - {th}"proof(unfold wq_es_cs wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest) next fix x assume "distinct x \<and> set x = set rest" thus "set x = set (wq s cs) - {th}" by (unfold wq_s_cs, simp add:th_not_in_rest)qedlemma wq_threads_kept: assumes "\<And> th' cs'. th' \<in> set (wq s cs') \<Longrightarrow> th' \<in> threads s" and "th' \<in> set (wq (e#s) cs')" shows "th' \<in> threads (e#s)"proof(cases "cs' = cs") case True have " th' \<in> threads s" proof - from assms(2)[unfolded True set_wq_es_cs] have "th' \<in> set (wq s cs) - {th}" . hence "th' \<in> set (wq s cs)" by simp from assms(1)[OF this] show ?thesis . qed with threads_es show ?thesis by simpnext case False have "th' \<in> threads s" proof - from wq_neq_simp[OF False] have "wq (e # s) cs' = wq s cs'" . from assms(2)[unfolded this] have "th' \<in> set (wq s cs')" . from assms(1)[OF this] show ?thesis . qed with threads_es show ?thesis by simpqedendcontext valid_trace_pbeginlemma threads_es [simp]: "threads (e#s) = threads s" by (unfold is_p, simp)lemma ready_th_s: "th \<in> readys s" using running_th_s by (unfold running_def, auto)lemma live_th_s: "th \<in> threads s" using readys_threads ready_th_s by autolemma wq_threads_kept: assumes "\<And> th' cs'. th' \<in> set (wq s cs') \<Longrightarrow> th' \<in> threads s" and "th' \<in> set (wq (e#s) cs')" shows "th' \<in> threads (e#s)"proof(cases "cs' = cs") case True from assms(2)[unfolded True wq_es_cs] have "th' \<in> set (wq s cs) \<or> th' = th" by auto thus ?thesis proof assume "th' \<in> set (wq s cs)" from assms(1)[OF this] have "th' \<in> threads s" . with threads_es show ?thesis by simp next assume "th' = th" with live_th_s have "th' \<in> threads s" by simp with threads_es show ?thesis by simp qednext case False have "th' \<in> threads s" proof - from wq_neq_simp[OF False] have "wq (e # s) cs' = wq s cs'" . from assms(2)[unfolded this] have "th' \<in> set (wq s cs')" . from assms(1)[OF this] show ?thesis . qed with threads_es show ?thesis by simpqedendcontext valid_trace_setbeginlemma threads_kept[simp]: "threads (e#s) = threads s" by (unfold is_set, simp)lemma wq_threads_kept: assumes "\<And> th' cs'. th' \<in> set (wq s cs') \<Longrightarrow> th' \<in> threads s" and "th' \<in> set (wq (e#s) cs')" shows "th' \<in> threads (e#s)"proof - have "th' \<in> threads s" using assms(1)[OF assms(2)[unfolded wq_kept]] . with threads_kept show ?thesis by simpqedendcontext valid_tracebegintext {* The is the main lemma of this section, which is derived by induction, case analysis on event @{text e} and assembling the @{text "wq_threads_kept"}-results of all possible cases of @{text "e"}.*}lemma wq_threads: assumes "th \<in> set (wq s cs)" shows "th \<in> threads s" using assmsproof(induct arbitrary:th cs rule:ind) case (Nil) thus ?case by (auto simp:wq_def)next case (Cons s e) interpret vt_e: valid_trace_e s e using Cons by simp show ?case proof(cases e) case (Create th' prio') interpret vt: valid_trace_create s e th' prio' using Create by (unfold_locales, simp) show ?thesis using vt.wq_threads_kept Cons by auto next case (Exit th') interpret vt: valid_trace_exit s e th' using Exit by (unfold_locales, simp) show ?thesis using vt.wq_threads_kept Cons by auto next case (P th' cs') interpret vt: valid_trace_p s e th' cs' using P by (unfold_locales, simp) show ?thesis using vt.wq_threads_kept Cons by auto next case (V th' cs') interpret vt: valid_trace_v s e th' cs' using V by (unfold_locales, simp) show ?thesis using vt.wq_threads_kept Cons by auto next case (Set th' prio) interpret vt: valid_trace_set s e th' prio using Set by (unfold_locales, simp) show ?thesis using vt.wq_threads_kept Cons by auto qedqed subsection {* RAG and threads *}text {* As corollaries of @{thm wq_threads}, it is shown in this subsection that the fields (including both domain and range) of @{term RAG} are covered by @{term threads}.*}lemma dm_RAG_threads: assumes in_dom: "(Th th) \<in> Domain (RAG s)" shows "th \<in> threads s"proof - from in_dom obtain n where "(Th th, n) \<in> RAG s" by auto moreover then obtain cs where "n = Cs cs" by (unfold s_RAG_def, auto) ultimately have "(Th th, Cs cs) \<in> RAG s" by simp then have "th \<in> set (wq s cs)" using in_RAG_E s_waiting_def wq_def by auto then show ?thesis using wq_threads by simpqedlemma dm_tG_threads: assumes "th \<in> Domain (tG s)" shows "th \<in> threads s"proof - from assms[unfolded tG_alt_def] have "(Th th) \<in> Domain (RAG s)" by (unfold Domain_def, auto) from dm_RAG_threads[OF this] show ?thesis .qedlemma rg_RAG_threads: assumes "(Th th) \<in> Range (RAG s)" shows "th \<in> threads s" using assms apply(erule_tac RangeE) apply(erule_tac in_RAG_E) apply(auto) using s_holding_def wq_def wq_threads by autolemma rg_tG_threads: assumes "th \<in> Range (tG s)" shows "th \<in> threads s"proof - from assms[unfolded tG_alt_def] have "(Th th) \<in> Range (RAG s)" by (unfold Range_def, auto) from rg_RAG_threads[OF this] show ?thesis .qedlemma RAG_threads: assumes "(Th th) \<in> Field (RAG s)" shows "th \<in> threads s" using assms by (metis Field_def UnE dm_RAG_threads rg_RAG_threads)lemma tG_threads: assumes "th \<in> Field (tG s)" shows "th \<in> threads s" using assms by (metis Field_def UnE dm_tG_threads rg_tG_threads)lemma not_in_thread_isolated: assumes "th \<notin> threads s" shows "(Th th) \<notin> Field (RAG s)" using RAG_threads assms by autolemma not_in_thread_isolated_tG: assumes "th \<notin> threads s" shows "th \<notin> Field (tG s)" using assms using tG_threads by autotext {* As a corollary, this lemma shows that @{term tRAG} is also covered by the @{term threads}-set.*}lemma subtree_tRAG_thread: assumes "th \<in> threads s" shows "subtree (tRAG s) (Th th) \<subseteq> Th ` threads s" (is "?L \<subseteq> ?R")proof - have "?L = {Th th' |th'. Th th' \<in> subtree (RAG s) (Th th)}" by (unfold tRAG_subtree_eq, simp) also have "... \<subseteq> ?R" proof fix x assume "x \<in> {Th th' |th'. Th th' \<in> subtree (RAG s) (Th th)}" then obtain th' where h: "x = Th th'" "Th th' \<in> subtree (RAG s) (Th th)" by auto from this(2) show "x \<in> ?R" proof(cases rule:subtreeE) case 1 thus ?thesis by (simp add: assms h(1)) next case 2 thus ?thesis by (metis ancestors_Field dm_RAG_threads h(1) image_eqI) qed qed finally show ?thesis .qedlemma subtree_tG_thread: assumes "th \<in> threads s" shows "subtree (tG s) th \<subseteq> threads s" (is "?L \<subseteq> ?R")proof - from subtree_tRAG_thread[OF assms] have "subtree (tRAG s) (Th th) \<subseteq> Th ` threads s" . from this[unfolded subtree_tRAG_tG] have " Th ` subtree (tG s) th \<subseteq> Th ` threads s" . thus ?thesis by autoqedendsection {* The formation of @{term RAG} *}text {* The whole of PIP resides on the understanding of the formation of @{term RAG}. We are going to show that @{term RAG} forms a finite branching forest. The formalization is divided into a series of subsections.*}subsection {* The change of @{term RAG} with each step of execution *}text {* The very essence to prove that @{term RAG} has a certain property is to show that this property is preserved as an invariant by the execution of the system, and the basis for such kind of invariant proofs is to show how @{term RAG} is changed with the execution of every execution step (or event, or system operation). In this subsection, the effect of every event on @{text RAG} is derived in its respective locale named @{text "RAG_es"} with all lemmas before auxiliary. These derived @{text "RAG_es"}s constitute the foundation to show the various well-formed properties of @{term RAG}, for example, @{term RAG} is finite, acyclic, and single-valued, etc.*}text {* The following three lemmas show that @{text "RAG"} does not change by the happening of @{text "Set"}, @{text "Create"} and @{text "Exit"} events, respectively.*}lemma (in valid_trace_set) RAG_es [simp]: "(RAG (e # s)) = RAG s" by (unfold is_set s_RAG_def s_waiting_def wq_def, simp add:Let_def)lemma (in valid_trace_create) RAG_es [simp]: "(RAG (e # s)) = RAG s" by (unfold is_create s_RAG_def s_waiting_def wq_def, simp add:Let_def)lemma (in valid_trace_exit) RAG_es[simp]: "(RAG (e # s)) = RAG s" by (unfold is_exit s_RAG_def s_waiting_def wq_def, simp add:Let_def)context valid_trace_vbeginlemma holding_cs_eq_th: assumes "holding s t cs" shows "t = th"proof - from pip_e[unfolded is_v] show ?thesis proof(cases) case (thread_V) from held_unique[OF this(2) assms] show ?thesis by simp qedqedlemma distinct_wq': "distinct wq'" by (metis (mono_tags, lifting) distinct_rest some_eq_ex wq'_def)lemma set_wq': "set wq' = set rest" by (metis (mono_tags, lifting) distinct_rest some_eq_ex wq'_def)lemma th'_in_inv: assumes "th' \<in> set wq'" shows "th' \<in> set rest" using assms set_wq' by simplemma running_th_s: shows "th \<in> running s"proof - from pip_e[unfolded is_v] show ?thesis by (cases, simp)qedlemma neq_t_th: assumes "waiting (e#s) t c" shows "t \<noteq> th"proof assume otherwise: "t = th" show False proof(cases "c = cs") case True have "t \<in> set wq'" using assms[unfolded True s_waiting_def, folded wq_def, unfolded wq_es_cs] by simp from th'_in_inv[OF this] have "t \<in> set rest" . with wq_s_cs[folded otherwise] wq_distinct[of cs] show ?thesis by simp next case False have "wq (e#s) c = wq s c" using False by simp hence "waiting s t c" using assms by (simp add: s_waiting_def wq_def) hence "t \<notin> readys s" by (unfold readys_def, auto) hence "t \<notin> running s" using running_ready by auto with running_th_s[folded otherwise] show ?thesis by auto qedqedlemma waiting_esI1: assumes "waiting s t c" and "c \<noteq> cs" shows "waiting (e#s) t c" proof - have "wq (e#s) c = wq s c" using assms(2) by auto with assms(1) show ?thesis by (simp add: s_waiting_def wq_def) qedlemma holding_esI2: assumes "c \<noteq> cs" and "holding s t c" shows "holding (e#s) t c"proof - from assms(1) have "wq (e#s) c = wq s c" by auto from assms(2)[unfolded s_holding_def, folded wq_def, folded this, folded s_holding_def] show ?thesis .qedlemma holding_esI1: assumes "holding s t c" and "t \<noteq> th" shows "holding (e#s) t c"proof - have "c \<noteq> cs" using assms using holding_cs_eq_th by blast from holding_esI2[OF this assms(1)] show ?thesis .qedendcontext valid_trace_v_nbeginlemma neq_wq': "wq' \<noteq> []" proof (unfold wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest) next fix x assume " distinct x \<and> set x = set rest" thus "x \<noteq> []" using rest_nnl by autoqed lemma eq_wq': "wq' = taker # rest'" by (simp add: neq_wq' rest'_def taker_def)lemma next_th_taker: shows "next_th s th cs taker" using rest_nnl taker_def wq'_def wq_s_cs by (auto simp:next_th_def)lemma taker_unique: assumes "next_th s th cs taker'" shows "taker' = taker"proof - from assms obtain rest' where h: "wq s cs = th # rest'" "taker' = hd (SOME q. distinct q \<and> set q = set rest')" by (unfold next_th_def, auto) with wq_s_cs have "rest' = rest" by auto thus ?thesis using h(2) taker_def wq'_def by auto qedlemma waiting_set_eq: "{(Th th', Cs cs) |th'. next_th s th cs th'} = {(Th taker, Cs cs)}" by (smt all_not_in_conv bot.extremum insertI1 insert_subset mem_Collect_eq next_th_taker subsetI subset_antisym taker_def taker_unique)lemma holding_set_eq: "{(Cs cs, Th th') |th'. next_th s th cs th'} = {(Cs cs, Th taker)}" using next_th_taker taker_def waiting_set_eq by fastforcelemma holding_taker: shows "holding (e#s) taker cs" by (unfold s_holding_def, unfold wq_es_cs, auto simp:neq_wq' taker_def)lemma waiting_esI2: assumes "waiting s t cs" and "t \<noteq> taker" shows "waiting (e#s) t cs" proof - have "t \<in> set wq'" proof(unfold wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest) next fix x assume "distinct x \<and> set x = set rest" moreover have "t \<in> set rest" using assms(1) s_waiting_def set_ConsD wq_def wq_s_cs by auto ultimately show "t \<in> set x" by simp qed moreover have "t \<noteq> hd wq'" using assms(2) taker_def by auto ultimately show ?thesis by (unfold s_waiting_def, fold wq_def, unfold wq_es_cs, simp)qedlemma waiting_esE: assumes "waiting (e#s) t c" obtains "c \<noteq> cs" "waiting s t c" | "c = cs" "t \<noteq> taker" "waiting s t cs" "t \<in> set rest'"proof(cases "c = cs") case False hence "wq (e#s) c = wq s c" by auto with assms have "waiting s t c" by (simp add: s_waiting_def wq_def) from that(1)[OF False this] show ?thesis .next case True from assms[unfolded s_waiting_def True, folded wq_def, unfolded wq_es_cs] have "t \<noteq> hd wq'" "t \<in> set wq'" by auto hence "t \<noteq> taker" by (simp add: taker_def) moreover hence "t \<noteq> th" using assms neq_t_th by blast moreover have "t \<in> set rest" by (simp add: `t \<in> set wq'` th'_in_inv) ultimately have "waiting s t cs" by (metis list.sel(1) list.set_sel(2) list.simps(3) rest_def s_waiting_def wq_def wq_s_cs) show ?thesis using that(2) using True `t \<in> set wq'` `t \<noteq> taker` `waiting s t cs` eq_wq' by auto qedlemma holding_esI1: assumes "c = cs" and "t = taker" shows "holding (e#s) t c" by (unfold assms, simp add: holding_taker)lemma holding_esE: assumes "holding (e#s) t c" obtains "c = cs" "t = taker" | "c \<noteq> cs" "holding s t c"proof(cases "c = cs") case True from assms[unfolded True, unfolded s_holding_def, folded wq_def, unfolded wq_es_cs] have "t = taker" by (simp add: taker_def) from that(1)[OF True this] show ?thesis .next case False hence "wq (e#s) c = wq s c" by auto from assms[unfolded s_holding_def, folded wq_def, unfolded this, folded s_holding_def] have "holding s t c" . from that(2)[OF False this] show ?thesis .qedend context valid_trace_v_ebeginlemma nil_wq': "wq' = []" proof (unfold wq'_def, rule someI2) show "distinct rest \<and> set rest = set rest" by (simp add: distinct_rest) next fix x assume " distinct x \<and> set x = set rest" thus "x = []" using rest_nil by autoqed lemma no_taker: assumes "next_th s th cs taker" shows "False"proof - from assms[unfolded next_th_def] obtain rest' where "wq s cs = th # rest'" "rest' \<noteq> []" by auto thus ?thesis using rest_def rest_nil by auto qedlemma waiting_set_eq: "{(Th th', Cs cs) |th'. next_th s th cs th'} = {}" using no_taker by autolemma holding_set_eq: "{(Cs cs, Th th') |th'. next_th s th cs th'} = {}" using no_taker by autolemma no_holding: assumes "holding (e#s) taker cs" shows Falseproof - from wq_es_cs[unfolded nil_wq'] have " wq (e # s) cs = []" . from assms[unfolded s_holding_def, folded wq_def, unfolded this] show ?thesis by autoqedlemma no_waiter_before: "\<not> waiting s t cs"proof assume otherwise: "waiting s t cs" from this[unfolded s_waiting_def, folded wq_def, unfolded wq_s_cs rest_nil] show False by simpqedlemma no_waiter_after: assumes "waiting (e#s) t cs" shows Falseproof - from wq_es_cs[unfolded nil_wq'] have " wq (e # s) cs = []" . from assms[unfolded s_waiting_def, folded wq_def, unfolded this] show ?thesis by autoqedlemma waiting_esI2: assumes "waiting s t c" shows "waiting (e # s) t c"proof - have "c \<noteq> cs" using assms using no_waiter_before by blast from waiting_esI1[OF assms this] show ?thesis .qedlemma waiting_esE: assumes "waiting (e#s) t c" obtains "c \<noteq> cs" "waiting s t c"proof(cases "c = cs") case False hence "wq (e#s) c = wq s c" by auto with assms have "waiting s t c" by (simp add: s_waiting_def wq_def) from that(1)[OF False this] show ?thesis .next case True from no_waiter_after[OF assms[unfolded True]] show ?thesis by autoqedlemma holding_esE: assumes "holding (e#s) t c" obtains "c \<noteq> cs" "holding s t c"proof(cases "c = cs") case True from no_holding[OF assms[unfolded True]] show ?thesis by autonext case False hence "wq (e#s) c = wq s c" by auto from assms[unfolded s_holding_def, folded wq_def, unfolded this, folded s_holding_def] have "holding s t c" . from that[OF False this] show ?thesis .qedend context valid_trace_vbeginlemma RAG_es: "RAG (e # s) = RAG s - {(Cs cs, Th th)} - {(Th th', Cs cs) |th'. next_th s th cs th'} \<union> {(Cs cs, Th th') |th'. next_th s th cs th'}" (is "?L = ?R")proof(rule rel_eqI) fix n1 n2 assume "(n1, n2) \<in> ?L" thus "(n1, n2) \<in> ?R" proof(cases rule:in_RAG_E) case (waiting th' cs') show ?thesis proof(cases "rest = []") case False interpret h_n: valid_trace_v_n s e th cs by (unfold_locales, insert False, simp) from waiting(3) show ?thesis proof(cases rule:h_n.waiting_esE) case 1 with waiting(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold s_waiting_abv, auto) next case 2 with waiting(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold s_waiting_abv, auto) qed next case True interpret h_e: valid_trace_v_e s e th cs by (unfold_locales, insert True, simp) from waiting(3) show ?thesis proof(cases rule:h_e.waiting_esE) case 1 with waiting(1,2) show ?thesis by (unfold h_e.waiting_set_eq h_e.holding_set_eq s_RAG_def, fold s_waiting_abv, auto) qed qed next case (holding th' cs') show ?thesis proof(cases "rest = []") case False interpret h_n: valid_trace_v_n s e th cs by (unfold_locales, insert False, simp) from holding(3) show ?thesis proof(cases rule:h_n.holding_esE) case 1 with holding(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold s_waiting_abv, auto) next case 2 with holding(1,2) show ?thesis by (unfold h_n.waiting_set_eq h_n.holding_set_eq s_RAG_def, fold s_holding_abv, auto) qed next case True interpret h_e: valid_trace_v_e s e th cs by (unfold_locales, insert True, simp) from holding(3) show ?thesis proof(cases rule:h_e.holding_esE) case 1 with holding(1,2) show ?thesis by (unfold h_e.waiting_set_eq h_e.holding_set_eq s_RAG_def, fold s_holding_abv, auto) qed qed qednext fix n1 n2 assume h: "(n1, n2) \<in> ?R" show "(n1, n2) \<in> ?L" proof(cases "rest = []") case False interpret h_n: valid_trace_v_n s e th cs by (unfold_locales, insert False, simp) from h[unfolded h_n.waiting_set_eq h_n.holding_set_eq] have "((n1, n2) \<in> RAG s \<and> (n1 \<noteq> Cs cs \<or> n2 \<noteq> Th th) \<and> (n1 \<noteq> Th h_n.taker \<or> n2 \<noteq> Cs cs)) \<or> (n2 = Th h_n.taker \<and> n1 = Cs cs)" by auto thus ?thesis proof assume "n2 = Th h_n.taker \<and> n1 = Cs cs" with h_n.holding_taker show ?thesis by (unfold s_RAG_def, fold s_holding_abv, auto) next assume h: "(n1, n2) \<in> RAG s \<and> (n1 \<noteq> Cs cs \<or> n2 \<noteq> Th th) \<and> (n1 \<noteq> Th h_n.taker \<or> n2 \<noteq> Cs cs)" hence "(n1, n2) \<in> RAG s" by simp thus ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from h and this(1,2) have "th' \<noteq> h_n.taker \<or> cs' \<noteq> cs" by auto hence "waiting (e#s) th' cs'" proof assume "cs' \<noteq> cs" from waiting_esI1[OF waiting(3) this] show ?thesis . next assume neq_th': "th' \<noteq> h_n.taker" show ?thesis proof(cases "cs' = cs") case False from waiting_esI1[OF waiting(3) this] show ?thesis . next case True from h_n.waiting_esI2[OF waiting(3)[unfolded True] neq_th', folded True] show ?thesis . qed qed thus ?thesis using waiting(1,2) by (unfold s_RAG_def, fold s_waiting_abv, auto) next case (holding th' cs') from h this(1,2) have "cs' \<noteq> cs \<or> th' \<noteq> th" by auto hence "holding (e#s) th' cs'" proof assume "cs' \<noteq> cs" from holding_esI2[OF this holding(3)] show ?thesis . next assume "th' \<noteq> th" from holding_esI1[OF holding(3) this] show ?thesis . qed thus ?thesis using holding(1,2) by (unfold s_RAG_def, fold s_holding_abv, auto) qed qed next case True interpret h_e: valid_trace_v_e s e th cs by (unfold_locales, insert True, simp) from h[unfolded h_e.waiting_set_eq h_e.holding_set_eq] have h_s: "(n1, n2) \<in> RAG s" "(n1, n2) \<noteq> (Cs cs, Th th)" by auto from h_s(1) show ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from h_e.waiting_esI2[OF this(3)] show ?thesis using waiting(1,2) by (unfold s_RAG_def, fold s_waiting_abv, auto) next case (holding th' cs') with h_s(2) have "cs' \<noteq> cs \<or> th' \<noteq> th" by auto thus ?thesis proof assume neq_cs: "cs' \<noteq> cs" from holding_esI2[OF this holding(3)] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold s_holding_abv, auto) next assume "th' \<noteq> th" from holding_esI1[OF holding(3) this] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold s_holding_abv, auto) qed qed qedqedendcontext valid_trace_pbeginlemma waiting_kept: assumes "waiting s th' cs'" shows "waiting (e#s) th' cs'" using assms by (metis butlast_snoc distinct.simps(2) distinct_singleton hd_append2 in_set_butlastD s_waiting_def wq_def wq_es_cs wq_neq_simp)lemma holding_kept: assumes "holding s th' cs'" shows "holding (e#s) th' cs'"proof(cases "cs' = cs") case False hence "wq (e#s) cs' = wq s cs'" by simp with assms show ?thesis unfolding holding_raw_def s_holding_abv by auto next case True from assms[unfolded s_holding_def, folded wq_def] obtain rest where eq_wq: "wq s cs' = th'#rest" by (metis empty_iff list.collapse list.set(1)) hence "wq (e#s) cs' = th'#(rest@[th])" by (simp add: True wq_es_cs) thus ?thesis by (simp add: holding_raw_def s_holding_abv) qedend lemma (in valid_trace_p) th_not_waiting: "\<not> waiting s th c"proof - have "th \<in> readys s" using running_ready running_th_s by blast thus ?thesis by (unfold readys_def, auto)qedcontext valid_trace_p_hbeginlemma wq_es_cs': "wq (e#s) cs = [th]" using wq_es_cs[unfolded we] by simplemma holding_es_th_cs: shows "holding (e#s) th cs"proof - from wq_es_cs' have "th \<in> set (wq (e#s) cs)" "th = hd (wq (e#s) cs)" by auto thus ?thesis unfolding holding_raw_def s_holding_abv by blast qedlemma RAG_edge: "(Cs cs, Th th) \<in> RAG (e#s)" by (unfold s_RAG_def, fold s_holding_abv, insert holding_es_th_cs, auto)lemma waiting_esE: assumes "waiting (e#s) th' cs'" obtains "waiting s th' cs'" using assms by (metis empty_iff list.sel(1) list.set(1) s_waiting_def set_ConsD wq_def wq_es_cs' wq_neq_simp)lemma holding_esE: assumes "holding (e#s) th' cs'" obtains "cs' \<noteq> cs" "holding s th' cs'" | "cs' = cs" "th' = th"proof(cases "cs' = cs") case True from held_unique[OF holding_es_th_cs assms[unfolded True]] have "th' = th" by simp from that(2)[OF True this] show ?thesis .next case False have "holding s th' cs'" using assms using False unfolding holding_raw_def s_holding_abv by auto from that(1)[OF False this] show ?thesis .qedlemma RAG_es: "RAG (e # s) = RAG s \<union> {(Cs cs, Th th)}" (is "?L = ?R")proof(rule rel_eqI) fix n1 n2 assume "(n1, n2) \<in> ?L" thus "(n1, n2) \<in> ?R" proof(cases rule:in_RAG_E) case (waiting th' cs') from this(3) show ?thesis proof(cases rule:waiting_esE) case 1 thus ?thesis using waiting(1,2) by (unfold s_RAG_def, fold s_waiting_abv, auto) qed next case (holding th' cs') from this(3) show ?thesis proof(cases rule:holding_esE) case 1 with holding(1,2) show ?thesis by (unfold s_RAG_def, fold s_holding_abv, auto) next case 2 with holding(1,2) show ?thesis by auto qed qednext fix n1 n2 assume "(n1, n2) \<in> ?R" hence "(n1, n2) \<in> RAG s \<or> (n1 = Cs cs \<and> n2 = Th th)" by auto thus "(n1, n2) \<in> ?L" proof assume "(n1, n2) \<in> RAG s" thus ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from waiting_kept[OF this(3)] show ?thesis using waiting(1,2) by (unfold s_RAG_def, fold s_waiting_abv, auto) next case (holding th' cs') from holding_kept[OF this(3)] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold s_holding_abv, auto) qed next assume "n1 = Cs cs \<and> n2 = Th th" with holding_es_th_cs show ?thesis by (unfold s_RAG_def, fold s_holding_abv, auto) qedqedendcontext valid_trace_p_wbeginlemma wq_s_cs: "wq s cs = holder#waiters" by (simp add: holder_def waiters_def wne)lemma wq_es_cs': "wq (e#s) cs = holder#waiters@[th]" by (simp add: wq_es_cs wq_s_cs)lemma waiting_es_th_cs: "waiting (e#s) th cs" using th_not_in_wq s_waiting_abv wq_es_cs' wq_s_cs using Un_iff list.sel(1) list.set_intros(1) s_waiting_def set_append wq_def wq_es_cs by autolemma RAG_edge: "(Th th, Cs cs) \<in> RAG (e#s)" by (unfold s_RAG_def, fold s_waiting_abv, insert waiting_es_th_cs, auto)lemma holding_esE: assumes "holding (e#s) th' cs'" obtains "holding s th' cs'" using assms proof(cases "cs' = cs") case False hence "wq (e#s) cs' = wq s cs'" by simp with assms show ?thesis using that using s_holding_def wq_def by autonext case True with assms show ?thesis using s_holding_def that wq_def wq_es_cs' wq_s_cs by autoqedlemma waiting_esE: assumes "waiting (e#s) th' cs'" obtains "th' \<noteq> th" "waiting s th' cs'" | "th' = th" "cs' = cs"proof(cases "waiting s th' cs'") case True have "th' \<noteq> th" proof assume otherwise: "th' = th" from True[unfolded this] show False by (simp add: th_not_waiting) qed from that(1)[OF this True] show ?thesis .next case False hence "th' = th \<and> cs' = cs" by (metis assms hd_append2 insert_iff list.simps(15) rotate1.simps(2) s_waiting_def set_rotate1 wne wq_def wq_es_cs wq_neq_simp) with that(2) show ?thesis by metisqedlemma RAG_es: "RAG (e # s) = RAG s \<union> {(Th th, Cs cs)}" (is "?L = ?R")proof(rule rel_eqI) fix n1 n2 assume "(n1, n2) \<in> ?L" thus "(n1, n2) \<in> ?R" proof(cases rule:in_RAG_E) case (waiting th' cs') from this(3) show ?thesis proof(cases rule:waiting_esE) case 1 thus ?thesis using waiting(1,2) by (unfold s_RAG_def, fold s_waiting_abv, auto) next case 2 thus ?thesis using waiting(1,2) by auto qed next case (holding th' cs') from this(3) show ?thesis proof(cases rule:holding_esE) case 1 with holding(1,2) show ?thesis by (unfold s_RAG_def, fold s_holding_abv, auto) qed qednext fix n1 n2 assume "(n1, n2) \<in> ?R" hence "(n1, n2) \<in> RAG s \<or> (n1 = Th th \<and> n2 = Cs cs)" by auto thus "(n1, n2) \<in> ?L" proof assume "(n1, n2) \<in> RAG s" thus ?thesis proof(cases rule:in_RAG_E) case (waiting th' cs') from waiting_kept[OF this(3)] show ?thesis using waiting(1,2) by (unfold s_RAG_def, fold s_waiting_abv, auto) next case (holding th' cs') from holding_kept[OF this(3)] show ?thesis using holding(1,2) by (unfold s_RAG_def, fold s_holding_abv, auto) qed next assume "n1 = Th th \<and> n2 = Cs cs" thus ?thesis using RAG_edge by auto qedqedendcontext valid_trace_pbeginlemma RAG_es: "RAG (e # s) = (if (wq s cs = []) then RAG s \<union> {(Cs cs, Th th)} else RAG s \<union> {(Th th, Cs cs)})"proof(cases "wq s cs = []") case True interpret vt_p: valid_trace_p_h using True by (unfold_locales, simp) show ?thesis by (simp add: vt_p.RAG_es vt_p.we) next case False interpret vt_p: valid_trace_p_w using False by (unfold_locales, simp) show ?thesis by (simp add: vt_p.RAG_es vt_p.wne) qedendsubsection {* RAG is finite *}context valid_trace_vbeginlemma finite_RAG_kept: assumes "finite (RAG s)" shows "finite (RAG (e#s))"proof(cases "rest = []") case True interpret vt: valid_trace_v_e using True by (unfold_locales, simp) show ?thesis using assms by (unfold RAG_es vt.waiting_set_eq vt.holding_set_eq, simp)next case False interpret vt: valid_trace_v_n using False by (unfold_locales, simp) show ?thesis using assms by (unfold RAG_es vt.waiting_set_eq vt.holding_set_eq, simp)qedendcontext valid_tracebeginlemma finite_RAG: shows "finite (RAG s)"proof(induct rule:ind) case Nil show ?case by (auto simp: s_RAG_def waiting_raw_def holding_raw_def wq_def acyclic_def)next case (Cons s e) interpret vt_e: valid_trace_e s e using Cons by simp show ?case proof(cases e) case (Create th prio) interpret vt: valid_trace_create s e th prio using Create by (unfold_locales, simp) show ?thesis using Cons by simp next case (Exit th) interpret vt: valid_trace_exit s e th using Exit by (unfold_locales, simp) show ?thesis using Cons by simp next case (P th cs) interpret vt: valid_trace_p s e th cs using P by (unfold_locales, simp) show ?thesis using Cons using vt.RAG_es by auto next case (V th cs) interpret vt: valid_trace_v s e th cs using V by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt.finite_RAG_kept) next case (Set th prio) interpret vt: valid_trace_set s e th prio using Set by (unfold_locales, simp) show ?thesis using Cons by simp qedqedlemma finite_tRAG: "finite (tRAG s)"proof - from finite_RAG[unfolded RAG_split] have "finite (wRAG s)" "finite (hRAG s)" by auto from finite_relcomp[OF this] tRAG_def show ?thesis by simpqedfind_theorems inj finite "_ ` _"find_theorems tG tRAGthm tRAG_def_tGfind_theorems "finite (?f ` ?A)" "finite ?A"lemma finite_tG: "finite (tG s)"proof(rule finite_imageD) from finite_tRAG[unfolded tRAG_def_tG] show "finite (map_prod Th Th ` tG s)" .next show "inj_on (map_prod Th Th) (tG s)" using inj_on_def by fastforceqedendsubsection {* Uniqueness of waiting *}text {* {\em Uniqueness of waiting} means that a thread can only be blocked on one resource. This property is needed in order to prove that @{term RAG} is acyclic. Therefore, we need to prove it first in the following lemma @{text "waiting_unqiue"}, all lemmas before it are auxiliary. The property is expressed by the following predicate over system state (or event trace), which is also named @{text "waiting_unqiue"}.*}definition "waiting_unique (ss::state) = (\<forall> th cs1 cs2. waiting ss th cs1 \<longrightarrow> waiting ss th cs2 \<longrightarrow> cs1 = cs2)"text {* We are going to show (in the lemma named @{text waiting_unique}) that this property holds on any valid trace (or system state).*}text {* As a first step to prove lemma @{text "waiting_unqiue"}, we need to understand how a thread is get blocked. We show in the following lemmas (all named @{text "waiting_inv"}) that @{term P}-operation is the only cause. *}context valid_trace_createbeginlemma waiting_inv: assumes "\<not> waiting s th' cs'" and "waiting (e#s) th' cs'" shows "e = P th' cs'" using assms by (unfold s_waiting_def, fold wq_def, simp)endcontext valid_trace_setbeginlemma waiting_inv: assumes "\<not> waiting s th' cs'" and "waiting (e#s) th' cs'" shows "e = P th' cs'" using assms by (unfold s_waiting_def, fold wq_def, simp)endcontext valid_trace_exitbeginlemma waiting_inv: assumes "\<not> waiting s th' cs'" and "waiting (e#s) th' cs'" shows "e = P th' cs'" using assms by (unfold s_waiting_def, fold wq_def, simp)endcontext valid_trace_pbeginlemma waiting_inv: assumes "\<not> waiting s th' cs'" and "waiting (e#s) th' cs'" shows "e = P th' cs'"proof(cases "cs' = cs") case True moreover have "th' = th" proof(rule ccontr) assume otherwise: "th' \<noteq> th" have "waiting s th' cs'" proof - from assms(2)[unfolded True s_waiting_def, folded wq_def, unfolded wq_es_cs] have h: "th' \<in> set (wq s cs @ [th])" "th' \<noteq> hd (wq s cs @ [th])" by auto from h(1) and otherwise have "th' \<in> set (wq s cs)" by auto hence "wq s cs \<noteq> []" by auto hence "hd (wq s cs @ [th]) = hd (wq s cs)" by auto with h otherwise have "waiting s th' cs" by (unfold s_waiting_def, fold wq_def, auto) from this[folded True] show ?thesis . qed with assms(1) show False by simp qed ultimately show ?thesis using is_p by simpnext case False hence "wq (e#s) cs' = wq s cs'" by simp from assms[unfolded s_waiting_def, folded wq_def, unfolded this] show ?thesis by simpqedendcontext valid_trace_v_nbeginlemma waiting_inv: assumes "\<not> waiting s th' cs'" and "waiting (e#s) th' cs'" shows "e = P th' cs'"proof - from assms(2) show ?thesis by (cases rule:waiting_esE, insert assms, auto)qedendcontext valid_trace_v_ebeginlemma waiting_inv: assumes "\<not> waiting s th' cs'" and "waiting (e#s) th' cs'" shows "e = P th' cs'"proof - from assms(2) show ?thesis by (cases rule:waiting_esE, insert assms, auto)qedendcontext valid_trace_ebeginlemma waiting_inv: assumes "\<not> waiting s th cs" and "waiting (e#s) th cs" shows "e = P th cs"proof(cases e) case (Create th' prio') then interpret vt: valid_trace_create s e th' prio' by (unfold_locales, simp) show ?thesis using vt.waiting_inv[OF assms] by simpnext case (Exit th') then interpret vt: valid_trace_exit s e th' by (unfold_locales, simp) show ?thesis using vt.waiting_inv[OF assms] by simpnext case (Set th' prio') then interpret vt: valid_trace_set s e th' prio' by (unfold_locales, simp) show ?thesis using vt.waiting_inv[OF assms] by simpnext case (P th' cs') then interpret vt: valid_trace_p s e th' cs' by (unfold_locales, simp) show ?thesis using vt.waiting_inv[OF assms] by simpnext case (V th' cs') then interpret vt_e: valid_trace_v s e th' cs' by (unfold_locales, simp) show ?thesis proof(cases "vt_e.rest = []") case True then interpret vt: valid_trace_v_e s e th' cs' by (unfold_locales, simp) show ?thesis using vt.waiting_inv[OF assms] by simp next case False then interpret vt: valid_trace_v_n s e th' cs' by (unfold_locales, simp) show ?thesis using vt.waiting_inv[OF assms] by simp qedqedtext {* Now, with @{thm waiting_inv} in place, the following lemma shows the uniqueness of waiting is kept by every operation in the PIP protocol. This lemma constitutes the main part in the proof of lemma @{text "waiting_unique"}.*}lemma waiting_unique_kept: assumes "waiting_unique s" shows "waiting_unique (e#s)"proof - note h = assms[unfolded waiting_unique_def, rule_format] { fix th cs1 cs2 assume w1: "waiting (e#s) th cs1" and w2: "waiting (e#s) th cs2" have "cs1 = cs2" proof(rule ccontr) assume otherwise: "cs1 \<noteq> cs2" show False proof(cases "waiting s th cs1") case True from h[OF this] and otherwise have "\<not> waiting s th cs2" by auto from waiting_inv[OF this w2] have "e = P th cs2" . then interpret vt: valid_trace_p s e th cs2 by (unfold_locales, simp) from vt.th_not_waiting and True show ?thesis by simp next case False from waiting_inv[OF this w1] have "e = P th cs1" . then interpret vt: valid_trace_p s e th cs1 by (unfold_locales, simp) have "wq (e # s) cs2 = wq s cs2" using otherwise by simp from w2[unfolded s_waiting_def, folded wq_def, unfolded this] have "waiting s th cs2" by (unfold s_waiting_def, fold wq_def, simp) thus ?thesis by (simp add: vt.th_not_waiting) qed qed } thus ?thesis by (unfold waiting_unique_def, auto)qedendcontext valid_tracebegintext {* With @{thm valid_trace_e.waiting_unique_kept} in place, the proof of the following lemma @{text "waiting_unique"} needs only a very simple induction.*}lemma waiting_unique [unfolded waiting_unique_def, rule_format]: shows "waiting_unique s"proof(induct rule:ind) case Nil show ?case by (unfold waiting_unique_def s_waiting_def, simp)next case (Cons s e) then interpret vt: valid_trace_e s e by simp show ?case using Cons(2) vt.waiting_unique_kept by simpqedendsubsection {* Acyclic keeping *}text {* To prove that @{term RAG} is acyclic, we need to show the acyclic property is preserved by all system operations. There are only two non-trivial cases, the @{term P} and @{term V} operation, where are treated in the following locales, under the name @{text "acylic_RAG_kept"}:*}context valid_trace_v_ebegin lemma acylic_RAG_kept: assumes "acyclic (RAG s)" shows "acyclic (RAG (e#s))"proof(rule acyclic_subset[OF assms]) show "RAG (e # s) \<subseteq> RAG s" by (unfold RAG_es waiting_set_eq holding_set_eq, auto)qedendcontext valid_trace_v_nbegin lemma waiting_taker: "waiting s taker cs" apply (unfold s_waiting_def, fold wq_def, unfold wq_s_cs taker_def) using eq_wq' set_wq' th_not_in_rest by autolemma acylic_RAG_kept: assumes "acyclic (RAG s)" shows "acyclic (RAG (e#s))"proof - have "acyclic ((RAG s - {(Cs cs, Th th)} - {(Th taker, Cs cs)}) \<union> {(Cs cs, Th taker)})" (is "acyclic (?A \<union> _)") proof - from assms have "acyclic ?A" by (rule acyclic_subset, auto) moreover have "(Th taker, Cs cs) \<notin> ?A^*" proof assume otherwise: "(Th taker, Cs cs) \<in> ?A^*" hence "(Th taker, Cs cs) \<in> ?A^+" by (unfold rtrancl_eq_or_trancl, auto) from tranclD[OF this] obtain cs' where h: "(Th taker, Cs cs') \<in> ?A" "(Th taker, Cs cs') \<in> RAG s" by (unfold s_RAG_def, auto) from this(2) have "waiting s taker cs'" by (unfold s_RAG_def, fold s_waiting_abv, auto) from waiting_unique[OF this waiting_taker] have "cs' = cs" . from h(1)[unfolded this] show False by auto qed ultimately show ?thesis by auto qed thus ?thesis by (unfold RAG_es waiting_set_eq holding_set_eq, simp)qedendcontext valid_trace_p_hbeginlemma acylic_RAG_kept: assumes "acyclic (RAG s)" shows "acyclic (RAG (e#s))"proof - have "acyclic (RAG s \<union> {(Cs cs, Th th)})" (is "acyclic (?A \<union> _)") proof - from assms have "acyclic ?A" by (rule acyclic_subset, auto) moreover have "(Th th, Cs cs) \<notin> ?A^*" proof assume otherwise: "(Th th, Cs cs) \<in> ?A^*" hence "(Th th, Cs cs) \<in> ?A^+" by (unfold rtrancl_eq_or_trancl, auto) from tranclD[OF this] obtain cs' where h: "(Th th, Cs cs') \<in> RAG s" by (unfold s_RAG_def, auto) hence "waiting s th cs'" by (unfold s_RAG_def, fold s_waiting_abv, auto) with th_not_waiting show False by auto qed ultimately show ?thesis by auto qed thus ?thesis by (unfold RAG_es, simp)qedendcontext valid_trace_p_wbeginlemma acylic_RAG_kept: assumes "acyclic (RAG s)" shows "acyclic (RAG (e#s))"proof - have "acyclic (RAG s \<union> {(Th th, Cs cs)})" (is "acyclic (?A \<union> _)") proof - from assms have "acyclic ?A" by (rule acyclic_subset, auto) moreover have "(Cs cs, Th th) \<notin> ?A^*" proof assume otherwise: "(Cs cs, Th th) \<in> ?A^*" from pip_e[unfolded is_p] show False proof(cases) case (thread_P) moreover from otherwise have "(Cs cs, Th th) \<in> ?A^+" by (unfold rtrancl_eq_or_trancl, auto) ultimately show ?thesis by auto qed qed ultimately show ?thesis by auto qed thus ?thesis by (unfold RAG_es, simp)qedendsubsection {* RAG is acyclic *}context valid_tracebegintext {* With these @{text "acylic_RAG_kept"}-lemmas proved, the proof of the following @{text "acyclic_RAG"} is straight forward. *}lemma acyclic_RAG: shows "acyclic (RAG s)"proof(induct rule:ind) case Nil show ?case by (auto simp: s_RAG_def waiting_raw_def holding_raw_def wq_def acyclic_def)next case (Cons s e) interpret vt_e: valid_trace_e s e using Cons by simp show ?case proof(cases e) case (Create th prio) interpret vt: valid_trace_create s e th prio using Create by (unfold_locales, simp) show ?thesis using Cons by simp next case (Exit th) interpret vt: valid_trace_exit s e th using Exit by (unfold_locales, simp) show ?thesis using Cons by simp next case (P th cs) interpret vt: valid_trace_p s e th cs using P by (unfold_locales, simp) show ?thesis proof(cases "wq s cs = []") case True then interpret vt_h: valid_trace_p_h s e th cs by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_h.acylic_RAG_kept) next case False then interpret vt_w: valid_trace_p_w s e th cs by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_w.acylic_RAG_kept) qed next case (V th cs) interpret vt: valid_trace_v s e th cs using V by (unfold_locales, simp) show ?thesis proof(cases "vt.rest = []") case True then interpret vt_e: valid_trace_v_e s e th cs by (unfold_locales, simp) show ?thesis by (simp add: Cons.hyps(2) vt_e.acylic_RAG_kept) next case False then interpret vt_n: valid_trace_v_n s e th cs by (unfold_locales, simp) show ?thesis by (simp add: Cons.hyps(2) vt_n.acylic_RAG_kept) qed next case (Set th prio) interpret vt: valid_trace_set s e th prio using Set by (unfold_locales, simp) show ?thesis using Cons by simp qedqedendsubsection {* RAG is single-valued *}text {* The proof that @{term RAG} is single-valued makes use of @{text "unique_waiting"} and @{thm held_unique} and the proof itself is very simple:*}context valid_tracebeginlemma unique_RAG: "\<lbrakk>(n, n1) \<in> RAG s; (n, n2) \<in> RAG s\<rbrakk> \<Longrightarrow> n1 = n2" apply(unfold s_RAG_def, auto, fold s_waiting_abv s_holding_abv) by(auto elim:waiting_unique held_unique)lemma sgv_RAG: "single_valued (RAG s)" using unique_RAG by (auto simp:single_valued_def)endsubsection {* RAG is well-founded *}text {* In this section, it is proved that both @{term RAG} and its converse @{term "(RAG s)^-1"} are well-founded. The proof is very simple with the help of already proved fact that @{term RAG} is finite.*}context valid_tracebeginlemma wf_RAG: "wf (RAG s)"proof(rule finite_acyclic_wf) from finite_RAG show "finite (RAG s)" .next from acyclic_RAG show "acyclic (RAG s)" .qedlemma wf_RAG_converse: shows "wf ((RAG s)^-1)"proof(rule finite_acyclic_wf_converse) from finite_RAG show "finite (RAG s)" .next from acyclic_RAG show "acyclic (RAG s)" .qedendsubsection {* RAG forms a finite-branching forest (or tree) *}text {* With all the well-formedness proofs about @{term RAG} in place, it is easy to show.*}context valid_tracebeginlemma forest_RAG: "forest (RAG s)" using sgv_RAG acyclic_RAG by (unfold forest_def, auto)endsublocale valid_trace < forest_RAG?: forest "RAG s" using forest_RAG .sublocale valid_trace < fsbtRAGs?: fforest "RAG s"proof show "\<And>x. finite (children (RAG s) x)" by (smt Collect_empty_eq Range.intros children_def finite.emptyI finite_RAG finite_fbranchI) (*by (rule finite_fbranchI[OF finite_RAG])*)next show "wf (RAG s)" using wf_RAG .qedsubsection {* Derived properties for sub-graphs of RAG *}context valid_tracebeginlemma acyclic_tRAG: "acyclic (tRAG s)"proof(unfold tRAG_def, rule acyclic_compose) show "acyclic (RAG s)" using acyclic_RAG .next show "wRAG s \<subseteq> RAG s" unfolding RAG_split by autonext show "hRAG s \<subseteq> RAG s" unfolding RAG_split by autoqedlemma rel_map_alt_def: "rel_map f R = map_prod f f ` R" by (unfold rel_map_def pairself_def map_prod_def, auto)lemma acyclic_tG: "acyclic (tG s)"proof - have "acyclic (rel_map the_thread (tRAG s))" proof(rule rel_map_acyclic [OF acyclic_tRAG]) show "inj_on the_thread (Domain (tRAG s) \<union> Range (tRAG s))" by (unfold tRAG_alt_def Domain_def Range_def inj_on_def, auto) qed thus ?thesis by (unfold tG_def_tRAG, fold rel_map_alt_def, simp) qedlemma sgv_wRAG: "single_valued (wRAG s)" using waiting_unique by (unfold single_valued_def wRAG_def, auto)lemma sgv_hRAG: "single_valued (hRAG s)" using held_unique by (unfold single_valued_def hRAG_def, auto)lemma sgv_tRAG: "single_valued (tRAG s)" by (unfold tRAG_def, rule single_valued_relcomp, insert sgv_wRAG sgv_hRAG, auto)lemma sgv_tG: "single_valued (tG s)"proof - { fix x y z assume h: "(x, y) \<in> tG s" "(x, z) \<in> tG s" from tG_tRAG[OF h(1)] tG_tRAG[OF h(2)] have "(Th x, Th y) \<in> tRAG s" "(Th x, Th z) \<in> tRAG s" by auto from sgv_tRAG[unfolded single_valued_def, rule_format, OF this] have "y = z" by simp } thus ?thesis by (unfold single_valued_def, auto)qedendtext {* It can be shown that @{term tRAG} is also a finite-branch relational tree (or forest): *}sublocale valid_trace < forest_s?: forest "tRAG s"proof(unfold_locales) from sgv_tRAG show "single_valued (tRAG s)" .next from acyclic_tRAG show "acyclic (tRAG s)" .qedsublocale valid_trace < forest_s_tG?: forest "tG s"proof(unfold_locales) from sgv_tG show "single_valued (tG s)" .next from acyclic_tG show "acyclic (tG s)" .qedcontext valid_tracebeginlemma wf_tRAG: "wf (tRAG s)"proof(rule wf_subset) show "wf (RAG s O RAG s)" using wf_RAG by (fold wf_comp_self, simp)next show "tRAG s \<subseteq> (RAG s O RAG s)" by (unfold tRAG_alt_def, auto)qedlemma wf_tG: "wf (tG s)"proof(rule finite_acyclic_wf) from finite_tG show "finite (tG s)" .next from acyclic_tG show "acyclic (tG s)" .qedlemma finite_children_tRAG: "finite (children (tRAG s) x)" proof(unfold tRAG_def, rule fbranch_compose1[rule_format]) fix x show "finite (children (wRAG s) x)" proof(rule finite_fbranchI1[rule_format]) show "finite (wRAG s)" using finite_RAG[unfolded RAG_split] by auto qed next fix x show "finite (children (hRAG s) x)" proof(rule finite_fbranchI1[rule_format]) show "finite (hRAG s)" using finite_RAG[unfolded RAG_split] by auto qed qedlemma children_map_prod: assumes "inj f" shows " children (map_prod f f ` r) (f x) = f ` (children r x)" (is "?L = ?R")proof - { fix e assume "e \<in> ?L" then obtain e' x' where h: "e = f e'" "f x' = f x" "(e', x') \<in> r" by (auto simp:children_def) with assms[unfolded inj_on_def, rule_format] have eq_x': "x' = x" by auto with h have "e \<in> ?R" by (unfold children_def, auto) } moreover { fix e assume "e \<in> ?R" hence "e \<in> ?L" by (auto simp:children_def) } ultimately show ?thesis by autoqedlemma finite_children_tG: "finite (children (tG s) x)"proof - have "(children (tRAG s) (Th x)) = Th ` children (tG s) x" by (unfold tRAG_def_tG, subst children_map_prod, auto simp:inj_on_def) from finite_children_tRAG[of "Th x", unfolded this] have "finite (Th ` children (tG s) x)" . from finite_imageD[OF this] show ?thesis by (auto simp:inj_on_def)qedendsublocale valid_trace < fsbttRAGs?: fforest "tRAG s"proof fix x show "finite (children (tRAG s) x)" proof(unfold tRAG_def, rule fbranch_compose1[rule_format]) fix x show "finite (children (wRAG s) x)" proof(rule finite_fbranchI1[rule_format]) show "finite (wRAG s)" using finite_RAG[unfolded RAG_split] by auto qed next fix x show "finite (children (hRAG s) x)" proof(rule finite_fbranchI1[rule_format]) show "finite (hRAG s)" using finite_RAG[unfolded RAG_split] by auto qed qednext show "wf (tRAG s)" proof(rule wf_subset) show "wf (RAG s O RAG s)" using wf_RAG by (fold wf_comp_self, simp) next show "tRAG s \<subseteq> (RAG s O RAG s)" by (unfold tRAG_alt_def, auto) qedqedsublocale valid_trace < fsbttGs?: fforest "tG s"proof fix x show "finite (children (tG s) x)" by (simp add:finite_children_tG)next show "wf (tG s)" by (simp add:wf_tG)qedsection {* Chain to readys *}text {* In this section, based on the just derived properties about the shape of @{term RAG}, a more complete view of the relationship between threads is established.*}context valid_tracebegintext {* The first lemma is technical, which says out of any node in thedomain of @{term RAG} (no matter whether it is thread node or resourcenode), there is a path leading to a ready thread.*}lemma chain_building: assumes "node \<in> Domain (RAG s)" obtains th' where "th' \<in> readys s" "(node, Th th') \<in> (RAG s)^+"proof - from assms have "node \<in> Range ((RAG s)^-1)" by auto from wf_base[OF wf_RAG_converse this] obtain b where h_b: "(b, node) \<in> ((RAG s)\<inverse>)\<^sup>+" "\<forall>c. (c, b) \<notin> (RAG s)\<inverse>" by auto obtain th' where eq_b: "b = Th th'" proof(cases b) case (Cs cs) from h_b(1)[unfolded trancl_converse] have "(node, b) \<in> ((RAG s)\<^sup>+)" by auto from tranclE[OF this] obtain n where "(n, b) \<in> RAG s" by auto from this[unfolded Cs] obtain th1 where "waiting s th1 cs" by (unfold s_RAG_def, fold s_waiting_abv, auto) from waiting_holding[OF this] obtain th2 where "holding s th2 cs" . hence "(Cs cs, Th th2) \<in> RAG s" by (unfold s_RAG_def, fold s_holding_abv, auto) with h_b(2)[unfolded Cs, rule_format] have False by auto thus ?thesis by auto qed auto have "th' \<in> readys s" proof - from h_b(2)[unfolded eq_b] have "\<forall>cs. \<not> waiting s th' cs" by (unfold s_RAG_def, fold s_waiting_abv, auto) moreover have "th' \<in> threads s" proof(rule rg_RAG_threads) from tranclD[OF h_b(1), unfolded eq_b] obtain z where "(z, Th th') \<in> (RAG s)" by auto thus "Th th' \<in> Range (RAG s)" by auto qed ultimately show ?thesis by (auto simp:readys_def) qed moreover have "(node, Th th') \<in> (RAG s)^+" using h_b(1)[unfolded trancl_converse] eq_b by auto ultimately show ?thesis using that by metisqedtext {* \noindent The following lemma says for any living thread, either it is ready or there is a path in @{term RAG} leading from it to a ready thread. The lemma is proved easily by instantiating @{thm "chain_building"}.*} lemma th_chain_to_ready: assumes th_in: "th \<in> threads s" shows "th \<in> readys s \<or> (\<exists> th'. th' \<in> readys s \<and> (Th th, Th th') \<in> (RAG s)^+)"proof(cases "th \<in> readys s") case True thus ?thesis by autonext case False from False and th_in have "Th th \<in> Domain (RAG s)" by (auto simp: readys_def s_waiting_def s_RAG_def wq_def waiting_raw_def Domain_def) from chain_building [rule_format, OF this] show ?thesis by autoqedlemma th_chain_to_ready_tG: assumes th_in: "th \<in> threads s" shows "\<exists>th'\<in> nancestors (tG s) th. th' \<in> readys s"proof - from th_chain_to_ready[OF assms] show ?thesis proof assume "th \<in> readys s" thus ?thesis by (unfold nancestors_def, auto) next assume "\<exists>th'. th' \<in> readys s \<and> (Th th, Th th') \<in> (RAG s)\<^sup>+" then obtain th' where h: "th' \<in> readys s" "(Th th, Th th') \<in> (RAG s)\<^sup>+" by auto from h(2) tRAG_trancl_eq have "(Th th, Th th') \<in> (tRAG s)^+" by auto hence "(th, th') \<in> (tG s)^+" by (metis the_thread.simps trancl_tRAG_tG) with h(1) show ?thesis using ancestors_def mem_Collect_eq nancestors2 by fastforce qedqedtext {* The following lemma is a technical one to show that the set of threads in the subtree of any thread is finite.*}lemma finite_subtree_threads: "finite {th'. Th th' \<in> subtree (RAG s) (Th th)}" (is "finite ?A")proof - have "?A = the_thread ` {Th th' | th' . Th th' \<in> subtree (RAG s) (Th th)}" by (auto, insert image_iff, fastforce) moreover have "finite {Th th' | th' . Th th' \<in> subtree (RAG s) (Th th)}" (is "finite ?B") proof - have "?B = (subtree (RAG s) (Th th)) \<inter> {Th th' | th'. True}" by auto moreover have "... \<subseteq> (subtree (RAG s) (Th th))" by auto moreover have "finite ..." by (simp add: fsbtRAGs.finite_subtree) ultimately show ?thesis by auto qed ultimately show ?thesis by autoqed(* ccc *)lemma readys_no_tRAG_chain: assumes "th1 \<in> readys s" and "th2 \<in> readys s" and "th1 \<noteq> th2" shows "(Th th1, Th th2) \<notin> (tRAG s)^*"proof assume "(Th th1, Th th2) \<in> (tRAG s)\<^sup>*" from rtranclD[OF this] show False proof assume "Th th1 = Th th2" with assms show ?thesis by simp next assume "Th th1 \<noteq> Th th2 \<and> (Th th1, Th th2) \<in> (tRAG s)\<^sup>+" hence "(Th th1, Th th2) \<in> (tRAG s)\<^sup>+" by auto from tranclD[OF this] obtain cs where "(Th th1, Cs cs) \<in> RAG s" by (unfold tRAG_alt_def, auto) from in_RAG_E[OF this] have "th1 \<notin> readys s" by (unfold readys_def, auto) with assms show ?thesis by simp qedqedlemma root_readys: assumes "th \<in> readys s" shows "root (tRAG s) (Th th)"proof - { assume "\<not> root (tRAG s) (Th th)" then obtain n' where "(Th th, n') \<in> (tRAG s)^+" unfolding root_def ancestors_def by auto then obtain cs where "(Th th, Cs cs) \<in> RAG s" unfolding tRAG_alt_def using tranclD by fastforce then have "th \<notin> readys s" unfolding readys_def using in_RAG_E by blast with assms have False by simp } then show "root (tRAG s) (Th th)" by autoqedlemma root_readys_tG: assumes "th \<in> readys s" shows "root (tG s) th"proof - { assume "\<not> root (tG s) th" then obtain th' where "(th, th') \<in> (tG s)^+" unfolding root_def ancestors_def by auto then have "(Th th, Th th') \<in> (tRAG s)^+" using trancl_tG_tRAG by simp with root_readys assms have False unfolding root_def ancestors_def by auto } then show "root (tG s) th" by autoqed lemma readys_indep: assumes "th1 \<in> readys s" and "th2 \<in> readys s" and "th1 \<noteq> th2" shows "indep (tRAG s) (Th th1) (Th th2)" using assms readys_no_tRAG_chain unfolding indep_def by blastlemma readys_indep_tG: assumes "th1 \<in> readys s" and "th2 \<in> readys s" and "th1 \<noteq> th2" shows "indep (tG s) th1 th2" using assms unfolding indep_def using readys_no_tRAG_chain rtrancl_tG_tRAG by blasttext {* The following lemma @{text "thread_chain"} holds on any living thread, not necessarily a running one. *}lemma thread_chain: assumes "th \<in> threads s" obtains th' where "th' \<in> subtree (tG s) th" "th' \<in> threads s" "the_preced s th' = Max (the_preced s ` subtree (tG s) th)"proof - have "Max (the_preced s ` subtree (tG s) th) \<in> the_preced s ` subtree (tG s) th" proof(rule Max_in) show "finite (the_preced s ` subtree (tG s) th)" by (simp add: fsbttGs.finite_subtree) next show "the_preced s ` subtree (tG s) th \<noteq> {}" using subtree_def by fastforce qed then obtain th' where h: "th' \<in> subtree (tG s) th" "the_preced s th' = Max (the_preced s ` subtree (tG s) th)" by auto moreover have "th' \<in> threads s" proof - from assms have "th \<in> threads s" . from subtree_tG_thread[OF this] and h show ?thesis by auto qed ultimately show ?thesis using that by autoqedtext {* The following two lemmas shows there is at most one running thread in the system.*}lemma running_unique: assumes running_1: "th1 \<in> running s" and running_2: "th2 \<in> running s" shows "th1 = th2"proof - -- {* According to lemma @{thm thread_chain}, each live thread is chained to a thread in its subtree, who holds the highest precedence of the subtree. The chains for @{term th1} and @{term th2} are established first in the following in @{text "chain1"} and @{text "chain2"}. These chains start with the threads @{text "th1'"} and @{text "th2'"} respectively. *} have "th1 \<in> threads s" using assms by (unfold running_def readys_def, auto) with thread_chain obtain th1' where chain1: "th1' \<in> subtree (tG s) th1" "the_preced s th1' = Max (the_preced s ` subtree (tG s) th1)" "th1' \<in> threads s" by auto have "th2 \<in> threads s" using assms by (unfold running_def readys_def, auto) with thread_chain obtain th2' where chain2: "th2' \<in> subtree (tG s) th2" "the_preced s th2' = Max (the_preced s ` subtree (tG s) th2)" "th2' \<in> threads s" by auto -- {* From these two chains we can be prove that the threads @{term th1} and @{term th2} must be equal. For this we first show that the starting points of the chains are equal. *} have eq_th': "th1' = th2'" proof - -- {* from @{text th1} and @{text th2} running, we know their cp-value is the same *} from running_1 and running_2 have "cp s th1 = cp s th2" unfolding running_def by auto -- {* that means the preced of @{text th1'} and @{text th2'} must be the same *} then have eq_max: "Max (the_preced s ` subtree (tG s) th1) = Max (the_preced s ` subtree (tG s) th2)" unfolding cp_alt_def2 . with chain1(2) chain2(2) have "the_preced s th1' = the_preced s th2'" by simp -- {* since the precedences are the same, we can conclude that @{text th1'} and @{text th2'} are the same *} with preced_unique chain1(3) chain2(3) show "th1' = th2'" unfolding the_preced_def by auto qed moreover have "root (tG s) th1" "root (tG s) th2" using assms using assms root_readys_tG unfolding running_def by auto ultimately show "th1 = th2" using root_unique chain1(1) chain2(1) by fastforceqedlemma card_running: shows "card (running s) \<le> 1"proof(cases "running s = {}") case True thus ?thesis by autonext case False then obtain th where "th \<in> running s" by auto with running_unique have "running s = {th}" by auto thus ?thesis by autoqedtext {* The following two lemmas show that the set of living threads in the system can be partitioned into subtrees of those threads in the @{term readys} set. The first lemma @{text threads_alt_def} shows the union of these subtrees equals to the set of living threads and the second lemma @{text "readys_subtree_disjoint"} shows subtrees of different threads in @{term readys}-set are disjoint.*}lemma subtree_RAG_tG: shows "subtree (tG s) th = {th'. Th th' \<in> subtree (RAG s) (Th th)}" using subtree_tG_tRAG threads_set_eq by autolemma threads_alt_def: "threads s = (\<Union> th \<in> readys s. {th'. Th th' \<in> subtree (RAG s) (Th th)})" (is "?L = ?R")proof - { fix th1 assume "th1 \<in> ?L" from th_chain_to_ready[OF this] have "th1 \<in> readys s \<or> (\<exists>th'. th' \<in> readys s \<and> (Th th1, Th th') \<in> (RAG s)\<^sup>+)" . hence "th1 \<in> ?R" by (auto simp:subtree_def) } moreover { fix th' assume "th' \<in> ?R" then obtain th where h: "th \<in> readys s" " Th th' \<in> subtree (RAG s) (Th th)" by auto from this(2) have "th' \<in> ?L" proof(cases rule:subtreeE) case 1 with h(1) show ?thesis by (auto simp:readys_def) next case 2 from tranclD[OF this(2)[unfolded ancestors_def, simplified]] have "Th th' \<in> Domain (RAG s)" by auto from dm_RAG_threads[OF this] show ?thesis . qed } ultimately show ?thesis by autoqedlemma threads_alt_def1: shows "(threads s) = (\<Union> th \<in> readys s. subtree (tG s) th)"unfolding threads_alt_def subtree_RAG_tG ..lemma readys_subtree_disjoint: assumes "th1 \<in> readys s" and "th2 \<in> readys s" and "th1 \<noteq> th2" shows "subtree (RAG s) (Th th1) \<inter> subtree (RAG s) (Th th2) = {}"proof - { fix n assume "n \<in> subtree (RAG s) (Th th1) \<inter> subtree (RAG s) (Th th2)" hence "(n, Th th1) \<in> (RAG s)^*" "(n, Th th2) \<in> (RAG s)^*" by (auto simp:subtree_def) from star_rpath[OF this(1)] star_rpath[OF this(2)] obtain xs1 xs2 where "rpath (RAG s) n xs1 (Th th1)" "rpath (RAG s) n xs2 (Th th2)" by metis hence False proof(cases rule:forest_RAG.rpath_overlap') case (less_1 xs3) from rpath_star[OF this(3)] have "Th th1 \<in> subtree (RAG s) (Th th2)" by (auto simp:subtree_def) thus ?thesis proof(cases rule:subtreeE) case 1 with assms(3) show ?thesis by auto next case 2 hence "(Th th1, Th th2) \<in> (RAG s)^+" by (auto simp:ancestors_def) from tranclD[OF this] obtain z where "(Th th1, z) \<in> RAG s" by auto from this[unfolded s_RAG_def, folded wq_def] obtain cs' where "waiting s th1 cs'" by (auto simp:s_waiting_abv) with assms(1) show False by (auto simp:readys_def) qed next case (less_2 xs3) from rpath_star[OF this(3)] have "Th th2 \<in> subtree (RAG s) (Th th1)" by (auto simp:subtree_def) thus ?thesis proof(cases rule:subtreeE) case 1 with assms(3) show ?thesis by auto next case 2 hence "(Th th2, Th th1) \<in> (RAG s)^+" by (auto simp:ancestors_def) from tranclD[OF this] obtain z where "(Th th2, z) \<in> RAG s" by auto from this[unfolded s_RAG_def, folded wq_def] obtain cs' where "waiting s th2 cs'" by (auto simp:s_waiting_abv) with assms(2) show False by (auto simp:readys_def) qed qed } thus ?thesis by autoqedendsection {* Relating @{term cp} and @{term the_preced} and @{term preced} *}text {* @{term cp} of a thread is defined to be the maximum of the @{term preced}-values (precedences) of all threads in its subtree given by @{term RAG}. Therefore, there exits a relationship between @{term cp} and @{term preced} (and also its variation @{term "the_preced"}) to be explored, and this is the target of this section.*}context valid_tracebegintext {* Since @{term cp} is the maximum of all @{term preced}s in its subtree, which includes itself, it is not difficult to show that the one thread's precedence is less or equal to its @{text cp}-value:*}lemma le_cp: shows "preced th s \<le> cp s th" proof(unfold cp_alt_def, rule Max_ge) show "finite (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th)})" by (simp add: finite_subtree_threads) next show "preced th s \<in> the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th)}" by (simp add: subtree_def the_preced_def) qedtext {* Since @{term cp} is the maximum precedence of its subtree, and the subtree is only a subset of the set of all threads, it can be shown that @{text cp} is less or equal to the maximum of all threads:*}lemma cp_le: assumes th_in: "th \<in> threads s" shows "cp s th \<le> Max (the_preced s ` threads s)"proof(unfold cp_alt_def, rule Max_f_mono) show "finite (threads s)" by (simp add: finite_threads) next show " {th'. Th th' \<in> subtree (RAG s) (Th th)} \<noteq> {}" using subtree_def by fastforcenext show "{th'. Th th' \<in> subtree (RAG s) (Th th)} \<subseteq> threads s" using assms by (smt Domain.DomainI dm_RAG_threads mem_Collect_eq node.inject(1) rtranclD subsetI subtree_def trancl_domain) qedtext {* Since the @{term cp}-value of each individual thread is less or equal to the maximum precedence value of all threads (shown in lemma @{thm cp_le}), it is easy to derive further that maximum @{term "cp"}-value of all threads is also less or equal to the latter. On the other hand, since the precedence value of each individual thread is less of equal to its own @{term cp}-value (shown in lemma @{thm le_cp}), it is easy to show that the maximum of the former is less or equal to the maximum of the latter. By combining these two perspectives, we get the following equality between the two maximums:*}lemma max_cp_eq: shows "Max ((cp s) ` threads s) = Max (the_preced s ` threads s)" (is "?L = ?R")proof - have "?L \<le> ?R" proof(cases "threads s = {}") case False show ?thesis by (rule Max.boundedI, insert cp_le, auto simp:finite_threads False) qed auto moreover have "?R \<le> ?L" by (rule Max_fg_mono, simp add: finite_threads, simp add: le_cp the_preced_def) ultimately show ?thesis by autoqedtext {* (* ddd *) \noindent According to @{thm threads_alt_def} and @{thm readys_subtree_disjoint} , the set of @{term threads} can be partitioned into subtrees of the threads in @{term readys}, and also because @{term cp}-value of a thread is the maximum precedence of its own subtree, by applying the absorbing property of @{term Max} (lemma @{thm Max_UNION}) over the union of subtrees, the following equation can be derived:*}lemma cp_alt_def3: shows "cp s th = Max (preceds (subtree (tG s) th) s)"unfolding cp_alt_def2unfolding image_defunfolding the_preced_defby mesonlemma KK: shows "(\<Union>x\<in>C. B x) = (\<Union> {B x |x. x \<in> C})"by (simp_all add: Setcompr_eq_image)lemma Max_Segments: assumes "finite C" "\<forall>x\<in> C. finite (B x)" "\<forall>x\<in> C. B x \<noteq> {}" "{B x |x. x \<in> C} \<noteq> {}" shows "Max (\<Union>x \<in> C. B x) = Max {Max (B x) | x. x \<in> C}"using assmsapply(subst KK(1))apply(subst Max_Union)apply(auto)[3]apply(simp add: Setcompr_eq_image)apply(auto simp add: image_image)done lemma max_cp_readys_max_preced_tG: shows "Max (cp s ` readys s) = Max (preceds (threads s) s)" (is "?L = ?R")proof(cases "readys s = {}") case False have "Max (preceds (threads s) s) = Max (preceds (\<Union>th\<in>readys s. subtree (tG s) th) s)" unfolding threads_alt_def1 by simp also have "... = Max {Max (preceds (subtree (tG s) th) s) | th. th \<in> readys s}" apply(subst Max_Segments[symmetric]) apply (simp add: finite_readys) apply (simp add: fsbttGs.finite_subtree) apply blast using False apply blast apply(rule arg_cong) back apply(blast) done also have "... = Max {cp s th | th. th \<in> readys s}" unfolding cp_alt_def3 .. finally show "Max (cp s ` readys s) = Max (preceds (threads s) s)" by (simp add: Setcompr_eq_image image_def) qed (auto simp:threads_alt_def)lemma LL:shows "the_preced s ` threads s = preceds (threads s) s"using the_preced_def by autotext {* The following lemma is simply a corollary of @{thm max_cp_readys_max_preced_tG} and @{thm max_cp_eq}:*}lemma max_cp_readys_threads: shows "Max (cp s ` readys s) = Max (cp s ` threads s)" apply(simp add: max_cp_readys_max_preced_tG) apply(simp add: max_cp_eq) apply(simp add: LL) doneendsection {* Relating @{term cntP}, @{term cntV}, @{term cntCS} and @{term pvD} *}text {* As explained in the section where @{term "cntP"}, @{term "cntV"} and @{term "cntCS"} are defined, we need to establish a equation (in lemma @{text "cnp_cnv_cncs"}) so that the last can be calculated out of the first two. While the calculation of @{term "cntV"} and @{term "cntCS"} are relatively simple, the calculation of @{term "cntCS"} and @{term "pvD"} are complicated, because their definitions involve a number of other functions such as @{term holdents}, @{term readys}, and @{term threads}. To prove @{text "cnp_cnv_cncs"}, we need to investigate how the values of these functions are changed with the execution of each kind of system operation. Following conventions, such investigation are divided into locales corresponding to system operations.*}context valid_trace_p_wbeginlemma holding_s_holder: "holding s holder cs" by (unfold s_holding_def, unfold wq_s_cs, auto)lemma holding_es_holder: "holding (e#s) holder cs" by (unfold s_holding_def, unfold wq_es_cs wq_s_cs, auto)lemma holdents_es: shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R") proof - { fix cs' assume "cs' \<in> ?L" hence h: "holding (e#s) th' cs'" by (auto simp:holdents_def) have "holding s th' cs'" proof(cases "cs' = cs") case True from held_unique[OF h[unfolded True] holding_es_holder] have "th' = holder" . thus ?thesis by (unfold True holdents_def, insert holding_s_holder, simp) next case False hence "wq (e#s) cs' = wq s cs'" by simp from h[unfolded s_holding_def, folded wq_def, unfolded this] show ?thesis by (unfold s_holding_def, auto) qed hence "cs' \<in> ?R" by (auto simp:holdents_def) } moreover { fix cs' assume "cs' \<in> ?R" hence h: "holding s th' cs'" by (auto simp:holdents_def) have "holding (e#s) th' cs'" proof(cases "cs' = cs") case True from held_unique[OF h[unfolded True] holding_s_holder] have "th' = holder" . thus ?thesis by (unfold True holdents_def, insert holding_es_holder, simp) next case False hence "wq s cs' = wq (e#s) cs'" by simp from h[unfolded s_holding_def, folded wq_def, unfolded this] show ?thesis by (unfold s_holding_def, auto) qed hence "cs' \<in> ?L" by (auto simp:holdents_def) } ultimately show ?thesis by autoqedlemma cntCS_es_th[simp]: "cntCS (e#s) th' = cntCS s th'" by (unfold cntCS_def holdents_es, simp)lemma th_not_ready_es: shows "th \<notin> readys (e#s)" using waiting_es_th_cs by (unfold readys_def, auto)endlemma (in valid_trace) finite_holdents: "finite (holdents s th)" by (unfold holdents_alt_def, insert fsbtRAGs.finite_children, auto)context valid_trace_p beginlemma live_th_es: "th \<in> threads (e#s)" using live_th_s by (unfold is_p, simp)lemma waiting_neq_th: assumes "waiting s t c" shows "t \<noteq> th" using assms using th_not_waiting by blast endcontext valid_trace_p_hbeginlemma th_not_waiting': "\<not> waiting (e#s) th cs'"proof(cases "cs' = cs") case True show ?thesis by (unfold True s_waiting_def, fold wq_def, unfold wq_es_cs', auto)next case False from th_not_waiting[of cs', unfolded s_waiting_def, folded wq_def] show ?thesis by (unfold s_waiting_def, fold wq_def, insert False, simp)qedlemma ready_th_es: shows "th \<in> readys (e#s)" using th_not_waiting' by (unfold readys_def, insert live_th_es, auto)lemma holdents_es_th: "holdents (e#s) th = (holdents s th) \<union> {cs}" (is "?L = ?R")proof - { fix cs' assume "cs' \<in> ?L" hence "holding (e#s) th cs'" by (unfold holdents_def, auto) hence "cs' \<in> ?R" by (cases rule:holding_esE, auto simp:holdents_def) } moreover { fix cs' assume "cs' \<in> ?R" hence "holding s th cs' \<or> cs' = cs" by (auto simp:holdents_def) hence "cs' \<in> ?L" proof assume "holding s th cs'" from holding_kept[OF this] show ?thesis by (auto simp:holdents_def) next assume "cs' = cs" thus ?thesis using holding_es_th_cs by (unfold holdents_def, auto) qed } ultimately show ?thesis by autoqedlemma not_holding_s_th_cs: "\<not> holding s th cs"proof assume otherwise: "holding s th cs" from pip_e[unfolded is_p] show False proof(cases) case (thread_P) moreover have "(Cs cs, Th th) \<in> RAG s" using otherwise th_not_in_wq using s_holding_def wq_def by auto ultimately show ?thesis by auto qedqedlemma cntCS_es_th: "cntCS (e#s) th = cntCS s th + 1"proof - have "card (holdents s th \<union> {cs}) = card (holdents s th) + 1" proof(subst card_Un_disjoint) show "holdents s th \<inter> {cs} = {}" using not_holding_s_th_cs by (auto simp:holdents_def) qed (auto simp:finite_holdents) thus ?thesis by (unfold cntCS_def holdents_es_th, simp)qedlemma no_holder: "\<not> holding s th' cs"proof assume otherwise: "holding s th' cs" from this[unfolded s_holding_def, folded wq_def, unfolded we] show False by autoqedlemma holdents_es_th': assumes "th' \<noteq> th" shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")proof - { fix cs' assume "cs' \<in> ?L" hence h_e: "holding (e#s) th' cs'" by (auto simp:holdents_def) have "cs' \<noteq> cs" proof assume "cs' = cs" from held_unique[OF h_e[unfolded this] holding_es_th_cs] have "th' = th" . with assms show False by simp qed from h_e[unfolded s_holding_def, folded wq_def, unfolded wq_neq_simp[OF this]] have "th' \<in> set (wq s cs') \<and> th' = hd (wq s cs')" . hence "cs' \<in> ?R" by (unfold holdents_def s_holding_def, auto) } moreover { fix cs' assume "cs' \<in> ?R" hence "holding s th' cs'" by (auto simp:holdents_def) from holding_kept[OF this] have "holding (e # s) th' cs'" . hence "cs' \<in> ?L" by (unfold holdents_def, auto) } ultimately show ?thesis by autoqedlemma cntCS_es_th'[simp]: assumes "th' \<noteq> th" shows "cntCS (e#s) th' = cntCS s th'" by (unfold cntCS_def holdents_es_th'[OF assms], simp)endcontext valid_trace_pbeginlemma readys_kept1: assumes "th' \<noteq> th" and "th' \<in> readys (e#s)" shows "th' \<in> readys s"proof - { fix cs' assume wait: "waiting s th' cs'" have n_wait: "\<not> waiting (e#s) th' cs'" using assms(2)[unfolded readys_def] by auto have False proof(cases "cs' = cs") case False with n_wait wait show ?thesis by (unfold s_waiting_def, fold wq_def, auto) next case True show ?thesis proof(cases "wq s cs = []") case True then interpret vt: valid_trace_p_h by (unfold_locales, simp) show ?thesis using n_wait wait waiting_kept by auto next case False then interpret vt: valid_trace_p_w by (unfold_locales, simp) show ?thesis using n_wait wait waiting_kept by blast qed qed } with assms(2) show ?thesis by (unfold readys_def, auto)qedlemma readys_kept2: assumes "th' \<noteq> th" and "th' \<in> readys s" shows "th' \<in> readys (e#s)"proof - { fix cs' assume wait: "waiting (e#s) th' cs'" have n_wait: "\<not> waiting s th' cs'" using assms(2)[unfolded readys_def] by auto have False proof(cases "cs' = cs") case False with n_wait wait show ?thesis by (unfold s_waiting_def, fold wq_def, auto) next case True show ?thesis proof(cases "wq s cs = []") case True then interpret vt: valid_trace_p_h by (unfold_locales, simp) show ?thesis using n_wait vt.waiting_esE wait by blast next case False then interpret vt: valid_trace_p_w by (unfold_locales, simp) show ?thesis using assms(1) n_wait vt.waiting_esE wait by auto qed qed } with assms(2) show ?thesis by (unfold readys_def, auto)qedlemma readys_simp [simp]: assumes "th' \<noteq> th" shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)" using readys_kept1[OF assms] readys_kept2[OF assms] by metislemma cnp_cnv_cncs_kept: (* ddd *) assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'" shows "cntP (e#s) th' = cntV (e#s) th' + cntCS (e#s) th' + pvD (e#s) th'"proof(cases "th' = th") case True note eq_th' = this show ?thesis proof(cases "wq s cs = []") case True then interpret vt: valid_trace_p_h by (unfold_locales, simp) show ?thesis using assms eq_th' is_p ready_th_s vt.cntCS_es_th vt.ready_th_es pvD_def by auto next case False then interpret vt: valid_trace_p_w by (unfold_locales, simp) show ?thesis using add.commute add.left_commute assms eq_th' is_p live_th_s ready_th_s vt.th_not_ready_es pvD_def apply (auto) by (fold is_p, simp) qednext case False note h_False = False thus ?thesis proof(cases "wq s cs = []") case True then interpret vt: valid_trace_p_h by (unfold_locales, simp) show ?thesis using assms by (insert True h_False pvD_def, auto split:if_splits,unfold is_p, auto) next case False then interpret vt: valid_trace_p_w by (unfold_locales, simp) show ?thesis using assms by (insert False h_False pvD_def, auto split:if_splits,unfold is_p, auto) qedqedendcontext valid_trace_v beginlemma holding_th_cs_s: "holding s th cs" by (unfold s_holding_def, unfold wq_s_cs, auto)lemma th_ready_s [simp]: "th \<in> readys s" using running_th_s by (unfold running_def readys_def, auto)lemma th_live_s [simp]: "th \<in> threads s" using th_ready_s by (unfold readys_def, auto)lemma th_ready_es [simp]: "th \<in> readys (e#s)" using running_th_s neq_t_th by (unfold is_v running_def readys_def, auto)lemma th_live_es [simp]: "th \<in> threads (e#s)" using th_ready_es by (unfold readys_def, auto)lemma pvD_th_s[simp]: "pvD s th = 0" by (unfold pvD_def, simp)lemma pvD_th_es[simp]: "pvD (e#s) th = 0" by (unfold pvD_def, simp)lemma cntCS_s_th [simp]: "cntCS s th > 0"proof - have "cs \<in> holdents s th" using holding_th_cs_s by (unfold holdents_def, simp) moreover have "finite (holdents s th)" using finite_holdents by simp ultimately show ?thesis by (unfold cntCS_def, auto intro!:card_gt_0_iff[symmetric, THEN iffD1])qedendcontext valid_trace_vbeginlemma th_not_waiting: "\<not> waiting s th c"proof - have "th \<in> readys s" using running_ready running_th_s by blast thus ?thesis by (unfold readys_def, auto)qedlemma waiting_neq_th: assumes "waiting s t c" shows "t \<noteq> th" using assms using th_not_waiting by blast endcontext valid_trace_v_nbeginlemma not_ready_taker_s[simp]: "taker \<notin> readys s" using waiting_taker by (unfold readys_def, auto)lemma taker_live_s [simp]: "taker \<in> threads s"proof - have "taker \<in> set wq'" by (simp add: eq_wq') from th'_in_inv[OF this] have "taker \<in> set rest" . hence "taker \<in> set (wq s cs)" by (simp add: wq_s_cs) thus ?thesis using wq_threads by auto qedlemma taker_live_es [simp]: "taker \<in> threads (e#s)" using taker_live_s threads_es by blastlemma taker_ready_es [simp]: shows "taker \<in> readys (e#s)"proof - { fix cs' assume "waiting (e#s) taker cs'" hence False proof(cases rule:waiting_esE) case 1 thus ?thesis using waiting_taker waiting_unique by auto qed simp } thus ?thesis by (unfold readys_def, auto)qedlemma neq_taker_th: "taker \<noteq> th" using th_not_waiting waiting_taker by blast lemma not_holding_taker_s_cs: shows "\<not> holding s taker cs" using holding_cs_eq_th neq_taker_th by autolemma holdents_es_taker: "holdents (e#s) taker = holdents s taker \<union> {cs}" (is "?L = ?R")proof - { fix cs' assume "cs' \<in> ?L" hence "holding (e#s) taker cs'" by (auto simp:holdents_def) hence "cs' \<in> ?R" proof(cases rule:holding_esE) case 2 thus ?thesis by (auto simp:holdents_def) qed auto } moreover { fix cs' assume "cs' \<in> ?R" hence "holding s taker cs' \<or> cs' = cs" by (auto simp:holdents_def) hence "cs' \<in> ?L" proof assume "holding s taker cs'" hence "holding (e#s) taker cs'" using holding_esI2 holding_taker by fastforce thus ?thesis by (auto simp:holdents_def) next assume "cs' = cs" with holding_taker show ?thesis by (auto simp:holdents_def) qed } ultimately show ?thesis by autoqedlemma cntCS_es_taker [simp]: "cntCS (e#s) taker = cntCS s taker + 1"proof - have "card (holdents s taker \<union> {cs}) = card (holdents s taker) + 1" proof(subst card_Un_disjoint) show "holdents s taker \<inter> {cs} = {}" using not_holding_taker_s_cs by (auto simp:holdents_def) qed (auto simp:finite_holdents) thus ?thesis by (unfold cntCS_def, insert holdents_es_taker, simp)qedlemma pvD_taker_s[simp]: "pvD s taker = 1" by (unfold pvD_def, simp)lemma pvD_taker_es[simp]: "pvD (e#s) taker = 0" by (unfold pvD_def, simp) lemma pvD_th_s[simp]: "pvD s th = 0" by (unfold pvD_def, simp)lemma pvD_th_es[simp]: "pvD (e#s) th = 0" by (unfold pvD_def, simp)lemma holdents_es_th: "holdents (e#s) th = holdents s th - {cs}" (is "?L = ?R")proof - { fix cs' assume "cs' \<in> ?L" hence "holding (e#s) th cs'" by (auto simp:holdents_def) hence "cs' \<in> ?R" proof(cases rule:holding_esE) case 2 thus ?thesis by (auto simp:holdents_def) qed (insert neq_taker_th, auto) } moreover { fix cs' assume "cs' \<in> ?R" hence "cs' \<noteq> cs" "holding s th cs'" by (auto simp:holdents_def) from holding_esI2[OF this] have "cs' \<in> ?L" by (auto simp:holdents_def) } ultimately show ?thesis by autoqedlemma cntCS_es_th [simp]: "cntCS (e#s) th = cntCS s th - 1"proof - have "card (holdents s th - {cs}) = card (holdents s th) - 1" proof - have "cs \<in> holdents s th" using holding_th_cs_s by (auto simp:holdents_def) moreover have "finite (holdents s th)" by (simp add: finite_holdents) ultimately show ?thesis by auto qed thus ?thesis by (unfold cntCS_def holdents_es_th)qedlemma holdents_kept: assumes "th' \<noteq> taker" and "th' \<noteq> th" shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")proof - { fix cs' assume h: "cs' \<in> ?L" have "cs' \<in> ?R" proof(cases "cs' = cs") case False hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp from h have "holding (e#s) th' cs'" by (auto simp:holdents_def) from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq] show ?thesis by (unfold holdents_def s_holding_def, auto) next case True from h[unfolded this] have "holding (e#s) th' cs" by (auto simp:holdents_def) from held_unique[OF this holding_taker] have "th' = taker" . with assms show ?thesis by auto qed } moreover { fix cs' assume h: "cs' \<in> ?R" have "cs' \<in> ?L" proof(cases "cs' = cs") case False hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp from h have "holding s th' cs'" by (auto simp:holdents_def) from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq] show ?thesis by (unfold holdents_def s_holding_def, insert eq_wq, simp) next case True from h[unfolded this] have "holding s th' cs" by (auto simp:holdents_def) from held_unique[OF this holding_th_cs_s] have "th' = th" . with assms show ?thesis by auto qed } ultimately show ?thesis by autoqedlemma cntCS_kept [simp]: assumes "th' \<noteq> taker" and "th' \<noteq> th" shows "cntCS (e#s) th' = cntCS s th'" by (unfold cntCS_def holdents_kept[OF assms], simp)lemma readys_kept1: assumes "th' \<noteq> taker" and "th' \<in> readys (e#s)" shows "th' \<in> readys s"proof - { fix cs' assume wait: "waiting s th' cs'" have n_wait: "\<not> waiting (e#s) th' cs'" using assms(2)[unfolded readys_def] by auto have False proof(cases "cs' = cs") case False with n_wait wait show ?thesis by (unfold s_waiting_def, fold wq_def, auto) next case True have "th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest)" using wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] . moreover have "\<not> (th' \<in> set rest \<and> th' \<noteq> hd (taker # rest'))" using n_wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_es_cs set_wq', unfolded eq_wq'] . ultimately have "th' = taker" by auto with assms(1) show ?thesis by simp qed } with assms(2) show ?thesis by (unfold readys_def, auto)qedlemma readys_kept2: assumes "th' \<noteq> taker" and "th' \<in> readys s" shows "th' \<in> readys (e#s)"proof - { fix cs' assume wait: "waiting (e#s) th' cs'" have n_wait: "\<not> waiting s th' cs'" using assms(2)[unfolded readys_def] by auto have False proof(cases "cs' = cs") case False with n_wait wait show ?thesis by (unfold s_waiting_def, fold wq_def, auto) next case True have "th' \<in> set rest \<and> th' \<noteq> hd (taker # rest')" using wait [unfolded True s_waiting_def, folded wq_def, unfolded wq_es_cs set_wq', unfolded eq_wq'] . moreover have "\<not> (th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest))" using n_wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] . ultimately have "th' = taker" using th_not_in_rest by simp thm taker_def wq'_def with assms(1) show ?thesis by simp qed } with assms(2) show ?thesis by (unfold readys_def, auto)qedlemma readys_simp [simp]: assumes "th' \<noteq> taker" shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)" using readys_kept1[OF assms] readys_kept2[OF assms] by metislemma cnp_cnv_cncs_kept: assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'" shows "cntP (e#s) th' = cntV (e#s) th' + cntCS (e#s) th' + pvD (e#s) th'"proof - { assume eq_th': "th' = taker" have ?thesis apply (unfold eq_th' pvD_taker_es cntCS_es_taker) by (insert neq_taker_th assms[unfolded eq_th'], unfold is_v, simp) } moreover { assume eq_th': "th' = th" have ?thesis apply (unfold eq_th' pvD_th_es cntCS_es_th) by (insert assms[unfolded eq_th'], unfold is_v, simp) } moreover { assume h: "th' \<noteq> taker" "th' \<noteq> th" have ?thesis using assms apply (unfold cntCS_kept[OF h], insert h, unfold is_v, simp) by (fold is_v, unfold pvD_def, simp) } ultimately show ?thesis by metisqedendcontext valid_trace_v_ebeginlemma holdents_es_th: "holdents (e#s) th = holdents s th - {cs}" (is "?L = ?R")proof - { fix cs' assume "cs' \<in> ?L" hence "holding (e#s) th cs'" by (auto simp:holdents_def) hence "cs' \<in> ?R" proof(cases rule:holding_esE) case 1 thus ?thesis by (auto simp:holdents_def) qed } moreover { fix cs' assume "cs' \<in> ?R" hence "cs' \<noteq> cs" "holding s th cs'" by (auto simp:holdents_def) from holding_esI2[OF this] have "cs' \<in> ?L" by (auto simp:holdents_def) } ultimately show ?thesis by autoqedlemma cntCS_es_th [simp]: "cntCS (e#s) th = cntCS s th - 1"proof - have "card (holdents s th - {cs}) = card (holdents s th) - 1" proof - have "cs \<in> holdents s th" using holding_th_cs_s by (auto simp:holdents_def) moreover have "finite (holdents s th)" by (simp add: finite_holdents) ultimately show ?thesis by auto qed thus ?thesis by (unfold cntCS_def holdents_es_th)qedlemma holdents_kept: assumes "th' \<noteq> th" shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")proof - { fix cs' assume h: "cs' \<in> ?L" have "cs' \<in> ?R" proof(cases "cs' = cs") case False hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp from h have "holding (e#s) th' cs'" by (auto simp:holdents_def) from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq] show ?thesis by (unfold holdents_def s_holding_def, auto) next case True from h[unfolded this] have "holding (e#s) th' cs" by (auto simp:holdents_def) from this[unfolded s_holding_def, folded wq_def, unfolded wq_es_cs nil_wq'] show ?thesis by auto qed } moreover { fix cs' assume h: "cs' \<in> ?R" have "cs' \<in> ?L" proof(cases "cs' = cs") case False hence eq_wq: "wq (e#s) cs' = wq s cs'" by simp from h have "holding s th' cs'" by (auto simp:holdents_def) from this[unfolded s_holding_def, folded wq_def, unfolded eq_wq] show ?thesis by (unfold holdents_def s_holding_def, insert eq_wq, simp) next case True from h[unfolded this] have "holding s th' cs" by (auto simp:holdents_def) from held_unique[OF this holding_th_cs_s] have "th' = th" . with assms show ?thesis by auto qed } ultimately show ?thesis by autoqedlemma cntCS_kept [simp]: assumes "th' \<noteq> th" shows "cntCS (e#s) th' = cntCS s th'" by (unfold cntCS_def holdents_kept[OF assms], simp)lemma readys_kept1: assumes "th' \<in> readys (e#s)" shows "th' \<in> readys s"proof - { fix cs' assume wait: "waiting s th' cs'" have n_wait: "\<not> waiting (e#s) th' cs'" using assms(1)[unfolded readys_def] by auto have False proof(cases "cs' = cs") case False with n_wait wait show ?thesis by (unfold s_waiting_def, fold wq_def, auto) next case True have "th' \<in> set (th # rest) \<and> th' \<noteq> hd (th # rest)" using wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_s_cs] . hence "th' \<in> set rest" by auto with set_wq' have "th' \<in> set wq'" by metis with nil_wq' show ?thesis by simp qed } thus ?thesis using assms by (unfold readys_def, auto)qedlemma readys_kept2: assumes "th' \<in> readys s" shows "th' \<in> readys (e#s)"proof - { fix cs' assume wait: "waiting (e#s) th' cs'" have n_wait: "\<not> waiting s th' cs'" using assms[unfolded readys_def] by auto have False proof(cases "cs' = cs") case False with n_wait wait show ?thesis by (unfold s_waiting_def, fold wq_def, auto) next case True have "th' \<in> set [] \<and> th' \<noteq> hd []" using wait[unfolded True s_waiting_def, folded wq_def, unfolded wq_es_cs nil_wq'] . thus ?thesis by simp qed } with assms show ?thesis by (unfold readys_def, auto)qedlemma readys_simp [simp]: shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)" using readys_kept1 readys_kept2 by metislemma cnp_cnv_cncs_kept: assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'" shows "cntP (e#s) th' = cntV (e#s) th' + cntCS (e#s) th' + pvD (e#s) th'"proof - { assume eq_th': "th' = th" have ?thesis apply (unfold eq_th' pvD_th_es cntCS_es_th) by (insert assms[unfolded eq_th'], unfold is_v, simp) } moreover { assume h: "th' \<noteq> th" have ?thesis using assms apply (unfold cntCS_kept[OF h], insert h, unfold is_v, simp) by (fold is_v, unfold pvD_def, simp) } ultimately show ?thesis by metisqedendcontext valid_trace_vbeginlemma cnp_cnv_cncs_kept: assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'" shows "cntP (e#s) th' = cntV (e#s) th' + cntCS (e#s) th' + pvD (e#s) th'"proof(cases "rest = []") case True then interpret vt: valid_trace_v_e by (unfold_locales, simp) show ?thesis using assms using vt.cnp_cnv_cncs_kept by blast next case False then interpret vt: valid_trace_v_n by (unfold_locales, simp) show ?thesis using assms using vt.cnp_cnv_cncs_kept by blast qedendcontext valid_trace_createbeginlemma th_not_live_s [simp]: "th \<notin> threads s"proof - from pip_e[unfolded is_create] show ?thesis by (cases, simp)qedlemma th_not_ready_s [simp]: "th \<notin> readys s" using th_not_live_s by (unfold readys_def, simp)lemma th_live_es [simp]: "th \<in> threads (e#s)" by (unfold is_create, simp)lemma not_waiting_th_s [simp]: "\<not> waiting s th cs'"proof assume "waiting s th cs'" from this[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] have "th \<in> set (wq s cs')" by auto from wq_threads[OF this] have "th \<in> threads s" . with th_not_live_s show False by simpqedlemma not_holding_th_s [simp]: "\<not> holding s th cs'"proof assume "holding s th cs'" from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept] have "th \<in> set (wq s cs')" by auto from wq_threads[OF this] have "th \<in> threads s" . with th_not_live_s show False by simpqedlemma not_waiting_th_es [simp]: "\<not> waiting (e#s) th cs'"proof assume "waiting (e # s) th cs'" from this[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] have "th \<in> set (wq s cs')" by auto from wq_threads[OF this] have "th \<in> threads s" . with th_not_live_s show False by simpqedlemma not_holding_th_es [simp]: "\<not> holding (e#s) th cs'"proof assume "holding (e # s) th cs'" from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept] have "th \<in> set (wq s cs')" by auto from wq_threads[OF this] have "th \<in> threads s" . with th_not_live_s show False by simpqedlemma ready_th_es [simp]: "th \<in> readys (e#s)" by (simp add:readys_def)lemma holdents_th_s: "holdents s th = {}" by (unfold holdents_def, auto)lemma holdents_th_es: "holdents (e#s) th = {}" by (unfold holdents_def, auto)lemma cntCS_th_s [simp]: "cntCS s th = 0" by (unfold cntCS_def, simp add:holdents_th_s)lemma cntCS_th_es [simp]: "cntCS (e#s) th = 0" by (unfold cntCS_def, simp add:holdents_th_es)lemma pvD_th_s [simp]: "pvD s th = 0" by (unfold pvD_def, simp)lemma pvD_th_es [simp]: "pvD (e#s) th = 0" by (unfold pvD_def, simp)lemma holdents_kept: assumes "th' \<noteq> th" shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")proof - { fix cs' assume h: "cs' \<in> ?L" hence "cs' \<in> ?R" by (unfold holdents_def s_holding_def, unfold wq_kept, auto) } moreover { fix cs' assume h: "cs' \<in> ?R" hence "cs' \<in> ?L" by (unfold holdents_def s_holding_def, unfold wq_kept, auto) } ultimately show ?thesis by autoqedlemma cntCS_kept [simp]: assumes "th' \<noteq> th" shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R") using holdents_kept[OF assms] by (unfold cntCS_def, simp)lemma readys_kept1: assumes "th' \<noteq> th" and "th' \<in> readys (e#s)" shows "th' \<in> readys s"proof - { fix cs' assume wait: "waiting s th' cs'" have n_wait: "\<not> waiting (e#s) th' cs'" using assms by (auto simp:readys_def) from wait[unfolded s_waiting_def, folded wq_def] n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] have False by auto } thus ?thesis using assms by (unfold readys_def, auto)qedlemma readys_kept2: assumes "th' \<noteq> th" and "th' \<in> readys s" shows "th' \<in> readys (e#s)"proof - { fix cs' assume wait: "waiting (e#s) th' cs'" have n_wait: "\<not> waiting s th' cs'" using assms(2) by (auto simp:readys_def) from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] n_wait[unfolded s_waiting_def, folded wq_def] have False by auto } with assms show ?thesis by (unfold readys_def, auto)qedlemma readys_simp [simp]: assumes "th' \<noteq> th" shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)" using readys_kept1[OF assms] readys_kept2[OF assms] by metislemma pvD_kept [simp]: assumes "th' \<noteq> th" shows "pvD (e#s) th' = pvD s th'" using assms by (unfold pvD_def, simp)lemma cnp_cnv_cncs_kept: assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'" shows "cntP (e#s) th' = cntV (e#s) th' + cntCS (e#s) th' + pvD (e#s) th'"proof - { assume eq_th': "th' = th" have ?thesis using assms by (unfold eq_th', simp, unfold is_create, simp) } moreover { assume h: "th' \<noteq> th" hence ?thesis using assms by (simp, simp add:is_create) } ultimately show ?thesis by metisqedendcontext valid_trace_exitbeginlemma th_live_s [simp]: "th \<in> threads s"proof - from pip_e[unfolded is_exit] show ?thesis by (cases, unfold running_def readys_def, simp)qedlemma th_ready_s [simp]: "th \<in> readys s"proof - from pip_e[unfolded is_exit] show ?thesis by (cases, unfold running_def, simp)qedlemma th_not_live_es [simp]: "th \<notin> threads (e#s)" by (unfold is_exit, simp)lemma not_holding_th_s [simp]: "\<not> holding s th cs'"proof - from pip_e[unfolded is_exit] show ?thesis by (cases, unfold holdents_def, auto)qedlemma cntCS_th_s [simp]: "cntCS s th = 0"proof - from pip_e[unfolded is_exit] show ?thesis by (cases, unfold cntCS_def, simp)qedlemma not_holding_th_es [simp]: "\<not> holding (e#s) th cs'"proof assume "holding (e # s) th cs'" from this[unfolded s_holding_def, folded wq_def, unfolded wq_kept] have "holding s th cs'" by (unfold s_holding_def, auto) with not_holding_th_s show False by simpqedlemma ready_th_es [simp]: "th \<notin> readys (e#s)" by (simp add:readys_def)lemma holdents_th_s: "holdents s th = {}" by (unfold holdents_def, auto)lemma holdents_th_es: "holdents (e#s) th = {}" by (unfold holdents_def, auto)lemma cntCS_th_es [simp]: "cntCS (e#s) th = 0" by (unfold cntCS_def, simp add:holdents_th_es)lemma pvD_th_s [simp]: "pvD s th = 0" by (unfold pvD_def, simp)lemma pvD_th_es [simp]: "pvD (e#s) th = 0" by (unfold pvD_def, simp)lemma holdents_kept: assumes "th' \<noteq> th" shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")proof - { fix cs' assume h: "cs' \<in> ?L" hence "cs' \<in> ?R" by (unfold holdents_def s_holding_def, unfold wq_kept, auto) } moreover { fix cs' assume h: "cs' \<in> ?R" hence "cs' \<in> ?L" by (unfold holdents_def s_holding_def, unfold wq_kept, auto) } ultimately show ?thesis by autoqedlemma cntCS_kept [simp]: assumes "th' \<noteq> th" shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R") using holdents_kept[OF assms] by (unfold cntCS_def, simp)lemma readys_kept1: assumes "th' \<noteq> th" and "th' \<in> readys (e#s)" shows "th' \<in> readys s"proof - { fix cs' assume wait: "waiting s th' cs'" have n_wait: "\<not> waiting (e#s) th' cs'" using assms by (auto simp:readys_def) from wait[unfolded s_waiting_def, folded wq_def] n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] have False by auto } thus ?thesis using assms by (unfold readys_def, auto)qedlemma readys_kept2: assumes "th' \<noteq> th" and "th' \<in> readys s" shows "th' \<in> readys (e#s)"proof - { fix cs' assume wait: "waiting (e#s) th' cs'" have n_wait: "\<not> waiting s th' cs'" using assms(2) by (auto simp:readys_def) from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] n_wait[unfolded s_waiting_def, folded wq_def] have False by auto } with assms show ?thesis by (unfold readys_def, auto)qedlemma readys_simp [simp]: assumes "th' \<noteq> th" shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)" using readys_kept1[OF assms] readys_kept2[OF assms] by metislemma pvD_kept [simp]: assumes "th' \<noteq> th" shows "pvD (e#s) th' = pvD s th'" using assms by (unfold pvD_def, simp)lemma cnp_cnv_cncs_kept: assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'" shows "cntP (e#s) th' = cntV (e#s) th' + cntCS (e#s) th' + pvD (e#s) th'"proof - { assume eq_th': "th' = th" have ?thesis using assms by (unfold eq_th', simp, unfold is_exit, simp) } moreover { assume h: "th' \<noteq> th" hence ?thesis using assms by (simp, simp add:is_exit) } ultimately show ?thesis by metisqedendcontext valid_trace_setbeginlemma th_live_s [simp]: "th \<in> threads s"proof - from pip_e[unfolded is_set] show ?thesis by (cases, unfold running_def readys_def, simp)qedlemma th_ready_s [simp]: "th \<in> readys s"proof - from pip_e[unfolded is_set] show ?thesis by (cases, unfold running_def, simp)qedlemma th_not_live_es [simp]: "th \<in> threads (e#s)" by (unfold is_set, simp)lemma holdents_kept: shows "holdents (e#s) th' = holdents s th'" (is "?L = ?R")proof - { fix cs' assume h: "cs' \<in> ?L" hence "cs' \<in> ?R" by (unfold holdents_def s_holding_def, unfold wq_kept, auto) } moreover { fix cs' assume h: "cs' \<in> ?R" hence "cs' \<in> ?L" by (unfold holdents_def s_holding_def, unfold wq_kept, auto) } ultimately show ?thesis by autoqedlemma cntCS_kept [simp]: shows "cntCS (e#s) th' = cntCS s th'" (is "?L = ?R") using holdents_kept by (unfold cntCS_def, simp)lemma readys_kept1: assumes "th' \<in> readys (e#s)" shows "th' \<in> readys s"proof - { fix cs' assume wait: "waiting s th' cs'" have n_wait: "\<not> waiting (e#s) th' cs'" using assms by (auto simp:readys_def) from wait[unfolded s_waiting_def, folded wq_def] n_wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] have False by auto } moreover have "th' \<in> threads s" using assms[unfolded readys_def] by auto ultimately show ?thesis by (unfold readys_def, auto)qedlemma readys_kept2: assumes "th' \<in> readys s" shows "th' \<in> readys (e#s)"proof - { fix cs' assume wait: "waiting (e#s) th' cs'" have n_wait: "\<not> waiting s th' cs'" using assms by (auto simp:readys_def) from wait[unfolded s_waiting_def, folded wq_def, unfolded wq_kept] n_wait[unfolded s_waiting_def, folded wq_def] have False by auto } with assms show ?thesis by (unfold readys_def, auto)qedlemma readys_simp [simp]: shows "(th' \<in> readys (e#s)) = (th' \<in> readys s)" using readys_kept1 readys_kept2 by metislemma pvD_kept [simp]: shows "pvD (e#s) th' = pvD s th'" by (unfold pvD_def, simp)lemma cnp_cnv_cncs_kept: assumes "cntP s th' = cntV s th' + cntCS s th' + pvD s th'" shows "cntP (e#s) th' = cntV (e#s) th' + cntCS (e#s) th' + pvD (e#s) th'" using assms by (unfold is_set, simp, fold is_set, simp)endcontext valid_tracebeginlemma cnp_cnv_cncs: "cntP s th' = cntV s th' + cntCS s th' + pvD s th'"proof(induct rule:ind) case Nil thus ?case unfolding cntP_def cntV_def pvD_def cntCS_def holdents_def s_holding_def by(simp add: wq_def)next case (Cons s e) interpret vt_e: valid_trace_e s e using Cons by simp show ?case proof(cases e) case (Create th prio) interpret vt_create: valid_trace_create s e th prio using Create by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_create.cnp_cnv_cncs_kept) next case (Exit th) interpret vt_exit: valid_trace_exit s e th using Exit by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_exit.cnp_cnv_cncs_kept) next case (P th cs) interpret vt_p: valid_trace_p s e th cs using P by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_p.cnp_cnv_cncs_kept) next case (V th cs) interpret vt_v: valid_trace_v s e th cs using V by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_v.cnp_cnv_cncs_kept) next case (Set th prio) interpret vt_set: valid_trace_set s e th prio using Set by (unfold_locales, simp) show ?thesis using Cons by (simp add: vt_set.cnp_cnv_cncs_kept) qedqedendsection {* Corollaries of @{thm valid_trace.cnp_cnv_cncs} *}context valid_tracebegintext {* The following two lemmas are purely technical, which says a non-living thread can not hold any resource.*}lemma not_thread_holdents: assumes not_in: "th \<notin> threads s" shows "holdents s th = {}"proof - { fix cs assume "cs \<in> holdents s th" hence "holding s th cs" by (auto simp:holdents_def) from this[unfolded s_holding_def, folded wq_def] have "th \<in> set (wq s cs)" by auto with wq_threads have "th \<in> threads s" by auto with assms have False by simp } thus ?thesis by autoqedlemma not_thread_cncs: assumes not_in: "th \<notin> threads s" shows "cntCS s th = 0" using not_thread_holdents[OF assms] by (simp add:cntCS_def)text {* Starting from the following @{text cnp_cnv_eq}, all lemmas in this section concern the meaning of condition @{prop "cntP s th = cntV s th"}, i.e. when the numbers of resource requesting and resource releasing are equal.*}lemma cnp_cnv_eq: assumes "th \<notin> threads s" shows "cntP s th = cntV s th" using assms cnp_cnv_cncs not_thread_cncs pvD_def by (auto)lemma eq_pv_children: assumes eq_pv: "cntP s th = cntV s th" shows "children (RAG s) (Th th) = {}"proof - from cnp_cnv_cncs and eq_pv have "cntCS s th = 0" by (auto split:if_splits) from this[unfolded cntCS_def holdents_alt_def] have card_0: "card (the_cs ` children (RAG s) (Th th)) = 0" . have "finite (the_cs ` children (RAG s) (Th th))" by (simp add: fsbtRAGs.finite_children) from card_0[unfolded card_0_eq[OF this]] show ?thesis by autoqedlemma eq_pv_holdents: assumes eq_pv: "cntP s th = cntV s th" shows "holdents s th = {}" by (unfold holdents_alt_def eq_pv_children[OF assms], simp)lemma eq_pv_subtree: assumes eq_pv: "cntP s th = cntV s th" shows "subtree (RAG s) (Th th) = {Th th}" using eq_pv_children[OF assms] apply(subst subtree_children) apply(simp) done lemma count_eq_RAG_plus: assumes "cntP s th = cntV s th" shows "{th'. (Th th', Th th) \<in> (RAG s)^+} = {}"proof(rule ccontr) assume otherwise: "{th'. (Th th', Th th) \<in> (RAG s)\<^sup>+} \<noteq> {}" then obtain th' where "(Th th', Th th) \<in> (RAG s)^+" by auto from tranclD2[OF this] obtain z where "z \<in> children (RAG s) (Th th)" by (auto simp:children_def) with eq_pv_children[OF assms] show False by simpqedlemma count_eq_RAG_plus_Th: assumes "cntP s th = cntV s th" shows "{Th th' | th'. (Th th', Th th) \<in> (RAG s)^+} = {}" using count_eq_RAG_plus[OF assms] by autolemma count_eq_tRAG_plus: assumes "cntP s th = cntV s th" shows "{th'. (Th th', Th th) \<in> (tRAG s)^+} = {}" using count_eq_RAG_plus_Th[OF assms] using tRAG_trancl_eq by autolemma count_eq_tRAG_plus_Th: assumes "cntP s th = cntV s th" shows "{Th th' | th'. (Th th', Th th) \<in> (tRAG s)^+} = {}" using count_eq_tRAG_plus[OF assms] by autoendsubsection {* A notion @{text detached} and its relation with @{term cntP} and @{term cntV} *}definition detached :: "state \<Rightarrow> thread \<Rightarrow> bool" where "detached s th \<equiv> (\<not>(\<exists> cs. holding s th cs)) \<and> (\<not>(\<exists>cs. waiting s th cs))"text {* The following lemma shows that a thread is detached means it is isolated from @{term RAG}:*}lemma detached_test: shows "detached s th = (Th th \<notin> Field (RAG s))"apply(simp add: detached_def Field_def)apply(simp add: s_RAG_def)apply(simp add: s_holding_abv s_waiting_abv)apply(simp add: Domain_iff Range_iff)apply(simp add: wq_def)apply(auto)donelemma detached_cp_the_preced: assumes "detached s th" shows "cp s th = the_preced s th" (is "?L = ?R")proof - have "?L = Max (the_preced s ` {th'. Th th' \<in> subtree (RAG s) (Th th)})" by (unfold cp_alt_def, simp) moreover have "{th'. Th th' \<in> subtree (RAG s) (Th th)} = {th}" proof - { fix n assume "n \<in> subtree (RAG s) (Th th)" hence "n = Th th" proof(cases rule:subtreeE) case 2 from 2(2) have "Th th \<in> Range (RAG s)" by (elim ancestors_Field, simp) moreover from assms[unfolded detached_test] have "Th th \<notin> Field (RAG s)" . ultimately have False by (auto simp:Field_def) thus ?thesis by simp qed simp } thus ?thesis by auto qed ultimately show ?thesis by autoqedlemma detached_cp_preced: assumes "detached s th" shows "cp s th = preced th s" using detached_cp_the_preced[OF assms] by (simp add:the_preced_def)context valid_tracebeginlemma detached_intro: assumes eq_pv: "cntP s th = cntV s th" shows "detached s th"proof - from eq_pv cnp_cnv_cncs have "th \<in> readys s \<or> th \<notin> threads s" by (auto simp:pvD_def) thus ?thesis proof assume "th \<notin> threads s" with rg_RAG_threads dm_RAG_threads show ?thesis by (auto simp add: detached_def s_RAG_def s_waiting_abv s_holding_abv wq_def Domain_iff Range_iff) next assume "th \<in> readys s" moreover have "Th th \<notin> Range (RAG s)" proof - from eq_pv_children[OF assms] have "children (RAG s) (Th th) = {}" . thus ?thesis by (unfold children_def, auto) qed ultimately show ?thesis by (auto simp add: detached_def s_RAG_def s_waiting_abv s_holding_abv wq_def readys_def) qedqedlemma detached_elim: assumes dtc: "detached s th" shows "cntP s th = cntV s th"proof - have cncs_z: "cntCS s th = 0" proof - from dtc have "holdents s th = {}" unfolding detached_def holdents_test s_RAG_def by (simp add: s_waiting_abv wq_def s_holding_abv Domain_iff Range_iff) thus ?thesis by (auto simp:cntCS_def) qed show ?thesis proof(cases "th \<in> threads s") case True with dtc have "th \<in> readys s" by (unfold readys_def detached_def Field_def Domain_def Range_def, auto simp:s_waiting_abv s_RAG_def) with cncs_z show ?thesis using cnp_cnv_cncs by (simp add:pvD_def) next case False with cncs_z and cnp_cnv_cncs show ?thesis by (simp add:pvD_def) qedqedlemma detached_eq: shows "(detached s th) = (cntP s th = cntV s th)" by (insert vt, auto intro:detached_intro detached_elim)endsection {* Recursive calculation of @{term "cp"} *}text {* According to the normal definitions, such as @{thm cp_def}, @{thm cp_alt_def} and @{thm cp_alt_def1}, the @{term cp}-value of a thread depends on the @{term preced}-values of all threads in its subtree. To calculate a @{term cp}-value, one needs to traverse a whole subtree. However, in this section, we are going to show that @{term cp}-value can be calculate locally (given by the lemma @{text "cp_rec"} in the following). According to this lemma, the @{term cp}-value of a thread can be calculated only from the @{term cp}-values of its children in @{term RAG}. Therefore, if the @{term cp}-values of one thread's children are not changed by an execution step, there is no need to recalculate. This is particularly useful to in Implementation.thy to speed up the recalculation of @{term cp}-values. *}text {* The following function @{text "cp_gen"} is a generalization of @{term cp}. Unlike @{term cp} which returns a precedence for a thread, @{text "cp_gen"} returns precedence for a node in @{term RAG}. When the node represent a thread, @{text cp_gen} is coincident with @{term cp} (to be shown in lemma @{text "cp_gen_def_cond"}), and this is the only meaningful use of @{text cp_gen}. The introduction of @{text cp_gen} is purely technical to easy some of the proofs leading to the finally lemma @{text cp_rec}.*}definition "cp_gen s x = Max ((the_preced s \<circ> the_thread) ` subtree (tRAG s) x)"lemma cp_gen_alt_def: "cp_gen s = (Max \<circ> (\<lambda>x. (the_preced s \<circ> the_thread) ` subtree (tRAG s) x))" by (auto simp:cp_gen_def)lemma cp_gen_def_cond: assumes "x = Th th" shows "cp s th = cp_gen s (Th th)"by (unfold cp_alt_def1 cp_gen_def, simp)lemma cp_gen_over_set: assumes "\<forall> x \<in> A. \<exists> th. x = Th th" shows "cp_gen s ` A = (cp s \<circ> the_thread) ` A"proof(rule f_image_eq) fix a assume "a \<in> A" from assms[rule_format, OF this] obtain th where eq_a: "a = Th th" by auto show "cp_gen s a = (cp s \<circ> the_thread) a" by (unfold eq_a, simp, unfold cp_gen_def_cond[OF refl[of "Th th"]], simp)qedcontext valid_tracebegin(* ddd *)lemma cp_gen_rec: assumes "x = Th th" shows "cp_gen s x = Max ({the_preced s th} \<union> (cp_gen s) ` children (tRAG s) x)"proof(cases "children (tRAG s) x = {}") case True show ?thesis apply(subst True) apply(subst cp_gen_def) apply(subst subtree_children) apply(simp add: assms) using True assms by auto next case False hence [simp]: "children (tRAG s) x \<noteq> {}" by auto note fsbttRAGs.finite_subtree[simp] have [simp]: "finite (children (tRAG s) x)" by (intro rev_finite_subset[OF fsbttRAGs.finite_subtree], rule children_subtree) { fix r x have "subtree r x \<noteq> {}" by (auto simp:subtree_def) } note this[simp] have [simp]: "\<exists>x\<in>children (tRAG s) x. subtree (tRAG s) x \<noteq> {}" proof - from False obtain q where "q \<in> children (tRAG s) x" by blast moreover have "subtree (tRAG s) q \<noteq> {}" by simp ultimately show ?thesis by blast qed have h: "Max ((the_preced s \<circ> the_thread) ` ({x} \<union> \<Union>(subtree (tRAG s) ` children (tRAG s) x))) = Max ({the_preced s th} \<union> cp_gen s ` children (tRAG s) x)" (is "?L = ?R") proof - let "Max (?f ` (?A \<union> \<Union> (?g ` ?B)))" = ?L let "Max (_ \<union> (?h ` ?B))" = ?R let ?L1 = "?f ` \<Union>(?g ` ?B)" have eq_Max_L1: "Max ?L1 = Max (?h ` ?B)" proof - have "?L1 = ?f ` (\<Union> x \<in> ?B.(?g x))" by simp also have "... = (\<Union> x \<in> ?B. ?f ` (?g x))" by auto finally have "Max ?L1 = Max ..." by (simp add: \<open>(the_preced s \<circ> the_thread) ` (\<Union>x\<in>children (tRAG s) x. subtree (tRAG s) x) = (\<Union>x\<in>children (tRAG s) x. (the_preced s \<circ> the_thread) ` subtree (tRAG s) x)\<close>) also have "... = Max (Max ` (\<lambda>x. ?f ` subtree (tRAG s) x) ` ?B)" by(subst Max_Union, auto) also have "... = Max (cp_gen s ` children (tRAG s) x)" by (unfold image_comp cp_gen_alt_def, simp) finally show ?thesis . qed show ?thesis proof - have "?L = Max (?f ` ?A \<union> ?L1)" by simp also have "... = max (the_preced s (the_thread x)) (Max ?L1)" by (subst Max_Un, simp+) also have "... = max (?f x) (Max (?h ` ?B))" by (unfold eq_Max_L1, simp) also have "... =?R" by (rule max_Max_eq, (simp)+, unfold assms, simp) finally show ?thesis . qed qed thus ?thesis by (fold h subtree_children, unfold cp_gen_def, simp) qedlemma cp_rec: "cp s th = Max ({the_preced s th} \<union> (cp s o the_thread) ` children (tRAG s) (Th th))"proof - have "Th th = Th th" by simp note h = cp_gen_def_cond[OF this] cp_gen_rec[OF this] show ?thesis proof - have "cp_gen s ` children (tRAG s) (Th th) = (cp s \<circ> the_thread) ` children (tRAG s) (Th th)" proof(rule cp_gen_over_set) show " \<forall>x\<in>children (tRAG s) (Th th). \<exists>th. x = Th th" by (unfold tRAG_alt_def, auto simp:children_def) qed thus ?thesis by (subst (1) h(1), unfold h(2), simp) qedqedendlemma PIP_actorE: assumes "PIP s e" and "actor e = th" and "\<not> isCreate e" shows "th \<in> running s" using assms by (cases, auto)lemma holdents_RAG: assumes "holdents s th = {}" shows "Th th \<notin> Range (RAG s)"proof assume "Th th \<in> Range (RAG s)" thus False proof(rule RangeE) fix a assume "(a, Th th) \<in> RAG s" with assms[unfolded holdents_test] show False using assms children_def holdents_alt_def by fastforce qedqedlemma readys_RAG: assumes "th \<in> readys s" shows "Th th \<notin> Domain (RAG s)"proof assume "Th th \<in> Domain (RAG s)" thus False proof(rule DomainE) fix b assume "(Th th, b) \<in> RAG s" with assms[unfolded readys_def s_waiting_def] show False using Collect_disj_eq s_RAG_def s_waiting_abv s_waiting_def wq_def by fastforce qedqedtext {* The following two lemmas are general about any valid system state, but are used in the derivation in more specific system operations. *}lemma readys_root: assumes "th \<in> readys s" shows "root (RAG s) (Th th)" unfolding root_def ancestors_def using readys_RAG assmsby (metis Collect_empty_eq Domain.DomainI trancl_domain)lemma readys_in_no_subtree: assumes "th \<in> readys s" and "th' \<noteq> th" shows "Th th \<notin> subtree (RAG s) (Th th')" proof assume "Th th \<in> subtree (RAG s) (Th th')" thus False proof(cases rule:subtreeE) case 1 with assms show ?thesis by auto next case 2 with readys_root[OF assms(1)] show ?thesis by (auto simp:root_def) qedqedlemma readys_holdents_detached: assumes "th \<in> readys s" and "holdents s th = {}" shows "detached s th"proof - from readys_RAG[OF assms(1)] holdents_RAG[OF assms(2)] show ?thesis by (unfold detached_test Field_def, auto)qedlemma len_actions_of_sigma: assumes "finite A" shows "length (actions_of A t) = (\<Sum> th' \<in> A. length (actions_of {th'} t))"proof(induct t) case h: (Cons e t) thus ?case (is "?L = ?R" is "_ = ?T (e#t)") proof(cases "actor e \<in> A") case True have "?L = 1 + ?T t" by (fold h, insert True, simp add:actions_of_def) moreover have "?R = 1 + ?T t" proof - have "?R = length (actions_of {actor e} (e # t)) + (\<Sum>th'\<in>A - {actor e}. length (actions_of {th'} (e # t)))" (is "_ = ?F (e#t) + ?G (e#t)") by (meson True assms sum.remove) moreover have "?F (e#t) = 1 + ?F t" using True by (simp add:actions_of_def) moreover have "?G (e#t) = ?G t" by (auto simp:actions_of_def) moreover have "?F t + ?G t = ?T t" by (metis (no_types, lifting) True assms sum.remove) ultimately show ?thesis by simp qed ultimately show ?thesis by simp next case False hence "?L = length (actions_of A t)" by (simp add:actions_of_def) also have "... = (\<Sum>th'\<in>A. length (actions_of {th'} t))" by (simp add: h) also have "... = ?R" unfolding actions_of_def by (metis (no_types, lifting) False filter.simps(2) singletonD sum.cong) finally show ?thesis . qedqed (auto simp:actions_of_def)lemma threads_Exit: assumes "th \<in> threads s" and "th \<notin> threads (e#s)" shows "e = Exit th" using assms by (cases e, auto)end