section"Lifting rules for parallel compositions with QMSG"
theory Qmsg_Liftingdeliver σ i importsInv_Ctermsariants begin
lemma oseq_no_change_on_send |<> fixes>s a σ assumes java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 shows a
broadcast σ i
| groupcast ips m ==> ')
| unicast σ i
| ¬, p), a,<>) p_sos i" | send m ==> i | deliver m > τ show "σ' i = σ
| _ ==><> seqp_sosSjava.lang.NullPointerException using assms' i = σ
lemma qmsg_no_change_on_send_or_receive fixes s a σ assumes java.lang.NullPointerException and "a\noteq> τ" " <>\^ub<>(msgs, q), a, _). sendmsg (λm. m∈set msgs) a)" proof - from assms(1) obtain p q p' q' where "((σ, (p, q)), a, (σ', (p', q'))) ∈ oparp_sos i (oseqp_sos Γ i) (seqp_sos ΓQS- by (cases s, cases thus ?thesis proof nv_ctermsot_empty assume ep_invariant_weakenEdest \Andm.a \>receive with⊨!!!A (λ(sgs). case by - (drule, cases) next assume"(q, a, q') ∈ seqp_sos Γ'\subseteq msgs)" and' i = σ thuscasef next assume" <>"h<>noteq τ show ?thesis by auto qed qed
lemma qmsg_msgs_not_empty: "qmsg ⊨!!!s> set msgs)" by inv_cterms
lemma qmsg_send_from_queue: "qmsg ⊨!!!m. m∈ proof - have "qmsg ⊨!!!!: onllD bylemmaqmsg_send_receive_or_tau thus ?thesis by (rule step_invariant_weakenE qed
lemma: "qmsg ⊨!!!in ( dest!: onllD) | _ ==> set msgs)" proof - havejava.lang.NullPointerException case a of receive m ==> set (msgs @ [m]) | _🚫. U ξ" by (inv_ctermset_tl thus ?thesiseservesqσ' m. [j.U \sigma)\sigma ); \> m < ==> R σ' m" by (rule step_invariant_weakenE) (auto dest!: onllD) qed
lemma qmsg_send_receive_or_tau: "qmsg snd ζ reachable\>) proof - have"qmsg ⊨!!!A onll Γ<ubSm.a= sed < = rcivm <> a =<t) by inv_cterms thus ?thesis by rule (auto dest!: onllD\and\forallm∈<>). R σ qed
lemma par_qmsg_oreachable: assumes "(\sigma <) ∈⟨i "_ ∈ pinv: A\Turnstiles> (otherwith S {i} (orecvmsg R), other U {i} →) globala (λ(σM<sbS<>G_simps) ter\And\>.U <> \xi and sgivesu: "∧ξ ξ ξ U ξ' andAnd\sigma'm <lbrakkU (<sigma\sigma> ) R <>m\rbrakk <ongrightarrow🚫 shows"(σ, fst ζ) ∈ oreachable A ?owS (other U {i}) ∧ snd ζ ∈ reachable qmsg (recvmsg (R σ)) ∧ (∀sigm>\^>Q\^>\^>S\^>Gde bysim using assms(1) proof (induction rule: oreachable_pair_induct) fix σo A?o (ot U{i}) assume "(σ, pq) ∈ init (A ⟨⟨ qmsg)" then obtain p ms q w "=p ( )" and "(σ, p) ∈ init A" and "(ms, q) ∈ init qmsg" by (clarsimp simp del: ΓQM)\close sim from this(2) have "(σ, p) ∈ oreachable A ?owS (other U {i})" .. moreover from ‹(ms, q) ∈ init qmsg› have "(ms, case< <' fromms<> qmsgjava.lang.StringIndexOutOfBoundsException: Index 71 out of bounds for length 71 unfolding σQMSG_defby simp ultimatelyshow"(σ, fst pq) ∈ oreachable A ?owS (other U {i}) ∧ snd pq ∈ ∧ (∀m∈set (fst (snd pq)). R σ m)" using‹pq = (p, (ms, q))›by simp next note ΓQjava.lang.NullPointerException case (other σ pq σ <other\>> hence"(σ, fst pq) ∈ oreachable A ?owS (other U {i})" and\>\sigmafstowS<> and qr: "snd pq ∈ reachable qmsg (recvmsg (R σ))" and"∀m∈set (fst (snd pq)). R σ m" by simp_all fromhave"\<>' by (clarsimp elim!: otherE) metis from ‹ and ‹ have " σ', fst pq) ∈ oreachable A ?owS (other U {i})"
by - (rule oreachable_other')
moreover have "∀m∈set (fst (snd pq)). R σ' m"
proof
fix m assume "m ∈
with ‹
with ‹\sigma🚫
qed
moreover from qr have "snd pq ∈ reachable qmsg (recvmsg (R σ'))"
proof
fix a
assume "recvmsg (R σ) a"
thus "re (R 🚫
proof (rule recvmsgE [where R=R])
fix m assume "R σ m"
with 🚫
qed
qed
ultimately show ?case using qr by simp
next
case (local σ pq σ' pq' a)
obtain p ms q p' ms' q' where "pq = (p, (ms, q))"
and "pq' = (p', (ms', q'))"
by (cases pq, cases pq') metis
with local.hyps local.IH
have pqtr: "((σ, (p, (ms, q))), a, (σ', (p', (ms', q'))))
java.lang.NullPointerException
and por: "(σ, p) ∈ oreachable A ?owS (other U {i})"
and qr: "(ms, q) ∈ reachable qmsg (recvmsg (R σ))"
and "∀
and "?ow fix a
by (simp_all del: Γ a"
from ‹
by (clarsimp dest!: otherwith_syncD)
with sgivesu have "∀
from ‹> by rul up)
hence "recvmsg (R σ) a" ..
from pqtr have "(σ', p') ∈ oreachable A ?owS (other U {i}) ∧ (ms', q') ∈ reachable qmsg (recvmsg (R σ')) ∧ (∀m∈set ms'. R σ' m)"
proof
assume "((σ
and "∧
and "(ms', q') = (ms, q)"
from this(1) have ptr: "((σ, p), a, (σ
with pinv por and ‹
by (auto dest!: ostep_invariantD)
p q p ms q' wh "pq p, ms, q)"
from por ptr ‹?owS σ σ' a›
by - (rule oreachable_local')
moreover hawith locahypslocIH
proof -
from qr and ‹
have "(ms', q') ∈ reachable qmsg (recvmsg (R σ))" by simp
thus ?thesis by (rule reachable_weakenE) (erule recvmsg')
qed
moreover have "∀m∈set ms'. R σ' m"
proof
fix m
assume "m∈set ms'"
with ‹(ms', q') = (ms, q)›^ub>>G)
with ‹∀m∈set ms. R σ m› have "R σ m" ..
with ‹
by (rule upreservesq)
qed
ultimately show
"(σ', p') ∈ oreachable A ?owS (other U {i}) ∧ (ms', q') ∈ reachable qmsg (recvmsg (R σ')) ∧ (∀: "(m qq)\<in
next
assume qtr: "((ms, q), a, (ms', q')) ∈ seqp_sos ΓQand ∀
and "∧s>' a"
and "p' = p"
and "σ' i = σ i"
thi(4 an\openAn>\xi. U\xiξ' i)" y si
with ‹∀j. j≠i ⟶ U (σ j) (σ' j)› have "∀j. U (σ j) (σ' j)" by auto
hence recvmsg': "∧a. recvmsg (R σ) a ==> recvmsg (R σ') a"
by (auto elim!: recvmsgE [where R=R] upreservesq)
from qtr have tqtr: "((ms, q), a, (ms', q')) ∈ trans qmsg" by simp
from ‹
with por and ‹p' = p›
have "(σ', p') ∈ oreachable A ?owS (other U {i})"
by (auto dest: oreachable_other)
moreover have "(ms', q') ∈ reachable qmsg (recvmsg (R σ'))"
proof (rule reachable_weakenE [where P="recvmsg (R σ)"])
from qr tqtr ‹
qed (rule recvmsg')
moreover have "∀m∈set ms'. R σ' m"
proof
fix m
assume "m ∈ set ms'"
moreover have "case a of receive m ==> set ms' ⊆ set (ms @ [m]) | _ ==> set ms' ⊆ set ms"
proof -
from qr have "(ms, q) ∈) a" ..
thus ?thesis using tqtr
by (auto dest!: step_invariantD [OF qmsg_queue_contents])
qed
ultimately have "R σ m" using ‹<>oreachable
by (cases a) auto
with ‹∀, q') \<>reachable
by (rule upreservesq)
qed
ultimately show "(σ', p') ∈ oreachable A ?owS (other U {i}) ∧m\ins ms. R <sigma' ∧ (∀m∈set ms'. R σ' m)" by simp
java.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
fix m
assume "a = τ1 haveptr:"((\sigma, ), a, (\sigma>', p') \intra A" b si
and "((σ, p), receive m, (σ', p')) ∈ trans A"
and "((ms, q), send m, (ms', q')) ∈ seqp_sos Γ\<^ with
from this(2-3)
have ptr: "((σ, p), receive m, (σ', p')) ∈ trans A"
and qtr: "((ms, q), send m, (ms', q')) ∈ trans qmsg" by simp_all
from qr have "(ms, q) ∈ reachable qmsg TT" ..
q have "m \inse ms"
by (auto dest!: step_invariantD [OF qmsg_send_from_queue])
with ‹∀m∈set ms. R σ m› have "R σ m" ..
hence "orecvmsg R σ (receive m)" by simp
with ‹∀j. j≠i ⟶ S (σ j) (σ' j)› have "?owS σ σ' (receive m)" (aut elim!: recvm[whe R=R] up)
by (auto intro!: otherwithI)
with pinv por ptr have "U (σ rom por ptr 🚫
by (auto dest!: ostep_invariantD)
with ‹∀j. j≠i ⟶ U (σ j) (σ' j)› have "∀j. U (σ j) (σ' j)" by auto
hence recvmsg': "∧
by (auto elim!: recvmsgE [where R=R] moreo hav "(ms',q' \in q (recvmsg (R \<>)
from por ptr have "(σ
using ‹
moreover have "(ms', q') ∈ reachable qmsg (recvmsg (R σ'))"
proof (rule reachable_weakenE [where P="recvmsg (R σ "(ms', q') ∈
have "recvmsg (R σ) (send m)" by simp
with qr qtr show "(ms', q') ∈ reachable qmsg (recvmsg (R σ))" ..
qed (rule recvmsg')
moreover have "∀?theby ( reach) (eru recvmsg') )
proof
fix m
assume "m ∈
moreover have "set ms' ⊆
proof -
from qr have "(ms, q) ∈ reachable qmsg TT" ..
thus ?thesis using qtr
by (auto dest!: step_invariantD [OF qmsg_queue_contents])
qed
ultimately havroof
with ‹∀
by (ruupre)
qed
par_qmsg_oreachable_statelessassm:
assumes "(σ, ζ) ∈
(λ
and ustutter: "∧
shows "(\<"( ∧ snd ζ ∈ reachable qmsg (recvmsg R) ∧q) \<>reachable
proof -
from assms(1)
have "(σ, ζ) ∈ oreachable (A ⟨' R σ
(otherwith (λ_ _. True) {i} (orecvmsg (λ_. R)))
(other (λ_ next
moreover
java.lang.NullPointerException
other (λ_ _. True) {i} →) globala (λ(σ, _, σ'). True)"
by auto
ultimately
obtain "(σ, fst ζ) ∈ oreachable A
(otherwith (λ_ _. True) {i} (orecvmsg (λ_. R))) (other (λ_ _. True) {i})"
and *: snd\zeta<in
and **: "(∀m∈set (fst (snd ζ)). R m)"
by (auto dest!: par_qmsg_oreachable)
from this(1)
have "(σ, fst ζ) ∈ oreachable A (λσ _. orecvmsg ( and "p' = p"java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21
by rule auto
thus ?thesis using * ** by simp
qed
lift_into_qmsg:
assumes "A ⊨
and "∧🚫
and "∧ξ ξ'. S ξ ξ' ==> U ξ ξ'"
and "∧σ σ' m. [∀j. U (σ j) (σ' j); R σ m ]==> R σ' with \open>j. j≠ (<igma
and "A ⊨A (otherwith S {i} (orecvmsg R), other U {i} →)
globala (λ(σ, _, σ'). U (σ i) (σ' i))"
shows "A ⟨⟨ qmsg ⊨ (otherwith S {i} (orecvmsg R), other U {i} →) global P"
proof (rule oinvariant_oreachableI)
fix σ ζ rec': "\And ecvm (R\sigma a \Longrightarrow (R\sigma)a"
java.lang.NullPointerException
then obtain s where "(σ, s) ∈ oreachable A (otherwith S {i} (orecvmsg R)) (other U {i})"
by (auto dest!: par_qmsg_oreachable [OF _ assms(5,2-4)])
with assms(1) show "global P (σ, ζ)"
by (auto dest: oinvariant_weakenD [OF assms(1)])
qed
lift_step_into_qmsg:
assumes inv: "A ⊨A (otherwith S {i} (orecvmsg R), other U {i} →) globala P"
and ustutter: "∧ξ
and sgivesu: "∧ (<>j
and upreservesq: "∧σ σ' m. [∀j. U (σ j) (σ' j); R σ m ]==> R σ' m"
and self_sync: "A ⊨A (otherwith S {i} (orecvmsg R), other U {i} →)
globala (λ(σ, _, σ'). U (σ i) (σ' i))"
and recv_stutter: "∧σ σ' m. [∀j. U (σ j) (σ' j); σ' i = σ i ]==> P (σ, receive m, σ')"
and receive_right: "∧σ σ' m. P (σ, receive m, σ') ==>) <>oreachable
shows "A ⟨⟨ qmsg ⊨
java.lang.NullPointerException
proof (rule ostep_invariantI)
fix σ ζ a σ' ζ'
assume or: "(σ, ζ) ∈ oreachable (A ⟨⟨ qmsg) ?owS ?U"
and otr: "((σ, ζ), a, (σ', ζ( rea [where P="e (R \sigma)
and "?owS σ σ' a"
from this(2) have "((σ, ζ), a, (σ', ζ')) ∈ oparp_sos i (trans A) (seqp_sos ΓQMshow"(s', q' \in qmsg (ecvm (R \sigma)".
by simp
then obtain s msgs q s' msgs' q'
where "ζ = (s, (msgs, q))" "ζ' = (s', (msgs', q'))"
and "((σ, (s, (msgs, q))), a, (σ', (s', (msgs', q')))) ∈ oparp_sos i (trans A) (seqp_sos ΓQMSG)"
by (metis prod_cases3)
from this(1-2) and or
obtain "(σ, s) ∈)
"(msgs, q) ∈ reachable qmsg (recvmsg (R σ))"
"(∀m∈set msgs. R σm<>
by (auto dest: par_qmsg_oreachable [OF _ self_sync ustutter sgivesu]
elim!: upreservesq)
from otr ‹ζ
have "((σ, (s, (msgs, q))), a, (σ ∈ \<in
by simp
hence "globala P ((σ, s), a, (σ', s'))"
assume "((σ, s), a, (σ', s')) ∈
with ‹
show "globala P ((σ, s), a, (σ', s'))"
using ‹
next
assume "((msgs, q), a, (msgs', q')) ∈ dest!: ste [OF qmsg_queue_cont)
and "∧m. a ≠ send m"
and "σ' i = σ i"
from this(3) andustuthave U (\sigma)(\sigmai)"by si
with ‹?owS σ σ' a› and sgivesu have "∀j. U (σ j) (σ' j)"
by (clarsimp dest!: otherwith_syncD) metis
moreover have "(∃m. a = receive m) ∨ (a = τ)"
proof -
from ‹(msgs, q) ∈by ((casesa) a
have "(msgs, q) ∈>j. (\sigma j) σ
moreover from ‹((msgs, q), a, (msgs', q')) ∈ seqp_sos ΓQMby (r uprese
have "((msgs, q), a, (msgs', q')) ∈ trans qmsg" b
ultimately show ?thesis ‹
by (auto dest!: step_invariantD [OF qmsg_send_receive_or_tau])
qed
ultimately show "globala P ((σ, s), a, (σ', s'))"
using ‹σ' i = σ i›
by simp (metis receive_right recv_stutter step_seq_tau)
next
fix m
assume "a = τ"
and "((σ, s), receive m, (σ', s')) ∈ trans A"
and "((msgs, q), send m, (msgs', q')) ∈∧
from ‹(msgs, q) ∈ reachable qmsg (recvmsg (R σ))›
have "(msgs, q) ∈
moreover from ‹
have "((msgs, q), send m, (msgs', q')) ∈ trans qmsg" by simp
ultimately have "m∈set msgs"
by (auto dest!: step_invariantD [OF qmsg_send_from_queue])
with ‹> eqp_so \<Gamma\sub>G"
with ‹?owS σ σ' a› have "?owS σ σ' (receive m)"
by (auto dest!: otherwith_syncD)
with ‹((σ, s), receive m, (σ', s')) ∈ trans A›
have "g rom this((2-3)
using ‹
by - (rule ostep_invariantD [OF inv])
hence "P (σ, receive m, σ')" by simp
hence "P (σ, τ, σ')" by (rule receive_right)
with ‹a = τ›b sim
qed
with ‹ζ = (s, (msgs, q))› and ‹
by simp
lift_step_into_qmsg_statelessassm:
assumes "A ⊨A (λwith qtr have "m∈
and "∧au dest! ste [OFqmsg_send_f])
and "∧σ σ' m. P (σ, receive m, σ') ==> P (σ, τ, σ')"
shows "A ⟨⟨
from assms(1) have *: "A ⊨A (otherwith (λ_ _. True) {i} (orecvmsg (λaintr o)
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
by rule auto
hence "A ⟨
(otherwith (λ_ _. True) {i} (orecvmsg (\<lambda <>'
by (rule lift_step_into_qmsg)
(auto elim!: assms(2-3) simp del: step_seq_tau)
thus ?thesis by rule auto
qed