Theory Step_vpeq_weakly_step_consistent

subsection ‹Weak step consistency›

theory Step_vpeq_weakly_step_consistent
  imports Step Step_invariants Step_vpeq
begin


text ‹The notion of weak step consistency is common usage. We augment it by assuming that the @{term atomic_step_invariant} holds (see~cite"Verbeek2013").›

subsubsection ‹Weak step consistency of auxiliary functions›

lemma ipc_precondition_weakly_step_consistent:
  assumes eq_tid: "vpeq (partition tid) s1 s2"
      and inv1: "atomic_step_invariant s1"
      and inv2: "atomic_step_invariant s2"
    shows "ipc_precondition tid dir partner page s1 = ipc_precondition tid dir partner page s2"
proof -
  let ?sender = "case dir of SEND  tid | RECV  partner"
  let ?receiver = "case dir of SEND  partner | RECV  tid"
  let ?local_access_mode = "case dir of SEND  READ | RECV  WRITE"
  let ?A = "sp_impl_subj_subj s1 (partition ?sender) (partition ?receiver)
             = sp_impl_subj_subj s2 (partition ?sender) (partition ?receiver)"
  let ?B = "sp_impl_subj_obj s1 (partition tid) (PAGE page) ?local_access_mode
         = sp_impl_subj_obj s2 (partition tid) (PAGE page) ?local_access_mode"
 
  have A: "?A"
    proof (cases "Policy.sp_spec_subj_subj (partition ?sender) (partition ?receiver)")
      case True
        thus ?A
          using eq_tid unfolding vpeq_def vpeq_subj_subj_def
          by (simp split: ipc_direction_t.splits)
      next case False
        have "sp_subset s1" and "sp_subset s2"
          using inv1 inv2 unfolding atomic_step_invariant_def sp_subset_def by auto
        hence "¬ sp_impl_subj_subj s1 (partition ?sender) (partition ?receiver)"
          and "¬ sp_impl_subj_subj s2 (partition ?sender) (partition ?receiver)"
          using False unfolding sp_subset_def by auto 
        thus ?A by auto
    qed
  have B: "?B"
    proof (cases "Policy.sp_spec_subj_obj (partition tid) (PAGE page) ?local_access_mode")
      case True
        thus ?B
          using eq_tid unfolding vpeq_def vpeq_subj_obj_def
          by (simp split: ipc_direction_t.splits)
      next case False
        have "sp_subset s1" and "sp_subset s2"
          using inv1 inv2 unfolding atomic_step_invariant_def sp_subset_def by auto
        hence "¬ sp_impl_subj_obj s1 (partition tid) (PAGE page) ?local_access_mode"
          and "¬ sp_impl_subj_obj s2 (partition tid) (PAGE page) ?local_access_mode"
          using False unfolding sp_subset_def by auto 
        thus ?B by auto
    qed
  show ?thesis using A B unfolding ipc_precondition_def by auto
qed

lemma ev_signal_precondition_weakly_step_consistent:
  assumes eq_tid: "vpeq (partition tid) s1 s2"
      and inv1: "atomic_step_invariant s1"
      and inv2: "atomic_step_invariant s2"
    shows "ev_signal_precondition tid partner s1 = ev_signal_precondition tid partner s2"
proof -
  let ?A = "sp_impl_subj_subj s1 (partition tid) (partition partner)
             = sp_impl_subj_subj s2 (partition tid) (partition partner)"
  have A: "?A"
    proof (cases "Policy.sp_spec_subj_subj (partition tid) (partition partner)")
      case True
        thus ?A
          using eq_tid unfolding vpeq_def vpeq_subj_subj_def
          by (simp split: ipc_direction_t.splits)
      next case False
        have "sp_subset s1" and "sp_subset s2"
          using inv1 inv2 unfolding atomic_step_invariant_def sp_subset_def by auto
        hence "¬ sp_impl_subj_subj s1 (partition tid) (partition partner)"
          and "¬ sp_impl_subj_subj s2 (partition tid) (partition partner)"
          using False unfolding sp_subset_def by auto 
        thus ?A by auto
    qed
  show ?thesis using A unfolding ev_signal_precondition_def by auto
qed


lemma set_object_value_consistent:
  assumes eq_obs: "vpeq u s1 s2"
    shows "vpeq u (set_object_value x y s1) (set_object_value x y s2)"
proof -
  let ?s1' = "set_object_value x y s1" and ?s2' = "set_object_value x y s2"
  have E1: "vpeq_obj u ?s1' ?s2'"
    proof -
      { fix x'
        assume 1: "Policy.sp_spec_subj_obj u x' READ"
        have "obj ?s1' x' = obj ?s2' x'" proof (cases "x = x'")
          case True
            thus "obj ?s1' x' = obj ?s2' x'" unfolding set_object_value_def by auto
          next case False
            hence 2: "obj ?s1' x' = obj s1 x'"
              and 3: "obj ?s2' x' = obj s2 x'"
              unfolding set_object_value_def by auto
            have 4: "obj s1 x' = obj s2 x'"
              using 1 eq_obs unfolding vpeq_def vpeq_obj_def by auto
            from 2 3 4 show "obj ?s1' x' = obj ?s2' x'"
              by simp
          qed }
      thus "vpeq_obj u ?s1' ?s2'" unfolding vpeq_obj_def by auto
    qed
  have E4: "vpeq_subj_subj u ?s1' ?s2'"
    proof -
      have "sp_impl_subj_subj ?s1' = sp_impl_subj_subj s1"
       and "sp_impl_subj_subj ?s2' = sp_impl_subj_subj s2"
        unfolding set_object_value_def by auto
      thus "vpeq_subj_subj u ?s1' ?s2'"
        using eq_obs unfolding vpeq_def vpeq_subj_subj_def by auto
    qed
  have E5: "vpeq_subj_obj u ?s1' ?s2'"
    proof -
      have "sp_impl_subj_obj ?s1' = sp_impl_subj_obj s1"
       and "sp_impl_subj_obj ?s2' = sp_impl_subj_obj s2"
        unfolding set_object_value_def by auto
      thus "vpeq_subj_obj u ?s1' ?s2'"
        using eq_obs unfolding vpeq_def vpeq_subj_obj_def by auto
    qed
  from eq_obs have E6: "vpeq_local u ?s1' ?s2'"
  unfolding vpeq_def vpeq_local_def set_object_value_def
   by simp
  from E1 E4 E5 E6
    show ?thesis unfolding vpeq_def 
    by auto
qed

subsubsection ‹Weak step consistency of atomic step functions›

lemma ipc_weakly_step_consistent:
  assumes eq_obs: "vpeq u s1 s2"
      and eq_act: "vpeq (partition tid) s1 s2"
      and inv1:   "atomic_step_invariant s1"
      and inv2:   "atomic_step_invariant s2"
      and prec1: "atomic_step_precondition s1 tid ipt"
      and prec2: "atomic_step_precondition s1 tid ipt"
      and ipt_case: "ipt = SK_IPC dir stage partner page"
    shows "vpeq u
                (atomic_step_ipc tid dir stage partner page s1)
                (atomic_step_ipc tid dir stage partner page s2)"
proof -
  have " mypage .  dir = SEND; stage = BUF mypage   ?thesis"
    proof -
      fix mypage
      assume dir_send: "dir = SEND"
      assume stage_buf: "stage = BUF mypage"
      have "Policy.sp_spec_subj_obj (partition tid) (PAGE page) READ"
        using inv1 prec1 dir_send stage_buf ipt_case
        unfolding atomic_step_invariant_def sp_subset_def
        unfolding atomic_step_precondition_def ipc_precondition_def opposite_ipc_direction_def
        by auto
      hence "obj s1 (PAGE page) = obj s2 (PAGE page)"
        using eq_act unfolding vpeq_def vpeq_obj_def vpeq_local_def
        by auto        
      thus "vpeq u
                (atomic_step_ipc tid dir stage partner page s1)
                (atomic_step_ipc tid dir stage partner page s2)"
        using dir_send stage_buf eq_obs set_object_value_consistent
        unfolding atomic_step_ipc_def
        by auto
    qed
  thus ?thesis
    using eq_obs unfolding atomic_step_ipc_def
    by (cases "stage", auto, cases "dir", auto)
qed

lemma ev_wait_one_weakly_step_consistent:
  assumes eq_obs: "vpeq u s1 s2"
      and eq_act: "vpeq (partition tid) s1 s2"
      and inv1:   "atomic_step_invariant s1"
      and inv2:   "atomic_step_invariant s2"
      and prec1: "atomic_step_precondition s1 (current s1) ipt"
      and prec2: "atomic_step_precondition s1 (current s1) ipt"
    shows "vpeq u
                (atomic_step_ev_wait_one tid  s1)
                (atomic_step_ev_wait_one tid  s2)"
    using assms
    unfolding vpeq_def vpeq_subj_subj_def vpeq_obj_def vpeq_subj_obj_def vpeq_local_def
              atomic_step_ev_wait_one_def
    by simp
    
lemma ev_wait_all_weakly_step_consistent:
  assumes eq_obs: "vpeq u s1 s2"
      and eq_act: "vpeq (partition tid) s1 s2"
      and inv1:   "atomic_step_invariant s1"
      and inv2:   "atomic_step_invariant s2"
      and prec1: "atomic_step_precondition s1 (current s1) ipt"
      and prec2: "atomic_step_precondition s1 (current s1) ipt"
    shows "vpeq u
                (atomic_step_ev_wait_all tid  s1)
                (atomic_step_ev_wait_all tid  s2)"
    using assms
    unfolding vpeq_def vpeq_subj_subj_def vpeq_obj_def vpeq_subj_obj_def vpeq_local_def
              atomic_step_ev_wait_all_def
    by simp
   

lemma ev_signal_weakly_step_consistent:
  assumes eq_obs: "vpeq u s1 s2"
      and eq_act: "vpeq (partition tid) s1 s2"
      and inv1:   "atomic_step_invariant s1"
      and inv2:   "atomic_step_invariant s2"
      and prec1: "atomic_step_precondition s1 (current s1) ipt"
      and prec2: "atomic_step_precondition s1 (current s1) ipt"
    shows "vpeq u
                (atomic_step_ev_signal tid partner s1)
                (atomic_step_ev_signal tid partner s2)"
    using assms
    unfolding vpeq_def vpeq_subj_subj_def vpeq_obj_def vpeq_subj_obj_def vpeq_local_def
              atomic_step_ev_signal_def
    by simp

text ‹The use of @{term extend_f} is to provide infrastructure to support use in dynamic policies, currently not used.›
 
definition extend_f :: "(partition_id_t  partition_id_t  bool)  (partition_id_t  partition_id_t  bool)  (partition_id_t  partition_id_t  bool)" where
  "extend_f f g  λ p1 p2 . f p1 p2  g p1 p2"

definition extend_subj_subj :: "(partition_id_t  partition_id_t  bool)  state_t  state_t" where
  "extend_subj_subj f s  s  sp_impl_subj_subj := extend_f f (sp_impl_subj_subj s) "
  
lemma extend_subj_subj_consistent:
  fixes f :: "partition_id_t  partition_id_t  bool"
  assumes "vpeq u s1 s2"
  shows "vpeq u (extend_subj_subj f s1) (extend_subj_subj f s2)"
proof -
  let ?g1 = "sp_impl_subj_subj s1" and ?g2 = "sp_impl_subj_subj s2"
  have " v . Policy.sp_spec_subj_subj u v  ?g1 u v = ?g2 u v"
   and " v . Policy.sp_spec_subj_subj v u  ?g1 v u = ?g2 v u"
    using assms unfolding vpeq_def vpeq_subj_subj_def by auto
  hence " v . Policy.sp_spec_subj_subj u v  extend_f f ?g1 u v = extend_f f ?g2 u v"
    and " v . Policy.sp_spec_subj_subj v u  extend_f f ?g1 v u = extend_f f ?g2 v u"
    unfolding extend_f_def by auto
  hence 1: "vpeq_subj_subj u (extend_subj_subj f s1) (extend_subj_subj f s2)"
    unfolding vpeq_subj_subj_def extend_subj_subj_def
    by auto
  have 2: "vpeq_obj u (extend_subj_subj f s1) (extend_subj_subj f s2)"
    using assms unfolding vpeq_def vpeq_obj_def extend_subj_subj_def by fastforce
  have 3: "vpeq_subj_obj u (extend_subj_subj f s1) (extend_subj_subj f s2)"
    using assms unfolding vpeq_def vpeq_subj_obj_def extend_subj_subj_def by fastforce
 have 4: "vpeq_local u (extend_subj_subj f s1) (extend_subj_subj f s2)"
    using assms unfolding vpeq_def vpeq_local_def extend_subj_subj_def by fastforce
  from 1 2 3 4 show ?thesis
    using assms unfolding vpeq_def by fast
qed


subsubsection ‹Summary theorems on view-partitioning weak step consistency›

text ‹The atomic step is weakly step consistent with view partitioning.
 Here, the ``weakness'' is that we assume that the two states are vp-equivalent
 not only w.r.t. the observer domain @{term u}, but also w.r.t. the caller
 domain @{term "partition tid"}).›

theorem atomic_step_weakly_step_consistent:
  assumes eq_obs: "vpeq u s1 s2"
      and eq_act: "vpeq (partition (current s1)) s1 s2"
      and inv1:   "atomic_step_invariant s1"
      and inv2:   "atomic_step_invariant s2"
      and prec1: "atomic_step_precondition s1 (current s1) ipt"
      and prec2: "atomic_step_precondition s2 (current s2) ipt"
      and eq_curr: "current s1 = current s2"
  shows "vpeq u (atomic_step s1 ipt) (atomic_step s2 ipt)"
proof -
  show ?thesis
    using assms 
          ipc_weakly_step_consistent
          ev_wait_all_weakly_step_consistent
          ev_wait_one_weakly_step_consistent
          ev_signal_weakly_step_consistent
          vpeq_refl
    unfolding atomic_step_def
    apply (cases ipt, auto)
    apply  (simp split: ev_consume_t.splits ev_wait_stage_t.splits)
    by  (simp split: ev_signal_stage_t.splits)
   qed
end