(* JS May 2009 Formalisation of the invariants in the proof of the WSN of CHESS Checking Frits' proof about fully connected WSNs *) header{*Analysis of a Clock Synchronization Protocol for Wireless Sensor Networks*} theory chess_wsn imports Main "$ISABELLE_HOME/src/HOL/Real/Real" "$ISABELLE_HOME/src/HOL/Divides" "$ISABELLE_HOME/src/HOL/IntDef" begin section{*Parameters and their Constrains*} (* begin general types and constants of the WSN *) text{* In this section, we define the main parameters of the protocol and their constrains. *} subsection{*Main constraints*} text{* We first define the types of the main variables and parameters*} types time = real -- "our time domain" clock = real -- "type of clock vars" WSN_state = nat -- "one node state" SYN_state = nat -- "one synchronizer state" t_csn = int -- "current slot number " t_tsn = int -- "transmission slot number" hw_clock = int -- "type of logical clock" (* what we need is a notion of global state. We have a function for each location*) gWSN_state = "int \ WSN_state" -- "state of node k" gSYN_state = "int \ SYN_state" -- "state of synchronizer of node k" gt_csn = "int \ t_csn" -- "csn of node k" ghw_clk = "int \ hw_clock" -- "logical clock of node k" gclock = "int \ clock" -- "clock variable of node k" gt_tsn = "int \ t_tsn" -- "tsn of node k" g_c = "int \ int" -- "c variable of node k" text{* below are the main parameters *} consts N :: int --" total number of nodes" n :: int --" number of active slots" g :: int --" guardtime" t :: int --"end time (tail) after transmission" max :: time --"max value before clock tick" min :: time --"min value before clock tick" C :: int --"number of slots in a frame" k0 :: int --"number of ticks per slot" (* constraints on all the parameters -- we put them in a locale *) text{*We now define the states of a node and a synchronizer*} constdefs wait :: nat --"initial location of a WSN Node" "wait \ 0" GO_SEND :: nat --"successor state of init" "GO_SEND \ 1" SENDING :: nat --"successor state of GO_SEND" "SENDING \ 2" S_0 :: nat --"initial location of SYNCHRONIZER" "S_0 \ 3" S_1 :: nat --"second location of SYNCHRONIZER" "S_1 \ 4" text{*We load the definitions of the states in the simplifier.*} declare wait_def [simp] GO_SEND_def [simp] SENDING_def [simp] S_0_def [simp] S_1_def [simp] text{*We now group the constraints on the parameters in a locale.*} text{* we define tsn_max as the largest slot number s that is a transmitting slot *} text{*For a slots s, predicate TX(s) holds iff some node is transmitting in s. Note that here we have to define TX as a total function. *} constdefs TX :: "int \ gt_tsn \ bool" "TX s tsn \ (\i. tsn i = s)" constdefs is_max_tsn :: "int \ gt_tsn \ bool" "is_max_tsn tsn_max tsn \ tsn_max \ N \ (\ i. (i \ tsn_max \ tsn tsn_max > tsn i) \ TX (tsn tsn_max) tsn (*tsn tsn_max is a TX slot*))" text{* For a node x, there is a slot in which s is transmitting. *} constdefs TX_node:: "int \ gt_tsn \ bool" "TX_node x tsn \ (\ s. tsn x = s )" locale WSN_p = fixes tsn::gt_tsn fixes csn::gt_csn fixes clk::ghw_clk fixes WSN::gWSN_state fixes SYN::gSYN_state fixes tsn_max::int assumes is_max_tsn_max: "is_max_tsn tsn_max tsn" assumes miax : "0 < min \ min \ max" assumes pos_g : "0 < t \ 0 < g \ g + t + 2 \ k0" assumes mutex_tsn: "\ i (* \ N*). \ j(* \ N*). (i \ j \ tsn i \ tsn j)" assumes slots_node: "3 \ N \ N \ n \ n \ C" assumes tsn_restrict: "\ k. 0 \ tsn k \ tsn k < n" assumes WSN_st_restrict: "\ k. WSN k = wait \ WSN k = GO_SEND \ WSN k = SENDING" assumes SYN_st_restrict: "\ k. SYN k = S_0 \ SYN k = S_1" assumes TX_node_3: "\i\2. TX_node i tsn" assumes TX_0: "TX 0 tsn" text{* For any slot s, PREV(s) denotes the nearest slot preceding s (cyclically) in which some node is transmitting. *} lemma at_least_two: assumes hyp: "(i::int) < (j ::int) \ k < i \ 0 \ k" shows "j \ 2" using hyp by auto lemma (in WSN_p) threenodes_and_tsn_max_3: -- "this lemma shows that there are at least 3 transmitting slots" -- "and therefore our tsn tsn_max is at least equal to 2." shows "tsn tsn_max \ 2 \ (\ i. 0 < i \ i < n - 1 \ TX i tsn)" -- "in the last term, i is a slot number. It shows that there is at " -- "least one transmitting slot between slot 0 and slot n - 1" proof - -- "we first extract that there are 3 transmitting slots" (*i,j, and k are slot numbers*) from TX_node_3 have "TX_node 0 tsn" by auto then obtain i where "tsn 0 = i" by simp note tsn_i = this then have "TX i tsn" by (auto simp add: TX_def) note TX_i = this from TX_node_3 have "TX_node 1 tsn" by auto then obtain j where "tsn 1 = j" by simp note tsn_j = this then have "TX j tsn" by (auto simp add: TX_def) note TX_j = this from TX_node_3 have "TX_node 2 tsn" by auto then obtain k where "tsn 2 = k" by simp note tsn_k = this then have "TX k tsn" by (auto simp add: TX_def) note TX_k = this -- "we get that i, j, and k are positive" from tsn_j and tsn_restrict have "0 \ j \ j < n" by auto note pos_j = this from tsn_k and tsn_restrict have "0 \ k \ k < n" by auto note pos_k = this from tsn_i and tsn_restrict have "0 \ i \ i < n" by auto note pos_i = this -- "now we get that i,j, k are distinct" from mutex_tsn and tsn_i and tsn_j and tsn_k have "i \ j \ j \ k \ i \ k" by auto note all_distinct = this -- "which implies that all the tsn are also distinct" with mutex_tsn have "tsn i \ tsn j \ tsn j \ tsn k \ tsn i \ tsn k" by auto note all_tsn_distinct = this { assume "i > j \ j > k" with pos_i and pos_k have "0 < j \ j < n - 1" by auto with TX_j have "\ i. 0 < i \ i < n - 1 \ TX i tsn" by auto } moreover { assume "i > k \ k > j" with pos_i and pos_j have "0 < k \ k < n - 1" by auto with TX_k have "\ i. 0 < i \ i < n - 1 \ TX i tsn" by auto } moreover { assume "j > i \ i > k" with pos_j and pos_k have "0 < i \ i < n - 1" by auto with TX_i have "\ i. 0 < i \ i < n - 1 \ TX i tsn" by auto } moreover { assume "j > k \ k > i" with pos_j and pos_i have "0 < k \ k < n - 1" by auto with TX_k have "\ i. 0 < i \ i < n - 1 \ TX i tsn" by auto } moreover { assume "k > i \ i > j" with pos_k and pos_j have "0 < i \ i < n - 1" by auto with TX_i have "\ i. 0 < i \ i < n - 1 \ TX i tsn" by auto } moreover { assume "k > j \ j > i" with pos_k and pos_i have "0 < j \ j < n - 1" by auto with TX_j have "\ i. 0 < i \ i < n - 1 \ TX i tsn" by auto } moreover from all_distinct have " (i > j \ j > k) \ (i > k \ k > j) \ (j > i \ i > k) \ (j > k \ k > i) \ (k > i \ i > j) \ (k > j \ j > i)" by auto ultimately have "\ i. 0 < i \ i < n - 1 \ TX i tsn" by auto note second_term = this -- "we define our case analysis" from all_tsn_distinct have " (tsn i > tsn j \ tsn j > tsn k) \ (tsn i > tsn k \ tsn k > tsn j) \ (tsn j > tsn i \ tsn i > tsn k) \ (tsn j > tsn k \ tsn k > tsn i) \ (tsn k > tsn i \ tsn i > tsn j) \ (tsn k > tsn j \ tsn j > tsn i)" by auto -- "we now prove our thesis for each case" moreover { assume "tsn i > tsn j \ tsn j > tsn k \ (tsn i > tsn k \ tsn k > tsn j)" note case1 = this from tsn_restrict have "tsn k \ 0" by auto note tsn_k_pos = this from tsn_restrict have "tsn j \ 0" by auto with case1 and at_least_two and tsn_k_pos have "tsn i \ 2" by auto note tsn_at_least_two = this have ?thesis proof (cases "i = tsn_max") case True note i_is_tsn_max = this with tsn_at_least_two and second_term show ?thesis by simp next case False with tsn_at_least_two and is_max_tsn_max and second_term show ?thesis by (auto simp add: is_max_tsn_def) qed } moreover { assume "(tsn j > tsn i \ tsn i > tsn k) \ (tsn j > tsn k \ tsn k > tsn i)" note case1 = this from tsn_restrict have "tsn k \ 0" by auto note tsn_k_pos = this from tsn_restrict have "tsn i \ 0" by auto with case1 and at_least_two and tsn_k_pos have "tsn j \ 2" by auto note tsn_at_least_two = this have ?thesis proof (cases "j = tsn_max") case True with tsn_at_least_two and second_term show ?thesis by (auto simp add: TX_def) next case False with tsn_at_least_two and is_max_tsn_max and second_term show ?thesis by (auto simp add: is_max_tsn_def) qed } moreover { assume "(tsn k > tsn i \ tsn i > tsn j) \ (tsn k > tsn j \ tsn j > tsn i)" note case1 = this from tsn_restrict have "tsn j \ 0" by auto note tsn_k_pos = this from tsn_restrict have "tsn i \ 0" by auto with case1 and at_least_two and tsn_k_pos have "tsn k \ 2" by auto note tsn_at_least_two = this have ?thesis proof (cases "k = tsn_max") case True with tsn_at_least_two and second_term show ?thesis by (auto simp add: TX_def) next case False with tsn_at_least_two and is_max_tsn_max and second_term show ?thesis by (auto simp add: is_max_tsn_def) qed } ultimately show ?thesis by auto qed lemma (in WSN_p) tsn_max_3: -- "this lemma shows that there are at least 3 transmitting slots" -- "and therefore our tsn tsn_max is at least equal to 2." shows "tsn tsn_max \ 2" using threenodes_and_tsn_max_3 by auto consts PREV1 :: "nat \ int \ gt_tsn \ nat" primrec "PREV1 0 tsn_max tsn = nat (tsn tsn_max)" "PREV1 (Suc x) tsn_max tsn = (if (TX (int x) tsn) then x else PREV1 x tsn_max tsn)" text{* PREV is defined such that if s = 0 or if s is greater than the largest transmitting slot, PREV(s) = this largest TX slot (tsn tsn_max). Otherwise, PREV is the recursive function PREV1. *} constdefs PREV:: "int \ int \ gt_tsn \ int" "PREV x tsn_max tsn \ (if (x = 0 \ x \ n ) then (tsn tsn_max) else int (PREV1 (nat x) tsn_max tsn))" (* constdefs PREV :: "nat \ gt_tsn \ nat" "PREV k tsn \ PREV1 (k mod C) tsn" *) text{* For slots s and t, from(s,t) denotes the (cyclic) distance from s to t. *} constdefs from_slot:: "int \ int \ int" "from_slot k s \ (if (k \ s) then s - k else (C - s - k))" (*this definition just removes the call to modulo *) constdefs D ::"int \ int \ gt_tsn \ int" "D s tsn_max tsn \ from_slot (PREV s tsn_max tsn) s" constdefs is_max_D :: "int \ int \ gt_tsn \ bool" "is_max_D s tsn_max tsn \ s \ 0 \ (\ d. s \ D d tsn_max tsn )" (* end general types and constants of the WSN *) (* begin transition equations *) subsection{*Additional constraints*} text{*We claim that - on top of the constraints listed above - necessary and sufficient conditions for correctness are the following*} locale All_Constraints = WSN_p + fixes M::int assumes M_is_max: "is_max_D M tsn_max tsn" assumes C1: "(real M) * (real k0) * max < ( ((real M) + 1::real) * (real k0) - (real g) - 2::real) * min" assumes C2: "((real M) * (real k0) - (real g)) * max < ((real M) * (real k0) - 1::real) * min" assumes C3: "(real k0 - real t - real g) * max < (-1 + (real k0 + - real g)) * min" subsection{*Consequences of the constraints*} lemma (in WSN_p) TX_tsn_imp_less_n: shows "TX s tsn \ s < n" using tsn_restrict by (auto simp add: TX_def) lemma (in WSN_p) TX_n_imp_max_n: shows "TX (n - 1) tsn \ tsn tsn_max = n - 1" using tsn_restrict is_max_tsn_max apply (auto simp add: TX_def is_max_tsn_def) apply (frule_tac x = ia in spec) apply (drule_tac x = tsn_max in spec) apply (drule_tac x = ia in spec) apply auto done lemma (in WSN_p) TX_diff_C_imp_C_is_n: shows "TX (C - 1) tsn \ C - 1 = n - 1" using tsn_restrict and slots_node apply (auto simp add: TX_def) apply (drule_tac x = i in spec) apply auto done lemma (in WSN_p) PREV1_TX1: assumes hyp: "TX (int x) tsn" shows "PREV1 (x + 1) tsn_max tsn = x" using hyp proof (induct x) case 0 with slots_node and tsn_max_3 show ?case by auto next case (Suc n) then show ?case by auto qed (*lemma (in WSN_p) PREV1_of_1: shows "PREV1 1 tsn_max tsn = 0" proof - from TX_0 show ?thesis by auto qed *) lemma (in WSN_p) PREV1_TX_not: assumes TX_k: "\ TX (int x) tsn" shows "PREV1 (x + 1) tsn_max tsn = PREV1 x tsn_max tsn" using TX_k and TX_0 proof (induct "x") case 0 then show ?case by auto next case (Suc n) then show ?case by auto qed lemma (in WSN_p) PREV1_less: assumes pos_x: "x > 0" shows "PREV1 x tsn_max tsn < x" using pos_x proof (induct x) case 0 then show ?case by simp next case (Suc n) note ind_hyp = this { assume "n = 0" with TX_0 have ?case by auto } moreover { assume "n > 0" with ind_hyp have ?case by auto } moreover have "n = 0 \ n > 0" by auto ultimately show ?case by auto qed lemma (in WSN_p) PREV1_TX1: -- "this lemma shows that if x is a sending slot" -- "then the prev of x cannot be the largest" -- "sending slot." assumes hyp: "x > 0 \ TX (int x) tsn" shows "PREV1 x tsn_max tsn < nat (tsn tsn_max)" proof - -- "we first get that PREV1 x < x" from hyp and PREV1_less[of "x"] have "PREV1 x tsn_max tsn < x" by auto note PREV1_less_x = this -- "then we split whether x is tsn_max or not" show ?thesis proof (cases "x = nat (tsn tsn_max)") case True with PREV1_less_x show ?thesis by simp next case False note case_false = this from hyp obtain j where "tsn j = int x" by (auto simp add: TX_def) with is_max_tsn_max and hyp and case_false have "int x < tsn tsn_max" apply (auto simp add: is_max_tsn_def) apply (drule_tac x = j in spec) apply auto done with PREV1_less_x show ?thesis by simp qed qed lemma (in WSN_p) x_is_nmin1: assumes hyp:"x < n \ n \ x + 1" shows "x = n - 1" using hyp by auto lemma (in WSN_p) PREV_TX1: assumes pos_x: "0 \ x" assumes hyp: "TX x tsn" shows "PREV (x + 1) tsn_max tsn = x" proof - from hyp and TX_tsn_imp_less_n have "x < n" by auto moreover from calculation and hyp and TX_n_imp_max_n and slots_node and pos_x show ?thesis apply (auto simp add: PREV_def) apply (insert x_is_nmin1[of x]) apply simp apply (insert PREV1_TX1[of "nat x"]) apply ( metis Bit_def Numeral.bit.simps(4) Numeral1_eq1_nat Pls_def Suc_eq_add_numeral_1 add_Pls_right hyp int_eq_iff_number_of linorder_not_le nat_add_commute nat_add_distrib nat_number_of_def number_of_is_id pos_x simps(2) zero_le_one zle_add1_eq_le zle_linear zle_trans zless_add1_eq zless_le) apply ( metis Bit_def Numeral1_eq1_nat Pls_def Suc_eq_add_numeral_1 add_Pls_right hyp int_1 int_eq_iff_number_of nat_add_commute nat_add_distrib nat_number_of_def number_of_is_id one_is_num_one pos_x simps(2) zero_zle_int) done qed lemma (in WSN_p) PREV_less: assumes pos_x: "x > 0" shows "PREV x tsn_max tsn < x" using pos_x and tsn_restrict and PREV1_less[of "nat x"] by (drule_tac x = tsn_max in spec) (auto simp add: PREV_def) lemma (in WSN_p) PREV1_TX2: assumes hyp: "TX (int y) tsn \ y < x" shows "PREV1 (x) tsn_max tsn \ y" using hyp proof (induct x) case 0 with slots_node and tsn_max_3 show ?case by auto next case (Suc n) note ind_hyp = this then show ?case proof (cases "y < n") case True with ind_hyp show ?thesis by simp next case False with ind_hyp have "y = n" by auto with ind_hyp and PREV_TX1[of "int n"] show ?thesis by auto qed qed lemma (in WSN_p) PREV1_idle: assumes tx_x: "TX (int x) tsn" assumes current: "y > x \ x \ 0" assumes idle: "\ z. z > x \ z < y \ \ TX (int z) tsn" shows "PREV1 y tsn_max tsn = x" using tx_x idle current proof (induct y) case 0 with current show ?case by simp next case (Suc n) note ind_hyp = this then show ?case proof (cases "x < n") case True with ind_hyp show ?thesis by simp next case False with ind_hyp have "x = n" by auto with ind_hyp and PREV_TX1[of "int n"] show ?thesis by auto qed qed lemma (in WSN_p) PREV1_nmin1: assumes hyp: "\ TX (n - 1) tsn" shows "int (PREV1 (nat (n - 1)) tsn_max tsn) = tsn tsn_max" proof - -- "we first prove that after tsn tsn_max there is no transmitting slot anymore" from is_max_tsn_max have "\ z. z > tsn tsn_max \ \ TX z tsn" by (auto simp add: is_max_tsn_def TX_def) then have "\ z. z > nat (tsn tsn_max) \ z < nat (n - 1) \ \ TX (int z) tsn" by auto moreover from is_max_tsn_max have "TX (tsn tsn_max) tsn" by (simp add: is_max_tsn_def) note TX_tsn_max = this moreover have "tsn tsn_max < n - 1" proof - from tsn_restrict have "tsn tsn_max < n" by auto moreover from hyp and TX_tsn_max have "tsn tsn_max \ n - 1" by auto ultimately show ?thesis by auto qed moreover from calculation and PREV1_idle[of "nat (tsn tsn_max)" "nat (n - 1)"] and tsn_max_3 show ?thesis by auto qed lemma (in WSN_p) PREV_TX_not: assumes TX_k: "\ TX x tsn" assumes pos_x: "x \ 0" shows "PREV (x + 1) tsn_max tsn = PREV x tsn_max tsn" proof (cases "x \ n") case True then show ?thesis by (auto simp add: PREV_def) next case False note case_false = this then have "x + 1 \ n" by auto note x_plus1_leq_n = this from TX_0 and TX_k have "x \ 0" by auto note x_not_0 = this with pos_x have "nat (x + 1) = nat x + 1" by auto note nat_x = this show ?thesis proof (cases "n = x + 1") case False with case_false and x_plus1_leq_n and tsn_max_3 and TX_k and PREV1_TX_not[of "nat x"] and pos_x and TX_0 and x_not_0 and nat_x show ?thesis by (simp add: PREV_def) next case True note case_true = this then have "x = n - 1" by auto note x_nmin1 = this with TX_k have "\ TX (n - 1) tsn" by simp note tx_not_k = this with PREV1_nmin1 and slots_node and TX_0 and case_false and case_true and x_nmin1 show ?thesis by (simp add: PREV_def) qed qed lemma (in WSN_p) PREV_TX2: assumes pos_x: "x > y \ TX y tsn \ y \ 0" shows "PREV x tsn_max tsn \ y" using pos_x proof (cases "x < n") case True with pos_x and PREV1_TX2[of "nat y" "nat x"] show ?thesis by (simp add: PREV_def) next case False with pos_x and is_max_tsn_max show ?thesis apply (simp add: PREV_def is_max_tsn_def) apply (auto simp add: TX_def) done qed lemma (in WSN_p) PREV1_nmin1_ge1: -- "should be true because we have at least 3 transmitting nodes" assumes hyp: "x \ nat (n - 1)" shows "PREV1 x tsn_max tsn \ 1" proof (cases "x > nat (n - 1)") case True then have "x \ nat n" by auto moreover from tsn_restrict have "tsn tsn_max < n" by auto moreover from calculation and slots_node have "nat (tsn tsn_max) < x" by auto moreover from is_max_tsn_max have "TX (tsn tsn_max) tsn" by (auto simp add: is_max_tsn_def) moreover from calculation and PREV1_TX2[of "nat (tsn tsn_max)" "x"] and tsn_max_3 show ?thesis by simp next case False with hyp have "x = nat (n - 1)" by auto moreover from threenodes_and_tsn_max_3 obtain j where "0 < j \ j < n - 1 \ TX j tsn" by auto moreover from calculation and PREV1_TX2[of "nat j" "x"] show ?thesis by auto qed lemma (in WSN_p) PREV1_not_x: shows "PREV1 x tsn_max tsn \ x" proof (induct x) case 0 with tsn_max_3 show ?case by auto next case (Suc n) note ind_hyp = this { assume "n = 0" with TX_0 have ?case by simp } moreover { assume "n > 0" with ind_hyp and PREV1_less[where x = n] have ?case by auto } moreover have "n = 0 \ n > 0" by auto ultimately show ?case by auto qed lemma (in WSN_p) PREV_pos: shows "PREV s tsn_max tsn \ 0" using tsn_max_3 tsn_restrict proof (cases "0 < s \ s < n") case True then show ?thesis by (auto simp add: PREV_def) next case False with tsn_max_3 show ?thesis by (auto simp add: PREV_def) qed lemma (in WSN_p) PREV_not_x: shows "PREV s tsn_max tsn \ s" using tsn_max_3 tsn_restrict proof (cases "0 < s \ s < n") case True with PREV1_not_x[where x = "nat s"] show ?thesis by (auto simp add: PREV_def) next case False with tsn_max_3 and tsn_restrict show ?thesis by (auto simp add: PREV_def) qed lemma (in WSN_p) Prev1_less_n: shows "int (PREV1 x tsn_max tsn) < n" proof (induct x) case 0 with tsn_restrict show ?case by auto next case (Suc n) with TX_tsn_imp_less_n show ?case by auto qed lemma (in WSN_p) D_ge_1: assumes hyp: "s \ 0" shows "D s tsn_max tsn \ 1" proof (cases "s = 0") case True with slots_node and tsn_restrict and tsn_max_3 show ?thesis apply (auto simp add: D_def PREV_def from_slot_def) apply (drule_tac x = tsn_max in spec) apply auto done next case False with hyp and slots_node and TX_tsn_imp_less_n[where s = n] and tsn_restrict and PREV1_less[where x = "nat s"] and PREV1_not_x[of "nat s"] show ?thesis apply (auto simp add: D_def) apply (drule_tac x = tsn_max in spec) apply (auto simp add: PREV_def from_slot_def) done qed lemma (in All_Constraints) M_ge_1: shows "M \ 1" using D_ge_1[of s] and M_is_max and TX_0 apply (auto simp add: is_max_D_def) apply (drule_tac x = s in spec) apply (metis D_ge_1 M_is_max PREV_def all_nat ex_nat int_0_neq_1 int_one_le_iff_zero_less is_max_D_def min_max.ge_sup_conv min_max_01 zle_anti_sym zle_linear zless_le) done lemma (in All_Constraints) Lemma1: assumes hyp: "m \ (real M)" shows "m * (real k0) * max < ((m + 1::real) * (real k0) - (real g) - 2::real) * min" proof - from miax and pos_g have "( ((real M) + 1::real) * (real k0) - (real g) - 2::real) * min = ((real M) * (real k0) + (real k0) - (real g) - 2::real) * min" by (simp add: left_distrib) also have "\ = ((real M) * (real k0) + ((real k0) - (real g) - 2::real)) * min" by simp also from miax and pos_g have "\ = (real M) * (real k0) * min + ((real k0) - (real g) - 2::real) * min" by (simp add: left_distrib) finally have "( ((real M) + 1::real) * (real k0) - (real g) - 2::real) * min = (real M) * (real k0) * min + ((real k0) - (real g) - 2::real) * min" by simp with C1 and miax and pos_g have "(real M) * (real k0) * max < (real M) * (real k0) * min + ((real k0) - (real g) - 2::real) * min" by simp then have "(real M) * (real k0) * max - (real M) * (real k0) * min < ((real k0) - (real g) - 2::real) * min" by simp moreover from pos_g and miax have "(real M) * (real k0) * max - (real M) * (real k0) * min = (real M) * (real k0) * (max - min)" by (simp add: right_diff_distrib) ultimately have "(real M) * (real k0) * (max - min) < ((real k0) - (real g) - 2::real) * min" by simp moreover with hyp and pos_g have "m * (real k0) \ (real M) * (real k0) " by simp with pos_g and miax have "m * (real k0) * (max - min) \ (real M) * (real k0) * (max - min)" by (simp add: mult_right_mono) moreover from calculation and pos_g and miax have "m * (real k0) * (max - min) < ((real k0) - (real g) - 2::real) * min" by simp moreover from pos_g and miax have "m * (real k0) * (max - min) = m * (real k0) * max - m * (real k0) * min" by (simp add: right_diff_distrib) ultimately have "m * (real k0) * max - m * (real k0) * min < ((real k0) - (real g) - 2::real) * min" by simp then have "m * (real k0) * max < m * (real k0) * min + ((real k0) - (real g) - 2::real) * min" by simp moreover with pos_g and miax have "m * (real k0) * min + ((real k0) - (real g) - 2::real) * min = (m * (real k0) + ((real k0) - (real g) - 2::real)) * min" by (simp add: left_distrib) then have " m * (real k0) * min + ((real k0) - (real g) - 2::real) * min = (m * (real k0) + (real k0) - (real g) - 2::real) * min" by simp ultimately show ?thesis by (simp add: left_distrib) qed lemma (in All_Constraints) Lemma2: assumes hyp: "m \ (real M)" shows "(m * (real k0) - (real g)) * max < (m * real k0 - 1) * min" proof - { -- "we first prove that m * k0 (max - min) \ M * k0 (max - min)" from hyp and pos_g have "m * (real k0) \ (real M) * (real k0) " by simp with pos_g and miax have "m * (real k0) * (max - min) \ (real M) * (real k0) * (max - min)" by (simp add: mult_right_mono) } note 1 = this -- "we expand the constraint" { from pos_g and miax have "((real M) * (real k0) - (real g)) * max = (real M) * (real k0) * max - (real g) * max" by (simp add: left_diff_distrib) moreover from pos_g and miax have "((real M) * (real k0) - 1::real) * min = (real M) * (real k0) * min - min" by (simp add: left_diff_distrib) moreover from calculation and C2 have "(real M) * (real k0) * max - (real g) * max < (real M) * (real k0) * min - min" by simp then have "(real g) * max - (real M) * (real k0) * max > min - (real M) * (real k0) * min " by simp then have "(real g) * max - min > (real M) * (real k0) * max - (real M) * (real k0) * min " by simp then have "(real g) * max - min > (real M) * (real k0) * (max - min) " by (simp add: right_diff_distrib) } note 2 = this from 1 and 2 have "(real g) * max - min > m * (real k0) * (max - min)" by simp then have "(real g) * max - min > m * (real k0) * max - m * (real k0) * min" by (simp add: right_diff_distrib) then have "(real g) * max - m * (real k0) * max > min - m * (real k0) * min" by simp then have "m * (real k0) * max - (real g) * max < m * (real k0) * min - min " by simp with pos_g and miax have "(m * (real k0) - (real g)) * max < (m * real k0 - 1) * min " by (simp add: left_diff_distrib) then show ?thesis by simp qed constdefs c :: "int \ gt_csn \ gSYN_state \ ghw_clk \ int \ int" "c k csn SYN clk last_slot \ (if (last_slot = -1) then (clk k) else (if (SYN k = S_1) then 0 else (from_slot last_slot (csn k)) * k0 + (clk k) - g))" section{* UPPAAL Model in Isabelle/HOL *} text{* In this section, we formalize the equations of the UPPAAL model. *} subsection{* Initial state *} text{* Initial state of a WSN k is the node ID x is the clock of node x y is the global clock remembering the time elapsed since the last synchronization WSN is the current state of the node SYN is the current state of the synchronizer csn is the current slot numnber clk is the current value of counter clk last_slot is the current value of global variable last *} constdefs WSN_State_Init :: "int\ gclock \ clock \ gWSN_state \ gSYN_state \ gt_csn \ ghw_clk \ int \ bool" "WSN_State_Init k x y WSN SYN csn clk last_slot \ x k = 0 \ y = 0 \ (WSN k) = wait \ (SYN k) = S_0 \ (csn k) = 0 \ (clk k) = 0 \ last_slot = -1" subsection{* Time passage actions *} text{* time passage action is global to the system and modifies the state of every node for the proof we add clock y which is reset on receiving a message we also add a flag time is the amount of delay that is possible gt_tsn gives the slot in which nodes are transmitting clock x clock y current state of the WSN current state of the synchronizer current slot number current value of counter clk current value of flag current value of b new value of clock x new value of clock y new value of WSN state new value of synchronizer state new value of slot number new value of counter clk new value of last_slot *} constdefs trans_clk :: "time \ gt_tsn (* constants *) \ gclock \ clock \ gWSN_state \ gSYN_state \ gt_csn \ ghw_clk \ int \ gclock \ clock \ gWSN_state \ gSYN_state \ gt_csn \ ghw_clk \ int \ bool" "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp \ (*state update *) (\ l::int. (*0\l \ *) (* state variables that are not changed *) WSNp l = WSN l \ SYNp l = SYN l \ csnp l = csn l \ clkp l = clk l \ last_slotp = last_slot \ (* update clock y and x*) (if (x l + d \ max) then (xp l = x l + d \ yp = y + d) else (xp l = x l \ yp = y)) \ (* conditions under which the update is done *) 0 \ d \ (* no urgen transition, there is none and no committed location *) \ (WSN l = GO_SEND) )" subsection{* Start message action*} constdefs trans_message :: (* synchonizatio on channel start_message! -- from GO_SEND to sending + synchronizer*) "int \ gt_tsn (* constants *) \ gclock \ clock \ gWSN_state \ gSYN_state \ gt_csn \ ghw_clk \ int \ gclock \ clock \ gWSN_state \ gSYN_state \ gt_csn \ ghw_clk \ int \ bool" "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp \ (* state update *) yp = 0 (*reset y*) \ WSNp k = SENDING \ last_slotp = (csn k) \ (* conditions under which the update is done -- URGENT LOCATION*) WSN k = GO_SEND \ (* global modif. : every node in an active slot sync. *) (\ l::int. (if csn l < n then (SYNp l = S_1) else (SYNp l = SYN l))) (* in the current model a sender synchronizes also with itself*) \ (* things that are unchanged in all nodes*) (\ l. xp l = x l \ csnp l = csn l \ clkp l = clk l) \ (*state of the other nodes is unchanced*) (\ l. l \ k \ WSNp l = WSN l) " subsection{* Tick action*} constdefs trans_tick :: (*In the model, we only have two possible actions. Tick or start_message *) "int \ gt_tsn (* constants *) \ gclock \ clock \ gWSN_state \ gSYN_state \ gt_csn \ ghw_clk \ int \ gclock \ clock \ gWSN_state \ gSYN_state \ gt_csn \ ghw_clk \ int \ bool" "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp \ (* state update *) xp k = 0 \ yp = y (*clock x is reset, clock y unchanged *) \ WSNp k = (if (WSN k = wait \ clk k = k0 - 1) (*transition from WAIT to WAIT*) then wait else (if (WSN k = wait \ clk k = g - 1 \ csn k = tsn k) (* transition from WAIT TO GO_SEND*) then GO_SEND else (if (WSN k = SENDING \ clk k = k0 - t - 1) (*transition from SENDING to WAIT*) then wait else WSN k) ) ) \ SYNp k = S_0 (*when the hw clock tick either SYN is in syn_0 and stays there, or it is in syn_1 and goes to syn_0*) \ csnp k = (if (WSN k = wait \ clk k = k0 - 1) then (csn k + 1) mod C else csn k) \ clkp k = (if SYN k = S_0 then (clk k + 1) mod k0 else g + 1) \ last_slotp = last_slot \ (* conditions under which the update is done *) min \ x k \ (WSN k \ GO_SEND) (* and no urgent location *) \ (* global modifications: all other states stay the same*) (\ l::int. l \ k \ xp l = x l \ yp = y \ WSNp l = WSN l \ SYNp l = SYN l \ csnp l = csn l \ clkp l = clk l \ last_slotp = last_slot)" (* end transition equations *) (* begin invariants definitions *) section{* Invariant definitions *} constdefs INV_1 :: "int \ gclock \ bool" "INV_1 k x \ 0 \ x k \ x k \ max " constdefs INV_2 :: "int \ ghw_clk \ bool" "INV_2 k clk \ 0 \ clk k \ clk k < k0" constdefs INV_3 :: "int \ gt_csn \ bool" "INV_3 k csn \ 0 \ csn k \ csn k < C" constdefs INV_4 :: "int \ gWSN_state \ gclock \ bool" "INV_4 k WSN x \ WSN k = GO_SEND \ x k = 0" constdefs INV_5 :: "int \ gWSN_state \ gt_csn \ gt_tsn => bool" "INV_5 k WSN csn tsn \ WSN k = GO_SEND \ csn k = tsn k" constdefs INV_6 :: "int \ gWSN_state \ ghw_clk \ bool" "INV_6 k WSN clk \ WSN k = GO_SEND \ (clk k = g \ clk k = g + 1)" constdefs INV_7 :: "int \ gWSN_state \ gt_csn \ gt_tsn \ bool" "INV_7 k WSN csn tsn \ WSN k = SENDING \ csn k = tsn k" constdefs INV_8 :: "int \ gWSN_state \ ghw_clk \ bool" "INV_8 k WSN clk \ WSN k = SENDING \ (g \ clk k \ clk k < k0 - t)" constdefs INV_9 :: "clock \ bool" "INV_9 y \ y \ 0" constdefs INV_10:: "int \ gSYN_state \ gclock \ clock \ bool" "INV_10 k SYN x y \ SYN k = S_1 \ y \ x k" constdefs INV_11 :: "int \ gSYN_state \ int \ bool" "INV_11 k SYN last_slot \ (last_slot = -1) \ SYN k = S_0" constdefs INV_12 :: "int \ bool" "INV_12 last_slot \ -1 \ last_slot \ last_slot < C" declare INV_1_def [simp] INV_2_def [simp] INV_3_def [simp] INV_4_def [simp] INV_5_def [simp] INV_6_def [simp] INV_7_def [simp] INV_8_def [simp] INV_9_def [simp] INV_10_def [simp] INV_11_def [simp] INV_12_def [simp] WSN_State_Init_def [simp] trans_clk_def [simp] trans_message_def [simp] trans_tick_def [simp] (* end invariant definitions *) (* begin proof of invariants *) section{* Proof of the first 12 invariants *} text{* Proof of Invariant 1 *} text{* INV1 holds in the initial state *} lemma (in WSN_p) INV1_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_1 k x" using init_state miax by simp text{* INV1 holds after letting time pass *} lemma (in WSN_p) INV_1_clk : assumes ind_hyp: "INV_1 k x" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_1 k xp" proof - -- "we first prove the conclusion if one node is in GO_SEND" { assume "\ l. WSN l = GO_SEND" with step have ?thesis by simp } moreover { assume "\ l. WSN l \ GO_SEND" note 1 = this with ind_hyp and step have ?thesis apply simp apply (drule_tac x = k in spec) apply ( metis AC_add.ident class_ringb.add_r0_iff equal_neg_zero minus_add_cancel minus_minus neg_0_le_iff_le real_0_le_add_iff real_add_eq_0_iff real_add_le_0_iff real_le_anti_sym real_le_linear real_le_trans) done } ultimately show ?thesis by auto qed text{* INV1 holds after message actions *} lemma (in WSN_p) INV_1_message : assumes ind_hyp: "\ l. INV_1 l x" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_1 l xp" using ind_hyp step by auto text{* INV1 holds after tick actions *} lemma (in WSN_p) INV_1_tick : assumes ind_hyp: "\ l. INV_1 l x" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_1 l xp" using ind_hyp step apply auto apply (drule_tac x = l in spec) apply (drule_tac x = l in spec) apply auto apply (drule_tac x = l in spec) apply (drule_tac x = l in spec) apply auto done text{* Proof of Invariant 2 *} text{* INV2 holds in the initial state *} lemma (in WSN_p) INV2_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_2 k clk" using init_state miax pos_g by simp text{* INV2 holds after letting time pass *} lemma (in WSN_p) INV_2_clk : assumes ind_hyp: "INV_2 k clk" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_2 k clkp" using ind_hyp step by simp text{* INV2 holds after message actions *} lemma (in WSN_p) INV_2_message : assumes ind_hyp: "\ l. INV_2 l clk" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_2 l clkp" using ind_hyp step by auto text{* INV2 holds after tick actions *} lemma (in WSN_p) INV_2_tick : assumes ind_hyp: "\ l. INV_2 l clk" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_2 l clkp" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and pos_g have "INV_2 l clkp" by simp } then have "\ l. l \ k \ INV_2 l clkp" by simp moreover { -- "case where l = k" fix l::int assume "l = k" with ind_hyp and step and pos_g have "INV_2 l clkp" by simp } then have "\ l. l = k \ INV_2 l clkp" by simp ultimately show ?thesis by auto qed text{* Proof of Invariant 3 *} text{* INV3 holds in the initial state *} lemma (in WSN_p) INV3_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_3 k csn" using init_state miax slots_node by simp text{* INV3 holds after letting time pass *} lemma (in WSN_p) INV_3_clk : assumes ind_hyp: "INV_3 k csn" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_3 k csnp" using ind_hyp step by simp text{* INV3 holds after message actions *} lemma (in WSN_p) INV_3_message : assumes ind_hyp: "\ l. INV_3 l csn" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_3 l csnp" using ind_hyp step by auto text{* INV3 holds after tick actions *} lemma (in WSN_p) INV_3_tick : assumes ind_hyp: "\ l. INV_3 l csn" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_3 l csnp" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and pos_g have "INV_3 l csnp" by simp } then have "\ l. l \ k \ INV_3 l csnp" by simp moreover { -- "case where l = k" fix l::int assume "l = k" note case_is = this with ind_hyp and step have "INV_3 l csnp" apply auto apply (drule_tac x = k in spec) apply simp apply (metis Pls_def add_Pls diff_le_eq int_0_less_1 less_diff_eq linorder_not_le mult_Pls mult_le_cancel_right1 mult_less_cancel_right1 not_one_less_zero pos_mod_conj zadd_commute zle_trans) done } then have "\ l. l = k \ INV_3 l csnp" by simp ultimately show ?thesis by auto qed text{* Proof of Invariant 4 *} text{* INV4 holds in the initial state *} lemma (in WSN_p) INV4_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_4 k WSN x" using init_state by simp text{* INV4 holds after letting time pass *} lemma (in WSN_p) INV_4_clk : assumes ind_hyp: "INV_4 k WSN x" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_4 k WSNp xp" using ind_hyp step by simp text{* INV4 holds after message actions *} lemma (in WSN_p) INV_4_GO_SEND : assumes ind_hyp: "\ l. INV_4 l WSN x" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_4 l WSNp xp" using ind_hyp step by auto text{* INV4 holds after tick actions *} lemma (in WSN_p) INV_4_tick : assumes ind_hyp: "\ l. INV_4 l WSN x" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_4 l WSNp xp" using ind_hyp step by auto text{* Proof of Invariant 5 *} text{* INV5 holds in the initial state *} lemma (in WSN_p) INV5_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_5 k WSN csn tsn" using init_state by simp text{* INV5 holds after letting time pass *} lemma (in WSN_p) INV_5_clk : assumes ind_hyp: "INV_5 k WSN csn tsn" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_5 k WSNp csnp tsn" using ind_hyp step by simp text{* INV5 holds after message actions *} lemma (in WSN_p) INV_5_messgae : assumes ind_hyp: "\ l. INV_5 l WSN csn tsn" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_5 l WSNp csnp tsn" using ind_hyp step by auto text{* INV5 holds after tick actions *} lemma (in WSN_p) INV_5_tick : assumes ind_hyp: "\ l. INV_5 l WSN csn tsn" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_5 l WSNp csnp tsn" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and pos_g have "INV_5 l WSNp csnp tsn" by simp } then have "\ l. l \ k \ INV_5 l WSNp csnp tsn" by simp moreover { -- "case where l = k" fix l::int assume "l = k" with ind_hyp and step have "INV_5 l WSNp csnp tsn" by simp } then have "\ l. l = k \ INV_5 l WSNp csnp tsn" by simp ultimately show ?thesis by auto qed text{* Proof of Invariant 6 *} text{* INV6 holds in the initial state *} lemma (in WSN_p) INV6_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_6 k WSN clk" using init_state by simp text{* INV6 holds after letting time pass *} lemma (in WSN_p) INV_6_clk : assumes ind_hyp: "INV_6 k WSN clk" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_6 k WSNp clkp" using ind_hyp step by simp text{* INV6 holds after message actions *} lemma (in WSN_p) INV_6_message : assumes ind_hyp: "\ l. INV_6 l WSN clk" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_6 l WSNp clkp" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and pos_g have "INV_6 l WSNp clkp" by simp } then have "\ l. l \ k \ INV_6 l WSNp clkp" by simp moreover { -- "case where l = k" fix l::int assume "l = k" with ind_hyp and step have "INV_6 l WSNp clkp" by simp } then have "\ l. l = k \ INV_6 l WSNp clkp" by simp ultimately show ?thesis by auto qed text{* INV6 holds after tick actions *} lemma (in WSN_p) INV_6_tick : assumes ind_hyp: "\ l. INV_6 l WSN clk" assumes rel_inv4: "\ l. INV_4 l WSN x" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_6 l WSNp clkp" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and pos_g have "INV_6 l WSNp clkp" by simp } then have "\ l. l \ k \ INV_6 l WSNp clkp" by simp moreover { -- "case where l = k" fix l::int assume "l = k" note case_is = this have "(g \ 0 \ k0 > g) \ g mod k0 = g" apply auto apply (metis mod_pos_pos_trivial) done with ind_hyp and step and pos_g and rel_inv4 and miax have "INV_6 l WSNp clkp" apply auto apply (metis SENDING_def Suc_n_not_n Suc_neq_Zero case_is number_of_is_id numeral_1_eq_Suc_0 numeral_2_eq_2 one_is_num_one pordered_ab_group_add_class.compare_rls(11) wait_def zadd_commute) done } then have "\ l. l = k \ INV_6 l WSNp clkp" by simp ultimately show ?thesis by auto qed text{* Proof of Invariant 7 *} text{* INV7 holds in the initial state *} lemma (in WSN_p) INV_7_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_7 k WSN csn tsn" using init_state by simp text{* INV7 holds after letting time pass *} lemma (in WSN_p) INV_7_clk : assumes ind_hyp: "INV_7 k WSN csn tsn" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_7 k WSNp csnp tsn" using ind_hyp step by simp text{* INV7 holds after message actions *} lemma (in WSN_p) INV_7_message : assumes ind_hyp: "\ l. INV_7 l WSN csn tsn" assumes rel_inv5: "\ l. INV_5 l WSN csn tsn" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_7 l WSNp csnp tsn" using ind_hyp step rel_inv5 by auto text{* INV7 holds after tick actions *} lemma (in WSN_p) INV_7_tick : assumes ind_hyp: "\ l. INV_7 l WSN csn tsn" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_7 l WSNp csnp tsn" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step have "INV_7 l WSNp csnp tsn" by simp } then have "\ l. l \ k \ INV_7 l WSNp csnp tsn" by simp moreover { -- "case where l = k" fix l::int assume "l = k" with ind_hyp and step have "INV_7 l WSNp csnp tsn" by simp } then have "\ l. l = k \ INV_7 l WSNp csnp tsn" by simp ultimately show ?thesis by auto qed text{* Proof of Invariant 8 *} text{* INV8 holds in the initial state *} lemma (in WSN_p) INV_8_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_8 k WSN clk" using init_state by simp text{* INV8 holds after letting time pass *} lemma (in WSN_p) INV_8_clk : assumes ind_hyp: "INV_8 k WSN clk" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_8 k WSNp clkp" using ind_hyp step by simp text{* INV8 holds after message actions *} lemma (in WSN_p) INV_8_message : assumes ind_hyp: "\ l. INV_8 l WSN clk" assumes rel_inv6: "\ l. INV_6 l WSN clk" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_8 l WSNp clkp" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and pos_g and rel_inv6 have "INV_8 l WSNp clkp" by simp } then have "\ l. l \ k \ INV_8 l WSNp clkp" by simp moreover { -- "case where l = k" fix l::int assume "l = k" with ind_hyp and step and pos_g and rel_inv6 have "INV_8 l WSNp clkp" by auto } then have "\ l. l = k \ INV_8 l WSNp clkp" by simp ultimately show ?thesis by auto qed text{* INV8 holds after tick actions *} lemma (in WSN_p) INV_8_tick : assumes ind_hyp: "\ l. INV_8 l WSN clk" assumes rel_inv6: "\ l. INV_6 l WSN clk" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_8 l WSNp clkp" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and pos_g and rel_inv6 have "INV_8 l WSNp clkp" by simp } then have "\ l. l \ k \ INV_8 l WSNp clkp" by simp moreover { -- "case where l = k" fix l::int assume "l = k" with ind_hyp and step and pos_g and rel_inv6 have "INV_8 l WSNp clkp" apply - apply (simp only: trans_tick_def INV_8_def) apply simp apply (drule_tac x = k in spec) apply (drule_tac x = k in spec) apply safe apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial) apply (simp add: mod_pos_pos_trivial)+ done } then have "\ l. l = k \ INV_8 l WSNp clkp" by simp ultimately show ?thesis by auto qed text{* Proof of Invariant 9 *} text{* INV9 holds in the initial state *} lemma (in WSN_p) INV_9_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_9 y" using init_state by simp text{* INV9 holds after letting time pass *} lemma (in WSN_p) INV_9_clk : assumes ind_hyp: "INV_9 y" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_9 y" using ind_hyp step by simp text{* INV9 holds after message actions *} lemma (in WSN_p) INV_9_message : assumes ind_hyp: "INV_9 y" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "INV_9 y" using ind_hyp step by simp text{* INV9 holds after tick actions *} lemma (in WSN_p) INV_9_tick : assumes ind_hyp: "INV_9 y" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "INV_9 y" using ind_hyp step by simp text{* Proof of Invariant 10 *} text{* Proof of Invariant 10 *} text{* INV10 holds in the initial state *} lemma (in WSN_p) INV_10_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_10 k SYN x y" using init_state by simp text{* INV10 holds after letting time pass *} lemma (in WSN_p) INV_10_clk : assumes ind_hyp: "INV_10 k SYN x y" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_10 k SYNp xp yp" using ind_hyp step apply simp apply (drule_tac x = k in spec) apply (cases "x k + d \ max") apply simp_all done text{* INV10 holds after message actions *} lemma (in WSN_p) INV_10_GO_SEND : assumes ind_hyp: "\ l. INV_10 l SYN x y" assumes rel_inv1: "\ l. INV_1 l x" assumes rel_inv9: "INV_9 y" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_10 l SYNp xp yp" using ind_hyp step rel_inv1 rel_inv9 by auto text{* INV10 holds after tick actions *} lemma (in WSN_p) INV_10_tick : assumes ind_hyp: "\ l. INV_10 l SYN x y" assumes rel_inv1: "\ l. INV_1 l x" assumes rel_inv9: "INV_9 y" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_10 l SYNp xp yp" proof - { -- "case where l \ k" fix l::int assume "l \ k" with ind_hyp and step and rel_inv1 and rel_inv9 have "INV_10 l SYNp xp yp" by simp } then have "\ l. l \ k \ INV_10 l SYNp xp yp" by simp moreover { -- "case where l = k" fix l::int assume "l = k" with ind_hyp and step and rel_inv1 and rel_inv9 have "INV_10 l SYNp xp yp " by auto } then have "\ l. l = k \ INV_10 l SYNp xp yp" by simp ultimately show ?thesis by auto qed text{* Proof of Invariant 11 *} text{* INV11 holds in the initial state *} lemma (in WSN_p) INV_11_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "INV_11 k SYN last_slot" using init_state by simp text{* INV11 holds after letting time pass *} lemma (in WSN_p) INV_11_clk : assumes ind_hyp: "INV_11 k SYN last_slot" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_11 k SYNp last_slotp" using ind_hyp step by simp text{* INV11 holds after message actions *} lemma (in WSN_p) INV_11_message : assumes ind_hyp: "\ l. INV_11 l SYN last_slot" assumes rel_inv3: "\ l. INV_3 l csn" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_11 l SYNp last_slotp" using ind_hyp step rel_inv3 apply simp apply (drule_tac x = k in spec) apply auto done text{* INV11 holds after tick actions *} lemma (in WSN_p) INV_11_tick : assumes ind_hyp: "\ l. INV_11 l SYN last_slot" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. INV_11 l SYNp last_slotp" using ind_hyp step by auto text{* Proof of Invariant 12 *} text{* INV12 holds in the initial state *} lemma (in WSN_p) INV_12_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" assumes rel_inv3: "INV_3 k csn" shows "INV_12 last_slot" using init_state rel_inv3 by simp text{* INV12 holds after letting time pass *} lemma (in WSN_p) INV_12_clk : assumes ind_hyp: "INV_12 last_slot" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "INV_12 last_slotp" using ind_hyp step by simp text{* INV12 holds after message actions *} lemma (in WSN_p) INV_12_message : assumes ind_hyp: "INV_12 last_slot" assumes rel_inv3: "INV_3 k csn" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "INV_12 last_slotp" using ind_hyp step rel_inv3 by auto text{* INV12 holds after tick actions *} lemma (in WSN_p) INV_12_tick : assumes ind_hyp: "INV_12 last_slot" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "INV_12 last_slotp" using ind_hyp step by simp section{* Main Invariant*} subsection{* Definition *} constdefs G_1 :: "int \ gt_csn \ gSYN_state \ ghw_clk \ gclock \ clock \ int \ bool" "G_1 k csn SYN clk x y last_slot \ y \ real (c k csn SYN clk last_slot) * max + x k " constdefs G_2 :: "int \ gt_csn \ gSYN_state \ ghw_clk \ gclock \ clock \ int \ bool" "G_2 k csn SYN clk x y last_slot \ (c k csn SYN clk last_slot) > 0 \ y \ (real (c k csn SYN clk last_slot) - 1::real) * min + x k" constdefs G_3 :: "int \ gt_csn \ gt_tsn \ gWSN_state \ ghw_clk \ int \ bool" "G_3 k csn tsn WSN clk last_slot \ (csn k = tsn k \ (clk k < g \ WSN k = GO_SEND)) \ last_slot \ (csn k)" constdefs G_3a :: "int \ gt_csn \ gt_tsn \ gWSN_state \ ghw_clk \ bool" "G_3a k csn tsn WSN clk \ (csn k = tsn k \ clk k = g) \ (WSN k = GO_SEND \ WSN k = SENDING)" constdefs G_4 :: "int \ gt_csn \ gt_tsn \ gWSN_state \ ghw_clk \ int \ bool" "G_4 k csn tsn WSN clk last_slot\ (csn k = tsn k \ clk k > g) \ last_slot = (csn k)" constdefs G_5 :: "int \ int \ gWSN_state \ gt_csn \ int \ bool" "G_5 k l WSN csn last_slot \ (WSN k = SENDING) \ (csn k = csn l \ (csn l) = last_slot)" constdefs G_6 :: "int \ int \ gWSN_state \ gt_csn \ ghw_clk \ bool" "G_6 k l WSN csn clk \ WSN k = GO_SEND \ (csn k = csn l \ clk k = g)" constdefs G_7 :: "int \ int \ gt_csn \ gt_tsn \ int \ bool" "G_7 k tsn_max csn tsn last_slot \ last_slot = -1 \ (TX (csn k) tsn \ last_slot = (csn k)) \ last_slot = (PREV (csn k) tsn_max tsn)" constdefs G_8 :: "int \ gt_csn \ gt_tsn \ ghw_clk \ int \ bool" "G_8 k csn tsn clk last_slot \ (TX (csn k) tsn \ clk k = k0 - 1) \ last_slot = (csn k)" constdefs G_9 :: "int \ gSYN_state \ gt_csn \ ghw_clk \ int \ bool" "G_9 k SYN csn clk last_slot \ SYN k = S_1 \ (clk k < k0 - 1 \ last_slot = (csn k))" constdefs G_10 :: "int \ gt_csn \ gSYN_state \ ghw_clk \ int \ bool" "G_10 k csn SYN clk last_slot \ (c k csn SYN clk last_slot) \ 0" constdefs G_12 :: "int \ gt_csn \ int \ bool" "G_12 k csn last_slot \ last_slot = -1 \ csn k = 0" constdefs G :: "int \ int \ gWSN_state \ gSYN_state \ gt_csn \ gt_tsn \ ghw_clk \ gclock \ clock \ int \ bool" "G k tsn_max WSN SYN csn tsn clk x y last_slot \ G_1 k csn SYN clk x y last_slot \ G_2 k csn SYN clk x y last_slot \ G_3 k csn tsn WSN clk last_slot \ G_3a k csn tsn WSN clk \ G_4 k csn tsn WSN clk last_slot \ (\ l. G_5 k l WSN csn last_slot)\ (\ l. G_6 k l WSN csn clk) \ G_7 k tsn_max csn tsn last_slot \ G_8 k csn tsn clk last_slot \ G_9 k SYN csn clk last_slot \ G_10 k csn SYN clk last_slot \ G_12 k csn last_slot " declare G_1_def [simp] G_2_def [simp] G_3_def [simp] G_3a_def [simp] G_4_def [simp] G_5_def [simp] G_6_def [simp] G_7_def [simp] G_8_def [simp] G_9_def [simp] G_10_def [simp] G_12_def [simp] G_def [simp] subsection{* Proof: Induction basis *} text{* G holds in the initial state *} lemma (in WSN_p) G_init : assumes init_state: "WSN_State_Init k x y WSN SYN csn clk last_slot" shows "G k tsn_max WSN SYN csn tsn clk x y last_slot" using init_state miax pos_g by (simp add: c_def) subsection{* Proof: time passage action*} text{* G holds after letting time pass *} lemma (in WSN_p) G_clk : assumes ind_hyp: "G k tsn_max WSN SYN csn tsn clk x y last_slot" assumes rel_inv10: "INV_10 k SYN x y" assumes step: "trans_clk d tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp " shows "G k tsn_max WSNp SYNp csnp tsn clkp xp yp last_slotp" proof - -- "we first prove the very easy ones" { from ind_hyp have " G_3 k csn tsn WSN clk last_slot \ G_3a k csn tsn WSN clk \ G_8 k csn tsn clk last_slot \ G_9 k SYN csn clk last_slot \ G_12 k csn last_slot" by (simp only: G_def) simp with step have " G_3 k csnp tsn WSNp clkp last_slotp \ G_3a k csnp tsn WSNp clkp \ G_8 k csnp tsn clkp last_slotp \ G_9 k SYNp csnp clkp last_slotp \ G_12 k csnp last_slotp" by (simp only: G_3_def G_3a_def G_8_def G_9_def G_12_def trans_clk_def) } note G_easy_ones = this -- "we now try G_4" { from ind_hyp have "G_4 k csn tsn WSN clk last_slot" by (simp only: G_def) with step have "G_4 k csnp tsn WSNp clkp last_slotp" by (simp only: G_4_def trans_clk_def) } note G_4 = this -- "we now try G_5" { from ind_hyp have "(\ l. G_5 k l WSN csn last_slot)" by (simp only: G_def) simp with step have "(\ l. G_5 k l WSNp csnp last_slotp)" by (simp only: G_5_def trans_clk_def) } note G_5 = this -- "we now try G_6" { from ind_hyp have "(\ l. G_6 k l WSN csn clk)" by (simp only: G_def) simp with step have "(\ l. G_6 k l WSNp csnp clkp)" by (simp only: G_6_def trans_clk_def) } note G_6 = this -- "we now try G_7" { from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) with step have "G_7 k tsn_max csnp tsn last_slotp" by (simp only: G_7_def trans_clk_def) } note G_7 = this -- "we now try G_10" { from ind_hyp have "G_10 k csn SYN clk last_slot" by (simp only: G_def) with step have "G_10 k csnp SYNp clkp last_slotp" by (simp only: G_10_def trans_clk_def c_def) } note G_10 = this -- "we get the values of yp and xp depending on x k + d" from step have "x k + d \ max \ (xp k = x k + d \ yp = y + d)" apply (simp only: trans_clk_def) apply (drule_tac x = k in spec) apply simp done note case1 = this from step have "x k + d > max \ (xp k = x k \ yp = y)" apply (simp only: trans_clk_def) apply (drule_tac x = k in spec) apply simp done note case2 = this -- "we now try G_1" { from ind_hyp have "G_1 k csn SYN clk x y last_slot" by (simp only: G_def) note hyp_G1 = this -- "now we split the proof in two cases" { assume "x k + d > max" note ass1 = this with hyp_G1 and case2 and rel_inv10 and step have "G_1 k csnp SYNp clkp xp yp last_slotp" by (simp only: G_1_def c_def INV_10_def trans_clk_def) } moreover { assume "x k + d \ max" note ass1 = this with hyp_G1 and case1 and rel_inv10 and step have "G_1 k csnp SYNp clkp xp yp last_slotp" by (simp only: G_1_def c_def INV_10_def trans_clk_def) } moreover have "x k + d > max \ x k + d \ max" by auto ultimately have "G_1 k csnp SYNp clkp xp yp last_slotp" by safe simp_all } note G_1 = this -- "we now try G_2" { from ind_hyp have "G_2 k csn SYN clk x y last_slot" by (simp only: G_def) note hyp_G2 = this { assume "x k + d > max" with hyp_G2 and case2 and rel_inv10 and step have "G_2 k csnp SYNp clkp xp yp last_slotp" by (simp only: G_2_def c_def INV_10_def trans_clk_def) } moreover { assume "x k + d \ max" with hyp_G2 and case1 and rel_inv10 and step have "G_2 k csnp SYNp clkp xp yp last_slotp" by (simp only: G_2_def c_def INV_10_def trans_clk_def) simp } moreover have "x k + d > max \ x k + d \ max" by auto ultimately have "G_2 k csnp SYNp clkp xp yp last_slotp" by safe simp_all } note G_2 = this from G_easy_ones and G_4 and G_5 and G_6 and G_7 and G_10 and G_1 and G_2 show ?thesis by (simp only: G_def) safe qed subsection {* Start Message Action *} lemma (in All_Constraints) g_mult_max: shows "real g * max < (real k0 - 2) * min" proof - have "real g * max = real M * real k0 * max + real g * max - real M * real k0 * max " by simp with pos_g have " real g * max = real M * real k0 * max + (real g - real M * real k0 ) * max" by (simp add: left_diff_distrib) moreover have "(real g - real M * real k0 ) * max = - (real M * real k0 - real g) * max" by simp ultimately have "real g * max = real M * real k0 * max - (real M * real k0 - real g) * max" by (simp (no_asm)) moreover { from pos_g and miax and left_diff_distrib [where a = "(real M + 1::real) * real k0 - real g - 2" and b = "(real M * real k0 - real g)" and c = min] have " ( (real M + 1::real) * real k0 - real g - 2 ) * min - (real M * real k0 - real g) * min = ( (real M + 1::real) * real k0 - real g - 2 - (real M * real k0 - real g)) * min" by simp also have "\ = ( (real M + 1::real) * real k0 - real g - 2 - (real M * real k0) + real g) * min" by simp also have "\ = ( (real M + 1::real) * real k0 - 2 - (real M * real k0)) * min" by simp also from pos_g have "\ = ( (real M * real k0) + real k0 - 2 - (real M * real k0)) * min" by (simp add: left_distrib) also have " \ = ( real k0 - 2 ) * min" by auto finally have "( (real M + 1::real) * real k0 - real g - 2 ) * min - (real M * real k0 - real g) * min = ( real k0 - 2 ) * min" by simp } moreover from C1 have " real M * real k0 * max - (real M * real k0 - real g) * min < ((real M + 1::real) * (real k0) - (real g) - 2::real) * min - (real M * real k0 - real g) * min " by simp moreover { from pos_g have "k0 \ 1" by simp moreover from M_ge_1 have "M \ 1" by simp ultimately have "M * k0 \ k0" by (simp add: mult_compare_simps) moreover from pos_g have "k0 \ g" by simp ultimately have "M * k0 \ g" by auto then have "M * k0 - g \ 0" by simp with M_ge_1 and pos_g have "real (M * k0 - g) \ 0" by (metis real_of_int_ge_zero_cancel_iff) } note pos_fact1 = this with miax and pos_g have "real (M * k0 - g) * max \ real (M * k0 - g) * min" by (simp add: mult_mono) with pos_fact1 have "- real (M * k0 - g) * max \ - real (M * k0 - g) * min" by (metis abs_minus_le_zero abs_of_nonneg local.pos_fact1 miax mult_right_mono_neg real_mult_commute zmult_commute) with pos_g and miax have "real (M * k0) * max - real (M * k0 - g) * max \ real (M * k0) * max - real (M * k0 - g) * min" by (simp add: mult_compare_simps) note fact_good = this with pos_g and M_ge_1 have "real (M * k0) = real M * real k0" by auto note fact_good1 = this with pos_g and M_ge_1 have "real (M * k0 - g) = real (M * k0) - real g" by (simp add: mult_compare_simps) with pos_g and M_ge_1 and pos_fact1 and fact_good1 have "real (M * k0 - g) = real (M * k0) - real g" by simp with pos_g and miax and fact_good and fact_good1 have "real M * real k0 * max - (real M * real k0 - real g) * max \ real M * real k0 * max - (real M * real k0 - real g) * min" by auto moreover have "-2 + real k0 = real k0 - 2" by simp ultimately show ?thesis by auto qed text{* G holds after message actions *} lemma (in All_Constraints) G_message : assumes ind_hyp: "\ l. G l tsn_max WSN SYN csn tsn clk x y last_slot" assumes rel_inv1: "\ l. INV_1 l x" assumes rel_inv2: "\ l. INV_2 l clk" assumes rel_inv3: "\ l. INV_3 l csn" assumes rel_inv4: "\ l. INV_4 l WSN x" assumes rel_inv5: "\ l. INV_5 l WSN csn tsn" assumes rel_inv12: "INV_12 last_slot" assumes step: "trans_message k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. G l tsn_max WSNp SYNp csnp tsn clkp xp yp last_slotp" proof - -- "we first prove G_1, G_2, G_10 and G_12" { from step and rel_inv1 have "\ l. yp = 0 \ xp l \ 0" by (simp only: trans_message_def INV_1_def) auto note 1 = this moreover from step and rel_inv5 have "\ l. SYNp l = S_1" proof - from step and rel_inv5 and tsn_restrict have "SYNp k = S_1" by auto moreover { fix i::int assume "i \ k" from ind_hyp have "(\ l. G_6 k l WSN csn clk)" by (simp only: G_def) simp then have "G_6 k i WSN csn clk" by (simp del: G_6_def) moreover from step have "WSN k = GO_SEND" by simp ultimately have "csn k = csn i" by simp moreover from step and rel_inv5 have "csn k = tsn k" by simp ultimately have "csn i = tsn k" by simp with step and rel_inv5 and tsn_restrict have "SYNp i = S_1" by auto } then have "\ l. l \ k \ SYNp l = S_1" by metis ultimately show ?thesis by metis qed moreover from step and rel_inv5 and tsn_restrict have "last_slotp \ 0" by auto ultimately have "\ l. SYNp l = S_1 \ last_slotp \ 0" by metis note 2 = this from 1 and 2 have "\ l. c l csnp SYNp clkp last_slotp = 0" by (simp add: c_def) with 1 and 2 have "\ l. ( G_1 l csnp SYNp clkp xp yp last_slotp \ G_2 l csnp SYNp clkp xp yp last_slotp \ G_10 l csnp SYNp clkp last_slotp \ G_12 l csnp last_slotp )" by (simp only: G_1_def G_2_def G_10_def G_12_def) simp } note G_1_2_10_12 = this -- "We now check G_3" from step have "WSN k = GO_SEND" by (simp only: trans_message_def) note 1 = this { -- "case where i = k" { fix l::int assume "l = k" from ind_hyp have "(\ l. G_6 k l WSN csn clk)" by (simp only: G_def) simp with 1 have "clk k = g" by (simp only: G_6_def) with step have "clkp k = g \ WSNp k = SENDING" by (simp only: trans_message_def) simp then have "G_3 k csnp tsn WSNp clkp last_slotp" by (simp only: G_3_def) simp } then have "\ l. l = k \ G_3 l csnp tsn WSNp clkp last_slotp" by simp moreover -- "now we prove the case where i \ k" { fix l::int assume "l \ k" note 3 = this from ind_hyp have "(\ j. G_6 k j WSN csn clk)" by (simp only: G_def) simp with 1 have "csn l = csn k" apply simp apply auto apply (drule_tac x = l in spec) apply simp done note 2 = this with rel_inv5 and 1 have "csn k = tsn k" apply (simp del: INV_5_def) apply (simp only: INV_5_def) apply (drule_tac x = k in spec) apply simp done note 4 = this with mutex_tsn and 3 have "tsn k \ tsn l" by auto with 2 and step and 4 have "csnp l \ tsn l" by simp then have "G_3 l csnp tsn WSNp clkp last_slotp" by simp } then have "\ l. l \ k \ G_3 l csnp tsn WSNp clkp last_slotp" by simp ultimately have "\ l. G_3 l csnp tsn WSNp clkp last_slotp" by auto } note G_3 = this -- "We now check G_3_a" { { fix l::int assume "l = k" from step have "WSNp k = SENDING" by (simp only: trans_message_def) then have "G_3a k csnp tsn WSNp clkp" by (simp only: G_3a_def) simp } then have "\ l. l = k \ G_3a l csnp tsn WSNp clkp" by simp moreover { fix l::int assume "l \ k" with ind_hyp have "G_3a l csn tsn WSN clk" by (simp only: G_def) with step have "G_3a l csnp tsn WSNp clkp" by (simp only: G_3a_def trans_message_def) auto } then have "\ l. l \ k \ G_3a l csnp tsn WSNp clkp" by simp ultimately have "\ l. G_3a l csnp tsn WSNp clkp" by auto } note G_3a = this -- "we now check G_4 and G_8 together" { { fix l::int assume "l = k" from step have "last_slotp = (csnp k)" by simp then have "G_4 k csnp tsn WSNp clkp last_slotp \ G_8 k csnp tsn clkp last_slotp " by simp } then have "\ l. l = k \ G_4 l csnp tsn WSNp clkp last_slotp \ G_8 l csnp tsn clkp last_slotp " by simp moreover { fix l::int assume "l \ k" from ind_hyp have "(\ j. G_6 k j WSN csn clk)" by (simp only: G_def) simp with 1 have "csn l = csn k" apply simp apply auto apply (drule_tac x = l in spec) apply simp done with step have "csnp l = csnp k" by simp note 2 = this moreover from step have "last_slotp = (csnp k)" by simp ultimately have "last_slotp = (csnp l)" by simp with 2 have "G_4 l csnp tsn WSNp clkp last_slotp \ G_8 l csnp tsn clkp last_slotp" by simp } then have "\ l. l \ k \ G_4 l csnp tsn WSNp clkp last_slotp \ G_8 l csnp tsn clkp last_slotp " by simp ultimately have "\ l. G_4 l csnp tsn WSNp clkp last_slotp \ G_8 l csnp tsn clkp last_slotp " by auto } note G_4_8 = this -- "we now check G_5" { with 1 and step have "WSNp k = SENDING" by simp note 2 = this from ind_hyp have "(\ j. G_6 k j WSN csn clk)" by (simp only: G_def) simp with step have "\ l. csn l = csn k" apply auto apply (drule_tac x = l in spec) apply simp done with step have "\ l. csnp l = csnp k" by simp then have "\ i j. csnp i = csnp j" apply auto apply (frule_tac x = i in spec) apply (drule_tac x = j in spec) apply simp done note 3 = this moreover with step have "(csnp k) = last_slotp" by simp ultimately have "\ l. (csnp l) = last_slotp" by auto with 1 and 2 and 3 have "\ i. (\ l. G_5 i l WSNp csnp last_slotp)" by auto } note G_5 = this -- "Let's check G_6" { from ind_hyp have "(\ j. G_6 k j WSN csn clk)" by (simp only: G_def) simp with 1 have "\ j. csn j = csn k" apply auto apply (drule_tac x = j in spec) apply simp done note 2 = this then have "\ i j. csn i = csn j" apply auto apply (frule_tac x = i in spec) apply (drule_tac x = j in spec) apply auto done note 3 = this from rel_inv5 and 1 have "csn k = tsn k" by simp with rel_inv5 and mutex_tsn and 2 and 3 have "\ i. i \ k \ WSN i \ GO_SEND" by auto note 4 = this with step have "\ i. i \ k \ WSNp i \ GO_SEND" by simp note 5 = this with step have "WSNp k = SENDING" by simp with 1 have "\ i. (\ j. G_6 i j WSNp csnp clkp)" proof - { from step have "(\ j. G_6 k j WSNp csnp clkp)" by simp } moreover { fix i::int assume "i \ k" with step and 5 have "(\ j. G_6 i j WSNp csnp clkp)" by simp } then have "\ i. i \ k \ (\ j. G_6 i j WSNp csnp clkp)" by (auto simp del: G_6_def) ultimately show ?thesis by auto qed } note G_6 = this -- "We consider invariant G_7" { from 1 and rel_inv5 have "csn k = tsn k" by simp note 2 = this from ind_hyp have "(\ j. G_6 k j WSN csn clk)" by (simp only: G_def) simp with 1 have "\ i. csn i = csn k" apply auto apply (drule_tac x = i in spec) apply simp done note 3 = this with 2 have "\ i. TX (csn i) tsn" by (simp add: TX_def) auto with step have "\ i. TX (csnp i) tsn" by (simp add: TX_def) note 4 = this from step have "(csnp k) = last_slotp" by simp with step and 3 have "\ i. (csnp i) = last_slotp" by auto with 4 have "\ i. G_7 i tsn_max csnp tsn last_slotp" by simp } note G_7 = this -- "G_8 has been checked above" -- "Let's check G_9. That's the difficult case" { fix i::int from ind_hyp have "(\ j. G_6 k j WSN csn clk)" by (simp only: G_def) simp with 1 have "\ l. csn l = csn k" apply simp apply auto apply (drule_tac x = l in spec) apply simp done with step have "\ l. csnp l = csnp k" by simp note 2 = this moreover from step have "last_slotp = (csnp k)" by simp ultimately have "\ l. last_slotp = (csnp l)" apply auto apply (drule_tac x = l in spec) apply simp done note 3 = this -- "we assume that clkp i = k0 - 1 and derive a contradiction" { assume "clk i = k0 - 1" note 4 = this with step have "clkp i = k0 - 1" by simp note contradiction_hyp = this from 1 and rel_inv4 and rel_inv5 have "x k = 0 \ csn k = tsn k" by simp note 5 = this from ind_hyp have "\ l. G_6 k l WSN csn clk" by (simp only: G_def) auto with 1 have "clk k = g \ (\ l. csn k = csn l)" by simp note 6 = this from ind_hyp have "G_3 k csn tsn WSN clk last_slot" by (simp only: G_def) with 6 and 5 and 1 have "(csn k) \ last_slot" by simp note 7 = this from ind_hyp have "G_9 i SYN csn clk last_slot" by (simp only: G_def) with SYN_st_restrict and 4 have "SYN i = S_0" by auto note 8 = this from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) with SYN_st_restrict and 7 have "SYN k = S_0" by auto note 9 = this -- "we now split on the value of last_slot" { assume "last_slot = -1" note case1 = this with 6 have "c k csn SYN clk last_slot = g" by (simp add: c_def) moreover from ind_hyp have "G_1 k csn SYN clk x y last_slot" by (simp only: G_def) moreover from calculation and 5 have "y \ (real g) * max" by simp note een = this from pos_g have "k0 \ 1" by simp note k0_ge_1 = this with 8 and case1 and 4 have "c i csn SYN clk last_slot = k0 - 1" by (simp add: c_def) note twee = this (* from pos_g have "((real k0) - 2) = (real (k0 - Suc 0) - 1::real)" by auto note drie = this*) have "y \ (-2 + real k0) * min + x i" proof - from ind_hyp have "G_2 i csn SYN clk x y last_slot" by (simp only: G_def) with twee and pos_g and k0_ge_1 have "(-2 + real k0) * min + x i \ y" by auto moreover have "(real (k0 - 1) - 1) * min = (-2 + real k0) * min" by auto ultimately show ?thesis by (simp (no_asm)) qed with rel_inv1 have "y \ (-2 + real k0) * min" apply auto apply (drule_tac x = i in spec) apply simp done with een have "real g * max \ (-2 + real k0) * min" by simp moreover from g_mult_max have "real g * max < (real k0 - 2) * min" by simp moreover have "-2 + real k0 = real k0 - 2" by simp ultimately have "G_9 i SYNp csnp clkp last_slotp" by auto } moreover { assume "last_slot \ 0" note case2 = this with 9 and 6 have "c k csn SYN clk last_slot = (from_slot last_slot (csn k)) * k0" by (simp add: c_def) note een = this { from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) with 6 and 7 and 9 and case2 and pos_g have "c k csn SYN clk last_slot = (D (csn k) tsn_max tsn) * k0" by (simp add: c_def D_def) } note twee = this { from een and twee and pos_g have "from_slot last_slot (csn k) * k0 = D (csn k) tsn_max tsn * k0" by simp } note drie = this { -- "we extract an upper bound on y" from ind_hyp have "G_1 k csn SYN clk x y last_slot" by (simp only: G_def) with twee have "y \ (real (D (csn k) tsn_max tsn)) * real k0 * max + x k" by simp with 5 have "y \ (real (D (csn k) tsn_max tsn)) * real k0 * max" by simp } note ub_y = this { -- "we extract a lower bound on y" from pos_g have "k0 \ 1" by simp with 8 and case2 and 4 and pos_g have "c i csn SYN clk last_slot = (from_slot last_slot (csn i)) * k0 + k0 - 1 - g" by (auto simp add: c_def) moreover from 6 have "csn k = csn i" by auto ultimately have " c i csn SYN clk last_slot = (from_slot last_slot (csn k)) * k0 + k0 - 1 - g" by simp with drie have " c i csn SYN clk last_slot = (D (csn k) tsn_max tsn) * k0 + k0 - 1 - g" by auto note good_fact = this moreover { with pos_g and D_ge_1[of "csn k"] and rel_inv3 have "(D (csn k) tsn_max tsn) * k0 + k0 \ 2 * k0" by (simp add: mult_compare_simps) with pos_g have "(D (csn k) tsn_max tsn) * k0 + k0 - 1 > g" by simp then have "(D (csn k) tsn_max tsn) * k0 + k0 - 1 - g > 0" by simp with pos_g and case2 and good_fact have "c i csn SYN clk last_slot > 0" by auto note c_i_not_0 = this from ind_hyp have "G_2 i csn SYN clk x y last_slot" by (auto simp only: G_def) with c_i_not_0 have "y \ (real (c i csn SYN clk last_slot) - 1) * min + x i" by (simp only: G_2_def) } note y_here_good = this moreover { have "real (D (csn k) tsn_max tsn * k0 + k0) = real (D (csn k) tsn_max tsn) * real k0 + real k0" by auto moreover { with pos_g and D_ge_1[of "csn k"] and rel_inv3 have "(D (csn k) tsn_max tsn) * k0 + k0 \ 2 * k0" by (simp add: mult_compare_simps) with pos_g have "(D (csn k) tsn_max tsn) * k0 + k0 - 1 > g" by simp then have "D (csn k) tsn_max tsn * k0 + k0 > g + 1" by auto } moreover { fix a b::int have "a > b \ real (a - b) = real a - real b" by auto } ultimately have " real (D (csn k) tsn_max tsn * k0 + k0 - g - 1) = real (D (csn k) tsn_max tsn) * real k0 + real k0 - real (g + 1)" by auto then have "(real (D (csn k) tsn_max tsn * k0 + k0 - g - 1) - 1) = (-2 + real (D (csn k) tsn_max tsn) * real k0 + real k0 + - real g)" by simp then have "(-2 + real (D (csn k) tsn_max tsn) * real k0 + real k0 + - real g) = real (D (csn k) tsn_max tsn) * real k0 + real k0 - real g - 2" by simp } note stupid1 = this (* moreover from calculation and pos_g*) ultimately have "(real (c i csn SYN clk last_slot) - 1) * min = (real (D (csn k) tsn_max tsn) * real k0 + real k0 - real g - 2) * min" by simp with y_here_good have "y \ (real (D (csn k) tsn_max tsn) * real k0 + real k0 - real g - 2) * min + x i" by metis moreover from rel_inv1 have "x i \ 0" by simp ultimately have "y \ (real (D (csn k) tsn_max tsn) * real k0 + real k0 - real g - 2) * min" by simp then have "y \ ((real (D (csn k) tsn_max tsn) + 1) * real k0 - real g - 2) * min" by (simp add: left_distrib) } note lb_y = this from M_is_max have "D (csn k) tsn_max tsn \ M" by (simp add: is_max_D_def) note quatre = this from lb_y and ub_y have " (real (D (csn k) tsn_max tsn)) * real k0 * max \ ((real (D (csn k) tsn_max tsn) + 1) * real k0 - real g - 2) * min " by simp note cinq = this from quatre and Lemma1[of "real (D (csn k) tsn_max tsn)"] have "real (D (csn k) tsn_max tsn) * real k0 * max < ((real (D (csn k) tsn_max tsn) + 1) * real k0 - real g - 2) * min " by (simp add: left_distrib) with cinq have "G_9 i SYNp csnp clkp last_slotp" by (auto simp del: G_9_def) } moreover from rel_inv12 and slots_node have "last_slot = -1 \ last_slot \ 0" by auto ultimately have "G_9 i SYNp csnp clkp last_slotp" by (auto simp del: G_9_def) } note G_91 = this { assume "clk i < k0 - 1" note my_case = this with step have "clkp i < k0 - 1" by auto note my_case2 = this -- "we first get than csn k = tsn k" from 1 and rel_inv4 and rel_inv5 have "x k = 0 \ csn k = tsn k" by simp moreover -- "we then get that all csn's = csn k by G_6" { from ind_hyp have "\ l. G_6 k l WSN csn clk" by (simp only: G_def) auto with 1 have "clk k = g \ (\ l. csn k = csn l)" by simp } note fact1 = this ultimately have "\ i. csn i = tsn k" by simp with tsn_restrict have "\ i. csn i < n" by auto with step have "\ l. SYNp l = S_1" by simp moreover { with step have "last_slotp = csn k" by simp with fact1 and step and 1 have "csnp i = last_slotp" apply auto apply (drule_tac x = i in spec) apply simp done } moreover from calculation and my_case2 have "G_9 i SYNp csnp clkp last_slotp" by simp } note G_92 = this from rel_inv2 have "clk i < k0 - 1 \ clk i = k0 - 1" apply auto apply (drule_tac x = i in spec) apply simp done with G_91 and G_92 have "G_9 i SYNp csnp clkp last_slotp" by (auto simp del: G_9_def) } then have "\ i. G_9 i SYNp csnp clkp last_slotp" by auto with G_1_2_10_12 and G_3 and G_3a and G_4_8 and G_5 and G_6 and G_7 show ?thesis by (auto simp only: G_def) qed subsection {* Tick Action *} lemma (in All_Constraints) G_tick : assumes ind_hyp: "\ l. G l tsn_max WSN SYN csn tsn clk x y last_slot" assumes rel_inv1: "\ l. INV_1 l x" assumes rel_inv2: "\ l. INV_2 l clk" assumes rel_inv3: "\ l. INV_3 l csn" assumes rel_inv4: "\ l. INV_4 l WSN x" assumes rel_inv5: "\ l. INV_5 l WSN csn tsn" assumes rel_inv6: "\ l. INV_6 l WSN clk" assumes rel_inv7: "\ l. INV_7 l WSN csn tsn" assumes rel_inv8: "\ l. INV_8 l WSN clk" assumes rel_inv9: "INV_9 y" assumes rel_inv10: "\ l. INV_10 l SYN x y" assumes rel_inv11: "\ l. INV_11 l SYN last_slot" assumes rel_inv12: "INV_12 last_slot" assumes TX_0 : "TX 0 tsn" assumes step: "trans_tick k tsn x y WSN SYN csn clk last_slot xp yp WSNp SYNp csnp clkp last_slotp" shows "\ l. G l tsn_max WSNp SYNp csnp tsn clkp xp yp last_slotp" proof - -- "Lemma 3" { have "c k csnp SYNp clkp last_slotp = c k csn SYN clk last_slot + 1" proof - -- "case 1: last_slot = -1" { assume "last_slot = -1" note case1 = this with step have "last_slotp = -1" by simp with case1 have "c k csn SYN clk last_slot = clk k \ c k csnp SYNp clkp last_slotp = clkp k" by (simp add: c_def) note clk_clkp = this moreover from rel_inv11 and case1 have "SYN k = S_0" by simp note S_0_k = this moreover with step have "SYNp k = S_0" by simp moreover { from ind_hyp have "G_12 k csn last_slot" by (simp only: G_def) with case1 have "csn k = 0" by simp with TX_0 have "TX (csn k) tsn" by (simp) } moreover from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) moreover from calculation and case1 and rel_inv2 and rel_inv3 have "clk k < k0 - 1" apply (drule_tac x = k in spec) apply (drule_tac x = k in spec) apply auto done note clk_k = this with step and S_0_k and rel_inv2 have "clkp k = clk k + 1" apply (drule_tac x = k in spec) by (simp add: mod_pos_pos_trivial) with clk_clkp have ?thesis by simp } moreover { assume "last_slot \ 0" note case2 = this { assume "SYN k = S_1" note case2_1 = this with case2 have "c k csn SYN clk last_slot = 0" by (simp add: c_def) note c_k_0 = this with step and case2_1 and case2 have "SYNp k = S_0 \ clkp k = g + 1" by simp note SYNp_k = this from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) with case2_1 have "clk k < k0 - 1 \ last_slot = csn k" by simp note een = this with step have "last_slotp = last_slot \ csnp k = csn k" by simp note twee = this with SYNp_k and case2 have "c k csnp SYNp clkp last_slotp = from_slot last_slotp (csnp k) * k0 + clkp k - g" by (simp add: c_def) moreover { from SYNp_k and pos_g and een and twee have "from_slot last_slotp (csnp k) * k0 + clkp k - g = 1" by (simp add: from_slot_def) } ultimately have "c k csnp SYNp clkp last_slotp = 1" by simp with c_k_0 have ?thesis by simp } moreover { assume "SYN k = S_0" note case2_2 = this with step have "SYNp k = S_0" by simp note SYNp_k = this { assume "clk k < k0 - 1" note case2_2_1 = this with step and case2_2 and rel_inv2 have "last_slotp = last_slot \ csnp k = csn k \ clkp k = clk k + 1" apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done note een = this -- "we need to know that Suc (from_slot (nat last_slot) (csn k) * k0 + clk j > g" { from ind_hyp have "G_10 k csn SYN clk last_slot" by (simp only: G_def) with case2 and case2_2 and SYN_st_restrict have "from_slot last_slot (csn k) * k0 + clk k - g \ 0" by (auto simp add: c_def) with pos_g have "from_slot last_slot (csn k) * k0 + clk k \ g" by auto } note twee = this from een and case2_2 and case2 and SYNp_k have "c k csnp SYNp clkp last_slotp = from_slot last_slotp (csnp k) * k0 + clkp k - g" by (simp add: c_def) also with een have "\ = from_slot last_slot (csn k) * k0 + clk k + 1 - g" by simp also with case2_2 and case2 and pos_g and twee have "\ = c k csn SYN clk last_slot + 1" by (auto simp add: c_def add_Suc) finally have ?thesis by simp } moreover { assume "clk k = k0 - 1" note case2_2_2 = this with rel_inv6 and rel_inv8 and WSN_st_restrict and pos_g have "WSN k = wait" apply - apply (drule_tac x = k in spec) apply (drule_tac x = k in spec) apply (drule_tac x = k in spec) apply auto done note wsn_k_wait = this from step have "last_slotp = last_slot" by simp note last_p = this with step and wsn_k_wait and case2_2 and case2_2_2 and pos_g have "clkp k = 0" by simp note clkp_0 = this from step and wsn_k_wait and case2_2_2 have "csnp k = (csn k + 1) mod C" by simp note csnp_here = this with last_p and pos_g and slots_node and rel_inv3 and rel_inv12 and case2 have "from_slot last_slotp (csnp k) = from_slot last_slot (csn k) + 1" proof (cases "csn k < C - 1") case False with rel_inv3 have "csn k = C - 1" apply (drule_tac x = k in spec) apply auto done note csn_val = this with csnp_here have "csnp k= 0" by auto note csnp_val = this have "last_slot > 0" proof - -- "we case split on whether TX (csn k)" { assume "TX (csn k) tsn" note TX_csnk = this from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) with TX_csnk and case2_2_2 have "last_slot = csn k" by simp with csn_val and slots_node have ?thesis by simp } moreover { assume "\ TX (csn k) tsn" note not_TX_csnk = this from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) with not_TX_csnk and case2 have "last_slot = PREV (csn k) tsn_max tsn" by simp note last_slot_prev = this with csn_val and slots_node and tsn_max_3 and PREV1_nmin1 and not_TX_csnk and last_slot_prev have ?thesis by (auto simp add: PREV_def) } ultimately show ?thesis by metis qed note last_slot_nz = this from rel_inv12 and case2 and csn_val have "from_slot last_slot (csn k) = C - 1 - last_slot" by (auto simp add: from_slot_def) note from_slot = this from rel_inv12 and case2 and csnp_val and last_slot_nz and last_p have "from_slot last_slotp (csnp k) = C - last_slot" by (auto simp add: from_slot_def) with from_slot show ?thesis by simp next case True note case_csn_less = this then show ?thesis proof (cases "last_slot \ csn k") case True with csnp_here and case_csn_less and rel_inv3 and last_p show ?thesis apply (drule_tac x = k in spec) apply (auto simp add: from_slot_def mod_pos_pos_trivial) done next case False -- "we have last_slot > csn k" -- "this case can only happen when csn k = 0" -- "because TX(0) at csn k = 1, we have last = 0" note bad_case = this { assume "csn k = 0" note csnk_z = this from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) with TX_0 and case2_2_2 and csnk_z have "last_slot = 0" by simp with bad_case and csnk_z have "False" by simp then have ?thesis by simp } moreover { assume "csn k \ 0" note csnk_nz = this -- "we case split on TX(csn k)" { assume "TX (csn k) tsn" note tx_csnk = this from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) with tx_csnk and case2_2_2 have "last_slot = csn k" by simp with bad_case have "False" by simp then have ?thesis by simp } moreover { assume "\ TX (csn k) tsn" note not_tx_csnk = this from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) with not_tx_csnk and case2 have "last_slot = PREV (csn k) tsn_max tsn" by simp note last_slot_is_PREV = this { assume "csn k \ n" note csn_ge_n = this then have "PREV (csn k) tsn_max tsn = tsn tsn_max" by (simp add: PREV_def) with last_slot_is_PREV have "last_slot = tsn tsn_max" by simp with tsn_restrict have "last_slot < n" by simp with csn_ge_n have "last_slot < csn k" by simp with bad_case have "False" by simp then have ?thesis by simp } moreover { assume "csn k < n" note csn_less_n = this with csnk_nz have "PREV (csn k) tsn_max tsn = int (PREV1 (nat (csn k)) tsn_max tsn)" by (simp add: PREV_def) note prev_is_prev1 = this with csnk_nz and rel_inv3 have "csn k > 0" apply (drule_tac x = k in spec) apply auto done note csnk_pos = this with PREV1_less[of "nat (csn k)"] have "PREV1 (nat (csn k)) tsn_max tsn \ nat (csn k)" by simp with prev_is_prev1 and last_slot_is_PREV and csnk_pos have "last_slot \ csn k" by auto with bad_case have "False" by simp then have ?thesis by simp } moreover have "csn k < n \ csn k \ n" by auto ultimately have ?thesis by auto } ultimately have ?thesis by metis } ultimately show ?thesis by metis qed qed note ici = this with SYNp_k and last_p and case2 and clkp_0 have "c k csnp SYNp clkp last_slotp = from_slot last_slotp (csnp k) * k0 - g" by (simp add: c_def) also with pos_g have "\ = from_slot last_slotp (csnp k) * k0 - 1 - g + 1" by simp also with ici have "\ = ((from_slot last_slot (csn k)) + 1) * k0 - 1 - g + 1" by simp also with pos_g have "\ = from_slot last_slot (csn k) * k0 + k0 - 1 - g + 1" by (auto simp add: left_distrib) also with case2 and case2_2 and case2_2_2 have "\ = c k csn SYN clk last_slot + 1" by (simp add: c_def) finally have ?thesis by simp } moreover from calculation and rel_inv2 have ?thesis apply (drule_tac x = k in spec) apply (metis INV_2_def add1_zle_eq add_less_cancel_left diff_less_eq less_not_permute rel_inv2 zadd_commute zle_diff1_eq zle_refl zless_add1_eq zless_imp_add1_zle zless_le zless_linear) done } moreover from calculation and SYN_st_restrict have ?thesis by auto } moreover from rel_inv12 and slots_node have "last_slot = -1 \ last_slot \ 0" by auto ultimately show ?thesis by auto qed } note Lemma3 = this -- "we now prove G_1" { from ind_hyp have "\ i. G_1 i csn SYN clk x y last_slot " by (simp only: G_def) auto note G_1_i = this { fix i::int assume "i \ k" with step and G_1_i have "G_1 i csnp SYNp clkp xp yp last_slotp" apply auto apply (drule_tac x = i in spec) apply (auto simp add: c_def) done } then have "\ i. i \ k \ G_1 i csnp SYNp clkp xp yp last_slotp" by simp moreover { -- "we prove it for i = k" from step have "yp = y" by simp moreover from G_1_i have "y \ real (c k csn SYN clk last_slot) * max + x k" by simp moreover from rel_inv1 have " real (c k csn SYN clk last_slot) * max + x k \ real (c k csn SYN clk last_slot) * max + max" by auto ultimately have "yp \ real (c k csn SYN clk last_slot) * max + max" by simp moreover from Lemma3 have "real (c k csn SYN clk last_slot) * max + max = real (c k csnp SYNp clkp last_slotp) * max" by (simp add: left_distrib) ultimately have "yp \ real (c k csnp SYNp clkp last_slotp) * max" by simp moreover from step have "xp k = 0" by simp ultimately have "yp \ real (c k csnp SYNp clkp last_slotp) * max + xp k" by simp then have "G_1 k csnp SYNp clkp xp yp last_slotp" by simp } ultimately have "\ i. G_1 i csnp SYNp clkp xp yp last_slotp" by auto } note G_1 = this -- "We prove G_2" { from ind_hyp have "\ i. G_2 i csn SYN clk x y last_slot" by (simp only: G_def) auto note G_2_i = this { fix i::int assume "i \ k" with step and G_2_i have "G_2 i csnp SYNp clkp xp yp last_slotp" apply auto apply (drule_tac x = i in spec) apply (auto simp add: c_def) done } then have "\ i. i \ k \ G_2 i csnp SYNp clkp xp yp last_slotp" by simp moreover { -- "from G10(i) we distinguish two cases" { assume "c k csn SYN clk last_slot = 0" with Lemma3 have "c k csnp SYNp clkp last_slotp = 1" by auto with step have "(real (c k csnp SYNp clkp last_slotp) - 1) * min + xp k = 0" by simp moreover from rel_inv9 and step have "yp \ 0" by simp ultimately have "yp \ (real (c k csnp SYNp clkp last_slotp) - 1) * min + xp k" by auto then have "G_2 k csnp SYNp clkp xp yp last_slotp" by simp } moreover { assume "c k csn SYN clk last_slot > 0" note c_0 = this with Lemma3 have "c k csnp SYNp clkp last_slotp > 0" by auto note c_nz = this from ind_hyp have "G_2 k csn SYN clk x y last_slot" by (simp only: G_def) with c_0 and step have "y \ (real (c k csn SYN clk last_slot) - 1) * min + x k" by auto moreover from step have "yp = y" by simp ultimately have "yp \ (real (c k csn SYN clk last_slot) - 1) * min + x k" by simp moreover with step have "(real (c k csn SYN clk last_slot) - 1) * min + x k \ (real (c k csn SYN clk last_slot)) * min" by (simp add: left_diff_distrib) ultimately have "yp \ (real (c k csn SYN clk last_slot)) * min" by simp moreover { with Lemma3 have "(real (c k csn SYN clk last_slot)) * min = (real (c k csnp SYNp clkp last_slotp) - 1) * min" by simp also with step have "\ = (real (c k csnp SYNp clkp last_slotp) - 1) * min + xp k" by simp finally have "(real (c k csn SYN clk last_slot)) * min = (real (c k csnp SYNp clkp last_slotp) - 1) * min + xp k" by simp } ultimately have "yp \ (real (c k csnp SYNp clkp last_slotp) - 1) * min + xp k" by simp then have "G_2 k csnp SYNp clkp xp yp last_slotp" by simp } moreover from ind_hyp have "G_10 k csn SYN clk last_slot" by (simp only: G_def) ultimately have "G_2 k csnp SYNp clkp xp yp last_slotp" by (metis AC_add.ident G_2_def Lemma3 add_less_cancel_left class_ringb.add_r0_iff zadd_0 zadd_commute zadd_strict_right_mono zless_add1_eq) } ultimately have "\i. G_2 i csnp SYNp clkp xp yp last_slotp " by (auto simp del: G_2_def) } note G_2 = this -- "We proceed to show that G_3 is preserved by tick actions" { from ind_hyp have "\ i. G_3 i csn tsn WSN clk last_slot" by (simp only: G_def) auto note G_3_i = this -- "if i \ k then tick does not modify any variable in G_3, so G_3 still holds" { fix i::int assume "i \ k" note i_not_k = this with step have "csnp i = csn i \ WSNp i = WSN i \ clkp i = clk i \ last_slotp = last_slot" by auto moreover from G_3_i have " G_3 i csn tsn WSN clk last_slot" by auto ultimately have "G_3 i csnp tsn WSNp clkp last_slotp" by (simp only: G_3_def) } then have "\ i. i \ k \ G_3 i csnp tsn WSNp clkp last_slotp" by simp moreover { -- "we now prove it for i = k" from G_3_i have "G_3 k csn tsn WSN clk last_slot" by simp note G_3_k = this from step have "last_slotp = last_slot" by auto note last_slotp = this from rel_inv4 and step have "WSN k \ GO_SEND" by simp note not_go_send = this { assume "csnp k = csn k" note case1 = this then have "G_3 k csnp tsn WSNp clkp last_slotp" proof - { assume "csn k = tsn k \ (clk k < g \ WSN k = GO_SEND)" note case1_1 = this with G_3_k and not_go_send have "last_slot \ csn k" by simp moreover from step and pos_g and case1_1 have "csnp k = csn k" by auto moreover from calculation and last_slotp have "last_slotp \ csnp k" by simp then have ?thesis by simp } moreover { assume "csn k \ tsn k" note case1_2 = this with step and case1 have "csnp k \ tsn k" by simp then have ?thesis by simp } moreover { assume "csn k = tsn k \ (clk k \ g \ (WSN k = wait \ WSN k = SENDING))" note case1_3 = this { assume "WSN k = wait" note WSNk_wait = this from case1_3 and slots_node have "C \ 3" by simp with rel_inv3 have "csn k \ (csn k + 1) mod C" apply (drule_tac x = k in spec) apply (cases "csn k = C - 1") apply auto apply (simp add: mod_pos_pos_trivial) done with case1 and step and not_go_send and G_3_k and case1_3 and WSNk_wait have "clk k \ k0 - 1" by auto } moreover { assume "WSN k = SENDING" note WSNk_sending = this from rel_inv8 and WSNk_sending and pos_g have "clk k < k0 - 1" by auto then have "clk k \ k0 - 1" by simp } moreover from calculation and case1_3 have "clk k \ k0 - 1" by metis with step and case1_3 and pos_g and rel_inv2 have "csnp k = tsn k \ (clkp k \ g \ (WSNp k = wait \ WSNp k = SENDING))" apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done with last_slotp and step have ?thesis apply simp apply auto done } moreover from WSN_st_restrict have " csn k = tsn k \ (clk k < g \ WSN k = GO_SEND) \ csn k \ tsn k \ csn k = tsn k \ (clk k \ g \ (WSN k = wait \ WSN k = SENDING))" apply simp apply (drule_tac x = k in spec) apply auto done ultimately show ?thesis by (auto simp del: G_3_def) qed } moreover { assume "csnp k \ csn k" note case2 = this with step have "WSN k = wait \ clk k = k0 - 1" apply simp apply (cases "WSN k = wait \ clk k = k0 - 1") apply simp apply safe apply simp_all done note een = this from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) with een and SYN_st_restrict have "SYN k = S_0" by auto note S_0_k = this with step and pos_g and een have "WSNp k = wait \ clkp k = 0" by simp note twee = this with step and een have "csnp k = (csn k + 1) mod C" by simp note drie = this { assume "csnp k \ tsn k" note case2_1 = this then have "G_3 k csnp tsn WSNp clkp last_slotp" by (auto simp only: G_3_def) } moreover { assume "csnp k = tsn k" note case2_2 = this -- "from G_7 we can distinguish 3 cases" from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) then have "last_slot = -1 \ (TX (csn k) tsn \ last_slot = csn k) \ last_slot = PREV (csn k) tsn_max tsn" by simp moreover { assume "last_slot = -1" note case2_2_1 = this with last_slotp and tsn_restrict have "G_3 k csnp tsn WSNp clkp last_slotp" apply (drule_tac x = k in spec) apply simp done } moreover { assume "(TX (csn k) tsn \ last_slot = csn k)" note case2_2_2 = this with last_slotp and case2 have "G_3 k csnp tsn WSNp clkp last_slotp" by simp } moreover { assume "last_slot = PREV (csn k) tsn_max tsn" note case2_2_3 = this note last_slot_is_prev = this moreover with case2 and step have "csnp k = (csn k + 1) mod C" by auto note csnp_val = this moreover have "PREV (csn k) tsn_max tsn \ (csn k + 1) mod C" proof - { assume "csn k = 0" note csnk_z = this then have "PREV (csn k) tsn_max tsn = tsn tsn_max" by (simp add: PREV_def) moreover with tsn_max_3 have "PREV (csn k) tsn_max tsn \ 2" by simp moreover from csnp_val and csnk_z and slots_node have "(csn k + 1) mod C = 1" by (auto simp add: mod_pos_pos_trivial) ultimately have ?thesis by simp } moreover { assume "0 < csn k \ csn k < n - 1" note csnk_le_nmin1 = this with slots_node have "(csn k + 1) mod C = csn k + 1" by (auto simp add: mod_pos_pos_trivial) moreover from csnk_le_nmin1 and PREV1_less[of "nat (csn k)"] have "PREV (csn k) tsn_max tsn \ csn k" by (auto simp add: PREV_def) ultimately have ?thesis by auto } moreover { assume "csn k = n - 1 \ n < C" note csnk_eq_nmin1_neq_C = this with slots_node have "(csn k + 1) mod C = csn k + 1" by (auto simp add: mod_pos_pos_trivial) moreover from csnk_eq_nmin1_neq_C and PREV1_less[of "nat (csn k)"] and slots_node have "PREV (csn k) tsn_max tsn \ csn k" by (auto simp add: PREV_def) ultimately have ?thesis by auto } moreover { assume "csn k = n - 1 \ n = C" note csnk_eq_nmin1_eqC = this then have "(csn k + 1) mod C = 0" by simp moreover from csnk_eq_nmin1_eqC and PREV1_nmin1_ge1[of "nat (csn k)"] and slots_node have "PREV (csn k) tsn_max tsn \ 1" by (auto simp add: PREV_def) ultimately have ?thesis by simp } moreover { assume "n \ csn k" note csnk_geq_n = this then have "PREV (csn k) tsn_max tsn = tsn tsn_max" by (simp add: PREV_def) note prev_is_tsn_max = this { assume "csn k < C - 1" note csnk_le_Cmin1 = this with rel_inv3 have "(csn k + 1) mod C = csn k + 1" apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done moreover with csnk_geq_n have "csn k + 1 > n" by simp moreover { from tsn_restrict have "tsn tsn_max < n" by auto with prev_is_tsn_max have "PREV (csn k) tsn_max tsn < n" by simp } ultimately have ?thesis by auto } moreover { assume "csn k = C - 1" note csnk_eq_Cmin1 = this then have "(csn k + 1) mod C = 0" by simp moreover with csnk_eq_Cmin1 and csnk_geq_n have "PREV (csn k) tsn_max tsn = tsn tsn_max" by (simp add: PREV_def) moreover from tsn_max_3 have "tsn tsn_max > 0" by auto ultimately have ?thesis by auto } moreover from rel_inv3 have "csn k < C - 1 \ csn k = C - 1" apply (drule_tac x = k in spec) apply auto done ultimately have ?thesis by metis } moreover from slots_node and rel_inv3 have "csn k = 0 \ (0 < csn k \ csn k < n - 1) \ (csn k = n - 1 \ n < C) \ (csn k = n - 1 \ n = C) \ (csn k \ n)" apply (drule_tac x = k in spec) apply auto done ultimately show ?thesis by auto qed moreover from calculation and last_slotp have "last_slotp \ csnp k" by simp then have "G_3 k csnp tsn WSNp clkp last_slotp" by simp } ultimately have "G_3 k csnp tsn WSNp clkp last_slotp" by (auto simp del: G_3_def) } ultimately have "G_3 k csnp tsn WSNp clkp last_slotp" by (auto simp del: G_3_def) } moreover have "csnp k = csn k \ csnp k \ csn k" by simp ultimately have "G_3 k csnp tsn WSNp clkp last_slotp" by (auto simp del: G_3_def) } ultimately have "\ i. G_3 i csnp tsn WSNp clkp last_slotp" by (auto simp del: G_3_def) } note G_3 = this -- "we now prove G3_a" { from ind_hyp have "\ i. G_3a i csn tsn WSN clk" by (simp only: G_def) auto note G_3a_i = this { fix i::int assume "i \ k" note i_not_k = this from G_3a_i have "G_3a i csn tsn WSN clk" by auto moreover from step and i_not_k have "csnp i = csn i \ WSNp i = WSN i \ clkp i = clk i" by simp ultimately have "G_3a i csnp tsn WSNp clkp" by simp } then have "\ i. i \ k \ G_3a i csnp tsn WSNp clkp" by simp moreover { -- "we now prove for i = k" { assume "csnp k = tsn k \ clkp k = g" note case_current = this with step have "clkp k = (clk k + 1) mod k0" proof (cases "SYN k = S_0") case True with step show ?thesis by auto next case False with case_current and step have "False" by auto then show ?thesis by simp qed note clkp_val = this with case_current and pos_g have "clk k = g - 1" proof (cases "clk k + 1 = k0") case True with case_current and clkp_val have "(clk k + 1) mod k0 = 0" by auto with case_current and clkp_val and pos_g have "False" by auto then show ?thesis by simp next case False with rel_inv2 have "clk k + 1 < k0 \ clk k \ 0" apply (drule_tac x = k in spec) apply auto done then have "(clk k + 1) mod k0 = clk k + 1" by (auto simp add: mod_pos_pos_trivial) with clkp_val have "clkp k = clk k + 1" by simp with case_current show ?thesis by auto qed moreover { with pos_g have "clk k \ k0 - 1" by auto with step have "csn k = csnp k" by auto with case_current have "csn k = tsn k" by simp } ultimately have "csn k = tsn k \ clk k = g - 1" by simp moreover with rel_inv6 and rel_inv8 and WSN_st_restrict and pos_g have "WSN k = wait" apply auto apply (drule_tac x = k in spec) apply (drule_tac x = k in spec) apply (drule_tac x = k in spec) apply auto done moreover from calculation and step and pos_g have "WSNp k = GO_SEND" by auto then have "G_3a k csnp tsn WSNp clkp" by simp } moreover { assume "csnp k \ tsn k \ clkp k \ g" with step have "G_3a k csnp tsn WSNp clkp" by safe simp_all } ultimately have "G_3a k csnp tsn WSNp clkp" by simp } ultimately have "\ i. G_3a i csnp tsn WSNp clkp" by (auto simp del: G_3a_def) } note G_3a = this -- "we now prove G_4" { from ind_hyp have "\ i. G_4 i csn tsn WSN clk last_slot" by (simp only: G_def) auto note G_4_i = this { fix i::int assume "i \ k" note i_not_k = this from G_4_i have "G_4 i csn tsn WSN clk last_slot" by auto moreover from step and i_not_k have "csnp i = csn i \ WSNp i = WSN i \ clkp i = clk i \ last_slotp = last_slot" by simp ultimately have "G_4 i csnp tsn WSNp clkp last_slotp" by simp } then have "\ i. i \ k \ G_4 i csnp tsn WSNp clkp last_slotp" by simp moreover { -- "we now prove for i = k" from G_4_i have "G_4 k csn tsn WSN clk last_slot" by simp note G_4_k = this from ind_hyp have "\ i. G_3a i csn tsn WSN clk" by (simp only: G_def) auto note G_3a_i = this { assume "csnp k = tsn k \ clkp k > g" note ici = this then have "last_slotp = csnp k" proof - { assume "csnp k \ csn k" note bad_assume = this from step have "csnp k \ csn k \ clk k = k0 - 1" by auto with bad_assume have "clk k = k0 - 1" by simp note clk_val = this from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) then have "SYN k = S_1 \ clk k < k0 - 1" by simp with SYN_st_restrict and clk_val have "SYN k = S_0" apply (drule_tac x = k in spec) apply auto done with step and clk_val have "clkp k = 0" by auto with ici and pos_g have "False" by simp then have "csnp k = csn k" by simp } then have "csnp k = csn k" by auto note csnp_is_csn = this with ici have "csn k = tsn k" by simp note la = this { assume "clk k > g" note case1 = this with G_4_k and la have "last_slot = csn k" by simp moreover from step have "last_slotp = last_slot" by simp moreover from step and ici and pos_g and case1 and la have "csnp k = csn k" by auto ultimately have ?thesis by simp } moreover { assume "clk k = g" note case2 = this from G_3a_i have "G_3a k csn tsn WSN clk" by (simp del: G_3a_def) with case2 and la have "WSN k = SENDING \ WSN k = GO_SEND" by auto moreover { assume "WSN k = SENDING" note WSNk_sending = this from ind_hyp have "G_5 k k WSN csn last_slot" by (simp only: G_def) note G_5 = this from step have "last_slotp = last_slot" by auto with WSNk_sending and G_5 and csnp_is_csn have ?thesis by auto } moreover { assume "WSN k = GO_SEND" with step have ?thesis by auto } ultimately have ?thesis by auto } moreover { assume "clk k < g" note case3 = this { assume "SYN k = S_0" with step have "clkp k = (clk k + 1) mod k0" by auto note clkp_val = this with pos_g and case3 and rel_inv2 have "(clk k + 1) mod k0 = clk k + 1" apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done with case3 have "clkp k < g + 1" apply auto apply (metis case3 clkp_val diff_le_eq ici le_diff_eq linorder_not_less pordered_ring_class.ring_simps(24) zadd_commute zle_add1_eq_le zle_anti_sym zle_diff1_eq zle_refl zle_trans zless_imp_add1_zle zless_le) done with ici have "False" by simp } moreover from calculation and SYN_st_restrict have "SYN k = S_1" apply (drule_tac x = k in spec) apply auto done moreover from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) ultimately have "last_slot = csn k" by simp moreover from step have "last_slotp = last_slot" by simp moreover from calculation and csnp_is_csn have ?thesis by simp } moreover from pos_g have "clk k > g \ clk k = g \ clk k < g" by auto ultimately show ?thesis by auto qed then have "G_4 k csnp tsn WSNp clkp last_slotp" by simp } moreover { assume "csnp k \ tsn k \ clkp k \ g" then have "G_4 k csnp tsn WSNp clkp last_slotp" by auto } moreover have "(csnp k = tsn k \ clkp k > g) \ (csnp k \ tsn k \ clkp k \ g)" by auto ultimately have "G_4 k csnp tsn WSNp clkp last_slotp" by (auto simp del: G_4_def) } ultimately have "\ i. G_4 i csnp tsn WSNp clkp last_slotp" by (auto simp del: G_4_def) } note G_4 = this -- "we now proceed to check G_5(i,j)" { -- "If i \ k and j \ k then tick actions do not modify any variable of G_5" from ind_hyp have "\ i. (\ l. G_5 i l WSN csn last_slot)" by (auto simp only: G_def) note G_5_ij = this { fix i::int fix j::int assume "i \ k \ j \ k" note hier = this with step have "WSNp i = WSN i \ csnp i = csn i \ last_slotp = last_slot" by simp moreover from step and hier have "WSNp j = WSN j \ csnp j = csn j \ last_slotp = last_slot" by simp moreover from G_5_ij have "G_5 i j WSN csn last_slot" by (auto simp del: G_5_def) ultimately have "G_5 i j WSNp csnp last_slotp" by simp } then have "\ i l. i \ k \ l \ k \ (G_5 i l WSNp csnp last_slotp)" by (auto simp del: G_5_def) moreover { { fix j::int assume "WSNp k = SENDING" note case1_1 = this then have "csnp j = csnp k \ csnp k = last_slotp" proof - from G_5_ij have "G_5 k j WSN csn last_slot" by (auto simp del: G_5_def) note la = this moreover from case1_1 and step and WSN_st_restrict and rel_inv3 have "WSN k = SENDING" apply simp apply auto apply (metis GO_SEND_def SENDING_def Suc_eq_add_numeral_1 Suc_n_not_n add_eq_if add_is_0 natgb.add_r0_iff numeral_2_eq_2 wait_def) done note ici = this ultimately have "csn k = csn j \ csn k = last_slot" by (auto simp only: G_5_def) with step and ici and la show ?thesis by auto qed then have "G_5 k j WSNp csnp last_slotp" by simp } then have "WSNp k = SENDING \ (\ l. G_5 k l WSNp csnp last_slotp)" by (auto simp del: G_5_def) moreover { fix j::int assume "WSNp k \ SENDING" then have "G_5 k j WSNp csnp last_slotp" by simp } then have "WSNp k \ SENDING \ (\ l. G_5 k l WSNp csnp last_slotp)" by (auto simp del: G_5_def) ultimately have "(\ l. G_5 k l WSNp csnp last_slotp)" by (auto simp del: G_5_def) } moreover { fix i::int assume "i \ k" { assume "WSNp i = SENDING" note case2_1 = this then have "csnp i = csnp k \ csnp k = last_slotp" proof - from G_5_ij have "G_5 i k WSN csn last_slot" by (auto simp del: G_5_def) note la = this from case2_1 and step have "WSN i = SENDING" apply auto apply (metis GO_SEND_def SENDING_def Suc_eq_add_numeral_1 Suc_n_not_n Suc_neq_Zero WSN_st_restrict add_eq_if case2_1 diff_diff_left nat_mult_1 nat_mult_2_right wait_def) done note i_sending = this with la have "csn i = csn k \ csn k = last_slot" by simp note ici = this { assume "csnp k = csn k" with ici and step have ?thesis by auto } moreover { assume "csnp k \ csn k" with step and WSN_st_restrict have "WSN k = wait \ clk k = k0 - 1" apply auto apply (metis GO_SEND_def Suc_eq_add_numeral_1 add_eq_if wait_def) done note daar = this from rel_inv1 have "x i \ max" by simp moreover { from ind_hyp have "G_1 i csn SYN clk x y last_slot " by (simp only: G_def) then have "y \ real (c i csn SYN clk last_slot) * max + x i " by simp } ultimately have "y \ real (c i csn SYN clk last_slot) * max + max " by simp then have "y \ (real (c i csn SYN clk last_slot) + 1) * max " by (simp add: left_distrib) moreover { from ici have "from_slot last_slot (csn i) = 0" by (auto simp add: from_slot_def) moreover from ici and rel_inv3 have "last_slot \ 0" by auto moreover from rel_inv8 and i_sending have "g \ clk i" by simp ultimately have "c i csn SYN clk last_slot \ clk i - g" by (auto simp add: c_def) moreover { from rel_inv8 and i_sending and rel_inv2 have "clk i \ k0 - t - 1" by auto with pos_g have "clk i - g \ k0 - t - 1 - g" by simp } ultimately have "c i csn SYN clk last_slot \ k0 - t - 1 - g" by simp then have "c i csn SYN clk last_slot + 1 \ k0 - t - g" by simp with miax have "(real (c i csn SYN clk last_slot) + 1) * max \ (real k0 - real t - real g) * max" by simp } moreover from miax have "max > 0" by simp ultimately have "y \ (real k0 - real t - real g) * max " by (simp (no_asm) add: mult_compare_simps) note ub_y = this from ind_hyp have "G_10 k csn SYN clk last_slot" by (auto simp only: G_def) { from daar have "clk k = k0 - 1" by simp note clk_val = this from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) then have "SYN k = S_1 \ clk k < k0 - 1" by simp with SYN_st_restrict and clk_val have "SYN k = S_0" apply (drule_tac x = k in spec) apply auto done } with ici and daar and rel_inv3 have "c k csn SYN clk last_slot = k0 - 1 - g" apply (auto simp add: c_def from_slot_def) apply (drule_tac x = i in spec) apply simp done note foo = this from ind_hyp have "G_2 k csn SYN clk x y last_slot" by (auto simp only: G_def) with foo and pos_g have "y \ (-2 + (real k0 + - real g)) * min + x k" apply auto done moreover from step have "x k \ min" by simp ultimately have "y \ (-2 + (real k0 + - real g)) * min + min" by simp with miax have "y \ (-1 + (real k0 + - real g)) * min" by (simp add: left_distrib) with ub_y and pos_g have " (-1 + (real k0 + - real g)) * min \ (real k0 - real t - real g) * max " by simp with C3 and pos_g have "False" by auto then have ?thesis by simp } moreover have "csnp k = csn k \ csnp k \ csn k" by simp ultimately show ?thesis by metis qed then have "G_5 i k WSNp csnp last_slotp" by simp } moreover { assume "WSNp i \ SENDING" then have "G_5 i k WSNp csnp last_slotp" by simp } ultimately have "G_5 i k WSNp csnp last_slotp" by (auto simp del: G_5_def) } then have "\ i. i \ k \ G_5 i k WSNp csnp last_slotp" by (auto simp del: G_5_def) ultimately have "\ i. (\ l. G_5 i l WSNp csnp last_slotp)" apply (auto simp del: G_5_def) apply metis done } note G_5 = this -- "we now prove G_6" { -- "If i \ k and j \ k then tick actions do not modify any variable of G_5" from ind_hyp have "\ i. (\ l. G_6 i l WSN csn clk)" by (auto simp only: G_def) note G_6_ij = this { fix i::int fix j::int assume "i \ k \ j \ k" note hier = this with step have "WSNp i = WSN i \ csnp i = csn i \ clkp i = clk i" by simp moreover from step and hier have "WSNp j = WSN j \ csnp j = csn j \ clkp j = clk j" by simp moreover from G_6_ij have "G_6 i j WSN csn clk" by (auto simp del: G_6_def) ultimately have "G_6 i j WSNp csnp clkp" by simp } then have "\ i l. i \ k \ l \ k \ (G_6 i l WSNp csnp clkp)" by (auto simp del: G_6_def) moreover { -- "we now prove for i = k" fix j::int { assume "WSNp k = GO_SEND" note case1 = this then have "csnp k = csnp j \ clkp k = g" proof - from step and case1 have "WSN k = wait \ csn k = tsn k \ x k \ min \ clk k = g - 1 " apply simp apply (metis GO_SEND_def Suc_eq_add_numeral_1 Suc_n_not_n add_eq_if diff_diff_left wait_def) done note fact1 = this { assume "last_slot = -1" note case1_1 = this moreover from ind_hyp have "G_12 k csn last_slot" by (auto simp only: G_def) moreover from ind_hyp have "G_12 j csn last_slot" by (auto simp only: G_def) ultimately have "csn k = csn j \ csn k = 0" by simp with step and fact1 and pos_g have "csnp k = csnp j" apply simp apply auto apply metis done note goal_1= this from rel_inv11 and case1_1 have "SYN k = S_0" by simp with step and fact1 and pos_g have "clkp k = g" by (auto simp add: mod_pos_pos_trivial) with goal_1 have ?thesis by simp } moreover { assume "last_slot \ 0" note case1_2 = this from ind_hyp have "G_3 k csn tsn WSN clk last_slot" by (auto simp only: G_def) with case1 and fact1 and pos_g have "last_slot \ csn k" by auto note fact2 = this from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) with case1_2 and fact2 have "last_slot = PREV (csn k) tsn_max tsn" by simp note fact3 = this { from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) then have "SYN k = S_1 \ last_slot = csn k" by simp with fact2 and SYN_st_restrict have "SYN k = S_0" apply (drule_tac x = k in spec) apply auto done } note SYN_k = this with case1_2 and fact1 and fact3 and pos_g have "c k csn SYN clk last_slot = D (csn k) tsn_max tsn * k0 - 1 " by (auto simp add: c_def D_def) note fact4 = this { from pos_g have "k0 \ 2" by simp with D_ge_1[of "csn k"] and rel_inv3 have "D (csn k) tsn_max tsn * k0 \ 2" apply (drule_tac x = k in spec) apply auto apply (metis Pls_def comp_arith(61) fact1 less_eq_Pls_Bit linorder_not_le linorder_not_less mult_less_cancel_left2 number_of_is_id xt1(8) zero_le_one zle_trans zmult_commute) done } then have "D (csn k) tsn_max tsn * k0 - 1 > 0" by simp note fact5 = this from ind_hyp have "G_2 k csn SYN clk x y last_slot" by (auto simp only: G_def) with fact5 and fact4 and pos_g have "y \ (-2 + real (D (csn k) tsn_max tsn) * real k0) * min + x k" by auto with fact1 have "y \ (-2 + real (D (csn k) tsn_max tsn) * real k0) * min + min" by auto then have "y \ (-1 + real (D (csn k) tsn_max tsn) * real k0) * min" by (simp add: left_distrib) note fact7 = this moreover { from D_ge_1[of "csn k"] and TX_0 and pos_g and rel_inv3 have "D (csn k) tsn_max tsn * k0 \ k0 " apply auto apply (simp add: mult_compare_simps) done with pos_g and D_ge_1[of "csn k"] and TX_0 and rel_inv3 have "real (D (csn k) tsn_max tsn) * real k0 \ real k0 " by (auto simp add: mult_compare_simps) with pos_g and miax have "(-1 + real (D (csn k) tsn_max tsn) * real k0) * min \ (real k0 - 1) * min" by auto } ultimately have "y \ (real k0 - 1) * min" by auto moreover { from C3 and pos_g have "(-1 + (real k0 + - real g)) * min > (real k0 - real t - real g) * max" by auto moreover from pos_g and miax have "(-1 + (real k0 + - real g)) * min \ (real k0 - 1) * min" by auto ultimately have "(real k0 - 1) * min > (real k0 - real t - real g) * max" by auto moreover { from pos_g have "(real k0 - real t - real g) \ 2" by auto with pos_g and miax have "(real k0 - real t - real g) * max \ 2 * max" by auto } ultimately have "(real k0 - 1) * min > 2 * max" by simp } ultimately have "y > 2 * max" by simp note lb_y = this -- "we now derive an upper bound for y" with rel_inv10 and rel_inv1 and SYN_st_restrict have "SYN j = S_0" apply auto apply (drule_tac x = j in spec) apply (drule_tac x = j in spec) apply (drule_tac x = j in spec) apply simp done note S_0_j = this with case1_2 have "c j csn SYN clk last_slot = from_slot last_slot (csn j) * k0 + clk j - g" by (simp add: c_def) note fact30 = this from ind_hyp have "G_1 j csn SYN clk x y last_slot " by (simp only: G_def) with fact30 have "y \ ( real (from_slot last_slot (csn j) * k0 + clk j - g)) * max + x j" by auto with rel_inv1 have "y \ ( real (from_slot last_slot (csn j) * k0 + clk j - g)) * max + max" apply auto apply (drule_tac x = j in spec) apply simp done moreover with pos_g have "real (from_slot last_slot (csn j) * k0 + clk j - g) = real (from_slot last_slot (csn j)) * real k0 + real (clk j) - real g" by auto ultimately have "y \ ( real (from_slot last_slot (csn j)) * real k0 + real (clk j) - real g) * max + max" by simp then have "y \ ( real (from_slot last_slot (csn j)) * real k0 + real (clk j) - real g + 1) * max" by (auto simp add: left_distrib) note fact40 = this { -- "we now derive that last_slot \ csn j" assume "last_slot = csn j" with fact40 have "y \ (real (clk j) - real g + 1) * max" by (simp add: from_slot_def) moreover from rel_inv2 and pos_g and miax have "(real (clk j) - real g + 1)* max \ (real k0 - real g) * max" apply auto apply (drule_tac x = j in spec) by (auto simp add: left_diff_distrib mult_mono) ultimately have "y \ (real k0 - real g) * max" by simp moreover { from Lemma2[of "real (D (csn k) tsn_max tsn)"] and M_is_max have "(real (D (csn k) tsn_max tsn) * real k0 - 1) * min > (real (D (csn k) tsn_max tsn) * real k0 - real g) * max" by (auto simp add: is_max_D_def) moreover have "(real (D (csn k) tsn_max tsn) * real k0 - 1) = (-1 + real (D (csn k) tsn_max tsn) * real k0)" by simp moreover from calculation and fact7 have "y > (real (D (csn k) tsn_max tsn) * real k0 - real g) * max" by auto moreover { from D_ge_1[of "csn k"] and TX_0 and pos_g and rel_inv3 have "(real (D (csn k) tsn_max tsn) * real k0 - real g) \ (real k0 - real g)" by (auto simp add: mult_compare_simps) with pos_g and miax have "(real (D (csn k) tsn_max tsn) * real k0 - real g) * max \ (real k0 - real g) * max" by auto } ultimately have "y > (real k0 - real g) * max" by auto } ultimately have "False" by auto then have "last_slot \ csn j" by simp } then have "last_slot \ csn j" by auto note fact8 = this from ind_hyp have "G_7 j tsn_max csn tsn last_slot" by (simp only: G_def) with case1_2 and fact8 have "last_slot = PREV (csn j) tsn_max tsn" by auto note fact9 = this def m_k == "D (csn k) tsn_max tsn" def m_j == "D (csn j) tsn_max tsn" from fact1 have "TX (csn k) tsn" by (auto simp add: TX_def) note tx_csnk = this moreover from fact3 and fact9 have "PREV (csn k) tsn_max tsn = PREV (csn j) tsn_max tsn" by simp note PREV_eq_k_j = this moreover from calculation and TX_tsn_imp_less_n[where s = "csn k" ] and tsn_max_3 and slots_node have "m_j \ m_k" proof (cases "csn k = 0") from rel_inv3 have "csn k < C \ csn j < C" by auto note csn_k_j = this from tsn_restrict have "tsn tsn_max < n" by auto note tsn_max_limit = this case True note case_1 = this { assume "csn j = 0 \ csn j \ n" note case_11 = this with calculation and tsn_max_3 and csn_k_j and tsn_max_limit and case_1 and slots_node have ?thesis apply (simp add: m_k_def m_j_def) apply (simp add: PREV_def) apply safe apply simp apply (simp add: D_def PREV_def from_slot_def) done } moreover { assume "\ (csn j = 0 \ csn j \ n)" note case_12 = this with tx_csnk and PREV_eq_k_j and tsn_max_3 and csn_k_j and tsn_max_limit and case_1 and slots_node and rel_inv3 have ?thesis apply (simp add: m_k_def m_j_def) apply (simp add: D_def PREV_def from_slot_def) done } ultimately show ?thesis by metis next from rel_inv3 have "csn k < C \ csn j < C" by auto note csn_k_j = this from tsn_restrict have "tsn tsn_max < n" by auto note tsn_max_limit = this from calculation and TX_tsn_imp_less_n[where s = "csn k"] have "csn k < n" by auto note csn_k_ub = this case False -- "csn k > 0" with rel_inv3 have "csn k > 0" by (drule_tac x = k in spec) auto note case_2 = this { assume "csn j = 0 \ csn j \ n" note case_12 = this with calculation and tsn_max_3 and csn_k_j and tsn_max_limit and case_2 and slots_node and csn_k_ub and is_max_tsn_max and rel_inv3 have ?thesis apply (drule_tac x = k in spec) apply (simp add: m_k_def m_j_def) apply (simp add: PREV_def) apply (insert PREV1_TX1[of "nat (csn k)"]) apply auto done } moreover { assume "\ (csn j = 0 \ csn j \ n)" with rel_inv3 have "csn j > 0 \ csn j < n" by (drule_tac x = j in spec) auto note csnj_pos = this { assume "csn j > csn k" with tx_csnk and PREV1_TX2[of "nat (csn k)" "nat (csn j)"] and case_2 and csnj_pos have "PREV1 (nat (csn j)) tsn_max tsn \ nat (csn k)" by simp with csnj_pos have "PREV (csn j) tsn_max tsn \ csn k" by (simp add: PREV_def) moreover from case_2 and PREV_less[of "csn k"] have "PREV (csn k) tsn_max tsn < csn k" by simp moreover from calculation and PREV_eq_k_j have "False" by simp then have ?thesis by simp } moreover { assume "csn j \ csn k" with case_2 and csn_k_ub and PREV_eq_k_j and PREV_less[of "csn k"] and PREV_less[of "csn j"] and csnj_pos have ?thesis apply simp apply (simp add: m_k_def m_j_def) apply (simp add: D_def PREV_def from_slot_def) done } moreover have "csn j > csn k \ csn j \ csn k" by auto ultimately have ?thesis by metis } ultimately show ?thesis by metis qed note m_j_le_m_k = this from fact9 and fact40 have "(real m_j * real k0 + real (clk j) - real g + 1) * max \ y" by (auto simp add: m_j_def D_def) moreover { from Lemma2[of "real (D (csn k) tsn_max tsn)"] and M_is_max have "(real (D (csn k) tsn_max tsn) * real k0 - 1) * min > (real (D (csn k) tsn_max tsn) * real k0 - real g) * max" by (auto simp add: is_max_D_def) moreover have "(real (D (csn k) tsn_max tsn) * real k0 - 1) = (-1 + real (D (csn k) tsn_max tsn) * real k0)" by simp moreover from calculation and fact7 have "y > (real (D (csn k) tsn_max tsn) * real k0 - real g) * max" by auto then have "y > (real m_k * real k0 - real g) * max" by (simp add: m_k_def) } ultimately have "(real m_j * real k0 + real (clk j) - real g + 1) * max > (real m_k * real k0 - real g) * max" by simp with miax have "(real m_j * real k0 + real (clk j) - real g + 1) > (real m_k * real k0 - real g)" by simp then have "real m_j * real k0 + real (clk j) + 1 > real m_k * real k0" by simp moreover from rel_inv2 have "real m_j * real k0 + real k0 \ real m_j * real k0 + real (clk j) + 1" apply auto apply (drule_tac x = j in spec) apply auto done ultimately have "real m_j * real k0 + real k0 > real m_k * real k0" by simp then have "(real m_j + 1) * real k0 > real m_k * real k0" by (simp add: left_distrib) moreover from pos_g have "k0 > 0" by simp ultimately have "real m_j + 1 > real m_k" by auto then have "real m_j \ real m_k" by simp then have "m_j \ m_k" by simp with m_j_le_m_k have "m_k = m_j" by simp note m_k_eq_m_j = this with PREV_eq_k_j and rel_inv3 and tsn_max_3 and TX_0 have "csn k = csn j" proof (cases "csn k = 0") case True -- "csn k = 0" note csn_z = this with tsn_max_3 have "PREV 0 tsn_max tsn > 0" by (simp add: PREV_def) with m_k_eq_m_j and PREV_eq_k_j and csn_z show ?thesis proof (cases "csn j = 0") case True with csn_z show ?thesis by metis next case False note csnj_nz = this with rel_inv3 have "csn j > 0 \ csn j < C" by (drule_tac x = j in spec) auto note csnj_bounds = this with PREV_less[of "csn j"] have "PREV (csn j) tsn_max tsn < csn j (*\ PREV (csn j) tsn_max tsn > 0*)" by simp note prev_csnj_le_csnj = this from tsn_max_3 have "PREV 0 tsn_max tsn > 0" by (simp add: PREV_def) with m_k_eq_m_j and PREV_eq_k_j and csn_z and csnj_bounds and prev_csnj_le_csnj show ?thesis by (auto simp add: m_k_def m_j_def D_def from_slot_def) qed next case False note csnk_nz = this with rel_inv3 have "csn k > 0 \ csn k < C" by (drule_tac x = k in spec) auto note csnk_bounds = this with PREV_less[of "csn k"] have "PREV (csn k) tsn_max tsn < csn k" by simp with PREV_eq_k_j have "PREV (csn j) tsn_max tsn < csn k" by simp note prev_csnj_le_csnk = this with m_k_eq_m_j and PREV_eq_k_j show ?thesis proof (cases "csn j = 0") case True note csnj_z = this with tsn_max_3 have "PREV 0 tsn_max tsn > 0" by (simp add: PREV_def) note prev_0 = this with m_k_eq_m_j and PREV_eq_k_j and prev_csnj_le_csnk and csnj_z and csnk_bounds show ?thesis by (auto simp add: m_k_def m_j_def D_def from_slot_def) next case False with rel_inv3 have "csn j > 0 \ csn j < C" by (drule_tac x = j in spec) auto with PREV_less[of "csn j"] have "PREV (csn j) tsn_max tsn < csn j" by simp with m_k_eq_m_j and PREV_eq_k_j and prev_csnj_le_csnk show ?thesis by (auto simp add: m_k_def m_j_def D_def from_slot_def) qed qed with step and fact1 and pos_g have "csnp k = csnp j" apply auto apply metis done note csnp_eq = this with step and SYN_k and fact1 and pos_g have "clkp k = g" by (simp add: mod_pos_pos_trivial) with csnp_eq have "csnp k = csnp j \ clkp k = g" by simp } moreover from rel_inv12 have "last_slot = -1 \ last_slot \ 0" by auto ultimately show ?thesis by auto qed with case1 have "G_6 k j WSNp csnp clkp" by (auto simp only: G_6_def) } moreover { assume "WSNp k \ GO_SEND" then have "G_6 k j WSNp csnp clkp" by simp } ultimately have "G_6 k j WSNp csnp clkp" by (auto simp del: G_6_def) } then have "\ l. G_6 k l WSNp csnp clkp" by (auto simp del: G_6_def) moreover { fix i::int assume "i \ k" note i_not_k = this { assume "WSNp i \ GO_SEND" then have "G_6 i k WSNp csnp clkp" by simp } moreover { assume "WSNp i = GO_SEND" note wsnp_i_go_send = this with step and i_not_k have "WSN i = GO_SEND" by auto note wsn_i_go_send = this from G_6_ij have "G_6 i k WSN csn clk" by (auto simp del: G_6_def) with wsn_i_go_send have "csn i = csn k \ clk i = g" by simp note hier = this from step and i_not_k have "csnp i = csn i \ clkp i = clk i" by auto note daar = this { assume "csnp k = csn k" with hier and daar have "csnp i = csnp k \ clkp i = g" by simp } moreover { assume "csnp k \ csn k" note csnp_not_eq = this with step have "clk k = k0 - 1" apply auto apply (metis GO_SEND_def Suc_eq_add_numeral_1 add_eq_if wait_def) done moreover { from rel_inv5 and wsn_i_go_send have "csn i = tsn i" by simp with hier have "TX (csn k) tsn" by (auto simp add: TX_def) } note TX_k = this moreover from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) ultimately have "last_slot = csn k" by simp moreover { from ind_hyp have "G_3 i csn tsn WSN clk last_slot" by (auto simp only: G_def) moreover from rel_inv5 and wsn_i_go_send have "csn i = tsn i" by simp moreover from calculation and wsn_i_go_send have "last_slot \ csn i" by simp } ultimately have "csn i \ csn k" by simp with hier have "False" by simp then have "csnp i = csnp k \ clkp i = g" by simp } ultimately have "csnp i = csnp k \ clkp i = g" by metis then have "G_6 i k WSNp csnp clkp" by simp } ultimately have "G_6 i k WSNp csnp clkp" by (auto simp del: G_6_def) } then have "\ i. i \ k \ G_6 i k WSNp csnp clkp" by (auto simp del: G_6_def) ultimately have "\ i. (\ l. G_6 i l WSNp csnp clkp)" apply (auto simp del: G_6_def) apply metis done note G_6 = this -- "now we prove G_7" { { fix i::int assume "i \ k" note i_not_k = this with step have "csnp i = csn i \ last_slotp = last_slot" by simp moreover from ind_hyp have "G_7 i tsn_max csn tsn last_slot" by (simp only: G_def) ultimately have "G_7 i tsn_max csnp tsn last_slotp" by simp } then have "\ i. i \ k \ G_7 i tsn_max csnp tsn last_slotp" by simp moreover { -- "we now derive G_7(k)" from step have "last_slotp = last_slot" by simp note last_slot_eq = this { assume "csnp k = csn k" note csn_k_unchanged = this moreover from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) moreover from calculation and last_slot_eq have "G_7 k tsn_max csnp tsn last_slotp" by simp } moreover { assume "csnp k \ csn k" note csn_k_changed = this with step and WSN_st_restrict have "WSN k = wait \ clk k = k0 - 1" apply auto apply (metis GO_SEND_def Suc_eq_add_numeral_1 add_eq_if wait_def) done note important1 = this with step have "csnp k = (csn k + 1) mod C" by simp note csnp_val = this { assume "last_slot = -1" with last_slot_eq have "last_slotp = -1" by simp then have "G_7 k tsn_max csnp tsn last_slotp" by simp } moreover { assume "last_slot \ 0" note pos_last_slot = this { assume "TX (csn k) tsn" note TX_k = this from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) with TX_k and important1 have "last_slot = csn k" by auto note last_slot_csn_k = this with rel_inv3 and TX_k have "TX ((csn k) mod C) tsn " apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done note tx_csn_k_mod = this with PREV_TX1[of "(csn k) mod C"] have "PREV ((csn k + 1) mod C) tsn_max tsn = (csn k) mod C" proof (cases "csn k = C - 1") case True note csn_Cmin1 = this moreover with TX_diff_C_imp_C_is_n and TX_k have "C - 1 = n - 1" by auto moreover with slots_node have "C = n" by auto moreover with csn_Cmin1 and TX_k and TX_n_imp_max_n have "tsn tsn_max = n - 1" by auto moreover with csn_Cmin1 have "PREV 0 tsn_max tsn = n - 1" by (auto simp add: PREV_def) moreover from calculation and slots_node and rel_inv3 show ?thesis apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done next case False note csn_less_C = this with rel_inv3 and slots_node have "csn k < C \ (csn k) + 1 < C" by (drule_tac x = k in spec) auto moreover from TX_tsn_imp_less_n and TX_k have "csn k < n" by auto moreover from slots_node have "csn k < n \ n \ (csn k) + 1 \ csn k = n - 1" by auto moreover with TX_k and TX_n_imp_max_n have "csn k < n \ n \ (csn k) + 1 \ tsn tsn_max = n - 1" apply - apply simp apply auto apply (cases "csn k = n - 1") apply simp apply simp done moreover from calculation and TX_k and rel_inv3 show ?thesis proof (cases "csn k + 1 \ n") case True with calculation and TX_k and rel_inv3 and PREV_TX1[of "csn k"] show ?thesis apply (drule_tac x = k in spec) apply auto apply (auto simp add: mod_pos_pos_trivial) done next case False with slots_node have "csn k + 1 < C" by simp with rel_inv3 and PREV_TX1[of "csn k"] and TX_k show ?thesis apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done qed qed moreover from csnp_val have "PREV (csnp k) tsn_max tsn = PREV ((csn k + 1) mod C) tsn_max tsn" by simp moreover from rel_inv3 have "csn k < C \ 0 \ csn k" by auto ultimately have "PREV (csnp k) tsn_max tsn = csn k" by (simp add: mod_pos_pos_trivial) moreover { from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) with important1 and TX_k and last_slot_eq have "last_slotp = csn k" by simp } ultimately have "PREV (csnp k) tsn_max tsn = last_slotp" by simp then have "G_7 k tsn_max csnp tsn last_slotp" by simp } moreover { assume "\ TX (csn k) tsn" note not_TX_k = this with slots_node have "PREV ((csn k + 1) mod C) tsn_max tsn = PREV (csn k) tsn_max tsn" proof (cases "csn k = C - 1") case True note case_true= this from slots_node have "n \ C \ \ n \ C - 1 \ (n = C \ n - 1 = C - 1)" by auto note C_is_n = this from slots_node have "nat (C - 1) = nat C - Suc 0" by auto with PREV1_nmin1 and not_TX_k and case_true and C_is_n have "n \ C \ \ n \ C - 1 \ int (PREV1 (nat (C - 1)) tsn_max tsn) = tsn tsn_max" by auto with slots_node and case_true and C_is_n show ?thesis apply auto apply (auto simp only: PREV_def) apply simp apply simp done next case False with rel_inv3 have "csn k < C - 1" by (drule_tac x = k in spec) auto moreover have "n \ csn k + 1 \ \ n \ csn k \ csn k = n - 1" by auto moreover from calculation and not_TX_k and TX_0 and slots_node and PREV_TX_not[of "csn k"] and rel_inv3 show ?thesis by (drule_tac x = k in spec) (auto simp add: mod_pos_pos_trivial) qed moreover { from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) with not_TX_k and pos_last_slot and last_slot_eq have "last_slotp = PREV (csn k) tsn_max tsn" by simp } ultimately have "PREV ((csn k + 1) mod C) tsn_max tsn = last_slotp " by simp with csnp_val have "PREV (csnp k) tsn_max tsn = last_slotp" by simp then have "G_7 k tsn_max csnp tsn last_slotp" by simp } ultimately have "G_7 k tsn_max csnp tsn last_slotp" by metis } moreover from rel_inv12 and slots_node have "last_slot = -1 \ last_slot \ 0" by auto ultimately have "G_7 k tsn_max csnp tsn last_slotp" by metis } ultimately have "G_7 k tsn_max csnp tsn last_slotp" by metis } ultimately have "\ i. G_7 i tsn_max csnp tsn last_slotp" by metis } note G_7 = this -- "we now prove G_8" { { fix i::int assume "i \ k" note i_not_k = this with step have "csnp i = csn i \ last_slotp = last_slot \ clkp i = clk i" by simp moreover from ind_hyp have "G_8 i csn tsn clk last_slot" by (simp only: G_def) ultimately have "G_8 i csnp tsn clkp last_slotp" by simp } then have "\ i. i \ k \ G_8 i csnp tsn clkp last_slotp" by simp moreover { -- "we now prove G_8(k)" { assume "TX (csnp k) tsn \ clkp k = k0 - 1" note top_level = this with pos_g have "k0 - 1 \ g + 1" by auto with top_level have "clkp k \ g + 1" by simp with step have "clkp k = (clk k + 1) mod k0 " by auto note clkp_val = this with top_level and pos_g have "clk k \ k0 - 1" by auto note clk_k_val = this with step have "csnp k = csn k" by auto note csnp_k = this from clk_k_val and rel_inv2 have "(clk k + 1) mod k0 = clk k + 1" apply (drule_tac x = k in spec) apply (auto simp add: mod_pos_pos_trivial) done with top_level and clkp_val have "clk k + 1 = k0 - 1" by auto then have "clk k = k0 - 2" by auto note clk_k_value = this from step have "last_slotp = last_slot" by simp note ls_nxt = this { from top_level and csnp_k have "TX (csn k) tsn" by simp moreover from step have "x k \ min" by simp moreover from clk_k_value have "clk k = k0 - 2" by simp ultimately have "TX (csn k) tsn \ x k \ min \ clk k = k0 - 2" by metis } note hyp1 = this { assume "last_slot = - 1" note ls_min = this { from ind_hyp have "\i. G_12 i csn last_slot" by (auto simp only: G_def) with ls_min have "\ i. csn i = 0" by auto } note csnk_0 = this with ls_min have "\ i. c i csn SYN clk last_slot = clk i" by (auto simp add: c_def) note c_clk_k = this with hyp1 have "c k csn SYN clk last_slot = k0 - 2" by simp note c_k0min2 = this from g_mult_max have "real g * max < (real k0 - 2) * min" by simp moreover { from pos_g have "k0 \ 1" by simp note k0_ge_1 = this from step have "x k \ min" by simp note x_k_min = this from ind_hyp have "G_2 k csn SYN clk x y last_slot" by (simp only: G_def) with c_k0min2 and pos_g and k0_ge_1 have "(-3 + real k0) * min + x k \ y" by auto with x_k_min have "(-3 + real k0) * min + min \ y" by simp with miax have "(-2 + real k0) * min \ y" by (simp add: left_distrib) moreover have "-2 + real k0 = real k0 - 2" by simp ultimately have "(real k0 - 2) * min \ y" by auto } ultimately have "y > real g * max" by simp note y_lb = this from TX_0 obtain j where "tsn j = 0" by (auto simp add: TX_def) with csnk_0 have "tsn j = csn j" by auto note tsn_j = this { from ind_hyp have "G_1 j csn SYN clk x y last_slot" by (simp only: G_def) then have "y \ real (c j csn SYN clk last_slot) * max + x j " by simp } with c_clk_k have "y \ real (clk j) * max + x j" by simp note y_ub = this { assume "x j = 0" note case1 = this with y_ub and y_lb have "real (clk j) * max > real g * max" by simp with pos_g and miax have "clk j > g" by simp note clk_j_g = this from ind_hyp have "G_4 j csn tsn WSN clk last_slot" by (auto simp only: G_def) with clk_j_g and tsn_j have "last_slot = csn j" by simp with ls_min and rel_inv3 have "False" by (drule_tac x = j in spec) auto then have "last_slotp = csnp k" by simp } moreover { assume "x j > 0" note case2 = this with y_ub and miax and rel_inv1 have "(real (clk j) + 1) * max \ real (clk j) * max + x j" by (simp add: left_distrib) with y_ub and y_lb have "(real (clk j) + 1) * max > real g * max" by simp with pos_g and miax have "clk j + 1 > g" by simp then have "clk j \ g" by simp with pos_g have "clk j = g \ clk j > g" by auto moreover { assume "clk j > g" note g_less_clkj = this from ind_hyp have "G_4 j csn tsn WSN clk last_slot" by (auto simp only: G_def) with g_less_clkj and tsn_j have "last_slot = csn j" by simp with ls_min and rel_inv3 have "False" by (drule_tac x = j in spec) auto then have "last_slotp = csnp k" by simp } moreover { assume "clk j = g" note g_is_clkj = this from ind_hyp have "G_3a j csn tsn WSN clk" by (simp only: G_def) with g_is_clkj and tsn_j and WSN_st_restrict have "WSN j = SENDING \ WSN j = GO_SEND" by auto with rel_inv4 and case2 have "WSN j = SENDING" by auto note WSNj_SENDING= this from ind_hyp have "G_5 j k WSN csn last_slot" by (simp only: G_def) with WSNj_SENDING have "last_slot = csn j" by simp with ls_min and rel_inv3 have "False" by (drule_tac x = j in spec) auto then have "last_slotp = csnp k" by simp } ultimately have "last_slotp = csnp k" by metis } moreover { from rel_inv1 have "x j \ 0" by simp then have "x j = 0 \ x j > 0" by auto } ultimately have "last_slotp = csnp k" by metis } moreover { assume "last_slot = PREV (csn k) tsn_max tsn" note current = this with PREV_not_x[of "csn k"] have "last_slot \ csn k" by simp note ls_not_csnk = this from ind_hyp have "G_9 k SYN csn clk last_slot" by (simp only: G_def) with ls_not_csnk and SYN_st_restrict have "SYN k = S_0" by auto note S0_k = this with ls_not_csnk and hyp1 and current and pos_g and PREV_pos[of "csn k"] have "c k csn SYN clk last_slot = (D (csn k) tsn_max tsn) * k0 + k0 - g - 2" by (auto simp add: c_def D_def) note c_k_val = this from pos_g have "k0 - g - 2 > 0" by auto note pos_part1 = this { from pos_g have "k0 > 0" by simp moreover from D_ge_1[of "csn k"] and rel_inv3 have "D (csn k) tsn_max tsn > 0" by auto ultimately have "D (csn k) tsn_max tsn * k0 > 0" by (auto simp add: mult_pos_pos) } note D_mult_k0_pos = this with c_k_val and pos_part1 have "c k csn SYN clk last_slot > 0" by auto note c_k_pos = this moreover from ind_hyp have "G_2 k csn SYN clk x y last_slot" by (auto simp only: G_def) ultimately have "y \ (real (c k csn SYN clk last_slot) - 1)* min + x k" by simp moreover from step have "(real (c k csn SYN clk last_slot) - 1) * min + x k \ (real (c k csn SYN clk last_slot)) * min" by (simp add: left_diff_distrib) ultimately have "y \ (real (c k csn SYN clk last_slot))* min" by simp with c_k_val have "y \ (real (D (csn k) tsn_max tsn) * real k0 + real k0 - real g - 2) * min" by simp moreover from Lemma1[of "real (D (csn k) tsn_max tsn)"] and M_is_max have "(real (D (csn k) tsn_max tsn) * real k0 + real k0 - real g - 2) * min > real (D (csn k) tsn_max tsn) * real k0 * max" by (auto simp add: is_max_D_def left_distrib) ultimately have "y > real (D (csn k) tsn_max tsn) * real k0 * max" by simp note lb_y = this from hyp1 have "TX (csn k) tsn" by metis then obtain j where "tsn j = csn k" by (auto simp add: TX_def) note tsnj = this { from ind_hyp have "G_1 j csn SYN clk x y last_slot" by (simp only: G_def) then have "y \ real (c j csn SYN clk last_slot) * max + x j " by simp with rel_inv1 have "y \ real (c j csn SYN clk last_slot) * max + max" by (drule_tac x = j in spec) (auto simp: mult_compare_simps) then have "y \ (real (c j csn SYN clk last_slot) + 1) * max" by (simp add: left_distrib) } with lb_y have "(real (c j csn SYN clk last_slot) + 1) * max > real (D (csn k) tsn_max tsn) * real k0 * max" by simp with miax and pos_g have "c j csn SYN clk last_slot + 1 > D (csn k) tsn_max tsn * k0" apply (auto simp add: mult_compare_simps) apply (metis lemma_floor2 real_mult_commute real_of_int_mult tsnj zmult_commute) done then have "c j csn SYN clk last_slot \ D (csn k) tsn_max tsn * k0" by simp note c_j_ge_D = this with D_ge_1[of "csn k"] and rel_inv3 and pos_g and D_mult_k0_pos have "c j csn SYN clk last_slot \ k0" apply (auto simp add: mult_pos_pos zmult_commute zless_le diff_less_eq) apply (metis D_mult_k0_pos Pls_def int_one_le_iff_zero_less mult_le_cancel_left2 zle_anti_sym zle_linear zle_trans zmult_1_right zmult_commute) done note c_geq_k0 = this from c_j_ge_D and D_mult_k0_pos have "c j csn SYN clk last_slot > 0 " by simp note c_j_pos = this { assume "SYN j = S_1" with current and PREV_pos[of "csn k"] have "c j csn SYN clk last_slot = 0" by (simp add: c_def) with c_j_pos have "False" by simp } with SYN_st_restrict have "SYN j = S_0" by auto note SYNj_S0 = this with current and PREV_pos[of "csn k"] have "c j csn SYN clk last_slot = from_slot last_slot (csn j) * k0 + clk j - g" by (simp add: c_def) note c_from_slot = this with c_geq_k0 have "from_slot last_slot (csn j) * k0 + clk j - g \ k0" by simp note from_slot_geq_k0 = this from pos_g and rel_inv2 have "clk j - g < k0" by (drule_tac x = j in spec) auto note clk_j_g_less_k0 = this from from_slot_geq_k0 have "from_slot last_slot (csn j) * k0 \ k0 - (clk j - g)" by simp moreover from clk_j_g_less_k0 have "k0 - (clk j - g) > 0" by simp ultimately have "from_slot last_slot (csn j) * k0 > 0 " by simp note from_slot_pos = this from c_geq_k0 and clk_j_g_less_k0 have "from_slot last_slot (csn j) * k0 + k0 > from_slot last_slot (csn j) * k0 + clk j - g" by simp moreover from c_from_slot and c_j_ge_D have "from_slot last_slot (csn j) * k0 + clk j - g \ D (csn k) tsn_max tsn * k0" by simp note from_slot_geq_D_times_k0 = this ultimately have "from_slot last_slot (csn j) * k0 + k0 > D (csn k) tsn_max tsn * k0" by simp then have "(from_slot last_slot (csn j) + 1) * k0 > D (csn k) tsn_max tsn * k0" by (simp add: left_distrib) with pos_g have "(from_slot last_slot (csn j) + 1) > D (csn k) tsn_max tsn " by (auto simp add: mult_compare_simps) then have "from_slot last_slot (csn j) \ D (csn k) tsn_max tsn" by simp note from_slot_geq_D = this have "last_slot = PREV (csn j) tsn_max tsn" proof - { assume "last_slot = -1" with current and PREV_pos[of "csn k"] have "False" by simp then have ?thesis by simp } moreover { assume "TX (csn j) tsn \ last_slot = csn j" then have "from_slot last_slot (csn j) = 0" by (simp add: from_slot_def) with from_slot_pos have "False" by simp then have ?thesis by simp } moreover { assume "last_slot = PREV (csn j) tsn_max tsn" then have ?thesis by simp } moreover { from ind_hyp have "G_7 j tsn_max csn tsn last_slot" by (simp only: G_def) then have "last_slot = -1 \ (TX (csn j) tsn \ last_slot = csn j) \ last_slot = PREV (csn j) tsn_max tsn" by simp } ultimately show ?thesis by metis qed note last_prev_csnj = this have "csn j = csn k" proof - { assume "csn j < csn k" note case1 = this have "from_slot last_slot (csn j) < D (csn k) tsn_max tsn" proof (cases "csn j > 0") case True with current and last_prev_csnj and PREV_less[of "csn j"] and PREV_less[of "csn k"] and case1 show ?thesis by (auto simp add: from_slot_def D_def) next case False with rel_inv3 have "csn j = 0" apply (drule_tac x = j in spec) apply auto done note csn_j_z = this with last_prev_csnj and current have "PREV (csn k) tsn_max tsn = tsn tsn_max" by (simp add: PREV_def) moreover { from hyp1 and tsn_restrict have "csn k < n" apply (auto simp add: TX_def) apply (drule_tac x = i in spec) apply auto done moreover from PREV1_TX1[of "nat (csn k)"] and case1 and csn_j_z and hyp1 have "PREV1 (nat (csn k)) tsn_max tsn < nat (tsn tsn_max)" by simp moreover from calculation and csn_j_z and case1 have "PREV (csn k) tsn_max tsn < tsn tsn_max" by (simp add: PREV_def) } ultimately have "False" by simp then show ?thesis by simp qed with from_slot_geq_D have ?thesis by simp } moreover { assume "csn j > csn k" note case2 = this -- "we have TX (csn k) so PREV (csn j) has to be greater" -- "or equal to csn k. so PREV (csn j) \ csn k." -- "but we have that PREV (csn k) < csn k and " -- "that PREV (csn k) = PREV (csn j)" -- "so we should derive PREV (csn j) < csn k. Contradiction" { assume "csn k > 0" note csnk_nz = this from hyp1 and case2 and PREV_TX2[of "csn k" "csn j"] and rel_inv3 have "PREV (csn j) tsn_max tsn \ csn k" by (drule_tac x = k in spec) simp moreover from current and last_prev_csnj have "PREV (csn k) tsn_max tsn = PREV (csn j) tsn_max tsn" by simp moreover from PREV_less[of "csn k"] and csnk_nz have "PREV (csn k) tsn_max tsn < csn k" by simp ultimately have ?thesis by simp } moreover { assume "csn k = 0" note csn_k_z = this from csn_k_z and tsn_max_3 have "D (csn k) tsn_max tsn = C - tsn tsn_max" by (simp add: D_def PREV_def from_slot_def) note D_csnk_tsn_max = this from csn_k_z and last_prev_csnj and current have "last_slot = tsn tsn_max" by (simp add: PREV_def) note last_is_max = this from D_csnk_tsn_max and last_is_max and from_slot_geq_D have "from_slot (tsn tsn_max) (csn j) \ C - tsn tsn_max" by simp note from_slot_geq_C_min_tsn_max = this { assume "csn j \ n" note csnj_geq_n = this from tsn_restrict and csnj_geq_n and from_slot_geq_C_min_tsn_max have "from_slot (tsn tsn_max) (csn j) = csn j - tsn tsn_max" by (auto simp add: from_slot_def) with from_slot_geq_C_min_tsn_max have "csn j - tsn tsn_max \ C - tsn tsn_max" by auto then have "csn j \ C" by simp with rel_inv3 have "False" apply (drule_tac x = j in spec) apply simp done then have ?thesis by simp } moreover { assume "csn j < n" note n_less_csnj = this { assume "tsn tsn_max > csn j" then have "from_slot (tsn tsn_max) (csn j) = C - csn j - tsn tsn_max" by (simp add: from_slot_def) with from_slot_geq_C_min_tsn_max have "C - csn j - tsn tsn_max \ C - tsn tsn_max" by simp with tsn_max_3 and rel_inv3 have "csn j = 0" apply (drule_tac x = j in spec) apply auto done with csn_k_z have ?thesis by simp } moreover { assume "tsn tsn_max \ csn j" then have "from_slot (tsn tsn_max) (csn j) = csn j - tsn tsn_max" by (simp add: from_slot_def) with from_slot_geq_C_min_tsn_max have "csn j - tsn tsn_max \ C - tsn tsn_max" by simp with tsn_max_3 and rel_inv3 have "False" apply (drule_tac x = j in spec) apply auto done then have ?thesis by simp } moreover have "tsn tsn_max > csn j \ tsn tsn_max \ csn j" by auto ultimately have ?thesis by metis } moreover have "csn j < n \ csn j \ n" by auto ultimately have ?thesis by metis } moreover from rel_inv3 have "csn k > 0 \ csn k = 0" apply (drule_tac x = k in spec) apply auto done ultimately have ?thesis by metis } moreover have "csn j = csn k \ csn j < csn k \ csn j > csn k" by auto ultimately show ?thesis by metis qed note csnj_k = this with current have "from_slot last_slot (csn j) = D (csn k) tsn_max tsn" by (simp add: D_def) note from_slot_eq_D = this with from_slot_geq_D_times_k0 have "clk j - g \ 0" by auto then have "clk j \ g" by simp moreover { assume "clk j > g" note clkj_ge_g = this from ind_hyp have "G_4 j csn tsn WSN clk last_slot" by (simp only: G_def) with clkj_ge_g and tsnj and csnj_k have "last_slot = csn k" by simp with ls_not_csnk have "False" by simp } moreover { assume "clk j = g" note clkj_eq_g = this { assume "x j > 0" note case1 = this from ind_hyp have "G_3a j csn tsn WSN clk" by (simp only: G_def) with rel_inv4 and case1 and clkj_eq_g and tsnj and csnj_k have "WSN j = SENDING" by (drule_tac x = j in spec) auto note sending_j = this from ind_hyp have "G_5 j k WSN csn last_slot" by (simp only: G_def) with sending_j have "csn k = last_slot" by simp with ls_not_csnk have "False" by simp } moreover { assume "x j = 0" note case2 = this from ind_hyp have "G_1 j csn SYN clk x y last_slot" by (simp only: G_def) then have "y \ real (c j csn SYN clk last_slot) * max + x j " by simp with case2 have "y \ real (c j csn SYN clk last_slot) * max" by simp with lb_y have "real (c j csn SYN clk last_slot) * max > real (D (csn k) tsn_max tsn) * real k0 * max" by simp with miax and pos_g have "c j csn SYN clk last_slot > D (csn k) tsn_max tsn * k0" apply (auto simp add: mult_compare_simps) apply (metis real_mult_commute real_of_int_less_iff real_of_int_mult zmult_commute) done with c_from_slot and from_slot_eq_D have "clk j > g" by simp note clkj_ge_g = this from ind_hyp have "G_4 j csn tsn WSN clk last_slot" by (simp only: G_def) with clkj_ge_g and tsnj and csnj_k have "last_slot = csn k" by simp with ls_not_csnk have "False" by simp } moreover from rel_inv1 have "x j \ 0" by auto ultimately have "False" by (cases "x j > 0") simp_all } ultimately have "False" by (cases "clk j > g") simp_all then have "last_slotp = csnp k" by simp } moreover { from ind_hyp have "G_7 k tsn_max csn tsn last_slot" by (simp only: G_def) then have "last_slot = -1 \ (TX (csn k) tsn \ last_slot = csn k) \ last_slot = PREV (csn k) tsn_max tsn " by simp } moreover from calculation and csnp_k and ls_nxt have "last_slotp = csnp k" by safe simp_all then have "G_8 k csnp tsn clkp last_slotp" by auto } moreover { assume "\ (TX (csnp k) tsn \ clkp k = k0 - 1)" then have "G_8 k csnp tsn clkp last_slotp" by auto } ultimately have "G_8 k csnp tsn clkp last_slotp" by metis } ultimately have "\i. G_8 i csnp tsn clkp last_slotp" by metis } note G_8 = this -- "we check G_9" { { fix i::int assume "i \ k" with step have "SYNp i = SYN i \ csnp i = csn i \ clkp i = clk i \ last_slotp = last_slot" by auto moreover from ind_hyp have "G_9 i SYN csn clk last_slot" by (simp only: G_def) ultimately have "G_9 i SYNp csnp clkp last_slotp" by auto } then have "\ i. i\ k \ G_9 i SYNp csnp clkp last_slotp" by metis moreover { from step have "SYNp k = S_0" by simp then have "G_9 k SYNp csnp clkp last_slotp" by simp } ultimately have "\ i. G_9 i SYNp csnp clkp last_slotp" by (auto simp del: G_9_def) } note G_9 = this -- "we now prove G10" { fix i::int assume "i \ k" note not_k = this from ind_hyp have "G_10 i csn SYN clk last_slot" by (simp only: G_def) moreover from step and not_k have "csnp i = csn i \ SYNp i = SYN i \ clkp i = clk i \ last_slotp = last_slot" by auto ultimately have "G_10 i csnp SYNp clkp last_slotp" by (auto simp add: c_def) } then have "\ i. i\ k \ G_10 i csnp SYNp clkp last_slotp" by metis moreover { from ind_hyp have "G_10 k csn SYN clk last_slot" by (simp only: G_def) with Lemma3 have "G_10 k csnp SYNp clkp last_slotp" by auto } ultimately have "\ i. G_10 i csnp SYNp clkp last_slotp" by (auto simp del: G_10_def) note G_10 = this -- "we finally prove G_12" { { fix i::int assume "i \ k" with step have "csnp i = csn i \ last_slotp = last_slot" by simp moreover from ind_hyp have "G_12 i csn last_slot" by (auto simp only: G_def) ultimately have "G_12 i csnp last_slotp" by auto } moreover { { assume "last_slotp = - 1" with step have "last_slot = -1" by simp note ici = this moreover from ind_hyp have "G_12 k csn last_slot" by (auto simp only: G_def) ultimately have "csn k = 0" by simp note csn_k_0 = this { assume "csnp k = csn k" with csn_k_0 have "csnp k = 0" by simp } moreover { assume "csnp k \ csn k" with step and WSN_st_restrict have "clk k = k0 - 1" apply auto apply (metis GO_SEND_def Suc_eq_add_numeral_1 add_eq_if wait_def) done moreover from csn_k_0 and TX_0 have "TX (csn k) tsn" by simp moreover from ind_hyp have "G_8 k csn tsn clk last_slot" by (simp only: G_def) ultimately have "last_slot = csn k" by simp with rel_inv3 and csn_k_0 have "last_slot \ -1" by (auto simp only: INV_3_def) with ici have "False" by simp then have "csnp k = 0" by simp } ultimately have "csnp k = 0" by metis } then have "G_12 k csnp last_slotp" by simp moreover { assume "last_slotp \ 0" then have "G_12 k csnp last_slotp" by simp } ultimately have "G_12 k csnp last_slotp" by metis } ultimately have "\i. G_12 i csnp last_slotp" by metis } note G_12 = this from G_1 and G_2 and G_3 and G_3a and G_4 and G_5 and G_6 and G_7 and G_8 and G_9 and G_10 and G_12 show ?thesis by (auto simp only: G_def) } qed end