# Stream processing components: Isabelle/HOL formalisation and case studies

# Maria Spichkova

### November 14, 2013

#### Abstract

This set of theories presents an Isabelle/HOL formalisation of stream processing components introduces in Focus, a framework for formal specification and development of interactive systems. This is an extended and updated version of the formalisation, which was elaborated within the methodology "Focus on Isabelle" [7]. In addition, we also applied the formalisation on three case studies that cover different application areas: process control (Steam Boiler System), data transmission (FlexRay communication protocol), memory and processing components (Automotive-Gateway System).

# Contents

| 1 | Inti | roduction                                    | 4  |
|---|------|----------------------------------------------|----|
|   | 1.1  | Stream processing components                 | 4  |
|   | 1.2  | Case Study 1: Steam Boiler System            | 5  |
|   | 1.3  | Case Study 2: FlexRay Communication Protocol | 7  |
|   | 1.4  | Case Study 3: Automotive-Gateway             | 10 |
| 2 | The  | eory ArithExtras.thy                         | 15 |
| 3 | Aux  | xiliary Theory ListExtras.thy                | 15 |
| 4 | Aux  | kiliary arithmetic lemmas                    | 21 |
| 5 | FO   | CUS streams: operators and lemmas            | 23 |
|   | 5.1  | Definition of the FOCUS stream types         | 23 |
|   | 5.2  | Definitions of operators                     | 23 |
|   | 5.3  | Properties of operators                      | 35 |
|   |      | 5.3.1 Lemmas for concatenation operator      | 36 |
|   |      | 5.3.2 Lemmas for operators $ts$ and $msg$    | 37 |
|   |      | 0.0.2 Echimas for operators to and moy       | 91 |

|           | 5.3.4 Lemmas for $fin\_make\_untimed$                                                                                                                                                                                                                                                                                                                                                                       |                                                                 |
|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
| 6         | Properties of time-synchronous streams of types bool and bit                                                                                                                                                                                                                                                                                                                                                | 43                                                              |
| 7         | Changing time granularity of the streams 7.1 Join time units                                                                                                                                                                                                                                                                                                                                                | 45<br>45<br>49<br>50                                            |
| 8         | Steam Boiler System: Specification                                                                                                                                                                                                                                                                                                                                                                          | 51                                                              |
| 9         | Steam Boiler System: Verification9.1Properties of the Boiler Component9.2Properties of the Controller Component9.3Properties of the Converter Component9.4Properties of the System9.5Proof of the Refinement Relation                                                                                                                                                                                       | 52<br>52<br>54<br>65<br>65<br>68                                |
| 10        | FlexRay: Types                                                                                                                                                                                                                                                                                                                                                                                              | 68                                                              |
|           | FlexRay: Specification  11.1 Auxiliary predicates  11.2 Specifications of the FlexRay components  FlexRay: Verification  12.1 Properties of the function Send  12.2 Properties of the component Scheduler  12.3 Disjoint Frames  12.4 Properties of the sheaf of channels nSend  12.5 Properties of the sheaf of channels nGet  12.6 Properties of the sheaf of channels nStore  12.7 Refinement Properties | 69<br>69<br>70<br><b>72</b><br>73<br>74<br>76<br>80<br>82<br>87 |
| <b>13</b> | Gateway: Types                                                                                                                                                                                                                                                                                                                                                                                              | 89                                                              |
| <b>14</b> | Gateway: Specification                                                                                                                                                                                                                                                                                                                                                                                      | 89                                                              |
| 15        |                                                                                                                                                                                                                                                                                                                                                                                                             | 94<br>94<br>96<br>98<br>100                                     |

| 15.6 Properties of the ServiceCenter component                    | 122  |
|-------------------------------------------------------------------|------|
| 15.7 General properties of stream values                          | 122  |
| 15.8 Properties of the Gateway                                    | 126  |
| 15.9 Proof of the Refinement Relation for the Gateway Requirement | s134 |
| 15.10Lemmas about Gateway Requirements                            | 134  |
| 15.11Properties of the Gateway System                             | 135  |
| 15.12Proof of the Refinement for the Gateway System               | 141  |

# 1 Introduction

The set of theories presented in this paper is an extended and updated Isabelle/HOL[6] formalisation of stream processing components elaborated within the methodology "Focus on Isabelle" [7]. This paper is organised as follows: in the first section we give a general introduction to the Focus stream processing components [2] and briefly describe three case studies to show how the formalisation can be used for specification and verification of system properties. After that we present the Isabelle/HOL representation of these concepts and a number of auxiliary theories on lists and natural numbers useful for the proofs in the case studies. The last three sections introduce the case studies, where system properties are verified formally using the Isabelle theorem prover.

#### 1.1 Stream processing components

The central concept in Focus is a *stream* representing a communication history of a *directed channel* between components. A system in Focus is specified by its components that are connected by channels, and are described in terms of its input/output behavior. The channels in this specification framework are *asynchronous communication links* without delays. They are *directed* and generally assumed to be *reliable*, and *order preserving*. Via these channels components exchange information in terms of *messages* of specified types. For any set of messages M,  $M^{\infty}$  and  $M^*$  denote the sets of all infinite and all finite untimed streams respectively:

$$M^{\infty} \stackrel{\text{def}}{=} \mathbb{N}_+ \to M \qquad M^* \stackrel{\text{def}}{=} \cup_{n \in \mathbb{N}} ([1..n] \to M)$$

A *timed stream*, as suggested in our previous work [7], is represented by a sequence of *time intervals* counted from 0, each of them is a finite sequence of messages that are listed in their order of transmission:

$$M^{\underline{\infty}} \stackrel{\mathrm{def}}{=} \mathbb{N}_+ \to M^* \qquad M^* \stackrel{\mathrm{def}}{=} \cup_{n \in \mathbb{N}} ([1..n] \to M^*)$$

A specification can be elementary or composite – composite specifications are built hierarchically from the elementary ones. Any specification characterises the relation between the *communication histories* for the external input and output channels: the formal meaning of a specification is exactly the input/output relation. This is specified by the lists of input and output channel identifiers, I and O, while the syntactic interface of the specification S is denoted by  $(I_S \triangleright O_S)$ .

To specify the behaviour of a real-time system we use *infinite timed* streams to represent the input and the output streams. The type of *finite timed streams* will be used only if some argumentation about a timed stream that was truncated at some point of time is needed. The type of *finite* 

untimed streams will be used to argue about a sequence of messages that are transmitted during a time interval. The type of infinite untimed streams will be used in the case of timed specifications only to represent local variables of Focus specification. Our definition in Isabelle/HOL of corresponding types is given below:

- Finite timed streams of type 'a are represented by the type 'a fstream, which is an abbreviation for the type 'a list list.
- Finite untimed streams of type 'a are represented by the list type: 'a list.
- Infinite timed streams of type 'a are represented by the type 'a istream, which represents the functional type  $nat \Rightarrow 'a \ list$ .
- Infinite untimed streams of type 'a are represented by the functional type  $nat \Rightarrow 'a$ .

All the operators defined in the presented theories are based on the standard Isabelle/HOL library and the theory *Filter.thy* (see [1]).

### 1.2 Case Study 1: Steam Boiler System

A steam boiler control system can be represent as a distributed system consisting of a number of communicating components and must fulfil real time requirements. This case study shows how we can deal with local variables (system's states) and in which way we can represent mutually recursive functions to avoid problems in proofs. The main idea of the steam boiler specification was taken from [2]: The steam boiler has a water tank, which contains a number of gallons of water, and a pump, which adds 10 gallons of water per time unit to its water tank, if the pump is on. At most 10 gallons of water are consumed per time unit by the steam production, if the pump is off. The steam boiler has a sensor that measures the water level.

We specified the following components: ControlSystem (general requirements specification), ControlSystemArch (system architecture), SteamBoiler, Converter, and Controller. We present here the following Isabelle/HOL theories for this system:

- SteamBoiler.thy specifications of the system components,
- SteamBoiler\_proof proof of refinement relation between the requirements and the architecture specifications.

The specification *ControlSystem* describes the requirements for the steam boiler system: in each time interval the system outputs it current water level in gallons and this level should always be between 200 and 800 gallons (the system works in the time-synchronous manner).

The specification *ControlSystemArch* describes a general architecture of the steam boiler system. The system consists of three components: a steam boiler, a converter, and a controller.



The SteamBoiler component works in time-synchronous manner: the current water level is controlled every time interval. The boiler has two output channels with equal streams (y = s) and it fixes the initial water level to be 500 gallons. For every point of time the following must be true: if the pump is off, the boiler consumes at most 10 gallons of water, otherwise (the pump is on) at most 10 gallons of water will be added to its water tank.

The *Converter* component converts the asynchronous output produced by the controller to time-synchronous input for the steam boiler. Initially the pump is off, and at every later point of time (from receiving the first instruction from the controller) the output will be the last input from the controller.

The Controller component, contrary to the steam boiler component, behaves in a purely asynchronous manner to keep the number of control signals small, it means it might not be desirable to switch the pump on and off more often than necessary. The controller is responsible for switching the steam boiler pump on and off. If the pump is off: if the current water level is above 300 gallons the pump stays off, otherwise the pump is started and will run until the water level reaches 700 gallons. If the pump is on: if the current water level is below 700 gallons the pump stays on, otherwise the pump is turned off and will be off until the water level reaches 300 gallons.

To show that the specified system fulfills the requirements we need to show that the specification ControlSystemArch is a refinement of the specification ControlSystem. It follows from the definition of behavioral refinement that in order to verify that ControlSystem 
ightharpoonup ControlSystemArch it is enough to prove that

$$[ControlSystemArch] \Rightarrow [ControlSystem]$$

Therefore, we have to prove a lemma that says the specification ControlSystemArch is a refinement of the specification ControlSystem:

lemma L0-ControlSystem:  $[\![ ControlSystemArch \ s ]\!] \implies ControlSystem \ s$ 

#### 1.3 Case Study 2: FlexRay Communication Protocol

In this section we present a case study on FlexRay, communication protocol for safety-critical real-time applications. This protocol has been developed by the FlexRay Consortium [3] for embedded systems in vehicles, and its advantages are deterministic real-time message transmission, fault tolerance, integrated functionality for clock synchronisation and higher bandwidth.

FlexRay contains a set of complex algorithms to provide the communication services. From the view of the software layers above FlexRay only a few of these properties become visible. The most important ones are static cyclic communication schedules and system-wide synchronous clocks. These provide a suitable platform for distributed control algorithms as used e.g. in drive-by-wire applications. The formalization described here is based on the "Protocol Specification 2.0" [4].

The static message transmission model of FlexRay is based on *rounds*. FlexRay rounds consist of a constant number of time slices of the same length, so called *slots*. A node can broadcast its messages to other nodes at statically defined slots. At most one node can do it during any slot.

For the formalisation of FlexRay in Focus we would like to refer to [5] and [7]. To reduce the complexity of the system several aspects of FlexRay have been abstracted in this formalisation:

- (1) There is no clock synchronization or start-up phase since clocks are assumed to be synchronous. This corresponds very well with the *time-synchronous* notion of FOCUS.
- (2) The model does not contain bus guardians that protect channels on the physical layer from interference caused by communication that is not aligned with FlexRay schedules.
- (3) Only the static segment of the communication cycle has been included not the dynamic, as we are mainly interested in time-triggered systems.
- (4) The time-basis for the system is one slot i.e. one slot FlexRay corresponds to one tick in the formalisation.
- (5) The system contains only one FlexRay channel. Adding a second channel would mean simply doubling the FlexRay component with a different configuration and adding extra channels for the access to the *CNI\_Buffer* component.

The system architecture consists of the following components, which describe the FlexRay components accordingly to the FlexRay standard [4]:

- FlexRay (general requirements specification),
- FlexRayArch (system architecture),
- FlexRayArchitecture (guarantee part of the system architecture),

- Cable,
- Controller,
- Scheduler, and
- BusInterface.

We present the following Isabelle/HOL theories in this case study:

- FR\_types.thy datatype definitions,
- FR.thy specifications of the system components and auxiliary functions and predicates,
- FR\_proof proof of refinement relation between the requirements and the architecture specifications.

The type Frame that describes a FlexRay frame consists of a slot identifier of type  $\mathbb{N}$  and the payload. The type of payload is defined as a finite list of type Message. The type Config represents the bus configuration and contains the scheduling table schedule of a node and the length of the communication round cycleLength. A scheduling table of a node consists of a number of slots in which this node should be sending a frame with the corresponding identifier (identifier that is equal to the slot).

```
type Message = msg \ (message\_id : \mathbb{N}, ftcdata : Data)

type Frame = frm \ (slot : \mathbb{N}, data : Data)

type Config = conf \ (schedule : \mathbb{N}^*, cycleLength : \mathbb{N})
```

We do not specify the type Data here to have a polymorphic specification of FlexRay (this type can be underspecified later to any datatype), therefore, in Isabelle/HOL it will be also defined as a polymorphic type 'a. The types 'a nFrame, nNat and nConfig are used to represent sheaves of channels of types Frame,  $\mathbb{N}$  and Config respectively. In the specification group will be used channels recv and activations, as well as sheaves of channels (return<sub>1</sub>, ..., return<sub>n</sub>), (c<sub>1</sub>,..., c<sub>n</sub>), (store<sub>1</sub>,..., store<sub>n</sub>), (get<sub>1</sub>,..., get<sub>n</sub>), and (send<sub>1</sub>,..., send<sub>n</sub>). We also need to declare some constant, sN, for the number of specification replication and the corresponding number of channels in sheaves, as well as to define the list of sheaf upper bounds, sheafNumbers.

The architecture of the FlexRay communication protocol is specified as the Focus specification FlexRayArch. Its assumption-part consists of three constraints: (i) all bus configurations have disjoint scheduling tables, (ii) all bus configurations have the equal length of the communication round, (iii) each FlexRay controller can receive tab most one data frame each time interval from the environment' of the FlexRay system. The guarantee-part of FlexRayArch is represented by the specification FlexRayArchitecture (see below).

```
FlexRayArch (constant c_1, ..., c_n \in Config) = timed = in return_1, ..., return_n : Frame
out store_1, ..., store_n : Frame; get_1, ..., get_n : \mathbb{N}

asm \forall i \in [1..n] : msg_1(return_i)
DisjointSchedules(c_1, ..., c_n)
IdenticCycleLength(c_1, ..., c_n)
gar (store_1, ..., store_n, get_1, ..., get_n) :=
FlexRayArchitecture(c_1, ..., c_n)(return_1, dots, return_n)
```



The component Cable simulate the broadcast properties of the physical network cable – every received FlexRay frame is resent to all connected nodes. Thus, if one FlexRayController send some frame, this frame will be resent to all nodes (to all FlexRayControllers of the system). The assumption is that all input streams of the component Cable are disjoint – this holds by the properties of the FlexRayController components and the overall system assumption that the scheduling tables of all nodes are disjoint. The guarantee is specified by the predicate Broadcast.

The Focus specification FlexRayController represent the controller component for a single node of the system. It consists of the components Scheduler and BusInterface. The Scheduler signals the BusInterface, that is responsible for the interaction with other nodes of the system (i.e. for the real send and receive of frames), on which time which FlexRay frames must be send from the node. The Scheduler describes the communication scheduler. It sends at every time t interval, which is equal modulo the length of the

communication cycle to some FlexRay frame identifier (that corresponds to the number of the slot in the communication round) from the scheduler table, this frame identifier.

The specification FlexRay represents requirements on the protocol: If the scheduling tables are correct in terms of the predicates DisjointSchedules (all bus configurations have disjoint scheduling tables) and IdenticCycleLength (all bus configurations have the equal length of the communication round), and also the FlexRay component receives in every time interval at most one message from each node (via channels  $return_i$ ,  $1 \le i \le n$ ), then

- the frame transmission by FlexRay must be correct in terms of the predicate *FrameTransmission*: if the time t is equal modulo the length of the cycle (FlexRay communication round) to the element of the scheduler table of the node k, then this and only this node can send a data at the tth time interval;
- FlexRay component sends in every time interval at most one message to each node via channels  $get_i$  and  $store_i$ ,  $1 \le i \le n$ ).

To show that the specified system fulfill the requirements we need to show that the specification FlexRayArch is a refinement of the specification FlexRay. It follows from the definition of behavioral refinement that in order to verify that  $FlexRay \rightsquigarrow FlexRayArch$  it is enough to prove that

$$[FlexRayArch] \Rightarrow [FlexRay]$$

Therefore, we have to define and to prove a lemma, that says the specification FlexRayArch is a refinement of the specification FlexRay:

**lemma** main-fr-refinement:

 $FlexRayArch\ n\ nReturn\ nC\ nStore\ nGet \Longrightarrow FlexRay\ n\ nReturn\ nC\ nStore\ nGet$ 

#### 1.4 Case Study 3: Automotive-Gateway

This section introduces the case study on telematics (electronic data transmission) gateway that was done for the Verisoft project<sup>1</sup>. If the gateway receives from a ECall application of a vehicle a signal about crash (more precise, the command to initiate the call to the Emergency Service Center, ESC), and after the establishing the connection it receives the command to send the crash data, received from sensors. These data are restored in the internal buffer of the gateway and should be resent to the ESC and the voice communication will be established, assuming that there is no connection fails. The system description consists of the following specifications:

<sup>&</sup>lt;sup>1</sup>http://www.verisoft.de

- GatewaySystem (gateway system architecture),
- GatewaySystemReq (gateway system requirements),
- ServiceCenter (Emergency Service Center),
- Gateway (gateway architecture),
- GatewayReq (gateway requirements),
- Sample (the main component describing its logic),
- Delay (the component modelling the communication delay), and
- Loss (the component modelling the communication loss).

We present the following Isabelle/HOL theories in this case study:

- Gateway\_types.thy datatype definitions,
- Gateway.thy specifications of the system components,
- Gateway\_proof proofs of refinement relations between the requirements and the architecture specifications (for the components Gateway and GatewaySystem).

The datatype *ECall\_Info* represents a tuple, consisting of the data that the Emergency Service Center needs – here we specify these data to contain the vehicle coordinates and the collision speed, they can also extend by some other information. The datatype *GatewayStatus* represents the status (internal state) of the gateway.

```
\begin{array}{lll} \mbox{type $Coordinates$} &=& \mathbb{N} \times \mathbb{N} \\ \mbox{type $CollisionSpeed$} &=& \mathbb{N} \\ \mbox{type $ECall\_Info$} &=& ecall(coord \in Coordinates, speed \in CollisionSpeed)$\\ \mbox{type $GatewayStatus$} &=& \{ init\_state, \ call, \ connection\_ok, \\ && sending\_data, \ voice\_com \ \} \end{array}
```

To specify the automotive gateway we will use a number of datatypes consisting of one or two elements:  $\{init, send\}$ ,  $\{stop\_vc\}$ ,  $\{vc\_com\}$  and  $\{sc\_ack\}$ . We name these types reqType, stopType, vcType and aType correspondingly.

The Focus specification of the general gateway system architecture is presented below:



The stream loss is specified to be a time-synchronous one (exactly one message each time interval). It represents the connection status: the message true at the time interval t corresponds to the connection failure at this time interval, the message false at the time interval t means that at this time interval no data loss on the gateway connection.

The specification GatewaySystemReq specifies the requirements for the component GatewaySystem: Assuming that the input streams req and stop can contain at every time interval at most one message, and assuming that the stream lose contains at every time interval exactly one message. If

- at any time interval t the gateway system is in the initial state,
- at time interval t+1 the signal about crash comes at first time (more precise, the command to initiate the call to the ESC,
- after 3 + m time intervals the command to send the crash data comes at first time,
- the gateway system has received until the time interval t+2 the crash data,
- there is no connection fails from the time interval t until the time interval t + 4 + k + 2d,

then at time interval t+4+k+2d the voice communication is established. The component ServiceCenter represents the interface behaviour of the ESC (wrt. connection to the gateway): if at time t a message about a vehicle crash comes, it acknowledges this event by sending the at time t+1 message  $sc\_ack$  that represents the attempt to establish the voice communication with the driver or a passenger of the vehicle. if there is no connection failure, after d time intervals the voice communication will be started.

We specify the gateway requirements (GatewayReq) as follows:

- 1. If at time t the gateway is in the initial state  $init\_state$ , and it gets the command to establish the connection with the central station, and also there is no environment connection problems during the next 2 time intervals, it establishes the connection at the time interval t+2.
- 2. If at time t the gateway has establish the connection, and it gets the command to send the ECall data to the central station, and also there is no environment connection problems during the next d+1 time intervals, then it sends the last corresponding data. The central station becomes these date at the time t+d.
- 3. If the gateway becomes the acknowledgment from the central station that it has receives the sent ECall data, and also there is no environment connection problems, then the voice communication is started.

The specification of the gateway architecture, Gateway, is parameterised one: the parameter  $d \in \mathbb{N}$  denotes the communication delay between the

central station and a vehicle. This component consists of three subcomponents: Sample, Delay, and Loss:



The component Delay models the communication delay. Its specification is parameterised one: it inherits the parameter of the component Gateway. This component simply delays all input messages on d time intervals. During the first d time intervals no output message will be produced.

The component Loss models the communication loss between the central station and the vehicle gateway: if during time interval t from the component Loss no message about a lost connection comes, the messages come during time interval t via the input channels a and i2 will be forwarded without any delay via channels a2 and i respectively. Otherwise all messages come during time interval t will be lost.

The component Sample represents the logic of the gateway component. If it receives from a ECall application of a vehicle the command to initiate the call to the ESC it tries to establish the connection. If the connection is established, and the component Sample receives from a ECall application of a vehicle the command to send the crash data, which were already received and stored in the internal buffer of the gateway, these data will be resent to the ESC. After that this component waits to the acknowledgment from the ESC. If the acknowledgment is received, the voice communication will be established, assuming that there is no connection fails.

For the component Sample we have the assumption, that the streams req, a1, and stop can contain at every time interval at most one message, and also that the stream loss must contain at every time interval exactly one message. This component uses local variables st and buffer (more precisely, a local variable buffer and a state variable st). The guarantee part of the component Sample can be specified as a timed state transition diagram (TSTS) and an expression which says how the local variable buffer is computed, or using the corresponding table representation, which is semantically equivalent to the TSTD.



Figure 1: Timed state transition diagram for the component Sample

To show that the specified gateway architecture fulfils the requirements we need to show that the specification Gateway is a refinement of the specification GatewayReq. Therefore, we need to define and to prove the following lemma:

```
lemma Gateway-L\theta:
```

Gateway req dt a stop lose d ack i vc

 $\implies$  GatewayReq req dt a stop lose d ack i vc

To show that the specified gateway architecture fulfills the requirements we need to show that the specification GatewaySystem is a refinement of the specification GatewaySystemReq. Therefore, we need to define and to prove the following lemma:

#### **lemma** $GatewaySystem-L\theta$ :

GatewaySystem req dt stop lose d ack vc

 $\implies \textit{GatewaySystemReq req dt stop lose d ack vc}$ 

# 2 Theory ArithExtras.thy

theory ArithExtras

 $\mathbf{qed}$ 

```
imports Main
begin
datatype natInf = Fin nat
               | Infty
                                          (\infty)
primrec
nat2inat :: nat \ list \Rightarrow natInf \ list
where
  nat2inat [] = [] |
  nat2inat (x\#xs) = (Fin x) \# (nat2inat xs)
\quad \text{end} \quad
3
      Auxiliary Theory ListExtras.thy
theory ListExtras
imports Main
begin
definition
  disjoint :: 'a \ list \Rightarrow 'a \ list \Rightarrow bool
 disjoint \ x \ y \equiv (set \ x) \cap (set \ y) = \{\}
primrec
  mem :: 'a \Rightarrow 'a \ list \Rightarrow bool \ (infixr \ mem \ 65)
  x mem [] = False |
  x \ mem \ (y \# l) = ((x = y) \lor (x \ mem \ l))
definition
  memS :: 'a \Rightarrow 'a \ list \Rightarrow bool
where
 memS \ x \ l \equiv x \in (set \ l)
lemma mem\text{-}memS\text{-}eq: x mem l \equiv memS x l
proof (induct l)
  case Nil
  \mathbf{from} \ this \ \mathbf{show} \ ?case
  by (simp add: memS-def)
    fix a la case (Cons a la)
    from Cons show ?case
    by (simp \ add: memS-def)
```

```
\mathbf{lemma}\ \mathit{mem-set-1}\colon
 assumes h1:a mem l
 shows a \in set l
using assms
proof (induct l)
  case Nil
  from this show ?case
 by auto
\mathbf{next}
 fix a la case (Cons a la)
 from Cons show ?case
 by auto
qed
lemma mem-set-2:
 assumes h1:a \in set l
 shows a mem l
\mathbf{using}\ \mathit{assms}
proof (induct l)
  \mathbf{case}\ \mathit{Nil}
  from this show ?case
  by auto
\mathbf{next}
  fix a la case (Cons a la)
  from Cons show ?case
 by auto
\mathbf{qed}
lemma set-inter-mem:
 assumes h1:x mem l1
     and h2:x mem l2
 shows set l1 \cap set l2 \neq \{\}
using assms
proof (induct l1)
  case Nil
 \mathbf{from} \ \mathit{this} \ \mathbf{show} \ ?\mathit{case}
  by auto
next
  fix a la case (Cons a la)
  from Cons show ?case
 by (auto, simp add: mem-set-1)
 qed
\mathbf{lemma}\ \mathit{mem-notdisjoint}\colon
 assumes h1:x mem l1
     and h2:x mem \ l2
 shows ¬ disjoint l1 l2
```

```
proof
 assume sg\theta: disjoint l1 l2
 from h1 and h2 have sg1:set l1 \cap set l2 \neq \{\}
   by (simp add: set-inter-mem)
 from h1 and h2 and sg1 and sg0 show False
  by (simp add: disjoint-def)
\mathbf{qed}
lemma mem-notdisjoint2:
 assumes h1:disjoint (schedule A) (schedule B)
     and h2:x mem schedule A
 shows \neg x mem schedule B
proof -
 { assume a1: x mem schedule B
   from h2 and a1 have sg1:\neg disjoint (schedule A) (schedule B)
     by (simp add: mem-notdisjoint)
   from h1 and sg1 have False by simp
  } from this have sg2:\neg x mem schedule B by blast
 from this show ?thesis by simp
qed
lemma Add-Less:
 assumes \theta < b
 shows (Suc\ a - b < Suc\ a) = True
using assms by arith
lemma list-length-hint1:
 assumes l \sim = []
 \mathbf{shows} \ \theta < \mathit{length} \ \mathit{l}
using assms by simp
lemma list-length-hint1a:
 assumes l \sim = []
 shows \theta < length l
using assms by simp
lemma list-length-hint2:
 assumes h1:length x = Suc \theta
 shows [hd \ x] = x
using assms
proof (induct \ x)
 case Nil
 from this show ?case
 by auto
next
 fix a la case (Cons a la)
 from Cons show ?case
 by auto
\mathbf{qed}
```

```
lemma list-length-hint2a:
  assumes h1:length l = Suc 0
  shows tl \ l = []
using assms
proof (induct l)
  case Nil
  from this show ?case
  by auto
\mathbf{next}
  fix a la case (Cons a la)
  \mathbf{from}\ \mathit{Cons}\ \mathbf{show}\ \mathit{?case}
  by auto
\mathbf{qed}
lemma list-length-hint 3:
  assumes length l = Suc \theta
  shows l \neq []
using assms
proof (induct l)
  case Nil
  from this show ?case
  by auto
\mathbf{next}
  fix a la case (Cons a la)
  from Cons show ?case
  by auto
qed
lemma list-length-hint4:
  assumes h1:length x \leq Suc \theta
     and h2:x \neq []
  shows length x = Suc \theta
\mathbf{using}\ \mathit{assms}
proof (induct \ x)
  {\bf case}\ {\it Nil}
  from this show ?case
  by auto
\mathbf{next}
  fix a la case (Cons a la)
  from Cons show ?case
  \mathbf{by}\ \mathit{auto}
qed
{\bf lemma}\ \mathit{length}\text{-}\mathit{nonempty}\text{:}
  assumes h1:x \neq []
  shows Suc \ \theta \leq length \ x
using assms
proof (induct \ x)
  case Nil
```

```
from this show ?case
 by auto
next
 fix a la case (Cons a la)
 from Cons show ?case
 by auto
\mathbf{qed}
lemma last-nth-length:
 assumes x \neq []
 shows x ! ((length x) - Suc \theta) = last x
using assms
proof (induct \ x)
 case Nil
 from this show ?case
 by auto
next
 fix a la case (Cons a la)
 from Cons show ?case
 by auto
\mathbf{qed}
lemma list-nth-append0:
 assumes h1:i < length x
 shows x ! i = (x \bullet z) ! i
proof (cases i)
 assume i=0
 with h1 show ?thesis by (simp add: nth-append)
\mathbf{next}
 \mathbf{fix}\ ii\ \mathbf{assume}\ i=\mathit{Suc}\ ii
 with h1 show ?thesis by (simp add: nth-append)
\mathbf{lemma}\ \mathit{list-nth-append1}\colon
 assumes h1:i < length x
 shows (b \# x) ! i = (b \# x \bullet y) ! i
proof -
 from h1 have sg1:i < length (b \# x) by auto
 from this have sg2: (b \# x) ! i = ((b \# x) \bullet y) ! i
   by (rule list-nth-append0)
 from this show ?thesis by simp
qed
lemma list-nth-append2:
 assumes h1:i < Suc \ (length \ x)
 shows (b \# x) ! i = (b \# x \bullet a \# y) ! i
proof -
 from h1 have sg1:i < length (b \# x) by auto
 from this have sg2: (b \# x) ! i = ((b \# x) \bullet (a \# y)) ! i
```

```
by (rule list-nth-append\theta)
 from this show ?thesis by simp
qed
lemma list-nth-append3:
 assumes h1: \neg i < Suc (length x)
     and h2:i - Suc (length x) < Suc (length y)
 shows (a \# y) ! (i - Suc (length x)) = (b \# x \bullet a \# y) ! i
proof (cases i)
 assume i=0
 with h1 show ?thesis by (simp add: nth-append)
next
 fix ii assume i = Suc ii
 with h1 show ?thesis by (simp add: nth-append)
\mathbf{lemma}\ \mathit{list-nth-append4}\colon
 assumes h1:i < Suc (length x + length y)
    and h2:\neg i - Suc (length x) < Suc (length y)
 shows False
using assms by arith
lemma list-nth-append5:
 assumes h1:i - length \ x < Suc \ (length \ y)
     and h2:\neg i - Suc (length x) < Suc (length y)
 shows \neg i < Suc (length <math>x + length y)
using assms by arith
lemma list-nth-append 6:
 \mathbf{assumes}\ h1{:}\neg\ i\ -\ length\ x\ <\ Suc\ (length\ y)
    and h2:\neg i - Suc (length x) < Suc (length y)
 shows \neg i < Suc (length x + length y)
using assms by arith
lemma list-nth-append6a:
 assumes h1:i < Suc (length x + length y)
    and h2:\neg i - length \ x < Suc \ (length \ y)
 shows False
using assms by arith
lemma list-nth-append7:
 assumes h1:i - length \ x < Suc \ (length \ y)
     and h2:i - Suc (length x) < Suc (length y)
 shows i < Suc (Suc (length <math>x + length y))
using assms by arith
lemma list-nth-append8:
 assumes h1: \neg i < Suc (length x + length y)
    and h2:i < Suc (Suc (length <math>x + length y))
```

```
shows i = Suc (length x + length y)
using assms by arith

lemma list-nth-append9:
assumes h1:i - Suc (length x) < Suc (length y)
shows i < Suc (Suc (length x + length y))
using assms by arith

lemma list-nth-append10:
assumes h1:\neg i < Suc (length x)
and h2:\neg i - Suc (length x) < Suc (length y)
shows \neg i < Suc (Suc (length x + length y))
using assms by arith
```

# 4 Auxiliary arithmetic lemmas

```
theory arith-hints
imports Main
begin
lemma arith-mod-neq:
 assumes h1:a \mod n \neq b \mod n
 \mathbf{shows}\ a \neq b
using assms by auto
\mathbf{lemma} \ \mathit{arith-mod-nzero} \colon
 fixes i::nat
 assumes h1: i < n
     and h2:0 < i
 shows 0 < (n * t + i) \mod n
proof -
 from h1 and h2 have sg1:(i + n * t) \mod n = i
   by (simp add: mod-mult-self2)
 also have sg2:n * t + i = i + n * t by simp
 from this and h1 and h2 show ?thesis
   by (simp\ (no-asm-simp))
qed
lemma arith-mult-neg-nzero1:
 fixes i::nat
 assumes h1:i < n
    and h2:0 < i
 \mathbf{shows}\ i\,+\,n\,*\,t\,\neq\,n\,*\,q
proof -
 from h1 and h2 have sg1:(i + n * t) \mod n = i
   by (simp add: mod-mult-self2)
 also have sg2:(n * q) \mod n = 0 by simp
```

```
from this and h1 and h2 have (i + n * t) \mod n \neq (n * q) \mod n
   by simp
 from this show ?thesis by (rule arith-mod-neq)
lemma arith-mult-neg-nzero2:
 fixes i::nat
 assumes h1:i < n
    and h2:0 < i
 shows n * t + i \neq n * q
proof -
 from h1 and h2 have i + n * t \neq n * q
   by (rule arith-mult-neq-nzero1)
 from this show ?thesis by simp
qed
lemma arith-mult-neg-nzero3:
 fixes i::nat
 assumes h1:i < n and h2:0 < i
 shows n + n * t + i \neq n * qc
proof -
  from h1 and h2 have sg1: n*(Suc t) + i \neq n*qc
    by (rule arith-mult-neq-nzero2)
  have sg2: n + n * t + i = n * (Suc \ t) + i \ by simp
  from sg1 and sg2 show ?thesis by arith
qed
lemma arith-modZero1:
 (t + n * t) \mod Suc \ n = 0
proof -
 have ((Suc\ n) * t)\ mod\ Suc\ n = 0 by (rule\ mod\ mult\ self1\ -is\ -0)
 from this show ?thesis by simp
qed
\mathbf{lemma} \ \mathit{arith-modZero2} \colon
 Suc\ (n + (t + n * t))\ mod\ Suc\ n = 0
proof -
 have ((Suc\ n) * (Suc\ t))\ mod\ Suc\ n = 0 by (rule\ mod-mult-self1-is-0)
 from this show ?thesis by simp
qed
lemma arith1:
 assumes h1:Suc n * t = Suc n * q
 shows t = q
proof -
 have Suc \ n * t = Suc \ n * q = (t = q \mid (Suc \ n) = (0::nat))
   by (rule mult-cancel1)
 from this and h1 show ?thesis by simp
qed
```

```
lemma arith2:
 fixes t n q :: nat
 assumes h1:t+n*t=q+n*q
 shows t = q
proof -
 have sg1:t + n * t = (Suc \ n) * t by auto
 have sg2:q + n * q = (Suc \ n) * q by auto
 from h1 and sq1 and sg2 have Suc\ n*t=Suc\ n*q by arith
 from this show ?thesis by (rule arith1)
qed
end
5
    FOCUS streams: operators and lemmas
theory stream
 imports ListExtras ArithExtras
begin
      Definition of the FOCUS stream types
5.1
— Finite timed FOCUS stream
type-synonym 'a fstream = 'a list list
— Infinite timed FOCUS stream
type-synonym 'a istream = nat \Rightarrow 'a list
— Infinite untimed FOCUS stream
type-synonym 'a iustream = nat \Rightarrow 'a
— FOCUS stream (general)
datatype 'a stream =
       FinT 'a fstream — finite timed streams
      FinU 'a list — finite untimed streams
      | InfT 'a istream — infinite timed streams
      | InfU 'a iustream — infinite untimed streams
      Definitions of operators
— domain of an infinite untimed stream
```

— domain of a finite untimed stream (using natural numbers enriched by Infinity)

definition

where

definition

infU-dom :: natInf set

infU-dom  $\equiv \{x. \exists i. x = (Fin i)\} \cup \{\infty\}$ 

fin U-dom-nat $Inf :: 'a \ list \Rightarrow natInf set$ 

```
fin U-dom-nat Inf s \equiv \{x. \exists i. x = (Fin i) \land i < (length s)\}
— domain of a finite untimed stream
primrec
fin U-dom :: 'a list \Rightarrow nat set
where
 fin U-dom [] = {} |
 fin U-dom (x \# xs) = \{length \ xs\} \cup (fin U-dom xs)
— range of a finite timed stream
primrec
 fin T-range :: 'a fstream \Rightarrow 'a set
where
 fin T-range [] = \{\} \mid
 finT-range (x\#xs) = (set \ x) \cup finT-range xs
— range of a finite untimed stream
definition
  fin U-range :: 'a list \Rightarrow 'a set
where
 fin U-range x \equiv set x
— range of an infinite timed stream
definition
   infT-range :: 'a istream \Rightarrow 'a set
  infT-range s \equiv \{y. \exists i::nat. y mem (s i)\}
— range of a finite untimed stream
definition
   infU-range :: (nat \Rightarrow 'a) \Rightarrow 'a \ set
  infU-range s \equiv \{ y. \exists i::nat. y = (s i) \}
— range of a (general) stream
definition
   stream-range :: 'a stream \Rightarrow 'a set
where
 stream-range s \equiv case \ s \ of
      FinT x \Rightarrow finT-range x
    \mid FinU x \Rightarrow finU-range x
     | InfT x \Rightarrow infT-range x
    | InfU x \Rightarrow infU-range x
— finite timed stream that consists of n empty time intervals
primrec
   nticks :: nat \Rightarrow 'a fstream
where
```

```
nticks \ \theta = [] \ |
 nticks (Suc i) = [] \# (nticks i)
— removing the first element from an infinite stream
— in the case of an untimed stream: removing the first data element
— in the case of a timed stream: removing the first time interval
definition
  inf-tl :: (nat \Rightarrow 'a) \Rightarrow (nat \Rightarrow 'a)
where
 inf-tl s \equiv (\lambda \ i. \ s \ (Suc \ i))
— removing i first elements from an infinite stream s
— in the case of an untimed stream: removing i first data elements
— in the case of a timed stream: removing i first time intervals
definition
  inf-drop :: nat \Rightarrow (nat \Rightarrow 'a) \Rightarrow (nat \Rightarrow 'a)
 \textit{inf-drop is} \equiv \lambda \ \textit{j. s} \ (\textit{i+j})
— finding the first nonempty time interval in a finite timed stream
primrec
fin-find1nonemp :: 'a fstream \Rightarrow 'a list
where
fin-find1nonemp [] = [] |
fin-find1nonemp (x\#xs) =
   (if x = []
     then fin-find1nonemp xs
     else x)
— finding the first nonempty time interval in an infinite timed stream
definition
 inf-find1nonemp :: 'a istream \Rightarrow 'a list
where
in \textit{f-find1} nonemp\ s
 (if (\exists i. s i \neq [])
   then s (LEAST i. s i \neq [])
   else [])
— finding the index of the first nonempty time interval in a finite timed stream
primrec
fin-find1nonemp-index :: 'a fstream \Rightarrow nat
where
fin-find1nonemp-index [] = 0
fin-find1nonemp-index (x\#xs) =
   (if x = []
     then Suc (fin-find1nonemp-index xs)
     else 0)
```

— finding the index of the first nonempty time interval in an infinite timed stream

```
definition
 inf-find1nonemp-index :: 'a istream <math>\Rightarrow nat
inf-find1nonemp-index s
 ( if (\exists i. s i \neq [])
   then (LEAST i. s i \neq [])
   else 0)
— length of a finite timed stream: number of data elements in this stream
 fin-length :: 'a fstream \Rightarrow nat
where
 fin-length (x\#xs) = (length x) + (fin-length xs)
— length of a (general) stream
definition
  stream-length :: 'a stream \Rightarrow natInf
where
  stream-length s \equiv
     case s of
               (FinT \ x) \Rightarrow Fin \ (fin-length \ x)
             | (FinU x) \Rightarrow Fin (length x)
             | (InfT x) \Rightarrow \infty
             | (InfU x) \Rightarrow \infty
— removing the first k elements from a finite (nonempty) timed stream
primrec
 fin-nth :: 'a fstream \Rightarrow nat \Rightarrow 'a
where
  fin-nth-Cons:
 fin-nth (hds # tls) k =
     ( if hds = []
       then fin-nth tls\ k
       else ( if (k < (length hds))
              then nth hds k
              else fin-nth tls (k - length hds)))
— removing i first data elements from an infinite timed stream s
primrec
 inf-nth :: 'a istream <math>\Rightarrow nat \Rightarrow 'a
where
inf-nth \ s \ \theta = hd \ (s \ (LEAST \ i.(s \ i) \neq [])) \ |
inf-nth \ s \ (Suc \ k) =
     (if ((Suc k) < (length (s \theta)))
       then (nth (s 0) (Suc k))
```

```
else ( if (s \ \theta) = []
                then (inf-nth (inf-tl (inf-drop
                       (LEAST\ i.\ (s\ i) \neq [])\ s))\ k\ )
                else inf-nth (inf-tl s) k ))
— removing the first k data elements from a (general) stream
definition
    stream-nth :: 'a stream <math>\Rightarrow nat \Rightarrow 'a
where
   stream-nth \ s \ k \equiv
          case s of (FinT x) \Rightarrow fin\text{-}nth x k
                  | (Fin U x) \Rightarrow nth x k
                  | (InfT x) \Rightarrow inf-nth x k
                  | (InfU x) \Rightarrow x k
— prefix of an infinite stream
primrec
  inf-prefix :: 'a list \Rightarrow (nat \Rightarrow 'a) \Rightarrow nat \Rightarrow bool
where
  inf-prefix [] s k = True |
  inf\text{-prefix } (x\#xs) \ s \ k = ((x = (s \ k)) \land (inf\text{-prefix } xs \ s \ (Suc \ k)))
— prefix of a finite stream
primrec
  fin-prefix :: 'a list \Rightarrow 'a list \Rightarrow bool
where
  fin-prefix [] s = True |
  fin-prefix (x\#xs) s =
     (if (s = [])
      then False
      else (x = (hd \ s)) \land (fin\text{-prefix } xs \ s)
— prefix of a (general) stream
definition
   stream-prefix :: 'a stream \Rightarrow 'a stream \Rightarrow bool
where
  stream-prefix p \ s \equiv
   (case p of
        (FinT x) \Rightarrow
        (case \ s \ of \ (FinT \ y) \Rightarrow \ (fin-prefix \ x \ y)
                   (FinU\ y) \Rightarrow False
                   (InfT\ y) \Rightarrow inf\text{-prefix}\ x\ y\ \theta
                   | (InfU y) \Rightarrow False |
      | (Fin U x) \Rightarrow
        (case \ s \ of \ (FinT \ y) \Rightarrow False
                   | (FinU y) \Rightarrow (fin-prefix x y) |
                   | (InfT y) \Rightarrow False
                   (InfU\ y) \Rightarrow inf-prefix\ x\ y\ \theta
      | (InfT x) \Rightarrow
```

```
(case \ s \ of \ (FinT \ y) \Rightarrow False
                  | (FinU y) \Rightarrow False
                   | (InfT \ y) \Rightarrow (\forall \ i. \ x \ i = y \ i) 
 | (InfU \ y) \Rightarrow False ) 
      | (InfU x) \Rightarrow
        (case \ s \ of \ (FinT \ y) \Rightarrow False
                  | (FinU y) \Rightarrow False
                   | (InfT \ y) \Rightarrow False 
 | (InfU \ y) \Rightarrow (\forall \ i. \ x \ i = y \ i) ) ) 
— truncating a finite stream after the n-th element
primrec
fin-truncate :: 'a list \Rightarrow nat \Rightarrow 'a list
where
  fin-truncate [] [] []
  fin-truncate (x\#xs) i =
      (case i of 0 \Rightarrow []
         \mid (Suc \ n) \Rightarrow x \# (fin\text{-}truncate \ xs \ n))
— truncating a finite stream after the n-th element
— n is of type of natural numbers enriched by Infinity
definition
  fin-truncate-plus :: 'a list \Rightarrow natInf \Rightarrow 'a list
 where
fin-truncate-plus s n
  case n of (Fin i) \Rightarrow fin-truncate s i \mid \infty
— truncating an infinite stream after the n-th element
primrec
  inf-truncate :: (nat \Rightarrow 'a) \Rightarrow nat \Rightarrow 'a \ list
   inf-truncate s \ \theta = [s \ \theta]
   inf-truncate s (Suc k) = (inf-truncate s k) • [s (Suc k)]
— truncating an infinite stream after the n-th element
— n is of type of natural numbers enriched by Infinity
definition
  inf-truncate-plus :: 'a istream \Rightarrow natInf \Rightarrow 'a stream
 where
 inf-truncate-plus s n
  case n of (Fin i) \Rightarrow FinT (inf-truncate s i)
           \mid \infty \quad \Rightarrow InfT s
— concatanation of a finite and an infinite stream
```

definition

 $\mathit{fin}\text{-}\mathit{inf}\text{-}\mathit{append}$  ::

 $a list \Rightarrow (nat \Rightarrow a') \Rightarrow (nat \Rightarrow a')$ 

```
where
fin-inf-append us s \equiv
 (\lambda i. (if (i < (length us)))
        then (nth us i)
        else\ s\ (i\ -\ (length\ us))\ ))
— insuring that the infinite timed stream is time-synchronous
definition
   ts :: 'a \ istream \Rightarrow bool
where
ts \ s \equiv \ \forall \ i. \ (length \ (s \ i) = 1)
— insuring that each time interval of an infinite timed stream contains at most n
data elements
definition
  msg :: nat \Rightarrow 'a \ istream \Rightarrow bool
where
 msg \ n \ s \equiv \ \forall \ t. \ length \ (s \ t) \leq n
— insuring that each time interval of a finite timed stream contains at most n data
elements
primrec
 fin\text{-}msg :: nat \Rightarrow 'a \ list \ list \Rightarrow bool
where
fin\text{-}msg\ n\ [] = True\ []
fin\text{-}msg\ n\ (x\#xs) = (((length\ x) \le n) \land (fin\text{-}msg\ n\ xs))
— making a finite timed stream to a finite untimed stream
definition
  fin-make-untimed :: 'a fstream \Rightarrow 'a list
where
 fin-make-untimed x \equiv concat x
— making an infinite timed stream to an infinite untimed stream
— (auxiliary function)
primrec
  inf-make-untimed1 :: 'a istream \Rightarrow nat \Rightarrow 'a
where
inf-make-untimed 1-0:
  inf-make-untimed1 s \ 0 = hd \ (s \ (LEAST \ i.(s \ i) \neq []))
inf-make-untimed 1-Suc:
  inf-make-untimed1 s (Suc k) =
   (if ((Suc k) < length (s \theta)))
     then nth (s 0) (Suc k)
     else ( if (s \ \theta) = [
            then (inf-make-untimed1 (inf-tl (inf-drop
                         (LEAST i. \forall j. j < i \longrightarrow (s j) = [])
```

s)) k)

else inf-make-untimed1 (inf-tl s) k ))

```
— making an infinite timed stream to an infinite untimed stream
— (main function)
definition
   inf-make-untimed :: 'a istream \Rightarrow (nat \Rightarrow 'a)
where
  inf-make-untimed s
  \lambda i. inf-make-untimed1 s i
— making a (general) stream untimed
definition
   make-untimed :: 'a stream \Rightarrow 'a stream
where
   make-untimed s \equiv
     case s of (FinT x) \Rightarrow FinU (fin-make-untimed x)
             | (FinU x) \Rightarrow FinU x
             | (InfT x) \Rightarrow
               (if (\exists i. \forall j. i < j \longrightarrow (xj) = [])
                then FinU (fin-make-untimed (inf-truncate x
                            (LEAST i. \forall j. i < j \longrightarrow (x j) = [])))
                else InfU (inf-make-untimed x))
             | (InfU x) \Rightarrow InfU x
— finding the index of the time interval that contains the k-th data element
— defined over a finite timed stream
primrec
 \mathit{fin\text{-}tm} :: 'a \; \mathit{fstream} \; \Rightarrow \; \mathit{nat} \; \Rightarrow \; \mathit{nat}
where
 fin-tm [] k = k |
 fin-tm (x\#xs) k =
   (if k = 0)
    then \ 0
    else (if (k \leq length x)
          then (Suc \ \theta)
          else\ Suc(fin-tm\ xs\ (k-length\ x))))
— auxiliary lemma for the definition of the truncate operator
lemma inf-tm-hint1:
  assumes i2 = Suc \ i - length \ a
     and \neg Suc \ i \leq length \ a
     and a \neq [
 shows i2 < Suc i
using assms
by auto
```

```
— filtering a finite timed stream
definition
  finT-filter :: 'a set => 'a fstream => 'a fstream
where
 finT-filter m \ s \equiv map \ (\lambda \ s. \ filter \ (\lambda \ y. \ y \in m) \ s) \ s
— filtering an infinite timed stream
definition
  infT-filter :: 'a set => 'a istream => 'a istream
 infT-filter m \ s \equiv (\lambda i.(filter \ (\lambda \ x. \ x \in m) \ (s \ i)))
— removing duplications from a finite timed stream
definition
  finT-remdups :: 'a fstream => 'a fstream
where
 fin T-remdups s \equiv map (\lambda \ s. \ remdups \ s) \ s
— removing duplications from an infinite timed stream
definition
  infT-remdups :: 'a istream => 'a istream
where
 infT-remdups s \equiv (\lambda i.(remdups (s i)))
— removing duplications from a time interval of a stream
primrec
  fst-remdups :: 'a list \Rightarrow 'a list
where
fst-remdups [] = [] |
fst-remdups (x#xs) =
   (if xs = []
    then [x]
    else (if x = (hd xs)
          then fst-remdups xs
          else (x\#xs))
— time interval operator
definition
 ti :: 'a \ fstream \Rightarrow nat \Rightarrow 'a \ list
where
ti \ s \ i \equiv
   (if \ s = [] \ then \ [] \ else \ (nth \ s \ i))
— insuring that a sheaf of channels is correctly defined
definition
  CorrectSheaf :: nat \Rightarrow bool
where
  CorrectSheaf \ n \equiv 0 < n
```

```
— insuring that all channels in a sheaf are disjunct
— indices in the sheaf are represented using an extra specified set
definition
   inf-disjS :: 'b \ set \Rightarrow ('b \Rightarrow 'a \ istream) \Rightarrow bool
where
  inf-disjS IdSet nS
   \forall \ (t::nat) \ i \ j. \ (i:IdSet) \ \land \ (j:IdSet) \ \land \ ((nS \ i) \ t) \neq [] \ \longrightarrow \ ((nS \ j) \ t) = [] 
— insuring that all channels in a sheaf are disjunct
— indices in the sheaf are represented using natural numbers
definition
   inf-disj :: nat \Rightarrow (nat \Rightarrow 'a \ istream) \Rightarrow bool
where
  inf-disj n nS
  \forall (t::nat) (i::nat) (j::nat).
   i < n \land j < n \land i \neq j \land ((nS \ i) \ t) \neq [] \longrightarrow
   ((nS j) t) = []
— taking the prefix of n data elements from a finite timed stream
— (defined over natural numbers)
fun fin-get-prefix :: ('a fstream \times nat) \Rightarrow 'a fstream
where
 fin-get-prefix([], n) = [] |
 fin-get-prefix(x \# xs, i) =
     ( if (length x) < i
       then x \# fin\text{-}get\text{-}prefix(xs, (i - (length x)))
       else [take \ i \ x])
— taking the prefix of n data elements from a finite timed stream
— (defined over natural numbers enriched by Infinity)
 fin-get-prefix-plus :: 'a fstream \Rightarrow natInf \Rightarrow 'a fstream
where
fin-get-prefix-plus s n
  case\ n\ of\ (Fin\ i) \Rightarrow \mathit{fin-get-prefix}(s,\ i)
          \mid \infty \quad \Rightarrow s
— auxiliary lemmas
lemma length-inf-drop-hint1:
```

assumes  $s \ k \neq []$ 

**by** (auto simp: inf-drop-def)

using assms

**shows** length (inf-drop  $k s \theta$ )  $\neq \theta$ 

```
\mathbf{lemma}\ \mathit{length-inf-drop-hint2}\colon
(s \ 0 \neq [] \longrightarrow length \ (inf-drop \ 0 \ s \ 0) < Suc \ i
  \longrightarrow Suc \ i - length \ (inf-drop \ 0 \ s \ 0) < Suc \ i)
 by (simp add: inf-drop-def list-length-hint1)
— taking the prefix of n data elements from an infinite timed stream
— (defined over natural numbers)
fun infT-get-prefix :: ('a istream \times nat) \Rightarrow 'a fstream
  infT-get-prefix(s, 0) = []
  infT-get-prefix(s, Suc i) =
   (if (s 0) = []
      then ( if (\forall i. s i = [])
            then []
            else (let
                    k = (LEAST \ k. \ s \ k \neq [] \land (\forall i. \ i < k \longrightarrow s \ i = []));
                    s2 = inf-drop(k+1) s
                  in (if (length (s k) = 0)
                      then []
                      else (if (length (s k) < (Suc i))
                            then s \ k \# infT-get-prefix (s2,Suc \ i - length \ (s \ k))
                            else\ [take\ (Suc\ i)\ (s\ k)]\ )))
      else
        (if ((length (s 0)) < (Suc i))
        then (s \ \theta) \# infT-get-prefix(inf-drop 1 s, (Suc \ i) - (length \ (s \ \theta)))
        else [take (Suc i) (s \theta)]
    )
— taking the prefix of n data elements from an infinite untimed stream
— (defined over natural numbers)
primrec
  infU-get-prefix :: (nat \Rightarrow 'a) \Rightarrow nat \Rightarrow 'a \ list
where
  infU-get-prefix s \theta = [] |
  infU-get-prefix s (Suc i)
        = (infU-get-prefix \ s \ i) \bullet [s \ i]
— taking the prefix of n data elements from an infinite timed stream
— (defined over natural numbers enriched by Infinity)
definition
  infT-get-prefix-plus :: 'a istream \Rightarrow natInf \Rightarrow 'a stream
where
```

```
infT-get-prefix-plus s n
  case n of (Fin i) \Rightarrow FinT (infT-get-prefix(s, i))
           |\infty\rangle \Rightarrow InfT s
— taking the prefix of n data elements from an infinite untimed stream
— (defined over natural numbers enriched by Infinity)
definition
  infU-get-prefix-plus :: (nat \Rightarrow 'a) \Rightarrow natInf \Rightarrow 'a stream
where
 infU-get-prefix-plus s n
  case n of (Fin i) \Rightarrow FinU (infU-get-prefix s i)
           \mid \infty \quad \Rightarrow InfU s
— taking the prefix of n data elements from an infinite stream
— (defined over natural numbers enriched by Infinity)
definition
  take-plus :: natInf \Rightarrow 'a \ list \Rightarrow 'a \ list
where
 take-plus n s
  \begin{array}{ccc} \mathit{case} \ \mathit{n} \ \mathit{of} \ (\mathit{Fin} \ i) \Rightarrow (\mathit{take} \ i \ s) \\ \mid \infty & \Rightarrow s \end{array}
— taking the prefix of n data elements from a (general) stream
— (defined over natural numbers enriched by Infinity)
definition
   get\text{-}prefix :: 'a stream \Rightarrow natInf \Rightarrow 'a stream
where
   get-prefix s \ k \equiv
        case s of (FinT x) \Rightarrow FinT (fin-get-prefix-plus x k)
                  | (FinU x) \Rightarrow FinU (take-plus k x) |
                  | (InfT x) \Rightarrow infT-get-prefix-plus x k
                  |(InfU x) \Rightarrow infU\text{-}get\text{-}prefix\text{-}plus x k
— merging time intervals of two finite timed streams
primrec
   fin\text{-}merge\text{-}ti::'a\ fstream \Rightarrow 'a\ fstream \Rightarrow 'a\ fstream
where
fin\text{-}merge\text{-}ti \ [] \ y = y \ |
fin-merge-ti (x\#xs) y =
    (case y of [] \Rightarrow (x \# xs)
         |(z\#zs) \Rightarrow (x \bullet z) \# (fin\text{-merge-ti } xs \ zs))
— merging time intervals of two infinite timed streams
 inf-merge-ti :: 'a istream \Rightarrow 'a istream \Rightarrow 'a istream
where
```

```
inf-merge-ti x y
 \lambda i. (x i) \bullet (y i)
— the last time interval of a finite timed stream
primrec
 fin-last-ti :: ('a list) list \Rightarrow nat \Rightarrow 'a list
where
fin-last-ti s \ \theta = hd \ s \mid
fin-last-ti s (Suc i) =
    (if s!(Suc i) \neq []
      then s!(Suc\ i)
      else fin-last-ti s i)
— the last nonempty time interval of a finite timed stream
— (can be applied to the streams which time intervals are empty from some mo-
ment)
primrec
 inf-last-ti :: 'a istream \Rightarrow nat \Rightarrow 'a list
inf-last-ti s \theta = s \theta
inf-last-ti s (Suc i) =
    (if s (Suc i) \neq []
      then s (Suc i)
      else inf-last-ti s i)
5.3
       Properties of operators
lemma inf-last-ti-nonempty-k:
 assumes inf-last-ti dt t \neq [
 shows inf-last-ti dt (t + k) \neq []
using assms by (induct k, auto)
\mathbf{lemma} \ \mathit{inf-last-ti-nonempty} \colon
 assumes s \ t \neq []
 shows inf-last-ti s (t + k) \neq []
using assms by (induct k, auto, induct t, auto)
lemma arith-sum-t2k:
t + 2 + k = (Suc \ t) + (Suc \ k)
by arith
lemma inf-last-ti-Suc2:
 assumes h1:dt\ (Suc\ t) \neq [] \lor dt\ (Suc\ (Suc\ t)) \neq []
 shows
              inf-last-ti dt (t + 2 + k) \neq []
proof (cases dt (Suc t) \neq [])
 assume a1:dt (Suc \ t) \neq []
 from a1 have sg2:inf-last-ti\ dt\ ((Suc\ t) + (Suc\ k)) \neq []
```

```
by (rule inf-last-ti-nonempty)
  from sg2 show ?thesis by (simp add: arith-sum-t2k)
  assume a2:\neg dt (Suc \ t) \neq []
 from a2 and h1 have sg1:dt (Suc (Suc t)) \neq [] by simp
 from sg1 have sg2:inf-last-ti\ dt\ (Suc\ (Suc\ t)+k)\neq []
   by (rule inf-last-ti-nonempty)
  from sq2 show ?thesis by auto
qed
5.3.1
         Lemmas for concatenation operator
lemma fin-length-append:
fin\text{-}length (x \bullet y) = (fin\text{-}length x) + (fin\text{-}length y)
 by (induct \ x, \ auto)
lemma fin-append-Nil:
fin-inf-append [] z = z
 by (simp add: fin-inf-append-def)
lemma correct-fin-inf-append1:
 assumes s1 = fin\text{-}inf\text{-}append [x] s
 shows s1 (Suc i) = s i
using assms by (simp add: fin-inf-append-def)
\mathbf{lemma}\ \mathit{correct-fin-inf-append2}\colon
fin-inf-append [x] s (Suc i) = s i
 by (simp add: fin-inf-append-def)
lemma fin-append-com-Nil1:
fin-inf-append [] (fin-inf-append y z)
= fin-inf-append ([] \bullet y) z
 by (simp add: fin-append-Nil)
lemma fin-append-com-Nil2:
fin-inf-append \ x \ (fin-inf-append \ [] \ z) = fin-inf-append \ (x \bullet []) \ z
 by (simp add: fin-append-Nil)
\mathbf{lemma}\ \mathit{fin-append-com-i}:
fin-inf-append \ x \ (fin-inf-append \ y \ z) \ i = fin-inf-append \ (x \bullet y) \ z \ i
proof (cases x)
 assume Nil:x = []
 thus ?thesis by (simp add: fin-append-com-Nil1)
 fix a \ l assume Cons: x = a \# l
 thus ?thesis
 proof (cases y)
```

assume y = []

```
thus ?thesis by (simp add: fin-append-com-Nil2)
 next
   fix aa\ la\ {\bf assume}\ {\it Cons2:y}=\ aa\ \#\ la
   show ?thesis
   apply (simp add: fin-inf-append-def, auto, simp add: list-nth-append0)
   by (simp add: nth-append)
 qed
qed
5.3.2
        Lemmas for operators ts and msg
lemma ts-msg1:
 assumes ts p
 shows msg 1 p
using assms by (simp add: ts-def msg-def)
lemma ts-inf-tl:
 assumes ts x
 shows ts (inf-tl x)
using assms by (simp add: ts-def inf-tl-def)
lemma ts-length-hint1:
assumes h1:ts x
 shows x i \neq []
proof -
 from h1 have sg1:length(x i) = Suc \ 0 by (simp \ add: \ ts-def)
 thus ?thesis by auto
qed
lemma ts-length-hint2:
assumes h1:ts x
 shows length (x i) = Suc (0::nat)
using assms
 by (simp\ add:\ ts\text{-}def)
lemma ts-Least-\theta:
 assumes h1:ts x
 shows (LEAST i. (x \ i) \neq []) = (0::nat)
using assms
proof -
 from h1 have sg1:x \ 0 \neq [] by (rule ts-length-hint1)
 thus ?thesis
 apply (simp add: Least-def)
 by auto
qed
lemma inf-tl-Suc:
inf-tl \ x \ i = x \ (Suc \ i)
 by (simp add: inf-tl-def)
```

```
lemma ts-Least-Suc\theta:
 assumes h1:ts x
 shows (LEAST i. x (Suc i) \neq []) = 0
proof -
 from h1 have sg1:x (Suc \theta) \neq [] by (simp add: ts-length-hint1)
 thus ?thesis by (simp add: Least-def, auto)
qed
lemma ts-inf-make-untimed-inf-tl:
 assumes h1:ts x
 shows inf-make-untimed (inf-tl x) i = inf-make-untimed x (Suc i)
using assms
 apply (simp add: inf-make-untimed-def)
 {f proof}\ (induct\ i)
   case \theta
   from h1 show ?case
    by (simp add: ts-length-hint1 ts-length-hint2)
 next
   case (Suc\ i)
   from h1 show ?case
    by (simp add: ts-length-hint1 ts-length-hint2)
qed
lemma ts-inf-make-untimed1-inf-tl:
 assumes h1:ts x
 shows inf-make-untimed1 (inf-tl x) i = inf-make-untimed1 x (Suc i)
using assms
 proof (induct i)
   case \theta
   from h1 show ?case
    by (simp add: ts-length-hint1 ts-length-hint2)
 next
   case (Suc\ i)
   from h1 show ?case
    by (simp add: ts-length-hint1 ts-length-hint2)
qed
lemma msg-nonempty1:
 assumes h1:msg (Suc \theta) a and h2:a t=aa \# l
 shows l = []
proof -
 from h1 have sg1:length\ (a\ t) \leq Suc\ 0 by (simp\ add:\ msg-def)
 from h2 and sg1 show ?thesis by auto
qed
```

```
lemma msg-nonempty2:
 assumes h1:msg (Suc \theta) a and h2:a t \neq []
  shows length (a t) = (Suc \theta)
proof -
  from h1 have sg1:length\ (a\ t) \leq Suc\ 0 by (simp\ add:\ msg-def)
  from h2 have sg2:length (a t) \neq 0 by auto
  from sg1 and sg2 show ?thesis by arith
qed
5.3.3
         Lemmas for inf_truncate
\mathbf{lemma} \ \textit{inf-truncate-nonempty}:
 assumes h1:z i \neq [
 shows inf-truncate z i \neq []
proof (induct i)
   case \theta
   from h1 show ?case by auto
 next
   case (Suc\ i)
    from h1 show ?case by auto
\mathbf{qed}
\mathbf{lemma}\ \textit{concat-inf-truncate-nonempty}\colon
  assumes h1: z i \neq []
  shows concat (inf\text{-}truncate\ z\ i) \neq []
using assms
proof (induct i)
   case \theta
   thus ?case by auto
  next
   case (Suc\ i)
   thus ?case by auto
qed
\mathbf{lemma}\ concat\text{-}inf\text{-}truncate\text{-}nonempty\text{-}a:
 assumes h1:z i = [a]
 shows concat (inf-truncate z i) \neq []
using assms
proof (induct i)
   \mathbf{case}\ \theta
   thus ?case by auto
 \mathbf{next}
   case (Suc\ i)
   thus ?case by auto
qed
```

```
\mathbf{lemma}\ concat\text{-}inf\text{-}truncate\text{-}nonempty\text{-}el\text{:}
 assumes h1:z i \neq []
 shows concat (inf-truncate z i) \neq []
using assms
proof (induct i)
   case \theta
   thus ?case by auto
 \mathbf{next}
   case (Suc \ i)
   thus ?case by auto
\mathbf{qed}
lemma inf-truncate-append:
(inf-truncate\ z\ i\bullet [z\ (Suc\ i)])=inf-truncate\ z\ (Suc\ i)
proof (induct i)
   \mathbf{case}\ \theta
   thus ?case by auto
 next
   case (Suc\ i)
   thus ?case by auto
qed
5.3.4
         Lemmas for fin_make_untimed
{\bf lemma}\ fin-make-untimed-append:
 assumes h1:fin-make-untimed x \neq []
 shows fin-make-untimed (x \bullet y) \neq []
using assms by (simp add: fin-make-untimed-def)
lemma\ fin-make-untimed-inf-truncate-Nonempty:
 assumes h1:z \ k \neq []
     and h2:k \leq i
 shows fin-make-untimed (inf-truncate z i) \neq []
using assms
 apply (simp add: fin-make-untimed-def)
 proof (induct i)
   case \theta
   thus ?case by auto
 next
   case (Suc\ i)
   thus ?case
   proof cases
     assume k \leq i
     from Suc and this show \exists xs \in set (inf-truncate z (Suc i)). xs \neq []
      by auto
```

```
next
     assume \neg k \leq i
     from Suc and this have sg1:k = Suc i by arith
     from Suc and this show \exists xs \in set \ (inf-truncate \ z \ (Suc \ i)). \ xs \neq []
       by auto
    qed
\mathbf{qed}
\mathbf{lemma}\ \textit{last-fin-make-untimed-append}\colon
last\ (fin\text{-}make\text{-}untimed\ (z\bullet [[a]])) = a
 by (simp add: fin-make-untimed-def)
lemma\ last-fin-make-untimed-inf-truncate:
  assumes h1:z i = [a]
  shows last (fin\text{-}make\text{-}untimed\ (inf\text{-}truncate\ z\ i)) = a
using assms
proof (induction i)
  case \theta
   from this show ?case by (simp add: fin-make-untimed-def)
next
   case (Suc \ i)
   thus ?case
   by (simp add: fin-make-untimed-def)
qed
\mathbf{lemma}\ \mathit{fin-make-untimed-append-empty}\colon
fin-make-untimed (z \bullet [[]]) = fin-make-untimed z
 by (simp add: fin-make-untimed-def)
\mathbf{lemma}\ \mathit{fin-make-untimed-inf-truncate-append-a}\colon
fin-make-untimed (inf-truncate z i \bullet [[a]])!
  (length\ (fin-make-untimed\ (inf-truncate\ z\ i\bullet [[a]]))-Suc\ 0)=a
 by (simp add: fin-make-untimed-def)
\mathbf{lemma}\ \mathit{fin-make-untimed-inf-truncate-Nonempty-all:}
  assumes h1:z \ k \neq []
  shows \forall i. k \leq i \longrightarrow fin\text{-}make\text{-}untimed (inf\text{-}truncate z i) \neq []
using assms by (simp add: fin-make-untimed-inf-truncate-Nonempty)
\mathbf{lemma}\ \mathit{fin-make-untimed-inf-truncate-Nonempty-all0}:
  assumes h1:z \ 0 \neq []
  shows \forall i. fin-make-untimed (inf-truncate z i) \neq []
using assms by (simp add: fin-make-untimed-inf-truncate-Nonempty)
```

```
\mathbf{lemma}\ \mathit{fin-make-untimed-inf-truncate-Nonempty-all0a}:
 assumes h1:z \theta = [a]
 shows \forall i. fin-make-untimed (inf-truncate z i) \neq []
using assms by (simp add: fin-make-untimed-inf-truncate-Nonempty-all0)
lemma\ fin-make-untimed-inf-truncate-Nonempty-all-app:
 assumes h1:z \theta = [a]
 shows \forall i. fin-make-untimed (inf-truncate z i \bullet [z (Suc i)]) \neq []
proof
 \mathbf{fix} i
 from h1 have sg1:fin-make-untimed (inf-truncate z i) \neq []
   by (simp add: fin-make-untimed-inf-truncate-Nonempty-all0a)
 from h1 and sg1 show fin-make-untimed (inf-truncate z i \bullet [z (Suc i)]) \neq []
   by (simp add: fin-make-untimed-append)
qed
lemma fin-make-untimed-nth-length:
 assumes h1:z i = [a]
 shows
 fin-make-untimed (inf-truncate z i)!
    (length (fin-make-untimed (inf-truncate z i)) - Suc \theta)
   = a
proof -
from h1 have sg1:last (fin-make-untimed (inf-truncate zi)) = a
 by (simp add: last-fin-make-untimed-inf-truncate)
from h1 have sg2:concat\ (inf-truncate\ z\ i) \neq []
 by (rule concat-inf-truncate-nonempty-a)
from h1 and sg1 and sg2 show ?thesis
 by (simp add: fin-make-untimed-def last-nth-length)
qed
         Lemmas for inf_disj and inf_disjS
5.3.5
lemma inf-disj-index:
 assumes h1:inf-disj n nS
     and h2:nS \ k \ t \neq []
     and h3:k < n
 shows (SOME i. i < n \land nS \ i \ t \neq []) = k
proof -
 from h1 have \forall j. k < n \land j < n \land k \neq j \land nS \ k \ t \neq [] \longrightarrow nS \ j \ t = []
   by (simp add: inf-disj-def, auto)
 from this and assms show ?thesis by auto
qed
```

```
lemma inf-disjS-index:
assumes h1:inf-disjS IdSet nS
and h2:k:IdSet
and h3:nS k t \neq []
shows (SOME\ i.\ (i:IdSet) \land nSend\ i\ t \neq []) = k
proof —
from h1 have \forall\ j.\ k \in IdSet \land j \in IdSet \land nS\ k\ t \neq [] \longrightarrow nS\ j\ t = []
by (simp\ add:\ inf-disjS-def, auto)
from this and assms\ show\ ?thesis\ by\ auto
qed
```

 $\mathbf{end}$ 

# 6 Properties of time-synchronous streams of types bool and bit

```
theory BitBoolTS
\mathbf{imports}\ \mathit{Main}\ \mathit{stream}
begin
datatype bit = Zero \mid One
primrec
  negation :: bit \Rightarrow bit
where
 negation Zero = One \mid
 negation \ One = Zero
lemma ts-bit-stream-One:
 assumes h1:ts x
    and h2:x \ i \neq [Zero]
 shows x i = [One]
proof -
 from h1 have sg1:length (x i) = Suc \ \theta
   by (simp add: ts-def)
 from this and h2 show ?thesis
 proof (cases \ x \ i)
   assume Nil:x i = []
   from this and sg1 show ?thesis by simp
 fix a\ l assume Cons:x\ i=a\ \#\ l
   from this and sg1 and h2 show ?thesis
   proof (cases a)
    assume a = Zero
     from this and sg1 and h2 and Cons show ?thesis by auto
```

```
assume a = One
    from this and sg1 and Cons show ?thesis by auto
   qed
 qed
qed
\mathbf{lemma}\ ts	ext{-}bit	ext{-}stream	ext{-}Zero:
 assumes h1:ts x
    and h2:x \ i \neq [One]
 shows x i = [Zero]
proof -
 from h1 have sg1:length (x i) = Suc \ 0
   by (simp add: ts-def)
 from this and h2 show ?thesis
 proof (cases \ x \ i)
   assume Nil:x i = []
   from this and sg1 show ?thesis by simp
 fix a \ l assume Cons: x \ i = a \# l
   from this and sg1 and h2 show ?thesis
   proof (cases a)
    assume a = Zero
    from this and sg1 and Cons show ?thesis by auto
   \mathbf{next}
    assume a = One
    from this and sg1 and h2 and Cons show ?thesis by auto
   qed
 qed
\mathbf{qed}
lemma ts-bool-True:
 assumes h1:ts x
    and h2:x \ i \neq [False]
 shows x i = [True]
proof -
 from h1 have sg1:length (x i) = Suc \ 0
   by (simp add: ts-def)
 from this and h2 show ?thesis
 proof (cases \ x \ i)
   assume Nil:x i = []
   from this and sg1 show ?thesis by simp
 next
 fix a \ l assume Cons: x \ i = a \# l
   from this and sg1 have sg2:x i = [a] by simp
   from this and h2 show ?thesis by auto
 qed
qed
```

```
\mathbf{lemma}\ ts	ext{-}bool	ext{-}False:
  assumes h1:ts x
     and h2:x \ i \neq [True]
  shows x i = [False]
proof -
  from h1 have sg1:length (x i) = Suc \ \theta
   by (simp add: ts-def)
  from this and h2 show ?thesis
  proof (cases \ x \ i)
   assume Nil:x i = []
   from this and sg1 show ?thesis by simp
 \mathbf{next}
 fix a \ l assume Cons: x \ i = a \# l
   from this and sq1 have sq2:x i = [a] by simp
   from this and h2 show ?thesis by auto
  qed
qed
\mathbf{lemma}\ \textit{ts-bool-True-False}\colon
  fixes x::bool\ istream
 assumes h1:ts x
 shows x i = [True] \lor x i = [False]
proof (cases \ x \ i = \lceil True \rceil)
  assume x i = [True]
  from this and h1 show ?thesis by simp
\mathbf{next}
  assume x \ i \neq [\mathit{True}]
 from this and h1 show ?thesis by (simp add: ts-bool-False)
qed
end
```

# 7 Changing time granularity of the streams

```
theory JoinSplitTime
imports stream arith-hints
begin
```

#### 7.1 Join time units

```
primrec
join\text{-}ti ::'a \ istream \Rightarrow nat \Rightarrow nat \Rightarrow 'a \ list
where
join\text{-}ti\text{-}0\text{:}
join\text{-}ti \ s \ x \ 0 = s \ x \ |
join\text{-}ti\text{-}Suc\text{:}
```

```
join-ti \ s \ x \ (Suc \ i) = (join-ti \ s \ x \ i) \bullet (s \ (x + (Suc \ i)))
primrec
 fin-join-ti ::'a fstream \Rightarrow nat \Rightarrow nat \Rightarrow 'a list
where
fin-join-ti-0:
fin-join-ti s x 0 = nth s x |
fin-join-ti-Suc:
fin-join-ti s \ x \ (Suc \ i) = (fin-join-ti s \ x \ i) \bullet (nth \ s \ (x + (Suc \ i)))
definition
 join-time ::'a istream \Rightarrow nat \Rightarrow 'a istream
where
join-time s \ n \ t \equiv
  (case n of
      \theta \Rightarrow []
 |(Suc\ i) \Rightarrow join-ti\ s\ (n*t)\ i)
lemma join-ti-hint1:
 assumes join-ti s x (Suc i) = []
  shows join-ti \ s \ x \ i = []
using assms by auto
lemma join-ti-hint2:
 assumes join-ti \ s \ x \ (Suc \ i) = []
 shows s(x + (Suc\ i)) = [
using assms by auto
lemma join-ti-hint3:
 assumes join-ti \ s \ x \ (Suc \ i) = []
 shows \quad s \ (x+i) = []
using assms by (induct i, auto)
lemma join-ti-empty-join:
 assumes h1:i \leq n
     and h2:join-ti \ s \ x \ n = []
 shows
               s(x+i) = [
using assms
proof (induct n)
  case \theta
 from this show ?case by auto
\mathbf{next}
  case (Suc \ n)
  from this show ?case
 proof (cases i = Suc n)
```

```
assume a1:i = Suc \ n
   from a1 and Suc show ?thesis by simp
 next
   assume a2:i \neq Suc \ n
   from a2 and Suc show ?thesis by simp
 qed
qed
\mathbf{lemma}\ join\text{-}ti\text{-}empty\text{-}ti\text{:}
 assumes \forall i \leq n. \ s(x+i) = []
 shows join-ti \ s \ x \ n = []
using assms by (induct \ n, \ auto)
lemma join-ti-1nempty:
 assumes \forall i. 0 < i \land i < Suc \ n \longrightarrow s \ (x+i) = []
 shows join-ti \ s \ x \ n = s \ x
using assms by (induct n, auto)
lemma join-time1t: \forall t. join-time s (1::nat) t = s t
by (simp add: join-time-def)
lemma join-time1: join-time s 1 = s
by (simp add: fun-eq-iff join-time-def)
lemma join-time-empty1:
 assumes h1:i < n
    and h2:join-time\ s\ n\ t=[]
 shows s(n*t+i) = []
proof (cases n)
 assume a1:n = 0
 from assms and a1 show ?thesis by (simp add: join-time-def)
next
 \mathbf{fix} \ x
 assume a2:n = Suc x
 from assms and a2 have sg1:join-ti\ s\ (t+x*t)\ x=[]
   by (simp add: join-time-def)
 from a2 and h1 have sg2:i \le x by simp
 from sg2 and sg1 and a2 show ?thesis by (simp add: join-ti-empty-join)
qed
lemma fin-join-ti-hint1:
 assumes fin-join-ti s \ x \ (Suc \ i) = []
 shows fin-join-ti \ s \ x \ i = []
using assms by auto
```

```
lemma fin-join-ti-hint2:
 assumes fin-join-ti \ s \ x \ (Suc \ i) = []
           nth \ s \ (x + (Suc \ i)) = []
using assms by auto
lemma fin-join-ti-hint3:
  assumes fin-join-ti s x (Suc i) = []
 shows nth \ s \ (x + i) = []
\mathbf{using} \ assms \ \mathbf{by} \ (induct \ i, \ auto)
lemma fin-join-ti-empty-join:
  assumes h1:i \le n
     and h2:fin-join-ti \ s \ x \ n = []
 shows
              nth \ s \ (x+i) = []
using assms
proof (induct \ n)
 case \theta
  from this show ?case by auto
\mathbf{next}
  case (Suc \ n)
  from this show ?case
  proof (cases i = Suc \ n)
   assume a1:i = Suc \ n
   from Suc and a1 show ?thesis by simp
  next
   assume a2:i \neq Suc \ n
   from Suc and a2 show ?thesis by simp
  qed
\mathbf{qed}
lemma fin-join-ti-empty-ti:
 assumes \forall i \leq n. \ nth \ s \ (x+i) = []
 shows fin-join-ti s x n = []
using assms by (induct n, auto)
lemma fin-join-ti-1nempty:
 assumes \forall i. 0 < i \land i < Suc \ n \longrightarrow nth \ s \ (x+i) = []
 shows fin-join-ti \ s \ x \ n = nth \ s \ x
using assms by (induct n, auto)
```

### 7.2 Split time units

```
definition
 split-time ::'a istream \Rightarrow nat \Rightarrow 'a istream
where
split-time s n t \equiv
 ( if (t \bmod n = 0)
   then s (t div n)
   else [])
lemma split-time1t: \forall t. split-time s \ 1 \ t = s \ t
by (simp add: split-time-def)
lemma split-time 1: split-time s \ 1 = s
by (simp add: fun-eq-iff split-time-def)
lemma split-time-mod:
 assumes t \mod n \neq 0
 shows split-time s \ n \ t = []
using assms by (simp add: split-time-def)
lemma split-time-nempty:
 assumes 0 < n
 shows split-time s \ n \ (n * t) = s \ t
using assms by (simp add: split-time-def)
lemma split-time-nempty-Suc:
 assumes 0 < n
 shows split\text{-}time\ s\ (Suc\ n)\ ((Suc\ n)*t) = split\text{-}time\ s\ n\ (n*t)
proof -
 have sq\theta: \theta < Suc \ n by simp
 from sg0 have sg1:split-time\ s\ (Suc\ n)\ ((Suc\ n)*t) = s\ t
   by (rule split-time-nempty)
 from assms have sg2:split-time s n (n * t) = s t
   by (rule split-time-nempty)
 from sg1 and sg2 show ?thesis by simp
qed
lemma split-time-empty:
 assumes h1:i < n and h2:0 < i
 shows split-time s \ n \ (n * t + i) = []
proof -
 from assms have sq1:0 < (n * t + i) \mod n by (simp add: arith-mod-nzero)
 from assms and sg1 show ?thesis by (simp add: split-time-def)
qed
lemma split-time-empty-Suc:
 assumes h1:i < n and h2:0 < i
 shows split-time s (Suc n) ((Suc n)* t + i) = split-time s n (n * t + i)
proof -
```

```
from h1 have sg1:i < Suc \ n by simp
 from sg1 and h2 have sg2:split-time\ s\ (Suc\ n)\ (Suc\ n*t+i)=[]
   by (rule split-time-empty)
 from assms have sg3:split-time\ s\ n\ (n*t+i) = []
   by (rule split-time-empty)
 from sg3 and sg2 show ?thesis by simp
qed
lemma split-time-hint1:
 assumes n = Suc m
 shows split-time s (Suc n) (i + n * i + n) = []
proof -
 have sg1:i + n * i + n = (Suc \ n) * i + n by simp
 have sg2:n < Suc \ n by simp
 from assms have sg3:0 < n by simp
 from sg2 and sg3 have sg4:split-time s (Suc n) (Suc n * i + n) = []
   by (rule split-time-empty)
 from sg1 and sg4 show ?thesis by auto
qed
```

### 7.3 Duality of the split and the join operators

```
lemma join-split-i:
 assumes \theta < n
 shows join-time (split-time s n) n i = s i
proof (cases n)
 assume a1:n = 0
  from this and assms show ?thesis by simp
next
 \mathbf{fix} \ k
 assume a2:n = Suc k
 have sg\theta: \theta < Suc k by simp
 from sg\theta have sg1:(split-time\ s\ (Suc\ k))\ (Suc\ k*i) = s\ i
   by (rule split-time-nempty)
 have sg2:i + k * i = (Suc \ k) * i  by simp
 have sg3: \forall j. \ 0 < j \land j < Suc \ k \longrightarrow split-time \ s \ (Suc \ k) \ (Suc \ k * i + j) = []
   by (clarify, rule split-time-empty, auto)
 from sg3 have sg4:join-ti (split-time\ s\ (Suc\ k)) ((Suc\ k)*i)\ k=
                  (split\text{-}time\ s\ (Suc\ k))\ (Suc\ k*i)
   by (rule join-ti-1nempty)
  from a2 and sq4 and sq1 show ?thesis by (simp add: join-time-def)
qed
lemma join-split:
 assumes \theta < n
 shows join-time (split-time s n) n = s
using assms by (simp add: fun-eq-iff join-split-i)
end
```

# 8 Steam Boiler System: Specification

```
theory SteamBoiler
imports stream BitBoolTS
begin
definition
 ControlSystem :: nat istream \Rightarrow bool
where
 ControlSystem\ s \equiv
 (ts\ s)\ \wedge
  (\forall (j::nat). (200::nat) \le hd (s j) \land hd (s j) \le (800:: nat))
definition
  SteamBoiler :: bit istream \Rightarrow nat istream \Rightarrow nat istream \Rightarrow bool
where
 SteamBoiler \ x \ s \ y \equiv
  ts x
  ((ts\ y)\ \land\ (ts\ s)\ \land\ (y=s)\ \land
  ((s \ \theta) = [500::nat]) \land
  (\forall (j::nat). (\exists (r::nat).
                (\theta::nat) < r \land r \le (1\theta::nat) \land
                hd\ (s\ (Suc\ j)) =
                   (if hd (x j) = Zero
                    then (hd (s j)) - r
                    else\ (hd\ (s\ j))\ +\ r))\ ))
definition
  Converter :: bit istream \Rightarrow bit istream \Rightarrow bool
where
 Converter\ z\ x
  (ts x)
  (\forall (t::nat).
    hd(x t) =
        (if (fin-make-untimed (inf-truncate z t) = [])
         then
             Zero
         else
             (fin-make-untimed\ (inf-truncate\ z\ t))!
                 ((length\ (fin-make-untimed\ (inf-truncate\ z\ t)))-(1::nat))
       ))
definition
  Controller\text{-}L::
    nat\ istream \Rightarrow bit\ iustream \Rightarrow bit\ iustream \Rightarrow bit\ istream \Rightarrow bool
where
```

```
Controller-L y lIn lOut z
  (z \ \theta = [Zero])
  (\forall (t::nat).
  (if (lIn t) = Zero
   then ( if 300 < hd (y t)
          then \ (z\ t) = [] \quad \land (lOut\ t) = Zero
          else\ (z\ t) = [One] \land (lOut\ t) = One
   else ( if hd(y t) < 700
          then (z t) = [] \land (lOut t) = One
          else\ (z\ t) = [Zero] \land (lOut\ t) = Zero\ )\ ))
definition
  Controller :: nat \ istream \Rightarrow bit \ istream \Rightarrow bool
where
 Controller y z
 \equiv
 (ts \ y)
 (\exists \ \textit{l. Controller-L y (fin-inf-append [Zero] l) l z})
definition
  ControlSystemArch :: nat istream \Rightarrow bool
where
 ControlSystemArch s
  \exists x z :: bit istream. \exists y :: nat istream.
   (SteamBoiler x s y \land Controller y z \land Converter z x)
end
```

# 9 Steam Boiler System: Verification

theory SteamBoiler-proof imports SteamBoiler begin

## 9.1 Properties of the Boiler Component

```
lemma L1-Boiler:
   assumes h1: SteamBoiler x s y
      and h2: ts x
   shows ts s
using assms by (simp add: SteamBoiler-def)
lemma L2-Boiler:
   assumes h1: SteamBoiler x s y
```

```
and h2: ts x
 shows ts y
using assms by (simp add: SteamBoiler-def)
lemma L3-Boiler:
 assumes h1:SteamBoiler \ x \ s \ y
    and h2:ts \ x
 shows 200 \le hd \ (s \ \theta)
using assms by (simp add: SteamBoiler-def)
lemma L4-Boiler:
 \mathbf{assumes}\ h1{:}SteamBoiler\ x\ s\ y
    and h2:ts x
 shows hd (s \theta) < 800
using assms by (simp add: SteamBoiler-def)
lemma L5-Boiler:
 assumes h1: SteamBoiler x s y
    and h2:ts \ x
    and h3:hd(x j) = Zero
 shows (hd\ (s\ j)) \le hd\ (s\ (Suc\ j)) + (10::nat)
proof -
  from h1 and h2 obtain r where
    a1:r \leq 10 and
    a2:hd\ (s\ (Suc\ j)) = (if\ hd\ (x\ j) = Zero\ then\ hd\ (s\ j) - r\ else\ hd\ (s\ j) + r)
    by (simp add: SteamBoiler-def, auto)
  from a2 and h3 have sg1:hd (s (Suc j)) = hd (s j) - r by simp
  from sg1 and a1 show ?thesis by auto
qed
lemma L6-Boiler:
 assumes h1: SteamBoiler \ x \ s \ y
    and h2:ts x
    and h3:hd(x j) = Zero
 shows (hd\ (s\ j)) - (10::nat) \le hd\ (s\ (Suc\ j))
proof -
  from h1 and h2 obtain r where
    a1:r \leq 10 and
    a2:hd\ (s\ (Suc\ j)) = (if\ hd\ (x\ j) = Zero\ then\ hd\ (s\ j) - r\ else\ hd\ (s\ j) + r)
    by (simp add: SteamBoiler-def, auto)
  from a2 and h3 have sg1:hd (s (Suc j)) = hd (s j) - r by simp
  from sg1 and a1 show ?thesis by auto
qed
```

```
lemma L7-Boiler:
 assumes h1:SteamBoiler x s y
    and h2:ts \ x
    and h3:hd (x j) \neq Zero
 shows (hd\ (s\ j)) \ge hd\ (s\ (Suc\ j)) - (10::nat)
using assms
proof -
  from h1 and h2 obtain r where
    a1:r \leq 10 and
    a2:hd\ (s\ (Suc\ j)) = (if\ hd\ (x\ j) = Zero\ then\ hd\ (s\ j) - r\ else\ hd\ (s\ j) + r)
    by (simp add: SteamBoiler-def, auto)
  from a2 and h3 have sg1:hd (s (Suc j)) = hd (s j) + r by simp
  from sg1 and a1 show ?thesis by auto
qed
lemma L8-Boiler:
 assumes h1:SteamBoiler \ x \ s \ y
    and h2:ts \ x
    and h3:hd(x j) \neq Zero
 shows (hd\ (s\ j)) + (10::nat) \ge hd\ (s\ (Suc\ j))
proof -
  from h1 and h2 obtain r where
    a1:r \leq 10 and
    a2:hd\ (s\ (Suc\ j))=(if\ hd\ (x\ j)=Zero\ then\ hd\ (s\ j)-r\ else\ hd\ (s\ j)+r)
    by (simp add: SteamBoiler-def, auto)
  from a2 and h3 have sg1:hd (s (Suc j)) = hd (s j) + r by simp
  from sq1 and a1 show ?thesis by auto
qed
9.2
      Properties of the Controller Component
lemma L1-Controller:
 assumes h1:Controller-L\ s\ (fin-inf-append\ [Zero]\ l)\ l\ z
 shows
             fin-make-untimed (inf-truncate z i) \neq []
proof -
 from h1 have \forall i. 0 \leq i \longrightarrow fin\text{-make-untimed (inf-truncate } zi) \neq []
  by (simp add: Controller-L-def fin-make-untimed-inf-truncate-Nonempty-all0a)
 from this show ?thesis by simp
\mathbf{qed}
lemma L2-Controller-Zero:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l\ t=Zero
    and h3:300 < hd (y (Suc t))
             z (Suc t) = []
 shows
proof -
 from h2 have sq1:fin-inf-append [Zero] l (Suc t) = Zero
```

```
by (simp add: correct-fin-inf-append1)
 from h1 and sg1 and h3 show ?thesis by (simp add: Controller-L-def)
qed
lemma L2-Controller-One:
 assumes h1:Controller-L\ y\ (fin-inf-append\ [Zero]\ l)\ l\ z
     and h2:l\ t=One
    and h3:hd (y (Suc t)) < 700
 shows
             z (Suc t) = []
proof -
 from h2 have sg1:fin-inf-append [Zero] l (Suc t) \neq Zero
   by (simp add: correct-fin-inf-append1)
 from h1 and sg1 and h3 show ?thesis by (simp add: Controller-L-def)
qed
lemma L3-Controller-Zero:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l\ t=Zero
    and h3: \neg 300 < hd (y (Suc t))
             z (Suc t) = [One]
 shows
proof -
 from h2 have sg1:fin-inf-append [Zero] l (Suc t) = Zero
   \mathbf{by}\ (\mathit{simp}\ \mathit{add}\colon \mathit{correct\text{-}fin\text{-}inf\text{-}append1})
 from h1 and sg1 and h3 show ?thesis by (simp add: Controller-L-def)
qed
lemma L3-Controller-One:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l\ t=One
    and h3:\neg hd (y (Suc t)) < 700
 shows
             z (Suc t) = [Zero]
proof -
 from h2 have sq1:fin-inf-append [Zero] l (Suc t) \neq Zero
   by (simp add: correct-fin-inf-append1)
 from h1 and sg1 and h3 show ?thesis by (simp add: Controller-L-def)
qed
lemma L4-Controller-Zero:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
     and h2:l (Suc t) = Zero
             (z (Suc t) = [] \land l t = Zero) \lor (z (Suc t) = [Zero] \land l t = One)
 shows
proof (cases \ l \ t)
 assume a1:l \ t = Zero
 from this and h1 and h2 show ?thesis
 proof -
```

```
from at have sg1:fin-inf-append [Zero] l (Suc t) = Zero
    by (simp add: correct-fin-inf-append1)
   from h1 and sg1 have sg2:
    if 300 < hd \ (y \ (Suc \ t))
     then z (Suc t) = [] \land l (Suc t) = Zero
     else\ z\ (Suc\ t) = [One] \land l\ (Suc\ t) = One
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases 300 < hd (y (Suc t)))
    assume a11:300 < hd (y (Suc t))
    from all and sg2 have sg3:z (Suc t) = [] \land l (Suc t) = Zero by simp
    from this and a1 show ?thesis by simp
   next
    assume a12: \neg 300 < hd \ (y \ (Suc \ t))
    from a12 and sg2 have sg4:z (Suc t) = [One] \land l (Suc t) = One by simp
    from this and h2 show ?thesis by simp
   qed
 qed
next
 assume a2:l\ t=One
 from this and h1 and h2 show ?thesis
 proof -
   from a2 have sg5:fin-inf-append [Zero] l (Suc t) \neq Zero
    by (simp add: correct-fin-inf-append1)
   from h1 and sq5 have sq6:
    if hd (y (Suc t)) < 700
     then z (Suc t) = [] \land l (Suc t) = One
     else\ z\ (Suc\ t) = [Zero] \land l\ (Suc\ t) = Zero
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases hd (y (Suc t)) < 700)
    assume a21:hd\ (y\ (Suc\ t)) < 700
    from a21 and sg6 have sg7:z (Suc t) = [] \land l (Suc t) = One by simp
    from this and h2 show ?thesis by simp
   next
    assume a22:\neg hd (y (Suc t)) < 700
    from a22 and sg6 have sg8:z (Suc t) = [Zero] \land l (Suc t) = Zero by simp
    from this and a2 show ?thesis by simp
   qed
 qed
qed
lemma L4-Controller-One:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l (Suc t) = One
 shows
            (z (Suc \ t) = [] \land l \ t = One) \lor (z (Suc \ t) = [One] \land l \ t = Zero)
proof (cases \ l \ t)
 assume a1:l\ t=Zero
```

```
from this and h1 and h2 show ?thesis
 proof -
   from a1 have sg1:fin-inf-append [Zero] l (Suc t) = Zero
    by (simp add: correct-fin-inf-append1)
   from h1 and sq1 have sq2:
    if 300 < hd \ (y \ (Suc \ t))
     then z (Suc t) = [] \land l (Suc t) = Zero
     else\ z\ (Suc\ t) = [One] \land l\ (Suc\ t) = One
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases 300 < hd (y (Suc t)))
    assume a11:300 < hd (y (Suc t))
    from all and sg2 have sg3:z (Suc t) = [] \land l (Suc t) = Zero by simp
    from this and h2 show ?thesis by simp
   next
    assume a12: \neg 300 < hd \ (y \ (Suc \ t))
    from a12 and sg2 have sg4:z (Suc t) = [One] \land l (Suc t) = One by simp
    from this and a1 show ?thesis by simp
   qed
 qed
next
 assume a2:l\ t=One
 from this and h1 and h2 show ?thesis
 proof -
   from a2 have sg5:fin-inf-append [Zero] l (Suc t) \neq Zero
    by (simp add: correct-fin-inf-append1)
   from h1 and sq5 have sq6:
    if hd (y (Suc t)) < 700
     then z (Suc t) = [] \land l (Suc t) = One
     else\ z\ (Suc\ t) = [Zero] \land l\ (Suc\ t) = Zero
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases\ hd\ (y\ (Suc\ t)) < 700)
    assume a21:hd\ (y\ (Suc\ t)) < 700
    from a21 and sg6 have sg7:z (Suc t) = [] \land l (Suc t) = One by simp
    from this and a2 show ?thesis by simp
   next
    assume a22:\neg hd (y (Suc t)) < 700
    from a22 and sg6 have sg8:z (Suc t) = [Zero] \land l (Suc t) = Zero by simp
    from this and h2 show ?thesis by simp
   qed
 qed
qed
\mathbf{lemma}\ L5-Controller-Zero:
 assumes h1:Controller-L\ y\ lIn\ lOut\ z
    and h2:lOut\ t=Zero
    and h3:z t = []
 shows lIn t = Zero
```

```
proof (cases lIn t)
 assume a1:lIn\ t=Zero
 from this show ?thesis by simp
 assume a2:lIn\ t=One
 from a2 and h1 have sq1:
   if hd(y t) < 700
   then z t = [] \wedge lOut t = One
   else\ z\ t = [Zero] \land lOut\ t = Zero
   by (simp add: Controller-L-def)
 show ?thesis
 proof (cases hd (y t) < 700)
   assume a3:hd (y t) < 700
   from a3 and sg1 have sg2:z \ t = [] \land lOut \ t = One by simp
   from this and h2 show ?thesis by simp
   assume a4:\neg hd (y t) < 700
   from a4 and sg1 have sg3:z t = [Zero] \land lOut \ t = Zero by simp
   from this and h3 show ?thesis by simp
 qed
qed
lemma L5-Controller-One:
 assumes h1:Controller-L\ y\ lIn\ lOut\ z
    and h2:lOut\ t=One
    and h3:z t = []
 shows lIn t = One
proof (cases \ lIn \ t)
 assume a1:lIn\ t=Zero
 from a1 and h1 have sg1:
   if 300 < hd (y t)
   then z t = [] \land lOut t = Zero
   else \ z \ t = [One] \land lOut \ t = One
   by (simp add: Controller-L-def)
 show ?thesis
 proof (cases 300 < hd (y t))
   assume a3:300 < hd (y t)
   from a3 and sg1 have sg2:z t = [] \land lOut t = Zero by simp
   from this and h2 show ?thesis by simp
 next
   assume a4: \neg 300 < hd (y t)
   from a4 and sg1 have sg3:z \ t = [One] \land lOut \ t = One by simp
   from this and h3 show ?thesis by simp
 qed
next
 assume a2:lIn\ t=One
 from this show ?thesis by simp
qed
```

```
\mathbf{lemma}\ L5\text{-}Controller:
 assumes h1:Controller-L y lIn lOut z
    and h2:lOut\ t=a
    and h3:z t = []
 shows lIn t = a
proof (cases a)
 assume a = Zero
 from this and h1 and h2 and h3 show ?thesis
   by (simp add: L5-Controller-Zero)
next
 assume a = One
 from this and h1 and h2 and h3 show ?thesis
   by (simp add: L5-Controller-One)
qed
lemma L6-Controller-Zero:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l (Suc t) = Zero
    and h3:z (Suc t) = []
 shows l t = Zero
proof -
 from h1 and h2 and h3 have (fin-inf-append [Zero] l) (Suc t) = Zero
   \mathbf{by}\ (simp\ add\colon\ L5\text{-}Controller\text{-}Zero)
 from this show ?thesis
   by (simp add: correct-fin-inf-append2)
\mathbf{qed}
lemma L6-Controller-One:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l (Suc t) = One
    and h3:z (Suc t) = []
 shows l t = One
proof -
 from h1 and h2 and h3 have (fin-inf-append [Zero] l) (Suc t) = One
   by (simp add: L5-Controller-One)
 from this show ?thesis
   by (simp add: correct-fin-inf-append2)
qed
lemma L6-Controller:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l (Suc t) = a
    and h3:z (Suc t) = []
 shows l t = a
```

```
proof (cases a)
 assume a = Zero
 from this and h1 and h2 and h3 show ?thesis
   by (simp add: L6-Controller-Zero)
next
 assume a = One
 from this and h1 and h2 and h3 show ?thesis
   by (simp add: L6-Controller-One)
qed
lemma L7-Controller-Zero:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:l\ t=Zero
            last (fin-make-untimed (inf-truncate z t)) = Zero
 shows
using assms
proof (induct t)
 case \theta
 from h1 have sg1:z \ 0 = [Zero] by (simp add: Controller-L-def)
 from this show ?case by (simp add: fin-make-untimed-def)
next
  \mathbf{fix} \ t
  case (Suc\ t)
  from this show ?case
  proof (cases \ l \ t)
    assume a1:l \ t = Zero
    from Suc have
     sg1:(z (Suc \ t) = [] \land l \ t = Zero) \lor (z (Suc \ t) = [Zero] \land l \ t = One)
     by (simp add: L4-Controller-Zero)
    from this and a1 have sg2:z (Suc t) = []
     by simp
    from Suc and sg2 and a1 show ?case
     by (simp add: fin-make-untimed-append-empty)
    assume a1:l \ t = One
    from Suc have
     sg1:(z (Suc t) = [] \land l t = Zero) \lor (z (Suc t) = [Zero] \land l t = One)
     by (simp add: L4-Controller-Zero)
    from this and a1 have sg2:z (Suc t) = [Zero] by simp
    from a1 and Suc and sg2 show ?case
     by (simp add: fin-make-untimed-def)
  qed
qed
lemma L7-Controller-One-l0:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:y \theta = [500::nat]
 shows l \theta = Zero
```

```
proof (rule ccontr)
 assume a1: \neg l \ \theta = Zero
 from assms have sg1:z \ 0 = [Zero] by (simp add: Controller-L-def)
 have sq2:fin-inf-append [Zero] l(0::nat) = Zero by (simp\ add:\ fin-inf-append-def)
 from assms and a1 and sg1 and sg2 show False
  by (simp add: Controller-L-def)
\mathbf{qed}
lemma L7-Controller-One:
 assumes h1:Controller-L\ y\ (fin-inf-append\ [Zero]\ l)\ l\ z
    and h2:l \ t = One
    and h\beta:y \theta = [50\theta::nat]
 shows last (fin-make-untimed (inf-truncate z t)) = One
using assms
proof (induct\ t)
 case \theta
 from h1 and h3 have sg0:l \ 0 = Zero by (simp add: L7-Controller-One-l0)
 from this and \theta show ?case by simp
next
  \mathbf{fix} \ t
  \mathbf{case}\ (Suc\ t)
  from this show ?case
  proof (cases \ l \ t)
    assume a1:l \ t = Zero
    from Suc have
     sg1:(z (Suc t) = [] \land l t = One) \lor (z (Suc t) = [One] \land l t = Zero)
     by (simp add: L4-Controller-One)
    from this and a1 have sg2:z (Suc t) = [One]
     by simp
    from Suc and sg2 and a1 show ?case
     by (simp add: fin-make-untimed-def)
  \mathbf{next}
    assume a1:l \ t = One
    from Suc have
     sg1:(z (Suc t) = [] \land l t = One) \lor (z (Suc t) = [One] \land l t = Zero)
     by (simp add: L4-Controller-One)
    from this and a1 have sg2:z (Suc t) = [
     by simp
    from a1 and Suc and sg2 show ?case
     by (simp add: fin-make-untimed-def)
  qed
qed
lemma L7-Controller:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
    and h2:y \ \theta = [500::nat]
 shows
             last (fin-make-untimed (inf-truncate z t)) = l t
```

```
proof (cases l t)
 assume l t = Zero
 from this and h1 show ?thesis
   by (simp add: L7-Controller-Zero)
next
 assume l t = One
 from this and h1 and h2 show ?thesis
   by (simp add: L7-Controller-One)
qed
lemma L8-Controller:
 assumes h1:Controller-L y (fin-inf-append [Zero] l) l z
            z t = [] \lor z t = [Zero] \lor z t = [One]
proof (cases fin-inf-append [Zero] l \ t = Zero)
 assume a1:fin-inf-append [Zero] l t = Zero
 from a1 and h1 have sg1:
  if 300 < hd (y t)
   then z t = [] \wedge l t = Zero
   else z t = [One] \land l t = One
   by (simp add: Controller-L-def)
 show ?thesis
 proof (cases 300 < hd (y t))
   assume a11:300 < hd (y t)
   from all and sgl show ?thesis by simp
 next
   assume a12: \neg 300 < hd (y t)
   from a12 and sq1 show ?thesis by simp
 qed
next
 assume a2:fin-inf-append [Zero] l \ t \neq Zero
 from a2 and h1 have sg2:
  if hd(y t) < 700
   then z t = [] \wedge l t = One
   else\ z\ t = [Zero] \land l\ t = Zero
   by (simp add: Controller-L-def)
 show ?thesis
 proof (cases hd (y t) < 700)
   assume a21:hd (y t) < 700
   from a21 and sg2 show ?thesis by simp
 next
   assume a22:\neg hd (y t) < 700
   from a22 and sg2 show ?thesis by simp
 qed
qed
```

```
lemma L9-Controller:
 assumes h1:Controller-L s (fin-inf-append [Zero] l) l z
    and h2:fin-make-untimed (inf-truncate z i)!
           (length\ (fin-make-untimed\ (inf-truncate\ z\ i)) - Suc\ \theta) = Zero
    and h3:last\ (fin-make-untimed\ (inf-truncate\ z\ i))=l\ i
    and h4:200 \le hd \ (s \ i)
    and h5:hd (s (Suc i)) = hd (s i) - r
    and h6:fin-make-untimed (inf-truncate z i) \neq []
    and h7:0 < r
    and h8:r \leq 10
 shows 200 \le hd \ (s \ (Suc \ i))
proof -
 from h6 and h2 and h3 have sg0:li=Zero
   by (simp add: last-nth-length)
 show ?thesis
 proof (cases fin-inf-append [Zero] l i = Zero)
   assume a1:fin-inf-append [Zero] l i = Zero
   from a1 and h1 have sg1:
    if 300 < hd (s i)
     then z i = [] \land l i = Zero
     else\ z\ i = [One] \land l\ i = One
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases 300 < hd (s i))
    assume a11:300 < hd (s i)
    from all and h5 and h8 show ?thesis by simp
    assume a12: \neg 300 < hd (s i)
    from a12 and sg1 and sg0 show ?thesis by simp
   qed
 next
   assume a2:fin-inf-append [Zero] l \ i \neq Zero
   from a2 and h1 have sg2:
    if hd(s i) < 700
     then z i = [] \wedge l i = One
     else\ z\ i = [Zero] \land l\ i = Zero
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases hd (s i) < 700)
    assume a21:hd (s i) < 700
    from this and sg2 and sg0 show ?thesis by simp
   next
    assume a22:\neg hd (s i) < 700
    from this and h5 and h8 show ?thesis by simp
   qed
 qed
qed
```

```
lemma L10-Controller:
 assumes h1:Controller-L s (fin-inf-append [Zero] l) l z
    and h2:fin-make-untimed (inf-truncate z i)!
           (length\ (fin-make-untimed\ (inf-truncate\ z\ i)) - Suc\ \theta) \neq Zero
    and h3:last\ (fin-make-untimed\ (inf-truncate\ z\ i))=l\ i
    and h4:hd (s i) \le 800
    and h5:hd (s (Suc i)) = hd (s i) + r
    and h6:fin-make-untimed (inf-truncate z i) \neq []
    and h7:0 < r
    and h8:r \leq 10
 shows hd (s (Suc i)) \leq 800
proof -
 from h6 and h2 and h3 have sg0:l \ i \neq Zero
   by (simp add: last-nth-length)
 show ?thesis
 proof (cases fin-inf-append [Zero] l i = Zero)
   assume a1:fin-inf-append [Zero] l i = Zero
   from a1 and h1 have sg1:
    if 300 < hd (s i)
     then z i = [] \land l i = Zero
     else\ z\ i = [One] \land l\ i = One
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases 300 < hd (s i))
    assume a11:300 < hd (s i)
    from all and sgl and sg0 show ?thesis by simp
    assume a12: \neg 300 < hd (s i)
    from h5 and a12 and h8 show ?thesis by simp
   qed
 next
   assume a2:fin-inf-append [Zero] l \ i \neq Zero
   from a2 and h1 have sg2:
    if hd(s i) < 700
     then z i = [] \wedge l i = One
     else\ z\ i = [Zero] \land l\ i = Zero
     by (simp add: Controller-L-def)
   show ?thesis
   proof (cases hd (s i) < 700)
    assume a21:hd (s i) < 700
    from this and h5 and h8 show ?thesis by simp
   next
    assume a22:\neg hd (s i) < 700
    from this and sg2 and sg0 show ?thesis by simp
   qed
 qed
qed
```

## 9.3 Properties of the Converter Component

```
lemma L1-Converter:
 assumes h1:Converter z x
    and h2:fin\text{-}make\text{-}untimed\ (inf\text{-}truncate\ z\ t) \neq []
             hd(x t) = (fin\text{-}make\text{-}untimed(inf\text{-}truncate z t))!
             ((length\ (fin-make-untimed\ (inf-truncate\ z\ t)))-(1::nat))
using assms
 by (simp add: Converter-def)
lemma L1a-Converter:
 assumes h1:Converter z x
    and h2:fin\text{-}make\text{-}untimed\ (inf\text{-}truncate\ z\ t) \neq []
    and h3:hd (x t) = Zero
             (fin-make-untimed\ (inf-truncate\ z\ t))!
 shows
             ((length\ (fin-make-untimed\ (inf-truncate\ z\ t)))-(1::nat))
           = Zero
using assms
 by (simp add: L1-Converter)
      Properties of the System
lemma L1-ControlSystem:
 assumes h1:ControlSystemArch s
 shows ts \ s
proof -
 from h1 obtain x z y
   where a1:Converter\ z\ x and a2:SteamBoiler\ x\ s\ y
   by (simp only: ControlSystemArch-def, auto)
 from this have sg1:ts x
   by (simp add: Converter-def)
 from a2 and sq1 show ?thesis by (rule L1-Boiler)
qed
lemma L2-ControlSystem:
 assumes h1:ControlSystemArch s
 shows (200::nat) \leq hd (s i)
proof -
 from h1 obtain x z y
   where a1:Converter z x and a2: SteamBoiler x s y and a3:Controller y z
   by (simp only: ControlSystemArch-def, auto)
 from this have sg1:ts \ x by (simp \ add: Converter-def)
 from sg1 and a2 have sg2:ts y by (simp add: L2-Boiler)
 from sq1 and a2 have sq3:y = s by (simp\ add:\ SteamBoiler-def)
 from a1 and a2 and a3 and sg1 and sg2 and sg3 show 200 \le hd (s i)
 proof (induction i)
   case \theta
   from this show ?case by (simp add: L3-Boiler)
 next
```

```
\mathbf{fix} i
   case (Suc\ i)
   from this obtain l
    where a4: Controller-L s (fin-inf-append [Zero] l) l z
    by (simp add: Controller-def, atomize, auto)
   from Suc and a4 have sg4:fin-make-untimed (inf-truncate z i) \neq []
    by (simp add: L1-Controller)
  from a2 and sg1 have y0asm:y0 = [500::nat] by (simp add: SteamBoiler-def)
    from Suc and a4 and sg4 and y0asm have sg5: last (fin-make-untimed
(inf\text{-}truncate\ z\ i)) = l\ i
    by (simp add: L7-Controller)
   from a2 and sg1 obtain r where
     aa\theta:\theta < r and
     aa1:r \leq 10 and
     aa2:hd\ (s\ (Suc\ i)) = (if\ hd\ (x\ i) = Zero\ then\ hd\ (s\ i) - r\ else\ hd\ (s\ i) + r)
       by (simp add: SteamBoiler-def, auto)
   from Suc and a4 and sg4 and sg5 show ?case
   proof (cases hd (x i) = Zero)
     assume aaZero:hd\ (x\ i)=Zero
     from a1 and sg4 and this have
       sg7:(fin-make-untimed\ (inf-truncate\ z\ i))!
          ((length (fin-make-untimed (inf-truncate z i))) - Suc 0) = Zero
       by (simp add: L1-Converter)
     from aa2 and aaZero have sg8:hd (s (Suc i)) = hd (s i) - r by simp
     from Suc have sgSuc:200 \le hd (s i) by simp
     from a4 and sg7 and sg5 and sgSuc and sg8 and sg4 and aa0 and aa1
     show ?thesis
        by (rule L9-Controller)
    next
     assume aaOne:hd (x i) \neq Zero
     from a1 and sg4 and this have
       sq7:(fin-make-untimed\ (inf-truncate\ z\ i))!
          ((length\ (fin-make-untimed\ (inf-truncate\ z\ i)))-Suc\ 0) \neq Zero
       by (simp add: L1-Converter)
     from aa2 and aaOne have sg9:hd (s (Suc i)) = hd (s i) + r by simp
     from Suc and this show ?thesis by simp
    qed
 qed
qed
lemma L3-ControlSystem:
 assumes h1:ControlSystemArch s
 shows hd (s i) \leq (800:: nat)
proof -
 from h1 obtain x z y
   where a1:Converter z x and a2: SteamBoiler x s y and a3:Controller y z
   by (simp only: ControlSystemArch-def, auto)
 from this have sg1:ts \ x by (simp \ add: Converter-def)
```

```
from sg1 and a2 have sg2:ts y by (simp add: L2-Boiler)
 from sg1 and a2 have sg3:y = s by (simp \ add: SteamBoiler-def)
 from a1 and a2 and a3 and sg1 and sg2 and sg3 show hd (s i) \leq (800::
 proof (induction i)
   case \theta
   from this show ?case by (simp add: L4-Boiler)
 next
   \mathbf{fix} i
   \mathbf{case}\ (\mathit{Suc}\ i)
   from this obtain l
    where a4: Controller-L s (fin-inf-append [Zero] l) l z
    by (simp add: Controller-def, atomize, auto)
   from a4 have sg4:fin-make-untimed (inf-truncate z i) \neq []
    by (simp add: L1-Controller)
  from a2 and sq1 have y0asm:y0 = [500::nat] by (simp\ add:\ SteamBoiler-def)
    from Suc and a4 and sg4 and y0asm have sg5: last (fin-make-untimed
(inf\text{-}truncate\ z\ i)) = l\ i
    by (simp add: L7-Controller)
   from a2 and sg1 obtain r where
     aa\theta:\theta < r and
     aa1:r \leq 10 and
     aa2:hd\ (s\ (Suc\ i)) = (if\ hd\ (x\ i) = Zero\ then\ hd\ (s\ i) - r\ else\ hd\ (s\ i) + r)
       by (simp add: SteamBoiler-def, auto)
   from this and Suc and a4 and sg4 and sg5 show ?case
   proof (cases hd (xi) = Zero)
     assume aaZero:hd (x i) = Zero
     from a1 and sg4 and this have
       sg7:(fin-make-untimed\ (inf-truncate\ z\ i))!
          ((length (fin-make-untimed (inf-truncate z i))) - Suc 0) = Zero
       by (simp add: L1-Converter)
     from aa2 and aaZero have sg8:hd (s (Suc i)) = hd (s i) - r by simp
     from this and Suc show ?thesis by simp
     assume aaOne:hd (x i) \neq Zero
     from a1 and sq4 and this have
       sg7:(fin-make-untimed\ (inf-truncate\ z\ i))!
          ((length\ (fin-make-untimed\ (inf-truncate\ z\ i))) - Suc\ \theta) \neq Zero
       by (simp add: L1-Converter)
     from aa2 and aaOne have sg9:hd (s (Suc i)) = hd (s i) + r by simp
     from Suc have sgSuc:hd (s i) \le 800 by simp
     from a4 and sg7 and sg5 and sgSuc and sg9 and sg4 and aa0 and aa1
     show ?thesis
        by (rule L10-Controller)
    qed
 qed
qed
```

```
Proof of the Refinement Relation
9.5
lemma L0-ControlSystem:
 assumes h1:ControlSystemArch s
 shows ControlSystem s
   apply (simp add: ControlSystem-def)
   apply auto
proof -
 from h1 show sg1:ts s by (rule L1-ControlSystem)
\mathbf{next}
 from h1 show sg2:(200::nat) \le hd (s j) by (rule\ L2\text{-}ControlSystem)
next
 \mathbf{fix} \ j
 from h1 show sg3:hd (s j) \le (800:: nat) by (rule L3-ControlSystem)
qed
\quad \text{end} \quad
       FlexRay: Types
10
theory FR-types
\mathbf{imports}\ \mathit{stream}
  message-id :: nat
  ftcdata :: 'a
```

```
record 'a Message =
    message-id :: nat
    ftcdata :: 'a

record 'a Frame =
    slot :: nat
    dataF :: ('a Message) list

record Config =
    schedule :: nat list
    cycleLength :: nat

type-synonym 'a nFrame = nat \Rightarrow ('a Frame) istream
type-synonym nNat = nat \Rightarrow nat istream
type-synonym nConfig = nat \Rightarrow Config

consts sN :: nat

definition
    sheafNumbers :: nat list
where sheafNumbers \equiv [sN]
```

end

## 11 FlexRay: Specification

```
theory FR
imports FR-types
begin
```

### 11.1 Auxiliary predicates

— The predicate DisjointSchedules is true for sheaf of channels of type Config,

```
— if all bus configurations have disjoint scheduling tables.
```

#### definition

```
DisjointSchedules :: nat \Rightarrow nConfig \Rightarrow bool
where
DisjointSchedules n nC
\equiv
\forall i j. i < n \land j < n \land i \neq j \longrightarrow
disjoint (schedule (nC i)) (schedule (nC j))
```

- The predicate IdenticCycleLength is true for sheaf of channels of type Config,
- if all bus configurations have the equal length of the communication round.

#### definition

```
\begin{array}{l} \textit{IdenticCycleLength} :: nat \Rightarrow nConfig \Rightarrow bool \\ \textbf{where} \\ \textit{IdenticCycleLength} \ n \ nC \\ \equiv \\ \forall \ i \ j. \ i < n \land j < n \longrightarrow \\ \textit{cycleLength} \ (nC \ i) = \textit{cycleLength} \ (nC \ j) \end{array}
```

- The predicate FrameTransmission defines the correct message transmission:
- if the time t is equal modulo the length of the cycle (Flexray communication round)
- to the element of the scheduler table of the node k, then this and only this node
- can send a data atn the tth time interval.

#### definition

```
Frame Transmission ::
nat \Rightarrow 'a \ nFrame \Rightarrow 'a \ nFrame \Rightarrow nNat \Rightarrow nConfig \Rightarrow bool
where
Frame Transmission n \ nStore \ nReturn \ nGet \ nC
\equiv
\forall \ (t::nat) \ (k::nat). \ k < n \longrightarrow
( \ let \ s = t \ mod \ (cycleLength \ (nC \ k))
in
```

```
let s = t \mod (cycleLength (nC k))

in

(s mem (schedule (nC k)))

\longrightarrow

(nGet k t) = [s] \land

(\forall j. j < n \land j \neq k \longrightarrow

((nStore j) t) = ((nReturn k) t))))
```

```
    The predicate Broadcast describes properties of FlexRay broadcast.

definition
   Broadcast::
     nat \Rightarrow 'a \ nFrame \Rightarrow 'a \ Frame \ istream \Rightarrow bool
  Broadcast n nSend recv
   \forall (t::nat).
    (if \exists k. k < n \land ((nSend k) t) \neq []
      then (recv\ t) = ((nSend\ (SOME\ k.\ k < n \land ((nSend\ k)\ t) \neq []))\ t)
      else (recv t) = []
— The predicate Receive defines the relations on the streams to represent
— data receive by FlexRay controller.
definition
  Receive ::
  'a Frame istream \Rightarrow 'a Frame istream \Rightarrow nat istream \Rightarrow bool
where
  Receive recv store activation
   \forall (t::nat).
    (if (activation t) = []
      then (store t) = (recv t)
      else\ (store\ t) = [])
— The predicate Send defines the relations on the streams to represent
— sending data by FlexRay controller.
definition
  Send ::
  'a Frame istream \Rightarrow 'a Frame istream \Rightarrow nat istream \Rightarrow nat istream \Rightarrow bool
  Send return send get activation
  \forall (t::nat).
   (if (activation t) = []
     then (get\ t) = [] \land (send\ t) = []
     else\ (get\ t) = (activation\ t) \land (send\ t) = (return\ t)
11.2
          Specifications of the FlexRay components
definition
   FlexRay ::
  nat \Rightarrow 'a \ nFrame \Rightarrow nConfig \Rightarrow 'a \ nFrame \Rightarrow nNat \Rightarrow bool
  FlexRay \ n \ nReturn \ nC \ nStore \ nGet
   (CorrectSheaf n) \land
   ((\forall (i::nat). \ i < n \longrightarrow (msg \ 1 \ (nReturn \ i))) \land
    (DisjointSchedules\ n\ nC) \land (IdenticCycleLength\ n\ nC)
```

```
(Frame Transmission \ n \ nStore \ nReturn \ nGet \ nC) \ \land
    (\forall (i::nat). \ i < n \longrightarrow (msg \ 1 \ (nGet \ i)) \land (msg \ 1 \ (nStore \ i)))))
definition
   Cable :: nat \Rightarrow 'a \ nFrame \Rightarrow 'a \ Frame \ istream \Rightarrow bool
where
  Cable\ n\ nSend\ recv
   (CorrectSheaf n)
   ((inf\text{-}disj \ n \ nSend) \longrightarrow (Broadcast \ n \ nSend \ recv))
definition
   Scheduler :: Config \Rightarrow nat istream \Rightarrow bool
where
  Scheduler\ c\ activation
  \forall (t::nat).
   (let s = (t mod (cycleLength c))
      in
       (if (s mem (schedule c)))
         then (activation \ t) = [s]
         else (activation t) = [])
definition
  BusInterface ::
    nat\ istream \Rightarrow 'a\ Frame\ istream \Rightarrow 'a\ Frame\ istream \Rightarrow
     'a Frame istream \Rightarrow 'a Frame istream \Rightarrow nat istream \Rightarrow bool
where
  BusInterface activation return recv store send get
   (Receive\ recv\ store\ activation)\ \land
   (Send return send get activation)
definition
   FlexRayController ::
     'a \; Frame \; istream \Rightarrow 'a \; Frame \; istream \Rightarrow \; Config \Rightarrow
      'a Frame istream \Rightarrow 'a Frame istream \Rightarrow nat istream \Rightarrow bool
where
  FlexRayController return recv c store send get
  (\exists \ activation.
     (Scheduler\ c\ activation)\ \land
     (BusInterface activation return recv store send get))
```

```
definition
  FlexRayArchitecture ::
  nat \Rightarrow 'a \ nFrame \Rightarrow nConfig \Rightarrow 'a \ nFrame \Rightarrow nNat \Rightarrow bool
  FlexRayArchitecture n nReturn nC nStore nGet
  (CorrectSheaf n) \land
  (\exists nSend recv.
    (Cable n nSend recv) \land
    (\forall (i::nat). i < n \longrightarrow
        FlexRayController\ (nReturn\ i)\ recv\ (nC\ i)
                         (nStore\ i)\ (nSend\ i)\ (nGet\ i)))
definition
  FlexRayArch ::
  nat \Rightarrow 'a \ nFrame \Rightarrow nConfig \Rightarrow 'a \ nFrame \Rightarrow nNat \Rightarrow bool
  FlexRayArch n nReturn nC nStore nGet
  (CorrectSheaf n) \land
  ((\forall (i::nat). \ i < n \longrightarrow msg \ 1 \ (nReturn \ i)) \land
   (DisjointSchedules\ n\ nC) \land (IdenticCycleLength\ n\ nC)
   (FlexRayArchitecture \ n \ nReturn \ nC \ nStore \ nGet))
end
12
        FlexRay: Verification
theory FR-proof
imports FR
begin
12.1
         Properties of the function Send
lemma Send-L1:
{\bf assumes}\ h1{:}Send\ return\ send\ get\ activation
    and h2:send t \neq []
shows (activation \ t) \neq []
using assms by (simp add: Send-def, auto)
lemma Send-L2:
```

assumes h1:Send return send get activation

and  $h2:(activation\ t) \neq []$ and  $h3:return\ t \neq []$ shows  $(send\ t) \neq []$ 

using assms by (simp add: Send-def)

## 12.2 Properties of the component Scheduler

```
lemma Scheduler-L1:
assumes h1:Scheduler C activation
   and h2:(activation\ t) \neq []
shows (t \mod (cycleLength \ C)) \mod (schedule \ C)
using assms
proof -
  { assume a1:\neg t mod cycleLength C mem schedule C}
   from h1 have sq1:
    if t mod cycleLength C mem schedule C
     then activation t = [t \mod cycleLength C]
     else activation t = []
     by (simp add: Scheduler-def Let-def)
   from a1 and sg1 have sg2:activation t = [] by simp
   from sg2 and h2 have sg3:False by simp
  } from this have sg4:(t mod (cycleLength C)) mem (schedule C) by blast
 from this show ?thesis by simp
qed
lemma Scheduler-L2:
assumes h1:Scheduler C activation
   and h2:\neg (t mod cycleLength C) mem (schedule C)
shows activation t = [
using assms by (simp add: Scheduler-def Let-def)
lemma Scheduler-L3:
assumes h1: Scheduler C activation
   and h2:(t mod cycleLength C) mem (schedule C)
shows activation t \neq []
using assms by (simp add: Scheduler-def Let-def)
lemma Scheduler-L4:
{\bf assumes}\ h1{:}Scheduler\ C\ activation
   and h2:(t mod cycleLength C) mem (schedule C)
shows activation t = [t \mod cycleLength C]
using assms by (simp add: Scheduler-def Let-def)
lemma correct-DisjointSchedules1:
 assumes h1:DisjointSchedules \ n \ nC
    and h2: Identic CycleLength n nC
    and h3:(t mod cycleLength (nC i)) mem schedule (nC i)
    and h4:i < n
    and h5:j < n
    and h6:i \neq j
 shows \neg (t \mod cycleLength (nC j) mem schedule (nC j))
```

```
proof -
  from h1 and h4 and h5 and h6 have sg1:disjoint (schedule (nCi)) (schedule
(nCj)
   by (simp add: DisjointSchedules-def)
  from h2 and h4 and h5 have sg2:cycleLength (nC i) = cycleLength (nC j)
   by (simp only: IdenticCycleLength-def, blast)
 from sg1 and h3 have sg3:\neg (t \ mod \ (cycleLength \ (nC \ i))) mem \ (schedule \ (nC \ i))
j))
   by (simp add: mem-notdisjoint2)
 from sg2 and sg3 show ?thesis by simp
qed
12.3
        Disjoint Frames
lemma disjointFrame-L1:
 assumes h1:DisjointSchedules \ n \ nC
    and h2:IdenticCycleLength n nC
    and h3: \forall i < n. FlexRayController (nReturn i) rcv
                 (nC\ i)\ (nStore\ i)\ (nSend\ i)\ (nGet\ i)
   and h4:nSend \ i \ t \neq []
   and h5:i < n
   and h6:j < n
   and h7:i \neq j
 shows nSend j t = []
proof -
  from h3 and h5 have sg1:
  FlexRayController (nReturn i) rcv (nC i) (nStore i) (nSend i) (nGet i)
   by auto
  from h3 and h6 have sq2:
  FlexRayController\ (nReturn\ j)\ rcv\ (nC\ j)\ (nStore\ j)\ (nSend\ j)\ (nGet\ j)
   by auto
 from sg1 obtain activation1 where
    a1:Scheduler (nC i) activation1 and
    a2:BusInterface activation1 (nReturn i) rcv (nStore i) (nSend i) (nGet i)
    by (simp add: FlexRayController-def, auto)
 from sg2 obtain activation2 where
    a3:Scheduler\ (nC\ j)\ activation2\ {\bf and}
    a4:BusInterface activation2 (nReturn j) rcv (nStore j) (nSend j) (nGet j)
    by (simp add: FlexRayController-def, auto)
  from h1 and h5 and h6 and h7 have sg3:disjoint (schedule (nC i)) (schedule
(nC j)
   by (simp add: DisjointSchedules-def)
 from a2 have sg4a:Send (nReturn i) (nSend i) (nGet i) activation1
    by (simp add: BusInterface-def)
 from sg4a and h4 have sg5:activation1 \ t \neq [] by (simp \ add: Send-L1)
  from a1 and sg5 have sg6:(t mod (cycleLength (nC i))) mem (schedule (nC
    by (simp add: Scheduler-L1)
 from h2 and h5 and h6 have sq7:cycleLength (nC i) = cycleLength (nC j)
```

```
by (simp only: IdenticCycleLength-def, blast)
 from sg3 and sg6 have sg8:\neg (t \mod (cycleLength (nC i))) mem (<math>schedule (nC
j))
   by (simp add: mem-notdisjoint2)
 from sg8 and sg7 have sg9:\neg (t \ mod \ (cycleLength \ (nC \ j))) mem \ (schedule \ (nC \ j))
j))
   by simp
  from sg9 and a3 have sg10:activation2 t = [] by (simp\ add:\ Scheduler-L2)
  from a4 have sg11:Send (nReturn j) (nSend j) (nGet j) activation2
    by (simp add: BusInterface-def)
 from sg11 and sg10 show ?thesis by (simp add: Send-def)
qed
lemma disjointFrame-L2:
 assumes h1:DisjointSchedules \ n \ nC
    and h2:IdenticCycleLength n nC
    and h3: \forall i < n. FlexRayController (nReturn i) rcv
                  (nC\ i)\ (nStore\ i)\ (nSend\ i)\ (nGet\ i)
 shows inf-disj n nSend
using assms
  apply (simp add: inf-disj-def, clarify)
 by (rule disjointFrame-L1, auto)
lemma disjointFrame-L3:
 assumes h1:DisjointSchedules \ n \ nC
    and h2:IdenticCycleLength n nC
    and h3: \forall i < n. FlexRayController (nReturn i) rcv
                  (nC\ i)\ (nStore\ i)\ (nSend\ i)\ (nGet\ i)
   and h4:t \mod cycleLength (nC i) \mod schedule (nC i)
   and h5:i < n
   and h6:j < n
   and h7:i \neq j
 shows nSend j t = []
proof -
 from h2 and h5 and h6 have sg1:cycleLength (nC i) = cycleLength (nC j)
   by (simp only: IdenticCycleLength-def, blast)
  from h1 and h5 and h6 and h7 have sg2:disjoint (schedule (nC i)) (schedule
   by (simp add: DisjointSchedules-def)
  from sg2 and h4 have sg3:\neg (t \ mod \ (cycleLength \ (nC \ i))) mem \ (schedule \ (nC \ i))
j))
   by (simp add: mem-notdisjoint2)
 from sg1 and sg3 have sg4:\neg (t \ mod \ (cycleLength \ (nC \ j))) mem (<math>schedule \ (nC \ j))
j))
   by simp
  from h3 and h6 have sq5:
  FlexRayController\ (nReturn\ j)\ rcv\ (nC\ j)\ (nStore\ j)\ (nSend\ j)\ (nGet\ j)
```

```
by auto
 from sq5 obtain activation2 where
   a1:Scheduler\ (nC\ j)\ activation2\ {\bf and}
   a2:BusInterface\ activation2\ (nReturn\ j)\ rev\ (nStore\ j)\ (nSend\ j)\ (nGet\ j)
   by (simp add: FlexRayController-def, auto)
 from sg4 and a1 have sg6:activation2 t = [] by (simp add: Scheduler-L2)
 from a2 have sg7:Send (nReturn j) (nSend j) (nGet j) activation2
   by (simp add: BusInterface-def)
 from sg7 and sg6 show ?thesis by (simp add: Send-def)
qed
12.4
        Properties of the sheaf of channels nSend
lemma fr-Send1:
assumes h1:FlexRayController (nReturn i) recv (nCi) (nStore i) (nSend i) (nGet
   and h2:\neg (t mod cycleLength (nC i) mem schedule (nC i))
shows
           (nSend\ i)\ t = []
proof -
 from h1 obtain activation where
   a1:Scheduler (nC i) activation and
   a2:BusInterface activation (nReturn i) recv (nStore i) (nSend i) (nGet i)
   by (simp add: FlexRayController-def, auto)
 from a1 and h2 have sg1:activation t = [] by (simp add: Scheduler-L2)
 from a2 have sg2:Send (nReturn i) (nSend i) (nGet i) activation
   by (simp add: BusInterface-def)
 from sg2 and sg1 show ?thesis by (simp add: Send-def)
qed
lemma fr-Send2:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
   and h2:DisjointSchedules \ n \ nC
   and h3:IdenticCycleLength \ n \ nC
   and h4:t \mod cycleLength (nC k) \mod schedule (nC k)
   and h5:k < n
shows nSend k t = nReturn k t
using assms
proof -
from h1 and h5 have sq1:
  FlexRayController\ (nReturn\ k)\ recv\ (nC\ k)\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
   by auto
 from sq1 obtain activation where
   a1:Scheduler (nC k) activation and
   a2:BusInterface\ activation\ (nReturn\ k)\ recv\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
   by (simp add: FlexRayController-def, auto)
 from a1 and h4 have sg3:activation t \neq [] by (simp add: Scheduler-L3)
 from a2 have sq4:Send (nReturn k) (nSend k) (nGet k) activation
```

```
by (simp add: BusInterface-def)
 from sg4 and sg3 show ?thesis by (simp add: Send-def)
qed
lemma fr-Send3:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules \ n \ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h5:k < n
    and h6:nReturn \ k \ t \neq []
shows nSend \ k \ t \neq []
using assms by (simp add: fr-Send2)
lemma fr-Send4:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules \ n \ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h5:k < n
    and h6:nReturn \ k \ t \neq []
shows \exists k. \ k < n \longrightarrow nSend \ k \ t \neq []
from assms show k < n \longrightarrow nSend \ k \ t \neq [] by (simp add: fr-Send3)
qed
lemma fr-Send5:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules \ n \ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h5:k < n
    and h6:nReturn \ k \ t \neq []
    and h7: \forall k < n. \ nSend \ k \ t = []
shows False
proof -
 from h1 and h2 and h3 and h4 and h5 and h6 have sg1:nSend \ k \ t \neq []
   by (simp add: fr-Send2)
 from h7 and h5 have sg2:nSend\ k\ t=[] by blast
 from sg1 and sg2 show ?thesis by simp
qed
```

```
lemma fr-Send6:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules \ n \ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h5:k < n
    and h6:nReturn \ k \ t \neq []
shows \exists k < n. \ nSend \ k \ t \neq []
proof (rule ccontr)
 assume \neg (\exists k < n. \ nSend \ k \ t \neq [])
 from this and assms show False
   apply auto
   by (rule fr-Send5, auto)
qed
lemma fr-Send7:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules \ n \ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h5:k < n
    and h6:j < n
    and h6:nReturn \ k \ t = []
shows nSend j t = []
using assms
proof (cases j = k)
 assume a1: j = k
 from assms have sg1: nSend \ k \ t = nReturn \ k \ t by (simp add: fr-Send2)
 from sg1 and a1 and h6 show ?thesis by simp
next
 assume a2:j \neq k
 from assms and a2 show ?thesis by (simp add: disjointFrame-L3)
qed
lemma fr-Send8:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules\ n\ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h5:k < n
    and h6:nReturn \ k \ t = []
shows \neg (\exists k < n. \ nSend \ k \ t \neq [])
using assms by (auto, simp add: fr-Send7)
```

```
lemma fr-nC-Send:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:k < n
    and h3:DisjointSchedules \ n \ nC
    and h4:IdenticCycleLength \ n \ nC
    and h5:t \mod cycleLength (nC k) \mod schedule (nC k)
shows \forall j. \ j < n \land j \neq k \longrightarrow (nSend \ j) \ t = []
using assms by (clarify, simp add: disjointFrame-L3)
lemma length-nSend:
assumes h1:BusInterface activation (nReturn i) recv (nStore i) (nSend i) (nGet
    and h2: \forall t. length (nReturn i t) < Suc 0
shows length (nSend i t) \leq Suc \ \theta
proof -
 from h1 have sg1:Send (nReturn i) (nSend i) (nGet i) activation
   by (simp add: BusInterface-def)
 from sg1 have sg2:
  if activation t = [] then nGet\ i\ t = [] \land nSend\ i\ t = []
   else nGet\ i\ t=activation\ t\ \land\ nSend\ i\ t=nReturn\ i\ t
   by (simp add: Send-def)
 show ?thesis
 proof (cases activation t = [])
   assume a1:activation t = []
   from sg2 and a1 show ?thesis by simp
 next
   assume a2:activation t \neq []
   from h2 have sg3:length (nReturn \ i \ t) \leq Suc \ 0 by auto
   from sg2 and a2 and sg3 show ?thesis by simp
 qed
qed
lemma msg-nSend:
assumes h1:BusInterface activation (nReturn i) recv (nStore i) (nSend i) (nGet
i)
    and h2:msg (Suc \theta) (nReturn i)
shows msg (Suc \theta) (nSend i)
using assms by (simp add: msg-def, clarify, simp add: length-nSend)
\mathbf{lemma}\ \textit{Broadcast-nSend-empty1}:
 assumes h1:Broadcast n nSend recv
    and h2: \forall k < n. \ nSend \ k \ t = []
 shows
             recv \ t = []
proof -
```

```
from h1 have sq1:
  if \exists k < n. nSend k t \neq []
   then recv t = nSend (SOME k. k < n \land nSend k t \neq []) t
   else recv t = []
  by (simp add: Broadcast-def)
 from sq1 and h2 show ?thesis by simp
qed
        Properties of the sheaf of channels nGet
12.5
lemma fr-nGet1a:
assumes h1:FlexRayController (nReturn k) recv (nC k) (nStore k) (nSend k)
(nGet \ k)
    and h2:t \mod cycleLength (nC k) \mod schedule (nC k)
shows nGet\ k\ t = [t\ mod\ cycleLength\ (nC\ k)]
proof -
 from h1 obtain activation1 where
    a1:Scheduler (nC k) activation 1 and
    a2:BusInterface activation1 (nReturn k) recv (nStore k) (nSend k) (nGet k)
    by (simp add: FlexRayController-def, auto)
  from a2 have sg1:Send (nReturn \ k) \ (nSend \ k) \ (nGet \ k) activation1
    by (simp add: BusInterface-def)
  from sq1 have sq2:
   if activation1 t = [] then nGet \ k \ t = [] \land nSend \ k \ t = []
    else nGet\ k\ t=activation1\ t\ \land\ nSend\ k\ t=nReturn\ k\ t
    by (simp add: Send-def)
 from a1 and h2 have sg3:activation1 \ t = [t \ mod \ cycleLength \ (nC \ k)]
    by (simp add: Scheduler-L4)
 from sg2 and sg3 show ?thesis by simp
qed
lemma fr-nGet1:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h3:k < n
shows nGet \ k \ t = [t \ mod \ cycleLength \ (nC \ k)]
proof -
 from h1 and h3 have sg1:
   FlexRayController\ (nReturn\ k)\ recv\ (nC\ k)\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
 from sg1 and h2 show ?thesis by (rule fr-nGet1a)
qed
lemma fr-nGet2a:
```

assumes h1:FlexRayController (nReturn k) recv (nC k) (nStore k) (nSend k)

(nGet k)

```
and h2:\neg (t mod cycleLength (nC k) mem schedule (nC k))
shows nGet \ k \ t = []
proof -
  from h1 obtain activation1 where
    a1:Scheduler (nC k) activation 1 and
    a2:BusInterface\ activation1\ (nReturn\ k)\ recv\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
    by (simp add: FlexRayController-def, auto)
  from a2 have sg2:Send (nReturn k) (nSend k) (nGet k) activation1
    by (simp add: BusInterface-def)
  from sg2 have sg3:
   if activation1 \ t = [] \ then \ nGet \ k \ t = [] \land nSend \ k \ t = []
    else nGet\ k\ t=activation1\ t\wedge nSend\ k\ t=nReturn\ k\ t
    by (simp add: Send-def)
 from a1 and h2 have sg4: activation1 t = []
    by (simp add: Scheduler-L2)
 from sq3 and sq4 show ?thesis by simp
qed
lemma fr-nGet2:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:\neg (t mod cycleLength (nC k) mem schedule (nC k))
    and h3:k < n
shows nGet \ k \ t = []
proof -
 from h1 and h3 have sg1:
   FlexRayController (nReturn k) recv (nC k) (nStore k) (nSend k) (nGet k)
   by auto
 from sg1 and h2 show ?thesis by (rule fr-nGet2a)
qed
lemma length-nGet1:
assumes h1:FlexRayController (nReturn k) recv (nC k) (nStore k) (nSend k)
(nGet \ k)
shows length (nGet\ k\ t) \leq Suc\ \theta
\mathbf{proof} (cases t mod cycleLength (nC k) mem schedule (nC k))
 assume a1:t \mod cycleLength (nC k) mem schedule (nC k)
 from h1 and a1 have sq1:nGet\ k\ t=[t\ mod\ cycleLength\ (nC\ k)]
   by (rule\ fr-nGet1a)
 from sg1 show ?thesis by auto
 assume a2:\neg (t \ mod \ cycleLength \ (nC \ k) \ mem \ schedule \ (nC \ k))
 from h1 and a2 have sg2:nGet\ k\ t=[] by (rule\ fr-nGet2a)
 from sg2 show ?thesis by auto
qed
```

```
lemma msq-nGet1:
 assumes h1:FlexRayController (nReturn k) recv (nC k) (nStore k) (nSend k)
(nGet k)
shows msg (Suc \theta) (nGet k)
using assms by (simp add: msg-def, auto, rule length-nGet1)
lemma msg-nGet2:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:k < n
shows msg (Suc \theta) (nGet k)
proof -
 from h1 and h2 have sg1:
  FlexRayController\ (nReturn\ k)\ recv\ (nC\ k)\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
 from sg1 show ?thesis by (rule msg-nGet1)
qed
12.6
        Properties of the sheaf of channels nStore
lemma fr-nStore-nReturn1:
assumes h\theta:Broadcast n nSend recv
  and h1:inf-disj n nSend
  and h2: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend i)
(nGet\ i)
  and h3:DisjointSchedules \ n \ nC
  and h4:IdenticCycleLength n nC
  and h5:t \mod cycleLength (nC k) \mod schedule (nC k)
  and h6:k < n
  and h7:j < n
  and h8:j \neq k
shows nStore j t = nReturn k t
proof -
 from h2 and h6 have sg1:
   FlexRayController\ (nReturn\ k)\ recv\ (nC\ k)\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
   by auto
 from h2 and h7 have sq2:
   FlexRayController\ (nReturn\ j)\ recv\ (nC\ j)\ (nStore\ j)\ (nSend\ j)\ (nGet\ j)
   by auto
  from sq1 obtain activation1 where
    a1:Scheduler (nC k) activation 1 and
    a2:BusInterface\ activation1\ (nReturn\ k)\ recv\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
    by (simp add: FlexRayController-def, auto)
 from sg2 obtain activation2 where
    a3:Scheduler (nC j) activation2 and
    a4:BusInterface activation2 (nReturn j) recv (nStore j) (nSend j) (nGet j)
    by (simp add: FlexRayController-def, auto)
 from a4 have sq3:Receive recv (nStore j) activation2
```

```
by (simp add: BusInterface-def)
 from this have sg4:
  if activation2 \ t = [] then nStore \ j \ t = recv \ t \ else \ nStore \ j \ t = []
   by (simp add: Receive-def)
 from a1 and h5 have sg5:activation1 \ t \neq []
    by (simp add: Scheduler-L3)
from h4 and h6 and h7 have sg6:cycleLength (nC k) = cycleLength (nC j)
   by (simp only: IdenticCycleLength-def, blast)
 from h3 and h6 and h7 and h8 have sq7:disjoint (schedule (nC k)) (schedule
(nCj)
   by (simp add: DisjointSchedules-def)
 from sg? and h5 have sg8:
  \neg (t \bmod (cycleLength (nC k))) \bmod (schedule (nC j))
   by (simp add: mem-notdisjoint2)
 from sq\theta and sq8 have sq9:
  \neg (t \ mod \ (cycleLength \ (nC \ j))) \ mem \ (schedule \ (nC \ j))
   by simp
 from sg9 and a3 have sg10:activation2 t = [] by (simp add: Scheduler-L2)
 from sg10 and sg4 have sg11:nStore\ j\ t=recv\ t by simp
 from h\theta have sq15:
  if \exists k < n. nSend k t \neq []
   then recv t = nSend (SOME k. k < n \land nSend k t \neq []) t
   else recv \ t = []
   by (simp add: Broadcast-def)
 show ?thesis
 proof (cases nReturn \ k \ t = [])
   assume a5: nReturn \ k \ t = []
   from h2 and h3 and h4 and h5 and h6 and a5 have sg16:
   \neg (\exists k < n. \ nSend \ k \ t \neq [])
    by (simp add: fr-Send8)
   from sg16 and sg15 have sg17:recv t = [] by simp
   from sg11 and sg17 have sg18:nStore\ j\ t = [] by simp
   from this and a5 show ?thesis by simp
   assume a6:nReturn \ k \ t \neq []
   from h2 and h3 and h4 and h5 and h6 and a6 have sq19:
   \exists k < n. \ nSend \ k \ t \neq []
    by (simp add: fr-Send6)
   from h2 and h3 and h4 and h5 and h6 and a6 have sq20:nSend k t \neq []
    by (simp add: fr-Send3)
   from h1 and sg20 and h6 have sg21:(SOME k. k < n \land nSend \ k \ t \neq []) = k
    by (simp add: inf-disj-index)
   from sq15 and sq19 have sq22:
   recv \ t = nSend \ (SOME \ k. \ k < n \land nSend \ k \ t \neq []) \ t
    by simp
   from sg22 and sg21 have sg23:recv t = nSend k t by <math>simp
   from h2 and h3 and h4 and h5 and h6 have sg24:nSend k t = nReturn k t
    by (simp add: fr-Send2)
   from sg11 and sg23 and sg24 show ?thesis by simp
```

```
qed
qed
lemma fr-nStore-nReturn2:
assumes h1: Cable n nSend recv
    and h2: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h3:DisjointSchedules \ n \ nC
    and h4:IdenticCycleLength n nC
    and h5:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h6:k < n
    and h7:j < n
    and h8:j \neq k
\mathbf{shows} \ \ nStore \ j \ t = nReturn \ k \ t
proof -
 from h1 have sg1:inf-disj n nSend \longrightarrow Broadcast n nSend recv
   by (simp add: Cable-def)
 from h3 and h4 and h2 have sg2:inf-disj n nSend
   by (simp add: disjointFrame-L2)
 from sg1 and sg2 have sg3:Broadcast n nSend recv by simp
 from sg3 and sg2 and assms show ?thesis by (simp \ add: fr-nStore-nReturn1)
qed
lemma fr-nStore-empty1:
assumes h1: Cable n nSend recv
    and h2: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
   and h3:DisjointSchedules \ n \ nC
    and h4:IdenticCycleLength \ n \ nC
    and h5:(t mod cycleLength (nC k) mem schedule (nC k))
    and h6:k < n
shows nStore \ k \ t = []
proof -
 from h2 and h6 have sg1:
   FlexRayController (nReturn k) recv (nC k) (nStore k) (nSend k) (nGet k)
  from sg1 obtain activation1 where
    a1:Scheduler\ (nC\ k)\ activation1 and
    a2:BusInterface activation1 (nReturn k) recv (nStore k) (nSend k) (nGet k)
    by (simp add: FlexRayController-def, auto)
 from a2 have sg2:Receive recv (nStore k) activation1
    by (simp add: BusInterface-def)
 from this have sq3:
  if activation1 t = [] then nStore \ k \ t = recv \ t \ else \ nStore \ k \ t = []
   by (simp add: Receive-def)
 from a1 and h5 have sg4: activation1 t \neq []
    by (simp add: Scheduler-L3)
from sg3 and sg4 show ?thesis by simp
qed
```

```
lemma fr-nStore-nReturn3:
assumes h1:Cable n nSend recv
    and h2: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h3:DisjointSchedules \ n \ nC
    and h4:IdenticCycleLength \ n \ nC
    and h5:t \mod cycleLength (nC k) \mod schedule (nC k)
    and h6:k < n
\mathbf{shows} \  \, \forall \, j. \, j < n \, \land \, j \neq k \longrightarrow n \\ \mathit{Store} \, \, j \, \, t = n \\ \mathit{Return} \, \, k \, \, t
using assms
 by (clarify, simp add: fr-nStore-nReturn2)
lemma length-nStore:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules \ n \ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:inf-disj n nSend
    and h5:i < n
    and h6: \forall i < n. msg (Suc 0) (nReturn i)
    and h7:Broadcast n nSend recv
shows length (nStore i t) \leq Suc 0
proof -
 from h7 have sq1:
  if \exists k < n. \ nSend \ k \ t \neq \lceil
   then recv t = nSend (SOME k. k < n \land nSend k t \neq []) t
   else recv \ t = []
  by (simp add: Broadcast-def)
  show ?thesis
 proof (cases \exists k < n. \ nSend \ k \ t \neq [])
   assume a1:\exists k < n. \ nSend \ k \ t \neq []
   from a1 obtain k where a2:k < n and a3:nSend \ k \ t \neq [] by auto
   from h1 and a2 have sq4:
     FlexRayController\ (nReturn\ k)\ recv\ (nC\ k)\ (nStore\ k)\ (nSend\ k)\ (nGet\ k)
     by auto
   from sq4 obtain activation1 where
     a4:Scheduler (nC k) activation1 and
     a5:BusInterface activation1 (nReturn k) recv (nStore k) (nSend k) (nGet k)
     by (simp add: FlexRayController-def, auto)
   from a5 have sg5:Send (nReturn k) (nSend k) (nGet k) activation1
     by (simp add: BusInterface-def)
   from a5 have sg6:Receive recv (nStore k) activation1
     by (simp add: BusInterface-def)
   from sg5 and a3 have sg7:(activation1\ t) \neq [] by (simp\ add:\ Send-L1)
   from sq6 have sq8:
    if activation1 \ t = []
```

```
then nStore \ k \ t = recv \ t \ else \ nStore \ k \ t = []
    by (simp add: Receive-def)
   from sg8 and sg7 have sg9:nStore\ k\ t=[] by simp
   from a4 and sg7 have sg10:(t mod (cycleLength (nC k))) mem (schedule (nC
k))
    by (simp add: Scheduler-L1)
   show ?thesis
   proof (cases i = k)
    assume aa1: i = k
    from sg9 and aa1 show ?thesis by simp
   next
    assume aa2:i \neq k
     from h7 and h4 and h1 and h2 and h3 and sg10 and a2 and h5 and
aa2 have sg11:
     nStore \ i \ t = nReturn \ k \ t
      by (simp add: fr-nStore-nReturn1)
    from h6 and a2 have sq12:msq (Suc \theta) (nReturn k) by auto
    from a2 and h6 have sg13:length (nReturn k t) \leq Suc \ \theta
      by (simp\ add:\ msg\text{-}def)
    from sq11 and sq13 show ?thesis by simp
   qed
 next
   assume a10:\neg (\exists k < n. \ nSend \ k \ t \neq [])
  from h7 and a10 have sg14:recv t = [] by (simp add: Broadcast-nSend-empty1)
from h1 and h5 have sq15:
    FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend i) (nGet i)
    by auto
   from sq15 obtain activation2 where
    a11:Scheduler (nC i) activation 2 and
    a12:BusInterface activation2 (nReturn i) recv (nStore i) (nSend i) (nGet i)
    by (simp add: FlexRayController-def, auto)
   from a12 have sg16:Receive recv (nStore i) activation2
    by (simp add: BusInterface-def)
   from sg16 have sg17:
    if activation2 \ t = []
    then nStore \ i \ t = recv \ t \ else \ nStore \ i \ t = []
    by (simp add: Receive-def)
   show ?thesis
   proof (cases activation t = [])
    assume aa3:activation2 \ t = []
    from sg17 and aa3 and sg14 have sg18:nStore i t = [] by simp
    from this show ?thesis by simp
   \mathbf{next}
    assume aa4:activation2 \ t \neq []
    from sg17 and aa4 have sg18:nStore i t = [] by simp
    from this show ?thesis by simp
   qed
 qed
qed
```

```
lemma msg-nStore:
assumes h1: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend
i) (nGet i)
    and h2:DisjointSchedules \ n \ nC
    and h3:IdenticCycleLength \ n \ nC
    and h4:inf-disj n nSend
    and h5:i < n
    and h6: \forall i < n. msg (Suc 0) (nReturn i)
    and h7: Cable n nSend recv
shows msg (Suc \theta) (nStore i)
using assms
 apply (simp (no-asm) add: msg-def, simp add: Cable-def, clarify)
 by (simp add: length-nStore)
12.7
        Refinement Properties
lemma fr-refinement-FrameTransmission:
assumes h1: Cable n nSend recv
 and h2: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend i)
(nGet\ i)
 and h3:DisjointSchedules \ n \ nC
 and h4: Identic CycleLength n nC
{f shows} Frame Transmission n nStore nReturn nGet nC
using assms
 apply (simp add: FrameTransmission-def Let-def, auto)
 apply (simp add: fr-nGet1)
 by (simp add: fr-nStore-nReturn3)
{\bf lemma}\ \mathit{FlexRayArch-CorrectSheaf}\colon
assumes h1:FlexRayArch n nReturn nC nStore nGet
  \mathbf{shows}
            CorrectSheaf n
using assms by (simp add: FlexRayArch-def)
lemma FlexRayArch-FrameTransmission:
assumes h1:FlexRayArch n nReturn nC nStore nGet
 and h2: \forall i < n. msg (Suc \ \theta) (nReturn \ i)
 and h3:DisjointSchedules \ n \ nC
 and h4:IdenticCycleLength n nC
            Frame Transmission \ n \ nStore \ nReturn \ nGet \ nC
shows
proof -
from assms obtain nSend recv where
a1:Cable n nSend recv and
a2: \forall i < n. FlexRayController (nReturn i) recv (nC i) (nStore i) (nSend i) (nGet
i) by (simp add: FlexRayArch-def FlexRayArchitecture-def, auto)
 from a1 and a2 and h3 and h4 show ?thesis
   by (rule fr-refinement-Frame Transmission)
qed
```

```
lemma FlexRayArch-nGet:
assumes h1:FlexRayArch n nReturn nC nStore nGet
    and h2: \forall i < n. msg (Suc \ \theta) (nReturn \ i)
    and h3:DisjointSchedules \ n \ nC
    and h4:IdenticCycleLength \ n \ nC
    and h5:i < n
shows
            msg (Suc \ \theta) (nGet \ i)
proof -
from assms obtain nSend recv where
   a1:Cable n nSend recv and
  a2: \forall i < n. \ FlexRayController \ (nReturn \ i) \ recv \ (nC \ i) \ (nStore \ i) \ (nSend \ i) \ (nGet
   by (simp add: FlexRayArch-def FlexRayArchitecture-def, auto)
 from a2 and h5 show ?thesis by (rule msg-nGet2)
qed
lemma FlexRayArch-nStore:
assumes h1:FlexRayArch n nReturn nC nStore nGet
    and h2: \forall i < n. msg (Suc \ \theta) (nReturn \ i)
    and h3:DisjointSchedules \ n \ nC
    and h4:IdenticCycleLength \ n \ nC
    and h5:i < n
shows
            msg (Suc \ \theta) (nStore \ i)
proof -
from assms obtain nSend recv where
   a1:Cable n nSend recv and
  a2: \forall i < n. \ FlexRayController \ (nReturn \ i) \ recv \ (nC \ i) \ (nStore \ i) \ (nSend \ i) \ (nGet
i)
   by (simp add: FlexRayArch-def FlexRayArchitecture-def, auto)
 from h3 and h4 and a2 have sg1:inf-disj n nSend by (simp add: disjointFrame-L2)
 from a2 and h3 and h4 and sg1 and h5 and h2 and a1 show ?thesis
   by (rule msg-nStore)
qed
theorem main-fr-refinement:
assumes h1:FlexRayArch n nReturn nC nStore nGet
shows
            FlexRay n nReturn nC nStore nGet
using assms
 by (simp add: FlexRay-def
             FlexRayArch-CorrectSheaf
             FlexRayArch-Frame Transmission
             FlexRayArch-nGet
             FlexRayArch-nStore)
```

end

# 13 Gateway: Types

theory Gateway-types

Loss:

where

```
imports stream
begin
type-synonym
   Coordinates = nat \times nat
type-synonym
   CollisionSpeed = nat
\mathbf{record}\ \mathit{ECall}	ext{-}\mathit{Info} =
   coord:: Coordinates
   speed::CollisionSpeed
{f datatype} \ {\it GatewayStatus} =
    init\text{-}state
    call
    connection\text{-}ok
    sending\text{-}data
  | voice-com
datatype reqType = init \mid send
\mathbf{datatype}\ \mathit{stopType}\ = \mathit{stop\text{-}vc}
\mathbf{datatype}\ \mathit{vcType}\ =\ \mathit{vc\text{-}com}
\mathbf{datatype}\ \mathit{aType} = \mathit{sc\text{-}ack}
end
14
         Gateway: Specification
theory Gateway
imports Gateway-types
begin
definition
 ServiceCenter::
   \textit{ECall-Info istream} \Rightarrow \textit{aType istream} \Rightarrow \textit{bool}
where
 ServiceCenter\ i\ a
  \forall (t::nat).
  a \ \theta = [] \land a \ (Suc \ t) = (if \ (i \ t) = [] \ then \ [] \ else \ [sc-ack])
definition
```

 $bool\ istream \Rightarrow aType\ istream \Rightarrow ECall-Info\ istream \Rightarrow$ 

 $aType\ istream \Rightarrow ECall-Info\ istream \Rightarrow bool$ 

```
Loss lose a i2 a2 i
  \forall (t::nat).
  (if lose t = [False])
    then a2 t = a t \wedge i t = i2 t
    else a2\ t = [] \land i\ t = []
definition
 Delay ::
  aType\ istream \Rightarrow ECall-Info\ istream \Rightarrow nat \Rightarrow
   a\mathit{Type}\ istream \Rightarrow \mathit{ECall-Info}\ istream \Rightarrow \mathit{bool}
where
 Delay a2 i1 d a1 i2
  \forall (t::nat).
   (t < d \longrightarrow a1 \ t = [] \land i2 \ t = []) \land
   (t \ge d \longrightarrow (a1 \ t = a2 \ (t-d)) \land (i2 \ t = i1 \ (t-d)))
definition
 tiTable	ext{-}SampleT::
 reqType\ istream\ \Rightarrow\ aType\ istream\ \Rightarrow
  stop\,Type\,\,istream\,\Rightarrow\,bool\,\,istream\,\Rightarrow\,
  (nat \Rightarrow GatewayStatus) \Rightarrow (nat \Rightarrow ECall-Info\ list) \Rightarrow
  GatewayStatus\ istream \Rightarrow ECall-Info\ istream \Rightarrow vcType\ istream
  \Rightarrow (nat \Rightarrow GatewayStatus) \Rightarrow bool
where
 tiTable-SampleT req a1 stop lose st-in buffer-in
          ack i1 vc st-out
  \forall
     (t::nat)
     (r::reqType\ list)\ (x::aType\ list)
     (y::stop Type \ list) \ (z::bool \ list).
   (*1*)
   (st\text{-}in\ t=init\text{-}state \land req\ t=[init]
     \longrightarrow ack \ t = [call] \land i1 \ t = [] \land vc \ t = []
          \wedge st-out t = call)
   Λ
   (*2*)
   ( st-in t = init-state \land req t \neq [init]
     \longrightarrow ack t = [init\text{-state}] \land i1 \ t = [] \land vc \ t = []
          \wedge st-out t = init\text{-state})
   \land
   (*3*)
   ((st\text{-}in\ t=call\ \lor\ (st\text{-}in\ t=connection\text{-}ok\ \land\ r\neq [send]))\ \land
     req t = r \land lose t = [False]
     \longrightarrow ack t = [connection-ok] \land i1 \ t = [] \land vc \ t = []
         \wedge st-out t = connection-ok)
   (*4*)
```

```
((st-in \ t = call \lor st-in \ t = connection-ok \lor st-in \ t = sending-data)
     \land lose \ t = [True]
     \longrightarrow ack t = [init\text{-state}] \land i1 \ t = [] \land vc \ t = []
         \wedge st-out t = init\text{-state})
   Λ
   (*5*)
   ( st-in t = connection-ok \land req \ t = [send] \land lose \ t = [False]
      \longrightarrow ack \ t = [sending-data] \land i1 \ t = buffer-in \ t \land vc \ t = []
          \wedge st-out t = sending-data)
   \land
   (*6*)
   ( st-in t = sending-data \land a1 t = [] \land lose t = [False]
     \longrightarrow ack \ t = [sending-data] \land i1 \ t = [] \land vc \ t = []
          \land st-out t = sending-data)
   Λ
   (*7*)
   ( st-in t = sending-data \land a1 t = [sc-ack] \land lose t = [False]
     \longrightarrow ack \ t = [voice\text{-}com] \land i1 \ t = [] \land vc \ t = [vc\text{-}com]
         \wedge st-out t = voice\text{-}com)
   (*8*)
   (st-in \ t = voice-com \land stop \ t = [] \land lose \ t = [False]
     \longrightarrow ack \ t = [voice\text{-}com] \land i1 \ t = [] \land vc \ t = [vc\text{-}com]
          \land st-out t = voice\text{-}com)
   Λ
   (*9*)
   (st-in \ t = voice-com \land stop \ t = [] \land lose \ t = [True]
     \longrightarrow ack \ t = [voice-com] \land i1 \ t = [] \land vc \ t = []
          \land st-out t = voice\text{-}com)
   (*10*)
   (st-in \ t = voice-com \land stop \ t = [stop-vc]
     \longrightarrow ack \ t = [init\text{-}state] \land i1 \ t = [] \land vc \ t = []
          \wedge st-out t = init\text{-state})
definition
 Sample-L:
 reqType\ istream\ \Rightarrow\ ECall\text{-}Info\ istream\ \Rightarrow\ aType\ istream\ \Rightarrow
  stopType\ istream \Rightarrow bool\ istream \Rightarrow
  (nat \Rightarrow GatewayStatus) \Rightarrow (nat \Rightarrow ECall-Info\ list) \Rightarrow
  GatewayStatus\ istream \Rightarrow ECall-Info\ istream \Rightarrow vcType\ istream
  \Rightarrow (nat \Rightarrow GatewayStatus) \Rightarrow (nat \Rightarrow ECall-Info list)
  \Rightarrow bool
where
 Sample-L req dt a1 stop lose st-in buffer-in
          ack i1 vc st-out buffer-out
  (\forall (t::nat).
   \mathit{buffer-out}\ t =
```

```
(if dt t = [] then buffer-in t else dt t))
  (tiTable-SampleT req a1 stop lose st-in buffer-in
                   ack i1 vc st-out)
definition
 Sample ::
 reqType\ istream\ \Rightarrow\ ECall\text{-}Info\ istream\ \Rightarrow\ aType\ istream\ \Rightarrow
 stopType\ istream \Rightarrow bool\ istream \Rightarrow
  GatewayStatus\ istream \Rightarrow ECall-Info\ istream \Rightarrow vcType\ istream
  \Rightarrow bool
where
 Sample req dt a1 stop lose ack i1 vc
  ((msg\ (1::nat)\ req)\ \land
   (msq\ (1::nat)\ a1)\ \land
   (msg\ (1::nat)\ stop))
  (\exists st buffer.
  (Sample-L req dt a1 stop lose
            (fin-inf-append [init-state] st)
            (fin-inf-append [[]] buffer)
            ack i1 vc st buffer))
definition
 Gateway ::
   reqType\ istream \Rightarrow ECall-Info\ istream \Rightarrow aType\ istream \Rightarrow
    stopType\ istream \Rightarrow bool\ istream \Rightarrow nat \Rightarrow
    GatewayStatus\ istream \Rightarrow ECall-Info\ istream \Rightarrow vcType\ istream
    \Rightarrow bool
where
 Gateway req dt a stop lose d ack i vc
  \equiv \exists i1 i2 x y.
    (Sample req dt x stop lose ack i1 vc) \land
    (Delay y i1 d x i2) \wedge
    (Loss lose a i2 y i)
definition
  GatewaySystem::
   reqType\ istream \Rightarrow ECall-Info\ istream \Rightarrow
    stopType\ istream \Rightarrow bool\ istream \Rightarrow nat \Rightarrow
    GatewayStatus\ istream \Rightarrow vcType\ istream
    \Rightarrow bool
where
 Gateway System\ req\ dt\ stop\ lose\ d\ ack\ vc
 \exists a i.
 (Gateway \ req \ dt \ a \ stop \ lose \ d \ ack \ i \ vc) \ \land
 (ServiceCenter i a)
```

```
definition
 GatewayReq::
   reqType\ istream \Rightarrow ECall-Info\ istream \Rightarrow aType\ istream \Rightarrow
    stopType\ istream \Rightarrow bool\ istream \Rightarrow nat \Rightarrow
    GatewayStatus\ istream \Rightarrow ECall-Info\ istream \Rightarrow vcType\ istream
    \Rightarrow bool
where
 GatewayReq req dt a stop lose d ack i vc
 ((msg\ (1::nat)\ req) \land (msg\ (1::nat)\ a) \land
  (msg\ (1::nat)\ stop) \land \ (ts\ lose))
   \longrightarrow
  (\forall (t::nat).
  (ack\ t = [init\text{-}state] \land reg\ (Suc\ t) = [init] \land
    lose (t+1) = [False] \land lose (t+2) = [False]
    \longrightarrow ack \ (t+2) = [connection-ok])
  (ack\ t = [connection-ok] \land req\ (Suc\ t) = [send] \land
    (\forall (k::nat). \ k \leq (d+1) \longrightarrow lose \ (t+k) = [False])
    \longrightarrow i ((Suc \ t) + d) = inf-last-ti \ dt \ t
        \land ack (Suc\ t) = [sending-data])
  (ack\ (t+d) = [sending-data] \land a\ (Suc\ t) = [sc-ack] \land
    (\forall (k::nat). \ k \leq (d+1) \longrightarrow lose \ (t+k) = \lceil False \rceil)
    \longrightarrow vc ((Suc \ t) + d) = [vc\text{-}com])
definition
  GatewaySystemReq::
   reqType\ istream \Rightarrow ECall-Info\ istream \Rightarrow
    stopType\ istream \Rightarrow bool\ istream \Rightarrow nat \Rightarrow
    GatewayStatus\ istream \Rightarrow vcType\ istream
    \Rightarrow bool
where
 GatewaySystemReq req dt stop lose d ack vc
 ((msg\ (1::nat)\ req) \land (msg\ (1::nat)\ stop) \land (ts\ lose))
  (\forall (t::nat) (k::nat).
  (ack\ t = [init\text{-}state] \land req\ (Suc\ t) = [init]
  \land (\forall t1. t1 \leq t \longrightarrow req t1 = [])
  \wedge req(t+2) = []
  \land (\forall m. m < k + 3 \longrightarrow reg (t + m) \neq [send])
  \land req (t+3+k) = [send] \land inf-last-ti dt (t+2) \neq []
  \wedge (\forall (j::nat).
```

end

 $j \leq (4 + k + d + d) \longrightarrow lose (t+j) = [False])$ 

 $\longrightarrow vc (t + 4 + k + d + d) = [vc\text{-}com])$ 

## 15 Gateway: Verification

```
theory Gateway-proof-aux
imports Gateway BitBoolTS
begin
```

### 15.1 Properties of the defined data types

```
lemma aType\text{-}empty:
 assumes h1:msg (Suc \theta) a
    and h2: a \ t \neq [sc\text{-}ack]
              a t = []
 shows
proof (cases \ a \ t)
 assume a1:a t = [
 from this show ?thesis by simp
\mathbf{next}
 \mathbf{fix} \ aa \ l
 assume a2:a\ t=aa\ \#\ l
 show ?thesis
   proof (cases aa)
    assume a3:aa = sc-ack
    from h1 have sg1:length\ (a\ t) \leq Suc\ 0 by (simp\ add:\ msg-def)
     from this and h1 and h2 and a2 and a3 show ?thesis by auto
   qed
qed
lemma aType-nonempty:
 assumes h1:msg (Suc \theta) a
    and h2: a t \neq []
 shows
              a t = [sc\text{-}ack]
proof (cases a t)
 assume a1:a t = []
 from this and h2 show ?thesis by simp
next
 \mathbf{fix} \ aa \ l
 assume a2:a \ t = aa \# l
 from a2 and h1 have sg1: l = [] by (simp \ add: msg-nonempty1)
 from a2 and h1 and sg1 show ?thesis
   proof (cases aa)
    assume a3:aa = sc-ack
    from this and sg1 and h2 and a2 show ?thesis by simp
   qed
qed
lemma a Type-lemma:
 assumes h1:msg (Suc \theta) a
 shows
             a \ t = [] \lor a \ t = [sc\text{-}ack]
using assms
 apply auto
 by (simp add: aType-empty)
```

```
\mathbf{lemma}\ stop\ Type\text{-}empty:
 assumes h1:msg (Suc \theta) a
     and h2:a \ t \neq [stop-vc]
 shows a t = []
proof (cases \ a \ t)
 assume a1:a t = []
 from this show ?thesis by simp
next
 \mathbf{fix} \ aa \ l
 assume a2:a\ t=aa\ \#\ l
 show ?thesis
   proof (cases aa)
     assume a3:aa = stop-vc
     from h1 have sg1:length\ (a\ t) \leq Suc\ 0 by (simp\ add:\ msg-def)
     from this and h1 and h2 and a2 and a3 show ?thesis by auto
   qed
qed
lemma stopType-nonempty:
 assumes h1:msg (Suc \theta) a
     and h2:a \ t \neq []
 shows a \ t = [stop-vc]
proof (cases a t)
 assume a1:a t = []
 from this and h2 show ?thesis by simp
next
 \mathbf{fix} aa l
 assume a2:a\ t=aa\ \#\ l
 \mathbf{show} \ ?thesis
   proof (cases aa)
     assume a3:aa = stop-vc
     from h1 have sg1:length\ (a\ t) \leq Suc\ 0 by (simp\ add:\ msg-def)
     from this and h1 and h2 and a2 and a3 show ?thesis by auto
   qed
qed
\mathbf{lemma}\ stop\ Type-lemma:
 assumes h1:msg (Suc \theta) a
 shows
              a \ t = [] \lor a \ t = [stop-vc]
using assms
 apply auto
 by (simp add: stopType-empty)
\mathbf{lemma}\ \mathit{vcType\text{-}empty}\colon
 assumes h1:msg (Suc \theta) a
     and h2:a \ t \neq [vc\text{-}com]
 \mathbf{shows} a \ t = []
proof (cases \ a \ t)
```

```
assume a1:a t = []
 from this show ?thesis by simp
\mathbf{next}
 \mathbf{fix} \ aa \ l
 assume a2:a\ t=aa\ \#\ l
 show ?thesis
   proof (cases aa)
    assume a3:aa = vc\text{-}com
    from h1 have sg1:length\ (a\ t) \leq Suc\ 0 by (simp\ add:\ msg-def)
    from this and h1 and h2 and a2 and a3 show ?thesis by auto
   qed
qed
lemma vcType-lemma:
 assumes h1:msg (Suc \theta) a
 shows
             a \ t = [] \lor a \ t = [vc\text{-}com]
using assms
 apply auto
 by (simp\ add:\ vcType-empty)
15.2 Properties of the Delay component
lemma Delay-L1:
assumes h1: \forall t1 < t. i1 t1 = []
    and h2:Delay y i1 d x i2
    and h3:t2 < t + d
  shows i2 t2 = []
proof (cases t2 < d)
 assume a1:t2 < d
 from h2 have sq1:t2 < d \longrightarrow i2 \ t2 = []
   by (simp add: Delay-def)
 from sg1 and a1 show ?thesis by simp
next
 assume a2:\neg t2 < d
 from h2 have sg2:d \leq t2 \longrightarrow i2 t2 = i1 (t2 - d)
   by (simp add: Delay-def)
 from a2 and sg2 have sg3:i2 t2 = i1 (t2 - d) by simp
 from h1 and a2 and h3 and sg3 show ?thesis by auto
qed
lemma Delay-L2:
assumes h1: \forall t1 < t. i1 t1 = []
    and h2:Delay y i1 d x i2
  shows \forall t2 < t + d. i2 t2 = []
using assms by (clarify, rule Delay-L1, auto)
```

lemma Delay-L3:

```
assumes h1: \forall t1 \leq t. \ y \ t1 = []
    and h2:Delay y i1 d x i2
    and h3:t2 \le t + d
  shows x t2 = []
proof (cases t2 < d)
 assume a1:t2 < d
 from h2 have sg1:t2 < d \longrightarrow x \ t2 = []
   by (simp add: Delay-def)
 from sq1 and a1 show ?thesis by simp
\mathbf{next}
 assume a2:\neg t2 < d
 from h2 have sg2:d \leq t2 \longrightarrow x \ t2 = y \ (t2 - d)
   by (simp add: Delay-def)
 from a2 and sg2 have sg3:x t2 = y (t2 - d) by simp
 from h1 and a2 and h3 and sg3 show ?thesis by auto
qed
lemma Delay-L4:
assumes h1: \forall t1 \leq t. \ y \ t1 = []
    and h2:Delay y i1 d x i2
  shows \forall t2 \leq t + d. \ x \ t2 = []
using assms by (clarify, rule Delay-L3, auto)
lemma Delay-lengthOut1:
 assumes h1: \forall t. length (x t) \leq Suc \theta
     and h2:Delay \ x \ i1 \ d \ y \ i2
 shows length (y t) \leq Suc \ \theta
proof (cases \ t < d)
 assume a1:t < d
 from h2 have sg1:t < d \longrightarrow y \ t = []
   by (simp add: Delay-def)
 from a1 and sg1 show ?thesis by auto
next
 assume a2:\neg t < d
 from h2 have sg2:t \ge d \longrightarrow (y \ t = x \ (t-d))
   by (simp add: Delay-def)
  from a2 and sg2 and h1 show ?thesis by auto
qed
lemma Delay-msg1:
 assumes h1:msg (Suc \theta) x
     and h2:Delay \ x \ i1 \ d \ y \ i2
             msg (Suc \ \theta) \ y
 shows
using assms
 by (simp add: msg-def Delay-lengthOut1)
```

#### 15.3 Properties of the Loss component

```
lemma Loss-L1:
assumes h1: \forall t2 < t. \ i2 \ t2 = []
    and h2:Loss lose a i2 y i
    and h3:t2 < t
    and h4:ts lose
shows i t2 = []
proof (cases lose t2 = [False])
 assume a1:lose \ t2 = [False]
 from assms and a1 show ?thesis by (simp add: Loss-def)
 assume a2:lose\ t2 \neq [False]
 from a2 and h4 have sg1:lose\ t2 = [True] by (simp\ add:\ ts\text{-}bool\text{-}True)
 from assms and sg1 show ?thesis by (simp add: Loss-def)
qed
lemma Loss-L2:
assumes h1: \forall t2 < t. i2 t2 = []
    and h2:Loss lose a i2 y i
    and h3:ts lose
shows \forall t2 < t. \ i \ t2 = []
using assms
 apply clarify
 by (rule Loss-L1, auto)
lemma Loss-L3:
assumes h1: \forall t2 < t. \ a \ t2 = []
    and h2:Loss lose a i2 y i
    and h3:t2 < t
    and h4:ts lose
shows y t2 = [
proof (cases\ lose\ t2 = [False])
 assume a1:lose\ t2=[False]
 from assms and a1 show ?thesis by (simp add: Loss-def)
next
 assume a2:lose\ t2 \neq [False]
 from a2 and h4 have sg1:lose\ t2 = [True] by (simp\ add:\ ts\text{-}bool\text{-}True)
 from assms and sg1 show ?thesis by (simp add: Loss-def)
qed
lemma Loss-L4:
assumes h1: \forall t2 < t. \ a \ t2 = []
    and h2:Loss lose a i2 y i
    and h3:ts\ lose
shows \forall t2 < t. \ y \ t2 = []
using assms
 apply clarify
 by (rule Loss-L3, auto)
```

```
lemma Loss-L5:
assumes h1: \forall t1 \leq t. \ a \ t1 = []
    and h2:Loss lose a i2 y i
    and h3:t2 \leq t
    and h4:ts lose
shows y t2 = []
proof (cases\ lose\ t2 = [False])
 assume a1:lose \ t2 = [False]
 from assms and a1 show ?thesis by (simp add: Loss-def)
\mathbf{next}
 assume a2:lose\ t2 \neq [False]
 from a2 and h4 have sg1:lose\ t2 = [True] by (simp\ add:\ ts-bool-True)
 from assms and sg1 show ?thesis by (simp add: Loss-def)
\mathbf{qed}
lemma Loss-L5Suc:
assumes h1: \forall j \leq d. a (t + Suc j) = []
    and h2:Loss lose a i2 y i
    and h3:Suc j \leq d
    and h4:ts\ lose
shows y(t + Suc j) = []
proof (cases\ lose\ (t + Suc\ j) = [False])
 assume a1:lose\ (t + Suc\ j) = [False]
 from assms and a1 show ?thesis by (simp add: Loss-def)
\mathbf{next}
 assume a2:lose\ (t + Suc\ j) \neq [False]
 from a2 and h4 have sq1:lose\ (t + Suc\ j) = [True] by (simp\ add:\ ts-bool-True)
 from assms and sq1 show ?thesis by (simp add: Loss-def)
\mathbf{qed}
lemma Loss-L6:
assumes h1: \forall t2 \leq t. \ a \ t2 = []
    and h2:Loss lose a i2 y i
    and h3:ts\ lose
shows \forall t2 \leq t. \ y \ t2 = []
using assms
 apply clarify
 by (rule Loss-L5, auto)
lemma Loss-lengthOut1:
 assumes h1: \forall t. length (a t) \leq Suc \ \theta
     and h2:Loss lose a i2 \times i
 shows length (x t) \leq Suc \theta
proof (cases\ lose\ t = [False])
 assume a1:lose\ t = [False]
 from a1 and h2 have sg1:x t = a t by (simp add: Loss-def)
 from h1 have sg2:length (a t) \leq Suc \ \theta by auto
 from sg1 and sg2 show ?thesis by simp
next
```

```
assume a2:lose \ t \neq [False]
 from a2 and h2 have sg2:x t = [] by (simp \ add: \ Loss-def)
 from sg2 show ?thesis by simp
lemma Loss-lengthOut2:
 assumes h1: \forall t. length (a t) \leq Suc \ \theta
     and h2:Loss lose a i2 \times i
 shows \forall t. length (x t) \leq Suc \theta
using assms
 \mathbf{by}\ (simp\ add\colon Loss\text{-}lengthOut1)
lemma Loss-msg1:
 assumes h1:msg (Suc \theta) a
     and h2:Loss lose a i2 x i
 shows
              msq (Suc \ \theta) \ x
using assms
 by (simp add: msg-def Loss-def Loss-lengthOut1)
```

#### 15.4 Properties of the composition of Delay and Loss components

```
lemma Loss-Delay-length-y:
  assumes h1: \forall t. length (a t) \leq Suc \theta
     and h2:Delay \ x \ i1 \ d \ y \ i2
     and h3:Loss lose a i2 \times i
 shows length (y t) \leq Suc \theta
proof -
  from h1 and h3 have sg1: \forall t. length (x t) \leq Suc \theta
   by (simp add: Loss-lengthOut2)
  from this and h2 show ?thesis
   by (simp add: Delay-lengthOut1)
qed
\mathbf{lemma}\ Loss\text{-}Delay\text{-}msg\text{-}a:
  assumes h1:msg (Suc \theta) a
     and h2:Delay \ x \ i1 \ d \ y \ i2
     and h3:Loss lose a i2 \times i
 shows
               msg (Suc \ \theta) \ y
using assms
  by (simp add: msg-def Loss-Delay-length-y)
```

#### **Auxiliary Lemmas** 15.5

```
lemma inf-last-ti2:
 assumes h1:inf-last-ti\ dt\ (Suc\ (Suc\ t)) \neq []
             inf-last-ti dt (Suc (Suc (t + k))) \neq []
 shows
using assms
proof (induct k)
```

```
case \theta
 from this show ?case by auto
\mathbf{next}
 case Suc
 from this show ?case by auto
qed
lemma aux-ack-t2:
 assumes h1: \forall m \leq k. ack (Suc\ (Suc\ (t+m))) = [connection-ok]
    and h2:Suc (Suc t) < t2
    and h3:t2 < t + 3 + k
            ack \ t2 = [connection-ok]
 shows
proof -
 from h3 have sg1:t2 - Suc (Suc t) \le k by arith
 from h1 and sq1
   obtain m where a1:m = t2 - Suc (Suc t)
           and a2:ack (Suc (Suc (t + m))) = [connection-ok]
   by auto
 from h2 have sg2:(Suc\ (Suc\ (t2-2))) = t2 by arith
 from h2 have sg3:Suc\ (Suc\ (t+(t2-Suc\ (Suc\ t))))=t2 by arith
 from sg1 and a1 and a2 and sg2 and sg3 show ?thesis by simp
qed
lemma aux-lemma-lose-1:
 assumes h1: \forall j \le ((2::nat) * d + ((4::nat) + k)). (lose (t + j) = x)
    and h2:ka \leq Suc \ d
            lose\ (Suc\ (Suc\ (t+k+ka)))=x
 shows
proof -
 from h2 have sg1:k + (2::nat) + ka \le (2::nat) * d + ((4::nat) + k) by arith
 from h2 and sg1 have sg2:Suc\ (Suc\ (k+ka)) \le 2*d+(4+k) by arith
 from sg1 and sg2 and h1 and h2 obtain j where a1:j = k + (2::nat) + ka
                            and a2:lose (t + j) = x
   by arith
 have sg3:Suc\ (Suc\ (t+(k+ka))) = Suc\ (Suc\ (t+k+ka)) by arith
 from a1 and a2 and sg3 show ?thesis by simp
qed
lemma aux-lemma-lose-2:
 assumes h1: \forall j \leq (2::nat) * d + ((4::nat) + k). lose (t + j) = [False]
 shows \forall x \leq d + (1::nat). lose (t + x) = [False]
using assms by auto
lemma aux-lemma-lose-3a:
 assumes h1: \forall j \leq 2 * d + (4 + k). lose (t + j) = [False]
    and h2:ka \leq Suc \ d
```

```
shows lose (d + (t + (3 + k)) + ka) = [False]
proof -
 from h2 have sg1:(d + 3 + k + ka) \le 2 * d + (4 + k)
   by arith
 from h1 and h2 and sg1 obtain j where a1:j = (d + 3 + k + ka) and
                                   a2:lose\ (t+j)=[False]
   by simp
  from h2 and sq1 have sq2:(t + (d + 3 + k + ka)) = (d + (t + (3 + k)) + ka)
ka
 from h1 and h2 and a1 and a2 and sg2 show ?thesis
   by simp
qed
lemma aux-lemma-lose-3:
 assumes h1: \forall j \leq 2 * d + (4 + k). lose (t + j) = [False]
             \forall ka \leq Suc \ d. \ lose \ (d + (t + (3 + k)) + ka) = [False]
 shows
using assms
 by (auto, simp add: aux-lemma-lose-3a)
lemma aux-arith1-Gateway7:
 assumes h1:t2 - t \le (2::nat) * d + (t + ((4::nat) + k))
     and h2:t2 < t + (3::nat) + k + d
     and h3: \neg t2 - d < (0::nat)
 shows t2 - d < t + (3::nat) + k
using assms by arith
lemma ts-lose-ack-st1ts:
 assumes h1:ts lose
 and h2:lose \ t = [True] \longrightarrow ack \ t = [x] \land st\text{-}out \ t = x
 and h3:lose\ t = [False] \longrightarrow ack\ t = [y] \land st\text{-}out\ t = y
 shows ack \ t = [st\text{-}out \ t]
proof (cases lose t = [False])
 assume a1:lose\ t=\lceil False \rceil
 from this and h3 show ?thesis by simp
next
 assume a2:lose \ t \neq [False]
 from this and h1 have ag1:lose\ t = [True] by (simp\ add:\ ts\text{-}bool\text{-}True)
 from this and a2 and h2 show ?thesis by simp
qed
lemma ts-lose-ack-st1:
 assumes h1:lose\ t = [True] \lor lose\ t = [False]
 and h2:lose \ t = [True] \longrightarrow ack \ t = [x] \land st\text{-}out \ t = x
 and h3:lose\ t = [False] \longrightarrow ack\ t = [y] \land st\text{-}out\ t = y
```

```
shows ack \ t = [st\text{-}out \ t]
proof (cases\ lose\ t = [False])
  assume a1:lose\ t = [False]
  from this and h3 show ?thesis by simp
next
  assume a2:lose \ t \neq [False]
  from this and h1 have ag1:lose\ t = [True] by (simp\ add:\ ts\text{-}bool\text{-}True)
  from this and a2 and h2 show ?thesis by simp
qed
lemma ts-lose-ack-st2ts:
  assumes h1:ts lose
  and h2:lose\ t=[True] \longrightarrow
      ack \ t = [x] \land i1 \ t = [] \land vc \ t = [] \land st\text{-out} \ t = x
 and h3:lose\ t = [False] \longrightarrow
     ack \ t = [y] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = y
 shows ack \ t = [st\text{-}out \ t]
proof (cases\ lose\ t = [False])
  assume a1:lose\ t = [False]
  from this and h3 show ?thesis by simp
\mathbf{next}
  assume a2:lose \ t \neq [False]
  from this and h1 have ag1:lose t = [True] by (simp add: ts-bool-True)
  from this and a2 and h2 show ?thesis by simp
qed
lemma ts-lose-ack-st2:
  assumes h1:lose\ t = [True] \lor lose\ t = [False]
  and h2:lose\ t=[True]
     ack \ t = [x] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = x
 and h3:lose\ t=[False] \longrightarrow
     ack \ t = [y] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = y
  shows ack \ t = [st\text{-}out \ t]
proof (cases lose t = [False])
  assume a1:lose\ t=[False]
  from this and h3 show ?thesis by simp
\mathbf{next}
  assume a2:lose\ t \neq [False]
  from this and h1 have ag1:lose\ t = [True] by (simp\ add:\ ts\text{-}bool\text{-}True)
  from this and a2 and h2 show ?thesis by simp
qed
\mathbf{lemma}\ \textit{ts-lose-ack-st2vc-com}\colon
  assumes h1:lose\ t = [True] \lor lose\ t = [False]
  and h2:lose\ t=[True] \longrightarrow
     ack \ t = [x] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = x
 and h3:lose\ t=[False] \longrightarrow
```

```
ack \ t = [y] \land i1 \ t = [] \land vc \ t = [vc\text{-}com] \land st\text{-}out \ t = y
  shows ack \ t = [st\text{-}out \ t]
proof (cases lose t = [False])
  assume a1:lose\ t=[False]
  from this and h3 show ?thesis by simp
  assume a2:lose \ t \neq [False]
  from this and h1 have ag1:lose t = [True] by (simp add: ts-bool-True)
  from this and a2 and h2 show ?thesis by simp
qed
lemma ts-lose-ack-st2send:
  assumes h1:lose\ t = [True] \lor lose\ t = [False]
  and h2:lose\ t=[True] \longrightarrow
      ack \ t = [x] \land i1 \ t = [\land vc \ t = [\land st\text{-}out \ t = x]]
  and h3:lose\ t = [False] \longrightarrow
      ack \ t = [y] \land i1 \ t = b \ t \land vc \ t = [] \land st\text{-out} \ t = y
  shows ack \ t = [st\text{-}out \ t]
proof (cases lose t = [False])
  assume a1:lose\ t = [False]
  from this and h3 show ?thesis by simp
\mathbf{next}
  assume a2:lose\ t \neq [False]
  from this and h1 have ag1:lose t = [True] by (simp add: ts-bool-True)
  from this and a2 and h2 show ?thesis by simp
qed
lemma tiTable-ack-st-splitten:
  assumes h1:ts lose
      and h2:msq (Suc \theta) a1
      and h3:msg (Suc \theta) stop
      and h4:st-in\ t=init-state\ \land\ req\ t=[init]\longrightarrow
          ack \ t = [call] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = call
      and h5:st-in\ t=init-state\ \land\ reg\ t\neq [init] \longrightarrow
          ack \ t = [init\text{-}state] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = init\text{-}state
     and h6:(st\text{-}in\ t=call\ \lor\ st\text{-}in\ t=connection\text{-}ok\ \land\ req\ t\neq [send])\ \land\ lose\ t=
[False] \longrightarrow
          ack \ t = [connection-ok] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = connection-ok]
     and h7:(st\text{-}in\ t=call\ \lor\ st\text{-}in\ t=connection\text{-}ok\ \lor\ st\text{-}in\ t=sending\text{-}data)\ \land
lose \ t = [True] \longrightarrow
          ack \ t = [init\text{-}state] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = init\text{-}state]
      and h8:st-in\ t=connection-ok \land req\ t=[send] \land lose\ t=[False] \longrightarrow
          ack \ t = [sending-data] \land i1 \ t = b \ t \land vc \ t = [] \land st\text{-out} \ t = sending-data
      and h9:st-in\ t=sending-data \land a1\ t=[] \land lose\ t=[False] \longrightarrow
          ack \ t = [sending-data] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = sending-data]
      and h10:st-in\ t=sending-data \land a1\ t=[sc-ack] \land lose\ t=[False] \longrightarrow
          ack \ t = [voice-com] \land i1 \ t = [] \land vc \ t = [vc-com] \land st-out \ t = voice-com]
```

```
and h11:st-in\ t=voice-com\ \land\ stop\ t=[]\ \land\ lose\ t=[False]\longrightarrow
        ack \ t = [voice-com] \land i1 \ t = [] \land vc \ t = [vc-com] \land st-out \ t = voice-com]
     and h12:st-in t = voice\text{-}com \land stop \ t = [] \land lose \ t = [True] \longrightarrow
        ack \ t = [voice\text{-}com] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = voice\text{-}com]
     and h13:st-in\ t = voice-com\ \land\ stop\ t = [stop-vc] \longrightarrow
        ack \ t = [init\text{-}state] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = init\text{-}state
 shows ack \ t = [st\text{-}out \ t]
proof -
 from h1 and h6 and h7 have sg1:lose\ t = [True] \lor lose\ t = [False]
   by (simp add: ts-bool-True-False)
show ?thesis
proof (cases st-in t)
 assume a1:st-in\ t=init-state
 from a1 and h4 and h5 show ?thesis
 proof (cases req t = [init])
   assume a11:req\ t=[init]
   from all and al and h4 and h5 show ?thesis by simp
 next
   assume a12:req\ t \neq [init]
   from a12 and a1 and h4 and h5 show ?thesis by simp
 qed
next
 assume a2:st-in\ t=call
 from a2 and sg1 and h6 and h7 show ?thesis
    apply simp
    by (rule ts-lose-ack-st2, assumption+)
next
 assume a3:st-in\ t=connection-ok
 from a3 and h6 and h7 and h8 show ?thesis apply simp
 proof (cases req t = [send])
   assume a31:req\ t=[send]
   from this and a3 and h6 and h7 and h8 and sg1 show ?thesis
     apply simp
     by (rule ts-lose-ack-st2send, assumption+)
   assume a32:req\ t \neq [send]
   from this and a3 and h6 and h7 and h8 and sg1 show ?thesis
     apply simp
     by (rule ts-lose-ack-st2, assumption+)
 qed
next
 assume a4:st-in\ t=sending-data
 from sq1 and a4 and h7 and h9 and h10 show ?thesis apply simp
 proof (cases a1 t = [])
   assume a41:a1 \ t = []
   from this and a4 and sg1 and h7 and h9 and h10 show ?thesis
     apply simp
     by (rule ts-lose-ack-st2, assumption+)
 next
```

```
assume a42:a1 \ t \neq []
   from this and h2 have a1\ t = [sc\text{-}ack] by (simp\ add:\ aType\text{-}nonempty)
   from this and a4 and a42 and sg1 and h7 and h9 and h10 show ?thesis
     apply simp
     by (rule ts-lose-ack-st2vc-com, assumption+)
  qed
\mathbf{next}
  assume a5:st-in\ t=voice-com
  from a5 and h11 and h12 and h13 show ?thesis apply simp
  proof (cases stop t = [])
   assume a51:stop \ t = [
   from this and a5 and h11 and h12 and h13 and sg1 show ?thesis
     apply simp
     by (rule ts-lose-ack-st2vc-com, assumption+)
  next
   assume a52:stop \ t \neq []
   from this and h3 have sg7:stop \ t = [stop-vc]
     by (simp add: stopType-nonempty)
   from this and a5 and a52 and h13 show ?thesis by simp
 qed
qed
qed
\mathbf{lemma}\ tiTable\text{-}ack\text{-}st:
  assumes h1:tiTable-SampleT reg a1 stop lose st-in b ack i1 vc st-out
     and h2:ts\ lose
     and h3:msg (Suc 0) a1
     and h4:msg (Suc \theta) stop
               ack \ t = [st\text{-}out \ t]
 shows
proof -
  from assms have sg1:
  st-in t = init-state \land req \ t = [init] \longrightarrow
   ack \ t = [call] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = call
    by (simp add: tiTable-SampleT-def)
  from assms have sg2:
   st-in t = init-state \land reg \ t \neq [init] \longrightarrow
   ack \ t = [init\text{-}state] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = init\text{-}state
    by (simp add: tiTable-SampleT-def)
  from assms have sg3:
   (st\text{-}in\ t=call\ \lor\ st\text{-}in\ t=connection\text{-}ok\ \land\ req\ t\neq [send])\ \land
    lose \ t = [False] \longrightarrow
    ack \ t = [connection-ok] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = connection-ok]
    by (simp add: tiTable-SampleT-def)
  from assms have sg4:
   (st\text{-}in\ t=call\ \lor\ st\text{-}in\ t=connection\text{-}ok\ \lor\ st\text{-}in\ t=sending\text{-}data)\ \land
    lose \ t = [True] \longrightarrow
    ack \ t = [init\text{-}state] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = init\text{-}state
    by (simp add: tiTable-SampleT-def)
  from assms have sg5:
```

```
st-in t = connection-ok \land req \ t = [send] \land lose \ t = [False] \longrightarrow
   ack \ t = [sending-data] \land i1 \ t = b \ t \land vc \ t = [] \land st\text{-out} \ t = sending-data
   by (simp add: tiTable-SampleT-def)
  from assms have sg6:
   st-in t = sending-data \land a1 t = [] \land lose t = [False] \longrightarrow
   ack \ t = [sending-data] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = sending-data]
    by (simp add: tiTable-SampleT-def)
  from assms have sg7:
   st-in t = sending-data \land a1 t = [sc-ack] \land lose t = [False] \longrightarrow
   ack \ t = [voice-com] \land i1 \ t = [] \land vc \ t = [vc-com] \land st-out \ t = voice-com]
   by (simp\ add:\ tiTable-SampleT-def)
  from assms have sg8:
  st-in t = voice-com \land stop \ t = [] \land lose \ t = [False] \longrightarrow
   ack \ t = [voice\text{-}com] \land i1 \ t = [] \land vc \ t = [vc\text{-}com] \land st\text{-}out \ t = voice\text{-}com]
   by (simp add: tiTable-Sample T-def)
  from assms have sq9:
   st-in t = voice-com \land stop \ t = [] \land lose \ t = [True] \longrightarrow
   ack \ t = [voice\text{-}com] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = voice\text{-}com]
   by (simp\ add:\ tiTable-SampleT-def)
  from assms have sg10:
  st-in t = voice-com \land stop \ t = [stop-vc] \longrightarrow
   \mathit{ack}\ t = \lceil \mathit{init\text{-}state} \rceil \ \land \ \mathit{i1}\ t = []\ \land \ \mathit{vc}\ t = []\ \land \ \mathit{st\text{-}out}\ t = \mathit{init\text{-}state}
   by (simp add: tiTable-Sample T-def)
  from h2 and h3 and h4 and sg1 and sg2 and sg3 and sg4 and sg5 and
  sg6 and sg7 and sg8 and sg9 and sg10 show ?thesis
   by (rule tiTable-ack-st-splitten)
qed
lemma tiTable-ack-st-hd:
 assumes h1:tiTable-SampleT req a1 stop lose st-in b ack i1 vc st-out
     and h2:ts lose
     and h3:msq (Suc 0) a1
     and h4:msg (Suc \theta) stop
 shows st-out t = hd (ack t)
using assms by (simp add: tiTable-ack-st)
lemma tiTable-ack-connection-ok:
  assumes h1:tiTable-SampleT req x stop lose st-in b ack i1 vc st-out
     and h2:ack \ t = [connection-ok]
     and h3:msg (Suc \theta) x
     and h4:ts lose
     and h5:msg (Suc \theta) stop
 shows (st-in t = call \lor st-in t = connection-ok \land req \ t \neq [send]) \land 
         lose \ t = [False]
proof -
  from h1 and h4 have sg1:lose\ t = [True] \lor lose\ t = [False]
   by (simp add: ts-bool-True-False)
  from h1 and h3 have sg2:x t = [] \lor x t = [sc\text{-}ack]
   by (simp add: aType-lemma)
```

```
from h1 and h5 have sg3:stop \ t = [] \lor stop \ t = [stop-vc]
 by (simp add: stopType-lemma) show ?thesis
proof (cases st-in t)
 assume a1:st-in\ t=init-state
 show ?thesis
 proof (cases req t = [init])
   assume a11:req\ t=[init]
  from h1 and a1 and a11 and h2 show ?thesis by (simp add: tiTable-SampleT-def)
 next
   assume a12:req\ t \neq [init]
  from h1 and a1 and a12 and h2 show ?thesis by (simp add: tiTable-SampleT-def)
 qed
next
 assume a2:st-in\ t=call
 show ?thesis
 proof (cases lose t = [True])
   assume a21:lose\ t = [True]
  from h1 and a2 and a21 and h2 show ?thesis by (simp add: tiTable-SampleT-def)
   assume a22:lose\ t \neq [True]
   from this and h4 have a22a:lose\ t=[False] by (simp\ add:\ ts\text{-}bool\text{-}False)
   from h1 have
    (st\text{-}in\ t=call\ \lor\ st\text{-}in\ t=connection\text{-}ok\ \land\ req\ t\neq [send])\ \land
      lose \ t = [False] \longrightarrow
      ack \ t = [connection-ok] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = connection-ok]
     by (simp add: tiTable-Sample T-def)
   from this and a2 and a22a and h2 show ?thesis by simp
 ged
next
 assume a3:st-in\ t=connection-ok
 show ?thesis
 proof (cases lose t = [True])
   assume a31:lose\ t = [True]
   from h1 have
    (st\text{-}in\ t=call\ \lor\ st\text{-}in\ t=connection\text{-}ok\ \lor\ st\text{-}in\ t=sending\text{-}data)\ \land
     lose \ t = [True] \longrightarrow
      ack \ t = [init\text{-}state] \land i1 \ t = [] \land vc \ t = [] \land st\text{-}out \ t = init\text{-}state
     by (simp add: tiTable-Sample T-def)
   from this and a3 and a31 and h2 show ?thesis by simp
   assume a32:lose\ t \neq [True]
   from this and h4 have a32a:lose\ t = [False] by (simp\ add:\ ts\text{-}bool\text{-}False)
   show ?thesis
   proof (cases req t = [send])
     assume a321:req\ t=[send]
     from h1 and a3 and a32a and a321 and h2 show ?thesis
       by (simp add: tiTable-Sample T-def)
   next
     assume a322:req\ t \neq [send]
```

```
from h1 and a3 and a32a and a322 and h2 show ?thesis
        by (simp add: tiTable-SampleT-def)
    qed
   qed
 next
   assume a4:st-in\ t=sending-data
   show ?thesis
   proof (cases lose t = [True])
    assume a41:lose\ t = [True]
   from h1 and a4 and a41 and h2 show ?thesis by (simp add: tiTable-SampleT-def)
   next
    assume a42:lose\ t \neq [True]
    from this and h4 have a42a:lose\ t = [False] by (simp\ add:\ ts\text{-bool-False})
    show ?thesis
    proof (cases x t = [sc\text{-}ack])
      assume a421:x t = [sc\text{-}ack]
      from h1 and a4 and a42a and a421 and h2 show ?thesis
       by (simp add: tiTable-SampleT-def)
      assume a422: x t \neq [sc\text{-}ack]
      from this and h3 have a422a:x t = [] by (simp \ add: aType-empty)
      from h1 and a4 and a42a and a422a and h2 show ?thesis
       by (simp add: tiTable-SampleT-def)
    qed
   qed
 next
   assume a5:st-in\ t=voice-com
   show ?thesis
   proof (cases\ stop\ t = [stop-vc])
    assume a51:stop\ t = [stop-vc]
    from h1 and a5 and a51 and h2 show ?thesis
       by (simp add: tiTable-Sample T-def)
  \mathbf{next}
    assume a52:stop\ t \neq [stop-vc]
    from this and h5 have a52a:stop t = [] by (simp \ add: stop \ Type-empty)
    show ?thesis
    proof (cases lose t = [True])
      assume a521:lose\ t=[True]
      from h1 and a5 and a52a and a521 and h2 show ?thesis
       by (simp add: tiTable-Sample T-def)
    next
      assume a522:lose\ t \neq [True]
     from this and h4 have a522a:lose\ t = [False] by (simp\ add:\ ts-bool-False)
      from h1 and a5 and a52a and a522a and h2 show ?thesis
       by (simp add: tiTable-SampleT-def)
    qed
   qed
 qed
qed
```

```
lemma tiTable-i1-1:
 assumes h1:tiTable-SampleT req x stop lose st-in b ack i1 vc st-out
     and h2:ts\ lose
     and h3:msg (Suc \theta) x
     and h4:msg (Suc \theta) stop
     and h5:ack\ t = [connection-ok]
 shows i1 \ t = []
proof -
 from assms have sg1:
  (st\text{-}in\ t=call\ \lor\ st\text{-}in\ t=connection\text{-}ok\ \land\ req\ t\neq [send])\ \land
   lose \ t = [False]
   by (simp add: tiTable-ack-connection-ok)
 from this and h1 show ?thesis by (simp add: tiTable-SampleT-def)
qed
lemma tiTable-ack-call:
 {\bf assumes}\ h1{:}tiTable{-}SampleT\ req\ x\ stop\ lose\ st{-}in\ b\ ack\ i1\ vc\ st{-}out
     and h2:ack\ t=[call]
     and h3:msg (Suc \theta) x
     and h4:ts lose
     and h5:msg (Suc \theta) stop
 shows st-in t = init-state \land req t = [init]
proof -
 from h1 and h4 have sg1:lose\ t = [True] \lor lose\ t = [False]
   by (simp add: ts-bool-True-False)
 from h1 and h3 have sg2:x t = [] \lor x t = [sc\text{-}ack]
   by (simp add: aType-lemma)
 from h1 and h5 have sg3:stop \ t = [] \lor stop \ t = [stop-vc]
   by (simp add: stopType-lemma)
 show ?thesis
 proof (cases st-in t)
   assume a1:st-in\ t=init-state
   show ?thesis
   proof (cases req t = [init])
     assume a11:req\ t=[init]
     from h1 and a1 and a11 and h2 show ?thesis
      by (simp add: tiTable-SampleT-def)
   \mathbf{next}
     assume a12:req\ t \neq [init]
     from h1 and a1 and a12 and h2 show ?thesis
       by (simp add: tiTable-Sample T-def)
   qed
 next
   assume a2:st\text{-}in\ t=call
   show ?thesis
   proof (cases lose t = [True])
     assume a21:lose\ t = [True]
     from h1 and a2 and a21 and h2 show ?thesis
```

```
by (simp add: tiTable-SampleT-def)
 \mathbf{next}
   assume a22:lose\ t \neq [True]
   from this and h4 have a22a:lose t = [False] by (simp \ add: \ ts\text{-bool-False})
   from h1 and a2 and a22a and h2 show ?thesis
     by (simp add: tiTable-Sample T-def)
 qed
next
 assume a\beta:st-in t = connection-ok
 show ?thesis
 proof (cases lose t = [True])
  assume a31:lose\ t = [True]
 from h1 and a3 and a31 and h2 show ?thesis by (simp add: tiTable-SampleT-def)
   assume a32:lose\ t \neq [True]
   from this and h4 have a32a:lose\ t = [False] by (simp add: ts-bool-False)
  show ?thesis
   proof (cases req t = [send])
    assume a321:req\ t=[send]
    from h1 and a3 and a32a and a321 and h2 show ?thesis
      by (simp add: tiTable-SampleT-def)
   \mathbf{next}
    assume a322:req\ t \neq [send]
    from h1 and a3 and a32a and a322 and h2 show ?thesis
       by (simp add: tiTable-Sample T-def)
   qed
 qed
next
 assume a4:st-in\ t=sending-data
 show ?thesis
 proof (cases lose t = [True])
  assume a41:lose\ t = [True]
   from h1 and a4 and a41 and h2 show ?thesis
    by (simp add: tiTable-SampleT-def)
   assume a42:lose\ t \neq [True]
   from this and h4 have a42a:lose\ t = [False] by (simp\ add:\ ts\text{-bool-False})
   show ?thesis
   proof (cases x t = [sc\text{-}ack])
    assume a421:x t = [sc\text{-}ack]
    from h1 and a4 and a42a and a421 and h2 show ?thesis
      by (simp add: tiTable-SampleT-def)
   next
    assume a422: x t \neq [sc\text{-}ack]
    from this and h3 have a422a:x t = [] by (simp \ add: aType-empty)
    from h1 and a4 and a42a and a422a and h2 show ?thesis
      by (simp add: tiTable-SampleT-def)
   qed
 qed
```

```
next
   assume a5:st-in\ t=voice-com
   show ?thesis
   proof (cases stop t = [stop-vc])
    assume a51:stop \ t = [stop-vc]
    from h1 and a5 and a51 and h2 show ?thesis
      by (simp add: tiTable-SampleT-def)
    assume a52:stop\ t \neq [stop-vc]
    from this and h5 have a52a:stop t = [] by (simp \ add: stop \ Type-empty)
    show ?thesis
    proof (cases lose t = [True])
      assume a521:lose\ t = [True]
      from h1 and a5 and a52a and a521 and h2 show ?thesis
        by (simp add: tiTable-SampleT-def)
      assume a522:lose\ t \neq [True]
      from this and h4 have a522a:lose t = [False] by (simp \ add: \ ts\text{-bool-False})
      from h1 and a5 and a52a and a522a and h2 show ?thesis
        by (simp add: tiTable-SampleT-def)
    qed
   qed
 qed
qed
lemma tiTable-i1-2:
 assumes h1:tiTable-SampleT reg a1 stop lose st-in b ack i1 vc st-out
    and h2:ts lose
    and h3:msg (Suc 0) a1 and h4:msg (Suc 0) stop
    and h5:ack\ t = [call]
 shows i1 \ t = []
proof -
 from assms have sg1:st-in\ t=init-state \land req\ t=[init]
   by (simp add: tiTable-ack-call)
 from this and h1 show ?thesis
   by (simp add: tiTable-Sample T-def)
\mathbf{qed}
lemma tiTable-ack-init\theta:
 assumes h1:tiTable-SampleT reg a1 stop lose
              (fin-inf-append [init-state] st)
               b ack i1 vc st
    and h2:req \theta = []
 shows ack \theta = [init\text{-}state]
proof -
 have sg1:(fin-inf-append [init-state] st) (0::nat) = init-state
   by (simp add: fin-inf-append-def)
 from h1 and sg1 and h2 show ?thesis by (simp add: tiTable-SampleT-def)
qed
```

```
\mathbf{lemma}\ tiTable\text{-}ack\text{-}init:
 assumes h1:tiTable-SampleT reg a1 stop lose
               (fin-inf-append [init-state] st)
                b ack i1 vc st
     and h2:ts\ lose
     and h3:msg (Suc \theta) a1
     and h4:msg (Suc \theta) stop
     and h5: \forall t1 \leq t. req t1 = []
 shows ack \ t = [init\text{-}state]
using assms
proof (induction \ t)
 case \theta
 from this show ?case
   by (simp\ add:\ tiTable-ack-init\theta)
 case (Suc\ t)
 from Suc have sg1: st\ t = hd\ (ack\ t)
   by (simp add: tiTable-ack-st-hd)
 from Suc and sg1 have sg2:
  (fin-inf-append [init-state] st) (Suc t) = init-state)
   by (simp add: correct-fin-inf-append2)
 from Suc and sg1 and sg2 show ?case
   by (simp add: tiTable-Sample T-def)
qed
lemma tiTable-i1-3:
 assumes h1:tiTable-SampleT req x stop lose
               (fin-inf-append [init-state] st)
                b ack i1 vc st
     and h2:ts lose
     and h3:msg (Suc \theta) x
     and h4:msg (Suc \theta) stop
     and h5: \forall t1 \leq t. req t1 = []
shows i1 \ t = []
proof -
 from assms have sg1:ack \ t = [init-state]
   by (simp add: tiTable-ack-init)
 from assms have sg2:st\ t = hd\ (ack\ t)
   by (simp add: tiTable-ack-st-hd)
 from sg1 and sg2 have sg3:
  (fin-inf-append [init-state] st) (Suc t) = init-state)
   by (simp add: correct-fin-inf-append2)
 from h1 and h2 have sg4:lose\ t = [True] \lor lose\ t = [False]
   by (simp add: ts-bool-True-False)
 from h1 and h3 have sg5:x t = [] \lor x t = [sc\text{-}ack]
   by (simp add: aType-lemma)
```

```
from h1 and h4 have sg6:stop\ t = [] \lor stop\ t = [stop-vc]
 by (simp add: stopType-lemma)
show ?thesis
proof (cases fin-inf-append [init-state] st t)
 assume a1:fin-inf-append [init-state] st t = init-state
 from assms and sg1 and sg2 and sg3 and a1 show ?thesis
   by (simp add: tiTable-SampleT-def)
 assume a2:fin-inf-append [init-state] st t = call
 show ?thesis
 proof (cases lose t = [True])
   assume a21:lose\ t = [True]
  from h1 and a2 and a21 show ?thesis by (simp add: tiTable-SampleT-def)
 next
   assume a22:lose\ t \neq [True]
   from this and h2 have a22a:lose\ t = [False] by (simp\ add:\ ts-bool-False)
  from h1 and a2 and a22a show ?thesis by (simp add: tiTable-SampleT-def)
 qed
\mathbf{next}
 assume a3:fin-inf-append [init-state] st t = connection-ok
 show ?thesis
 proof (cases lose t = [True])
   assume a31:lose\ t = [True]
  from h1 and a3 and a31 show ?thesis by (simp add: tiTable-SampleT-def)
 \mathbf{next}
   assume a32:lose\ t \neq [True]
   from this and h2 have a32a:lose t = [False] by (simp \ add: ts\text{-bool-}False)
   from h5 have a322:reg t \neq [send] by auto
   from h1 and a3 and a32a and a322 show ?thesis
    by (simp\ add:\ tiTable-SampleT-def)
 qed
next
 assume a4:fin-inf-append [init-state] st t = sending-data
 show ?thesis
 proof (cases lose t = [True])
   assume a41:lose\ t = [True]
  from h1 and a4 and a41 show ?thesis by (simp add: tiTable-SampleT-def)
 next
   assume a42:lose\ t \neq [True]
   from this and h2 have a42a:lose\ t = [False] by (simp\ add:\ ts-bool-False)
   show ?thesis
   proof (cases \ x \ t = [sc\text{-}ack])
    assume a421:x t = [sc\text{-}ack]
    from h1 and a4 and a42a and a421 and h2 show ?thesis
      by (simp add: tiTable-SampleT-def)
    assume a422: x t \neq [sc\text{-}ack]
    from this and h3 have a422a:x t = [] by (simp \ add: aType-empty)
```

```
from h1 and a4 and a42a and a422a and h2 show ?thesis
        by (simp add: tiTable-SampleT-def)
     qed
   qed
 next
   assume a5:fin-inf-append [init-state] st t = voice-com
   show ?thesis
   proof (cases stop t = [stop-vc])
     assume a51:stop\ t = [stop-vc]
   from h1 and a5 and a51 and h2 show ?thesis by (simp add: tiTable-SampleT-def)
   next
     assume a52:stop \ t \neq [stop-vc]
     from this and h4 have a52a:stop t = [] by (simp \ add: stop \ Type-empty)
     show ?thesis
     proof (cases lose t = [True])
      assume a521:lose\ t=[True]
      from h1 and a5 and a52a and a521 and h2 show ?thesis
        by (simp add: tiTable-Sample T-def)
      assume a522:lose\ t \neq [True]
      from this and h2 have a522a:lose t = [False] by (simp \ add: \ ts\text{-bool-False})
      from h1 and a5 and a52a and a522a and h2 show ?thesis
        by (simp add: tiTable-SampleT-def)
     qed
   qed
 qed
qed
\mathbf{lemma}\ tiTable\text{-}st\text{-}call\text{-}ok:
 assumes h1:tiTable-SampleT req x stop lose
               (fin-inf-append [init-state] st)
                b ack i1 vc st
    and h2:ts lose
    and h3: \forall m \leq k. ack (Suc\ (Suc\ (t+m))) = [connection-ok]
    and h4:st (Suc t) = call
 shows st (Suc (Suc t)) = connection-ok
proof -
   from h4 have sg1:
    (fin-inf-append [init-state] st) (Suc (Suc t)) = call
    by (simp add: correct-fin-inf-append2)
  from h1 and h2 have sg2:lose\ (Suc\ (Suc\ t)) = [True] \lor lose\ (Suc\ (Suc\ t)) =
[False]
   \mathbf{by}\ (simp\ add\colon ts\text{-}bool\text{-}True\text{-}False)
  show ?thesis
  proof (cases\ lose\ (Suc\ (Suc\ t)) = [False])
    assume a1:lose\ (Suc\ (Suc\ t)) = [False]
    from h1 and a1 and sg1 show ?thesis
     by (simp add: tiTable-SampleT-def)
```

```
next
    assume a2:lose\ (Suc\ (Suc\ t)) \neq [False]
    from h3 have sg3:ack (Suc (Suc t)) = [connection-ok] by auto
    from h1 and a2 and sg1 and sg2 and sg3 show ?thesis
     by (simp add: tiTable-SampleT-def)
  qed
qed
lemma tiTable-i1-4b:
 assumes h1:tiTable-SampleT req x stop lose
               (fin-inf-append [init-state] st)
               b ack i1 vc st
    and h2:ts lose
    and h3:msq (Suc \theta) x
    and h4:msq (Suc \theta) stop
    and h5: \forall t1 \leq t. req t1 = []
    and h6:req\ (Suc\ t)=[init]
     and h7: \forall m < k + 3. req (t + m) \neq [send]
    and h7: \forall m \leq k. ack (Suc (Suc (t + m))) = [connection-ok]
    and h8: \forall j \leq k + 3. lose (t + j) = [False]
    and h9:t2 < (t + 3 + k)
 shows i1 \ t2 = []
proof (cases \ t2 \le t)
 assume a1:t2 \leq t
 from assms and a1 show ?thesis by (simp add: tiTable-i1-3)
next
 assume a2:\neg t2 < t
 from assms have sg1:ack\ t = [init\text{-}state] by (simp\ add:\ tiTable\text{-}ack\text{-}init)
 from assms have sg2:st\ t = hd\ (ack\ t) by (simp\ add:\ tiTable-ack-st-hd)
 from sg1 and sg2 have sg3:
  (fin-inf-append [init-state] st) (Suc t) = init-state)
   by (simp add: correct-fin-inf-append2)
 from assms and sg3 have sg4:st (Suc t) = call
   by (simp add: tiTable-SampleT-def)
 show ?thesis
 proof (cases t2 = Suc \ t)
   assume a3:t2 = Suc t
   from assms and sg3 and a3 show ?thesis
     by (simp add: tiTable-SampleT-def)
 next
   assume a4:t2 \neq Suc \ t
  from assms and sq4 and a4 and a2 have sq7:st (Suc (Suc t)) = connection-ok
     by (simp add: tiTable-st-call-ok)
   from assms have sg8:ack (Suc (Suc t)) = [st (Suc (Suc t))]
    by (simp \ add: tiTable-ack-st)
   show ?thesis
   proof (cases \ t2 = Suc \ (Suc \ t))
     assume a5:t2 = Suc (Suc t)
```

```
from h7 and h9 and a5 have sg9:ack\ t2 = [connection-ok] by auto
    from assms and sg9 show ?thesis by (simp add: tiTable-i1-1)
    assume a6:t2 \neq Suc (Suc t)
    from a6 and a4 and a2 have sg10:Suc\ (Suc\ t) < t2 by arith
    from h7 and h9 and sq10 have sq11:ack t2 = [connection-ok]
      by (simp add: aux-ack-t2)
    from assms and a6 and sg7 and sg8 and sg11 show ?thesis
      by (simp add: tiTable-i1-1)
   qed
 qed
qed
lemma tiTable-i1-4:
 assumes h1:tiTable-SampleT reg a1 stop lose
              (fin-inf-append [init-state] st)
               b ack i1 vc st
    and h2:ts lose
    and h3:msg (Suc 0) a1
    and h4:msg (Suc \theta) stop
    and h5: \forall t1 \leq t. req t1 = []
    and h\theta:req (Suc t) = [init]
    and h7: \forall m < k + 3. req (t + m) \neq [send]
    and h7: \forall m \leq k. ack (Suc (Suc (t + m))) = [connection-ok]
    and h8: \forall j \leq k + 3. lose (t + j) = [False]
 shows \forall t2 < (t + 3 + k). i1 t2 = []
using assms by (simp add: tiTable-i1-4b)
lemma tiTable-ack-ok:
 assumes h1: \forall j \leq d + 2. lose (t + j) = [False]
    and h2:ts\ lose
    and h4:msg (Suc \theta) stop
    and h5:msg (Suc \theta) a1
    and h6:reg\ (Suc\ t) \neq [send]
    and h7:ack\ t = [connection-ok]
    and h8:tiTable-SampleT req a1 stop lose (fin-inf-append [init-state] st) b ack
i1 vc st
 shows ack (Suc t) = [connection-ok]
proof -
 from h8 and h2 and h5 and h4 have sg1:st t = hd (ack t)
   by (simp add: tiTable-ack-st-hd)
 from sg1 and h7 have sg2:
  (fin-inf-append [init-state] st) (Suc t) = connection-ok
   by (simp add: correct-fin-inf-append2)
 have sg3a:Suc \ 0 \le d + 2 by arith
 from h1 and sg3a have sg3:lose\ (t + Suc\ \theta) = [False] by auto
 from sg2 and sg3 and h6 and h8 show ?thesis
```

```
by (simp add: tiTable-SampleT-def)
\mathbf{qed}
lemma Gateway-L7a:
 assumes h1:Gateway req dt a stop lose d ack i vc
    and h2:msg (Suc \theta) a
    and h3:msg (Suc \theta) stop
    and h_4:msg (Suc \theta) req
    and h5:ts\ lose
    and h6: \forall j \leq d + 2. lose (t + j) = [False]
    and h7:req\ (Suc\ t) \neq [send]
    and h8:ack\ (t) = [connection-ok]
 shows ack (Suc \ t) = [connection-ok]
proof -
 from h1 and h3 and h4 and h7 obtain i1 i2 a1 a2 where
   ah1:Sample req dt a1 stop lose ack i1 vc and
   ah2:Delay a2 i1 d a1 i2 and
   ah3:Loss lose a i2 a2 i
   by (simp add: Gateway-def, auto)
 from ah2 and ah3 and h2 have sg1:msg (Suc 0) a1
   by (simp add: Loss-Delay-msg-a)
 from ah1 and sg1 and h3 and h4 obtain st buffer where
   ah4:Sample-L req dt a1 stop lose (fin-inf-append [init-state] st)
          (fin-inf-append [[]] buffer)
          ack i1 vc st buffer
   by (simp add: Sample-def, auto)
 from ah4 have sg2:
   tiTable-SampleT req a1 stop lose (fin-inf-append [init-state] st)
       (fin-inf-append [[]] buffer)
       ack i1 vc st
   by (simp add: Sample-L-def)
 from h6 and h5 and h3 and sg1 and h7 and h8 and sg2 show ?thesis
   by (simp add: tiTable-ack-ok)
qed
lemma Sample-L-buffer:
 assumes h1:
   Sample-L req dt a1 stop lose (fin-inf-append [init-state] st)
        (fin-inf-append [[]] buffer)
        ack i1 vc st buffer
 shows buffer t = inf-last-ti dt t
proof -
 from h1 have sg1:
  \forall t. buffer t =
   (if dt t = [] then fin-inf-append [[]] buffer t else dt t)
   by (simp add: Sample-L-def)
 from sg1 show ?thesis
```

```
proof (induct t)
   case \theta
   from this show ?case
     by (simp add: fin-inf-append-def)
  next
   \mathbf{fix} \ t
   case (Suc\ t)
   from this show ?case
   proof (cases dt \ t = [])
     assume a1:dt\ t = [
     from a1 and Suc show ?thesis
       by (simp add: correct-fin-inf-append1)
   \mathbf{next}
     assume a2:dt \ t \neq []
     from a2 and Suc show ?thesis
       by (simp add: correct-fin-inf-append1)
   qed
 qed
qed
\mathbf{lemma} \quad tiTable\text{-}SampleT\text{-}i1\text{-}buf\!fer:
  assumes h1:ack \ t = [connection-ok]
     and h2:req\ (Suc\ t)=[send]
     and h3: \forall k \leq Suc \ d. \ lose \ (t + k) = [False]
     and h4: buffer t = inf-last-ti dt t
    and h6:tiTable-SampleT req a1 stop lose (fin-inf-append [init-state] st)
     (fin-inf-append [[]] buffer) ack
     i1 \ vc \ st
    and h7:st\ t = hd\ (ack\ t)
    and h8:fin-inf-append [init-state] st (Suc t) = connection-ok
 shows i1 (Suc\ t) = inf-last-ti\ dt\ t
proof -
 have sg1:Suc\ 0 \le Suc\ d by arith
 from h3 and sg1 have sg2:lose (Suc t) = [False] by auto
 from h6 have
  fin-inf-append [init-state] st (Suc t) = connection-ok \land
   reg (Suc \ t) = [send] \land
   lose (Suc \ t) = [False] \longrightarrow
   ack (Suc \ t) = [sending-data] \land
   i1 \; (Suc \; t) = (fin-inf-append \; [[]] \; buffer) \; (Suc \; t) \; \land
   vc (Suc t) = [] \land st (Suc t) = sending-data
   by (simp add: tiTable-SampleT-def)
 from this and h8 and h2 and sg2 have
  i1 (Suc t) = (fin-inf-append [[]] buffer) (Suc t) by simp
  from this and h4 show ?thesis by (simp add: correct-fin-inf-append1)
qed
```

```
lemma Sample-L-i1-buffer:
 assumes h1:msg (Suc \theta) req
     and h2:msg (Suc \theta) a
     and h3:msg (Suc \theta) stop
     and h4:msg (Suc \theta) a1
     and h5:ts\ lose
     and h6:ack\ t = [connection-ok]
     and h7:reg (Suc \ t) = [send]
     and h8: \forall k \leq Suc \ d. \ lose \ (t + k) = [False]
     and h9:Sample-L req dt a1 stop lose
             (fin-inf-append [init-state] st)
             (fin-inf-append []] buffer) ack i1 vc st buffer
 shows i1 (Suc t) = buffer t
proof -
 from h9 have sg1:buffer\ t=inf-last-ti\ dt\ t
   by (simp add: Sample-L-buffer)
 from h9 have sq2:
   \forall t. \ buffer \ t = (if \ dt \ t = [] \ then \ fin-inf-append [[]] \ buffer \ t \ else \ dt \ t)
   by (simp add: Sample-L-def)
 from h9 have sg3:
   tiTable-SampleT req a1 stop lose (fin-inf-append [init-state] st)
     (fin-inf-append [[]] buffer) ack
     i1 \ vc \ st
   by (simp add: Sample-L-def)
 from sg3 and h5 and h4 and h3 have sg4:st\ t = hd\ (ack\ t)
   by (simp add: tiTable-ack-st-hd)
 from h6 and sg4 have sg5:
   (fin-inf-append [init-state] st) (Suc t) = connection-ok
   by (simp add: correct-fin-inf-append1)
 from h6 and h7 and h8 and sg1 and sg3 and sg4 and sg5 have sg6:
   i1 (Suc t) = inf-last-ti dt t
    by (simp add: tiTable-SampleT-i1-buffer)
 from this and sg1 show ?thesis by simp
qed
\mathbf{lemma}\ ti Table\text{-}Sample T\text{-}sending\text{-}data:
 assumes h1: tiTable-SampleT req a1 stop lose (fin-inf-append [init-state] st)
       (fin-inf-append [[]] buffer)
       ack i1 vc st
     and h2: \forall j \leq 2 * d. lose (t + j) = [False]
     and h3: \forall t \le t + d + d. a1 t \le t = []
     and h4:ack\ (t+x) = [sending-data]
     and h5:fin-inf-append [init-state] st (Suc (t + x)) = sending-data
     and h6:Suc\ (t+x) \le 2*d+t
 shows ack (Suc (t + x)) = [sending-data]
proof -
 from h6 have Suc \ x \le 2 * d by arith
 from this and h2 have sg1:lose\ (t + Suc\ x) = [False] by auto
```

```
from h6 have Suc\ (t+x) \le t+d+d by arith
 from this and h3 have sg2:a1 (Suc (t + x)) = [] by auto
 from h1 and sg1 and sg2 and h5 show ?thesis
   by (simp add: tiTable-Sample T-def)
qed
lemma Sample-sending-data:
 assumes h1:msg (Suc \theta) stop
    and h2:ts\ lose
    and h3:msg (Suc \theta) req
    and h4:msg (Suc 0) a1
    and h5: \forall j \leq 2 * d. lose (t + j) = [False]
    and h6:ack\ t = [sending-data]
    and h7:Sample req dt a1 stop lose ack i1 vc
    and h8:x \leq d+d
    and h9: \forall t \neq t \leq t + d + d. a1 t \neq t = []
shows ack (t + x) = [sending-data]
using assms
proof -
 from h1 and h3 and h4 and h7 obtain st buffer where a1:
  Sample-L req dt a1 stop lose (fin-inf-append [init-state] st)
          (fin-inf-append [[]] buffer) ack
          i1 vc st buffer
   by (simp add: Sample-def, auto)
 from a1 have sg1:
   tiTable-SampleT req a1 stop lose (fin-inf-append [init-state] st)
      (fin-inf-append [[]] buffer)
       ack i1 vc st
    by (simp add: Sample-L-def)
 from a1 have sg2:
   \forall t. \ buffer \ t = (if \ dt \ t = [] \ then \ fin-inf-append [[]] \ buffer \ t \ else \ dt \ t)
    by (simp add: Sample-L-def)
 from h1 and h2 and h4 and h6 and h8 and sg1 and sg2 show ?thesis
 proof (induct \ x)
   case \theta
   from this show ?case by simp
 next
   \mathbf{fix} \ x
   case (Suc \ x)
   from this have sg3:st(t+x) = hd(ack(t+x))
    by (simp add: tiTable-ack-st-hd)
   from Suc have sq4:x \leq d + d by arith
   from Suc and sg3 and sg4 have sg5:
    (fin-inf-append [init-state] st) (Suc (t + x)) = sending-data
    by (simp add: fin-inf-append-def)
   from Suc have sg6:Suc (t + x) \le 2 * d + t by simp
   from Suc have sg7:ack\ (t+x) = [sending-data] by simp
   from sg1 and h5 and h9 and sg7 and sg5 and sg6 have sg7:
```

```
ack \ (Suc \ (t+x)) = [sending-data]

by (simp \ add: \ tiTable-SampleT-sending-data)

from this show ?case by simp

qed

qed
```

## 15.6 Properties of the ServiceCenter component

```
\mathbf{lemma}\ Service Center-a-l:
 assumes h1:ServiceCenter i a
             length (a t) \leq (Suc \ \theta)
proof (cases t)
 case \theta
 from this and h1 show ?thesis by (simp add: ServiceCenter-def)
 fix m assume Suc:t = Suc m
 from this and h1 show ?thesis by (simp add: ServiceCenter-def)
lemma ServiceCenter-a-msg:
 assumes h1:ServiceCenter i a
             msg (Suc \ \theta) \ a
using assms by (simp add: msg-def ServiceCenter-a-l)
\mathbf{lemma}\ \mathit{ServiceCenter-L1}\colon
 assumes h1: \forall t2 < x. i t2 = []
     and h2:ServiceCenter i a
     and h\beta:t \leq x
 shows a t = []
using assms
proof (induct t)
  case \theta
  from this show ?case by (simp add: ServiceCenter-def)
  case (Suc\ t)
  from this show ?case by (simp add: ServiceCenter-def)
lemma ServiceCenter-L2:
 assumes h1: \forall t2 < x. i t2 = []
     and h2:ServiceCenter i a
 shows \forall t3 \leq x. \ a \ t3 = []
using assms by (clarify, simp add: ServiceCenter-L1)
```

#### 15.7 General properties of stream values

```
lemma streamValue1:

assumes h1: \forall j \leq D + (z::nat). str(t + j) = x

and h2: j \leq D

shows str(t + j + z) = x
```

```
proof -
   from h2 have sg1: j + z \leq D + z by arith
   have sg2:t + j + z = t + (j + z) by arith
   from h1 and sg1 and sg2 show ?thesis by (simp (no-asm-simp))
qed
lemma stream Value 2:
 assumes h1: \forall j \leq D + (z::nat). str(t + j) = x
             \forall j \leq D. \ str (t + j + z) = x
using assms by (clarify, simp add: streamValue1)
lemma stream Value 3:
 assumes h1: \forall j \leq D. str(t + j + (Suc y)) = x
    and h2:j \leq D
    and h3:str(t+y)=x
   shows str(t+j+y) = x
using assms
proof (induct j)
 case \theta
 from h3 show ?case by simp
next
 case (Suc j)
 from this show ?case by auto
qed
lemma stream Value 4:
 assumes h1: \forall j \leq D. str(t + j + (Suc y)) = x
    and h3:str(t+y)=x
             \forall j \leq D. \ str (t + j + y) = x
   shows
using assms
 by (clarify, simp add: stream Value 3)
\mathbf{lemma}\ \mathit{streamValue5}\colon
 assumes h1: \forall j \leq D. str(t+j+((i::nat)+k)) = x
    and h2:j \leq D
 shows
             str (t + i + k + j) = x
proof -
  have sg1:t + i + k + j = t + j + (i + k) by arith
  from assms and sq1 show ?thesis by (simp (no-asm-simp))
\mathbf{qed}
lemma stream Value 6:
 assumes h1: \forall j \leq D. str(t+j+((i::nat)+k)) = x
             \forall j \leq D. \ str \ (t + (i::nat) + k + j) = x
using assms by (clarify, simp add: streamValue5)
lemma stream Value 7:
 assumes h1: \forall j \leq d. str(t + i + k + d + Suc j) = x
    and h2:str(t + i + k + d) = x
```

```
and h3:j \leq Suc \ d
 shows
            str (t + i + k + d + j) = x
proof -
 from h1 have sg1:str(t+i+k+d+Sucd)=x
   by (simp\ (no-asm-simp),\ simp)
 from assms show ?thesis
 proof (cases j = Suc d)
   assume a1:j = Suc d
   from a1 and sg1 show ?thesis by simp
 next
   assume a2:j \neq Suc \ d
   from a2 and b3 have sg2:j \le d by auto
   from assms and sg2 show ?thesis
   proof (cases j > 0)
    assume a3:0 < j
    from a3 and h3 have sg3:j - (1::nat) \le d by simp
    from a3 have sg4:Suc (j - (1::nat)) = j by arith
    from sg3 and h1 and sg4 have sg5:str(t+i+k+d+j)=x by auto
    from sg5 show ?thesis by simp
   \mathbf{next}
    assume a \neq : \neg \theta < j
    from a4 have sg6:j = 0 by simp
    from h2 and sg6 show ?thesis by simp
   qed
 qed
qed
lemma stream Value 8:
 assumes h1: \forall j \leq d. str(t + i + k + d + Suc j) = x
    and h2:str(t + i + k + d) = x
           \forall j \leq Suc \ d. \ str \ (t+i+k+d+j) = x
using assms by (clarify, simp add: streamValue?)
\mathbf{lemma} \ \mathit{arith-streamValue9} \mathit{aux} \colon
Suc\ (t+(j+d)+(i+k)) = Suc\ (t+i+k+d+j)
by arith
lemma stream Value 9:
 assumes h1: \forall j \leq 2 * d. str(t + j + Suc(i + k)) = x
    and h2:j \leq d
            str (t + i + k + d + Suc j) = x
 shows
proof -
 from h2 have (j+d) \le 2 * d by arith
 from h1 and this have str(t + (j + d) + Suc(i + k)) = x by auto
 from this show ?thesis by (simp add: arith-stream Value 9 aux)
qed
```

```
lemma stream Value 10:
 assumes h1: \forall j \leq 2 * d. str(t + j + Suc(i + k)) = x
 shows
             \forall j \leq d. \ str \ (t + i + k + d + Suc \ j) = x
using assms
 apply clarify
 by (rule stream Value 9, auto)
lemma arith-sum1:(t::nat) + (i + k + d) = t + i + k + d
by arith
lemma arith-sum2:Suc\ (Suc\ (t+k+j)) = Suc\ (Suc\ (t+(k+j)))
by arith
lemma arith-sum 4:t + 3 + k + d = Suc (t + (2::nat) + k + d)
by arith
lemma stream Value 11:
assumes h1: \forall j \le 2 * d + (4 + k). lose (t + j) = x
    and h2:j \leq Suc \ d
            lose (t + 2 + k + j) = x
shows
proof -
 from h2 have sg1:2 + k + j \le 2 * d + (4 + k) by arith
 have sg2:Suc\ (Suc\ (t+k+j)) = Suc\ (Suc\ (t+(k+j))) by arith
 from sg1 and h1 have lose (t + (2 + k + j)) = x by blast
 from this and sg2 show ?thesis by (simp add: arith-sum2)
qed
lemma stream Value 12:
assumes h1: \forall j \le 2 * d + (4 + k). lose (t + j) = x
            \forall j \leq Suc \ d. \ lose \ (t+2+k+j) = x
using assms
 apply clarify by (rule stream Value 11, auto)
lemma stream Value 43:
 assumes h1: \forall j \leq 2 * d + ((4::nat) + k). lose (t + j) = [False]
 shows \forall j \le 2 * d. \ lose \ ((t + (3::nat) + k) + j) = [False]
proof -
 from h1 have sg1: \forall j \leq 2 * d. lose (t + j + (4 + k)) = [False]
   by (simp add: stream Value2)
 have sg2:Suc (3 + k) = (4 + k) by arith
 from sg1 and sg2 have sg3:\forall j \le 2 * d. lose (t + j + Suc (3 + k)) = [False]
   by (simp\ (no-asm-simp))
 from h1 have sq4:lose\ (t+(3+k))=[False] by auto
 from sg3 and sg4 have sg5: \forall j \le 2 * d. lose (t + j + (3 + k)) = [False]
   by (rule stream Value 4)
 from sg5 show ?thesis by (rule stream Value 6)
qed
end
```

```
theory Gateway-proof
imports Gateway-proof-aux
begin
```

# 15.8 Properties of the Gateway

```
lemma Gateway-L1:
 assumes h1:Gateway req dt a stop lose d ack i vc
    and h2:msg (Suc \theta) req
    and h3:msg (Suc \theta) a
    and h4:msg (Suc \theta) stop
    and h5:ts\ lose
    and h6:ack\ t = [init-state]
    and h7:req\ (Suc\ t)=[init]
    and h8:lose (Suc \ t) = [False]
    and h9:lose\ (Suc\ (Suc\ t)) = [False]
 shows ack (Suc (Suc t)) = [connection-ok]
proof -
 from h1 obtain i1 i2 x y
   where a1:Sample req dt x stop lose ack i1 vc
    and a2:Delay y i1 d x i2
    and a3:Loss lose a i2 y i
   by (simp only: Gateway-def, auto)
 from a2 and a3 and h3 have sg1:msg (Suc 0) x
   by (simp add: Loss-Delay-msg-a)
 from a1 and h2 and h4 and sg1 obtain st buffer where a4:
   tiTable-Sample T reg x stop lose
      (fin-inf-append [init-state] st) (fin-inf-append [[]] buffer) ack
       i1 \ vc \ st
    by (simp add: Sample-def Sample-L-def, auto)
 from a4 and b5 and sg1 and b4 have sg2:st\ t = bd\ (ack\ t)
   by (simp add: tiTable-ack-st-hd)
 from h6 and sg1 and sg2 and h4 have sg3:
  (fin-inf-append [init-state] st) (Suc t) = init-state)
   by (simp add: correct-fin-inf-append1)
 from a4 and h7 and sg3 have sg4:st (Suc t) = call
   by (simp add: tiTable-Sample T-def)
 from sg4 have sg5:(fin-inf-append [init-state] st) (Suc (Suc t)) = call
   by (simp add: correct-fin-inf-append1)
 from a4 and sg5 and assms show ?thesis
   by (simp add: tiTable-Sample T-def)
qed
```

```
lemma Gateway-L2:
 assumes h1: Gateway req dt a stop lose d ack i vc
    and h2:msg (Suc \theta) req
    and h3:msg (Suc \theta) a
    and h4:msg (Suc \theta) stop
    and h5:ts\ lose
    and h6:ack \ t = [connection-ok]
    and h7:reg (Suc \ t) = [send]
    and h8: \forall k \leq Suc \ d. \ lose \ (t + k) = [False]
 shows i (Suc (t + d)) = inf-last-ti dt t
proof -
 from h1 obtain i1 i2 x y
   where a1:Sample req dt x stop lose ack i1 vc
    and a2:Delay y i1 d x i2
    and a3:Loss lose a i2 y i
   by (simp only: Gateway-def, auto)
 from a2 and a3 and h3 have sq1:msq (Suc \theta) x
   by (simp add: Loss-Delay-msg-a)
 from a1 and h2 and h4 and sg1 obtain st buffer where a4:
   Sample-L req dt x stop lose (fin-inf-append [init-state] st)
       (fin-inf-append [[]] buffer) ack i1 vc st buffer
   by (simp add: Sample-def, auto)
 from a4 have sg2:buffer t = inf-last-ti dt t
   by (simp add: Sample-L-buffer)
 from assms and a1 and a4 and sq1 and sq2 have sq3:i1 (Suc t) = buffer t
   by (simp add: Sample-L-i1-buffer)
 from a2 and sq1 have sq4:i2 ((Suc t) + d) = i1 (Suc t)
   by (simp add: Delay-def)
 from a3 and h8 have sg5:i((Suc\ t) + d) = i2((Suc\ t) + d)
   by (simp add: Loss-def, auto)
 from sg5 and sg4 and sg3 and sg2 show ?thesis by simp
qed
lemma Gateway-L3:
 assumes h1:Gateway req dt a stop lose d ack i vc
    and h2:msq (Suc \theta) req
    and h3:msg (Suc \theta) a
    and h4:msg (Suc \theta) stop
    and h5:ts\ lose
    and h6:ack\ t = [connection-ok]
    and h7:req\ (Suc\ t) = [send]
    and h8: \forall k \leq Suc \ d. \ lose \ (t + k) = [False]
 shows ack (Suc t) = [sending-data]
proof -
 from h1 obtain i1 i2 x y
   where a1:Sample req dt x stop lose ack i1 vc
    and a2:Delay y i1 d x i2
    and a3:Loss lose a i2 y i
   by (simp only: Gateway-def, auto)
```

```
from a2 and a3 and h3 have sg1:msg (Suc \theta) x
   by (simp add: Loss-Delay-msg-a)
 from a1 and h2 and h4 and sg1 obtain st buffer where a4:
   tiTable-Sample T req x stop lose
      (fin-inf-append [init-state] st) (fin-inf-append [[]] buffer) ack
    by (simp add: Sample-def Sample-L-def, auto)
 from a4 and h5 and sq1 and h4 have sg2:st\ t = hd\ (ack\ t)
   by (simp add: tiTable-ack-st-hd)
 from sg2 and h6 have sg3:(fin-inf-append [init-state] st) (Suc t) = connection-ok
   by (simp add: correct-fin-inf-append1)
 from h8 have sg4:lose (Suc \ t) = [False] by auto
 from a4 and sg3 and sg4 and h7 have sg5:st (Suc t) = sending-data
   by (simp add: tiTable-SampleT-def)
 from a4 and h2 and sg1 and h4 and h5 have sg6:ack (Suc t) = [st (Suc t)]
   by (simp add: tiTable-ack-st)
 from sq5 and sq6 show ?thesis by simp
qed
lemma Gateway-L4:
 assumes h1:Gateway req dt a stop lose d ack i vc
    and h2:msg (Suc \theta) req
    and h3:msg (Suc \theta) a
    and h4:msg (Suc \theta) stop
    and h5:ts\ lose
    and h6:ack\ (t+d) = [sending-data]
    and h7:a (Suc t) = [sc-ack]
    and h8: \forall k \leq Suc \ d. \ lose \ (t + k) = [False]
 shows vc (Suc (t + d)) = [vc\text{-}com]
proof -
 from h1 obtain i1 i2 x y
   where a1:Sample req dt x stop lose ack i1 vc
    and a2:Delay y i1 d x i2
    and a3:Loss lose a i2 y i
   by (simp only: Gateway-def, auto)
 from a2 and a3 and h3 have sq1:msq (Suc 0) x
   by (simp add: Loss-Delay-msg-a)
 from a1 and h2 and h4 and sg1 obtain st buffer where a4:
   tiTable-Sample T req x stop lose
      (fin-inf-append [init-state] st) (fin-inf-append [[]] buffer) ack
       i1 \ vc \ st
    by (simp add: Sample-def Sample-L-def, auto)
 from a4 and b5 and sq1 and b4 have sq2:st (t+d) = bd (ack (t+d))
   by (simp add: tiTable-ack-st-hd)
 from sg2 and h6 have sg3:(fin-inf-append [init-state] st) (Suc <math>(t+d)) = sending-data
   by (simp add: correct-fin-inf-append1)
 from a3 and h8 have sg4:y (Suc t) = a (Suc t)
   by (simp add: Loss-def, auto)
 from a2 and sg1 have sg5:x((Suc\ t) + d) = y(Suc\ t)
```

```
by (simp add: Delay-def)
 from sg5 and sg4 and h7 have sg6: x (Suc (t + d)) = [sc\text{-}ack] by simp
 from h8 have sg7:lose\ (Suc\ (t+d)) = [False] by auto
 from sq6 and a4 and h2 and sg1 and h4 and h5 and sg7 and sg3 show
   by (simp add: tiTable-Sample T-def)
qed
lemma Gateway-L5:
 assumes h1: Gateway req dt a stop lose d ack i vc
    and h2:msg (Suc \theta) req
    and h3:msg (Suc \theta) a
    and h4:msg (Suc \theta) stop
    and h5:ts\ lose
    and h6:ack\ (t+d) = [sending-data]
    and h7: \forall j \leq Suc \ d. \ a \ (t+j) = []
    and h8: \forall k \leq (d+d). lose (t+k) = [False]
 shows j \leq d \longrightarrow ack \ (t+d+j) = [sending-data]
proof -
 from h1 obtain i1 i2 x y
   where a1:Sample req dt x stop lose ack i1 vc
    and a2:Delay y i1 d x i2
    and a3:Loss lose a i2 y i
   by (simp only: Gateway-def, auto)
 from a2 and a3 and h3 have sg1:msg (Suc 0) x
   by (simp add: Loss-Delay-msg-a)
 from a1 and h2 and h4 and sg1 obtain st buffer where a4:
   tiTable-Sample T req x stop lose
      (fin-inf-append [init-state] st) (fin-inf-append [[]] buffer) ack
       i1\ vc\ st
    by (simp add: Sample-def Sample-L-def, auto)
 from assms and a2 and a3 and sg1 and a4 show ?thesis
 proof (induct j)
   case \theta
   from \theta show ?case by simp
 next
   case (Suc \ j)
   from Suc show ?case
   proof (cases Suc j \leq d)
    assume \neg Suc j \leq d from this show ?thesis by simp
   \mathbf{next}
    assume a\theta:Suc j \leq d
    from a0 have sg2:d + Suc j \leq d + d by arith
    from sg2 have sg3:Suc (d + j) \le d + d by arith
    from a4 and h2 and sg1 and h4 and h5 have sg4:
     st (t+d+j) = hd (ack (t+d+j))
      by (simp add: tiTable-ack-st-hd)
    from Suc and a\theta and sg4 have sg5:
     (fin-inf-append [init-state] st) (Suc (t+d+j)) = sending-data
```

```
by (simp add: correct-fin-inf-append1)
    from h7 and a0 have sg6: \forall j \leq d. a (t + Suc j) = [] by auto
    from sg6 and a3 and a0 and h5 have sg7:y (t + (Suc j)) = []
      by (rule\ Loss-L5Suc)
    from sg7 and a2 have sg8a:x (t + d + (Suc j)) = []
      by (simp add: Delay-def)
    from sg8a have sg8:x (Suc\ (t+d+j)) = [] by simp
    have sg9:Suc\ (t+d+j)=Suc\ (t+(d+j)) by arith
    from a4 have sq10:
      fin-inf-append [init-state] st (Suc (t + d + j)) = sending-data \land
       x \left( Suc \left( t + d + j \right) \right) = [] \land
       lose (Suc (t + d + j)) = [False] \longrightarrow
       ack (Suc (t + d + j)) = [sending-data]
      by (simp add: tiTable-SampleT-def)
    from h8 and sg3 have sg11:lose (t + Suc (d + j)) = [False] by blast
    have sg12:Suc\ (t+d+j)=t+Suc\ (d+j) by arith
    from sg12 and sg11 have sg13:lose (Suc (t + d + j)) = [False]
      by (simp\ (no-asm-simp),\ simp)
    from sg10 and sg5 and sg8a and sg13 show ?thesis by simp
   qed
 qed
qed
lemma Gateway-L6-induction:
assumes h1:msg (Suc \theta) req
    and h2:msq (Suc \theta) x
    and h3:msg (Suc \theta) stop
    and h4:ts lose
    and h5: \forall j \leq k. lose (t + j) = [False]
    and h6: \forall m \leq k. \ req \ (t+m) \neq [send]
    and h7:ack \ t = [connection-ok]
    and h8:Sample req dt x1 stop lose ack i1 vc
    and h9:Delay x2 i1 d x1 i2
    and h10:Loss lose x i2 x2 i
    and h11:m \leq k
shows ack (t + m) = [connection-ok]
using assms
proof (induct m)
 case \theta from this show ?case by simp
next
 case (Suc\ m)
 from Suc have sg1:msg (Suc \ \theta) x1 by (simp \ add: \ Loss-Delay-msg-a)
 from Suc and sq1 obtain st buffer where
   a1:tiTable-SampleT req x1 stop lose (fin-inf-append [init-state] st)
       (fin-inf-append [[]] buffer) ack i1 vc st and
   a2: \forall t. buffer t = (if dt t = [] then fin-inf-append [[]] buffer t else dt t)
   by (simp add: Sample-def Sample-L-def, auto)
 from a1 and sg1 and h3 and h4 have sg2:st(t+m) = hd(ack(t+m))
   by (simp add: tiTable-ack-st-hd)
```

```
from Suc have sg3:ack\ (t+m) = [connection-ok] by simp
 from a1 and sg2 and sg3 have sg4:
 (fin-inf-append [init-state] st) (Suc (t + m)) = connection-ok
   by (simp add: fin-inf-append-def)
 from Suc have sq5:Suc m \le k by simp
 from sg5 and h5 have sg6:lose (Suc (t + m)) = [False] by auto
 from h6 and sg5 have sg7:req\ (Suc\ (t+m)) \neq [send] by auto
 from a1 and sg3 and sg4 and sg5 and sg6 and sg7 show ?case
   by (simp add: tiTable-Sample T-def)
qed
lemma Gateway-L6:
assumes h1:Gateway req dt a stop lose d ack i vc
    and h2: \forall m \leq k. \ req \ (t+m) \neq [send]
    and h3: \forall j \leq k. lose (t + j) = [False]
    and h4:ack\ t = [connection-ok]
    and h5:msq (Suc \theta) req
    and h6:msg (Suc \theta) stop
    and h7:msg (Suc \theta) a
    and h8:ts\ lose
shows \forall m \leq k. \ ack \ (t + m) = [connection-ok]
using assms
by (simp add: Gateway-def, clarify, simp add: Gateway-L6-induction)
lemma Gateway-L6a:
assumes h1:Gateway req dt a stop lose d ack i vc
    and h2: \forall m \leq k. \ req \ (t + 2 + m) \neq [send]
    and h3: \forall j \leq k. lose (t + 2 + j) = [False]
    and h4:ack\ (t+2) = [connection-ok]
    and h5:msg (Suc \theta) req
    and h6:msg (Suc \theta) stop
    and h7:msg (Suc \theta) a
    and h8:ts lose
shows \forall m \le k. ack (t + 2 + m) = [connection-ok]
using assms by (rule Gateway-L6)
lemma aux-k3req:
assumes h1: \forall m < k + 3. req (t + m) \neq [send] and h2: m \leq k
shows req (Suc\ (Suc\ (t+m))) \neq [send]
proof -
 from h2 have m + 2 < k + 3 by arith
 from h1 and this have req (t + (m + 2)) \neq [send] by blast
 from this show ?thesis by simp
qed
lemma aux3lose:
 assumes h1: \forall j \le k + d + 3. lose (t + j) = [False]
    and h2:j \leq k
 shows lose (Suc\ (Suc\ (t+j))) = [False]
```

```
proof -
 from h2 have j + 2 \le k + d + 3 by arith
 from h1 and this have lose (t + (j + 2)) = [False] by blast
 from this show ?thesis by simp
ged
lemma Gateway-L7:
assumes h1:Gateway req dt a stop lose d ack i vc
    and h2:ts lose
    and h3:msg (Suc \theta) a
    and h4:msg (Suc \theta) stop
    and h5:msg (Suc \theta) req
    and h\theta:req (Suc t) = [init]
    and h7: \forall m < (k+3). req (t+m) \neq [send]
    and h8:reg\ (t + 3 + k) = [send]
    and h9:ack\ t = [init-state]
    and h10: \forall j \le k + d + 3. lose (t + j) = [False]
    and h11: \forall t1 \leq t. req t1 = []
 shows \forall t2 < (t + 3 + k + d). i t2 = []
proof -
 have Suc \ \theta \leq k + d + 3 by arith
 from h10 and this have lose (t + Suc \ 0) = [False] by blast
 from this have sg1:lose (Suc \ t) = [False] by simp
 have Suc\ (Suc\ \theta) \le k + d + 3 by arith
 from h10 and this have lose (t + Suc (Suc 0)) = [False] by blast
 from this have sg2:lose\ (Suc\ (Suc\ t)) = [False] by simp
 from h1 and h2 and h3 and h4 and h5 and h6 and h9 and sq1 and sq2
have sq3:
  ack (t + 2) = [connection-ok]
   by (simp add: Gateway-L1)
from h7 and this have sg4: \forall m \leq k. req ((t+2)+m) \neq [send]
   by (auto, simp add: aux-k3req)
 from h10 have sg5: \forall j \leq k. lose ((t + 2) + j) = [False]
   by (auto, simp add: aux3lose)
 from h1 and sg4 and sg5 and sg3 and h5 and h4 and h3 and h2 have sg6:
  \forall m \leq k. \ ack \ ((t+2)+m) = [connection-ok]
   by (rule Gateway-L6a)
 from sg6 have sg7:ack (t + 2 + k) = [connection-ok] by auto
 from h1 obtain i1 i2 x y where
   a1:Sample req dt x stop lose ack i1 vc and
   a2:Delay y i1 d x i2 and
   a3:Loss lose a i2 y i
   by (simp add: Gateway-def, auto)
 from h3 and a2 and a3 have sg8:msg (Suc 0) x
   by (simp add: Loss-Delay-msg-a)
 from a1 and sg8 and h4 and h5 obtain st buffer where
   a4:tiTable-SampleT req x stop lose (fin-inf-append [init-state] st)
       (fin-inf-append [[]] buffer) ack i1 vc st and
   a5: \forall t. buffer t = (if dt t = [] then fin-inf-append [[]] buffer t else dt t)
```

```
by (simp add: Sample-def Sample-L-def, auto)
 from a4 and h2 and sg8 and h4 and h11 and h6 and h7 and sg6 and h10
 have sg9: \forall t1 < (t + 3 + k). i1 t1 = []
   by (simp add: tiTable-i1-4)
 from sg9 and a2 have sg10: \forall t2 < (t + 3 + k + d). i2 t2 = []
   by (rule Delay-L2)
 from sg10 and a3 and h2 show ?thesis by (rule Loss-L2)
qed
lemma Gateway-L8a:
 assumes h1:Gateway req dt a stop lose d ack i vc
    and h2:msg (Suc \theta) req
    and h3:msg (Suc \theta) stop
    and h4:msg (Suc \theta) a
    and h5:ts\ lose
    and h6: \forall j \leq 2 * d. lose (t + j) = [False]
     and h7:ack\ t = [sending-data]
    and h8: \forall t3 \leq t + d. a t3 = []
    and h9:x \leq d+d
 shows ack (t + x) = [sending-data]
proof -
 from h1 obtain i1 i2 x y where
   a1:Sample req dt x stop lose ack i1 vc and
   a2:Delay\ y\ i1\ d\ x\ i2\ {\bf and}
   a3:Loss lose a i2 y i
   by (simp add: Gateway-def, auto)
 from h8 and a3 and h5 have sg1: \forall t3 \leq t + d. y t3 = [] by (rule Loss-L6)
 from sg1 and a2 have sg2:\forall t4 \leq t + d + d. x t4 = [] by (rule Delay-L4)
 from h4 and a2 and a3 have sg3:msg (Suc 0) x by (simp add: Loss-Delay-msg-a)
 from h3 and h5 and h2 and sg3 and h6 and h7 and a1 and h9 and sg2
show ?thesis
   by (simp add: Sample-sending-data)
qed
lemma Gateway-L8:
 assumes h1:Gateway reg dt a stop lose d ack i vc
     and h2:msg (Suc \theta) req
     and h3:msg (Suc \theta) stop
     and h4:msg (Suc \theta) a
    and h5:ts\ lose
    and h6: \forall j \leq 2 * d. lose (t + j) = [False]
    and h7:ack\ t = [sending-data]
     and h8: \forall t3 \le t + d. \ a \ t3 = []
 shows \forall x \leq d + d. ack (t + x) = [sending-data]
using assms
 by (simp add: Gateway-L8a)
```

# 15.9 Proof of the Refinement Relation for the Gateway Requirements

```
lemma Gateway-L0:
assumes h1:Gateway req dt a stop lose d ack i vc
shows GatewayReq req dt a stop lose d ack i vc
using assms
by (simp add: GatewayReq-def Gateway-L1 Gateway-L2 Gateway-L3 Gateway-L4)
```

# 15.10 Lemmas about Gateway Requirements

```
lemma GatewayReg-L1:
 assumes h1:msg (Suc \theta) req
     and h2:msg (Suc \theta) stop
     and h3:msg (Suc \theta) a
    and h4:ts lose
     and h6:req\ (t + 3 + k) = [send]
     and h7: \forall j \le 2 * d + (4 + k). lose (t + j) = [False]
     and h9: \forall m \leq k. ack (t + 2 + m) = [connection-ok]
     and h10: GatewayReg reg dt a stop lose d ack i vc
shows ack (t + 3 + k) = [sending-data]
proof -
 from h9 have sg1:ack (Suc (Suc (t + k))) = [connection-ok] by auto
 from h? have sg2:
  \forall ka \leq Suc \ d. \ lose \ (Suc \ (t + k + ka))) = [False]
   by (simp add: aux-lemma-lose-1)
 from h1 and h2 and h3 and h4 and h6 and h10 and sq1 and sq2 have sq3:
  ack (t + 2 + k) = [connection-ok] \land
   req (Suc (t + 2 + k)) = [send] \land (\forall k \leq Suc \ d. \ lose (t + k) = [False]) \longrightarrow
   ack (Suc (t + 2 + k)) = [sending-data]
   by (simp add: GatewayReq-def)
 have sg4:t+3+k=Suc\ (Suc\ (Suc\ (t+k))) by arith
 from sg3 and sg1 and h6 and h7 and sg4 show ?thesis
   by (simp add: eval-nat-numeral)
qed
lemma GatewayReq-L2:
assumes h1:msg (Suc 0) req
    and h2:msg (Suc \theta) stop
    and h3:msg (Suc \theta) a
     and h4:ts lose
    and h5:GatewayReg reg dt a stop lose d ack i vc
     and h6:reg (t + 3 + k) = [send]
     and h7:inf-last-ti \ dt \ t \neq []
     and h8: \forall j \le 2 * d + (4 + k). lose (t + j) = [False]
     and h9: \forall m \leq k. \ ack \ (t + 2 + m) = [connection-ok]
 shows i (t + 3 + k + d) \neq []
proof -
 from h8 have sg1:(\forall (x::nat). x \leq (d+1) \longrightarrow lose (t+x) = [False])
   by (simp add: aux-lemma-lose-2)
```

```
from h8 have sg2:\forall ka \leq Suc\ d.\ lose\ (Suc\ (Suc\ (t+k+ka))) = [False] by (simp\ add:\ aux\text{-}lemma\text{-}lose\text{-}1) from h9 have sg3:ack\ (t+2+k) = [connection\text{-}ok] by simp from h1 and h2 and h3 and h4 and h5 and h6 and sg2 and sg3 have sg4:ack\ (t+2+k) = [connection\text{-}ok] \land req\ (Suc\ (t+2+k)) = [send] \land (\forall k \leq Suc\ d.\ lose\ (t+k) = [False]) \longrightarrow i\ (Suc\ (t+2+k+d)) = inf\text{-}last\text{-}ti\ dt\ (t+2+k) by (simp\ add:\ GatewayReq\text{-}def,\ auto) from h7 have sg5:inf\text{-}last\text{-}ti\ dt\ (t+2+k) \neq [] by (simp\ add:\ inf\text{-}last\text{-}ti\text{-}nonempty\text{-}k) have sg6:t+3+k=Suc\ (Suc\ (Suc\ (t+k))) by arith have sg7:t+2+k=Suc\ (Suc\ (t+k)) by arith from sg1\ and\ sg2\ and\ sg3\ and\ sg4\ and\ sg5\ and\ sg6\ and\ sg7\ and\ h6\ show ?thesis by (simp\ add:\ eval\text{-}nat\text{-}numeral) qed
```

### 15.11 Properties of the Gateway System

```
lemma Gateway System-L1 aux:
 assumes h1:msg (Suc \theta) req
      and h2:msg (Suc \theta) stop
      and h3:msg (Suc \theta) a
      and h4:ts lose
      and h5:msg~(Suc~\theta)~req~\wedge~msg~(Suc~\theta)~a~\wedge~msg~(Suc~\theta)~stop~\wedge~ts~lose~\longrightarrow
        (\forall t. (ack \ t = [init\text{-}state] \land
          req (Suc \ t) = [init] \land lose (Suc \ t) = [False] \land
          lose (Suc (Suc t)) = [False] \longrightarrow
          ack (Suc (Suc t)) = [connection-ok]) \land
         (ack \ t = [connection-ok] \land reg \ (Suc \ t) = [send] \land
         (\forall k \leq Suc \ d. \ lose \ (t + k) = [False]) \longrightarrow
          i (Suc (t + d)) = inf-last-ti dt t \wedge ack (Suc t) = [sending-data]) \wedge
         (ack\ (t+d) = [sending-data] \land a\ (Suc\ t) = [sc-ack] \land
          (\forall k \leq Suc \ d. \ lose \ (t + k) = [False]) \longrightarrow
          vc (Suc (t + d)) = [vc\text{-}com])
 shows ack (t + 3 + k + d + d) = [sending-data] \land
          a \left( Suc \left( t + 3 + k + d \right) \right) = \left[ sc\text{-}ack \right] \wedge
         (\forall ka \leq Suc \ d. \ lose \ (t+3+k+d+ka) = [False]) \longrightarrow
         vc (Suc (t + 3 + k + d + d)) = [vc\text{-}com]
using assms by blast
lemma Gateway System-L3 aux:
  assumes h1:msg (Suc \theta) req
      and h2:msg (Suc \theta) stop
      and h3:msg (Suc \theta) a
      and h4:ts\ lose
      and h5:msg~(Suc~\theta)~req~\wedge~msg~(Suc~\theta)~a~\wedge~msg~(Suc~\theta)~stop~\wedge~ts~lose~\longrightarrow
        (\forall t. (ack \ t = [init\text{-}state] \land
          reg (Suc \ t) = [init] \land lose (Suc \ t) = [False] \land
```

```
lose (Suc (Suc t)) = [False] \longrightarrow
         ack (Suc (Suc t)) = [connection-ok]) \land
        (ack \ t = [connection-ok] \land req \ (Suc \ t) = [send] \land
        (\forall k \leq Suc \ d. \ lose \ (t + k) = [False]) \longrightarrow
         i (Suc (t + d)) = inf-last-ti dt t \wedge ack (Suc t) = [sending-data]) \wedge
        (ack\ (t+d) = [sending-data] \land a\ (Suc\ t) = [sc-ack] \land
         (\forall k \leq Suc \ d. \ lose \ (t + k) = [False]) \longrightarrow
         vc (Suc (t + d)) = [vc\text{-}com])
 shows ack (t + 2 + k) = [connection-ok] \land
        req (Suc (t + 2 + k)) = [send] \land
        (\forall j \leq Suc \ d. \ lose \ (t + 2 + k + j) = [False]) \longrightarrow
        i \left( Suc \left( t + 2 + k + d \right) \right) = inf-last-ti \ dt \left( t + 2 + k \right)
using assms by blast
lemma GatewaySystem-L1:
assumes h2:ServiceCenter i a
    and h3:GatewayReq req dt a stop lose d ack i vc
    and h4:msg (Suc \theta) req
    and h5:msg (Suc \theta) stop
    and h\theta:msq (Suc \theta) a
    and h7:ts\ lose
    and h9: \forall j \le 2 * d + (4 + k). lose (t + j) = [False]
    and h11:i (t + 3 + k + d) \neq []
    and h14: \forall x \leq d+d. ack (t+3+k+x) = [sending-data]
shows vc (2 * d + (t + (4 + k))) = [vc\text{-}com]
proof -
  from h2 have \forall t. a (Suc t) = (if i t = [] then [] else [sc-ack])
   by (simp add:ServiceCenter-def)
 from this have sg1:
   a \left( Suc \left( t + 3 + k + d \right) \right) = \left( if i \left( t + 3 + k + d \right) = \left[ \right] then \left[ \right] else \left[ sc\text{-}ack \right] \right)
 from sg1 and h11 have sg2:a (Suc\ (t+3+k+d)) = [sc\text{-}ack] by auto
 from h14 have sg3:ack\ (t+3+k+2*d) = [sending-data] by simp
 from h4 and h5 and h6 and h7 and h3 have sg4:
    ack (t + 3 + k + d + d) = [sending-data] \land a (Suc (t + 3 + k + d)) =
[sc\text{-}ack] \wedge
    (\forall ka \leq Suc \ d. \ lose \ (t+3+k+d+ka) = [False]) \longrightarrow
    vc (Suc (t + 3 + k + d + d)) = [vc\text{-}com]
   \mathbf{apply} \ (simp \ only: \ GatewayReq\text{-}def)
   by (rule GatewaySystem-L1aux, auto)
  from h9 have sg5: \forall ka \leq Suc \ d. \ lose \ (d + (t + (3 + k)) + ka) = [False]
   by (simp add: aux-lemma-lose-3)
 have sg5a:d + (t + (3 + k)) = t + 3 + k + d by arith
 from sg5 and sg5a have sg5b: \forall ka \leq Suc\ d.\ lose\ (t+3+k+d+ka) = [False]
by auto
 have sq6:(t+3+k+2*d) = (2*d+(t+(3+k))) by arith
  have sg7:Suc\ (Suc\ (Suc\ (t+k+(d+d)))) = Suc\ (Suc\ (t+k+d+d))
d))) by arith
```

```
have sg8:Suc\ (Suc\ (Suc\ (Suc\ (t+k+d+d)))) =
         Suc (Suc (Suc (d + d + (t + k))))) by arith
 from sg4 and sg3 and sg2 and sg5b and sg6 and sg7 and sg8 show ?thesis
   by (simp add: eval-nat-numeral)
qed
lemma aux4lose1:
 assumes h1: \forall j \leq 2 * d + (4 + k). lose (t + j) = [False]
    and h2:j \leq k
 shows lose (t + (2::nat) + j) = [False]
 from h2 have (2::nat) + j \le (2::nat) * d + (4 + k) by arith
 from h1 and this have lose (t + (2 + j)) = [False] by blast
 from this show ?thesis by simp
qed
lemma aux4lose2:
 assumes h1: \forall j \le 2 * d + (4 + k). lose (t + j) = [False]
    and h2:3 + k + d \le 2 * d + (4 + k)
 shows lose (t + (3::nat) + k + d) = [False]
proof -
 from assms have lose (t + ((3::nat) + k + d)) = [False] by blast
 from this show ?thesis by (simp add: arith-sum1)
qed
lemma aux4req:
 assumes h1:\forall (m::nat) \leq k + 2. req(t+m) \neq [send]
    and h2:m \leq k
    and h3:req\ (t+2+m)=[send]
 shows False
proof -
 from h2 have (2::nat) + m \le k + (2::nat) by arith
 from h1 and this have req (t + (2 + m)) \neq [send] by blast
 from this and h3 show ?thesis by simp
qed
lemma GatewaySystem-L2:
assumes h1:Gateway req dt a stop lose d ack i vc
    and h2:ServiceCenter i a
    and h3:GatewayReq req dt a stop lose d ack i vc
    and h4:msg (Suc \theta) req
    and h5:msg (Suc \theta) stop
    and h6:msg (Suc \theta) a
    and h7:ts lose
    and h8:ack\ t = [init-state]
    and h9:reg\ (Suc\ t)=[init]
    and h10: \forall t1 \leq t. req t1 = []
```

```
and h11: \forall m \leq k + 2. req (t + m) \neq [send]
    and h12:req\ (t + 3 + k) = [send]
    and h13:inf-last-ti\ dt\ t \neq []
    and h14: \forall j \le 2 * d + (4 + k). lose (t + j) = [False]
shows vc (2 * d + (t + (4 + k))) = [vc\text{-}com]
proof -
 have Suc 0 \le 2 * d + (4 + k) by arith
 from h14 and this have lose (t + Suc \ \theta) = [False] by blast
 from this have sg1:lose\ (Suc\ t) = [False] by simp
 have Suc\ (Suc\ \theta) \le 2*d + (4+k) by arith
 from h14 and this have lose (t + Suc\ (Suc\ \theta)) = [False] by blast
 from this have sg2:lose\ (Suc\ (Suc\ t)) = [False] by simp
 from h3 and h4 and h5 and h6 and h7 and h8 and h9 and sg1 and sg2
have sg3:
  ack (t + 2) = [connection-ok]
   by (simp add: GatewayReg-def)
 from h14 have sg4: \forall j \leq k. \ lose \ (t+2+j) = [False]
   by (clarify, rule aux4lose1, simp)
 from h11 have sg5: \forall m \leq k. req (t + 2 + m) \neq [send]
   by (clarify, rule aux4req, auto)
 from h1 and sg5 and sg4 and sg3 and h4 and h5 and h6 and h7 have sg6:
  \forall m \leq k. \ ack \ (t + 2 + m) = [connection-ok]
   by (rule Gateway-L6)
  from h3 and h4 and h5 and h6 and h7 and h12 and h14 and sg6 have
  ack (t + 3 + k) = [sending-data]
   by (simp add: GatewayReq-L1)
 from h3 and h4 and h5 and h6 and h7 and h12 and h13 and h14 and sg6
have sg11:
  i (t + 3 + k + d) \neq []
   by (simp add: GatewayReq-L2)
 from h11 have sg12: \forall m < k + 3. req (t + m) \neq [send] by auto
 from h14 have sq13: \forall j \le k + d + 3. lose (t + j) = [False] by auto
 from h1 and h7 and h6 and h5 and h4 and h9 and sg12 and h12 and h8
and sq13 and h10
   have sg14: \forall t2 < (t + 3 + k + d). i t2 = []
   by (simp add: Gateway-L7)
 from sg14 and h2 have sg15: \forall t3 \le (t+3+k+d). at3 = []
   by (simp add: ServiceCenter-L2)
 from h14 have sq18: \forall j \le 2 * d. lose ((t + 3 + k) + j) = [False]
   by (simp add: stream Value 43)
 from h14 have sg16a: \forall j \le 2 * d. lose (t + j + (4 + k)) = [False]
   by (simp add: stream Value2)
 have sg16b:Suc\ (3 + k) = (4 + k) by arith
  from sg16a and sg16b have sg16: \forall j \le 2 * d. lose (t + j + Suc (3 + k)) =
[False]
```

```
by (simp\ (no-asm-simp))
 from h1 and h4 and h5 and h6 and h7 and sg18 and sg10 and sg15 have
sg19:
   \forall x \leq d + d. \ ack \ (t + 3 + k + x) = [sending-data]
    by (simp add: Gateway-L8)
 from sq19 have sq19a:ack (t + 3 + k + d + d) = [sending-data] by auto
 from sg16 have sg20a: \forall j \leq d. lose (t + 3 + k + d + (Suc j)) = [False]
   by (rule stream Value 10)
 have sg20b:3 + k + d \le 2 * d + (4 + k) by arith
 from h14 and sg20b have sg20c:lose (t + 3 + k + d) = [False]
   by (rule aux4lose2)
  from sg20a and sg20c have sg20: \forall j \leq Suc d. lose (t + 3 + k + d + j) =
[False]
   by (rule stream Value 8)
 from h4 and h5 and h6 and h7 and h3 have sq21:
    ack (t + 3 + k + d + d) = [sending-data] \land
     a \left( Suc \left( t + 3 + k + d \right) \right) = \left[ sc\text{-}ack \right] \wedge
     (\forall j \leq Suc \ d. \ lose \ (t + 3 + k + d + j) = [False]) \longrightarrow
     vc (Suc (t + 3 + k + d + d)) = [vc\text{-}com]
    apply (simp only: GatewayReq-def)
    by (rule GatewaySystem-L1aux, auto)
  from h2 and sg11 have sg22:a (Suc (t + 3 + k + d)) = [sc-ack]
    by (simp only: ServiceCenter-def, auto)
  from sg21 and sg19a and sg22 and sg20 have sg23:
    vc (Suc (t + 3 + k + d + d)) = [vc\text{-}com] by simp
  have sg24:2*d+(t+(4+k))=(Suc\ (t+3+k+d+d)) by arith
  from sg23 and sg24 show ?thesis
    by (simp\ (no-asm-simp),\ simp)
qed
lemma GatewaySystem-L3:
assumes h1: Gateway req dt a stop lose d ack i vc
    and h2:ServiceCenter i a
    and h3:GatewayReq req dt a stop lose d ack i vc
    and h4:msq (Suc \theta) req
    and h5:msg (Suc \theta) stop
    and h6:msq (Suc \theta) a
    and h7:ts\ lose
    and h8: dt (Suc \ t) \neq [] \lor dt (Suc \ (Suc \ t)) \neq []
    and h9: ack t = [init\text{-}state]
    and h10:req\ (Suc\ t)=[init]
    and h11: \forall t1 \leq t. req t1 = []
    and h12: \forall m \leq k + 2. req (t + m) \neq [send]
    and h13:req\ (t + 3 + k) = [send]
    and h14: \forall j \le 2 * d + (4 + k). lose (t + j) = [False]
shows vc (2 * d + (t + (4 + k))) = [vc\text{-}com]
proof -
 have Suc 0 \le 2 * d + (4 + k) by arith
```

```
from h14 and this have lose (t + Suc \ \theta) = [False] by blast
 from this have sg1:lose\ (Suc\ t) = [False] by simp
 have Suc\ (Suc\ \theta) \le 2*d + (4+k) by arith
 from h14 and this have lose (t + Suc (Suc \theta)) = [False] by blast
 from this have sq2:lose\ (Suc\ (Suc\ t)) = [False] by simp
 from h3 and h4 and h5 and h6 and h7 and h10 and h9 and sq1 and sq2
have sq3:
  ack (t + 2) = [connection-ok]
   by (simp add: GatewayReq-def)
 from h14 have sg4: \forall j \leq k. \ lose \ (t + 2 + j) = [False]
   by (clarify, rule aux4lose1, simp)
 from h12 have sg5: \forall m \leq k. req (t + 2 + m) \neq [send]
   by (clarify, rule aux4req, auto)
 from h1 and sg5 and sg4 and sg3 and h4 and h5 and h6 and h7 have sg6:
  \forall m < k. \ ack \ (t + 2 + m) = [connection-ok]
   by (rule Gateway-L6)
 from sg6 have sg6a:ack (t + 2 + k) = [connection-ok] by simp
  from h3 and h4 and h5 and h6 and h7 and h13 and h14 and sg6 have
sg10:
  ack (t + 3 + k) = [sending-data]
   by (simp\ add:\ GatewayReq-L1)
 from h3 and h4 and h5 and h6 and h7 have sg11a:
  ack (t + 2 + k) = [connection-ok] \land
   reg (Suc (t + 2 + k)) = [send] \land
   (\forall j \leq Suc \ d. \ lose \ ((t+2+k)+j) = [False]) \longrightarrow
   i \left( Suc \left( t + (2::nat \right) + k + d \right) \right) = inf-last-ti \ dt \left( t + 2 + k \right)
   \mathbf{apply} \ (simp \ only: \ GatewayReq\text{-}def)
   by (rule GatewaySystem-L3aux, auto)
 have sg12:Suc (t + 2 + k) = t + 3 + k by arith
 from h13 and sg12 have sg12a:req (Suc (t + 2 + k)) = [send]
   by (simp add: eval-nat-numeral)
 from h14 have sg13: \forall j \leq Suc \ d. \ lose \ ((t+2+k)+j) = [False]
   by (rule stream Value 12)
 from sq11a and sq6a and h13 and sq12a and sq13 have sq14:
   i \left( Suc \left( t + (2::nat \right) + k + d \right) \right) = inf-last-ti \ dt \left( t + 2 + k \right)  by simp
 from h8 have sg15:inf-last-ti\ dt\ (t+2+k)\neq []
   by (rule inf-last-ti-Suc2)
 from sg14 and sg15 have sg16: i(t + 3 + k + d) \neq []
   by (simp add: arith-sum4)
 from h14 have sg17: \forall j \le k + d + 3. lose (t + j) = [False] by auto
 from h12 have sg18: \forall m < (k+3). req (t+m) \neq [send] by auto
 from h1 and h4 and h5 and h6 and h7 and h10 and sg18 and h13 and h9
and sg17 and h11
   have sg19: \forall t2 < (t + 3 + k + d). i t2 = []
   by (simp add: Gateway-L7)
 from h2 and sg19 have sg20: \forall t3 \le (t+3+k+d). at3 = []
```

```
by (simp add: ServiceCenter-L2) from h14 have sg21: \forall j \leq 2*d. lose (t+3+k+j) = [False] by (simp add: streamValue43) from h1 and h4 and h5 and h6 and h7 and sg21 and sg10 and sg20 have sg22: \forall x \leq d+d. ack (t+3+k+x) = [sending-data] by (simp add: Gateway-L8) from h2 and h3 and h4 and h5 and h6 and h7 and h14 and sg16 and sg22 show ?thesis by (simp add: GatewaySystem-L1) qed
```

# 15.12 Proof of the Refinement for the Gateway System

```
lemma GatewaySystem-L0:
assumes h1: GatewaySystem\ req\ dt\ stop\ lose\ d\ ack\ vc
shows
           GatewaySystemReq req dt stop lose d ack vc
proof -
 from h1 obtain x i where
   a1:Gateway req dt x stop lose d ack i vc and
   a2:ServiceCenter\ i\ x
   by (simp add: GatewaySystem-def, auto)
 from a1 have sg1: GatewayReq req dt x stop lose d ack i vc
   by (simp \ add: \ Gateway-L0)
 from a2 have sg2:msg (Suc \theta) x
   by (simp add: ServiceCenter-a-msg)
 from h1 and a1 and a2 and sq1 and sq2 show ?thesis
   apply (simp add: GatewaySystemReq-def, auto)
   apply (simp add: GatewaySystem-L3)
   apply (simp add: GatewaySystem-L3)
   apply (simp add: GatewaySystem-L3)
   by (simp add: GatewaySystem-L2)
qed
```

 $\mathbf{end}$ 

# References

- [1] S. Berghofer. Isabelle/HOL Filter Theory, 2005.
- [2] M. Broy and K. Stølen. Specification and Development of Interactive Systems: Focus on Streams, Interfaces, and Refinement. Springer, 2001.
- [3] FlexRay Consortium. http://www.flexray.com.
- [4] FlexRay Consortium. FlexRay Communication System Protocol Specification Version 2.0, 2004.
- [5] C. Kühnel and M. Spichkova. Fault-Tolerant Communication for Distributed Embedded Systems. In *Software Engineering and Fault Tolerance*, Series on Software Engineering and Knowledge Engineering, 2007.
- [6] T. Nipkow, L. C. Paulson, and M. Wenzel. *Isabelle/HOL A Proof Assistant for Higher-Order Logic*. LNCS. Springer, 2013.
- [7] M. Spichkova. Specification and Seamless Verification of Embedded Real-Time Systems: FOCUS on Isabelle. PhD thesis, 2007.