-- Proof score for inv9, by induction on reachable states: the base case
-- (module INV, initial state init) followed by one inductive step per
-- transition (module ISTEP, successor state s'), each split into cases on
-- the shape of the queues.  Every `red` below is expected to reduce to
-- true; a passage of the form `red L implies istep9 .` discharges its case
-- only under lemma L, so the result rests on the proof scores of
-- queue-lemma1..7, inv2 and inv11, which live outside this file.
-- NOTE(review): INV, ISTEP, istep9, inv9 and the lemmas are declared
-- elsewhere.  The line breaks here were restored from a collapsed copy:
-- a `--` alone on a line is a separator, a `-- eq ...` line is the
-- original assumption kept for reference above its expansion -- confirm
-- against the original layout.
-- I) Base case
--> (pfifo1 @ (pair1 , (pair2 , pfifo2))) = empty
open INV
-- assumptions
  eq (pfifo1 @ (pair1 , (pair2 , pfifo2))) = empty .
-- check
  red queue-lemma6(pfifo1, (pair1 , (pair2 , pfifo2))) implies inv9(init,pair1,pair2,pair3,pfifo1,pfifo2) .
close
--> ~((pfifo1 @ (pair1 , (pair2 , pfifo2))) = empty)
open INV
-- assumptions
  eq ((pfifo1 @ (pair1 , (pair2 , pfifo2))) = empty) = false .
-- check
  red inv9(init,pair1,pair2,pair3,pfifo1,pfifo2) .
close
-- II) Inductive case
--> 1) send1(s)
-- First split: does put(fifo1(s),...) match the pattern pfifo1 @ (pair1,pair2,pfifo2)?
--> ~(put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2))
open ISTEP
-- arbitrary values
-- assumptions
  eq (put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2)) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red istep9 .
close
-- Second split: pfifo2 empty vs. non-empty (p,ps).
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = empty,
--> ~(fifo1(s) = pfifo1 @ (pair1,empty) and pair2 = < bit1(s),pac(next(s)) >)
open ISTEP
-- arbitrary values
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = empty .
  eq (fifo1(s) = pfifo1 @ (pair1,empty) and pair2 = < bit1(s),pac(next(s)) >) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red queue-lemma1(fifo1(s),pfifo1,< bit1(s),pac(next(s)) >,pair1,pair2) implies istep9 .
close
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = empty,
--> fifo1(s) = pfifo1 @ (pair1,empty) and pair2 = < bit1(s),pac(next(s)) >
open ISTEP
-- arbitrary values
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = empty .
-- eq (fifo1(s) = pfifo1 @ (pair1,empty)
--     and pair2 = < bit1(s),pac(next(s)) >) = true .
  eq fifo1(s) = pfifo1 @ (pair1,empty) .
  eq pair2 = < bit1(s),pac(next(s)) > .
--
-- successor state
  eq s' = send1(s) .
-- check
  red istep9 .
close
-- Case name corrected: the declared constants for the non-empty pfifo2
-- are p,ps (the original echo lines said bit10,bfifo10).
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = p,ps,
--> ~(fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
-->   and < bit1(s),pac(next(s)) > = bot(p,ps))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = p,ps .
  eq (fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps)) and < bit1(s),pac(next(s)) > = bot(p,ps)) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red queue-lemma2(fifo1(s),pfifo1,ps,< bit1(s),pac(next(s)) >, pair1,pair2,p) implies istep9 .
close
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = p,ps,
--> fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
-->   and < bit1(s),pac(next(s)) > = bot(p,ps),
--> ~(del(pfifo1 @ (pair1,pair2,p,ps))
-->   = pfifo1 @ (pair1,pair2,del(p,ps)))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = p,ps .
-- eq (fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
--     and < bit1(s),pac(next(s)) > = bot(p,ps)) = true .
  eq fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps)) .
  eq bot(p,ps) = < bit1(s),pac(next(s)) > .
--
  eq (del(pfifo1 @ (pair1,pair2,p,ps)) = pfifo1 @ (pair1,pair2,del(p,ps))) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red queue-lemma7(pfifo1,(pair2,p,ps),pair1) implies istep9 .
close
-- Third split, on where pair3 sits relative to the deleted queue.
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = p,ps,
--> fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
-->   and < bit1(s),pac(next(s)) > = bot(p,ps),
--> del(pfifo1 @ (pair1,pair2,p,ps))
-->   = pfifo1 @ (pair1,pair2,del(p,ps)),
--> pair3 \in (del(p,ps))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = p,ps .
-- eq (fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
--     and < bit1(s),pac(next(s)) > = bot(p,ps)) = true .
  eq fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps)) .
  eq bot(p,ps) = < bit1(s),pac(next(s)) > .
--
  eq del(pfifo1 @ (pair1,pair2,p,ps)) = pfifo1 @ (pair1,pair2,del(p,ps)) .
  eq pair3 \in (del(p,ps)) = true .
-- successor state
  eq s' = send1(s) .
-- check
  red inv9(s,pair1,pair2,pair3,pfifo1,del(p,ps)) implies istep9 .
close
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = p,ps,
--> fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
-->   and < bit1(s),pac(next(s)) > = bot(p,ps),
--> del(pfifo1 @ (pair1,pair2,p,ps))
-->   = pfifo1 @ (pair1,pair2,del(p,ps)),
--> ~(pair3 \in (del(p,ps))), ~(pair3 \in (p,ps))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = p,ps .
-- eq (fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
--     and < bit1(s),pac(next(s)) > = bot(p,ps)) = true .
  eq fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps)) .
  eq bot(p,ps) = < bit1(s),pac(next(s)) > .
--
  eq del(pfifo1 @ (pair1,pair2,p,ps)) = pfifo1 @ (pair1,pair2,del(p,ps)) .
  eq pair3 \in (del(p,ps)) = false .
  eq pair3 \in (p,ps) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red inv9(s,pair1,pair2,pair3,pfifo1,del(p,ps)) implies istep9 .
close
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = p,ps,
--> fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
-->   and < bit1(s),pac(next(s)) > = bot(p,ps),
--> del(pfifo1 @ (pair1,pair2,p,ps))
-->   = pfifo1 @ (pair1,pair2,del(p,ps)),
--> ~(pair3 \in (del(p,ps))), pair3 \in (p,ps),
--> ~(pair3 = < bit1(s),pac(next(s)) >)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = p,ps .
-- eq (fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
--     and < bit1(s),pac(next(s)) > = bot(p,ps)) = true .
  eq fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps)) .
  eq bot(p,ps) = < bit1(s),pac(next(s)) > .
--
  eq del(pfifo1 @ (pair1,pair2,p,ps)) = pfifo1 @ (pair1,pair2,del(p,ps)) .
  eq pair3 \in (del(p,ps)) = false .
  eq pair3 \in (p,ps) = true .
  eq (pair3 = < bit1(s),pac(next(s)) >) = false .
-- successor state
  eq s' = send1(s) .
-- check
  red queue-lemma3(ps,pair3,p) implies istep9 .
close
--> put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2),
--> pfifo2 = p,ps,
--> fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
-->   and < bit1(s),pac(next(s)) > = bot(p,ps),
--> del(pfifo1 @ (pair1,pair2,p,ps))
-->   = pfifo1 @ (pair1,pair2,del(p,ps)),
--> ~(pair3 \in (del(p,ps))), pair3 \in (p,ps),
--> pair3 = < bit1(s),pac(next(s)) >
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
  eq put(fifo1(s),< bit1(s),pac(next(s)) >) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pfifo2 = p,ps .
-- eq (fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps))
--     and < bit1(s),pac(next(s)) > = bot(p,ps)) = true .
  eq fifo1(s) = del(pfifo1 @ (pair1,pair2,p,ps)) .
  eq bot(p,ps) = < bit1(s),pac(next(s)) > .
--
  eq del(pfifo1 @ (pair1,pair2,p,ps)) = pfifo1 @ (pair1,pair2,del(p,ps)) .
  eq pair3 \in (del(p,ps)) = false .
  eq pair3 \in (p,ps) = true .
  eq pair3 = < bit1(s),pac(next(s)) > .
-- successor state
  eq s' = send1(s) .
-- check
  red inv9(s,pair1,pair2,pair3,pfifo1,del(p,ps)) implies istep9 .
close
--> 2) rec1(s)
-- c-rec1(s) is expanded to fifo2(s) = b,bs in every enabled case below
-- (the commented `eq c-rec1(s) = true .` records the unexpanded form).
--> c-rec1(s), bit1(s) = b
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq bit1(s) = b .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep9 .
close
--> c-rec1(s), ~(bit1(s) = b),
--> ~(fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2))
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq (fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2)) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep9 .
close
--> c-rec1(s), ~(bit1(s) = b),
--> fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2),
--> ~(pair1 = < bit1(s) , pac(next(s)) >),
--> ~(pair1 \in (pfifo1 @ (pair1,pair2,pfifo2)))
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq (pair1 = < bit1(s) , pac(next(s)) >) = false .
  eq pair1 \in (pfifo1 @ (pair1,pair2,pfifo2)) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red queue-lemma4(pfifo1,(pair2,pfifo2),pair1) implies istep9 .
close
--> c-rec1(s), ~(bit1(s) = b),
--> fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2),
--> ~(pair1 = < bit1(s) , pac(next(s)) >),
--> pair1 \in (pfifo1 @ (pair1,pair2,pfifo2)), bit2(s) = b
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq (pair1 = < bit1(s) , pac(next(s)) >) = false .
  eq pair1 \in (pfifo1 @ (pair1,pair2,pfifo2)) = true .
  eq bit2(s) = b .
-- successor state
  eq s' = rec1(s) .
-- check
  red inv11(s,pair1) implies istep9 .
close
--> c-rec1(s), ~(bit1(s) = b),
--> fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2),
--> ~(pair1 = < bit1(s) , pac(next(s)) >),
--> pair1 \in (pfifo1 @ (pair1,pair2,pfifo2)), ~(bit2(s) = b)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq (pair1 = < bit1(s) , pac(next(s)) >) = false .
  eq pair1 \in (pfifo1 @ (pair1,pair2,pfifo2)) = true .
  eq (bit2(s) = b) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red inv2(s) implies istep9 .
close
--> c-rec1(s), ~(bit1(s) = b),
--> fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2),
--> ~(pair2 = < bit1(s) , pac(next(s)) >)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq (pair2 = < bit1(s) , pac(next(s)) >) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red inv11(s,pair2) implies istep9 .
close
--> c-rec1(s), ~(bit1(s) = b),
--> fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2),
--> pair1 = < bit1(s) , pac(next(s)) >,
--> pair2 = < bit1(s) , pac(next(s)) >
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-rec1(s) = true .
  eq fifo2(s) = b,bs .
--
  eq (bit1(s) = b) = false .
  eq fifo1(s) = pfifo1 @ (pair1,pair2,pfifo2) .
  eq pair1 = < bit1(s) , pac(next(s)) > .
  eq pair2 = < bit1(s) , pac(next(s)) > .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep9 .
close
--> ~c-rec1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec1(s) = false .
-- successor state
  eq s' = rec1(s) .
-- check
  red istep9 .
close
--> 3) send2(s)
-- No case split is needed for send2.
open ISTEP
-- arbitrary values
-- assumptions
-- successor state
  eq s' = send2(s) .
-- check
  red istep9 .
close
--> 4) rec2(s)
--> c-rec2(s), ~(ps = pfifo1 @ (pair1,pair2,pfifo2))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
-- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq (ps = pfifo1 @ (pair1,pair2,pfifo2)) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep9 .
close
--> c-rec2(s), ps = pfifo1 @ (pair1,pair2,pfifo2)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
-- eq c-rec2(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = pfifo1 @ (pair1,pair2,pfifo2) .
-- successor state
  eq s' = rec2(s) .
-- check
  red inv9(s,pair1,pair2,pair3,(p,pfifo1),pfifo2) implies istep9 .
close
--> ~c-rec2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-rec2(s) = false .
-- successor state
  eq s' = rec2(s) .
-- check
  red istep9 .
close
--> 5) drop1(s)
--> c-drop1(s), ~(ps = pfifo1 @ (pair1,pair2,pfifo2))
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
-- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq (ps = pfifo1 @ (pair1,pair2,pfifo2)) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep9 .
close
--> c-drop1(s), ps = pfifo1 @ (pair1,pair2,pfifo2)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
-- eq c-drop1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq ps = pfifo1 @ (pair1,pair2,pfifo2) .
-- successor state
  eq s' = drop1(s) .
-- check
  red inv9(s,pair1,pair2,pair3,(p,pfifo1),pfifo2) implies istep9 .
close
--> ~c-drop1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop1(s) = false .
-- successor state
  eq s' = drop1(s) .
-- check
  red istep9 .
close
--> 6) dup1(s)
--> c-dup1(s), pfifo1 = empty, ~(p,p,ps = pair1,pair2,pfifo2)
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
-- eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq pfifo1 = empty .
  eq (p,p,ps = pair1,pair2,pfifo2) = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep9 .
close
--> c-dup1(s), pfifo1 = empty, p,p,ps = pair1,pair2,pfifo2
open ISTEP
-- arbitrary values
  op p : -> BPPair .
  op ps : -> PFifo .
-- assumptions
-- eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq pfifo1 = empty .
-- eq p,p,ps = pair1,pair2,pfifo2 .
  eq pair1 = p .
  eq pair2 = p .
  eq pfifo2 = ps .
--
-- successor state
  eq s' = dup1(s) .
-- check
  red istep9 .
close
--> c-dup1(s), pfifo1 = p1,ps1
open ISTEP
-- arbitrary values
  ops p p1 : -> BPPair .
  ops ps ps1 : -> PFifo .
-- assumptions
-- eq c-dup1(s) = true .
  eq fifo1(s) = p,ps .
--
  eq pfifo1 = p1,ps1 .
-- successor state
  eq s' = dup1(s) .
-- check
  red inv9(s,pair1,pair2,pair3,ps1,pfifo2) implies istep9 .
close
--> ~c-dup1(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup1(s) = false .
-- successor state
  eq s' = dup1(s) .
-- check
  red istep9 .
close
--> 7) drop2(s)
--> c-drop2(s)
open ISTEP
-- arbitrary values
  op b : -> Bool .
  op bs : -> BFifo .
-- assumptions
-- eq c-drop2(s) = true .
  eq fifo2(s) = b,bs .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep9 .
close
--> ~c-drop2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-drop2(s) = false .
-- successor state
  eq s' = drop2(s) .
-- check
  red istep9 .
close
--> 8) dup2(s)
--> c-dup2(s)
open ISTEP
-- arbitrary values
-- b1 and bs1 are declared but not referenced by any equation in this passage.
  ops b b1 : -> Bool .
  ops bs bs1 : -> BFifo .
-- assumptions
-- eq c-dup2(s) = true .
  eq fifo2(s) = b,bs .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep9 .
close
--> ~c-dup2(s)
open ISTEP
-- arbitrary values
-- assumptions
  eq c-dup2(s) = false .
-- successor state
  eq s' = dup2(s) .
-- check
  red istep9 .
close
--> QED