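-- file: readerWriter.mod
--
-- A readers-writers lock modelled as a rewriting system, together with
-- its two safety properties (mutual exclusion, at most one writer).
-- The properties are checked by reachability search from the initial
-- configuration < 0 , 0 >, using an equational abstraction to keep the
-- searched state space finite.

-- Peano-style counter: the constant 0 and the successor s_.
-- Used to count the readers and writers currently inside the lock.
mod! COUNTER {
  [ Counter ]
  op 0 : -> Counter .
  op s_ : Counter -> Counter .
}

-- The lock state and the four transitions the policy allows.
mod! READERS-WRITERS {
  pr(COUNTER)
  -- configuration: representation of state
  [ Config ]
  -- < readers, writers >
  op <_,_> : Counter Counter -> Config { constr } .
  -- the following four transition rules
  -- specify a READERS-WRITERS policy
  vars R W : Counter .
  -- can start to write only if there are no readers and no writers
  trans [+w] : < 0, 0 > => < 0, s 0 > .
  -- can start to read if there are no writers (readers may share)
  trans [+r] : < R, 0 > => < s R, 0 > .
  -- can stop reading anytime
  trans [-r] : < s R, W > => < R, W > .
  -- can stop writing anytime
  trans [-w] : < R, s W > => < R, W > .
}

-- Safety properties, as Boolean predicates on configurations.
-- Every declaration is terminated with `.`, matching the style used in
-- READERS-WRITERS above.
mod RW-PROP {
  pr(READERS-WRITERS)
  vars R W : Counter .
  -- mutual exclusion property: readers and writers never coexist
  pred mutualEx_ : Config .
  eq mutualEx < 0 , W > = true .
  eq mutualEx < R , 0 > = true .
  eq mutualEx < s R , s W > = false .
  -- only one writer property: at most one writer at a time
  pred oneWt_ : Config .
  eq oneWt < R, 0 > = true .
  eq oneWt < R, s 0 > = true .
  eq oneWt < R, s s W > = false .
  -- both properties
  pred mutualExAndOneWt_ : Config .
  eq mutualExAndOneWt < R, W > = (mutualEx < R, W >) and (oneWt < R, W >) .
}

eof

-- Everything below `eof` is skipped when this file is loaded into the
-- interpreter; the proof commands below are meant to be entered by hand.

-- proof of the fact:
--   mutualEx(< s s R:Counter , 0 >) = mutualEx(< s 0 , 0 >) .
-- and
--   oneWt(< s s R:Counter , 0 >) = oneWt(< s 0 , 0 >) .
-- i.e. the abstraction used further down (two or more readers with no
-- writer collapsed onto one reader) does not change either predicate.
open (RW-PROP + EQL)
  red mutualEx(< s s R:Counter , 0 >) = mutualEx(< s 0 , 0 >) .
  red oneWt(< s s R:Counter , 0 >) = oneWt(< s 0 , 0 >) .
close

--> proofs of:
--> (mutualExAndOneWt < r , w >) is an invariant
--> for all reachable configurations
--> from the initial configuration: < 0 , 0 >
--> using equational abstraction (eq < s s R , 0 > = < s 0 , 0 > .)
-- The abstraction equation is intended to make the set of reachable
-- configurations finite so that the ==>* searches below terminate.
-- Each search looks for a reachable configuration that violates the
-- property; the proof expects every search to report no match.
--> (1) proof of mutualEx:
open RW-PROP
  eq < s s R:Counter , 0 > = < s 0 , 0 > .
  -- search for a reachable state where mutualEx is false ...
  red < 0 , 0 > ==>* C:Config suchThat (mutualEx(C) == false) .
  -- ... and, equivalently, for one with both a reader and a writer
  red < 0 , 0 > ==>* < s R:Counter , s W:Counter > .
close
--> (2) proof of oneWt:
open RW-PROP
  eq < s s R:Counter , 0 > = < s 0 , 0 > .
  -- search for a reachable state where oneWt is false ...
  red < 0 , 0 > ==>* C:Config suchThat (oneWt(C) == false) .
  -- ... and, equivalently, for one with two or more writers
  red < 0 , 0 > ==>* < R:Counter , s s W:Counter > .
close
--> (3) proof of mutualExAndOneWt:
open RW-PROP
  eq < s s R:Counter , 0 > = < s 0 , 0 > .
  -- search for a reachable state violating either property
  red < 0 , 0 > ==>* C:Config suchThat (mutualExAndOneWt C == false) .
close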