** ===============================================================
** ==== QLOCK Proof Score for the mutual exclusion property ======
** ===============================================================
** Proof score (CafeOBJ) that inv is an inductive invariant of the QLOCK
** transition system: (1) every initial state satisfies inv, and
** (2) every one-step transition preserves inv.  Both obligations are
** discharged by generating all cases of the generic state shape with
** the GENcases module and reducing a check predicate for each case.
** NOTE(review): the file issues no `in` command itself; the modules it
** refers to (INIT, QLOCKsys, QLOCKprop, GENcases) must already be loaded
** from the two files named below, otherwise nothing here resolves.

-- loading sysSpec and propSpec in qlock-sysProp.cafe
-- loading Generate&Check module GENcases in genCases.cafe

--> ==============================================================
--> Verification of the Initial State Condition:
--> (for-all S:State)(init(S) implies inv(S))
--> ==============================================================

-- an actual parameter module for the module GENcases
-- define v_ and ii_ for checking the initial state condition
-- (presumably GENcases reads exactly Val/ValSq, v_ and ii_ from its
--  actual parameter -- confirm against genCases.cafe)
mod! QLOCKinit {pr(INIT + QLOCKprop)
-- for passing actual parameters to the module GENcases
-- every component sort of a case is below Val; ValSq is a sequence
-- of such values, one sequence per generated case
[Qu Aid Label Aobs < Val < ValSq]
op _,_ : ValSq ValSq -> ValSq {assoc} .
-- predicate to be checked (i.e. init-c) for the
--> case[2]: S:State = (Q:Qu $ ((lb[A:Aid]: L:Label) AS:Aobs))
-- v instantiates the generic state with the four values of one case
-- and states the initial state condition for it
op v_ : ValSq -> Bool .
eq v(Q:Qu,A:Aid,L:Label,AS:Aobs) = init(Q $ ((lb[A]: L) AS)) implies inv(Q $ ((lb[A]: L) AS)) .
-- for indicating information
-- ii_ maps a case to the IndInfo term reported for it (here just the
-- instantiated state wrapped in ss_)
[IndInfo]
op ii_ : ValSq -> IndInfo {constr} .
op ss_ : State -> IndInfo {constr} .
eq ii(Q:Qu,A:Aid,L:Label,AS:Aobs) = ss(Q $ ((lb[A]: L) AS)) .
}

-- generate & check all possible cases
-- for the initial state condition
mod CKallCasesInit {inc(GENcases(QLOCKinit))
-- arbitrary constants
-- q and as are fresh constants standing for an arbitrary queue and an
-- arbitrary set of agent observations
op q : -> Qu .
op as : -> Aobs .
-- Aid constant literals
-- on literals, `=` is made to reduce to syntactic equality `==`, so
-- b1 = b2 reduces to false instead of staying an open term
[AidConLt < Aid]
eq (B1:AidConLt = B2:AidConLt) = (B1 == B2) .
ops b1 b2 : -> AidConLt .
-- function to check for the
--> case[1]: S:State = (Q:Qu $ empty)
op ck-1 : -> Bool .
eq ck-1 = init(q $ empty) implies inv(q $ empty) .
-- function to generate & check all possible cases for
--> case[2]: S:State = (Q:Qu $ ((lb[A:Aid]: L:Label) AS:Aobs))
op gen&ck-2 : -> IndTr .
-- a term of sort IndTr for checking all possible cases
-- each bracket lists, per component (Q, A, L, AS), the alternatives
-- to combine; how mmi, `;` and `||` are expanded is defined in
-- GENcases (genCases.cafe), not here
eq gen&ck-2 = ($ | mmi([(empQ), (b1), (rs;ws;cs), (as)] || [(b1 & q), (b1;b2), (rs;ws;cs), (as)])) .
}

-- reductions for verification of initial state condition
-- ck-1 is expected to reduce to true; gen&ck-2 is expected to reduce to
-- the IndTr form GENcases produces when no case fails (confirm the
-- expected form against genCases.cafe)
open (CKallCasesInit) .
red ck-1 . -- s1
red gen&ck-2 . -- s2-s13
close

--> ==============================================================
--> Verification of the Invariant Condition:
--> (for-all (S->S'):State->State(One-Step-Transition))
--> (inv(S) implies inv(S'))
--> ==============================================================

-- an actual parameter module for the module GENcases
-- define v_ for checking the inductive invariant condition
mod! QLOCKinv {pr(QLOCKsys + QLOCKprop)
-- for passing actual parameters to the module GENcases
-- State is a component sort here too: the successor state SS is part
-- of each case
[Qu Aid Label Aobs State < Val < ValSq]
op _,_ : ValSq ValSq -> ValSq {assoc} .
-- for indicating information
-- S -> SS !! B records a transition found by the search together with
-- the value of the invariant implication for it
[IndInfo]
op _->_!!_ : State State Bool -> IndInfo {constr} .
-- predicate to be checked (i.e. the inductive invariant condition) for the
--> case[2]: S:State = (Q:Qu $ ((lb[A:Aid]: L:Label) AS:Aobs))
-- Pname for pre-post conditions
-- pre and post are left open here and bound by `eq` in the open/close
-- sections below, so the same v_ can check inv against a part of inv
ops pre post : -> Pname .
op v_ : ValSq -> Bool .
-- the search =(*,1)=>+ looks for a one-step successor SS of the case
-- state for which (cj(pre,S) implies cj(post,SS)) does not reduce to
-- true; v is true iff no such successor exists.  The {...} part builds
-- the IndInfo term for a successor that is found (presumably what is
-- displayed for a failing case -- confirm against GENcases).  cj is
-- taken from QLOCKprop; its meaning is not visible here.
eq v(Q:Qu,A:Aid,L:Label,AS:Aobs,SS:State) = not((Q $ ((lb[A]: L) AS)) =(*,1)=>+ SS suchThat (not((cj(pre,(Q $ ((lb[A]: L) AS))) implies cj(post,SS)) == true)) {(Q $ ((lb[A]: L) AS)) -> SS !! (inv(Q $ ((lb[A]: L) AS)) implies inv(SS))}) .
-- for indicating information
-- NOTE(review): ii_ is declared {constr} in QLOCKinit but not here,
-- although it is defined by an equation in both modules -- confirm
-- which declaration is intended
op ii_ : ValSq -> IndInfo .
op ss_ : State -> IndInfo {constr} .
eq ii(Q:Qu,A:Aid,L:Label,AS:Aobs,SS:State) = ss(Q $ ((lb[A]: L) AS)) .
}

-- generate & check all possible cases
-- for the inductive invariant condition
mod CKallCasesInv {inc(GENcases(QLOCKinv))
-- arbitrary constants
op q : -> Qu .
op as : -> Aobs .
-- Aid constant literals
-- same literal equality as in CKallCasesInit: `=` on literals reduces
-- to syntactic equality
[AidConLt < Aid]
eq (B1:AidConLt = B2:AidConLt) = (B1 == B2) .
ops b1 b2 : -> AidConLt .
-- function to check for the
--> case[1]: S:State = (Q:Qu $ empty)
-- checks inv directly (no pre/post split) for every one-step successor
-- SS of the empty-queue state
op ck-1 : State -> Bool .
eq ck-1(SS:State) = not((q $ empty) =(*,1)=>+ SS suchThat (not((inv(q $ empty) implies inv(SS)) == true))) .
-- function to generate & check all possible cases for
--> case[2]: S:State = (Q:Qu $ ((lb[A:Aid]: L:Label) AS:Aobs))
-- the successor SS is passed through as the fifth component of each case
op gen&ck-2 : State -> IndTr .
-- a term of sort IndTr for checking all possible cases
eq gen&ck-2(SS:State) = ($ | mmi([(empQ), (b1), (rs;ws;cs), (as), (SS)] || [(b1 & q), (b1;b2), (rs;ws;cs), (as), (SS)])) .
}

-- facts to be used
-- NOTE(review): the equation below is an assumption, not something
-- proven in this file.  Every reduction that opens FACTtbu relies on
-- it, so the invariant proof is only as sound as this lemma: it needs
-- its own proof score, or must follow from the definition of #aq in
-- QLOCKprop, for the mutual exclusion argument to hold.
mod FACTtbu {
pr(QLOCKprop)
-- necessary fact about #aq
-- counting occurrences of A2 in a queue with A1 at its head: one more
-- if A1 = A2, unchanged otherwise
eq #aq(Q:Qu & A1:Aid,A2:Aid) = if (A1 = A2) then (s 0) + #aq(Q,A2) else #aq(Q,A2) fi .
}

-- reductions for verification of inductive invariant condition
-- for s1
open (CKallCasesInv + FACTtbu) .
red ck-1(SS:State) . -- s1
close
-- for s2-s13
-- eq inv = wfs mx qep rs ws cs .
-- divide inv and check
-- (the commented equation presumably states how inv is built from the
--  six named predicates in QLOCKprop; the post condition is checked in
--  two parts first, then as the whole of inv)
open (CKallCasesInv + FACTtbu) .
eq pre = inv .
eq post = wfs mx qep .
red gen&ck-2(SS:State) . -- s2-s13
close
--
open (CKallCasesInv + FACTtbu) .
eq pre = inv .
eq post = rs ws cs .
red gen&ck-2(SS:State) . -- s2-s13
close
-- check all at once
-- pre and post both bound to inv: this is the actual proof obligation
-- (inv(S) implies inv(S')); the two split runs above only localise a
-- failure to a part of inv
open (CKallCasesInv + FACTtbu) .
eq pre = inv .
eq post = inv .
red gen&ck-2(SS:State) . -- s2-s13
close
-- ==============================================================
-- ==============================================================