** ===============================================================
** ==== QLOCK Proof Score for the mutual exclusion property ======
** ===============================================================
-- This proof score discharges the two obligations of an inductive
-- invariant proof for QLOCK: (1) the initial state satisfies inv,
-- and (2) inv is preserved by every one-step transition of QLOCKsys.
-- It relies on the modules QLOCKprop and QLOCKsys defined
-- in qlock-sysProp.cafe (not visible here; must be loaded first).

-- the module for
-- generating state patterns that cover all possible cases
mod GENpatterns{pr(QLOCKprop)
  -- arbitrary constants: an arbitrary queue and an arbitrary
  -- "rest of the observers" that stand for any value of their sort
  op q : -> Qu .
  op as : -> Aobs .
  -- arbitrary Aid constant literals.
  -- Equality between two such literals is reduced to syntactic
  -- equality (==), so b1 and b2 below are decidably distinct
  -- (a plain fresh constant of sort Aid could not be compared).
  [AidConLt < Aid]
  eq (B1:AidConLt = B2:AidConLt) = (B1 == B2) .
  ops b1 b2 : -> AidConLt .
  -- State constants, one per generated case
  ops s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 : -> State .
  --> case[1]: S:State = (Q:Qu $ empty)
  eq s1 = (q $ empty) .
  --> case[2]: S:State = (Q:Qu $ ((lb[A:Aid]: L:Label) AS:Aobs))
  -- s2-s13 are generated by a combinatorial generation scheme
  -- specified with
  --   [(empQ;(b1 & q)),(b1;b2),(rs;ws;cs),(as)]
  -- i.e. (queue shape) x (agent id) x (label) x (rest of observers),
  -- and 'cover' the three left hand sides of the trans rules
  -- in the module QLOCKsys.
  -- The trailing tags (wt / ty / ex) presumably name the QLOCKsys
  -- transition rule whose left hand side the pattern matches
  -- (NOTE(review): confirm against the rule names in QLOCKsys).
  eq s2 = (empQ $ ((lb[b1]: rs) as)) . -- wt
  eq s3 = (empQ $ ((lb[b1]: ws) as)) .
  eq s4 = (empQ $ ((lb[b1]: cs) as)) .
  -- s5-s7 are marked redundant: with an empty queue nothing
  -- distinguishes b2 from b1, so they presumably repeat s2-s4
  -- up to renaming (NOTE(review): confirm; they are still
  -- reduced below, which is harmless).
  eq s5 = (empQ $ ((lb[b2]: rs) as)) . ** redundant
  eq s6 = (empQ $ ((lb[b2]: ws) as)) . ** redundant
  eq s7 = (empQ $ ((lb[b2]: cs) as)) . ** redundant
  eq s8 = ((b1 & q) $ ((lb[b1]: rs) as)) . -- wt
  eq s9 = ((b1 & q) $ ((lb[b1]: ws) as)) . -- ty
  eq s10 = ((b1 & q) $ ((lb[b1]: cs) as)) . -- ex
  eq s11 = ((b1 & q) $ ((lb[b2]: rs) as)) . -- wt
  eq s12 = ((b1 & q) $ ((lb[b2]: ws) as)) .
  eq s13 = ((b1 & q) $ ((lb[b2]: cs) as)) . -- ex
}

--> ==============================================================
--> Verification of the Initial State Condition:
--> (for-all S:State)(init(S) implies inv(S))
--> ==============================================================
mod INIT-C {pr(QLOCKprop)
  -- init-c(S) is the proof obligation for the initial state:
  -- it holds iff init(S) implies inv(S)
  pred init-c : State .
  eq init-c(S:State) = init(S) implies inv(S) .
}

-- checking init-c for all possible cases.
-- The obligation is discharged only if every reduction below
-- returns true; any other result (including a term that does
-- not reduce to a Boolean constant) is a gap in the proof.
open (GENpatterns + INIT-C) .
  red init-c(s1) .
  red init-c(s2) .
  red init-c(s3) .
  red init-c(s4) .
  red init-c(s5) .
  red init-c(s6) .
  red init-c(s7) .
  red init-c(s8) .
  red init-c(s9) .
  red init-c(s10) .
  red init-c(s11) .
  red init-c(s12) .
  red init-c(s13) .
close

--> ==============================================================
--> Verification of the Invariant Condition:
--> (for-all (S->S'):State->State(One-Step-Transition))
--> (inv(S) implies inv(S'))
--> ==============================================================
-- defining inv-c
mod INV-C {pr(QLOCKprop + QLOCKsys)
  -- indicator information: a witness record (S -> SS !! result)
  -- reported by the search for each successor that is examined
  [IndInfo]
  op _->_!!_ : State State Bool -> IndInfo {constr} .
  -- predicate to be checked.
  -- inv-c(S,SS) is true iff the one-step search from S
  -- (=(*,1)=>+ : all solutions, depth 1) finds NO successor SS for
  -- which (inv(S) implies inv(SS)) fails to reduce to true.
  -- Note the check is conservative: a successor whose implication
  -- reduces to neither true nor false (e.g. a term stuck on an
  -- unevaluated subterm) also makes the search succeed and hence
  -- makes inv-c false.
  pred inv-c : State State .
  eq inv-c(S:State,SS:State)
     = (not(S =(*,1)=>+ SS
            suchThat (not((inv(S) implies inv(SS)) == true))
            {S -> SS !! (inv(S) implies inv(SS))})) .
}

-- facts to be used.
-- SOUNDNESS CAVEAT: the equation below is ADDED as an assumption
-- inside this proof score; it is not proved here.  The invariant
-- proof is only as sound as this lemma, so it must be discharged
-- separately against the definition of #aq in QLOCKprop (or be a
-- consequence of it).  Do not add further "facts" here without a
-- proof obligation for each.
mod FACTtbu { pr(QLOCKprop)
  -- necessary fact about #aq: the count of A2 in (Q & A1) is the
  -- count of A2 in Q, plus one when A1 = A2.
  -- NOTE(review): this writes the queue as (Q & A1) while the
  -- patterns above write (b1 & q); the two agree only if _&_ is an
  -- associative Qu-Qu operator with Aid < Qu in QLOCKprop -- confirm.
  eq #aq(Q:Qu & A1:Aid,A2:Aid)
     = if (A1 = A2) then (s 0) + #aq(Q,A2) else #aq(Q,A2) fi .
}

-- checking inv-c for all possible cases.
-- The second (commented-out) open line runs the same checks without
-- FACTtbu; the lemma is apparently required for some reductions to
-- return true.
open (GENpatterns + INV-C + FACTtbu) .
-- open (GENpatterns + INV-C) .
  -- NOTE(review): the s1 case (no agents) is left commented out, so
  -- it is not checked by this score; the reason should be recorded
  -- (e.g. no transition rule applies, so the obligation is vacuous).
  -- red inv-c(s1,SS:State) .
  red inv-c(s2,SS:State) .
  red inv-c(s3,SS:State) .
  red inv-c(s4,SS:State) .
  red inv-c(s5,SS:State) .
  red inv-c(s6,SS:State) .
  red inv-c(s7,SS:State) .
  red inv-c(s8,SS:State) .
  red inv-c(s9,SS:State) .
  red inv-c(s10,SS:State) .
  red inv-c(s11,SS:State) .
  red inv-c(s12,SS:State) .
  red inv-c(s13,SS:State) .
close
-- ==============================================================
-- ==============================================================