--> ****************************************************************
--> proof score for inductive invariant condition
--> ****************************************************************
-- This proof score discharges only the INDUCTIVE STEP of the invariant
-- argument: it shows that the candidate invariant iinv is preserved by
-- one application of each transition rule (WT, TY, EXC).  The base case
-- (iinv holds in the initial state) is not checked in this file;
-- NOTE(review): it is presumably discharged elsewhere alongside
-- qlock-prop -- confirm before treating mutual exclusion as proved.
--
-- The modules MX, HQ=C, RWL, WT, TY and EXC are imported below but not
-- defined here; they are assumed to come from the required qlock-prop.
--> ----------------------------------------------------------------
--> require qlock-prop
require qlock-prop
--> ----------------------------------------------------------------
--> IINVcheck: module for checking invariant
--> ----------------------------------------------------------------
mod IINVcheck {
pr(MX + HQ=C + RWL)
-- possible inductive invariant predicate on State
-- iinv is the conjunction of mx and hq=c.  The property of interest is
-- presumably mx alone; hq=c is the strengthening needed to make the
-- predicate inductive -- confirm against the definitions in qlock-prop.
pred iinv : State .
eq iinv(S:State) = ((mx S) and (hq=c S)) .
-- iinv is stable (i.e. is preserved through any transition)
-- stable-iinv(S,SS) is the one-step implication iinv(S) => iinv(SS).
pred stable-iinv : State State .
eq stable-iinv(S:State,SS:State) = (iinv(S) implies iinv(SS)) .
-- check-iinv S searches from S for successor states SS reachable by at
-- least one step (=>+) at search depth 1, with the applied rule's
-- condition bound to CC.  suchThat keeps only those successors for which
-- (CC implies stable-iinv(S,SS)) does NOT reduce to true, so check-iinv S
-- is true exactly when no such counterexample successor is found.
-- Because the test is "reduces to true", a term that merely fails to
-- reduce (insufficient case analysis) counts as a counterexample, which
-- is why the proofs below need explicit case splits.
pred check-iinv_ : State .
eq check-iinv S:State
   = not(S =(*,1)=>+ SS:State
           if CC:Bool
           suchThat not((CC implies stable-iinv(S,SS)) == true)
           {stable-iinv(S,SS)}) .
-- fresh constants for level 0
-- Fresh constants stand for arbitrary values, so a reduction to true
-- covers every state matching the corresponding pattern.
ops aq : -> Aq .
ops as-r as-w as-c : -> As .
-- fresh constants for refined level 1
-- Level-1 constants are introduced by the case splits below
-- (e.g. aq = (a-q-1 | aq-1), as-c = (a-c-1 as-c-1)).
op aq-1 : -> Aq .
ops as-r-1 as-w-1 as-c-1 : -> As .
ops a-q-1 a-r-1 a-w-1 a-c-1 : -> Aid .
}
--> ****************************************************************
-- three state patterns in the left-hand-side
-- of the three trans rules
-- wt:  [AQ:Aq r (A1:Aid AS1:As) w AS2:As c AS3:As]
-- ty:  [(A:Aid | AQ:Aq) r AS1:As w (A AS2:As) c AS3:As]
-- exc: [(A:Aid | AQ:Aq) r AS1:As w AS2:As c (A3:Aid AS3:As)]
-- Each module below instantiates one of these patterns with fresh
-- constants, so that check-iinv is evaluated on the most general state
-- to which that rule can apply.
--
-- CAUTION: CafeOBJ does not verify that a :csp case split is exhaustive;
-- that is the author's obligation.  Every split in this file is of one
-- of two shapes, both of which are exhaustive provided the sorts are as
-- assumed: (a) the two constructors of a queue/set (empQ | cons, empS | cons),
-- and (b) an equality test (=a, =as) being true or reducing to false,
-- which presupposes that the equality predicate is total on the sort.
--> ****************************************************************
--> ****************************************************************
--> wt: [AQ:Aq r (A1:Aid AS1:As) w AS2:As c AS3:As]
--> ****************************************************************
--> ----------------------------------------------------------------
--> IINVcheck-wt: module for checking w.r.t. WT
--> ----------------------------------------------------------------
mod IINVcheck-wt {
pr(IINVcheck + WT)
op iinvCheck-wt : -> Bool .
-- the wt pattern with A1 := a-r-1, AS1 := as-r-1, AQ := aq, etc.
eq iinvCheck-wt = check-iinv [aq r (a-r-1 as-r-1) w as-w c as-c] .
}
--> ================================================================
--> check that (iinvCheck-wt = true) (1)
--> ----------------------------------------------------------------
-- Proof-script (CITP) form.  The "QED" marker below is a human
-- annotation, not tool output: the proof is complete only if every goal
-- in the :show proof transcript is marked discharged (*).
select IINVcheck-wt .
:goal{eq iinvCheck-wt = true .}
-- split on the two constructors of the queue sort Aq
:def csp-q = :csp{eq aq = empQ .
                  eq aq = (a-q-1 | aq-1) .}
:apply(csp-q rd-)
--> QED
-- =================================================================
#|
IINVcheck-wt(X.STATE)> :show proof
root*
[csp-q] 1*
[csp-q] 2*
IINVcheck-wt(X.STATE)> :desc proof
==> root*
-- context module: #Goal-root
-- targeted sentence:
  eq iinvCheck-wt = true .
[csp-q] 1*
-- context module: #Goal-1
-- assumption
  eq [csp-q]: aq = empQ .
-- discharged sentence:
  eq [RD-]: iinvCheck-wt = true .
[csp-q] 2*
-- context module: #Goal-2
-- assumption
  eq [csp-q]: aq = a-q-1 | aq-1 .
-- discharged sentence:
  eq [RD-]: iinvCheck-wt = true .
|#
--> ================================================================
--> check that (iinvCheck-wt = true) (2)
--> ----------------------------------------------------------------
-- Equivalent open/close form of the same case analysis.  Each "red"
-- must print "true"; any other result means the case is not discharged.
--> 1
open IINVcheck-wt .
eq aq = empQ .
red iinvCheck-wt .
close
--> 2
open IINVcheck-wt .
eq aq = (a-q-1 | aq-1) .
red iinvCheck-wt .
close
--> QED
--> ****************************************************************
--> ty: [(A:Aid | AQ:Aq) r AS1:As w (A AS2:As) c AS3:As]
--> ****************************************************************
--> ----------------------------------------------------------------
--> IINVcheck-ty: module for checking w.r.t. TY
--> ----------------------------------------------------------------
mod IINVcheck-ty {
pr(IINVcheck + TY)
op iinvCheck-ty : -> Bool .
-- the ty pattern; a-q-1 plays the shared variable A (queue head and
-- member of the w set), as the rule requires
eq iinvCheck-ty = check-iinv [(a-q-1 | aq-1) r as-r w (a-q-1 as-w-1) c as-c] .
}
--> ================================================================
--> check that (iinvCheck-ty = true) (1)
--> ----------------------------------------------------------------
select IINVcheck-ty .
:goal{eq iinvCheck-ty = true .}
-- split on the two constructors of the set sort As for the c section
:def csp-c = :csp{eq as-c = empS .
                  eq as-c = (a-c-1 as-c-1) .}
-- then split on whether the queue head equals the agent found in c
:def csp-qc = :csp{eq a-q-1 = a-c-1 .
                   eq (a-q-1 =a a-c-1) = false .}
:apply(csp-c rd- csp-qc rd-)
--> QED
-- =================================================================
#|
IINVcheck-ty(X.STATE)> :show proof
root*
[csp-c] 1*
[csp-c] 2*
[csp-qc] 2-1*
[csp-qc] 2-2*
IINVcheck-ty(X.STATE)> :desc proof
==> root*
-- context module: #Goal-root
-- targeted sentence:
  eq iinvCheck-ty = true .
[csp-c] 1*
-- context module: #Goal-1
-- assumption
  eq [csp-c]: as-c = empS .
-- discharged sentence:
  eq [RD-]: iinvCheck-ty = true .
[csp-c] 2*
-- context module: #Goal-2
-- assumption
  eq [csp-c]: as-c = a-c-1 as-c-1 .
-- targeted sentence:
  eq iinvCheck-ty = true .
[csp-qc] 2-1*
-- context module: #Goal-2-1
-- assumptions
  eq [csp-c]: as-c = a-c-1 as-c-1 .
  eq [csp-qc]: a-q-1 = a-c-1 .
-- discharged sentence:
  eq [RD-]: iinvCheck-ty = true .
[csp-qc] 2-2*
-- context module: #Goal-2-2
-- assumptions
  eq [csp-c]: as-c = a-c-1 as-c-1 .
  eq [csp-qc]: a-q-1 =a a-c-1 = false .
-- discharged sentence:
  eq [RD-]: iinvCheck-ty = true .
|#
--> ================================================================
--> check that (iinvCheck-ty = true) (2)
--> ----------------------------------------------------------------
-- open/close form; case numbering follows the proof tree above
--> 1
open IINVcheck-ty .
eq as-c = empS .
red iinvCheck-ty .
close
--> 2-1
open IINVcheck-ty .
eq as-c = (a-c-1 as-c-1) .
eq a-q-1 = a-c-1 .
red iinvCheck-ty .
close
--> 2-2
open IINVcheck-ty .
eq as-c = (a-c-1 as-c-1) .
eq (a-q-1 =a a-c-1) = false .
red iinvCheck-ty .
close
--> QED
--> ****************************************************************
--> exc: [(A:Aid | AQ:Aq) r AS1:As w AS2:As c (A3:Aid AS3:As)]
--> ****************************************************************
--> ----------------------------------------------------------------
--> IINVcheck-exc: module for checking w.r.t. EXC
--> ----------------------------------------------------------------
mod IINVcheck-exc {
pr(IINVcheck + EXC)
op iinvCheck-exc : -> Bool .
-- the exc pattern; the agent leaving c (a-c-1) is kept distinct from
-- the queue head (a-q-1) and related only by the case split below
eq iinvCheck-exc = check-iinv [(a-q-1 | aq-1) r as-r w as-w c (a-c-1 as-c-1)] .
}
--> ================================================================
--> check that (iinvCheck-exc = true) (1)
--> ----------------------------------------------------------------
select IINVcheck-exc .
:goal{eq iinvCheck-exc = true .}
-- split on whether the queue head is the agent leaving c
:def csp-qc = :csp{eq a-q-1 = a-c-1 .
                   eq (a-q-1 =a a-c-1) = false .}
-- then on whether any other agent remains in c
:def csp-asc = :csp{eq as-c-1 = empS .
                    eq (as-c-1 =as empS) = false .}
:apply(csp-qc rd- csp-asc rd-)
--> QED
-- =================================================================
#|
IINVcheck-exc(X.STATE)> :show proof
root*
[csp-qc] 1*
[csp-asc] 1-1*
[csp-asc] 1-2*
[csp-qc] 2*
IINVcheck-exc(X.STATE)> :desc proof
==> root*
-- context module: #Goal-root
-- targeted sentence:
  eq iinvCheck-exc = true .
[csp-qc] 1*
-- context module: #Goal-1
-- assumption
  eq [csp-qc]: a-q-1 = a-c-1 .
-- targeted sentence:
  eq iinvCheck-exc = true .
[csp-asc] 1-1*
-- context module: #Goal-1-1
-- assumptions
  eq [csp-qc]: a-q-1 = a-c-1 .
  eq [csp-asc]: as-c-1 = empS .
-- discharged sentence:
  eq [RD-]: iinvCheck-exc = true .
[csp-asc] 1-2*
-- context module: #Goal-1-2
-- assumptions
  eq [csp-qc]: a-q-1 = a-c-1 .
  eq [csp-asc]: as-c-1 =as empS = false .
-- discharged sentence:
  eq [RD-]: iinvCheck-exc = true .
[csp-qc] 2*
-- context module: #Goal-2
-- assumption
  eq [csp-qc]: a-q-1 =a a-c-1 = false .
-- discharged sentence:
  eq [RD-]: iinvCheck-exc = true .
|#
--> ================================================================
--> check that (iinvCheck-exc = true) (2)
--> ----------------------------------------------------------------
-- open/close form; case numbering follows the proof tree above
--> 1-1
open IINVcheck-exc .
eq a-q-1 = a-c-1 .
eq as-c-1 = empS .
red iinvCheck-exc .
close
--> 1-2
open IINVcheck-exc .
eq a-q-1 = a-c-1 .
eq (as-c-1 =as empS) = false .
red iinvCheck-exc .
close
--> 2
open IINVcheck-exc .
eq (a-q-1 =a a-c-1) = false .
red iinvCheck-exc .
close
--> QED
--> ****************************************************************
--> end of file
eof
--> ****************************************************************