-- I) Base case open INV red inv200(init,pair1,pair2,pair3,pfifo1,pfifo2) . close -- II) Inductive ceses --> 1) send1(s) open ISTEP -- arbitrary objects -- assumptions eq (put(fifo1(s),< tag1(s) , next(s) >) = pfifo1 @ (pair1 | pair2 | pfifo2)) = false . -- successor state eq s' = send1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions eq put(fifo1(s),< tag1(s) , next(s) >) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq pfifo2 = empty . -- facts eq pair2 = < tag1(s) , next(s) > . -- successor state eq s' = send1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects op pair10 : -> Pair . op pfifo10 : -> PFifo . -- assumptions eq put(fifo1(s),< tag1(s) , next(s) >) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq pfifo2 = pair10 | pfifo10 . eq pair3 \in (del(pair10 | pfifo10)) = true . -- facts eq fifo1(s) = del(pfifo1 @ (pair1 | pair2 | pfifo2)) . -- successor state eq s' = send1(s) . -- check if the predicate is true. red inv200(s,pair1,pair2,pair3,pfifo1,del(pair10 | pfifo10)) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects op pair10 : -> Pair . op pfifo10 : -> PFifo . -- assumptions eq put(fifo1(s),< tag1(s) , next(s) >) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq pfifo2 = pair10 | pfifo10 . eq pair3 \in (del(pair10 | pfifo10)) = false . eq pair3 \in (pair10 | pfifo10) = false . -- facts eq fifo1(s) = del(pfifo1 @ (pair1 | pair2 | pfifo2)) . -- successor state eq s' = send1(s) . -- check if the predicate is true. red inv200(s,pair1,pair2,pair3,pfifo1,del(pair10 | pfifo10)) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects op pair10 : -> Pair . op pfifo10 : -> PFifo . -- assumptions eq put(fifo1(s),< tag1(s) , next(s) >) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq pfifo2 = pair10 | pfifo10 . eq pair3 \in (del(pair10 | pfifo10)) = false . -- (1) eq pair3 \in (pair10 | pfifo10) = true . -- (2) -- facts eq fifo1(s) = del(pfifo1 @ (pair1 | pair2 | pfifo2)) . eq pair3 = < tag1(s) , next(s) > . -- from (1) and (2) -- successor state eq s' = send1(s) . -- check if the predicate is true. red inv200(s,pair1,pair2,pair3,pfifo1,del(pair10 | pfifo10)) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> 2) rec1(s) -- 2.1) c-rec1(s) open ISTEP -- arbitrary objects -- assumptions -- eq c-rec1(s) = true . eq empty?(fifo2(s)) = false . -- eq tag1(s) = top(fifo2(s)) . -- successor state eq s' = rec1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions -- eq c-rec1(s) = true . eq empty?(fifo2(s)) = false . -- eq (tag1(s) = top(fifo2(s))) = false . eq (fifo1(s) = pfifo1 @ (pair1 | pair2 | pfifo2)) = false . -- successor state eq s' = rec1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions -- eq c-rec1(s) = true . eq empty?(fifo2(s)) = false . -- eq (tag1(s) = top(fifo2(s))) = false . eq fifo1(s) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq (pair1 = < tag1(s) , next(s) >) = false . -- facts eq pair1 \in (pfifo1 @ (pair1 | pair2 | pfifo2)) = true . -- successor state eq s' = rec1(s) . -- check if the predicate is true. red inv220(s,pair1) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions -- eq c-rec1(s) = true . eq empty?(fifo2(s)) = false . -- eq (tag1(s) = top(fifo2(s))) = false . eq fifo1(s) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq (pair2 = < tag1(s) , next(s) >) = false . -- facts eq pair2 \in (pfifo1 @ (pair1 | pair2 | pfifo2)) = true . -- successor state eq s' = rec1(s) . -- check if the predicate is true. red inv220(s,pair2) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions -- eq c-rec1(s) = true . eq empty?(fifo2(s)) = false . -- eq (tag1(s) = top(fifo2(s))) = false . eq fifo1(s) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq pair1 = < tag1(s) , next(s) > . eq pair2 = < tag1(s) , next(s) > . -- successor state eq s' = rec1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- -- 2.2) not c-rec1(s) open ISTEP -- arbitrary objects -- assumptions eq c-rec1(s) = false . -- successor state eq s' = rec1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> 3) send2(s) open ISTEP -- arbitrary objects -- assumptions -- successor state eq s' = send2(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> 4) rec2(s) -- 4.1) c-rec2(s) open ISTEP -- arbitrary objects -- assumptions -- eq c-rec2(s) = true . eq empty?(fifo1(s)) = false . -- eq (get(fifo1(s)) = pfifo1 @ (pair1 | pair2 | pfifo2)) = false . -- successor state eq s' = rec2(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions -- eq c-rec2(s) = true . eq empty?(fifo1(s)) = false . -- eq get(fifo1(s)) = pfifo1 @ (pair1 | pair2 | pfifo2) . -- facts eq (fifo1(s) = top(fifo1(s)) | (pfifo1 @ (pair1 | pair2 | pfifo2))) = true . -- successor state eq s' = rec2(s) . -- check if the predicate is true. red inv200(s,pair1,pair2,pair3,(top(fifo1(s)) | pfifo1),pfifo2) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- -- 4.2) c-rec2(s) open ISTEP -- arbitrary objects -- assumptions eq c-rec2(s) = false . -- successor state eq s' = rec2(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> 5) drop1(s) -- 5.1) c-drop1(s) open ISTEP -- arbitrary objects -- assumptions -- eq c-drop1(s) = true . eq empty?(fifo1(s)) = false . -- eq (get(fifo1(s)) = pfifo1 @ (pair1 | pair2 | pfifo2)) = false . -- successor state eq s' = drop1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions -- eq c-drop1(s) = true . eq empty?(fifo1(s)) = false . -- eq get(fifo1(s)) = pfifo1 @ (pair1 | pair2 | pfifo2) . -- facts eq (fifo1(s) = top(fifo1(s)) | (pfifo1 @ (pair1 | pair2 | pfifo2))) = true . -- successor state eq s' = drop1(s) . -- check if the predicate is true. red inv200(s,pair1,pair2,pair3,(top(fifo1(s)) | pfifo1),pfifo2) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- -- 5.2) not c-drop1(s) open ISTEP -- arbitrary objects -- assumptions eq c-drop1(s) = false . -- successor state eq s' = drop1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> 6) dup1(s) -- 6.1) c-dup1(s) open ISTEP -- arbitrary objects -- assumptions -- eq c-dup1(s) = true . eq empty?(fifo1(s)) = false . -- eq (top(fifo1(s)) | fifo1(s) = pfifo1 @ (pair1 | pair2 | pfifo2)) = false . -- successor state eq s' = dup1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects -- assumptions -- eq c-dup1(s) = true . eq empty?(fifo1(s)) = false . -- eq top(fifo1(s)) | fifo1(s) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq pfifo1 = empty . -- facts eq pair1 = pair2 . -- successor state eq s' = dup1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- open ISTEP -- arbitrary objects op pair10 : -> Pair . op pfifo10 : -> PFifo . -- assumptions -- eq c-dup1(s) = true . eq empty?(fifo1(s)) = false . -- eq top(fifo1(s)) | fifo1(s) = pfifo1 @ (pair1 | pair2 | pfifo2) . eq pfifo1 = pair10 | pfifo10 . -- facts eq fifo1(s) = pfifo10 @ (pair1 | pair2 | pfifo2) . -- successor state eq s' = dup1(s) . -- check if the predicate is true. red inv200(s,pair1,pair2,pair3,pfifo10,pfifo2) implies istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- -- 6.2) not c-dup1(s) open ISTEP -- arbitrary objects -- assumptions eq c-dup1(s) = false . -- successor state eq s' = dup1(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> 7) drop2(s) -- 7.1) c-drop2(s) open ISTEP -- arbitrary objects -- assumptions -- eq c-drop2(s) = true . eq empty?(fifo2(s)) = false . -- successor state eq s' = drop2(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- -- 7.2) not c-drop2(s) open ISTEP -- arbitrary objects -- assumptions eq c-drop2(s) = false . -- successor state eq s' = drop2(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> 8) dup2(s) -- 8.1) c-dup2(s) open ISTEP -- arbitrary objects -- assumptions -- eq c-dup2(s) = true . eq empty?(fifo2(s)) = false . -- successor state eq s' = dup2(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close -- -- 8.2) not c-dup2(s) open ISTEP -- arbitrary objects -- assumptions eq c-dup2(s) = false . -- successor state eq s' = dup2(s) . -- check if the predicate is true. red istep200(pair1,pair2,pair3,pfifo1,pfifo2) . close --> Q.E.D.