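-- ========================================================================
-- QLOCK Proof score for invariant properties
-- the third verification condition
-- ========================================================================
-- ========================================================================
require qlock-prop
-- ========================================================================
-- IINVcheck: candidate inductive invariant and its stability checker.
-- Stability is discharged below by a case analysis over the three
-- transition rules (wt, ty, exc); each case is split until every
-- reduction of check-iinv returns true.
mod IINVcheck {ex(MX + HQ=C) inc(RWL)
-- possible inductive invariant predicate on State
pred iinv : State .
eq iinv(S:State) = ((mx S) and (hq=c S)) .
-- iinv is stable (i.e. is preserved through any transition)
pred stable-iinv : State State .
eq stable-iinv(S:State,SS:State) = (iinv(S) implies iinv(SS)) .
-- information constructor [Infom]
-- records source state, successor, rule condition and stability verdict
-- for any counterexample the search in check-iinv finds
op (ifm _ _ _ _) : State State Bool Bool -> Infom {constr}
-- predicate used in check-iinv
-- (CC then B) is B when the rule condition CC holds and true otherwise:
-- a disabled transition cannot break stability
pred _then _ : Bool Bool .
eq (true then B:Bool) = B .
eq (false then B:Bool) = true .
-- predicate for checking that iinv is stable
-- check-iinv(S) reduces to true iff no one-step successor SS of S
-- (under rule condition CC) violates (CC then stable-iinv(S,SS));
-- the search =(*,1)=>+ tries every applicable transition rule once
pred check-iinv : State .
eq check-iinv(S:State) =
   not(S =(*,1)=>+ SS:State if CC:Bool
       suchThat not((CC then stable-iinv(S,SS)) == true)
       {(ifm S SS CC stable-iinv(S,SS))}) .
-- arbitrary constants; fresh constants
ops aq : -> Aq .
ops as1 as2 as3 : -> As .
ops a a1 a2 a3 : -> Aid .
-- Aid literals [AidLt < Aid]
-- an equation for literals of sort AidLt
-- equality of literals is decided syntactically (==), so the distinct
-- literals b, b1, b2, b3 denote pairwise different agent ids
eq (B1:AidLt = B2:AidLt) = (B1 == B2) .
-- arbitrary Aid literals
ops b b1 b2 b3 : -> AidLt .
}
-- ========================================================================
-- three state patterns in the left-hand-side of the three trans rules
-- wt:  [AQ:Aq r (A1:Aid AS1:As) w AS2:As c AS3:As]
-- ty:  [(A:Aid | AQ:Aq) r AS1:As w (A AS2:As) c AS3:As]
-- exc: [(A:Aid | AQ:Aq) r AS1:As w AS2:As c (A3:Aid AS3:As)]
-- ========================================================================
-- The "** successful" / "** not successful" lines below are the author's
-- recorded observations, not machine-checked results: a case is
-- discharged only when every "red check-iinv(...)" prints true.
-- ========================================================================
--> wt: [AQ:Aq r (A1:Aid AS1:As) w AS2:As c AS3:As]
-- ========================================================================
mod WTcoverSet1 {ex(IINVcheck)
op s-wt-0 : -> State .
eq s-wt-0 = [aq r (a1 as1) w as2 c as3] .
}
open WTcoverSet1 .
  pr(WT)
  red check-iinv(s-wt-0) .
close
** not successful
-- the queue aq is split into the empty queue and a non-empty queue
mod WTcoverSet2 {ex(IINVcheck)
ops s-wt-01 s-wt-02 : -> State .
eq s-wt-01 = [empQ r (a1 as1) w as2 c as3] .
eq s-wt-02 = [(a | aq) r (a1 as1) w as2 c as3] .
**> s-wt-01 and s-wt-02 cover s-wt-0
}
open WTcoverSet2 .
  pr(WT)
  red check-iinv(s-wt-01) .
  red check-iinv(s-wt-02) .
close
** successful
-- ========================================================================
--> ty: [(A:Aid | AQ:Aq) r AS1:As w (A AS2:As) c AS3:As]
-- ========================================================================
mod TYcoverSet1 {ex(IINVcheck)
op s-ty-0 : -> State .
eq s-ty-0 = [(b | aq) r as1 w (b as2) c as3] .
}
open TYcoverSet1 .
  pr(TY)
  red check-iinv(s-ty-0) .
close
** not successful
-- the cs set as3 is split into: empty, containing b, containing some b3
mod TYcoverSet2 {ex(IINVcheck)
ops s-ty-01 s-ty-02 s-ty-03 : -> State .
eq s-ty-01 = [(b | aq) r as1 w (b as2) c empS] .
eq s-ty-02 = [(b | aq) r as1 w (b as2) c (b as3)] .
eq s-ty-03 = [(b | aq) r as1 w (b as2) c (b3 as3)] .
**> s-ty-01, s-ty-02, and s-ty-03 cover s-ty-0
}
open TYcoverSet2 .
  pr(TY)
  red check-iinv(s-ty-01) .
  red check-iinv(s-ty-02) .
  red check-iinv(s-ty-03) .
close
** successful
-- ========================================================================
--> exc: [(A:Aid | AQ:Aq) r AS1:As w AS2:As c (A3:Aid AS3:As)]
-- ========================================================================
mod EXCcoverSet1 {ex(IINVcheck)
op s-exc-0 : -> State .
eq s-exc-0 = [(a | aq) r as1 w as2 c (a3 as3)] .
}
open EXCcoverSet1 .
  pr(EXC)
  red check-iinv(s-exc-0) .
close
** not successful
-- the cs set is split on whether its first element is the queue head b
mod EXCcoverSet2 {ex(IINVcheck)
ops s-exc-01 s-exc-02 : -> State .
eq s-exc-01 = [(b | aq) r as1 w as2 c (b as3)] .
eq s-exc-02 = [(b | aq) r as1 w as2 c (b3 as3)] .
**> s-exc-01 and s-exc-02 cover s-exc-0
}
open EXCcoverSet2 .
  pr(EXC)
-- fact to be used (its own proof score is given at the end of this file)
  eq ((AS:As =< empS) and (mx AS)) = (AS =< empS) .
--
-- NOTE(review): in the collapsed source the "--" above directly preceded
-- "red check-iinv(s-exc-01)", so that reduction may have been commented
-- out; both reductions are kept active here because the cover claim
-- needs both sub-cases discharged.
  red check-iinv(s-exc-01) .
  red check-iinv(s-exc-02) .
close
** successful
-- ========================================================================
-- proof score for the fact to be used
-- eq ((AS:As =< empS) and (mx AS)) = (AS =< empS) .
-- case split on AS: the empty set and a non-empty set (a1 as1)
open IINVcheck .
  red ((empS =< empS) and (mx empS)) = (empS =< empS) .
  red (((a1 as1) =< empS) and (mx (a1 as1))) = ((a1 as1) =< empS) .
close
-- ========================================================================
eof
-- ========================================================================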