-
Notifications
You must be signed in to change notification settings - Fork 200
/
EWD840_proof.tla
84 lines (79 loc) · 3.48 KB
/
EWD840_proof.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
---------------------------- MODULE EWD840_proof ----------------------------
(***************************************************************************)
(* This module contains the proof of the safety properties of Dijkstra's *)
(* termination detection algorithm. Checking the proof requires TLAPS to *)
(* be installed. *)
(***************************************************************************)
EXTENDS EWD840, TLAPS
(***************************************************************************)
(* The algorithm is type-correct: TypeOK is an inductive invariant. *)
(***************************************************************************)
LEMMA TypeCorrect == Spec => []TypeOK
<1>1. Init => TypeOK
BY DEF Init, TypeOK, Color
<1>2. TypeOK /\ [Next]_vars => TypeOK'
<2> SUFFICES ASSUME TypeOK,
[Next]_vars
PROVE TypeOK'
OBVIOUS
<2>. USE NAssumption DEF TypeOK, Node, Color
<2>1. CASE InitiateProbe
BY <2>1 DEF InitiateProbe
<2>2. ASSUME NEW i \in Node \ {0},
PassToken(i)
PROVE TypeOK'
BY <2>2 DEF PassToken
<2>3. ASSUME NEW i \in Node,
SendMsg(i)
PROVE TypeOK'
BY <2>3 DEF SendMsg
<2>4. ASSUME NEW i \in Node,
Deactivate(i)
PROVE TypeOK'
BY <2>4 DEF Deactivate
<2>5. CASE UNCHANGED vars
BY <2>5 DEF vars
<2>. QED
BY <2>1, <2>2, <2>3, <2>4, <2>5 DEF Environment, Next, System
<1>. QED BY <1>1, <1>2, PTL DEF Spec
(***************************************************************************)
(* Prove the main soundness property of the algorithm by (1) proving that *)
(* Inv is an inductive invariant and (2) that it implies correctness. *)
(***************************************************************************)
THEOREM Safety == Spec => []TerminationDetection
<1>1. Init => Inv
BY NAssumption DEF Init, Inv, Node
<1>2. TypeOK /\ Inv /\ [Next]_vars => Inv'
BY NAssumption
DEF TypeOK, Inv, Next, vars, Node, Color,
System, Environment, InitiateProbe, PassToken, SendMsg, Deactivate
<1>3. Inv => TerminationDetection
BY NAssumption DEF Inv, TerminationDetection, terminationDetected, Node
<1>. QED
BY <1>1, <1>2, <1>3, TypeCorrect, PTL DEF Spec
(***************************************************************************)
(* Step <1>3 of the above proof shows that Dijkstra's invariant implies *)
(* TerminationDetection. If you find that one-line proof too obscure, here *)
(* is a more detailed, hierarchical proof of that same implication. *)
(***************************************************************************)
LEMMA Inv => TerminationDetection
<1>1. SUFFICES ASSUME tpos = 0, tcolor = "white",
color[0] = "white", ~ active[0],
Inv
PROVE \A i \in Node : ~ active[i]
BY <1>1 DEF TerminationDetection, terminationDetected
<1>2. ~ Inv!P2 BY tcolor = "white" DEF Inv
<1>3. ~ Inv!P1 BY <1>1 DEF Inv
<1>. QED
<2>1. Inv!P0 BY Inv, <1>2, <1>3 DEF Inv
<2>. TAKE i \in Node
<2>3. CASE i = 0 BY <2>1, <1>1, <2>3
<2>4. CASE i \in 1 .. N-1
<3>1. tpos < i BY tpos=0, <2>4, NAssumption
<3>2. i < N BY NAssumption, <2>4
<3>. QED BY <3>1, <3>2, <2>1
<2>. QED BY <2>3, <2>4 DEF Node
=============================================================================
\* Modification History
\* Last modified Thu Jan 21 16:13:02 CET 2021 by merz
\* Created Mon Sep 09 11:33:10 CEST 2013 by merz