@@ -1022,13 +1022,13 @@ ASSUME ValueNonempty == Value # {}
10221022LEMMA FiniteSetHasMax ==
10231023 ASSUME NEW S \in SUBSET Int , IsFiniteSet ( S ) , S # { }
10241024 PROVE \E max \in S : \A x \in S : max >= x
1025- < 1 > DEFINE P ( T ) == T \in SUBSET Int /\ T # { } => \E max \in T : \A x \in T : max >= x
1025+ < 1 > DEFINE P ( T ) == T # { } => \E max \in T : \A x \in T : max >= x
10261026< 1 > 1 . P ( { } )
10271027 OBVIOUS
1028- < 1 > 2 . ASSUME NEW T , NEW x , P ( T ) , x \notin T
1028+ < 1 > 2 . ASSUME NEW T \in SUBSET S , P ( T ) , NEW x \in S \ T
10291029 PROVE P ( T \cup { x } )
10301030 BY < 1 > 2
1031- < 1 > 3 . \A T : IsFiniteSet ( T ) => P ( T )
1031+ < 1 > 3 . P ( S )
10321032 < 2 > HIDE DEF P
10331033 < 2 > QED BY < 1 > 1 , < 1 > 2 , FS_Induction , IsaM ( "blast" )
10341034< 1 > QED BY < 1 > 3 , Zenon
@@ -1150,50 +1150,6 @@ LiveSpec == Spec /\ LiveAssumption
11501150(************************************************************************** *)
11511151-----------------------------------------------------------------------------
11521152(* **************************************************************************)
1153- (* Here are two temporal-logic proof rules. Their validity is obvious *)
1154- (* when you understand what they mean. *)
1155- (************************************************************************** *)
1156- THEOREM AlwaysForall ==
1157- ASSUME NEW CONSTANT S , NEW TEMPORAL P ( _ )
1158- PROVE ( \A s \in S : [] P ( s ) ) <=> [] ( \A s \in S : P ( s ) )
1159- OBVIOUS
1160-
1161- LEMMA EventuallyAlwaysForall ==
1162- ASSUME NEW CONSTANT S , IsFiniteSet ( S ) ,
1163- NEW TEMPORAL P ( _ )
1164- PROVE ( \A s \in S : <> [] P ( s ) ) => <> [] ( \A s \in S : P ( s ) )
1165- < 1 > DEFINE A ( x ) == <> [] P ( x )
1166- L ( T ) == \A s \in T : A ( s )
1167- R ( T ) == \A s \in T : P ( s )
1168- Q ( T ) == L ( T ) => <> [] R ( T )
1169- < 1 > 1 . Q ( { } )
1170- < 2 > 1 . R ( { } ) OBVIOUS
1171- < 2 > 2 . <> [] R ( { } ) BY < 2 > 1 , PTL
1172- < 2 > QED BY < 2 > 2
1173- < 1 > 2 . ASSUME NEW T , NEW x
1174- PROVE Q ( T ) => Q ( T \cup { x } )
1175- < 2 > 1 . L ( T \cup { x } ) => A ( x )
1176- < 3 > HIDE DEF A
1177- < 3 > QED OBVIOUS
1178- < 2 > 2 . L ( T \cup { x } ) /\ Q ( T ) => <> [] R ( T )
1179- OBVIOUS
1180- < 2 > 3 . <> [] R ( T ) /\ A ( x ) => <> [] ( R ( T ) /\ P ( x ) )
1181- BY PTL
1182- < 2 > 4 . R ( T ) /\ P ( x ) => R ( T \cup { x } )
1183- OBVIOUS
1184- < 2 > 5 . <> [] ( R ( T ) /\ P ( x ) ) => <> [] R ( T \cup { x } )
1185- BY < 2 > 4 , PTL
1186- < 2 > QED
1187- BY < 2 > 1 , < 2 > 2 , < 2 > 3 , < 2 > 5
1188- < 1 > HIDE DEF Q
1189- < 1 > 3 . \A T : IsFiniteSet ( T ) => Q ( T )
1190- BY < 1 > 1 , < 1 > 2 , FS_Induction , IsaM ( "blast" )
1191- < 1 > 4 . Q ( S )
1192- BY < 1 > 3
1193- < 1 > QED
1194- BY < 1 > 4 DEF Q
1195- -----------------------------------------------------------------------------
1196- (* **************************************************************************)
11971153(* Here is our proof that LiveSpec implements the specification LiveSpec *)
11981154(* of module Consensus under our refinement mapping. *)
11991155(************************************************************************** *)
@@ -1257,7 +1213,6 @@ THEOREM Liveness == LiveSpec => C!LiveSpec
12571213 <> [] ( \A self \in Q : maxBal [ self ] = b )
12581214 < 2 > DEFINE MB ( s ) == maxBal [ s ] = b
12591215 < 2 > 0 . ( \A self \in Q : <> [] MB ( self ) ) => <> [] ( \A self \in Q : MB ( self ) )
1260- \* BY <1>a, EventuallyAlwaysForall \* fails, even when hiding the definition of MB
12611216 < 3 > HIDE DEF MB
12621217 < 3 > DEFINE A ( x ) == <> [] MB ( x )
12631218 L ( T ) == \A self \in T : A ( self ) \* NB: changing the names of the bound vars makes the QED step fail!
@@ -1281,11 +1236,9 @@ THEOREM Liveness == LiveSpec => C!LiveSpec
12811236 BY < 4 > 4 , PTL
12821237 < 4 > QED BY < 4 > 1 , < 4 > 2 , < 4 > 3 , < 4 > 5
12831238 < 3 > HIDE DEF I
1284- < 3 > 3 . \A T : IsFiniteSet ( T ) => I ( T )
1285- BY < 3 > 1 , < 3 > 2 , FS_Induction , IsaM ( "blast" )
1286- < 3 > 4 . I ( Q )
1287- BY < 1 > a , < 3 > 3
1288- < 3 > QED BY < 3 > 4 DEF I
1239+ < 3 > 3 . I ( Q )
1240+ BY < 1 > a , < 3 > 1 , < 3 > 2 , FS_Induction , IsaM ( "blast" )
1241+ < 3 > QED BY < 3 > 3 DEF I
12891242 < 2 > 1 . SUFFICES ASSUME NEW self \in Q
12901243 PROVE Spec /\ LiveAssumption ! ( Q , b ) => <> [] MB ( self )
12911244 BY < 2 > 0 , Isa
@@ -1481,7 +1434,6 @@ THEOREM Liveness == LiveSpec => C!LiveSpec
14811434 < 3 > 4 . QED
14821435 BY < 3 > 2 , < 3 > 3 , PTL
14831436 < 2 > 4 . ( \A self \in Q : <> [] Voted ( self ) ) => <> [] ( \A self \in Q : Voted ( self ) )
1484- \* again, we need to redo the proof instead of using lemma EventuallyAlwaysForall
14851437 < 3 > DEFINE A ( x ) == <> [] Voted ( x )
14861438 L ( T ) == \A self \in T : A ( self )
14871439 R ( T ) == \A self \in T : Voted ( self )
@@ -1504,11 +1456,9 @@ THEOREM Liveness == LiveSpec => C!LiveSpec
15041456 BY < 4 > 4 , PTL
15051457 < 4 > QED BY < 4 > 1 , < 4 > 2 , < 4 > 3 , < 4 > 5
15061458 < 3 > HIDE DEF I
1507- < 3 > 3 . \A T : IsFiniteSet ( T ) => I ( T )
1508- BY < 3 > 1 , < 3 > 2 , FS_Induction , IsaM ( "blast" )
1509- < 3 > 4 . I ( Q )
1510- BY < 1 > a , < 3 > 3
1511- < 3 > QED BY < 3 > 4 DEF I
1459+ < 3 > 3 . I ( Q )
1460+ BY < 1 > a , < 3 > 1 , < 3 > 2 , FS_Induction , IsaM ( "blast" )
1461+ < 3 > QED BY < 3 > 3 DEF I
15121462 < 2 > QED
15131463 BY < 2 > 1 , VT2 , < 2 > 2 , < 2 > 3 , < 2 > 4 , PTL
15141464
0 commit comments