Proofs of the invariant Lemmas 3 and 4 and the refinement Proposition 1 from the paper Root Contention in IEEE 1394 by Marielle Stoelinga and Frits Vaandrager. Version 1/1/99

Proof Lemma 3
-------------

Suppose s satisfies assertions (3)-(19) and s --SEND(i,m)--> s'.

0  s |= snt_i = empty  (pre SEND)
1  Assume m = req
  1.1  s |= rec_i = empty  (pre SEND)
  1.2  Assume s |= msg_ij =/= empty
    1.2.1  s |= msg_ij = req  (0 + INV18)
    1.2.2  s |= x_i <= x_ij  (INV15)
    1.2.3  s |= x_ij <= Gamma  (INV9)
    1.2.4  s |= delta_i <= x_i  (pre SEND)
    1.2.5  s |= delta_fast <= delta_i <= x_i <= x_ij <= Gamma
    1.2.6  Contradiction with assumption (1)
  1.3  s |= msg_ij = empty
2  Assume m = ack
  2.1  s |= rec_i =/= empty  (pre SEND)
  2.2  Assume s |= msg_ij =/= empty
    2.2.1  s |= msg_ij = req  (0 + INV18)
    2.2.2  s |= snt_i = req  (INV14)
    2.2.3  Contradiction with (0)
  2.3  s |= msg_ij = empty
3  s |= msg_ij = empty  (1 + 2)
4  Assume s |= Cont(j)
  4.1  s |= x_i <= Gamma  (INV11)
  4.2  s |= delta_i <= x_i  (pre SEND)
  4.3  s |= delta_fast <= delta_i <= x_i <= Gamma
  4.4  Contradiction with assumption (1)
5  s |= not Cont(j)
6  s |= rec_j =/= ack  (0 + INV17)
7  Assume s |= rec_j = req
  7.1  s |= snt_j =/= req  (5)
  7.2  s |= snt_j =/= ack  (0 + INV19)
  7.3  s |= snt_j =/= empty  (0 + INV16)
  7.4  Contradiction
8  s |= rec_j = empty  (6 + 7)
9  Assume m = req
  9.1  Assume s |= msg_ji = empty
    9.1.1  s |= snt_j = empty  (5 + INV13)
    9.1.2  s' |= not Cont(i) /\ not Cont(j)
  9.2  Assume s |= msg_ji =/= empty
    9.2.1  s |= msg_ji = req  (0 + INV18, 19)
    9.2.2  s |= snt_j =/= empty  (0, 8, 9.2.1, INV15)
    9.2.3  s |= snt_j = req  (0 + INV19)
    9.2.4  s' |= Cont(i) /\ Cont(j)
  9.3  s' |= Cont(i) <=> Cont(j)
10  Assume m = ack
  10.1  s' |= snt_i = ack /\ msg_ij = ack /\ rec_j = empty  (8, 10, eff SEND)
  10.2  s' |= not Cont(i) /\ not Cont(j)
  10.3  s' |= Cont(i) <=> Cont(j)
11  s' |= Cont(i) <=> Cont(j)  (9 + 10)
12  QED  (3, 8, 11)

Proof Lemma 4
-------------

Invariants (3)-(9) are local for the component automata and easy to prove. We prove invariants (10)-(19) simultaneously by induction.

For the base case, we only have to check that assertions (10)-(19) hold for the initial state, which is easy. For the induction case, suppose that s is a reachable state that satisfies assertions (10)-(19) and has an outgoing step s --a--> s'. We prove that s' satisfies assertions (10)-(19) via a case distinction on a.

1  a = FLIP(k)
  1.1  s |= status_k = unknown /\ snt_k = rec_k = req  (pre FLIP)
  1.2  s' |= status_k = unknown /\ snt_k = rec_k = empty /\ x_k = 0  (eff FLIP)
  1.3  Assume k = i
    1.3.1  Assume s |= Cont(j)
      1.3.1.1  s' |= Cont(j)
      1.3.1.2  s' |= INV10
    1.3.2  Assume s |= not Cont(j)
      1.3.2.1  s |= x_j <= Gamma  (INV11)
      1.3.2.2  s' |= x_j <= Gamma  (eff FLIP)
      1.3.2.3  s' |= |x_i - x_j| <= Gamma
      1.3.2.4  s' |= INV10
    1.3.3  s' |= INV10
    1.3.4  s' |= INV11
    1.3.5  s' |= INV12  (FLIP(i) does not modify any variable that occurs in the invariant)
    1.3.6  s' |= INV13  (s' |= snt_i = empty)
    1.3.7  s' |= INV14  (s' |= Wait(i))
    1.3.8  Assume s |= Cont(j)
      1.3.8.1  s' |= Cont(j)
      1.3.8.2  s' |= snt_j = req /\ x_i <= x_ij  (s' |= x_i = 0, INV8)
      1.3.8.3  s' |= INV15
    1.3.9  Assume s |= not Cont(j)
      1.3.9.1  s |= msg_ij = empty  (INV11)
      1.3.9.2  s' |= msg_ij = empty
      1.3.9.3  s' |= INV15
    1.3.10  s' |= INV15
    1.3.11  s' |= INV16  (s' |= rec_i = empty)
    1.3.12  s' |= INV17  (s' |= rec_i = empty)
    1.3.13  s |= msg_ij =/= ack  (INV18)
    1.3.14  s' |= msg_ij =/= ack
    1.3.15  s' |= INV18
    1.3.16  s' |= INV19  (s' |= snt_i = empty)
  1.4  Assume k = j
    1.4.1  Assume s |= Cont(i)
      1.4.1.1  s' |= Cont(i)
      1.4.1.2  s' |= INV10
    1.4.2  Assume s |= not Cont(i)
      1.4.2.1  s |= x_i <= Gamma  (INV11)
      1.4.2.2  s' |= x_i <= Gamma  (eff FLIP)
      1.4.2.3  s' |= |x_i - x_j| <= Gamma
      1.4.2.4  s' |= INV10
    1.4.3  s' |= INV10
    1.4.4  s |= msg_ij = empty  (INV12)
    1.4.5  s' |= msg_ij = empty
    1.4.6  s' |= Wait(j) /\ x_j <= Gamma
    1.4.7  s' |= INV11
    1.4.8  s' |= INV12  (1.4.5)
    1.4.9  Assume s |= Cont(i)
      1.4.9.1  s' |= Cont(i)
      1.4.9.2  s' |= INV13
    1.4.10  Assume s |= not Cont(i)
      1.4.10.1  s |= snt_i = empty  (INV11)
      1.4.10.2  s' |= snt_i = empty
      1.4.10.3  s' |= INV13
    1.4.11  s' |= INV13
    1.4.12  s' |= INV14  (1.4.5)
    1.4.13  s' |= INV15  (1.4.5)
    1.4.14  s |= not (snt_i = empty /\ rec_i = req)  (INV16)
    1.4.15  s' |= not (snt_i = empty /\ rec_i = req)
    1.4.16  s' |= INV16
    1.4.17  s |= rec_i =/= ack  (INV17)
    1.4.18  s' |= rec_i =/= ack
    1.4.19  s' |= INV17
    1.4.20  s' |= INV18  (1.4.5)
    1.4.21  s |= snt_i =/= ack  (INV19)
    1.4.22  s' |= snt_i =/= ack
    1.4.23  s' |= INV19
  1.5  s' |= INV10-19
2  a = TIME(d)
  2.1  s' |= INV10, INV12-19  (s |= INV10, INV12-19, eff TIME)
  2.2  Assume s |= not (Cont(i) /\ not Cont(j))
    2.2.1  s' |= not (Cont(i) /\ not Cont(j))
    2.2.2  s' |= INV11
  2.3  Assume s |= Cont(i) /\ not Cont(j)
    2.3.1  s |= status_i = unknown  (INV6, INV7, INV12)
    2.3.2  s |= not (snt_i = rec_i = req)  (pre TIME)
    2.3.3  s |= msg_ji = req
    2.3.4  s |= Wait(j) /\ msg_ij = empty  (INV11)
    2.3.5  s |= x_j <= x_ji  (INV15)
    2.3.6  s |= x_ji + d <= Gamma  (pre TIME for Wire_ji)
    2.3.7  s |= x_j + d <= Gamma  (2.3.5, 2.3.6)
    2.3.8  s' |= x_j <= Gamma  (eff TIME)
    2.3.9  s' |= Wait(j) /\ msg_ij = empty  (2.3.4)
    2.3.10  s' |= INV11
3  a = SEND(k,req), let l =/= k
  3.1  s |= status_k = unknown /\ snt_k = rec_k = empty /\ x_k >= delta_k  (pre SEND)
  3.2  s |= msg_kl = rec_l = empty  (Lemma 3)
  3.3  s' |= status_k = unknown /\ snt_k = req /\ rec_k = empty /\ x_k >= delta_k /\ msg_kl = req /\ x_kl = 0  (eff SEND)
  3.4  s' |= Cont(k) <=> Cont(l)  (Lemma 3)
  3.5  Assume k = i
    3.5.1  s |= |x_i - x_j| <= Gamma  (INV10)
    3.5.2  s' |= |x_i - x_j| <= Gamma
    3.5.3  s' |= INV10
    3.5.4  s' |= INV11  (3.4)
    3.5.5  s' |= rec_j = empty  (3.2)
    3.5.6  s' |= INV12
    3.5.7  s' |= INV13  (s' |= msg_ij = req)
    3.5.8  s |= snt_j =/= ack  (INV19 and s |= snt_i = empty)
    3.5.9  s' |= snt_j =/= ack
    3.5.10  s |= x_i <= Delta_i  (3.1, INV4)
    3.5.11  s' |= x_i <= Delta_i
    3.5.12  s' |= snt_i = req /\ delta_i <= x_i - x_ij <= Delta_i  (3.3, 3.5.11)
    3.5.13  s' |= INV14
    3.5.14  s' |= INV15  (s' |= not Wait(i))
    3.5.15  s' |= INV16  (s' |= snt_i = req)
    3.5.16  s' |= INV17  (s' |= rec_i = empty)
    3.5.17  s' |= INV18  (s' |= msg_ij = req)
    3.5.18  s' |= INV19  (s' |= snt_i = req)
  3.6  Assume k = j
    3.6.1  s |= |x_i - x_j| <= Gamma  (INV10)
    3.6.2  s' |= |x_i - x_j| <= Gamma
    3.6.3  s' |= INV10
    3.6.4  s' |= INV11  (3.4)
    3.6.5  s' |= INV12  (s' |= rec_j = empty)
    3.6.6  Assume s |= snt_i = empty
      3.6.6.1  s' |= snt_i = empty
      3.6.6.2  s' |= INV13
    3.6.7  Assume s |= snt_i =/= empty
      3.6.7.1  s |= snt_i = req  (INV19)
      3.6.7.2  s' |= Cont(i)
      3.6.7.3  s' |= INV13
    3.6.8  s' |= INV13
    3.6.9  s' |= INV14  (the predicate snt_j =/= ack is unchanged by the action, and the other variables mentioned in the invariant remain unchanged)
    3.6.10  s |= not (msg_ij = req /\ Wait(i))  (INV15)
    3.6.11  s' |= not (msg_ij = req /\ Wait(i))
    3.6.12  s' |= INV15
    3.6.13  s' |= rec_i = empty  (Lemma 3 + eff SEND)
    3.6.14  s' |= INV16
    3.6.15  s' |= INV17  (3.6.13)
    3.6.16  s |= msg_ij =/= ack  (INV18, 19)
    3.6.17  s' |= msg_ij =/= ack
    3.6.18  s' |= INV18
    3.6.19  s |= snt_i =/= ack  (INV19)
    3.6.20  s' |= snt_i =/= ack
    3.6.21  s' |= INV19
  3.7  s' |= INV10-19
4  a = SEND(k,ack), let l =/= k
  4.1  s |= status_k = unknown /\ snt_k = empty /\ rec_k = req /\ x_k >= delta_k  (pre SEND, INV17, 19)
  4.2  s |= msg_kl = rec_l = empty  (Lemma 3)
  4.3  s' |= status_k = unknown /\ snt_k = ack /\ rec_k = req /\ x_k >= delta_k /\ msg_kl = ack /\ x_kl = 0  (eff SEND)
  4.4  s |= not Cont(k) /\ not Cont(l)  (4.1, 4.2)
  4.5  s' |= Cont(k) <=> Cont(l)  (Lemma 3)
  4.6  Assume k = i
    4.6.1  s |= |x_i - x_j| <= Gamma  (INV10)
    4.6.2  s' |= |x_i - x_j| <= Gamma
    4.6.3  s' |= INV10
    4.6.4  s' |= INV11  (4.5)
    4.6.5  s' |= rec_j = empty  (4.2 + eff SEND)
    4.6.6  s' |= INV12
    4.6.7  s' |= INV13  (4.3)
    4.6.8  s' |= INV14  (4.3)
    4.6.9  s' |= INV15  (4.3)
    4.6.10  s' |= INV16  (s' |= snt_i = ack)
    4.6.11  s' |= INV17  (4.3)
    4.6.12  s' |= INV18  (4.3)
    4.6.13  s |= snt_j = req /\ x_j >= delta_j  (INV16)
    4.6.14  s' |= snt_j = req /\ x_j >= delta_j
    4.6.15  s' |= INV19
  4.7  Assume k = j
    4.7.1  s |= |x_i - x_j| <= Gamma  (INV10)
    4.7.2  s' |= |x_i - x_j| <= Gamma
    4.7.3  s' |= INV10
    4.7.4  s' |= INV11  (4.5)
    4.7.5  s |= rec_j = req  (4.1)
    4.7.6  s |= msg_ij = empty  (INV12)
    4.7.7  s' |= msg_ij = empty
    4.7.8  s' |= INV12
    4.7.9  s' |= INV13  (s' |= rec_j = req)
    4.7.10  s' |= INV14  (4.7.7)
    4.7.11  s' |= INV15  (4.7.7)
    4.7.12  s' |= rec_i = empty  (4.2 + eff SEND)
    4.7.13  s' |= INV16
    4.7.14  s' |= INV17
    4.7.15  s' |= INV18  (4.7.7)
    4.7.16  s |= snt_i =/= ack  (INV19)
    4.7.17  s' |= snt_i =/= ack
    4.7.18  s' |= INV19
  4.8  s' |= INV10-19
5  a = RECEIVE(i,req)
  5.1  s |= msg_ji = req  (pre RECEIVE)
  5.2  s |= rec_i = empty  (INV12)
  5.3  s' |= msg_ji = empty /\ rec_i = req  (eff RECEIVE)
  5.4  s |= Cont(i) <=> s' |= Cont(i), and s |= Cont(j) <=> s' |= Cont(j)  (5.1-5.3)
  5.5  s.x_i = s'.x_i /\ s.x_j = s'.x_j  (eff RECEIVE)
  5.6  s' |= INV10  (5.4, 5.5)
  5.7  s' |= INV11  (similar argument)
  5.8  s' |= INV12  (state variables unaffected)
  5.9  s' |= INV13  (state variables and predicate Cont(i) unaffected)
  5.10  Assume s |= msg_ij = req /\ Wait(i)
    5.10.1  s |= snt_j = req  (INV15)
    5.10.2  s |= Cont(j) /\ not Cont(i)
    5.10.3  s |= msg_ji = empty  (INV11)
    5.10.4  Contradiction with 5.1
  5.11  Assume s |= msg_ij =/= req
    5.11.1  s' |= msg_ij =/= req
    5.11.2  s' |= INV14
  5.12  Assume s |= msg_ij = req /\ not Wait(i)
    5.12.1  s |= rhs of INV14
    5.12.2  s' |= rhs of INV14
    5.12.3  s' |= INV14
  5.13  s' |= INV14  (5.10-5.12)
  5.14  s' |= INV15  (5.3)
  5.15  Assume s |= snt_i =/= empty
    5.15.1  s' |= snt_i =/= empty
    5.15.2  s' |= INV16
  5.16  Assume s |= snt_i = empty
    5.16.1  s |= Wait(i)  (5.2)
    5.16.2  s |= not Wait(j)  (5.1, 5.16, INV15)
    5.16.3  s |= snt_j = req /\ delta_j <= x_j  (INV14, INV8)
    5.16.4  s |= rec_j =/= ack  (INV17, 5.16)
    5.16.5  s |= rec_j =/= req  (5.16, 5.16.3, INV11, 5.1)
    5.16.6  s |= rec_j = empty  (5.16.4, 5.16.5)
    5.16.7  s' |= snt_j = req /\ delta_j <= x_j /\ rec_j = empty  (5.16.3, 5.16.6, eff RECEIVE)
    5.16.8  s' |= INV16
  5.17  s' |= INV17  (5.3)
  5.18  s |= msg_ij =/= ack  (INV18, INV19, 5.2)
  5.19  s' |= msg_ij =/= ack  (eff RECEIVE)
  5.20  s' |= INV18
  5.21  s |= snt_i =/= ack  (INV19, 5.2)
  5.22  s' |= snt_i =/= ack
  5.23  s' |= INV19
6  a = RECEIVE(j,req)
  6.1  s |= msg_ij = req  (pre RECEIVE)
  6.2  s |= rec_j = empty  (INV12)
  6.3  s' |= msg_ij = empty /\ rec_j = req  (eff RECEIVE)
  6.4  s' |= INV10  (the action affects neither the variables x_i and x_j nor the predicates Cont(i) and Cont(j))
  6.5  s |= not (Cont(i) /\ not Cont(j))  (INV11 and 6.1)
  6.6  s' |= not (Cont(i) /\ not Cont(j))
  6.7  s' |= INV11
  6.8  s' |= INV12  (6.3)
  6.9  s' |= INV13  (6.3)
  6.10  s' |= INV14  (6.3)
  6.11  s' |= INV15  (6.3)
  6.12  Assume s |= snt_i = empty /\ rec_i = req
    6.12.1  s |= snt_i = req  (INV14)
    6.12.2  Contradiction
  6.13  s |= not (snt_i = empty /\ rec_i = req)
  6.14  s' |= not (snt_i = empty /\ rec_i = req)
  6.15  s' |= INV16
  6.16  s |= rec_i =/= ack  (INV17, 19)
  6.17  s' |= rec_i =/= ack
  6.18  s' |= INV17
  6.19  s' |= INV18  (s' |= msg_ij = empty)
  6.20  s |= snt_i =/= ack  (INV14)
  6.21  s' |= snt_i =/= ack
  6.22  s' |= INV19
7  a = RECEIVE(k,ack), let l =/= k
  7.1  s |= msg_lk = ack  (pre RECEIVE)
  7.2  s |= snt_l = ack  (INV18)
  7.3  s |= rec_l = snt_k = req /\ x_k >= delta_k  (INV19)
  7.4  s |= rec_k = empty  (INV12)
  7.5  s |= msg_kl = empty  (INV12)
  7.6  s |= |x_k - x_l| <= Gamma  (INV10)
  7.7  s' |= snt_k = req /\ rec_k = ack /\ snt_l = ack /\ rec_l = req /\ msg_kl = msg_lk = empty /\ |x_k - x_l| <= Gamma  (eff RECEIVE)
  7.8  Assume k = i
    7.8.1  s' |= INV10
    7.8.2  s' |= INV11
    7.8.3  s' |= INV12
    7.8.4  s' |= INV13
    7.8.5  s' |= INV14
    7.8.6  s' |= INV15
    7.8.7  s' |= INV16
    7.8.8  s' |= INV17
    7.8.9  s' |= INV18
    7.8.10  s' |= INV19
  7.9  Assume k = j
    7.9.1  s' |= INV10
    7.9.2  s' |= INV11
    7.9.3  s' |= INV12
    7.9.4  s' |= INV13
    7.9.5  s' |= INV14
    7.9.6  s' |= INV15
    7.9.7  s' |= INV16
    7.9.8  s' |= INV17
    7.9.9  s' |= INV18
    7.9.10  s' |= INV19
  7.10  s' |= INV10-19
8  a = ROOT(k)
  The only state variable affected by this action is status_k, and this variable does not occur in any of the invariants.
9  a = CHILD(k)
  The only state variable affected by this action is status_k, and this variable does not occur in any of the invariants.

Proof of Proposition 1
----------------------

Let r be the function from states(Impl) to states(I1) that is determined by the predicate stated in the proposition. Function r trivially meets the first condition of a weak probabilistic step refinement, since it maps start states of Impl to start states of I1. For the second condition, suppose that s is a reachable state of Impl and s --a--> P is a step of Impl. We check that r satisfies the condition via a case distinction on a. Let u = r(s).

1  Assume a = FLIP(i). Let P = {0.5 |-> s1, 0.5 |-> s2} such that s1.coin_i = head and s2 = s1[tail/coin_i]. Let u1 = r(s1) and u2 = r(s2).
  1.1  s.status_i = unknown /\ s.snt_i = req /\ s.rec_i = req  (pre FLIP(i))
  1.2  s.status_j = unknown  (1.1 + INV6, 19, 7, 17)
  1.3  u.phase[i] = init  (1.1, 1.2)
  1.4     s1.status_i = s1.status_j = unknown /\ s1.snt_i = s1.rec_i = empty /\ s1.coin_j = s.coin_j
       /\ s1.x_i = 0 /\ s1.x_j = s.x_j /\ s1.x_ij = s.x_ij /\ s1.x_ji = s.x_ji
       /\ s2.status_i = s2.status_j = unknown /\ s2.snt_i = s2.rec_i = empty /\ s2.coin_j = s.coin_j
       /\ s2.x_i = 0 /\ s2.x_j = s.x_j /\ s2.x_ij = s.x_ij /\ s2.x_ji = s.x_ji  (eff FLIP(i))
  1.5  Assume s.Cont(j)
    1.5.1  s1.Cont(j) /\ s2.Cont(j)  (1.5, eff FLIP(i))
    1.5.2  u.phase[j] = init  (1.1, 1.2, 1.5)
    1.5.3  u1.phase[i] = head /\ u1.phase[j] = init /\ u2.phase[i] = tail /\ u2.phase[j] = init  (1.4, 1.5.1)
    1.5.4  u1.x = min(s1.x_ij, s1.x_ji) = min(s.x_ij, s.x_ji) = u.x
        /\ u2.x = min(s2.x_ij, s2.x_ji) = min(s.x_ij, s.x_ji) = u.x
    1.5.5  u --FLIP(i)--> {0.5 |-> u1, 0.5 |-> u2}
    1.5.6  u --FLIP(i)--> r_*(P)
  1.6  Assume not s.Cont(j)
    1.6.1  not s1.Cont(j) /\ not s2.Cont(j)  (1.6, eff FLIP(i))
    1.6.2  u.phase[j] = s.coin_j  (1.1, 1.2, 1.6)
    1.6.3  u1.phase[j] = s1.coin_j = s.coin_j = u.phase[j] /\ u2.phase[j] = s2.coin_j = s.coin_j = u.phase[j]
    1.6.4  u1.phase[i] = s1.coin_i = head /\ u2.phase[i] = s2.coin_i = tail
    1.6.5  u1.x = min(s1.x_i, s1.x_j) = 0 /\ u2.x = min(s2.x_i, s2.x_j) = 0  (1.4 + INV3)
    1.6.6  u --FLIP(i)--> {0.5 |-> u1, 0.5 |-> u2}
    1.6.7  u --FLIP(i)--> r_*(P)
  1.7  u --FLIP(i)--> r_*(P)
2  Assume a = SEND(i,req). Let P = {1 |-> s'} and u' = r(s').
  2.1  s.status_i = unknown /\ s.snt_i = s.rec_i = empty  (pre SEND)
  2.2  s.msg_ij = s.rec_j = empty  (Lemma 3)
  2.3  s.status_j = unknown  (2.1, 2.2, INV6, 19, 7)
  2.4     s'.status_i = s'.status_j = unknown /\ s'.snt_i = req /\ s'.rec_i = s'.rec_j = empty
       /\ s'.coin_i = s.coin_i /\ s'.coin_j = s.coin_j /\ s'.x_i = s.x_i /\ s'.x_j = s.x_j
       /\ s'.msg_ij = req /\ s'.x_ij = 0  (eff SEND)
  2.5  s'.Cont(i) <=> s'.Cont(j)  (Lemma 3)
  2.6  Assume s.msg_ji = empty
    2.6.1  s'.msg_ji = empty
    2.6.2  not s'.Cont(i) /\ not s'.Cont(j)  (2.4, 2.5, 2.6.1)
    2.6.3  u'.phase[i] = s'.coin_i = s.coin_i = u.phase[i] /\ u'.phase[j] = s'.coin_j = s.coin_j = u.phase[j]
        /\ u'.x = min(s'.x_i, s'.x_j) = min(s.x_i, s.x_j) = u.x
    2.6.4  u = u'
  2.7  Assume s.msg_ji =/= empty
    2.7.1  s.msg_ji = req  (2.7, INV18, 19)
    2.7.2  s'.msg_ji = req
    2.7.3  s'.Cont(i) /\ s'.Cont(j)  (2.4, 2.5, 2.7.2)
    2.7.4  u'.phase = constant(init) /\ u'.x = min(s'.x_ij, s'.x_ji) = 0  (2.4, INV8)
    2.7.5  s.x_i >= s.delta_i  (pre SEND)
    2.7.6  s.x_i <= s.Delta_i  (INV4)
    2.7.7  s.snt_j = req  (2.7.3, eff SEND)
    2.7.8  s.delta_j <= s.x_j - s.x_ji <= s.Delta_j  (INV14)
    2.7.9  s.x_ji >= 0  (INV8)
    2.7.10  |s.x_i - s.x_j| <= Gamma  (INV10)
    2.7.11  s.x_ji <= Gamma  (INV9)
    2.7.12  Assume s.coin_i = head /\ s.coin_j = tail
      2.7.12.1  Delta_fast + 2 Gamma = s.Delta_i + 2 Gamma >= s.x_i + 2 Gamma >= s.x_j + Gamma >= s.delta_j = delta_slow  (2.7.6, 2.7.10, 2.7.8, 2.7.9)
      2.7.12.2  Contradiction with assumption (2)
    2.7.13  Assume s.coin_i = tail /\ s.coin_j = head
      2.7.13.1  Delta_fast + 2 Gamma = s.Delta_j + 2 Gamma >= (s.x_j - s.x_ji) + 2 Gamma >= s.x_j + Gamma >= s.x_i >= s.delta_i = delta_slow  (2.7.8, 2.7.11, 2.7.10, 2.7.5)
      2.7.13.2  Contradiction with assumption (2)
    2.7.14  s.coin_i = s.coin_j; let c = s.coin_i
    2.7.15  u.phase = constant(c)
    2.7.16  Assume c = head
      2.7.16.1  u.x = min(s.x_i, s.x_j) >= min(s.delta_i, s.delta_j) = delta_fast
    2.7.17  Assume c = tail
      2.7.17.1  u.x = min(s.x_i, s.x_j) >= min(s.delta_i, s.delta_j) = delta_slow
    2.7.18  u --RETRY(c)--> u'
  2.8  u = u' \/ u --RETRY(c)--> u'
3  Assume a = SEND(i,ack). Let P = {1 |-> s'} and u' = r(s').
  3.1  s.status_i = unknown /\ s.snt_i = empty /\ s.rec_i =/= empty  (pre SEND)
  3.2  s.msg_ij = s.rec_j = empty  (Lemma 3)
  3.3  s.status_j = unknown  (3.1, 3.2, INV6, 19, 7)
  3.4     s'.status_i = s'.status_j = unknown /\ s'.snt_i = ack /\ s'.rec_i =/= empty /\ s'.rec_j = empty
       /\ s'.coin_i = s.coin_i /\ s'.coin_j = s.coin_j /\ s'.x_i = s.x_i /\ s'.x_j = s.x_j /\ s'.msg_ij = ack  (eff SEND)
  3.5  u.phase[i] = s.coin_i /\ u.phase[j] = s.coin_j
  3.6  u'.phase[i] = s'.coin_i /\ u'.phase[j] = s'.coin_j
  3.7  u.phase = u'.phase
  3.8  u.x = min(s.x_i, s.x_j)
  3.9  u'.x = min(s'.x_i, s'.x_j)
  3.10  u.x = u'.x
  3.11  u = u'
4  Assume a = RECEIVE(i,m). Let P = {1 |-> s'} and u' = r(s').
  This action does not modify any of the variables that occur in the predicate determining r, and it leaves the values of the state functions Cont(i) and Cont(j) unchanged. Hence u = u'.
5  Assume a = ROOT(i). Let P = {1 |-> s'} and u' = r(s').
  5.1  s.status_i = unknown /\ s.snt_i = ack  (pre ROOT)
  5.2  s.rec_i = s.snt_j = req /\ s.rec_j =/= req  (INV19)
  5.3  s.status_j =/= root  (INV6)
  5.4  s.msg_ij =/= req  (INV14)
  5.5  u.phase[i] = s.coin_i /\ u.phase[j] = s.coin_j
  5.6  s.x_i >= delta_i  (INV5)
  5.7  s.x_i >= s.x_j - Gamma /\ s.x_j >= s.x_i - Gamma  (INV10)
  5.8  Delta_i >= s.x_i  (INV4)
  5.9  Assume s.coin_i = head /\ s.coin_j = tail
    5.9.1  Delta_fast + 2 Gamma >= Delta_i + 2 Gamma >= s.x_i + 2 Gamma >= s.x_j + Gamma >= delta_slow + Gamma > delta_slow  (5.8, 5.7, INV19)
    5.9.2  Contradiction with assumption (2)
  5.10  not (s.coin_i = head /\ s.coin_j = tail)
  5.11  s'.status_i = root  (eff ROOT)
  5.12  u'.phase[i] = u'.phase[j] = done
  5.13  u.x = min(s.x_i, s.x_j) >= s.x_i - Gamma >= delta_i - Gamma  (5.7, 5.6)
  5.14  s'.snt_i = ack /\ s'.rec_j =/= req /\ s'.status_j =/= root /\ s'.x_i = s.x_i /\ s'.x_j = s.x_j  (5.1, 5.2, 5.3, eff ROOT)
  5.15  u'.x = u.x
  5.16  u --ROOT(i)--> u'
6  Assume a = TIME(d). Let P = {1 |-> s'} and u' = r(s').
  6.0  All state variables have the same value in s and s', except x_1, x_2, x_12 and x_21, which are all incremented by d.
  6.1  Assume s.status_1 = root \/ s.status_2 = root
    6.1.1  u.phase = constant(done)
    6.1.2  u --TIME(d)--> u'
  6.2  Assume s.status_1 = child /\ s.status_2 = child
    6.2.1  s.rec_1 = ack /\ s.rec_2 = ack  (INV7)
    6.2.2  s.snt_1 = ack /\ s.snt_2 = ack  (INV17)
    6.2.3  s.rec_1 = req /\ s.rec_2 = req  (INV19)
    6.2.4  Contradiction  (6.2.1, 6.2.3)
  6.3  Assume s.status_i = child /\ s.status_j = unknown for some i, j with i =/= j
    6.3.1  s.rec_i = ack  (INV7)
    6.3.2  s.snt_j = ack  (INV17)
    6.3.3  Contradiction  (6.3, 6.3.2, pre TIME)
  6.4  Assume s.status_1 = s.status_2 = unknown
    6.4.1  s.snt_1 =/= ack /\ s.rec_1 =/= ack /\ not (s.snt_1 = s.rec_1 = req)
        /\ s.snt_2 =/= ack /\ s.rec_2 =/= ack /\ not (s.snt_2 = s.rec_2 = req)  (pre TIME)
    6.4.2  Assume s.Cont(i) for some i; let j =/= i
      6.4.2.1  s.msg_ji = req
      6.4.2.2  s.x_ji + d <= Gamma  (pre TIME for Wire_ji)
      6.4.2.3  u.phase[i] = init /\ u.x + d <= Gamma
      6.4.2.4  u --TIME(d)--> u'
    6.4.3  Assume not s.Cont(1) /\ not s.Cont(2)
      6.4.3.1  {u.phase[1], u.phase[2]} subseteq {head, tail}  (6.4, 6.4.3)
      6.4.3.2  s.snt_1 = empty \/ s.snt_2 = empty  (6.4.1, 6.4.3, INV13, 17, 18)
      6.4.3.3  s.x_1 + d <= maxdelay(s.coin_1) \/ s.x_2 + d <= maxdelay(s.coin_2)  (6.4.3.2, pre TIME)
      6.4.3.4  u.x + d = min(s.x_1, s.x_2) + d <= max(maxdelay(s.coin_1), maxdelay(s.coin_2)) = max(maxdelay(u.phase[1]), maxdelay(u.phase[2]))
      6.4.3.5  u --TIME(d)--> u'
  6.5  u --TIME(d)--> u'
7  Assume a = CHILD(i). Let P = {1 |-> s'} and u' = r(s').
  This action does not modify any of the variables that occur in the predicate determining r, except status_i. However, status_i only occurs within the predicate status_i = root, and the value of this predicate remains unchanged. Hence u = u'.
8  QED
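The timing argument in steps 2.7.12-2.7.13 and 5.9 of the Proposition 1 proof (two nodes can only re-enter contention, the abstract RETRY(c) step, when their coins agree) can be exercised numerically. The Python model below is an added example, not code from the paper or its authors. It reduces the Impl automaton to a single contention round: each node k flips at a time flip[k] (the two flips at most Gamma apart, as INV10 requires), sends its request once its clock has run for a value wait[k] in [delta_k, Delta_k], and the request spends delay[k] in [0, Gamma] on the wire; a node that receives the other request before sending answers with ack and the round resolves. The parameter sets SAFE and UNSAFE, the node names, and all function names are constructed for this illustration. Assumption (2) is taken to be delta_slow > Delta_fast + 2 Gamma and assumption (1) to be delta_fast > Gamma, which is what the contradictions in 2.7.12.2 and 1.2.6 (Lemma 3) require.

```python
"""
Added example (not from the paper): a one-round timing model of IEEE 1394
root contention, used to exercise steps 2.7.12-2.7.13 and 5.9 of the
Proposition 1 proof.  Parameter values, node names ('i', 'j') and function
names are assumptions made for this illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    delta_fast: float   # minimum wait after a 'head' flip
    Delta_fast: float   # maximum wait after a 'head' flip
    delta_slow: float   # minimum wait after a 'tail' flip
    Delta_slow: float   # maximum wait after a 'tail' flip
    Gamma: float        # maximum wire delay

    def wait_bounds(self, coin):
        """[delta_k, Delta_k] for a node whose coin shows `coin`."""
        if coin == "head":
            return self.delta_fast, self.Delta_fast
        return self.delta_slow, self.Delta_slow


def constraints_hold(p):
    """Assumption (1): delta_fast > Gamma.  Assumption (2): delta_slow > Delta_fast + 2 Gamma."""
    return p.delta_fast > p.Gamma and p.delta_slow > p.Delta_fast + 2 * p.Gamma


def round_outcome(flip, wait, delay):
    """One contention round between nodes 'i' and 'j'.

    flip[k]  : absolute time of FLIP(k); INV10 requires |flip['i'] - flip['j']| <= Gamma
    wait[k]  : value of x_k at SEND(k, req), i.e. a point in [delta_k, Delta_k]
    delay[k] : transit time of k's request on the wire, a point in [0, Gamma]

    SEND(k, req) is only enabled while rec_k = empty, so if the other node's
    request arrives first, k answers with ack instead and the round resolves.
    Returns "contention" if both requests were sent, otherwise "resolved".
    """
    send = {k: flip[k] + wait[k] for k in ("i", "j")}
    arrive = {k: send[k] + delay[k] for k in ("i", "j")}   # arrival at the other node
    both_sent = send["j"] < arrive["i"] and send["i"] < arrive["j"]
    return "contention" if both_sent else "resolved"


def find_mixed_coin_contention(p, samples, seed=0):
    """Search random rounds for one that re-enters contention (the abstract
    RETRY step) with different coins.  Returns the witness round, or None.

    Under assumption (2) no witness exists: with coin_i = head and coin_j = tail,
    arrive['i'] <= Gamma + Delta_fast + Gamma < delta_slow <= send['j'], which is
    the chain of inequalities in step 2.7.12.1.
    """
    rng = random.Random(seed)
    for _ in range(samples):
        coin = {k: rng.choice(("head", "tail")) for k in ("i", "j")}
        flip = {k: rng.uniform(0.0, p.Gamma) for k in ("i", "j")}
        wait = {k: rng.uniform(*p.wait_bounds(coin[k])) for k in ("i", "j")}
        delay = {k: rng.uniform(0.0, p.Gamma) for k in ("i", "j")}
        if round_outcome(flip, wait, delay) == "contention" and coin["i"] != coin["j"]:
            return {"coin": coin, "flip": flip, "wait": wait, "delay": delay}
    return None


# Constructed parameter sets: SAFE satisfies (1) and (2); UNSAFE violates (2)
# because Delta_fast + 2 Gamma = 5 >= delta_slow = 4.
SAFE = Params(delta_fast=2.0, Delta_fast=3.0, delta_slow=6.0, Delta_slow=8.0, Gamma=1.0)
UNSAFE = Params(delta_fast=2.0, Delta_fast=3.0, delta_slow=4.0, Delta_slow=5.0, Gamma=1.0)

if __name__ == "__main__":
    print("constraints hold for SAFE:", constraints_hold(SAFE))
    print("mixed-coin retry under SAFE:", find_mixed_coin_contention(SAFE, 20000))
    print("mixed-coin retry under UNSAFE:", find_mixed_coin_contention(UNSAFE, 20000))
```

Under SAFE the search returns None for any seed, because the bound in the docstring is deterministic; under UNSAFE it returns a round in which the head node's request is still on the wire when the tail node sends its own, which is exactly the mixed-coin case that assumption (2) rules out and that the abstract automaton I1 has no RETRY step for.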