1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
|
(in-package "ACL2")
#|
properties.lisp
~~~~~~~~~~~~~~~
In this book, we define the functions rep, pick, label, suff, commit, and
inv. These are the main functions whose properties will show that the
implementation is a stuttering bisimulation of the spec. The other function,
rank which will be required to show finiteness of the stuttering, will be
defined and discussed in the book stutter2.lisp
|#
(include-book "lexicographic")
(include-book "measures")
(include-book "properties-of-sets")
(include-book "variables")
(include-book "fairenv")
(defun map-status (keys procs)
(if (endp keys) ()
(-> (map-status (rest keys) procs)
(first keys)
(>_ :status (status (<- procs (first keys)))))))
;; The representative of an implementation state is simply the vector
;; containing the status field of the states.
(DEFUN rep-b-c (st)
(let ((procs (procs st)))
(>_ :procs (map-status (keys procs) procs)
:bucket (bucket st)
:queue (queue st)
:go (get-go st))))
;; We are proving stuttering equivalence. So pick is just the identity
;; function.
(DEFUN pick-b-c (st in)
(declare (ignore st)) in)
(DEFUN fair-pick-b-c (st X)
(fair-select (env st) X))
(defun wait-status (p)
(equal (status p) 'wait))
(defun go-status (p)
(equal (status p) 'go))
(defun idle-status (p)
(equal (status p) 'idle))
(defun interested-status (p)
(equal (status p) 'interested))
(defun legal-loc (p)
(let ((loc (loc p)))
(and (integerp loc)
(>= loc 0)
(<= loc 9))))
(defun extract-indices-with-pos (procs queue)
(if (endp queue) nil
(let ((rest-ind (extract-indices-with-pos procs
(rest queue))))
(if (pos (<- procs (first queue)))
(cons (first queue) rest-ind)
rest-ind))))
(defun pos=1+temp-aux (procs queue)
(if (endp queue) T
(and (equal (pos (<- procs (first queue)))
(1+ (temp (<- procs (first queue)))))
(pos=1+temp-aux procs (rest queue)))))
(defun pos=1+temp (procs queue)
(pos=1+temp-aux procs
(extract-indices-with-pos procs queue)))
(defun lexicographic-temp (procs queue)
(if (endp queue) T
(if (endp (rest queue)) T
(and (lex< (temp (<- procs (first queue)))
(first queue)
(temp (<- procs (second queue)))
(second queue))
(lexicographic-temp procs (rest queue))))))
;; suff is a subset of the set of invariants. This is the amount of
;; invariants which we have to assume to prove stuttering
;; equivalence. However, we need to strengthen the invariants a lot,
;; just in order to show the persistence over an execution.
(defun suff-proc (procs in bucket queue max)
(let ((p (<- procs in)))
(case (loc p)
(0 (not (memberp in queue)))
(1 (idle-status p))
(2 t)
(3 (and (interested-status p)
(natp (temp p))
(<= (temp p) max)
(implies (not (equal max (temp p)))
(memberp in queue))
(implies (equal max (temp p))
(memberp in bucket))))
(4 (memberp in queue))
(5 (and (memberp in queue)
(not (choosing p))))
(6 (and (wait-status p)
(memberp in queue)
(not (choosing p))
(implies (endp (indices p))
(and (consp queue)
(equal (first queue) in)))))
(7 (and (not (choosing p))
(pos p)
(memberp in queue)
(memberp (current p)
(keys procs))))
(8 (and (consp (indices p))
(pos p)
(not (choosing p))
(memberp in queue)
(not (choosing p))
(memberp (current p)
(keys procs))))
(9 (and (go-status p)
(not (choosing p))
(consp queue)))
(t nil))))
(DEFUN suff-b-c (st in)
(let* ((procs (procs st))
(proc (<- procs in))
(bucket (bucket st))
(queue (queue st))
(max (maxval st)))
(and (disjoint bucket queue)
(natp max)
(pos=1+temp procs queue)
(lexicographic-temp procs queue)
(my-subsetp queue (keys procs))
(implies (consp queue) (suff-proc procs (car queue) bucket queue max))
(implies proc (suff-proc procs in bucket queue max)))))
(DEFUN fair-suff-b-c (st X)
(and (suff-b-c st (fair-select (env st) X))
(my-subsetp (keys (procs st))
(select-que (env st)))))
;; commit is simply a predicate that indicates end of stuttering.
(defun commit-proc (p)
(or (equal (loc p) 1)
(equal (loc p) 3)
(equal (loc p) 9)
(and (equal (loc p) 6)
(endp (indices p)))))
(DEFUN commit-b-c (st in)
(let ((proc (<- (procs st) in)))
(implies proc (commit-proc proc))))
;; The labelling function. As indicated earlier in the definition of
;; rep, we need only to pick up the vector of the status field.
(defun status-list (keys r)
(if (endp keys) ()
(cons (status (<- r (first keys)))
(status-list (rest keys) r))))
(DEFUN label (st)
(get-go st))
;; We now try to define the "strong" invariants.
(defun inv-p-p (procs in bucket queue max)
(let* ((p (<- procs in))
(curr (<- procs (current p))))
(case (loc p)
(0 (and (idle-status p)
(not (choosing p))
(not (pos p))
(not (memberp in queue))
(not (memberp in bucket))))
(1 (and (idle-status p)
(not (pos p))
(choosing p)
(not (memberp in queue))
(not (memberp in bucket))))
(2 (and (interested-status p)
(natp (temp p))
(choosing p)
(not (pos p))
(implies (not (equal max (temp p)))
(memberp in queue))
(implies (equal max (temp p))
(memberp in bucket))
(<= (temp p) max)))
(3 (and (<= (temp p) max)
(natp (temp p))
(choosing p)
(pos p)
(equal (pos p) (1+ (temp p)))
(interested-status p)
(implies (not (equal max (temp p)))
(memberp in queue))
(implies (equal max (temp p))
(memberp in bucket))))
(4 (and (wait-status p)
(choosing p)
(natp (pos p))
(equal (pos p) (1+ (temp p)))
(not (memberp in bucket))
(memberp in queue)))
(5 (and (wait-status p)
(natp (pos p))
(equal (pos p) (1+ (temp p)))
(not (choosing p))
(memberp in queue)))
(6 (and (wait-status p)
(natp (pos p))
(equal (pos p) (1+ (temp p)))
(not (choosing p))
(memberp in queue)
(my-subsetp (indices p) (keys procs))
(my-subsetp (previous queue in) (indices p))))
(7 (and (wait-status p)
(natp (pos p))
(equal (pos p) (1+ (temp p)))
(not (choosing p))
(consp (indices p))
(my-subsetp (previous queue in) (indices p))
(my-subsetp (indices p) (keys procs))
(equal (current p) (first (indices p)))
(memberp in queue)))
(8 (and (wait-status p)
(natp (pos p))
(equal (pos p) (1+ (temp p)))
(not (choosing p))
(consp (indices p))
(equal (current p) (first (indices p)))
(implies (choosing curr)
(not (memberp (current p) (previous queue in))))
(my-subsetp (previous queue in) (indices p))
(my-subsetp (indices p) (keys procs))
(memberp in queue)))
(9 (and (go-status p)
(not (choosing p))
(equal (pos p) (1+ (temp p)))
(consp queue)
(not (memberp in bucket))
(equal in (first queue))))
(t nil))))
(defun inv-p-keys (procs keys bucket queue max)
(if (endp keys) T
(and (inv-p-p procs (first keys) bucket queue max)
(inv-p-keys procs (rest keys) bucket queue max))))
(defun choosing-pos (procs queue)
(if (endp queue) T
(and (implies (not (natp (pos (<- procs (first queue)))))
(choosing (<- procs (first queue))))
(choosing-pos procs (rest queue)))))
(defun choosing-bucket (procs bucket)
(if (endp bucket) T
(and (choosing (<- procs (first bucket)))
(choosing-bucket procs (rest bucket)))))
(defun q<max (procs queue max)
(if (endp queue) T
(and (< (temp (<- procs (first queue))) max)
(q<max procs (rest queue) max))))
(defun b=max (procs bucket max)
(if (endp bucket) T
(and (equal max (temp (<- procs (first bucket))))
(b=max procs (rest bucket) max))))
(defun legal-status (p)
(or (idle-status p)
(interested-status p)
(wait-status p)
(go-status p)))
(defun legal-status-listp (keys procs)
(if (endp keys) T
(and (legal-status (<- procs (first keys)))
(legal-status-listp (rest keys) procs))))
(defun legal-pos (p)
(or (legal-loc p)
(not (pos p))))
(defun legal-pos-listp (keys procs)
(if (endp keys) T
(and (legal-pos (<- procs (first keys)))
(legal-pos-listp (rest keys) procs))))
(DEFUN inv-b-c (st)
(let* ((procs (procs st))
(keys (keys procs))
(bucket (bucket st))
(queue (queue st))
(max (maxval st)))
(and (natp max)
(uniquep queue)
(orderedp bucket)
(b=max procs bucket max)
(q<max procs queue max)
(lexicographic-temp procs queue)
(choosing-bucket procs bucket)
(choosing-pos procs queue)
(my-subsetp queue keys)
(my-subsetp bucket keys)
(disjoint bucket queue)
(legal-status-listp keys procs)
(inv-p-keys procs keys bucket queue max))))
(DEFUN fair-inv-b-c (st)
(and (inv-b-c st)
(my-subsetp (keys (procs st))
(select-que (env st)))))
;; END Definitions of Properties.
(defun inv-p-p-c-s (procs in bucket queue go)
(let ((p (<- procs in)))
(case (status p)
(idle (and (not (equal in go))
(not (memberp in queue))
(not (memberp in bucket))))
(interested (and (not (equal in go))
(or (memberp in bucket)
(memberp in queue))))
(wait (and (not (equal in go))
(memberp in queue)))
(go (and (equal in go)
(equal in (car queue))))
(t nil))))
(defun inv-p-keys-c-s (procs keys bucket queue go)
(if (endp keys) T
(and (inv-p-p-c-s procs (first keys) bucket queue go)
(inv-p-keys-c-s procs (rest keys) bucket queue go))))
(defun go-procs (go procs)
(implies go (equal (status (<- procs go)) 'go)))
(defun go-queue (go queue)
(implies go
(equal (car queue) go)))
(defun keys-not-nil (keys)
(if (endp keys) T
(and (first keys)
(keys-not-nil (rest keys)))))
(DEFUN inv-c-s (st)
(let* ((procs (procs st))
(keys (keys procs))
(bucket (bucket st))
(queue (queue st))
(go (get-go st)))
(and (inv-p-keys-c-s procs keys bucket queue go)
(go-queue go queue)
(go-procs go procs)
(keys-not-nil keys)
(orderedp bucket)
(uniquep queue)
(disjoint bucket queue)
(my-subsetp bucket keys)
(my-subsetp queue keys))))
(defun suff-proc-c-s (procs in bucket queue go)
(let ((p (<- procs in)))
(case (status p)
(wait (or (memberp in queue)
(memberp in bucket)))
((idle interested) T)
(go (equal go in))
(t nil))))
(defun go-keys (go keys)
(implies go
(memberp go keys)))
(DEFUN suff-c-s (st in)
(let* ((procs (procs st))
(keys (keys procs))
(p (<- (procs st) in))
(bucket (bucket st))
(go (get-go st))
(queue (queue st)))
(and (go-queue go queue)
(go-procs go procs)
(go-keys go keys)
(implies p (suff-proc-c-s procs in bucket queue go)))))
(defun commit-proc-c-s (p in queue)
(or (and (equal (status p) 'wait)
(equal in (first queue)))
(equal (status p) 'go)))
(DEFUN commit-c-s (st in)
(let* ((p (<- (procs st) in))
(queue (queue st)))
(implies p (commit-proc-c-s p in queue))))
(DEFUN rep-c-s (st)
(>_ :procs (keys (procs st))
:go (get-go st)))
|
