$$$sscop.pvs
% Top-level theory of the SSCOP verification: it only collects the invariant
% theories of the four PDU handlers (SD sender, SD/USTAT/POLL/STAT receivers).
% Each trailing "%imports" comment records which sibling theories are pulled in
% transitively by the IMPORTING on that line.
sscop: THEORY
BEGIN
IMPORTING sscop_SD_sender_invariants2
IMPORTING sscop_SD_sender_invariants6 %imports sscop_SD_sender_invariants1,4
IMPORTING sscop_SD_sender_invariants5 %imports sscop_SD_sender_invariants3
IMPORTING sscop_SD_receiver_invariants5 %imports sscop_SD_receiver_invariants1,2,3,4
IMPORTING sscop_USTAT_receiver_invariants2 %imports sscop_USTAT_receiver_invariants1
IMPORTING sscop_POLL_receiver_invariants3 %imports sscop_POLL_receiver_invariants1,2
IMPORTING sscop_STAT_receiver_invariants2 %imports sscop_STAT_receiver_invariants1
%the theorems sscop_SD_receiver_invariants5.final_result and
%sscop_SD_receiver_invariants6.final_result constitute the
%final result: the protocol correctly delivers in order messages
%from origin to destination. It uses results from all the theories above.
% NOTE(review): the IMPORTING list above names sscop_SD_sender_invariants6, not
% sscop_SD_receiver_invariants6 — confirm which theory holds the second
% final_result; the two theories are not on this page.
END sscop

$$$sscop_STAT_receiver.pvs
% Sender-side handling of STAT PDUs (the receiver's solicited status report).
% A STAT is read from the RS channel (receiver -> sender); its list of
% sequence-number pairs drives a loop that copies missing SD PDUs from the
% sender's transmit buffer into the retransmission queue. `trans` below is the
% transition relation; `pc` is the control location of that loop.
sscop_STAT_receiver: THEORY
BEGIN
IMPORTING sscop_datatypes
% Control locations (as used by `trans`):
%   DataTransferReady          - idle, waiting for the next STAT
%   DtrStatBeginAckNackLoop    - validate the current (seq1, seq2) pair
%   DtrStatTestForReXmit       - compare PollSeq(seq1) with the received N(PS)
%   DtrStatSearchReXmitQueue   - scan the retransmission queue for seq1
%   DtrStatTestEndOfNacks      - advance seq1 or move to the next pair
%   DtrStatTestAckNackComplete - take the next pair, or report and finish
%   OutOfDtr                   - error sink: malformed/out-of-window STAT or
%                                malformed pair. sscop_STAT_receiver_invariants1
%                                proves it unreachable under this model.
control: TYPE = {DataTransferReady,DtrStatBeginAckNackLoop, DtrStatTestForReXmit, OutOfDtr,DtrStatSearchReXmitQueue,DtrStatTestEndOfNacks, DtrStatTestAckNackComplete}
% Mutable sender state. Everything declared after the record (the
% "parameters") is an uninterpreted constant and never changes in this theory.
State : TYPE = [# pc : control,
  VT_PA : nat,%lower bound of STAT window
  VT_A : nat,%lower bound of sender's window
  VT_MS : nat,%upper bound of sender's window
  vList : ListType,%for storage (the list of the STAT being processed)
  vCount : nat,% counts missing SD PDUs (added to the retrans queue)
  seq1 : nat, %for storage (current seq number within the pair)
  seq2: nat, %for storage (upper bound of the current pair)
  i: nat,%go over STAT list (index of the current pair; always even)
  j: nat,%go over retransmission queue
  vReXmitQueue: QueueDataType, %sender's retransmission queue
  vReXmitQueue_PtrIn : nat, %sender's retrans queue in-pointer
  RS_sender_index : nat %index of sender in RS channel (next STAT to read)
  #]
%parameters
% The out-pointer is a constant here: this theory only enqueues, it never
% dequeues, so subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn-1) is the
% set of queued entries throughout.
vReXmitQueue_PtrOut : nat %sender's retransmission queue out pointer
% Channels are total functions from position to PDU; a fixed channel plus a
% moving read index means the only channel behaviour modelled is delivery or
% loss of the PDU at the head (see the loss branch of `trans`).
RS_channel : [nat->(RS?)] %RS channel
RS_receiver_index : nat %receiver index in RS channel
vXmitBuffer: SendBufferType %sender's buffer
VT_S : nat %upper bound of sender's window
VT_PS : nat %largest POLL seq number
VR_H: nat
VR_R:nat
SR_channel: [nat->(SR?)]
SR_sender_index: nat
SR_receiver_index: nat
vRecvBuffer : RecvBufferType
receiver_Control: TYPE = {DtrRecvTestSeq,DtrPollSendList,Idle}
receiver_pc: receiver_Control
vN_S : nat
VR_MR : nat
vN_PS:nat
% Transition relation: trans(s, a, s_) holds when action `a` takes `s` to `s_`.
%   STAT?(a)                 - consume RS_channel(s`RS_sender_index)
%   tau?(a)                  - internal step of the ack/nack loop
%   MAA_ERROR_WITH_COUNT?(a) - final indication carrying vCount
% A STAT is accepted only inside the windows
%   s`VT_PA <= N(PS) <= VT_PS  and  s`VT_A <= N(R) <= VT_S;
% anything else is sent to OutOfDtr without advancing RS_sender_index.
% The loss branch has no `pc` guard, so the head STAT may be dropped from any
% location, including alongside an accepting branch (nondeterministic choice).
trans(s: State, a: Action, s_: State): bool =
  %receiving a correct STAT with 0 or 1 elements in its list : ignore it
  s`pc = DataTransferReady AND s`RS_sender_index < RS_receiver_index AND
  STAT?(a) AND a = RS_channel(s`RS_sender_index) AND mList(a)`Length <= 1 AND
  s`VT_PA <= mN_PS(a) AND mN_PS(a) <= VT_PS AND s`VT_A <= mN_R(a) AND mN_R(a) <= VT_S AND
  s_ = s WITH[`pc := DataTransferReady, `RS_sender_index := s`RS_sender_index+1]
  OR
  %receiving a correct STAT at least 2 elements in its list : process it
  % The windows are advanced to the STAT's values and the first pair
  % (Data(1), Data(2)) is loaded into (seq1, seq2).
  s`pc = DataTransferReady AND s`RS_sender_index < RS_receiver_index AND
  STAT?(a) AND a = RS_channel(s`RS_sender_index) AND mList(a)`Length >= 2 AND
  s`VT_PA <= mN_PS(a) AND mN_PS(a) <= VT_PS AND s`VT_A <= mN_R(a) AND mN_R(a) <= VT_S AND
  s_ = s WITH [`pc := DtrStatBeginAckNackLoop, `RS_sender_index := s`RS_sender_index+1, `VT_A := mN_R(a), `VT_PA := mN_PS(a), `VT_MS := mN_MR(a), `vList := mList(a), `vCount := 0, `seq1 := mList(a)`Data(1), `seq2 := mList(a)`Data(2), `i := 0 ]
  OR
  %receiving an incorrect STAT (outside the acceptance windows)
  s`pc = DataTransferReady AND s`RS_sender_index < RS_receiver_index AND
  STAT?(a) AND a = RS_channel(s`RS_sender_index) AND
  NOT (s`VT_PA <= mN_PS(a) AND mN_PS(a) <= VT_PS AND s`VT_A <= mN_R(a) AND mN_R(a) <= VT_S) AND
  s_ = s WITH [`pc := OutOfDtr]
  OR
  %simulating loss of a STAT PDU (no pc guard: possible from any location)
  s`RS_sender_index < RS_receiver_index AND STAT?(a) AND a = RS_channel(s`RS_sender_index) AND
  s_ = s WITH [`RS_sender_index := s`RS_sender_index+1]
  OR
  %checking that current pair (seq1, seq2) of list elements is correct:
  % seq1 < seq2, seq2 inside the sender's window, and the buffer slot for
  % seq1 really holds sequence number seq1
  s`pc = DtrStatBeginAckNackLoop AND s`seq1 < s`seq2 AND s`seq2 <= VT_S AND
  vXmitBuffer`Data(s`seq1)`Seq = s`seq1 AND tau?(a) AND
  s_ = s WITH [`pc := DtrStatTestForReXmit]
  OR
  %current pair (seq1, seq2) of list elements is incorrect
  s`pc = DtrStatBeginAckNackLoop AND
  NOT (s`seq1 < s`seq2 AND s`seq2 <= VT_S AND vXmitBuffer`Data(s`seq1)`Seq = s`seq1) AND
  tau?(a) AND s_ = s WITH [`pc := OutOfDtr]
  OR
  %if the poll seq number for seq 1 in sender's buffer is less than the poll seq
  % number received, initiate a loop to search-and-add the seq1 element in
  % sender's buffer to retrans queue (j starts at the queue's out-pointer)
  s`pc = DtrStatTestForReXmit AND vXmitBuffer`PollSeq(s`seq1) < s`VT_PA AND tau?(a) AND
  s_ = s WITH[`pc := DtrStatSearchReXmitQueue, `j := vReXmitQueue_PtrOut]
  OR
  %otherwise, will not even try to add that seq1 element number in retrans queue
  s`pc = DtrStatTestForReXmit AND vXmitBuffer`PollSeq(s`seq1) >= s`VT_PA AND tau?(a) AND
  s_ = s WITH[`pc := DtrStatTestEndOfNacks, `seq1 := s`seq1 +1]
  OR
  %loop while not found
  s`pc = DtrStatSearchReXmitQueue AND s`j < s`vReXmitQueue_PtrIn AND
  NOT s`vReXmitQueue(s`j)`Seq = s`seq1 AND tau?(a) AND
  s_ = s WITH[`pc := DtrStatSearchReXmitQueue, `j := s`j+1]
  OR
  %done, found: increment seq1 by one (seq1 already queued; no duplicate entry)
  s`pc = DtrStatSearchReXmitQueue AND s`j < s`vReXmitQueue_PtrIn AND
  s`vReXmitQueue(s`j)`Seq = s`seq1 AND tau?(a) AND
  s_ = s WITH[`pc := DtrStatTestEndOfNacks, `seq1 := s`seq1+1]
  OR
  %done, not found: add seq1 element to retrans queue, increment seq1 by one
  % (payload and seq are copied from the transmit buffer; vCount counts
  % the entries added for this STAT)
  s`pc = DtrStatSearchReXmitQueue AND s`j = s`vReXmitQueue_PtrIn AND tau?(a) AND
  s_ = s WITH [`pc := DtrStatTestEndOfNacks, `vReXmitQueue(s`vReXmitQueue_PtrIn)`Payload := vXmitBuffer`Data(s`seq1)`Payload, `vReXmitQueue(s`vReXmitQueue_PtrIn)`Seq := vXmitBuffer`Data(s`seq1)`Seq, `vReXmitQueue_PtrIn := s`vReXmitQueue_PtrIn+1, `vCount := s`vCount+1, `seq1 := s`seq1+1]
  OR
  %if seq1 < seq2, go back to DtrStatBeginAckNackLoop
  s`pc = DtrStatTestEndOfNacks AND s`seq1 < s`seq2 AND tau?(a) AND
  s_ = s WITH[`pc := DtrStatBeginAckNackLoop]
  OR
  %if seq1 has reached seq2, will go to next pair in STAT list (increase i by two)
  s`pc = DtrStatTestEndOfNacks AND s`seq1 = s`seq2 AND tau?(a) AND
  s_ = s WITH[`pc := DtrStatTestAckNackComplete, `i := s`i +2]
  OR
  %if there are at least two more elements in the STAT list, memorize them in
  %(seq1,seq2): pairs are (Data(i+1), Data(i+2)) for even i
  s`pc = DtrStatTestAckNackComplete AND s`i <= s`vList`Length-2 AND tau?(a) AND
  s_ = s WITH [`pc := DtrStatBeginAckNackLoop, `seq1 := s`vList`Data(s`i+1), `seq2 := s`vList`Data(s`i+2)]
  OR
  %otherwise, just send an indication error (with the count of queued PDUs)
  s`pc = DtrStatTestAckNackComplete AND s`i > s`vList`Length-2 AND
  MAA_ERROR_WITH_COUNT?(a) AND mCount(a) = s`vCount AND
  s_ = s WITH[`pc := DataTransferReady]
END sscop_STAT_receiver

$$$sscop_STAT_receiver.prf
(|sscop_STAT_receiver|
 (|RS_channel_TCC1| "" (INST + "LAMBDA (n:nat) : USTAT(0,0,(#Length:= 0, Data := LAMBDA(w:nat) : 0#))") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)
 (|SR_channel_TCC1| "" (INST 1 "LAMBDA(x:nat) : NEW_SD(0,choose({d:Data_Type|TRUE}))") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)
 (|trans_TCC1| "" (SUBTYPE-TCC) NIL NIL)
 (|trans_TCC2| "" (SUBTYPE-TCC) NIL NIL)
 (|trans_TCC3| "" (SUBTYPE-TCC) NIL NIL)
 (|trans_TCC4| "" (SUBTYPE-TCC) NIL NIL))

$$$sscop_STAT_receiver_invariants1.pvs
% Invariants of sscop_STAT_receiver. `init` is the initial-state predicate; it
% bundles the properties this theory relies on from its sibling theories (the
% comment above each conjunct lists the lemma names under which the same
% property appears elsewhere; the `*` and `-` prefixes look like the author's
% own bookkeeping and are not explained on this page). Every LEMMA below is of
% the form invariant(P), i.e. P holds in every state reachable from init via
% trans. The final goal is OutOfDtr_unreachable.
sscop_STAT_receiver_invariants1: THEORY
BEGIN
IMPORTING sscop_STAT_receiver
init(s:State) : bool =
  s`pc = DataTransferReady AND
  %*-OLD_SD_inv3, sscop_SD_sender_invariants3.OLD_SD_inv3,
  %*sscop_SD_receiver_invariants1.init_inv7,
  %*sscop_USTAT_receiver_invariants1.USTAT_inv4,
  %*sscop_POLL_receiverinvariants1.OLD_SD_inv3
  % every queued retransmission is below the receiver's highest expected seq
  (FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(i)`Seq < VR_H) AND
  %cf. *-OLD_SD_inv6,
  %*sscop_USTAT_receiver_invariants1.ReXmit_inv1,
  %sscop_SD_sender_invariants3.OLD_SD_inv6
  % no duplicate sequence numbers in the retransmission queue
  (FORALL (k,l:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : k /= l IMPLIES s`vReXmitQueue(k)`Seq /= s`vReXmitQueue(l)`Seq) AND
  %cf. *-OLD_SD_inv5, sscop_SD_receiver_invariants1.init_inv5,
  %*sscop_USTAT_receiver_invariants1.USTAT_inv7,
  %*sscop_SD_sender_invariants3.OLD_SD_inv5
  % nothing queued is also in flight as an OLD_SD on the SR channel
  (FORALL (k:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1), l: subrange(SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(l) IN OLD_SD?(pdu) IMPLIES s`vReXmitQueue(k)`Seq /= mN_S(pdu)) AND
  %*-sscop_STAT_receiver_invariants2.retrans_inv1,
  %*sscop_SD_receiver_invariants1.init_inv6,
  %*sscop_USTAT_receiver_invariants1.USTAT_inv8,
  %sscop_SD_sender_invariants3.retrans_inv1
  % nothing queued has already arrived at the receiver
  (FORALL (k:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : NOT vRecvBuffer`Arrived(s`vReXmitQueue(k)`Seq)) AND
  %*OLD_SD_inv1_aux, *-sscop_USTAT_receiver_invariants1.USTAT_inv5,
  %*scop_SD_receiver_invariants2.OLD_SD_inv1,
  %sscop_SD_sender_invariants3.OLD_SD_inv1_aux
  (FORALL (k :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(k) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l:subrange(bottom,top-1), m:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(m)`Seq < l) AND
  %-USTAT_inv,
  %*sscop_SD_receiver_invariants2.USTAT_inv,
  %and sscop_USTAT_receiver_invariants1.USTAT_inv3,
  %*sscop_POLL_receiver_invariants1.USTAT_inv
  (FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)) : let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < VR_H) AND
  %*-indicated_equals_sent_aux1_aux1_aux2,
  %*sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux2,
  %*sscop_USTAT_receiver_invariants1.indicated_equals_sent_aux1_aux1_aux2,
  % queued payloads are exactly the transmit-buffer payloads for their seq
  (FORALL (k:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : s`vReXmitQueue(k)`Payload = vXmitBuffer`Data(s`vReXmitQueue(k)`Seq)`Payload) AND
  %sscop_SD_sender_invariants6.final_result_aux,
  %sscop_POLL_receiver_invariants1.STAT_inv2_aux1
  %*sscop_SD_receiver_invariants2.USTAT_inv3_aux2,
  %*sscop_USTAT_receiver_invariants1.VT_A_LEQ_VR_R,
  %*sscop_STAT_receiver_invariants1.VT_A_LEQ_VR_R
  s`VT_A <= VR_R AND
  %-OLD_SD_inv3_aux,
  %*sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux1,
  %*sscop_POLL_receiver_invariants1.VT_S_GE_VR_H,
  %sscop_SD_sender_invariants1.VT_S_GE_VR_H and
  %sscop_SD_sender_invariants2.VT_S_GE_VR_H,
  %*sscop_SD_receiver_invariants1.VT_S_GE_VR_H,
  VR_H <= VT_S AND
  %-OLD_SD_inv3_aux3, sscop_USTAT_receiver_invariants1.xMitBuffer_inv1,
  %*sscop_SD_sender_invariants1.xMitBuffer_inv1,
  %sscop_SD_receiver_invariants2.USTAT_inv3_aux1
  % the transmit buffer is indexed by sequence number below VT_S
  (FORALL (k:below(VT_S)) : vXmitBuffer`Data(k)`Seq = k) AND
  %-STAT_inv1, *sscop_POLL_receiver_invariants2.STAT_inv1,
  %*sscop_SD_receiver_invariants3.OLD_SD_inv1_aux_aux3
  % every in-flight STAT list is well-formed: each pair (Data(i+1),Data(i+2)),
  % i even, is strictly increasing and bounded by VR_H
  (FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (i: upto(statlist`Length - 2)): even?(i) IMPLIES LET elt1 = statlist`Data(i + 1), elt2 = statlist`Data(i + 2) IN elt1 < elt2 AND elt2 <= VR_H)) AND
  %*-OLD_SD_inv5_aux3, *sscop_SD_sender_invariants5.OLD_SD_inv5_aux3
  (FORALL (l:subrange(SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(l) IN OLD_SD?(pdu) IMPLIES vXmitBuffer`PollSeq(mN_S(pdu)) >= s`VT_PA) AND
  %-OLD_SD_inv5_aux4,
  %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux4,
  %*sscop_POLL_receiver_invariants3.OLD_SD_inv5_aux4,
  %sscop_SD_receiver_invariants4.retrans_inv1_aux5
  (FORALL (l: subrange(SR_receiver_index, SR_sender_index - 1), k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET old_sd = SR_channel(l), stat = RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat)) AND
  %-sscop_STAT_receiver_invariants2.retrans_inv1_aux3,
  %*sscop_POLL_receiver_invariants2.retrans_inv1_aux3,
  %*sscop_SD_receiver_invariants4.retrans_inv1_aux3,
  %*sscop_SD_sender_invariants2.retrans_inv1_aux3
  (FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT vRecvBuffer`Arrived(m) OR vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) AND
  %-OLD_SD_inv1_aux_aux2, *sscop_SD_receiver_invariants3.OLD_SD_inv1_aux_aux2,
  %*sscop_POLL_receiver_ivariants3.OLD_SD_inv1_aux_aux2
  (FORALL (k, l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET ustat = RS_channel(k), stat = RS_channel(l) IN USTAT?(ustat) AND STAT?(stat) AND k > l IMPLIES (FORALL (m: nat): even?(m) AND m <= mList(stat)`Length-2 IMPLIES mList(stat)`Data(2 + m) <= mList(ustat)`Data(1))) AND
  %*-STAT_inv2,
  %*sscop_SD_sender_invariants5.STAT_inv2,
  %*sscop_USTAT_receiver_invariants2.STAT_inv2,
  %*sscop_POLL_receiver_invariants3.STAT_inv2,
  % every in-flight STAT is inside the acceptance windows checked by `trans`
  (FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES (s`VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= VT_PS AND s`VT_A <= mN_R(pdu) AND mN_R(pdu) <= VT_S)) AND
  %-VT_A_LEQ_VR_R_aux, *sscop_SD_receiver_invariants3.VT_A_LEQ_VR_R_aux,
  %*sscop_POLL_receiver_invariants3.VT_A_LEQ_VR_R_aux
  (FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES mN_R(pdu) <= VR_R) AND
  %-STAT_inv2_aux, *sscop_POLL_receiver_invariants3.STAT_inv2_aux
  % N(R) and N(PS) are monotone along the RS channel
  (FORALL (k,l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu1 = RS_channel(l), pdu2 = RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_R(pdu1) <= mN_R(pdu2)) AND
  %-STAT_inv2_aux2, *sscop_POLL_receiver_invariants3.STAT_inv2_aux2
  (FORALL (k,l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu1 = RS_channel(l), pdu2 = RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_PS(pdu1) <= mN_PS(pdu2)) AND
  %*-OLD_SD_inv5_aux3_aux1,
  %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux3_aux1,
  %sscop_SD_sender_invariants2.STAT_inv2_aux10,
  VT_PS >= s`VT_PA AND
  %*-STAT_inv2_aux2_aux9,
  %sscop_POLL_receiver_invariants3.STAT_inv2_aux2_aux9,
  %*sscop_SD_sender_invariants2.STAT_inv2_aux2_aux9
  (FORALL (k: subrange(SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(k) IN POLL?(poll) IMPLIES s`VT_PA <= mN_PS(poll)) AND
  %-STAT_inv2_aux2_aux10,
  %*sscop_POLL_receiver_invariants3.STAT_inv2_aux2_aux2,
  %*sscop_SD_sender_invariants2.STAT_inv2_aux2
  (FORALL (k:subrange(SR_receiver_index, SR_sender_index - 1), l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET poll = SR_channel(k), stat = RS_channel(l) IN POLL?(poll) AND STAT?(stat) IMPLIES mN_PS(poll) >= mN_PS(stat)) AND
  %cf. *-sscop_SD_sender_invariants1.USTAT_inv1,
  %*sscop_SD_receiver_invariants2.USTAT_inv3 and
  %*sscop_USTAT_receiver_invariants1.xMitBuffer_inv2,
  %*sscop_STAT_receiver_invariants2.xMitBuffer_inv2
  (FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2), vN_R = mN_R(pdu) IN s`VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < VT_S AND (FORALL (j:subrange(bot,top-1)): vXmitBuffer`Data(j)`Seq = j)) AND
  %-sscop_STAT_receiver_invariants2.xMitBuffer_inv2_aux,
  %*sscop_SD_receiver_invariants4.xMitBuffer_inv2_aux,
  %*sscop_POLL_receiver_invariants3.xMitBuffer_inv2_aux
  (FORALL (k,l: subrange(s`RS_sender_index, RS_receiver_index-1)): let stat = RS_channel(k), ustat = RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND k < l IMPLIES mN_R(stat) <= mN_R(ustat)) AND
  VR_H <= VR_MR
% `invariant` below comes from the runs theory instantiated with init and the
% action-quantified transition relation; the proof scripts apply its
% `invariant_rule` and unfold `run_fragment` (see the .prf file).
IMPORTING runs[State,init,LAMBDA(s,s_: State): EXISTS(a:Action): trans(s,a,s_)]
% Lemma section. The tag above each lemma records how it was proved:
% "inductive" (directly by invariant_rule) or "proved using ..." (needs the
% listed lemmas as auxiliaries). The distinction between "%inductive" and
% "%-inductive" is not explained on this page.
%-inductive
OLD_SD_inv3_aux : LEMMA invariant(LAMBDA(s:State) : VR_H <= VT_S)
%-inductive
STAT_inv1: LEMMA invariant(LAMBDA (s: State): FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (i: upto(statlist`Length - 2)): even?(i) IMPLIES LET elt1 = statlist`Data(i + 1), elt2 = statlist`Data(i + 2) IN elt1 < elt2 AND elt2 <= VR_H))
%proved using STAT_inv1
% STAT_inv1 carried over to the copy of the list being processed (vList),
% for the pairs not yet consumed (offset j from the current index i)
OLD_SD_inv3_aux5: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrStatSearchReXmitQueue OR s`pc = DtrStatTestForReXmit OR s`pc = DtrStatBeginAckNackLoop OR s`pc = DtrStatTestEndOfNacks OR s`pc = DtrStatTestAckNackComplete) IMPLIES FORALL (j: nat) : ((even?(j) AND s`i + j <= s`vList`Length - 2) IMPLIES (s`vList`Data(s`i + j +1) < s`vList`Data(s`i + j + 2) AND s`vList`Data(s`i + j + 2) <= VR_H)))
%inductive
OLD_SD_inv3_aux6: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrStatSearchReXmitQueue OR s`pc = DtrStatTestForReXmit OR s`pc = DtrStatBeginAckNackLoop OR s`pc = DtrStatTestEndOfNacks) IMPLIES (s`i <=s`vList`Length -2 AND s`seq2 = s`vList`Data(s`i + 2)))
%proved using OLD_SD_inv3_aux6, OLD_SD_inv3_aux5, STAT_inv1
OLD_SD_inv3_aux2: LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrStatSearchReXmitQueue OR s`pc = DtrStatTestForReXmit OR s`pc = DtrStatBeginAckNackLoop) IMPLIES (s`seq1 < s`seq2 AND s`seq2 <= VR_H))
%-inductive
OLD_SD_inv3_aux3 : LEMMA invariant(LAMBDA(s:State) : FORALL (k:below(VT_S)) : vXmitBuffer`Data(k)`Seq = k)
%-proved using OLD_SD_inv3_aux, OLD_SD_inv3_aux2, OLD_SD_inv3_aux3
% Main queue property: every queued seq is below VR_H
OLD_SD_inv3 : LEMMA invariant(LAMBDA(s:State) : FORALL (k:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(k)`Seq < VR_H)
%inductive
% while scanning, seq1 is absent from the part of the queue already visited
OLD_SD_inv6_aux2: LEMMA invariant(LAMBDA (s: State): s`pc = DtrStatSearchReXmitQueue AND s`j < s`vReXmitQueue_PtrIn IMPLIES (FORALL (l: subrange(vReXmitQueue_PtrOut, s`j-1)): s`seq1 /= s`vReXmitQueue(l)`Seq))
%proved using OLD_SD_inv6_aux2
OLD_SD_inv6_aux1: LEMMA invariant(LAMBDA (s: State): s`pc = DtrStatSearchReXmitQueue AND s`j = s`vReXmitQueue_PtrIn IMPLIES (FORALL (l: subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn - 1)): s`seq1 /= s`vReXmitQueue(l)`Seq))
%-proved using OLD_SD_inv3_aux2, OLD_SD_inv3_aux, OLD_SD_inv3_aux3,
%OLD_SD_inv6_aux1
% Main queue property: no duplicates in the retransmission queue
OLD_SD_inv6 : LEMMA invariant(LAMBDA(s:State) : FORALL (k,l:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : k /= l IMPLIES s`vReXmitQueue(k)`Seq /= s`vReXmitQueue(l)`Seq)
%inductive
OLD_SD_inv5_aux1: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrStatSearchReXmitQueue OR s`pc = DtrStatTestForReXmit OR s`pc = DtrStatBeginAckNackLoop OR s`pc = DtrStatTestEndOfNacks) IMPLIES s`seq1 >= s`vList`Data(s`i + 1))
%inductive
OLD_SD_inv5_aux2: LEMMA invariant(LAMBDA(s:State) : s`pc = DtrStatSearchReXmitQueue IMPLIES vXmitBuffer`PollSeq(s`seq1) < s`VT_PA)
%-inductive
OLD_SD_inv5_aux4: LEMMA invariant(LAMBDA (s: State): FORALL (l: subrange(SR_receiver_index, SR_sender_index - 1), k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET old_sd = SR_channel(l), stat = RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat))
%-proved using OLD_SD_inv5_aux4
OLD_SD_inv5_aux3: LEMMA invariant(LAMBDA(s:State) : FORALL (l:subrange(SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(l) IN OLD_SD?(pdu) IMPLIES vXmitBuffer`PollSeq(mN_S(pdu)) >= s`VT_PA)
%-proved using OLD_SD_inv3_aux3, OLD_SD_inv3_aux, OLD_SD_inv3_aux2,
%OLD_SD_inv5_aux2
% Main queue property: nothing queued is in flight as an OLD_SD
OLD_SD_inv5: LEMMA invariant(LAMBDA (s: State): FORALL (k: subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn - 1), l: subrange(SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(l) IN OLD_SD?(pdu) IMPLIES s`vReXmitQueue(k)`Seq /= mN_S(pdu))
%-inductive
USTAT_inv: LEMMA invariant(LAMBDA (s: State): FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)) : let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < VR_H)
%-inductive
OLD_SD_inv1_aux_aux2: LEMMA invariant(LAMBDA (s: State): FORALL (k, l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET ustat = RS_channel(k), stat = RS_channel(l) IN USTAT?(ustat) AND STAT?(stat) AND k > l IMPLIES (FORALL (m: nat): even?(m) AND m <= mList(stat)`Length-2 IMPLIES mList(stat)`Data(2 + m) <= mList(ustat)`Data(1)))
%proved using OLD_SD_inv1_aux_aux2
OLD_SD_inv1_aux_aux1: LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrStatSearchReXmitQueue OR s`pc = DtrStatTestForReXmit OR s`pc = DtrStatBeginAckNackLoop OR s`pc = DtrStatTestEndOfNacks OR s`pc = DtrStatTestAckNackComplete) IMPLIES FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN USTAT?(pdu) IMPLIES LET ustat_list = mList(pdu) IN FORALL (m: nat): (even?(m) AND s`i + m <= s`vList`Length - 2) IMPLIES s`vList`Data(2 + s`i +m) <= ustat_list`Data(1))
%proved using OLD_SD_inv1_aux_aux1
OLD_SD_inv1_aux: LEMMA invariant(LAMBDA (s: State): FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN USTAT?(pdu) IMPLIES LET ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom, top - 1), m: subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn - 1)): s`vReXmitQueue(m)`Seq < l)
%-proved using OLD_SD_inv3_aux2, OLD_SD_inv3_aux, OLD_SD_inv3_aux3
% queued payloads stay identical to the transmit-buffer payloads
indicated_equals_sent_aux1_aux1_aux2: LEMMA invariant(LAMBDA (s: State): FORALL (k: subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn - 1)): s`vReXmitQueue(k)`Payload = vXmitBuffer`Data(s`vReXmitQueue(k)`Seq)`Payload)
%-inductive
% NOTE(review): named VT_A_LEQ_VR_aux here, while the cross-reference in init
% lists the same property as VT_A_LEQ_VR_R_aux — confirm the intended name.
VT_A_LEQ_VR_aux : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES mN_R(pdu) <= VR_R)
%-proved using VT_A_LEQ_VR_aux
VT_A_LEQ_VR_R : LEMMA invariant(LAMBDA(s:State) :s`VT_A <= VR_R)
%-inductive
STAT_inv2_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu1 = RS_channel(l), pdu2 = RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_PS(pdu1) <= mN_PS(pdu2))
%-inductive
STAT_inv2_aux: LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu1 = RS_channel(l), pdu2 = RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_R(pdu1) <= mN_R(pdu2))
%proved using STAT_inv2,STAT_inv2_aux
% (sic: a lemma cannot use itself; presumably STAT_inv2_aux2 and STAT_inv2_aux
% are meant — the proof script for STAT_inv2 is not on this page)
% Every in-flight STAT passes the window check of `trans`, so the
% "incorrect STAT" branch never fires under this model.
STAT_inv2: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES (s`VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= VT_PS AND s`VT_A <= mN_R(pdu) AND mN_R(pdu) <= VT_S))
%-inductive
OLD_SD_inv5_aux3_aux1 : LEMMA invariant(LAMBDA(s:State): VT_PS >= s`VT_PA)
%-inductive
STAT_inv2_aux2_aux10: LEMMA invariant(LAMBDA (s: State): FORALL (k:subrange(SR_receiver_index, SR_sender_index - 1), l: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET poll = SR_channel(k), stat = RS_channel(l) IN POLL?(poll) AND STAT?(stat) IMPLIES mN_PS(poll) >= mN_PS(stat))
%-proved using STAT_inv2_aux2_aux10
STAT_inv2_aux2_aux9: LEMMA invariant(LAMBDA(s:State): FORALL (k: subrange(SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(k) IN POLL?(poll) IMPLIES s`VT_PA <= mN_PS(poll))
%final goal for this theory
%proved using OLD_SD_inv3_aux2, OLD_SD_inv3_aux3, OLD_SD_inv3_aux,STAT_inv2
% The error location is unreachable: no consumed STAT is out of window
% (STAT_inv2) and no pair fails the checks of DtrStatBeginAckNackLoop
% (OLD_SD_inv3_aux2/aux3/aux). This holds relative to the channel model of
% sscop_STAT_receiver, in which the only non-protocol behaviour is loss of the
% head STAT; corruption or injection of PDUs is not modelled there, so the
% `trans` window checks are never exercised against hostile input here.
OutOfDtr_unreachable : LEMMA invariant(LAMBDA(s:State) : NOT s`pc = OutOfDtr)
END sscop_STAT_receiver_invariants1

$$$sscop_STAT_receiver_invariants1.prf
(|sscop_STAT_receiver_invariants1|
 (|init_TCC1| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC2| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC3| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC4| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC5| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC6| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC7| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC8| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC9| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC10| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC11| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC12| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC13| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC14| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC15| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC16| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC17| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC18| "" (SUBTYPE-TCC) NIL NIL)
 (|init_TCC19| ""
(SUBTYPE-TCC) NIL NIL) (|init_TCC20| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC21| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC22| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC23| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv3_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (BETA) (("2" (GROUND) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (FLATTEN) (("2" (INST - "k") (("1" (GROUND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv3_aux5| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "j") (("2" (TYPEPRED "j") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "2 * j!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "2 * j!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "2 * j!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "2 * j!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "2 * j!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "2 * j!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "2 * j!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "2 * j!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "2 * j!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "2 * j!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (REPLACE -5 (1) RL) (("11" (LEMMA "STAT_inv1") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "r(n)`RS_sender_index") (("11" (GROUND) (("11" (INST - "j") (("11" (SPLIT) (("1" (GROUND) NIL NIL) ("2" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "2 * j!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "2 * j!1") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "2 * j!1") (("14" (GRIND) NIL NIL)) NIL) ("15" (LEMMA "STAT_inv1") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (INST - "r(n)`RS_sender_index") (("15" (GROUND) (("15" (INST - "2*j!1") (("15" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "2 * j!1") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "2 * j!1") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "2 * j!1") (("18" (GRIND) NIL NIL)) NIL) ("19" (INST - "2 * j!1") (("19" (GRIND) NIL NIL)) NIL) ("20" (INST - "2 * j!1") (("20" (GRIND) NIL NIL)) NIL) ("21" (INST - "2 * j!1") (("21" (GRIND) NIL NIL)) NIL) ("22" (INST - "2 * j!1") (("22" (GRIND) NIL NIL)) NIL) ("23" (INST - "2 * j!1") (("23" (GRIND) NIL NIL)) NIL) ("24" 
(INST - "2 * j!1") (("24" (GRIND) NIL NIL)) NIL) ("25" (INST - "2 * j!1") (("25" (GRIND) NIL NIL)) NIL) ("26" (INST - "2 * j!1") (("26" (GRIND) NIL NIL)) NIL) ("27" (INST - "2 * j!1") (("27" (GRIND) NIL NIL)) NIL) ("28" (INST - "2 * j!1 + 2") (("28" (SPLIT) (("1" (GRIND) NIL NIL) ("2" (INST + "j!1+1") (("2" (ASSERT) NIL NIL)) NIL) ("3" (ASSERT) NIL NIL)) NIL)) NIL) ("29" (INST - "2 * j!1") (("29" (GRIND) NIL NIL)) NIL) ("30" (INST - "2 * j!1 +2") (("30" (SPLIT) (("1" (GRIND) NIL NIL) ("2" (INST + "j!1+1") (("2" (ASSERT) NIL NIL)) NIL) ("3" (ASSERT) NIL NIL)) NIL)) NIL) ("31" (LEMMA "STAT_inv1") (("31" (EXPAND "invariant") (("31" (INST - "r" "n") (("31" (INST - "r(n)`RS_sender_index") (("31" (GROUND) (("31" (INST - "2*j!1") (("31" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("32" (LEMMA "STAT_inv1") (("32" (EXPAND "invariant") (("32" (INST - "r" "n") (("32" (INST - "r(n)`RS_sender_index") (("32" (GROUND) (("32" (INST - "2*j!1") (("32" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv3_aux6| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv3_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "STAT_inv1") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index") (("1" (GROUND) (("1" (INST - "0") (("1" (GROUND) (("1" (INST + "0") (("1" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "OLD_SD_inv3_aux5") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "0") (("2" (SPLIT) (("1" (GROUND) NIL NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL) ("3" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "STAT_inv1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`RS_sender_index") (("3" (GROUND) (("3" (INST - "0") (("3" (GRIND) (("3" (LEMMA "STAT_inv1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`RS_sender_index") (("3" (GROUND) (("3" (INST - "0") (("3" (GROUND) (("3" (INST 1 "0") (("3" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "OLD_SD_inv3_aux5") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "0") (("4" (GROUND) (("4" (INST + "0") (("4" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (LEMMA "STAT_inv1") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`RS_sender_index") (("5" (GROUND) (("5" (INST - "0") (("5" (GRIND) (("5" (LEMMA "STAT_inv1") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`RS_sender_index") (("5" (ASSERT) (("5" (INST - "0") (("5" (ASSERT) (("5" (INST + "0") (("5" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "OLD_SD_inv3_aux6") (("6" (GRIND) (("6" (LEMMA "OLD_SD_inv3_aux5") (("6" 
(EXPAND "invariant") (("6" (INST - "r" "n") (("6" (GROUND) (("6" (INST - "0") (("6" (GROUND) (("6" (INST + "0") (("6" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (LEMMA "OLD_SD_inv3_aux5") (("7" (EXPAND "invariant") (("7" (INST - "r" "n") (("7" (GROUND) (("7" (INST - "0") (("7" (GROUND) (("7" (INST + "0") (("7" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("8" (LEMMA "STAT_inv1") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (INST - "r(n)`RS_sender_index") (("8" (GROUND) (("8" (INST - "0") (("8" (GRIND) (("8" (LEMMA "STAT_inv1") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (INST - "r(n)`RS_sender_index") (("8" (GROUND) (("8" (INST - "0") (("8" (ASSERT) (("8" (INST + "0") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (LEMMA "OLD_SD_inv3_aux5") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (GROUND) (("9" (INST - "0") (("9" (GROUND) (("9" (INST + "0") (("9" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv3_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") NIL NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL) ("10" (INST - "i") NIL NIL) ("11" (INST - "i") NIL NIL) ("12" (INST - "i") NIL NIL) ("13" (INST - "i") NIL NIL) ("14" (COMMENT "will prove (pc = DtrStatSearchReXmitQueue => seq1 <= seq2 < VR_H) and use VR_H <= VT_S and FORALL (i < VT_S) : vXmitBuffer`Data(i)`Seq = i") (("14" (LEMMA "OLD_SD_inv3_aux") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (LEMMA "OLD_SD_inv3_aux2") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (GROUND) (("14" (LEMMA "OLD_SD_inv3_aux3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "r(n)`seq1") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) ";;;will prove (pc = DtrStatSearchReXmitQueue => seq1 <= seq2 < VR_H) and use VR_H <= VT_S and FORALL (i < VT_S) : vXmitBuffer`Data(i)`Seq = i")) NIL) ("15" (INST - "i") NIL NIL) ("16" (INST - "i") NIL NIL) ("17" (INST - "i") NIL NIL) ("18" (INST - "i") NIL NIL) ("19" (INST - "i") NIL NIL) ("20" (INST - "i") NIL NIL) ("21" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv6_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv6_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") NIL NIL) ("2" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv6_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") NIL NIL) ("2" (INST - "l") NIL NIL) ("3" (LEMMA "OLD_SD_inv6_aux2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (GROUND) (("3" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv6_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv6| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (TYPEPRED ("k" "l")) (("2" (INST - "k" "l") (("1" (GRIND :IF-MATCH NIL) (("1" (LEMMA "OLD_SD_inv3_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (GROUND) (("1" (LEMMA "OLD_SD_inv3_aux") (("1" (GRIND) (("1" (LEMMA "OLD_SD_inv3_aux3") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - " r(n)`seq1") (("1" (REPLACE -1) (("1" (COMMENT "prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq") (("1" (LEMMA "OLD_SD_inv6_aux1") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (GROUND) (("1" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) ";;;prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq")) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "OLD_SD_inv3_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (LEMMA "OLD_SD_inv3_aux") (("2" (GRIND) (("2" (LEMMA "OLD_SD_inv3_aux3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - " r(n)`seq1") (("2" (REPLACE -1) (("2" (COMMENT "prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq") (("2" (LEMMA "OLD_SD_inv6_aux1") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "k") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) ";;;prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq")) NIL)) NIL)) NIL)) NIL)) NIL)) 
NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (GRIND :IF-MATCH NIL) (("2" (LEMMA "OLD_SD_inv3_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (LEMMA "OLD_SD_inv3_aux") (("2" (GRIND) (("2" (LEMMA "OLD_SD_inv3_aux3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - " r(n)`seq1") (("2" (REPLACE -1) (("2" (COMMENT "prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq") (("2" (LEMMA "OLD_SD_inv6_aux1") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "k") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) ";;;prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq")) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (GRIND :IF-MATCH NIL) (("3" (LEMMA "OLD_SD_inv3_aux2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (GROUND) (("3" (LEMMA "OLD_SD_inv3_aux") (("3" (GRIND) (("3" (LEMMA "OLD_SD_inv3_aux3") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - " r(n)`seq1") (("3" (REPLACE -1) (("3" (COMMENT "prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq") (("3" (LEMMA "OLD_SD_inv6_aux1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (GROUND) (("3" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) ";;;prove pc= DtrStatSearchReXmitQueue AND j = vReXmitQueue_PtrIn-1 => FORALL l :subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1) : seq1 /= vReXmitQueue(l)`Seq")) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux1| "" 
(LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (BETA) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) NIL NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("l" "k")) (("2" (TYPEPRED "l" "k") (("2" (BETA) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l" "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "l" "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "l" "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "l" "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "l" "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "l" "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "l" "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "l" "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "l" "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "l" "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "l" "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "l" "k") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "l" "k") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "l" "k") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "l" "k") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "l" "k") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "l" "k") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "l" "k") (("18" (GRIND) NIL NIL)) NIL) ("19" (INST - "l" "k") (("19" (GRIND) NIL NIL)) NIL) ("20" (INST - "l" "k") (("20" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (BETA) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "l") (("2" (GROUND) (("2" (LEMMA "OLD_SD_inv5_aux4") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "l" "r(n)`RS_sender_index") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "l") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "l") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "l") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "l") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "l") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "l") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "l") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "l") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "l") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "l") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "l") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "l") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "l") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "l") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "l") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "l") (("18" (GRIND) NIL NIL)) NIL) ("19" (INST - "l") (("19" (GRIND) NIL NIL)) NIL) ("20" (INST - "l") (("20" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (TYPEPRED "k" "l") (("2" (BETA) (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k" "l") (("1" (GROUND) NIL NIL)) NIL) ("2" (INST - "k" "l") (("2" (GROUND) NIL NIL)) NIL) ("3" (INST - "k" "l") (("3" (GROUND) NIL NIL)) NIL) ("4" (INST - "k" "l") (("4" (GROUND) NIL NIL)) NIL) ("5" (INST - "k" "l") (("5" (GROUND) NIL NIL)) NIL) ("6" (INST - "k" "l") (("6" (GROUND) NIL NIL)) NIL) ("7" (INST - "k" "l") (("7" (GROUND) NIL NIL)) NIL) ("8" (INST - "k" "l") (("8" (GROUND) NIL NIL)) NIL) ("9" (INST - "k" "l") (("9" (GROUND) NIL NIL)) NIL) ("10" (INST - "k" "l") (("10" (GROUND) NIL NIL)) NIL) ("11" (INST - "k" "l") (("11" (GROUND) NIL NIL)) NIL) ("12" (INST - "k" "l") (("12" (GROUND) NIL NIL)) NIL) ("13" (INST - "k" "l") (("13" (GROUND) NIL NIL)) NIL) ("14" (LEMMA "OLD_SD_inv3_aux3") (("14" (LEMMA "OLD_SD_inv3_aux") (("14" (LEMMA "OLD_SD_inv3_aux2") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "r" "n") (("14" (INST - "r" "n") (("14" (GROUND) (("14" (INST - "r(n)`seq1") (("14" (REPLACE -4) (("14" (LEMMA "OLD_SD_inv5_aux2") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (GROUND) (("14" (REPLACE*) (("14" (COMMENT "will prove the negation of vXmitBuffer`PollSeq(mN_S(SR_channel(l))) < r(n)`VT_PA") (("14" (LEMMA "OLD_SD_inv5_aux3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "l") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) ";;;will prove the negation of vXmitBuffer`PollSeq(mN_S(SR_channel(l))) < r(n)`VT_PA")) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "k" "l") (("15" (GROUND) NIL NIL)) NIL) ("16" (INST - "k" "l") (("16" (GROUND) NIL NIL)) NIL) ("17" (INST - "k" "l") 
(("17" (GROUND) NIL NIL)) NIL) ("18" (INST - "k" "l") (("18" (GROUND) NIL NIL)) NIL) ("19" (INST - "k" "l") (("19" (GROUND) NIL NIL)) NIL) ("20" (INST - "k" "l") (("20" (GROUND) NIL NIL)) NIL) ("21" (INST - "k" "l") (("21" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (BETA) (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (INST - "i") (("1" (GROUND) (("1" (INST - "l") NIL NIL)) NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_aux_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1_aux_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1_aux_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (TYPEPRED ("k" "l")) (("2" (BETA) (("2" (GROUND) (("2" (SKOLEM + "m") (("2" (TYPEPRED "m") (("2" (INST - "k" "l") (("1" (GROUND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL) ("6" (HIDE 2) (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_aux_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GROUND) (("1" (INST - "m!1") (("1" (GROUND) (("1" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GROUND) (("2" (INST - "m!1") (("2" (GROUND) (("2" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "k") (("3" (GROUND) (("3" (INST - "m!1") (("3" (GROUND) (("3" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "k") (("4" (GROUND) (("4" (INST - "m!1") (("4" (GROUND) (("4" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GROUND) (("5" (INST - "m!1") (("5" (GROUND) (("5" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "OLD_SD_inv1_aux_aux2") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "k" "r(n)`RS_sender_index") (("6" (GROUND) (("6" (INST - "m!1") 
(("6" (INST - "m!1") (("1" (GROUND) (("1" (INST + "j!1") NIL NIL) ("2" (INST + "j!1") NIL NIL)) NIL) ("2" (GROUND) (("1" (INST + "j!1") NIL NIL) ("2" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "k") (("7" (GROUND) (("7" (INST - "m!1") (("7" (GROUND) (("7" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("8" (INST - "k") (("8" (GROUND) (("8" (INST - "m!1") (("8" (GROUND) (("8" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "k") (("9" (GROUND) (("9" (INST - "m!1") (("9" (GROUND) (("9" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("10" (INST - "k") (("10" (GROUND) (("10" (INST - "m!1") (("10" (GROUND) (("10" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "k") (("11" (GROUND) (("11" (INST - "m!1") (("11" (GROUND) (("11" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "k") (("12" (GROUND) (("12" (INST - "m!1") (("12" (GROUND) (("12" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "k") (("13" (GROUND) (("13" (INST - "m!1") (("13" (GROUND) (("13" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "k") (("14" (GROUND) (("14" (INST - "m!1") (("14" (GROUND) (("14" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "k") (("15" (GROUND) (("15" (INST - "m!1+2") (("15" (GROUND) (("15" (INST + "j!1+1") (("15" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (LEMMA "OLD_SD_inv1_aux_aux2") (("16" (EXPAND "invariant") (("16" (INST - "r" "n") (("16" (INST - "k" "r(n)`RS_sender_index") (("16" (GROUND) (("16" (INST - "m!1") (("16" (GROUND) (("16" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (BETA) (("2" (TYPEPRED "k") (("2" (GROUND) (("2" (SKOLEM + ("l" "m")) (("2" (TYPEPRED "l" "m") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GROUND) (("1" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GROUND) (("2" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("3" (INST - "k") (("3" (GROUND) (("3" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("4" (INST - "k") (("4" (GROUND) (("4" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GROUND) (("5" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("6" (INST - "k") (("6" (GROUND) (("6" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("7" (INST - "k") (("7" (GROUND) (("7" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("8" (INST - "k") (("8" (GROUND) (("8" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("9" (INST - "k") (("9" (GROUND) (("9" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("10" (INST - "k") (("10" (GROUND) (("10" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("11" (INST - "k") (("11" (GROUND) (("11" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("12" (INST - "k") (("12" (GROUND) (("12" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("13" (INST - "k") (("13" (GROUND) (("13" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("14" (INST - "k") (("14" (GROUND) (("14" (LEMMA "OLD_SD_inv3_aux") (("14" (LEMMA "OLD_SD_inv3_aux2") (("14" (LEMMA "OLD_SD_inv3_aux3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "r" "n") (("14" (INST - "r" "n") (("14" (GROUND) (("14" (INST - "r(n)`seq1") (("14" (REPLACE -3) (("14" (CASE "r(n)`seq2 <= mList(RS_channel(k))`Data(1)") (("1" (ASSERT) NIL NIL) ("2" (LEMMA "OLD_SD_inv3_aux6") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (REPLACE -2) (("2" (LEMMA "OLD_SD_inv1_aux_aux1") (("2" (EXPAND "invariant") (("2" (INST - "r" 
"n") (("2" (GROUND) (("2" (INST - "k") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "k") (("15" (GROUND) (("15" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("16" (INST - "k") (("16" (GROUND) (("16" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("17" (INST - "k") (("17" (GROUND) (("17" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("18" (INST - "k") (("18" (GROUND) (("18" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("19" (INST - "k") (("19" (GROUND) (("19" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("20" (INST - "k") (("20" (GROUND) (("20" (INST - "l" "m") NIL NIL)) NIL)) NIL) ("21" (INST - "k") (("21" (GROUND) (("21" (INST - "l" "m") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1_aux1_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (INST - "k") (("1" (GRIND) (("1" (LEMMA "OLD_SD_inv3_aux2") (("1" (LEMMA "OLD_SD_inv3_aux") (("1" (LEMMA "OLD_SD_inv3_aux3") (("1" (GRIND) (("1" (INST - "r" "n") (("1" (INST - "r" "n") (("1" (INST - "r" "n") (("1" (GROUND) (("1" (INST - "r(n)`seq1") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (GRIND) (("2" (LEMMA "OLD_SD_inv3_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (LEMMA "OLD_SD_inv3_aux3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (LEMMA "OLD_SD_inv3_aux") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`seq1") (("1" (GROUND) NIL NIL) ("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|VT_A_LEQ_VR_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (VT_A_LEQ_VR_R "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("2" (LEMMA "VT_A_LEQ_VR_aux") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (INST - "k" "l") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (INST - "k" "l") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "k") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "k") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "k") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "k") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "k") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "k") (("18" (GRIND) NIL NIL)) NIL) ("19" (INST - "k") (("19" (GRIND) NIL NIL)) NIL) ("20" (INST - "k") (("20" (GRIND) NIL NIL)) 
NIL) ("21" (INST - "k") (("21" (GRIND) NIL NIL)) NIL) ("22" (INST - "k") (("22" (GRIND) (("22" (LEMMA "STAT_inv2_aux") (("22" (EXPAND "invariant") (("22" (INST - "r" "n") (("22" (INST - "k" "r(n)`RS_sender_index") (("22" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("23" (INST - "k") (("23" (GRIND) NIL NIL)) NIL) ("24" (INST - "k") (("24" (GRIND) NIL NIL)) NIL) ("25" (INST - "k") (("25" (GRIND) NIL NIL)) NIL) ("26" (INST - "k") (("26" (GRIND) NIL NIL)) NIL) ("27" (INST - "k") (("27" (GRIND) NIL NIL)) NIL) ("28" (INST - "k") (("28" (GRIND) NIL NIL)) NIL) ("29" (INST - "k") (("29" (GRIND) NIL NIL)) NIL) ("30" (INST - "k") (("30" (GRIND) NIL NIL)) NIL) ("31" (INST - "k") (("31" (GRIND) NIL NIL)) NIL) ("32" (INST - "k") (("32" (GRIND) NIL NIL)) NIL) ("33" (INST - "k") (("33" (GRIND) NIL NIL)) NIL) ("34" (INST - "k") (("34" (GRIND) NIL NIL)) NIL) ("35" (INST - "k") (("35" (GRIND) NIL NIL)) NIL) ("36" (INST - "k") (("36" (GRIND) NIL NIL)) NIL) ("37" (INST - "k") (("37" (GRIND) NIL NIL)) NIL) ("38" (INST - "k") (("38" (GRIND) NIL NIL)) NIL) ("39" (INST - "k") (("39" (GRIND) NIL NIL)) NIL) ("40" (INST - "k") (("40" (GRIND) NIL NIL)) NIL) ("41" (INST - "k") (("41" (GRIND) NIL NIL)) NIL) ("42" (INST - "k") (("42" (GRIND) NIL NIL)) NIL) ("43" (INST - "k") (("43" (GRIND) NIL NIL)) NIL) ("44" (INST - "k") (("44" (GRIND) NIL NIL)) NIL) ("45" (INST - "k") (("45" (GRIND) NIL NIL)) NIL) ("46" (INST - "k") (("46" (GRIND) NIL NIL)) NIL) ("47" (INST - "k") (("47" (GRIND) NIL NIL)) NIL) ("48" (INST - "k") (("48" (GRIND) NIL NIL)) NIL) ("49" (INST - "k") (("49" (GRIND) NIL NIL)) NIL) ("50" (INST - "k") (("50" (GRIND) NIL NIL)) NIL) ("51" (INST - "k") (("51" (GRIND) NIL NIL)) NIL) ("52" (INST - "k") (("52" (GRIND) NIL NIL)) NIL) ("53" (INST - "k") (("53" (GRIND) NIL NIL)) NIL) ("54" (INST - "k") (("54" (GRIND) NIL NIL)) NIL) ("55" (INST - "k") (("55" (GRIND) NIL NIL)) NIL) ("56" (INST - "k") (("56" (GRIND) NIL NIL)) NIL) ("57" (INST - "k") (("57" (GRIND) NIL NIL)) NIL) ("58" 
(INST - "k") (("58" (GRIND) NIL NIL)) NIL) ("59" (INST - "k") (("59" (GRIND) NIL NIL)) NIL) ("60" (INST - "k") (("60" (GRIND) NIL NIL)) NIL) ("61" (INST - "k") (("61" (GRIND) NIL NIL)) NIL) ("62" (INST - "k") (("62" (GRIND) (("62" (LEMMA "STAT_inv2_aux2") (("62" (EXPAND "invariant") (("62" (INST - "r" "n") (("62" (INST - "k" "r(n)`RS_sender_index") (("62" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("63" (INST - "k") (("63" (GRIND) NIL NIL)) NIL) ("64" (INST - "k") (("64" (GRIND) NIL NIL)) NIL) ("65" (INST - "k") (("65" (GRIND) NIL NIL)) NIL) ("66" (INST - "k") (("66" (GRIND) NIL NIL)) NIL) ("67" (INST - "k") (("67" (GRIND) NIL NIL)) NIL) ("68" (INST - "k") (("68" (GRIND) NIL NIL)) NIL) ("69" (INST - "k") (("69" (GRIND) NIL NIL)) NIL) ("70" (INST - "k") (("70" (GRIND) NIL NIL)) NIL) ("71" (INST - "k") (("71" (GRIND) NIL NIL)) NIL) ("72" (INST - "k") (("72" (GRIND) NIL NIL)) NIL) ("73" (INST - "k") (("73" (GRIND) NIL NIL)) NIL) ("74" (INST - "k") (("74" (GRIND) NIL NIL)) NIL) ("75" (INST - "k") (("75" (GRIND) NIL NIL)) NIL) ("76" (INST - "k") (("76" (GRIND) NIL NIL)) NIL) ("77" (INST - "k") (("77" (GRIND) NIL NIL)) NIL) ("78" (INST - "k") (("78" (GRIND) NIL NIL)) NIL) ("79" (INST - "k") (("79" (GRIND) NIL NIL)) NIL) ("80" (INST - "k") (("80" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL) ("6" (HIDE 2) (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux3_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux10_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux10| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (INST - "k" "l") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux9_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux9| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA "STAT_inv2_aux2_aux10") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "k!1" "r(n)`RS_sender_index") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "k!1") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "k!1") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "k!1") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "k!1") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "k!1") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "k!1") (("18" (GRIND) NIL NIL)) NIL) ("19" (INST - "k!1") (("19" (GRIND) NIL NIL)) NIL) ("20" (INST - "k!1") (("20" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OutOfDtr_unreachable| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -2) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "STAT_inv2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "STAT_inv2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "STAT_inv2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`RS_sender_index") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "STAT_inv2") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "r(n)`RS_sender_index") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("5" (LEMMA "OLD_SD_inv3_aux3") (("5" (LEMMA "OLD_SD_inv3_aux2") (("5" (LEMMA "OLD_SD_inv3_aux") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r" "n") (("5" (INST - "r" "n") (("5" (GROUND) (("5" (INST - "r(n)`seq1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "OLD_SD_inv3_aux2") (("6" (LEMMA "OLD_SD_inv3_aux") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r" "n") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (LEMMA "OLD_SD_inv3_aux2") (("7" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) $$$sscop_STAT_receiver_invariants2.pvs sscop_STAT_receiver_invariants2: THEORY BEGIN IMPORTING sscop_STAT_receiver_invariants1 %-inductive retrans_inv1_aux3 : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = 
statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT vRecvBuffer`Arrived(m) OR vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) %proved using retrans_inv1_aux3 retrans_inv1_aux2: LEMMA invariant(LAMBDA (s: State): ( s`pc = DtrStatSearchReXmitQueue OR s`pc = DtrStatTestForReXmit OR s`pc = DtrStatBeginAckNackLoop OR s`pc = DtrStatTestEndOfNacks OR s`pc = DtrStatTestAckNackComplete) IMPLIES (FORALL (j: nat): (even?(j) AND s`i + j <= s`vList`Length - 2) IMPLIES (FORALL (k: subrange(s`vList`Data(s`i + j + 1), s`vList`Data(s`i + j + 2) - 1)): NOT vRecvBuffer`Arrived(k) OR vXmitBuffer`PollSeq(k) >= s`VT_PA ))) %proved using USTAT_inv1, retrans_inv1_aux2, retrans_inv1_aux3 retrans_inv1_aux4: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrStatTestForReXmit OR s`pc = DtrStatBeginAckNackLoop) IMPLIES (NOT vRecvBuffer`Arrived(s`seq1) OR vXmitBuffer`PollSeq(s`seq1) >= s`VT_PA)) %proved using retrans_inv1_aux4 retrans_inv1_aux1: LEMMA invariant(LAMBDA (s: State): s`pc = DtrStatSearchReXmitQueue IMPLIES NOT vRecvBuffer`Arrived(s`seq1)) %-proved using retrans_inv1_aux1 & others (add) retrans_inv1: LEMMA invariant(LAMBDA (s: State): FORALL (k: subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn - 1)): NOT vRecvBuffer`Arrived(s`vReXmitQueue(k)`Seq)) %-inductive xMitBuffer_inv2_aux : LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(s`RS_sender_index, RS_receiver_index-1)): let stat = RS_channel(k), ustat = RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND k < l IMPLIES mN_R(stat) <= mN_R(ustat)) %-proved using xMitBuffer_inv2_aux xMitBuffer_inv2 : LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2), vN_R = mN_R(pdu) IN s`VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < VT_S AND (FORALL (j:subrange(bot,top-1)): vXmitBuffer`Data(j)`Seq = j)) %inductive retrans_inv1_aux0: LEMMA invariant(LAMBDA(s:State): VR_H 
<= VR_MR) END sscop_STAT_receiver_invariants2 $$$sscop_STAT_receiver_invariants2.prf (|sscop_STAT_receiver_invariants2| (|retrans_inv1_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (BETA) (("2" (FLATTEN) (("2" (TYPEPRED "k") (("2" (SKOLEM + "l") (("2" (FLATTEN) (("2" (TYPEPRED "l") (("2" (SKOLEM + "m") (("2" (TYPEPRED "m") (("2" (INST - "k") (("1" (GROUND) (("1" (INST - "l") (("1" (GROUND) (("1" (INST - "m") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "j") (("2" (FLATTEN) (("2" (TYPEPRED "j") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j") (("5" (GRIND) NIL NIL)) NIL) ("6" (LEMMA "retrans_inv1_aux3") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r(n)`RS_sender_index") (("6" (GROUND) (("6" (INST - "j") (("6" (GROUND) (("6" (INST - "k!1") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "j") (("7" (GROUND) (("7" (INST - "k!1") (("7" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("8" (INST - "j") (("8" (GROUND) (("8" (INST - "k!1") (("8" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("9" (INST - "j") (("9" (GROUND) (("9" (INST - "k!1") (("9" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("10" (INST - "j") (("10" (GROUND) (("10" (INST - "k!1") (("10" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("11" (INST - "j") (("11" (GROUND) (("11" (INST - "k!1") (("11" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("12" (INST - "j") (("12" (GROUND) (("12" (INST - "k!1") (("12" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("13" (INST - "j") (("13" (GROUND) (("13" (INST - "k!1") (("13" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("14" (INST - "j") (("14" (GROUND) (("14" (INST - "k!1") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("15" (INST - "2*j!1+2") (("15" (GROUND) (("1" (INST - "k!1") (("1" (GROUND) NIL NIL)) NIL) ("2" (INST + "j!1+1") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL) ("16" (LEMMA "retrans_inv1_aux3") (("16" (EXPAND "invariant") (("16" (INST - "r" "n") (("16" (INST - "r(n)`RS_sender_index") (("16" (GROUND) (("16" (INST - "j") (("16" (GROUND) (("16" (INST - "k!1") (("16" (GROUND) 
NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux4| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "retrans_inv1_aux3") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index") (("1" (GROUND) (("1" (INST - "0") (("1" (GROUND) (("1" (INST - "mList(RS_channel(r(n)`RS_sender_index))`Data(1)") (("1" (GROUND) NIL NIL) ("2" (LEMMA "STAT_inv1") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "retrans_inv1_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("1" (INST - "r(n)`vList`Data(1 + r(n)`i)") (("1" (GROUND) NIL NIL) ("2" (LEMMA "OLD_SD_inv3_aux5") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "retrans_inv1_aux3") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`RS_sender_index") (("3" (GROUND) (("3" (INST - "0") (("3" (GROUND) (("1" (INST - "mList(RS_channel(r(n)`RS_sender_index))`Data(1)") (("1" (GROUND) NIL NIL) ("2" (LEMMA "STAT_inv1") (("2" (EXPAND "invariant") 
(("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "retrans_inv1_aux2") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "0") (("4" (GROUND) (("1" (INST - "r(n)`vList`Data(1 + r(n)`i)") (("1" (GROUND) NIL NIL) ("2" (LEMMA "OLD_SD_inv3_aux5") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (LEMMA "retrans_inv1_aux3") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`RS_sender_index") (("5" (GROUND) (("5" (INST - "0") (("5" (GROUND) (("1" (INST - "mList(RS_channel(r(n)`RS_sender_index))`Data(1)") (("1" (GROUND) NIL NIL) ("2" (LEMMA "STAT_inv1") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "OLD_SD_inv5_aux1") (("6" (GRIND) (("6" (LEMMA "OLD_SD_inv3_aux6") (("6" (GRIND) (("6" (LEMMA "retrans_inv1_aux2") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (GROUND) (("6" (INST - "0") (("6" (GROUND) (("1" (INST - "r(n)`seq1") (("1" (GROUND) NIL NIL)) NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (LEMMA "retrans_inv1_aux2") (("7" (EXPAND "invariant") (("7" (INST - "r" "n") (("7" (GROUND) (("7" (INST - "0") (("7" (GROUND) (("1" (INST - "r(n)`vList`Data(1 + r(n)`i)") (("1" (GROUND) NIL 
NIL) ("2" (LEMMA "OLD_SD_inv3_aux5") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "0") (("2" (GROUND) (("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST + "0") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("2" (LEMMA "retrans_inv1_aux4") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|retrans_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (INST - "k") (("1" (GRIND) (("1" (LEMMA "OLD_SD_inv3_aux2") (("1" (LEMMA "OLD_SD_inv3_aux3") (("1" (LEMMA "OLD_SD_inv3_aux") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r" "n") (("1" (INST - "r" "n") (("1" (INST - "r(n)`seq1") (("1" (GROUND) (("1" (REPLACE -4) (("1" (LEMMA "retrans_inv1_aux1") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (GRIND) (("2" (LEMMA "OLD_SD_inv3_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (LEMMA "OLD_SD_inv3_aux3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`seq1") (("1" (REPLACE -1) (("1" (LEMMA "retrans_inv1_aux1") (("1" (GRIND) NIL NIL)) 
NIL)) NIL) ("2" (LEMMA "OLD_SD_inv3_aux") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|xMitBuffer_inv2_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2_aux_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (INST - "k" "l") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|xMitBuffer_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (FLATTEN) (("2" (INST - "i") (("1" (GROUND) (("1" (GRIND :IF-MATCH NIL) (("1" (LEMMA "xMitBuffer_inv2_aux") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index" "i") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux0| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) $$$sscop_POLL_receiver.pvs sscop_POLL_receiver: THEORY %this is the function of the SSCOP protocol that receives a POLL PDU and %sends a STAT PDU % cf. 
ITU recommendation Q2110 BEGIN IMPORTING sscop_datatypes control : TYPE = {DataTransferReady,OutOfDtr,DtrPollSkipArrived, DtrPollScanMissing, DtrPollSendList} State : TYPE = [# pc: control, VR_H: nat, %receiver's window: highest received element ever RS_channel: [nat->(RS?)], % receiver-sender channel RS_receiver_index : nat, % index of RS_channel SR_receiver_index: nat, %index of channel from sender vN_PS : nat, %next three for storage only vList: ListType, i: nat #] %parameters SR_channel : [nat->(SR?)] SR_sender_index : nat VR_MR: nat VR_R: nat vRecvBuffer: RecvBufferType VT_S: nat VT_PS : nat VT_PA:nat VT_A:nat vReXmitQueue_PtrOut : nat vReXmitQueue_PtrIn : nat vReXmitQueue: QueueDataType RS_sender_index : nat vXmitBuffer: SendBufferType %transition relation trans(s: State, a: Action, s_: State): bool = %receiving a correct POLL s`pc = DataTransferReady AND s`SR_receiver_index < SR_sender_index AND POLL?(a) AND a = SR_channel(s`SR_receiver_index) AND mN_S(a) >= s`VR_H AND s_ = s WITH [`pc := DtrPollSkipArrived, `SR_receiver_index := s`SR_receiver_index + 1, `vN_PS := mN_PS(a), `VR_H := IF mN_S(a) < VR_MR THEN mN_S(a) ELSE VR_MR ENDIF, `vList`Length := 0, `i := VR_R] %receiving an incorrect POLL (its N(S) is below VR_H): leave data transfer OR s`pc = DataTransferReady AND s`SR_receiver_index < SR_sender_index AND POLL?(a) AND a = SR_channel(s`SR_receiver_index) AND mN_S(a) < s`VR_H AND s_ = s WITH [`pc := OutOfDtr] %simulating loss of POLL OR s`SR_receiver_index < SR_sender_index AND POLL?(a) AND a = SR_channel(s`SR_receiver_index) AND s_ = s WITH [(SR_receiver_index) := s`SR_receiver_index + 1] %skip arrived SD PDU's OR s`pc = DtrPollSkipArrived AND s`i < s`VR_H AND vRecvBuffer`Arrived(s`i) AND tau?(a) AND s_ = s WITH [`pc := DtrPollSkipArrived, `i := s`i + 1] %memorize next SD not arrived in list OR s`pc = DtrPollSkipArrived AND s`i < s`VR_H AND NOT vRecvBuffer`Arrived(s`i) AND tau?(a) AND s_ = s WITH [`pc := DtrPollScanMissing, `vList`Data(s`vList`Length + 1) := s`i, `vList`Length := s`vList`Length + 1] 
%skip following non-arrived SDs OR s`pc = DtrPollScanMissing AND s`i < s`VR_H AND NOT vRecvBuffer`Arrived(s`i) AND tau?(a) AND s_ = s WITH [`pc := DtrPollScanMissing, `i := s`i + 1] %memorize next SD arrived in list OR s`pc = DtrPollScanMissing AND s`i < s`VR_H AND vRecvBuffer`Arrived(s`i) AND tau?(a) AND s_ = s WITH [`pc := DtrPollSkipArrived, `vList`Data(s`vList`Length + 1) := s`i, `vList`Length := s`vList`Length + 1] %done: add VR_H to list (from DtrPollSkipArrived) OR s`pc = DtrPollSkipArrived AND s`i = s`VR_H AND tau?(a) AND s_ = s WITH [`pc := DtrPollSendList, `vList`Data(s`vList`Length + 1) := s`i, `vList`Length := s`vList`Length + 1] %done: add VR_H to list (from DtrPollScanMissing) OR s`pc = DtrPollScanMissing AND s`i = s`VR_H AND tau?(a) AND s_ = s WITH [`pc := DtrPollSendList, `vList`Data(s`vList`Length + 1) := s`i, `vList`Length := s`vList`Length + 1] %send a STAT PDU with the list OR s`pc = DtrPollSendList AND s_ = s WITH [ `pc := DataTransferReady, `RS_channel(s`RS_receiver_index) := STAT(VR_R, VR_MR,s`vN_PS,s`vList), `RS_receiver_index := s`RS_receiver_index + 1] END sscop_POLL_receiver $$$sscop_POLL_receiver.prf (|sscop_POLL_receiver| (|SR_channel_TCC1| "" (INST 1 "LAMBDA(x:nat) : NEW_SD(0,choose({d:Data_Type|TRUE}))") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL) (|trans_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC3| "" (SUBTYPE-TCC) NIL NIL)) $$$sscop_POLL_receiver_invariants1.pvs sscop_POLL_receiver_invariants1: THEORY BEGIN IMPORTING sscop_POLL_receiver init(s:State) : bool = s`pc = DataTransferReady AND %cf. *-VT_S_GE_VR_H, %*sscop_SD_sender_invariants1.VT_S_GE_VR_H and %sscop_SD_sender_invariants2.VT_S_GE_VR_H, %*sscop_SD_receiver_invariants1.VT_S_GE_VR_H, %sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux1. %sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux (VT_S >= s`VR_H AND %cf. 
*-NEW_SD_inv1, %*sscop_SD_sender_invariants1.NEW_SD_inv1 and %*sscop_SD_receiver_invariants1.NEW_SD_inv1 (FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN NEW_SD?(pdu) IMPLIES mN_S(pdu) >= s`VR_H) AND %cf. *-NEW_SD_inv5, sscop_SD_sender_invariants1.NEW_SD_inv5 and %*sscop_SD_receiver_invariants1.VT_S_GE_VR_H (FORALL (k:nat) : k >= s`VR_H => NOT vRecvBuffer`Arrived(k)) AND % cf. -POLL_inv2, *sscop_SD_sender_invariants2.POLL_inv2 (FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN POLL?(pdu) IMPLIES VT_S >= mN_S(pdu)) AND % cf. -POLL_inv1, *sscop_SD_sender_invariants2.POLL_inv1 (FORALL (j, k: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu_1 = SR_channel(j), pdu_2 = SR_channel(k) IN POLL?(pdu_1) AND POLL?(pdu_2) AND j < k IMPLIES mN_S(pdu_1) <= mN_S(pdu_2)) AND % cf. *-POLL_inv0, *sscop_SD_sender_invariants2.POLL_inv0, %*sscop_SD_receiver_invariants1.POLL_inv0 (FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN POLL?(pdu) IMPLIES mN_S(pdu) >= s`VR_H) AND %cf. *-OLD_SD_inv3, %sscop_SD_sender_invariants3.OLD_SD_inv3, %*sscop_SD_receiver_invariants1.init_inv7, %*sscop_USTAT_receiver_invariants1.USTAT_inv4, %*sscop_STAT_receiver_invariants1.OLD_SD_inv3 (FORALL (i:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)): vReXmitQueue(i)`Seq < s`VR_H) AND %cf. 
*-OLD_SD_inv2, %*sscop_SD_receiver_invariants1.init_inv4, %*sscop_SD_sender_invariants3.OLD_SD_inv2 (FORALL (j: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES mN_S(pdu) < s`VR_H) AND %*-VR_MR_GE_VR_H, %sscop_SD_sender_invariants4.VR_MR_GE_VR_H, %*sscop_SD_receiver_invariants1.VT_S_GE_VR_H_aux1, %sscop_STAT_receiver_invariants13.retrans_inv1_aux0 VR_MR >= s`VR_H AND %*-VR_H_GE_VR_R,sscop_SD_sender_invariants4.indicated_equals_sent_aux, %*sscop_SD_receiver_invariants1.VT_S_GE_VR_H_aux3 s`VR_H >= VR_R AND %*-USTAT_inv, *sscop_SD_receiver_invariants2.USTAT_inv, %sscop_USTAT_receiver_invariants1.USTAT_inv3, %sscop_STAT_receiver_invariants1.USTAT_inv (FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)) : let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < s`VR_H) AND %-NEW_SD_POLL and *sscop_SD_sender_invariants2.NEW_SD_POLL (FORALL (i,j : subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu1 = SR_channel(i), pdu2 = SR_channel(j) IN NEW_SD?(pdu1) AND POLL?(pdu2) AND i > j IMPLIES mN_S(pdu1) >= mN_S(pdu2)) AND %*-sscop_POLL_receiver_invariants2.STAT_inv1, %sscop_STAT_receiver_invariants1.STAT_inv1, %*ssscop_SD_receiver_invariants1.OLD_SD_inv1_aux_aux3 (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (i: upto(statlist`Length - 2)): even?(i) IMPLIES LET elt1 = statlist`Data(i + 1), elt2 = statlist`Data(i + 2) IN elt1 < elt2 AND elt2 <= s`VR_H)) AND %*-sscop_POLL_receiver_invariants2.retrans_inv1_aux3, %sscop_STAT_receiver_invariants2.retrans_inv1_aux3, %*sscop_SD_sender_invariants2.retrans_inv1_aux3, %*sscop_SD_receiver_invariants4.retrans_inv1_aux3, (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) 
IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT vRecvBuffer`Arrived(m) OR vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) AND %sscop_USTAT_receiver_invariants2.STAT_inv2_aux3, %*-sscop_POLL_receiver_invariants3.STAT_inv2_aux3, %*sscop_SD_receiver_invariants3.STAT_inv2_aux3 (FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND l < k IMPLIES mN_R(ustat) <= mN_R(stat)) AND %sscop_USTAT_receiver_invariants1.VT_A_LEQ_VR_R_aux2, %*sscop_SD_receiver_invariants2.USTAT_inv4_aux, %-sscop_POLL_receiver_invariants3.STAT_inv2_aux3_aux1 (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index-1)): let ustat = s`RS_channel(k) IN USTAT?(ustat) IMPLIES mN_R(ustat) <= VR_R) AND %*-sscop_POLL_receiver_invariants3.VT_A_LEQ_VR_R_aux, %*sscop_SD_receiver_invariants3.VT_A_LEQ_VR_R_aux, %sscop_STAT_receiver_invariants1.VT_A_LEQ_VR_R_aux (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES mN_R(pdu) <= VR_R) AND %*-sscop_POLL_receiver_invariants3.STAT_inv2_aux, %sscop_STAT_receiver_invariants1.STAT_inv2_aux (FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu1 = s`RS_channel(l), pdu2 = s`RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_R(pdu1) <= mN_R(pdu2)) AND %*-sscop_POLL_receiver_invariants3.STAT_inv2_aux2, %sscop_STAT_receiver_invariants1.STAT_inv2_aux2 (FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu1 = s`RS_channel(l), pdu2 = s`RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_PS(pdu1) <= mN_PS(pdu2)) AND %*-sscop_POLL_receiver_invariants3.STAT_inv2_aux2_aux2, %*sscop_SD_sender_invariants2.STAT_inv2_aux2, %sscop_STAT_receiver_invariants1.STAT_inv2_aux2_aux10 (FORALL (j: 
subrange(s`SR_receiver_index, SR_sender_index-1), k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET poll = SR_channel(j), stat = s`RS_channel(k) IN POLL?(poll) AND STAT?(stat) IMPLIES mN_PS(poll) >= mN_PS(stat)) AND %-sscop_POLL_receiver_invariants3.STAT_inv2_aux2_aux4, %*sscop_SD_sender_invariants2.STAT_inv2_aux2_aux4 (FORALL (j,k: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll1 = SR_channel(j), poll2 = SR_channel(k) IN POLL?(poll1) AND POLL?(poll2) AND j < k IMPLIES mN_PS(poll1) <= mN_PS(poll2)) AND %*-sscop_POLL_receiver_invariants3.STAT_inv2_aux5, %*sscop_SD_sender_invariants2.STAT_inv2_aux3 (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET stat = s`RS_channel(k) IN STAT?(stat) IMPLIES VT_PS >= mN_PS(stat)) AND %-sscop_POLL_receiver_invariants3.STAT_inv2_aux5_aux2, %*sscop_SD_sender_invariants2.STAT_inv2_aux2_aux5, %sscop_SD_sender_invariants5.OLD_SD_inv5_aux4_aux3 (FORALL (k: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(k) IN POLL?(poll) IMPLIES VT_PS >= mN_PS(poll)) AND %sscop_STAT_receiver_invariants1.OLD_SD_inv5_aux4, %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux4, %*-sscop_POLL_receiver_invariants3.OLD_SD_inv5_aux4, %sscop_SD_receiver_invariants4.retrans_inv1_aux5 (FORALL (l: subrange(s`SR_receiver_index, SR_sender_index - 1), k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET old_sd = SR_channel(l), stat = s`RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat)) %-sscop_POLL_receiver_invariants3.OLD_SD_inv5_aux4_aux2, %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux4_aux2, AND (FORALL (l,k: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET old_sd = SR_channel(l), poll = SR_channel(k) IN OLD_SD?(old_sd) AND POLL?(poll) AND l > k IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(poll)) AND %*-sscop_POLL_receiver_invariants3.OLD_SD_inv1_aux_aux2 %sscop_STAT_receiver_invariants1.OLD_SD_inv1_aux_aux2, 
%*sscop_SD_receiver_invariants3.OLD_SD_inv1_aux_aux2 (FORALL (k, l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET ustat = s`RS_channel(k), stat = s`RS_channel(l) IN USTAT?(ustat) AND STAT?(stat) AND k > l IMPLIES (FORALL (m: nat): even?(m) AND m <= mList(stat)`Length-2 IMPLIES mList(stat)`Data(2 + m) <= mList(ustat)`Data(1))) AND %*sscop_SD_sender_invariants5.STAT_inv2, %*sscop_STAT_receiver_invariants1.STAT_inv2, %*sscop_USTAT_receiver_invariants2.STAT_inv2 %*-sscop_POLL_receiver_invariants3.STAT_inv2 (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES (VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= VT_PS AND VT_A <= mN_R(pdu) AND mN_R(pdu) <= VT_S)) AND %sscop_SD_sender_invariants6.final_result_aux, %sscop_POLL_receiver_invariants3.STAT_inv2_aux1 %*sscop_SD_receiver_invariants2.USTAT_inv3_aux2, %*sscop_USTAT_receiver_invariants1.VT_A_LEQ_VR_R, %*sscop_STAT_receiver_invariants1.VT_A_LEQ_VR_R (VT_A <= VR_R) AND %-STAT_inv2_aux2_aux9, %*sscop_STAT_receiver_invariants1.STAT_inv2_aux2_aux9, %*sscop_SD_sender_invariants2.STAT_inv2_aux2_aux9 (FORALL (k: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(k) IN POLL?(poll) IMPLIES VT_PA <= mN_PS(poll)) AND %sscop_STAT_receiver_invariants2.xMitBuffer_inv2_aux, %*sscop_SD_receiver_invariants4.xMitBuffer_inv2_aux, %*-sscop_POLL_receiver_invariants3.xMitBuffer_inv2_aux (FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND k < l IMPLIES mN_R(stat) <= mN_R(ustat))) IMPORTING runs[State,init,LAMBDA(s,s_:State): EXISTS (a:Action): trans(s,a,s_)] %-inductive POLL_inv2: LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN POLL?(pdu) IMPLIES VT_S >= mN_S(pdu)) %-proved using POLL_inv2 VT_S_GE_VR_H : LEMMA invariant(LAMBDA(s:State) : VT_S >= s`VR_H) %-inductive NEW_SD_POLL: LEMMA 
invariant(LAMBDA(s:State) : FORALL (i,j : subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu1 = SR_channel(i), pdu2 = SR_channel(j) IN NEW_SD?(pdu1) AND POLL?(pdu2) AND i > j IMPLIES mN_S(pdu1) >= mN_S(pdu2)) %-proved using NEW_SD_POLL NEW_SD_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN NEW_SD?(pdu) IMPLIES mN_S(pdu) >= s`VR_H) %-inductive VR_MR_GE_VR_H: LEMMA invariant(LAMBDA(s:State) : VR_MR >= s`VR_H) %-proved using VR_MR_GE_VR_H NEW_SD_inv5: LEMMA invariant(LAMBDA(s:State) : FORALL (k:nat) : k >= s`VR_H => NOT vRecvBuffer`Arrived(k)) %-inductive POLL_inv1 : LEMMA invariant(LAMBDA(s:State): FORALL (j, k: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu_1 = SR_channel(j), pdu_2 = SR_channel(k) IN POLL?(pdu_1) AND POLL?(pdu_2) AND j < k IMPLIES mN_S(pdu_1) <= mN_S(pdu_2)) %-proved using POLL_inv1 POLL_inv0: LEMMA invariant(LAMBDA (s:State) : FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN POLL?(pdu) IMPLIES mN_S(pdu) >= s`VR_H) %-proved using VR_MR_GE_VR_H OLD_SD_inv3 : LEMMA invariant(LAMBDA (s:State) : FORALL (i:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)): vReXmitQueue(i)`Seq < s`VR_H) %-proved using VR_MR_GE_VR_H OLD_SD_inv2: LEMMA invariant(LAMBDA (s:State) : FORALL (j: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES mN_S(pdu) < s`VR_H) %-proved using VR_MR_GE_VR_H VR_H_GE_VR_R : LEMMA invariant(LAMBDA (s:State) : s`VR_H >= VR_R) %-proved using VR_MR_GE_VR_H USTAT_inv: LEMMA invariant(LAMBDA (s:State) : FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)) : let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < s`VR_H) %final goal for this theory %proved using POLL_inv0 OutOfDtr_unrerachable : LEMMA invariant(LAMBDA(s:State) : 
NOT s`pc = OutOfDtr) END sscop_POLL_receiver_invariants1 $$$sscop_POLL_receiver_invariants1.prf (|sscop_POLL_receiver_invariants1| (|init_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC10| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC11| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC12| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC13| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC14| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC15| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC16| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC17| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC18| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC19| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC20| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC21| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC22| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC23| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC24| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC25| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC26| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC27| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC28| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC29| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC30| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC31| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC32| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC33| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC34| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC35| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC36| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC37| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC38| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC39| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL) ("4" (GRIND) NIL NIL) ("5" (GRIND) NIL NIL) ("6" (GRIND) NIL NIL) ("7" (GRIND) NIL NIL) ("8" (GRIND) NIL NIL) ("9" (GRIND) NIL NIL) ("10" (GRIND) NIL NIL) ("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (VT_S_GE_VR_H "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "POLL_inv2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "POLL_inv2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`SR_receiver_index") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (NEW_SD_POLL_TCC1 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL_TCC2 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL_TCC3 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("i" "j")) (("2" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|NEW_SD_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) (("1" (LEMMA "NEW_SD_POLL") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "i" "r(n)`SR_receiver_index") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) (("11" (LEMMA "NEW_SD_POLL") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "i" "r(n)`SR_receiver_index") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL 
NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (VR_MR_GE_VR_H "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv5| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) (("11" (LEMMA "VR_MR_GE_VR_H") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|POLL_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("i" "j")) (("2" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|POLL_inv0| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) (("1" (LEMMA "POLL_inv1") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index" "i") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) (("11" (LEMMA "NEW_SD_POLL") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "i" "r(n)`SR_receiver_index") (("11" (GRIND) (("11" (LEMMA "POLL_inv1") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "r(n)`SR_receiver_index" "i") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) 
NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL) ("10" (INST - "i") NIL NIL) ("11" (INST - "i") (("11" (GRIND) (("11" (LEMMA "VR_MR_GE_VR_H") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) (("11" (LEMMA "VR_MR_GE_VR_H") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (VR_H_GE_VR_R "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("2" (LEMMA "VR_MR_GE_VR_H") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|USTAT_inv_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (BETA) (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GROUND) (("1" (INST - "l") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GROUND) (("2" (INST - "l") NIL NIL)) NIL)) NIL) ("3" (INST - "i") (("3" (GROUND) (("3" (INST - "l") NIL NIL)) NIL)) NIL) ("4" (INST - "i") (("4" (GROUND) (("4" (INST - "l") NIL NIL)) NIL)) NIL) ("5" (INST - "i") (("5" (GROUND) (("5" (INST - "l") NIL NIL)) NIL)) NIL) ("6" (INST - "i") (("6" (GROUND) (("6" (INST - "l") NIL NIL)) NIL)) NIL) ("7" (INST - "i") (("7" (GROUND) (("7" (INST - "l") NIL NIL)) NIL)) NIL) ("8" (INST - "i") (("8" (GROUND) (("8" (INST - "l") NIL NIL)) NIL)) NIL) ("9" (INST - "i") (("9" (GROUND) (("9" (INST - "l") NIL NIL)) NIL)) NIL) ("10" (INST - "i") (("10" (GROUND) (("10" (INST - "l") NIL NIL)) NIL)) NIL) ("11" (INST - "i") (("11" (GROUND) (("11" (INST - "l") (("11" (LEMMA "VR_MR_GE_VR_H") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OutOfDtr_unrerachable| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -2) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) (("2" (LEMMA "POLL_inv0") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`SR_receiver_index") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) $$$sscop_POLL_receiver_invariants2.pvs sscop_POLL_receiver_invariants2 : THEORY BEGIN IMPORTING sscop_POLL_receiver_invariants1 %inductive STAT_inv1_aux2 : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrPollSendList IMPLIES (s`vList`Length >0 AND s`vList`Data(s`vList`Length) = s`VR_H)) %inductive STAT_inv1_aux7 : LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrPollSkipArrived IMPLIES even?(s`vList`Length)) AND (s`pc = DtrPollScanMissing IMPLIES odd?(s`vList`Length))) %proved using STAT_inv1_aux7 STAT_inv1_aux6: LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing) IMPLIES FORALL (l:subrange(1,s`vList`Length)): (odd?(l) IMPLIES NOT vRecvBuffer`Arrived(s`vList`Data(l))) AND (even?(l) IMPLIES vRecvBuffer`Arrived(s`vList`Data(l)))) %proved even_odd1: LEMMA FORALL (l:nat) : odd?(l) OR even?(l) %proved evn_odd2: LEMMA FORALL (l:nat) : odd?(l) OR odd?(l+1) %proved evn_odd3: LEMMA FORALL (l:nat) : even?(l) OR even?(l+1) %proved using even_odd1,evn_odd2,evn_odd3,STAT_inv1_aux6 STAT_inv1_aux8: LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing) IMPLIES FORALL (l:subrange(1,s`vList`Length-1)): s`vList`Data(l) /= s`vList`Data(l+1)) %inductive STAT_inv1_aux5 : LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing) IMPLIES FORALL (l:posnat) : l <= s`vList`Length IMPLIES s`vList`Data(l) <= s`i) %proved using STAT_inv1_aux5 STAT_inv1_aux4: LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrPollSkipArrived 
OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSendList) IMPLIES
        FORALL (l,m:posnat) :
          l < s`vList`Length AND m <= s`vList`Length AND l < m IMPLIES
            s`vList`Data(l) <= s`vList`Data(m))

  % In DtrPollSkipArrived / DtrPollScanMissing, adjacent vList entries are
  % strictly increasing: non-decreasing by STAT_inv1_aux4, distinct by
  % STAT_inv1_aux8.
  %proved using STAT_inv1_aux8, STAT_inv1_aux4
  STAT_inv1_aux9: LEMMA
    invariant(LAMBDA(s:State) :
      (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing) IMPLIES
        FORALL (l:subrange(1,s`vList`Length-1)):
          s`vList`Data(l) < s`vList`Data(l+1))

  % In DtrPollSkipArrived / DtrPollScanMissing, every vList entry is below VR_H.
  %inductive
  STAT_inv1_aux11: LEMMA
    invariant(LAMBDA(s:State) :
      (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing) IMPLIES
        FORALL (l:subrange(1,s`vList`Length)):
          s`vList`Data(l) < s`VR_H)

  % The strict ordering of adjacent entries still holds in DtrPollSendList.
  %proved using STAT_inv1_aux11, STAT_inv1_aux9  (the proof script invokes both)
  STAT_inv1_aux10: LEMMA
    invariant(LAMBDA(s:State) :
      (s`pc = DtrPollSendList IMPLIES
        FORALL (l:subrange(1,s`vList`Length-1)):
          s`vList`Data(l) < s`vList`Data(l+1)))

  % Adjacent strict ordering lifted to arbitrary positions l < m.
  %proved using STAT_inv1_aux10, STAT_inv1_aux9
  STAT_inv1_aux1: LEMMA
    invariant(LAMBDA(s:State) :
      (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSendList) IMPLIES
        FORALL (l,m:posnat) :
          l < s`vList`Length AND m <= s`vList`Length AND l < m IMPLIES
            s`vList`Data(l) < s`vList`Data(m))

  % Well-formedness of every STAT in flight on the RS channel: read in pairs
  % (positions i+1, i+2 for even i), each pair is strictly increasing and its
  % upper element is at most VR_H. This is the receiver-side guarantee that
  % the sender's pairwise check on a received STAT list is relying on.
  % NOTE(review): it holds for STATs produced by this model's receiver and
  % carried by this model's channel. It is not a reason to drop the sender's
  % own validation of a received list: a malformed list from a faulty or
  % hostile peer is exactly what that check has to reject.
  %-proved using STAT_inv1_aux1, STAT_inv1_aux2, VR_MR_GE_VR_H
  STAT_inv1 : LEMMA
    invariant(LAMBDA(s:State) :
      FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)):
        LET pdu = s`RS_channel(k) IN
          STAT?(pdu) IMPLIES
            LET statlist = mList(pdu) IN
              statlist`Length >= 2 IMPLIES
                (FORALL (i: upto(statlist`Length - 2)):
                   even?(i) IMPLIES
                     LET elt1 = statlist`Data(i + 1),
                         elt2 = statlist`Data(i + 2) IN
                       elt1 < elt2 AND elt2 <= s`VR_H))

  % In DtrPollScanMissing with a non-empty list, nothing from the last list
  % entry up to (but excluding) the scan index s`i has arrived.
  %inductive
  retrans1_inv1_aux3_aux2: LEMMA
    invariant(LAMBDA (s: State):
      (s`pc = DtrPollScanMissing AND s`vList`Length > 0) IMPLIES
        (FORALL (m: subrange(s`vList`Data(s`vList`Length), s`i - 1)):
           NOT vRecvBuffer`Arrived(m)))

  % Each (odd, even) pair of vList brackets a run of not-yet-arrived PDUs.
  %proved using retrans1_inv1_aux3_aux2, STAT_inv1_aux7
  retrans1_inv1_aux3_aux1: LEMMA
    invariant(LAMBDA (s: State):
      (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSendList) IMPLIES
        (FORALL (l: nat): even?(l) AND l
<= s`vList`Length - 2 IMPLIES (FORALL (m: subrange(s`vList`Data(l + 1), s`vList`Data(l + 2) - 1)): NOT vRecvBuffer`Arrived(m)))) %-proved using retrans1_inv1_aux3_aux1 retrans_inv1_aux3: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT vRecvBuffer`Arrived(m) OR vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) END sscop_POLL_receiver_invariants2 $$$sscop_POLL_receiver_invariants2.prf (|sscop_POLL_receiver_invariants2| (|STAT_inv1_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux7| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -1) (("2" (GRIND) NIL NIL)) NIL) ("3" (SKOLEM + "n") (("3" (HIDE -2) (("3" (EXPAND "run_fragment") (("3" (INST - "n") (("3" (GRIND :IF-MATCH NIL) (("1" (INST + "0") (("1" (ASSERT) NIL NIL)) NIL) ("2" (INST + "j!1+1") (("2" (ASSERT) NIL NIL)) NIL) ("3" (INST + "0") (("3" (ASSERT) NIL NIL)) NIL) ("4" (INST + "0") (("4" (ASSERT) NIL NIL)) NIL) ("5" (INST + "0") (("5" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux6| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") (("1" (GROUND) NIL NIL)) NIL) ("2" (INST - "l") (("2" (GROUND) NIL NIL)) NIL) ("3" (LEMMA "STAT_inv1_aux7") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (GROUND) (("1" (HIDE-ALL-BUT (-1 -2)) (("1" (SKOLEM - "w") (("1" (SKOLEM - "v") (("1" (REPLACE -1) (("1" (HIDE -1) (("1" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM - "w") (("2" (REPLACE -1) (("2" (HIDE-ALL-BUT (-8)) (("2" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "l") (("1" (GROUND) NIL NIL) ("2" (LEMMA "STAT_inv1_aux7") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("1" (HIDE-ALL-BUT (-1 -2)) (("1" (SKOLEM - "w") (("1" (SKOLEM - "v") (("1" (REPLACE -1) (("1" (HIDE -1) (("1" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM - "w") (("2" (REPLACE -1) (("2" (HIDE-ALL-BUT (-4 -6 2)) (("2" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "l") (("5" (GROUND) NIL NIL)) NIL) ("6" (INST - "l") (("6" (GROUND) NIL NIL)) NIL) ("7" (INST - "l") (("7" (GROUND) NIL NIL)) NIL) ("8" (INST - "l") (("8" (GROUND) NIL NIL)) NIL) ("9" (INST - "l") (("9" (GROUND) NIL NIL)) NIL) ("10" (INST - "l") (("10" (GROUND) NIL NIL)) NIL) ("11" (INST - "l") (("11" (GROUND) NIL NIL)) NIL) ("12" (LEMMA "STAT_inv1_aux7") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (GROUND) (("1" (HIDE-ALL-BUT (-1 -2)) (("1" (SKOLEM - "v") (("1" (SKOLEM - "w") (("1" (REPLACE -1) (("1" (HIDE -1) (("1" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM - "w") (("2" (REPLACE -1) (("2" (HIDE-ALL-BUT -7) (("2" (ASSERT :FLUSH? 
T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "l") (("1" (GROUND) NIL NIL) ("2" (LEMMA "STAT_inv1_aux7") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("1" (HIDE-ALL-BUT (-1 -2)) (("1" (SKOLEM - "w") (("1" (SKOLEM - "v") (("1" (REPLACE -1) (("1" (HIDE -1) (("1" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM - "w") (("2" (REPLACE -1) (("2" (HIDE-ALL-BUT (-4 -6 2)) (("2" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "l") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|even_odd1| "" (INDUCT "l") (("1" (GRIND) NIL NIL) ("2" (SKOLEM + "l") (("2" (GROUND) (("1" (HIDE 1) (("1" (EXPAND* "odd?" "even?") (("1" (SKOLEM - "j") (("1" (INST + "j+1") (("1" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (EXPAND* "odd?" "even?") NIL NIL)) NIL)) NIL)) NIL)) NIL) (|evn_odd2| "" (INDUCT "l") (("1" (GROUND) NIL NIL) ("2" (SKOLEM + "j") (("2" (GROUND) (("2" (EXPAND* "odd?" "even?") (("2" (HIDE 1) (("2" (SKOLEM - "q") (("2" (INST + "q+1") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|evn_odd3| "" (INDUCT "l") (("1" (GROUND) NIL NIL) ("2" (SKOLEM + "j") (("2" (GROUND) (("2" (HIDE 1) (("2" (EXPAND* "odd?" 
"even?") (("2" (SKOLEM - "q") (("2" (INST + "q+1") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux8_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1_aux8_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1_aux8| "" (EXPAND "invariant") (("" (LEMMA "STAT_inv1_aux6") (("" (EXPAND "invariant") (("" (SKOLEM + ("r" "n")) (("" (INST - "r" "n") (("" (GROUND) (("1" (SKOLEM + "l") (("1" (TYPEPRED "l") (("1" (INST-CP - "l") (("1" (INST-CP - "l+1") (("1" (HIDE -4) (("1" (GROUND) (("1" (HIDE-ALL-BUT (1 3)) (("1" (LEMMA "evn_odd3") (("1" (GRIND) NIL NIL)) NIL)) NIL) ("2" (HIDE-ALL-BUT (1 2)) (("2" (LEMMA "even_odd1") (("2" (GRIND) NIL NIL)) NIL)) NIL) ("3" (HIDE-ALL-BUT (1 2)) (("3" (LEMMA "evn_odd2") (("3" (GRIND) NIL NIL)) NIL)) NIL) ("4" (HIDE-ALL-BUT (1 2)) (("4" (LEMMA "even_odd1") (("4" (GRIND) NIL NIL)) NIL)) NIL) ("5" (HIDE-ALL-BUT (1 3)) (("5" (LEMMA "evn_odd3") (("5" (GRIND) NIL NIL)) NIL)) NIL) ("6" (HIDE-ALL-BUT (2 3)) (("6" (LEMMA "even_odd1") (("6" (GRIND) NIL NIL)) NIL)) NIL) ("7" (HIDE-ALL-BUT (1 2)) (("7" (LEMMA "even_odd1") (("7" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (INST-CP - "l+1") (("2" (INST-CP - "l") (("2" (HIDE -4) (("2" (GROUND) (("1" (HIDE-ALL-BUT (1 3)) (("1" (LEMMA "evn_odd3") (("1" (INST - "l") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("2" (HIDE-ALL-BUT (1 2)) (("2" (LEMMA "even_odd1") (("2" (GRIND) NIL NIL)) NIL)) NIL) ("3" (HIDE-ALL-BUT (1 2)) (("3" (LEMMA "evn_odd2") (("3" (GRIND) NIL NIL)) NIL)) NIL) ("4" (HIDE-ALL-BUT (1 2)) (("4" (LEMMA "even_odd1") (("4" (GRIND) NIL NIL)) NIL)) NIL) ("5" (HIDE-ALL-BUT (3 4)) (("5" (LEMMA "even_odd1") (("5" (GRIND) NIL NIL)) NIL)) NIL) ("6" (HIDE-ALL-BUT (3 2)) (("6" (LEMMA "even_odd1") (("6" (GRIND) NIL NIL)) NIL)) NIL) ("7" (HIDE-ALL-BUT (3 4)) (("7" (LEMMA "even_odd1") (("7" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux5| "" (LEMMA 
"invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "l") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "l") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "l") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "l") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "l") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux4| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("l" "m")) (("2" (TYPEPRED ("l" "m")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l" "m") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "l" "m") (("2" (GRIND) NIL NIL)) NIL) ("3" (LEMMA "STAT_inv1_aux5") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (GROUND) (("3" (INST - "l") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "l" "m") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "l" "m") (("5" (GRIND) NIL NIL)) NIL) ("6" (LEMMA "STAT_inv1_aux5") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (GROUND) (("6" (INST - "l") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "l" "m") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "l" "m") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "l" "m") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "STAT_inv1_aux5") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (GROUND) (("10" (INST - "l") (("10" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "l" "m") (("11" (GRIND) 
NIL NIL)) NIL) ("12" (LEMMA "STAT_inv1_aux5") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (GROUND) (("12" (INST - "l") (("12" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "l" "m") (("13" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux9| "" (LEMMA "STAT_inv1_aux4") (("" (LEMMA "STAT_inv1_aux8") (("" (EXPAND "invariant") (("" (SKOLEM + ("r" "n")) (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (GROUND) (("1" (SKOLEM + "l") (("1" (INST - "l") (("1" (INST - "l" "l+1") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM + "l") (("2" (INST - "l") (("2" (INST - "l" "l+1") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux11| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") NIL NIL) ("2" (INST - "l") NIL NIL) ("3" (INST - "l") NIL NIL) ("4" (INST - "l") NIL NIL) ("5" (INST - "l") NIL NIL) ("6" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux10_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1_aux10_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1_aux10| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "STAT_inv1_aux9") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (GROUND) (("1" (INST - "l") NIL NIL) ("2" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "STAT_inv1_aux11") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (GROUND) (("2" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "l") NIL NIL) ("4" (LEMMA "STAT_inv1_aux11") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "l") NIL NIL) ("6" (LEMMA "STAT_inv1_aux11") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (GROUND) (("6" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("7" (LEMMA "STAT_inv1_aux9") (("7" (EXPAND "invariant") (("7" (INST - "r" "n") (("7" (GROUND) (("7" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("8" (LEMMA "STAT_inv1_aux11") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (GROUND) (("8" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("9" (LEMMA "STAT_inv1_aux9") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (GROUND) (("9" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_aux1| "" (LEMMA "STAT_inv1_aux10") (("" (LEMMA "STAT_inv1_aux9") (("" (EXPAND "invariant") (("" (SKOLEM + ("r" "n")) (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (CASE "(r(n)`pc = DtrPollSkipArrived OR r(n)`pc = DtrPollScanMissing OR r(n)`pc = DtrPollSendList) IMPLIES (FORALL (l: subrange(1, r(n)`vList`Length - 1)): r(n)`vList`Data(l) < r(n)`vList`Data(1 + l))") (("1" (HIDE -2 -3) (("1" (FLATTEN) (("1" (NAME "c" "r(n)`pc = DtrPollSkipArrived OR 
r(n)`pc = DtrPollScanMissing OR r(n)`pc = DtrPollSendList") (("1" (REPLACE -1 (-2 -3)) (("1" (HIDE -1) (("1" (GROUND) (("1" (HIDE -2) (("1" (SKOLEM + ("l" "_")) (("1" (INDUCT "m") (("1" (TYPEPRED "m!1") (("1" (PROPAX) NIL NIL)) NIL) ("2" (GROUND) NIL NIL) ("3" (SKOLEM + "j") (("3" (GROUND) (("1" (INST - "j") (("1" (ASSERT) NIL NIL)) NIL) ("2" (INST - "j") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GROUND) (("1" (INST - "i!1") (("1" (GROUND) (("1" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GROUND) (("2" (INST - "i!1") (("2" (GROUND) (("2" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "k") (("3" (GROUND) (("3" (INST - "i!1") (("3" (GROUND) (("3" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (REPLACE -8 (-3 1) RL) (("4" (LEMMA "STAT_inv1_aux2") (("4" (LEMMA "STAT_inv1_aux1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "2+i!1" "r(n)`vList`Length") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GROUND) (("5" (INST - "i!1") (("5" (GROUND) (("5" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (INST - "k") (("6" (GROUND) (("6" (INST - "i!1") (("6" (GROUND) (("6" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "k") (("7" (GROUND) (("7" (INST - "i!1") (("7" (GROUND) (("7" (INST + 
"j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("8" (INST - "k") (("8" (GROUND) (("8" (INST - "i!1") (("8" (GROUND) (("8" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "k") (("9" (GROUND) (("9" (INST - "i!1") (("9" (GROUND) (("9" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("10" (INST - "k") (("10" (GROUND) (("10" (INST - "i!1") (("10" (GROUND) (("10" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "k") (("11" (GROUND) (("11" (INST - "i!1") (("11" (GROUND) (("11" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "k") (("12" (GROUND) (("12" (INST - "i!1") (("12" (GROUND) (("1" (LEMMA "VR_MR_GE_VR_H") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "k") (("13" (GROUND) (("13" (INST - "i!1") (("13" (GROUND) (("13" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "k") (("14" (GROUND) (("14" (INST - "i!1") (("14" (GROUND) (("14" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "k") (("15" (GROUND) (("15" (INST - "i!1") (("15" (GROUND) (("15" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("16" (REPLACE -8 (-3 1) RL) (("16" (LEMMA "STAT_inv1_aux1") (("16" (EXPAND "invariant") (("16" (INST - "r" "n") (("16" (GROUND) (("16" (INST - "1 + i!1" "2 + i!1") (("16" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("17" (INST - "k") (("17" (GROUND) (("17" (INST - "i!1") (("17" (GROUND) (("17" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("18" (INST - "k") (("18" (GROUND) (("18" (INST - "i!1") (("18" (GROUND) (("18" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("19" (INST - "k") (("19" (GROUND) (("19" (INST - "i!1") (("19" (GROUND) (("19" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("20" (INST - "k") (("20" (GROUND) (("20" (INST - "i!1") (("20" (GROUND) (("20" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("21" (INST - "k") (("21" (GROUND) (("21" (INST - "i!1") (("21" (GROUND) (("21" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("22" (INST - "k") 
(("22" (GROUND) (("22" (INST - "i!1") (("22" (GROUND) (("22" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("23" (INST - "k") (("23" (GROUND) (("23" (INST - "i!1") (("23" (GROUND) (("23" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("24" (INST - "k") (("24" (GROUND) (("24" (INST - "i!1") (("24" (GROUND) (("24" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans1_inv1_aux3_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans1_inv1_aux3_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "m!1") NIL NIL) ("2" (INST - "m!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans1_inv1_aux3_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans1_inv1_aux3_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") (("1" (GROUND) (("1" (INST - "m!1") NIL NIL)) NIL)) NIL) ("2" (INST - "l") (("2" (GROUND) (("2" (INST - "m!1") NIL NIL)) NIL)) NIL) ("3" (REPLACE -8 (-1 -2 -5 -9 -15) RL) (("3" (LEMMA "retrans1_inv1_aux3_aux2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (GROUND) (("3" (INST - "m!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "l") (("4" (GROUND) (("4" (INST - "m!1") NIL NIL)) NIL)) NIL) ("5" (INST - "l") (("5" (GROUND) (("5" (INST - "m!1") NIL NIL)) NIL)) NIL) ("6" (REPLACE -8 (-1 -2 -5 -9 -14) RL) (("6" (LEMMA "STAT_inv1_aux7") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (GROUND) (("1" (HIDE-ALL-BUT (-1 -2)) (("1" (EXPAND "odd?") (("1" (SKOLEM - "v") (("1" (SKOLEM - "w") (("1" (REPLACE -1) (("1" (HIDE -1) (("1" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM - "w") (("2" (REPLACE -1) (("2" (HIDE-ALL-BUT (-3 -9)) (("2" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "l") (("7" (GROUND) (("7" (INST - "m!1") NIL NIL)) NIL)) NIL) ("8" (INST - "l") (("8" (GROUND) (("8" (INST - "m!1") NIL NIL)) NIL)) NIL) ("9" (INST - "l") (("9" (GROUND) (("9" (INST - "m!1") NIL NIL)) NIL)) NIL) ("10" (LEMMA "STAT_inv1_aux7") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (GROUND) (("1" (EXPAND "odd?") (("1" (HIDE-ALL-BUT (-1 -2)) (("1" (SKOLEM - "w") (("1" (SKOLEM - "v") (("1" (REPLACE -1) (("1" (HIDE -1) (("1" (ASSERT :FLUSH? T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM - "w") (("2" (REPLACE -1) (("2" (HIDE-ALL-BUT (-3)) (("2" (ASSERT :FLUSH? 
T) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "l") (("11" (GROUND) (("11" (INST - "m!1") NIL NIL)) NIL)) NIL) ("12" (LEMMA "retrans1_inv1_aux3_aux2") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (GROUND) (("12" (INST - "m!1") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "l") (("13" (GROUND) (("13" (INST - "m!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (BETA) (("2" (GROUND) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GROUND) (("2" (SKOLEM + "m") (("2" (TYPEPRED "m") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GROUND) (("1" (INST - "l") (("1" (GROUND) (("1" (INST - "m") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GROUND) (("2" (INST - "l") (("2" (GROUND) (("2" (INST - "m") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "k") (("3" (GROUND) (("3" (INST - "l") (("3" (GROUND) (("3" (INST - "m") (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (REPLACE -10 (-3 -4 -5) RL) (("4" (LEMMA "retrans1_inv1_aux3_aux1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "l") (("4" (GROUND) (("4" (INST - "m") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GROUND) (("5" (INST - "l") (("5" (GROUND) (("5" (INST - "m") (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (INST - "k") (("6" (GROUND) (("6" (INST - "l") (("6" (GROUND) (("6" 
(INST - "m") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "k") (("7" (GROUND) (("7" (INST - "l") (("7" (GROUND) (("7" (INST - "m") (("7" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("8" (INST - "k") (("8" (GROUND) (("8" (INST - "l") (("8" (GROUND) (("8" (INST - "m") (("8" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "k") (("9" (GROUND) (("9" (INST - "l") (("9" (GROUND) (("9" (INST - "m") (("9" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("10" (INST - "k") (("10" (GROUND) (("10" (INST - "l") (("10" (GROUND) (("10" (INST - "m") (("10" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "k") (("11" (GROUND) (("11" (INST - "l") (("11" (GROUND) (("11" (INST - "m") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "k") (("12" (GROUND) (("12" (INST - "l") (("12" (GROUND) (("12" (INST - "m") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_POLL_receiver_invariants3.pvs sscop_POLL_receiver_invariants3: THEORY BEGIN IMPORTING sscop_POLL_receiver_invariants2 %-inductive STAT_inv2_aux3_aux1: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index-1)): let ustat = s`RS_channel(k) IN USTAT?(ustat) IMPLIES mN_R(ustat) <= VR_R) %-proved using STAT_inv2_aux3_aux1 STAT_inv2_aux3 : LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND l < k IMPLIES mN_R(ustat) <= mN_R(stat)) %-inductive VT_A_LEQ_VR_R_aux: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES mN_R(pdu) <= VR_R) %-proved 
using VT_A_LEQ_VR_R_aux STAT_inv2_aux: LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu1 = s`RS_channel(l), pdu2 = s`RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_R(pdu1) <= mN_R(pdu2)) %-inductive STAT_inv2_aux2_aux4: LEMMA invariant(LAMBDA(s:State): FORALL (j,k: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll1 = SR_channel(j), poll2 = SR_channel(k) IN POLL?(poll1) AND POLL?(poll2) AND j < k IMPLIES mN_PS(poll1) <= mN_PS(poll2)) %proved using STAT_inv2_aux2_aux4 STAT_inv2_aux2_aux3: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSendList) IMPLIES (FORALL (k: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(k) IN POLL?(poll) IMPLIES s`vN_PS <= mN_PS(poll))) %-proved using STAT_inv2_aux2_aux3 STAT_inv2_aux2_aux2: LEMMA invariant(LAMBDA (s: State): FORALL (j: subrange(s`SR_receiver_index, SR_sender_index-1), k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET poll = SR_channel(j), stat = s`RS_channel(k) IN POLL?(poll) AND STAT?(stat) IMPLIES mN_PS(poll) >= mN_PS(stat)) %proved using STAT_inv2_aux2_aux2 STAT_inv2_aux2_aux1: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSendList) IMPLIES (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET stat = s`RS_channel(k) IN STAT?(stat) IMPLIES s`vN_PS >= mN_PS(stat))) %-proved using STAT_inv2_aux2_aux1 STAT_inv2_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu1 = s`RS_channel(l), pdu2 = s`RS_channel(k) IN STAT?(pdu1) AND STAT?(pdu2) AND l < k IMPLIES mN_PS(pdu1) <= mN_PS(pdu2)) %-inductive STAT_inv2_aux5_aux2: LEMMA invariant(LAMBDA (s: State): FORALL (k: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(k) IN POLL?(poll) IMPLIES VT_PS >= mN_PS(poll)) %proved using 
STAT_inv2_aux5_aux2 STAT_inv2_aux5_aux1: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSendList) IMPLIES s`vN_PS <= VT_PS) %-proved using STAT_inv2_aux5_aux1 STAT_inv2_aux5 : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET stat = s`RS_channel(k) IN STAT?(stat) IMPLIES VT_PS >= mN_PS(stat)) %-inductive OLD_SD_inv5_aux4_aux2 : LEMMA invariant(LAMBDA(s:State) : FORALL (l,k: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET old_sd = SR_channel(l), poll = SR_channel(k) IN OLD_SD?(old_sd) AND POLL?(poll) AND l > k IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(poll)) %proved using OLD_SD_inv5_aux4_aux2 OLD_SD_inv5_aux4_aux1: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrPollSkipArrived OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSendList) IMPLIES (FORALL (l: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET old_sd = SR_channel(l) IN OLD_SD?(old_sd) IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= s`vN_PS)) %-proved using OLD_SD_inv5_aux4_aux1 OLD_SD_inv5_aux4 : LEMMA invariant(LAMBDA(s:State) : FORALL (l: subrange(s`SR_receiver_index, SR_sender_index - 1), k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET old_sd = SR_channel(l), stat = s`RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat)) %-inductive OLD_SD_inv1_aux_aux2 : LEMMA invariant(LAMBDA(s:State) : FORALL (k, l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET ustat = s`RS_channel(k), stat = s`RS_channel(l) IN USTAT?(ustat) AND STAT?(stat) AND k > l IMPLIES (FORALL (m: nat): even?(m) AND m <= mList(stat)`Length-2 IMPLIES mList(stat)`Data(2 + m) <= mList(ustat)`Data(1))) %-inductive STAT_inv2_aux1: LEMMA invariant(LAMBDA(s:State) : VT_A <= VR_R) %proved using STAT_inv2_aux1 STAT_inv2_aux2_aux6: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = 
s`RS_channel(k) IN STAT?(pdu) IMPLIES VT_A <= mN_R(pdu)) %-inductive STAT_inv2_aux2_aux9 : LEMMA invariant(LAMBDA(s:State): FORALL (k: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(k) IN POLL?(poll) IMPLIES VT_PA <= mN_PS(poll)) %proved using STAT_inv2_aux2_aux9 STAT_inv2_aux2_aux8: LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrPollSendList OR s`pc = DtrPollScanMissing OR s`pc = DtrPollSkipArrived) IMPLIES VT_PA <= s`vN_PS) %proved using STAT_inv2_aux2_aux8 STAT_inv2_aux2_aux7: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES VT_PA <= mN_PS(pdu)) %-proved using VT_S_GE_VR_H, VR_H_GE_VR_R, %STAT_inv2_aux2_aux6,STAT_inv2_aux5_aux1, %STAT_inv2_aux2_aux7,STAT_inv2_aux2_aux8 STAT_inv2 : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES (VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= VT_PS AND VT_A <= mN_R(pdu) AND mN_R(pdu) <= VT_S)) %-inductive xMitBuffer_inv2_aux : LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND k < l IMPLIES mN_R(stat) <= mN_R(ustat)) END sscop_POLL_receiver_invariants3 $$$sscop_POLL_receiver_invariants3.prf (|sscop_POLL_receiver_invariants3| (|STAT_inv2_aux3_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_aux1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (INST - "k") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1" "l!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1" "l!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1" "l!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "STAT_inv2_aux3_aux1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "l!1") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "k!1" "l!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1" "l!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1" "l!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1" "l!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k!1" "l!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k!1" "l!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1" "l!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k!1" "l!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) 
NIL)) NIL)) NIL) (|VT_A_LEQ_VR_R_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|VT_A_LEQ_VR_R_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1" "l!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1" "l!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1" "l!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (GRIND) (("4" (LEMMA "VT_A_LEQ_VR_R_aux") (("4" (GRIND) NIL NIL)) NIL)) NIL) ("5" (INST - "k!1" "l!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1" "l!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1" "l!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1" "l!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k!1" "l!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k!1" "l!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1" "l!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k!1" "l!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux4_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux4_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux4_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux4| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("j" "k")) (("2" (INST - "j" "k") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "STAT_inv2_aux2_aux4") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index" "k") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "STAT_inv2_aux2_aux4") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`SR_receiver_index" "k") (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (INST - "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "STAT_inv2_aux2_aux4") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "r(n)`SR_receiver_index" "k") (("12" 
(GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (LEMMA "STAT_inv2_aux2_aux4") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "r(n)`SR_receiver_index" "k") (("13" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux2_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("j" "k")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j" "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j" "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j" "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "STAT_inv2_aux2_aux3") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "j") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "j" "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j" "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j" "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j" "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "j" "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "j" "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "j" "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "j" "k") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) 
(|STAT_inv2_aux2_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "STAT_inv2_aux2_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index" "k!1") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL) ("4" (GRIND) NIL NIL) ("5" (LEMMA "STAT_inv2_aux2_aux2") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`SR_receiver_index" "k!1") (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (GRIND) NIL NIL) ("7" (GRIND) NIL NIL) ("8" (GRIND) NIL NIL) ("9" (GRIND) NIL NIL) ("10" (GRIND) NIL NIL) ("11" (GRIND) NIL NIL) ("12" (LEMMA "STAT_inv2_aux2_aux2") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "r(n)`SR_receiver_index" "k!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (LEMMA "STAT_inv2_aux2_aux2") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "r(n)`SR_receiver_index" "k!1") (("13" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1" "l!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1" "l!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1" "l!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (GRIND) (("4" (LEMMA "STAT_inv2_aux2_aux1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "l!1") (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "k!1" "l!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1" "l!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1" "l!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1" "l!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k!1" "l!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k!1" "l!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1" "l!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k!1" "l!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux5_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux5_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux5_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux5_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "STAT_inv2_aux5_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "STAT_inv2_aux5_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`SR_receiver_index") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "STAT_inv2_aux5_aux2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index") (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "STAT_inv2_aux5_aux2") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "r(n)`SR_receiver_index") (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux5_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux5| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "STAT_inv2_aux5_aux1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux4_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + ("k" "l")) (("2" (INST - "k" "l") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux4_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l!1") (("1" (LEMMA "OLD_SD_inv5_aux4_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "l!1" "r(n)`SR_receiver_index") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "l!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "l!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "l!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "OLD_SD_inv5_aux4_aux2") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "l!1" "r(n)`SR_receiver_index") (("5" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (INST - "l!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "l!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "l!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "l!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "l!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "l!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "OLD_SD_inv5_aux4_aux2") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "l!1" 
"r(n)`SR_receiver_index") (("12" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (LEMMA "OLD_SD_inv5_aux4_aux2") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "l!1" "r(n)`SR_receiver_index") (("13" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l!1" "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "l!1" "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "l!1" "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "OLD_SD_inv5_aux4_aux1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GROUND) (("4" (INST - "l!1") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "l!1" "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "l!1" "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "l!1" "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "l!1" "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "l!1" "k!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "l!1" "k!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "l!1" "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "l!1" "k!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_aux_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1_aux_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1" "l!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1" "l!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1" "l!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k!1" "l!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k!1" "l!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1" "l!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1" "l!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1" "l!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k!1" "l!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k!1" "l!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1" "l!1") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL) ("6" (HIDE 2) (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux6| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (HIDE -3) (("1" (HIDE-ALL-BUT (-27 1)) (("1" (SKOSIMP*) (("1" (INST - "k!1") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (INST - "k") (("1" (GRIND) (("1" (LEMMA "STAT_inv2_aux1") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA "STAT_inv2_aux1") (("2" (GRIND) NIL NIL)) NIL)) NIL) ("2" (GRIND) (("2" (LEMMA "STAT_inv2_aux1") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux9| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux8| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "STAT_inv2_aux2_aux9") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "STAT_inv2_aux2_aux9") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`SR_receiver_index") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "STAT_inv2_aux2_aux9") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "STAT_inv2_aux2_aux9") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "r(n)`SR_receiver_index") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux7| "" (LEMMA "invariant_rule") (("" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (HIDE -1) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (HIDE-ALL-BUT (-28 1)) (("1" (SKOLEM 1 "k") (("1" (INST - "k") (("1" (BETA) (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "STAT_inv2_aux2_aux8") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "VT_S_GE_VR_H") (("4" (LEMMA "VR_H_GE_VR_R") (("4" (GRIND) NIL NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k") (("12" (GRIND) NIL NIL)) NIL) ("13" (GRIND) NIL NIL) ("14" (LEMMA "STAT_inv2_aux2_aux6") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "k") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (LEMMA "STAT_inv2_aux2_aux6") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (INST - "k") (("15" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("16" (LEMMA "STAT_inv2_aux1") (("16" (GRIND) NIL NIL)) NIL) ("17" (LEMMA "STAT_inv2_aux2_aux6") (("17" (EXPAND "invariant") (("17" (INST - "r" "n") (("17" (INST - "k") (("17" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("18" (LEMMA "STAT_inv2_aux2_aux6") (("18" (EXPAND "invariant") (("18" (INST - "r" "n") (("18" (INST - "k") (("18" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("19" (LEMMA "STAT_inv2_aux2_aux6") (("19" (EXPAND "invariant") (("19" (INST - "r" "n") (("19" (INST - "k") (("19" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("20" (LEMMA "STAT_inv2_aux2_aux6") (("20" (EXPAND "invariant") (("20" (INST - "r" "n") (("20" (INST - "k") (("20" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("21" (LEMMA 
"STAT_inv2_aux2_aux6") (("21" (EXPAND "invariant") (("21" (INST - "r" "n") (("21" (INST - "k") (("21" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("22" (LEMMA "STAT_inv2_aux2_aux6") (("22" (EXPAND "invariant") (("22" (INST - "r" "n") (("22" (INST - "k") (("22" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("23" (LEMMA "STAT_inv2_aux2_aux6") (("23" (EXPAND "invariant") (("23" (INST - "r" "n") (("23" (INST - "k") (("23" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("24" (LEMMA "STAT_inv2_aux2_aux6") (("24" (EXPAND "invariant") (("24" (INST - "r" "n") (("24" (INST - "k") (("24" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("25" (INST - "k") (("25" (GRIND) NIL NIL)) NIL) ("26" (INST - "k") (("26" (GRIND) NIL NIL)) NIL) ("27" (INST - "k") (("27" (GRIND) NIL NIL)) NIL) ("28" (LEMMA "STAT_inv2_aux5_aux1") (("28" (EXPAND "invariant") (("28" (INST - "r" "n") (("28" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("29" (INST - "k") (("29" (GRIND) NIL NIL)) NIL) ("30" (INST - "k") (("30" (GRIND) NIL NIL)) NIL) ("31" (INST - "k") (("31" (GRIND) NIL NIL)) NIL) ("32" (INST - "k") (("32" (GRIND) NIL NIL)) NIL) ("33" (INST - "k") (("33" (GRIND) NIL NIL)) NIL) ("34" (INST - "k") (("34" (GRIND) NIL NIL)) NIL) ("35" (INST - "k") (("35" (GRIND) NIL NIL)) NIL) ("36" (INST - "k") (("36" (GRIND) NIL NIL)) NIL) ("37" (LEMMA "STAT_inv2_aux2_aux7") (("37" (EXPAND "invariant") (("37" (INST - "r" "n") (("37" (INST - "k") (("37" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("38" (LEMMA "STAT_inv2_aux2_aux7") (("38" (EXPAND "invariant") (("38" (INST - "r" "n") (("38" (INST - "k") (("38" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("39" (LEMMA "STAT_inv2_aux2_aux7") (("39" (EXPAND "invariant") (("39" (INST - "r" "n") (("39" (INST - "k") (("39" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("40" (LEMMA "STAT_inv2_aux2_aux8") (("40" (EXPAND "invariant") (("40" (INST - "r" "n") (("40" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("41" (LEMMA "STAT_inv2_aux2_aux7") (("41" (EXPAND "invariant") (("41" (INST - "r" "n") (("41" (INST - "k") 
(("41" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("42" (LEMMA "STAT_inv2_aux2_aux7") (("42" (EXPAND "invariant") (("42" (INST - "r" "n") (("42" (INST - "k") (("42" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("43" (LEMMA "STAT_inv2_aux2_aux7") (("43" (EXPAND "invariant") (("43" (INST - "r" "n") (("43" (INST - "k") (("43" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("44" (LEMMA "STAT_inv2_aux2_aux7") (("44" (EXPAND "invariant") (("44" (INST - "r" "n") (("44" (INST - "k") (("44" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("45" (LEMMA "STAT_inv2_aux2_aux7") (("45" (EXPAND "invariant") (("45" (INST - "r" "n") (("45" (INST - "k") (("45" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("46" (LEMMA "STAT_inv2_aux2_aux7") (("46" (EXPAND "invariant") (("46" (INST - "r" "n") (("46" (INST - "k") (("46" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("47" (LEMMA "STAT_inv2_aux2_aux7") (("47" (EXPAND "invariant") (("47" (INST - "r" "n") (("47" (INST - "k") (("47" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("48" (LEMMA "STAT_inv2_aux2_aux7") (("48" (EXPAND "invariant") (("48" (INST - "r" "n") (("48" (INST - "k") (("48" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL) ("6" (HIDE 2) (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|xMitBuffer_inv2_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + ("k" "l")) (("2" (TYPEPRED ("k" "l")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k" "l") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k" "l") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k" "l") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k" "l") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k" "l") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k" "l") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k" "l") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k" "l") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k" "l") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k" "l") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k" "l") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_USTAT_receiver.pvs sscop_USTAT_receiver: THEORY BEGIN IMPORTING sscop_datatypes control: TYPE = {DataTransferReady, DtrUstatTestAckInRange, DtrUstatTestIndicesAndBuffer, DtrUstatSequenceTest,OutOfDtr} State : TYPE = [# pc: control, VT_A: nat, %lower bound of sender's window VT_MS:nat, %upper bound of sender's window vReXmitQueue: QueueDataType, %retransmission queue vReXmitQueue_PtrIn : nat, %retransmission queue input index RS_sender_index: nat, %index in RS channel seq1:nat, %for internal computation seq2:nat, vN_R: nat, vN_MR:nat, vList : ListType #] %parameters VT_S:nat % sender's next message to send VR_H: nat%highest SD seq number the SD receiver knows about VR_R : nat %low bound of receiver's window vXmitBuffer:SendBufferType % sender's window vReXmitQueue_PtrOut:nat% sender 
retransmission queue out index RS_channel : [nat->(RS?)] %receiver-sender channel RS_receiver_index: nat % receiver's index in RS channel SR_channel : [nat->(SR?)]%sender-receiver channel SR_receiver_index: nat%receiver's index in SR channel SR_sender_index : nat %sender's index in SR channel vRecvBuffer : RecvBufferType %receiver's buffer VT_PA : nat VT_PS:nat receiver_Control: TYPE = {DtrRecvTestSeq,Idle} receiver_pc: receiver_Control vN_S : nat trans(s:State,a:Action,s_:State) : bool = %pick a USTAT PDU, memorize its fields s`pc = DataTransferReady AND s`RS_sender_index < RS_receiver_index AND a = RS_channel(s`RS_sender_index) AND USTAT?(a) AND s_ = s WITH [`pc := DtrUstatTestAckInRange, `RS_sender_index := s`RS_sender_index+1, `vN_R := mN_R(a), `vN_MR := mN_MR(a), `vList := mList(a)] OR %simluates loss of a USTAT PDU s`RS_sender_index < RS_receiver_index AND a = RS_channel(s`RS_sender_index) AND USTAT?(a) AND s_ = s WITH [`RS_sender_index := s`RS_sender_index+1] OR %checking some field values of the memorized PDU: they are OK, proceed s`pc = DtrUstatTestAckInRange AND s`VT_A <= s`vN_R AND s`vN_R < VT_S AND tau?(a) AND s_ = s WITH[`pc := DtrUstatTestIndicesAndBuffer, `VT_A := s`vN_R, `VT_MS := s`vN_MR, `seq1 := s`vList`Data(1), `seq2 := s`vList`Data(2)] OR %the fields values are not OK : go to OutOfDtr location %(will prove unreachable) s`pc = DtrUstatTestAckInRange AND NOT (s`VT_A <= s`vN_R AND s`vN_R < VT_S) AND tau?(a) AND s_ = s WITH[`pc := OutOfDtr] OR s`pc = DtrUstatTestIndicesAndBuffer AND s`VT_A <= s`seq1 AND s`seq1 < s`seq2 AND s`seq2 < VT_S AND vXmitBuffer`Data(s`seq1)`Seq = s`seq1 and tau?(a) AND s_ = s WITH[`pc := DtrUstatSequenceTest, `vReXmitQueue(s`vReXmitQueue_PtrIn)`Payload := vXmitBuffer`Data(s`seq1)`Payload, `vReXmitQueue(s`vReXmitQueue_PtrIn)`Seq := vXmitBuffer`Data(s`seq1)`Seq, `vReXmitQueue_PtrIn := s`vReXmitQueue_PtrIn+1, `seq1 := s`seq1 +1] OR s`pc = DtrUstatTestIndicesAndBuffer AND NOT (s`VT_A <= s`seq1 AND s`seq1 < s`seq2 AND s`seq2 < 
VT_S AND vXmitBuffer`Data(s`seq1)`Seq = s`seq1) and tau?(a) AND s_ = s WITH[`pc := OutOfDtr] OR s`pc = DtrUstatSequenceTest AND NOT (s`seq1 = s`seq2) AND tau?(a) AND s_ = s WITH[`pc := DtrUstatTestIndicesAndBuffer] OR s`pc = DtrUstatSequenceTest AND s`seq1 = s`seq2 AND MAA_ERROR_WITH_COUNT?(a) AND mCount(a) = s`vList`Data(1) - s`vList`Data(2) AND s_ = s WITH[`pc := DataTransferReady] END sscop_USTAT_receiver $$$sscop_USTAT_receiver.prf (|sscop_USTAT_receiver| (|RS_channel_TCC1| "" (INST + "LAMBDA (n:nat) : USTAT(0,0,(#Length:= 0, Data := LAMBDA(w:nat) : 0#))") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL) (|SR_channel_TCC1| "" (INST 1 "LAMBDA(x:nat) : NEW_SD(0,choose({d:Data_Type|TRUE}))") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL) (|trans_TCC1| "" (SUBTYPE-TCC) NIL NIL)) $$$sscop_USTAT_receiver_invariants1.pvs sscop_USTAT_receiver_invariants1: THEORY BEGIN IMPORTING sscop_USTAT_receiver init(s:State) : bool = s`pc = DataTransferReady AND %-xMitBuffer_inv1, %*sscop_SD_sender_invariants1.xMitBuffer_inv1, %sscop_SD_receiver_invariants2.USTAT_inv3_aux1, %sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux3 (FORALL (i:below(VT_S)): vXmitBuffer`Data(i)`Seq = i) AND %*-xMitBuffer_inv2, %*sscop_SD_sender_invariants1.USTAT_inv1, %*sscop_SD_receiver_invariants2.USTAT_inv3, %sscop_STAT_receiver_invariants2.xMitBuffer_inv2 (FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2),vN_R = mN_R(pdu) IN s`VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < VT_S AND (FORALL (j:subrange(bot,top-1)): vXmitBuffer`Data(j)`Seq = j)) AND %-USTAT_inv3, %*sscop_SD_receiver_invariants2.USTAT_inv %*sscop_SD_receiver_invariants2.USTAT_inv2 (split in two), %*sscop_POLL_receiver_invariants1.USTAT_inv, %sscop_STAT_receiver_invariants1.USTAT_inv (FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)) : let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES 
let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < VR_H AND NOT vRecvBuffer`Arrived(l)) AND %*-USTAT_inv4, %sscop_SD_sender_invariants3.OLD_SD_inv3, %*sscop_SD_receiver_invariants1.init_inv7, %*sscop_POLL_receiver_invariants1.OLD_SD_inv3, %*sscop_STAT_receiver_invariants1.OLD_SD_inv3 (FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(i)`Seq < VR_H) AND %cf. *-USTAT_inv7, %sscop_SD_receiver_invariants1.init_inv5, %*sscop_STAT_receiver_invariants1.OLD_SD_inv5, %*sscop_SD_sender_invariants3.OLD_SD_inv5, (FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1), j: subrange(SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES s`vReXmitQueue(i)`Seq /= mN_S(pdu)) AND %*-USTAT_inv8, %*sscop_SD_receiver_invariants1.init_inv6, %sscop_SD_sender_invariants3.retrans_inv1, %*sscop_STAT_receiver_invariants2.retrans_inv1, (FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : NOT vRecvBuffer`Arrived(s`vReXmitQueue(i)`Seq)) AND %USTAT_inv6, %*sscop_SD_receiver_invariants2.USTAT_inv2_aux1, %*sscop_SD_sender_invariants1.OLD_SD_inv1, (FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1), j : subrange(SR_receiver_index,SR_sender_index-1)): let pdu = SR_channel(j) in OLD_SD?(pdu) IMPLIES mN_S(pdu) < l) AND %-USTAT_inv5, %*sscop_SD_receiver_invariants2.OLD_SD_inv1, %sscop_SD_sender_invariants3.OLD_SD_inv1_aux, %*sscop_STAT_receiver_invariants1.OLD_SD_inv1_aux (FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l:subrange(bottom,top-1), j:subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn-1)): 
s`vReXmitQueue(j)`Seq < l) AND %-USTAT_inv1, *sscop_SD_receiver_invariants2.USTAT_inv4 (FORALL (i,j:subrange(s`RS_sender_index,RS_receiver_index-1)) : LET pdu1 = RS_channel(i), pdu2 = RS_channel(j) IN i < j AND USTAT?(pdu1) AND USTAT?(pdu2) IMPLIES mN_R(pdu1) <=mN_R(pdu2)) AND %-USTAT_inv5_aux2, *sscop_SD_receiver_invariants2.USTAT_inv5 (FORALL (i,j :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu1 = RS_channel(i), pdu2 = RS_channel(j) IN USTAT?(pdu1) AND USTAT?(pdu2) AND i < j IMPLIES mList(pdu1)`Data(2) <= mList(pdu2)`Data(1)) AND %cf. *-ReXmit_inv1, sscop_SD_sender_invariants3.OLD_SD_inv6, %*sscop_STAT_receiver_invariants1.OLD_SD_inv6 (FORALL (i,j:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : i /= j IMPLIES s`vReXmitQueue(i)`Seq /= s`vReXmitQueue(j)`Seq) AND %sscop_SD_sender_invariants7.final_result_aux, %sscop_POLL_receiver_invariants1.STAT_inv2_aux1 %*sscop_SD_receiver_invariants2.USTAT_inv3_aux2, %*sscop_USTAT_receiver_invariants1.VT_A_LEQ_VR_R, %*sscop_STAT_receiver_invariants1.VT_A_LEQ_VR_R s`VT_A <= VR_R AND %-VT_A_LEQ_VR_R_aux2, *sscop_SD_receiver_invariants2.USTAT_inv4_aux, %sscop_POLL_receiver_invariants3.STAT_inv2_aux3_aux1 (FORALL(i: subrange(s`RS_sender_index, RS_receiver_index-1)): LET pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES VR_R >= mN_R(pdu)) AND %*-indicated_equals_sent_aux1_aux1_aux2, %*sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux2, %*sscop_STAT_receiver_invariants1.indicated_equals_sent_aux1_aux1_aux2, (FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : s`vReXmitQueue(i)`Payload = vXmitBuffer`Data(s`vReXmitQueue(i)`Seq)`Payload) AND %*-sscop_USTAT_receiver_invariants2.STAT_inv2, %*sscop_SD_sender_invariants5.STAT_inv2, %*sscop_STAT_receiver_invariants1.STAT_inv2, %*sscop_POLL_receiver_invariants3.STAT_inv2 (FORALL (k: subrange(s`RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES (VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= VT_PS AND s`VT_A <= mN_R(pdu) AND 
mN_R(pdu) <= VT_S)) AND %-sscop_USTAT_receiver_invariants2.STAT_inv2_aux3 %*sscop_POLL_receiver_invariants3.STAT_inv2_aux3, %*sscop_SD_receiver_invariants3.STAT_inv2_aux3 (FORALL (k,l: subrange(s`RS_sender_index, RS_receiver_index-1)): let stat = RS_channel(k), ustat = RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND l < k IMPLIES mN_R(ustat) <= mN_R(stat)) %AND % %sscop_SD_receiver_invariants2.USTAT_inv2_aux, % %sscop_USTAT_receiver_invariants3.USTAT_inv2_aux % (receiver_pc = DtrRecvTestSeq IMPLIES FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): % let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES % let ustat_list = mList(pdu), bottom = ustat_list`Data(1), % top = ustat_list`Data(2) IN % FORALL (l: subrange(bottom,top-1)) : % vN_S /= l) % AND % %sscop_SD_receiver_invariants1.init_inv6_aux, % %sscop_STAT_receiver_invariants3.init_inv6_aux, % %sscop_STAT_receiver_invariants3.init_inv6_aux % (receiver_pc = DtrRecvTestSeq % IMPLIES FORALL (i: subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : % vN_S /= s`vReXmitQueue(i)`Seq) IMPORTING runs[State,init,LAMBDA(s,s_:State):EXISTS (a:Action): trans(s,a,s_)] %-inductive xMitBuffer_inv1 : LEMMA invariant(LAMBDA(s:State) : FORALL (i:below(VT_S)): vXmitBuffer`Data(i)`Seq = i) %-inductive USTAT_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i,j:subrange(s`RS_sender_index,RS_receiver_index-1)) : LET pdu1 = RS_channel(i), pdu2 = RS_channel(j) IN i < j AND USTAT?(pdu1) AND USTAT?(pdu2) IMPLIES mN_R(pdu1) <=mN_R(pdu2)) %proved using USTAT_inv1 USTAT_inv2: LEMMA invariant(LAMBDA(s:State) :s`pc = DtrUstatTestAckInRange IMPLIES FORALL(i: subrange(s`RS_sender_index, RS_receiver_index-1)): LET pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES s`vN_R <= mN_R(pdu)) %-inductive VT_A_LEQ_VR_R_aux2 : LEMMA invariant(LAMBDA(s:State) : FORALL(i: subrange(s`RS_sender_index, RS_receiver_index-1)): LET pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES VR_R >= mN_R(pdu)) %proved using VT_A_LEQ_VR_R_aux2 VT_A_LEQ_VR_R_aux1 : LEMMA 
invariant(LAMBDA(s:State) : s`pc = DtrUstatTestAckInRange IMPLIES s`vN_R <= VR_R) %-proved using VT_A_LEQ_VR_R_aux1 VT_A_LEQ_VR_R: LEMMA invariant(LAMBDA(s: State) : s`VT_A <= VR_R) %-proved using USTAT_inv2 xMitBuffer_inv2: LEMMA invariant(LAMBDA(s:State) : (FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2), vN_R = mN_R(pdu) IN s`VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < VT_S AND (FORALL (j:subrange(bot,top-1)): vXmitBuffer`Data(j)`Seq = j))) %-inductive USTAT_inv3: LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)) : let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < VR_H AND NOT vRecvBuffer`Arrived(l)) %proved using USTAT_inv3, xMitBuffer_inv2 USTAT_inv4_aux2: LEMMA invariant(LAMBDA(s:State) : s`pc = DtrUstatTestAckInRange IMPLIES (s`vList`Data(1) < VR_H AND s`vList`Data(2) <= VR_H AND s`vList`Data(1) < s`vList`Data(2))) %each SD seq number in retrans queue is < VR_H, with some specialization %proved using USTAT_inv4_aux2 USTAT_inv4_aux: LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrUstatTestIndicesAndBuffer IMPLIES (s`seq1 < VR_H AND s`seq2 <= VR_H AND s`seq1 < s`seq2)) AND (s`pc = DtrUstatSequenceTest IMPLIES (s`seq1 <= s`seq2 AND s`seq2 <= VR_H))) %-proved using USTAT_inv4_aux USTAT_inv4: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(i)`Seq < VR_H) %-inductive USTAT_inv5_aux2 : LEMMA invariant(LAMBDA(s:State) : FORALL (i,j :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu1 = RS_channel(i), pdu2 = RS_channel(j) IN USTAT?(pdu1) AND USTAT?(pdu2) AND i < j IMPLIES mList(pdu1)`Data(2) <= mList(pdu2)`Data(1)) %proved using USTAT_inv5_aux2 USTAT_inv5_aux3 : LEMMA 
invariant(LAMBDA(s:State) : s`pc = DtrUstatTestAckInRange IMPLIES FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES s`vList`Data(2) <= mList(pdu)`Data(1)) %proved using USTAT_inv5_aux3 USTAT_inv5_aux1 : LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrUstatTestIndicesAndBuffer OR s`pc = DtrUstatSequenceTest) IMPLIES FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES s`seq2 <= mList(pdu)`Data(1)) %-proved using USTAT_inv5_aux1 USTAT_inv5: LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l:subrange(bottom,top-1), j:subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(j)`Seq < l) %inductive USTAT_inv6: LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(s`RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1), j : subrange(SR_receiver_index,SR_sender_index-1)): let pdu = SR_channel(j) in OLD_SD?(pdu) IMPLIES mN_S(pdu) < l) %proved using USTAT_inv6 USTAT_inv7_aux2 : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrUstatTestAckInRange IMPLIES FORALL (j:subrange(SR_receiver_index,SR_sender_index-1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES NOT (s`vList`Data(1) <= mN_S(pdu) AND mN_S(pdu)<= s`vList`Data(2)-1)) %proved using USTAT_inv7_aux2 USTAT_inv7_aux1 : LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrUstatTestIndicesAndBuffer OR s`pc = DtrUstatSequenceTest) IMPLIES FORALL (j:subrange(SR_receiver_index,SR_sender_index-1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES FORALL (i:subrange(s`seq1,s`seq2-1) ) : i /= mN_S(pdu)) %-proved using USTAT_inv7_aux1 USTAT_inv7 : LEMMA invariant(LAMBDA(s:State) : 
FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1), j: subrange(SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES s`vReXmitQueue(i)`Seq /= mN_S(pdu)) %proved using USTAT_inv3 USTAT_inv8_aux2: LEMMA invariant(LAMBDA (s: State): s`pc = DtrUstatTestAckInRange IMPLIES (FORALL (i: subrange(s`vList`Data(1), s`vList`Data(2) - 1)): NOT vRecvBuffer`Arrived(i))) %proved using USTAT_inv8_aux2 USTAT_inv8_aux1: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrUstatTestIndicesAndBuffer OR s`pc = DtrUstatSequenceTest) IMPLIES (FORALL (i: subrange(s`seq1, s`seq2 - 1)): NOT vRecvBuffer`Arrived(i))) %proved using xMitBuffer_inv1 OutOfDtr_unreachable_aux1 : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrUstatTestAckInRange IMPLIES (s`VT_A <= s`vN_R and s`vN_R < VT_S)) %proved using xMitBuffer_inv1 OutOfDtrUnreachable_aux2: LEMMA invariant(LAMBDA (s: State): s`pc = DtrUstatTestAckInRange IMPLIES (s`VT_A <= s`vN_R AND s`vN_R <= s`vList`Data(1) AND s`vList`Data(1) < s`vList`Data(2) AND s`vList`Data(2) < VT_S AND (FORALL (i: subrange(s`vList`Data(1), s`vList`Data(2) - 1)): vXmitBuffer`Data(i)`Seq = i))) %-proved using USTAT_inv8_aux1 USTAT_inv8 : LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : NOT vRecvBuffer`Arrived(s`vReXmitQueue(i)`Seq)) %proved using USTAT_inv5 ReXmit_inv1_aux2: LEMMA invariant(LAMBDA(s:State) : s`pc = DtrUstatTestAckInRange IMPLIES FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : NOT (s`vList`Data(1) <= s`vReXmitQueue(i)`Seq AND s`vReXmitQueue(i)`Seq <= s`vList`Data(2)-1)) %proved using ReXmit_inv1_aux2 ReXmit_inv1_aux1 : LEMMA invariant(LAMBDA(s:State) : (s`pc = DtrUstatTestIndicesAndBuffer IMPLIES s`seq1 < s`seq2 AND (FORALL (i: subrange(s`seq1, s`seq2 - 1), j:subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(j)`Seq /= i)) AND (s`pc = DtrUstatSequenceTest IMPLIES s`seq1 <= s`seq2 AND (FORALL (i: subrange(s`seq1, s`seq2 - 1), 
j:subrange(vReXmitQueue_PtrOut, s`vReXmitQueue_PtrIn-1)): s`vReXmitQueue(j)`Seq /= i))) %-proved using ReXmit_inv1_aux1 ReXmit_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i,j:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : i /= j IMPLIES s`vReXmitQueue(i)`Seq /= s`vReXmitQueue(j)`Seq) %-inductive indicated_equals_sent_aux1_aux1_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(vReXmitQueue_PtrOut,s`vReXmitQueue_PtrIn-1)) : s`vReXmitQueue(i)`Payload = vXmitBuffer`Data(s`vReXmitQueue(i)`Seq)`Payload) %proved using OutOfDtrUnreachable_aux2 OutOfDtr_unreachable_aux0: LEMMA invariant(LAMBDA (s: State): (s`pc = DtrUstatTestIndicesAndBuffer IMPLIES(s`VT_A <= s`seq1 AND s`seq1 < s`seq2 AND s`seq2 < VT_S AND (FORALL (i: subrange(s`seq1, s`seq2 - 1)): vXmitBuffer`Data(i)`Seq = i))) AND (s`pc = DtrUstatSequenceTest IMPLIES s`VT_A <= s`seq1 AND s`seq1 <= s`seq2 AND s`seq2 < VT_S AND(FORALL (i: subrange(s`seq1, s`seq2 - 1)): vXmitBuffer`Data(i)`Seq = i))) %and the final goal for this theory OutOfDtr_unreachable : LEMMA invariant(LAMBDA (s: State): NOT s`pc = OutOfDtr) END sscop_USTAT_receiver_invariants1 $$$sscop_USTAT_receiver_invariants1.prf (|sscop_USTAT_receiver_invariants1| (|init_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC10| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC11| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC12| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC13| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC14| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC15| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC16| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|USTAT_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv1_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv1_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 ("i" "j")) (("2" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "i") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "USTAT_inv1") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index" "i") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (LEMMA "USTAT_inv1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`RS_sender_index" "i") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|VT_A_LEQ_VR_R_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|VT_A_LEQ_VR_R_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|VT_A_LEQ_VR_R_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "i!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|VT_A_LEQ_VR_R_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "VT_A_LEQ_VR_R_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "VT_A_LEQ_VR_R_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (VT_A_LEQ_VR_R "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("2" (LEMMA "VT_A_LEQ_VR_R_aux1") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|xMitBuffer_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "i") (("2" (INST - "i") (("1" (GROUND) (("1" (GRIND :IF-MATCH NIL) (("1" (COMMENT "need to prove that the vN_R fields of USTAT PDUs in RS channel form a deceasing sequence") (("1" (LEMMA "USTAT_inv2") (("1" (GRIND) NIL NIL)) ";;;need to prove that the vN_R fields of USTAT PDUs in RS channel form a deceasing sequence")) NIL)) NIL)) NIL) ("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "i") (("2" (INST - "i") (("2" (GROUND) (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv4_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "USTAT_inv3") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index") (("1" (GROUND) (("1" (LEMMA "xMitBuffer_inv2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`RS_sender_index") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "USTAT_inv3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) (("2" (INST - "mList(RS_channel(r(n)`RS_sender_index))`Data(2) - 1") (("1" (GROUND) NIL NIL) ("2" (LEMMA "xMitBuffer_inv2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "USTAT_inv3") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`RS_sender_index") (("3" (GROUND) (("3" (INST - "mList(RS_channel(r(n)`RS_sender_index))`Data(2) - 1") (("3" (GROUND) (("3" (LEMMA "xMitBuffer_inv2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`RS_sender_index") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) 
NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "USTAT_inv3") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "r(n)`RS_sender_index") (("4" (GROUND) (("4" (LEMMA "xMitBuffer_inv2") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "r(n)`RS_sender_index") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (LEMMA "USTAT_inv3") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`RS_sender_index") (("5" (GROUND) (("5" (INST - "mList(RS_channel(r(n)`RS_sender_index))`Data(2) - 1") (("1" (GROUND) NIL NIL) ("2" (LEMMA "xMitBuffer_inv2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`RS_sender_index") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "USTAT_inv3") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r(n)`RS_sender_index") (("6" (GROUND) (("6" (INST - "mList(RS_channel(r(n)`RS_sender_index))`Data(1)") (("6" (LEMMA "xMitBuffer_inv2") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r(n)`RS_sender_index") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|USTAT_inv4_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (FLATTEN) (("2" (HIDE -2) (("2" (GRIND) NIL NIL)) NIL)) NIL) ("3" (HIDE -2) (("3" (SKOLEM 1 "n") (("3" (EXPAND "run_fragment") (("3" (INST - "n") (("3" (GRIND) (("1" (LEMMA "USTAT_inv4_aux2") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA "USTAT_inv4_aux2") (("2" (GRIND) NIL NIL)) NIL) ("3" (LEMMA "USTAT_inv4_aux2") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "USTAT_inv4_aux2") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "USTAT_inv4_aux2") (("5" (GRIND) NIL NIL)) NIL) ("6" (LEMMA "USTAT_inv4_aux2") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|USTAT_inv4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv4| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (INST - "i") (("1" (GRIND) (("1" (COMMENT "will prove pc = DtrUstatTestIndicesAndBuffer => seq1 seq1 seq1 seq1 (RS?)], % receiver-sender channel RW RS_receiver_index : nat, % index of RS_channel RW AA_DATA_INDICATION_channel: [nat-> (AA_DATA_INDICATION?)], %data indication channel (to env) AA_DATA_INDICATION_channel_index:nat, %index of latter %for internal computations (memorize values of messages, etc ) vData: Data_Type, %RW vN_S: nat %RW #] %parameters SR_channel: [nat->(SR?)] %channel from sender SR_sender_index: nat % how far the sender has written in the SR channel VT_S: nat %latest sent SD PDU vReXmitQueue_PtrOut: nat %a view of the sender's retrans queue vReXmitQueue_PtrIn : nat %and vReXmitQueue: QueueDataType RS_sender_index : nat %a view of the senders pointer in the RS channel vXmitBuffer: SendBufferType % a view of 
sender's buffer
VT_A : nat % a view of the sender's window lower bound
AA_DATA_REQUEST_channel: [nat->(AA_DATA_REQUEST?)] % data-request channel (its contents are related to vXmitBuffer by the invariant theories)
AA_DATA_REQUEST_channel_index : nat % how far AA_DATA_REQUEST_channel has been written
sender_pc : control % a view of the sender's pc
VT_MS : nat % a view of the sender's window upper bound

%transition relation of the SD receiver component. The initial conditions are
%set according to what is guaranteed by the environment.
%
% Reading guide (everything below is visible in the disjuncts):
%  - s is the pre-state, s_ the post-state, a the Action labelling the step.
%    Steps guarded by tau?(a) touch no channel; PDU steps either read a from
%    SR_channel or write a into RS_channel / AA_DATA_INDICATION_channel.
%  - PDUs emitted by the receiver are not constructed: a is constrained by the
%    guard (e.g. mN_R(a) = s`VR_R, mList(a)`Length = 2) and then stored.
%  - The receiver always reads SR_channel(s`SR_receiver_index) and advances
%    that index by one, so PDUs are consumed in channel order. The only
%    channel fault modelled is loss (the "simulates loss" disjunct); the
%    relation has no case for corrupted, reordered or injected PDUs.
%  - OutOfDtr is entered only by the "duplicate SD" disjunct; lemma
%    OutOfDtr_unreachable in sscop_SD_receiver_invariants1 shows pc never
%    equals OutOfDtr, i.e. that case does not arise under the modelled channel.
trans(s:State, a: Action, s_: State) : bool =
  %receiving a SD PDU from SR channel: memorise its seq number and payload,
  %consume it from the channel and go test the seq number
  s`pc = DataTransferReady AND
  s`SR_receiver_index < SR_sender_index AND
  a = SR_channel(s`SR_receiver_index) AND SD?(a) AND
  s_ = s WITH[ `vN_S := mN_S(a), `vData := mData(a),
               `SR_receiver_index := s`SR_receiver_index+1,
               `pc := DtrRecvTestSeq ]
  OR
  %simulates loss of a SD PDU (no pc guard: the channel may drop a PDU
  %whatever the receiver is doing)
  s`SR_receiver_index < SR_sender_index AND
  a = SR_channel(s`SR_receiver_index) AND SD?(a) AND
  s_ = s WITH [`SR_receiver_index := s`SR_receiver_index+1]
  OR
  % SD PDU is outside the receiver's window and VR_H is already geq VR_MR:
  %nothing to do
  s`pc = DtrRecvTestSeq AND
  (s`vN_S >= s`VR_MR) AND (s`VR_H >= s`VR_MR) AND
  tau?(a) AND
  s_ = s WITH[`pc := DataTransferReady]
  OR
  % the received PDU was outside the receiver's window, and there was space inside
  % generate & send a USTAT: protesting about PDU out of sequence, asking to
  % fill the hole between VR_H and VR_MR (this is why it did not protest when
  % VR_H >= VR_MR).
  s`pc = DtrRecvTestSeq AND
  (s`vN_S >= s`VR_MR) AND (s`VR_H < s`VR_MR) AND
  USTAT?(a) AND
  (mN_R(a) = s`VR_R) AND (mN_MR(a) = s`VR_MR) AND
  (mList(a)`Length = 2) AND
  (mList(a)`Data(1) = s`VR_H) AND (mList(a)`Data(2) = s`VR_MR) AND
  s_ = s WITH[ `VR_H := s`VR_MR,
               `RS_channel(s`RS_receiver_index):= a,
               `RS_receiver_index := s`RS_receiver_index+1,
               `pc := DataTransferReady]
  OR
  % SD PDU is within receiver's window, but it's not the next in sequence
  % check WRT the highest ever received. Here, the SD seq number is equal to
  % highest ever received: save it in the buffer, and advance VR_H
  s`pc = DtrRecvTestSeq AND
  (s`vN_S < s`VR_MR) AND not (s`vN_S = s`VR_R) AND (s`vN_S = s`VR_H) AND
  tau?(a) AND
  s_ = s WITH[ `vRecvBuffer`Data(s`vN_S)`Payload := s`vData,
               `vRecvBuffer`Data(s`vN_S)`Seq := s`vN_S ,
               `vRecvBuffer`Arrived(s`vN_S) := true,
               `VR_H := s`VR_H +1,
               `pc := DataTransferReady ]
  OR
  % SD PDU is within receiver's window, but it's not the next in sequence
  % and higher than ever received: proceed like above but set VR_H := vN_S+1
  % and generate a USTAT : complain about a hole between VR_H, vN_S
  s`pc = DtrRecvTestSeq AND
  (s`vN_S < s`VR_MR) AND not (s`vN_S = s`VR_R) AND (s`VR_H < s`vN_S) AND
  USTAT?(a) AND
  (mN_R(a) = s`VR_R) AND (mN_MR(a) = s`VR_MR) AND
  (mList(a)`Length = 2) AND
  (mList(a)`Data(1) = s`VR_H) AND (mList(a)`Data(2) = s`vN_S) AND
  s_ = s WITH[ `vRecvBuffer`Data(s`vN_S)`Payload :=s`vData,
               `vRecvBuffer`Data(s`vN_S)`Seq := s`vN_S ,
               `vRecvBuffer`Arrived(s`vN_S) := true,
               `VR_H := (s`vN_S + 1),
               `RS_channel(s`RS_receiver_index) := a,
               `RS_receiver_index := s`RS_receiver_index +1,
               `pc := DataTransferReady ]
  OR
  % SD PDU is within receiver's window, but it's not the next in sequence. It is
  % strictly lower than ever received and already in rcv buffer : it's a duplicate
  % will prove it unreachable (OutOfDtr is the error marker state)
  s`pc = DtrRecvTestSeq AND
  (s`vN_S < s`VR_MR) AND not (s`vN_S = s`VR_R) AND (s`VR_H > s`vN_S) AND
  (s`vRecvBuffer`Arrived(s`vN_S)) AND
  tau?(a) AND
  s_ = s WITH[`pc := OutOfDtr]
  OR
  % SD PDU is within receiver's window, but it's not the next in sequence. It is
  % strictly lower than ever received and not a duplicate: save it in rcv buffer
  s`pc = DtrRecvTestSeq AND
  (s`vN_S < s`VR_MR) AND NOT (s`vN_S = s`VR_R) AND (s`VR_H > s`vN_S) AND
  (NOT s`vRecvBuffer`Arrived(s`vN_S)) AND
  tau?(a) AND
  s_ = s WITH[ `vRecvBuffer`Data(s`vN_S)`Payload := s`vData,
               `vRecvBuffer`Data(s`vN_S)`Seq := s`vN_S ,
               `vRecvBuffer`Arrived(s`vN_S) := true,
               `pc := DataTransferReady ]
  OR
  % SD PDU is within receiver's window, AND it is the next in sequence
  s`pc = DtrRecvTestSeq AND
  (s`vN_S < s`VR_MR) AND (s`vN_S = s`VR_R) AND
  tau?(a) AND
  s_ = s WITH[`pc := DtrRecvInOrder]
  OR
  % PDU is next in sequence, and it's equal to the highest ever received
  s`pc = DtrRecvInOrder AND (s`VR_R = s`VR_H) AND
  AA_DATA_INDICATION?(a) AND
  (mData(a) = s`vData) AND (mN_S(a) = s`VR_R)
  % deliver one data indication carrying the memorised payload and VR_R.
  % Next-expected (VR_R) and highest-received (VR_H) are both advanced past
  % the delivered PDU and the receiver's window (VR_MR) grows by one.
  % Note: the receive buffer is not touched in this case.
  AND s_ = s WITH[ `VR_R := (s`VR_R + 1),
                   `VR_H := (s`VR_H + 1),
                   `VR_MR := s`VR_MR+1,
                   `AA_DATA_INDICATION_channel(s`AA_DATA_INDICATION_channel_index) := a,
                   `AA_DATA_INDICATION_channel_index:= s`AA_DATA_INDICATION_channel_index+1,
                   `pc := DataTransferReady ]
  OR
  %have not reached the highest received PDU yet
  s`pc = DtrRecvInOrder AND (NOT (s`VR_R = s`VR_H)) AND
  AA_DATA_INDICATION?(a) AND
  (mData(a) = s`vData) AND (mN_S(a) = s`VR_R) AND
  % send a data indication for it, anyway.
  % then, go to next element in receiver's window
  % and increase the receiver's window size
  s_ = s WITH[ `VR_R := s`VR_R + 1,
               `VR_MR := s`VR_MR+1,
               `AA_DATA_INDICATION_channel(s`AA_DATA_INDICATION_channel_index) := a,
               `AA_DATA_INDICATION_channel_index:=s`AA_DATA_INDICATION_channel_index+1,
               `pc := DtrRecvInOrderDeliverNext ]
  OR
  % the current element is in receiver's buffer: copy its payload and seq
  % number out (the Arrived flag is left set) and continue, because there
  % is a contiguous sequence to indicate
  s`pc = DtrRecvInOrderDeliverNext AND
  (s`vRecvBuffer`Arrived(s`VR_R)) AND
  tau?(a) AND
  s_ = s WITH[ `vData := s`vRecvBuffer`Data(s`VR_R)`Payload,
               `vN_S := s`vRecvBuffer`Data(s`VR_R)`Seq,
               `pc := DtrRecvInOrder ]
  OR
  % whatever contiguous sequence there was is over ...
  s`pc = DtrRecvInOrderDeliverNext AND
  not (s`vRecvBuffer`Arrived(s`VR_R)) AND
  tau?(a) AND
  s_ = s WITH[`pc := DataTransferReady]
  OR
  %if there is no SD or POLL, after a while the receiver goes idle
  %(only possible when nothing is outstanding: VR_R = VR_H = VR_MR)
  s`pc = DataTransferReady AND
  s`VR_R = s`VR_H AND s`VR_H = s`VR_MR AND
  tau?(a) AND
  s_ = s WITH [`pc := Idle]
END sscop_SD_receiver
$$$sscop_SD_receiver.prf
(|sscop_SD_receiver| (|SR_channel_TCC1| "" (INST 1 "LAMBDA(x:nat) : NEW_SD(0,choose({d:Data_Type|TRUE}))") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL) (|AA_DATA_REQUEST_channel_TCC1| "" (INST 1 "LAMBDA (c:nat) : AA_DATA_REQUEST(choose({d:Data_Type| TRUE}))") (("" (GRIND) NIL NIL)) NIL) (|trans_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC10| "" (SUBTYPE-TCC) NIL NIL))
$$$sscop_SD_receiver_invariants1.pvs
sscop_SD_receiver_invariants1 : THEORY
%facts about VR_H and receiver's buffer and about the USTAT PDUs in
% the RS channel
BEGIN
IMPORTING sscop_SD_receiver

% Initial-state predicate for this theory's instantiation of runs. Besides
% the receiver's own starting pc it is a long conjunction of facts about the
% sender side, both channels and the retransmission queue; as the transition
% relation's header says, these are what the environment is assumed to
% guarantee. Each conjunct carries the author's "cf."/"*" tags naming the
% lemma(s), here and in the other component theories, that establish it.
% When auditing the composed result, this conjunction is the assumption set
% the receiver proofs rely on.
init(s:State): bool = (s`pc =
DataTransferReady OR s`pc = Idle) AND %cf. *VT_S_GE_VR_H and *sscop_SD_sender_invariants1.VT_S_GE_VR_H %and sscop_SD_sender_invariants2.VT_S_GE_VR_H and %*sscop_POLL_receiver_invariants1.VT_S_GE_VR_H, %sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux1, %sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux VT_S >= s`VR_H AND %cf. NEW_SD_inv5 and *sscop_SD_sender_invariants1.NEW_SD_inv3 (FORALL (i: subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(i) IN NEW_SD?(pdu) IMPLIES VT_S > mN_S(pdu)) AND %cf init_inv1 and *sscop_SD_sender_invariants1.NEW_SD_inv2 (FORALL (j,k: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu_1 = SR_channel(j), pdu_2 = SR_channel(k) IN (NEW_SD?(pdu_1)) and (NEW_SD?(pdu_2)) AND j < k IMPLIES mN_S(pdu_1) < mN_S(pdu_2)) AND % *NEW_SD_inv1 and *sscop_SD_sender_invariants1.NEW_SD_inv1 %and *sscop_POLL_receiver_invariants1.NEW_SD_inv1 (FORALL (i: subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(i) IN NEW_SD?(pdu) IMPLIES mN_S(pdu) >= s`VR_H) AND %*POLL_inv0, %*sscop_SD_sender_invariant2.POLL_inv0, %*sscop_POLL_receiver_invariants1.POLL_inv0 (FORALL (i: subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(i) IN POLL?(pdu) IMPLIES mN_S(pdu) >= s`VR_H) AND % init_inv5, *sscop_SD_sender_invariants3.OLD_SD_inv5, %*sscop_USTAT_receiver_invariants1.USTAT_inv7, %*sscop_STAT_receiver_invariants1.OLD_SD_inv5 (FORALL (i:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1), j: subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES vReXmitQueue(i)`Seq /= mN_S(pdu)) AND %* init_inv4, *sscop_SD_sender_invariants3.OLD_SD_inv2, %*sscop_POLL_receiver_invariants1.OLD_SD_inv2 (FORALL (j: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES mN_S(pdu) < s`VR_H) AND % init_inv3, *sscop_SD_sender_invariants3.OLD_SD_inv4 (FORALL (j,k: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu_1 = 
SR_channel(j), pdu_2 = SR_channel(k) IN OLD_SD?(pdu_1) AND OLD_SD?(pdu_2) AND j/= k IMPLIES mN_S(pdu_1) /= mN_S(pdu_2)) AND %* NEW_SD_inv2, *sscop_SD_sender_invariants1.NEW_SD_inv4 (FORALL (j: nat,k: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(k) IN s`vRecvBuffer`Arrived(j) IMPLIES NEW_SD?(pdu) IMPLIES j < mN_S(pdu)) % cf. * OLD_SD_inv1, *sscop_SD_sender_invariants1.OLD_SD_inv7 AND (FORALL (j: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES NOT s`vRecvBuffer`Arrived(mN_S(pdu))) % cf. * VT_S_GE_VR_H_aux3, % sscop_SD_sender_invariants4.indicated_equals_sent_aux % *sscop_POLL_receiver_invariants1.VR_H_GE_VR_R AND s`VR_H >= s`VR_R % cf. * VT_S_GE_VR_H_aux1, % sscop_SD_sender_invariants4.VR_MR_GE_VR_H, % *sscop_POLL_receiver_invariants1.VR_MR_GE_VR_H, % sscop_STAT_receiver_invariants3.retrans_inv1_aux0 AND s`VR_H <= s`VR_MR %cf. * VT_S_GE_VR_H and sscop_SD_sender_invariants1.NEW_SD_inv5 %and *sscop_POLL_receiver_invariants1.NEW_SD_inv5 AND (FORALL (k:nat) : k >= s`VR_H => NOT s`vRecvBuffer`Arrived(k)) AND % *init_inv6, *sscop_USTAT_receiver_invariants1.USTAT_inv8, %sscop_SD_sender_invariants3.retrans_inv1, %*sscop_STAT_receiver_invariants2.retrans_inv1 (FORALL (i:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : NOT s`vRecvBuffer`Arrived(vReXmitQueue(i)`Seq)) AND %* init_inv7 and sscop_SD_sender_invariants3.OLD_SD_inv3 and %*sscop_USTAT_receiver_invariants1.USTAT_inv4 and %*sscop_POLL_receiver_invariants1.OLD_SD_inv3 and %*sscop_STAT_receiver_invariants1.OLD_SD_inv3 (FORALL (i: subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : vReXmitQueue(i)`Seq < s`VR_H) AND %*sscop_SD_receiver_invariants2.USTAT_inv, %*sscop_SD_receiver_invariants2.USTAT_inv2 (split) %and sscop_USTAT_receiver_invariants1.USTAT_inv3, %*sscop_POLL_receiver_invariants1.USTAT_inv, %sscop_STAT_receiver__invariants1.USTAT_inv (FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)) : let pdu = s`RS_channel(i) IN 
USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < s`VR_H AND NOT s`vRecvBuffer`Arrived(l)) AND %*sscop_SD_receiver_invariants2.USTAT_inv2_aux1, %*sscop_SD_sender_invariants3.OLD_SD_inv1, %sscop_USTAT_receiver_invariants1.USTAT_inv6 (FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1), j : subrange(s`SR_receiver_index, SR_sender_index-1)): let pdu = SR_channel(j) in OLD_SD?(pdu) IMPLIES mN_S(pdu) < l) AND %*sscop_SD_receiver_invariants2.OLD_SD_inv1, %sscop_SD_sender_invariants3.OLD_SD_inv1_aux, %*sscop_USTAT_receiver_invariants1.USTAT_inv5, %*sscop_STAT_receiver_invariants1.OLD_SD_inv1_aux (FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL(l:subrange(bottom,top-1), j:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)): vReXmitQueue(j)`Seq < l) AND %*sscop_SD_receiver_invariants2.USTAT_inv3, %*sscop_USTAT_receiver_invariants1.xMitBuffer_inv2, %*sscop_SD_sender_invariants1.USTAT_inv1, %*sscop_STAT_receiver_invariants2.xMitBuffer_inv2 (FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2), vN_R = mN_R(pdu) IN VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < VT_S AND FORALL (j:subrange(bot,top-1)): vXmitBuffer`Data(j)`Seq = j) AND %sscop_SD_receiver_invariants2.USTAT_inv3_aux1, %*sscop_SD_sender_invariants1.xMitBuffer_inv1 %sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux3 %%sscop_USTAT_receiver_invariants1.xMitBuffer_inv1 (FORALL (i:below(VT_S)): vXmitBuffer`Data(i)`Seq = i) AND 
%sscop_SD_sender_invariants6.final_result_aux, %sscop_POLL_receiver_invariants1.STAT_inv2_aux1 %*sscop_SD_receiver_invariants2.USTAT_inv3_aux2, %*sscop_USTAT_receiver_invariants1.VT_A_LEQ_VR_R, %*sscop_STAT_receiver_invariants1.VT_A_LEQ_VR_R VT_A <= s`VR_R AND %*sscop_SD_receiver_invariants2.USTAT_inv4, %sscop_USTAT_receiver_invariants1.USTAT_inv1 (FORALL (i,j:subrange(RS_sender_index,s`RS_receiver_index-1)) : LET pdu1 = s`RS_channel(i), pdu2 = s`RS_channel(j) IN i < j AND USTAT?(pdu1) AND USTAT?(pdu2) IMPLIES mN_R(pdu1) <=mN_R(pdu2)) AND %*sscop_SD_receiver_invariants2.USTAT_inv4_aux, %sscop_USTAT_receiver_invariants1.VT_A_LEQ_VR_R_aux2, %sscop_POLL_receiver_invariants3.STAT_inv2_aux3_aux1 (FORALL (i:subrange(RS_sender_index,s`RS_receiver_index-1)) : LET pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES s`VR_R >= mN_R(pdu)) AND %*sscop_SD_receiver_invariants2.USTAT_inv5, %sscop_USTAT_receiver_invariants1.USTAT_inv1 (FORALL (i,j :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu1 = s`RS_channel(i), pdu2 = s`RS_channel(j) IN USTAT?(pdu1) AND USTAT?(pdu2) AND i < j IMPLIES mList(pdu1)`Data(2) <= mList(pdu2)`Data(1)) AND %*sscop_SD_receiver_invariants3.indicated_equals_sent, %*sscop_SD_sender_invariants4.indicated_equals_sent (FORALL (i: below(s`VR_R)) : mData(s`AA_DATA_INDICATION_channel(i)) = vXmitBuffer`Data(i)`Payload) AND %*sscop_SD_receiver_invariants3.VR_R_eq_AA_DATA_INDICATION_channel_index s`VR_R = s`AA_DATA_INDICATION_channel_index AND %*sscop_SD_receiver_invariants3.indicated_equals_sent_aux2_aux2, (FORALL (i:below(s`VR_MR)): s`vRecvBuffer`Arrived(i) IMPLIES s`vRecvBuffer`Data(i)`Seq = i) AND %indicated_equals_sent_aux2_aux2, %*sscop_SD_sender_invariants4.indicated_equals_sent_aux1_aux2 (FORALL (i:below(s`VR_MR)) : s`vRecvBuffer`Arrived(i) IMPLIES s`vRecvBuffer`Data(i)`Payload = vXmitBuffer`Data(i)`Payload) AND %sscop_SD_receiver_invariants3.indicated_equals_sent_aux1_aux1, %*sscop_SD_sender_invariants4.indicated_equals_sent_aux1_aux1, 
%*sscop_SD_sender_invariants5.OLD_SD_inv2 %(invariants from two sender theories because both OLD and NEW SD %are considered) (FORALL (i:subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(i) IN SD?(pdu) IMPLIES mData(pdu) = vXmitBuffer`Data(mN_S(pdu))`Payload) AND %sscop_SD_receiver_invariants3.sent_equals_requested, %*sscop_SD_sender_invariants4.sent_equals_requested (FORALL (i : below(VT_S)) : mData(AA_DATA_REQUEST_channel(i)) = vXmitBuffer`Data(i)`Payload) AND %sscop_USTAT_receiver_invariants2.STAT_inv2_aux3 %*sscop_POLL_receiver_invariants3.STAT_inv2_aux3, %*sscop_SD_receiver_invariants3.STAT_inv2_aux3 (FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND l < k IMPLIES mN_R(ustat) <= mN_R(stat)) AND %sscop_STAT_receiver_invariants1.VT_A_LEQ_VR_R_aux %*sscop_SD_receiver_invariants3.VT_A_LEQ_VR_R_aux, %*sscop_POLL_receiver_invariants3.VT_A_LEQ_VR_R_aux (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES mN_R(pdu) <= s`VR_R) AND %sscop_STAT_receiver_invariants1.OLD_SD_inv1_aux_aux2, %*sscop_SD_receiver_invariants3.OLD_SD_inv1_aux_aux2, %*sscop_POLL_receiver_invariants3.OLD_SD_inv1_aux_aux2 (FORALL (k, l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET ustat = s`RS_channel(k), stat = s`RS_channel(l) IN USTAT?(ustat) AND STAT?(stat) AND k > l IMPLIES (FORALL (m: nat): even?(m) AND m <= mList(stat)`Length-2 IMPLIES mList(stat)`Data(2 + m) <= mList(ustat)`Data(1))) AND %*sscop_SD_receiver_invariants3.OLD_SD_inv1_aux_aux3, %sscop_STAT_receiver_invariants1.STAT_inv1, %*sscop_POLL_receiver_invariants2.STAT_inv1 (FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (i: upto(statlist`Length - 2)): even?(i) IMPLIES LET elt1 = statlist`Data(i + 1), elt2 = 
statlist`Data(i + 2) IN elt1 < elt2 AND elt2 <= s`VR_H)) AND %NEW_SD_POLL2, *sscop_SD_sender_invariants1.NEW_SD_POLL2 (FORALL (i,j: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(i), new_sd = SR_channel(j) IN POLL?(poll) AND NEW_SD?(new_sd) AND i > j IMPLIES mN_S(poll) > mN_S(new_sd)) AND %sscop_STAT_receiver_invariants2.retrans_inv1_aux3, %*sscop_POLL_receiver_invariants2.retrans_inv1_aux3, %*sscop_SD_receiver_invariants4.retrans_inv1_aux3, %*sscop_SD_sender_invariants2.retrans_inv1_aux3 (FORALL (k: subrange(RS_sender_index, s` RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT s`vRecvBuffer`Arrived(m) OR vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) AND %sscop_STAT_receiver_invariants1.OLD_SD_inv5_aux4, %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux4, %*sscop_POLL_receiver_invariants3.OLD_SD_inv5_aux4, %sscop_SD_receiver_invariants4.retrans_inv1_aux5 (FORALL (l: subrange(s`SR_receiver_index, SR_sender_index - 1), k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET old_sd = SR_channel(l), stat = s`RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat)) AND %sscop_STAT_receiver_invariants2.xMitBuffer_inv2_aux, %*sscop_SD_receiver_invariants4.xMitBuffer_inv2_aux, %*sscop_POLL_receiver_invariants3.xMitBuffer_inv2_aux (FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND k < l IMPLIES mN_R(stat) <= mN_R(ustat)) %sscop_SD_receiver_invariants5.Idle_inv1 %sscop_SD_sender_invariants6.Idle_inv2 AND (s`pc = Idle IMPLIES s`VR_R = s`VR_H AND s`VR_H = s`VR_MR) %sscop_SD_sender_invariants6.Idle_inv1, %sscop_SD_receiver_invariants5.Indle_inv2 AND (sender_pc= Idle 
IMPLIES (VT_A = VT_S AND VT_S = AA_DATA_REQUEST_channel_index)) IMPORTING runs[State,init,LAMBDA(s,s_:State):EXISTS(a:Action): trans(s,a,s_)] %inductive init_inv1 : LEMMA invariant(LAMBDA(s:State) : FORALL (j,k: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu_1 = SR_channel(j), pdu_2 = SR_channel(k) IN (NEW_SD?(pdu_1)) and (NEW_SD?(pdu_2)) AND j < k IMPLIES mN_S(pdu_1) < mN_S(pdu_2)) %inductive init_inv2: LEMMA invariant(LAMBDA (s: State): FORALL (j, k: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu_1 = SR_channel(j), pdu_2 = SR_channel(k) IN OLD_SD?(pdu_1) AND NEW_SD?(pdu_2) IMPLIES mN_S(pdu_1) < mN_S(pdu_2)) %inductive init_inv3: LEMMA invariant(LAMBDA (s: State): FORALL (j,k: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu_1 = SR_channel(j), pdu_2 = SR_channel(k) IN OLD_SD?(pdu_1) AND OLD_SD?(pdu_2) AND j/= k IMPLIES mN_S(pdu_1) /= mN_S(pdu_2)) %inductive init_inv4: LEMMA invariant(LAMBDA (s: State): FORALL (j: subrange(s`SR_receiver_index,SR_sender_index-1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES mN_S(pdu) < s`VR_H) %inductive init_inv5: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1), j: subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES vReXmitQueue(i)`Seq /= mN_S(pdu)) %inductive NEW_SD_inv5: LEMMA invariant(LAMBDA (s: State): FORALL (i: subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(i) IN NEW_SD?(pdu) IMPLIES VT_S > mN_S(pdu)) %proved using init_inv1, init_inv2 NEW_SD_inv4: LEMMA invariant(LAMBDA (s: State): s`pc = DtrRecvTestSeq IMPLIES (FORALL (j: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(j) IN NEW_SD?(pdu) IMPLIES s`vN_S < mN_S(pdu))) %proved using NEW_SD_inv4 NEW_SD_inv3: LEMMA invariant(LAMBDA (s: State): s`pc = DtrRecvInOrder IMPLIES (s`vRecvBuffer`Arrived(s`VR_R) OR (FORALL (j: subrange(s`SR_receiver_index,SR_sender_index - 1)): LET pdu = SR_channel(j) IN 
NEW_SD?(pdu) IMPLIES s`VR_R < mN_S(pdu)))) %proved using NEW_SD_inv4 NEW_SD_inv2: LEMMA invariant(LAMBDA (s: State): FORALL (j:nat,k:subrange(s`SR_receiver_index, SR_sender_index-1)): LET pdu = SR_channel(k) IN s`vRecvBuffer`Arrived(j) IMPLIES NEW_SD?(pdu) IMPLIES j < mN_S(pdu)) %proved using NEW_SD_inv2, NEW_SD_inv3, NEW_SD_inv4 NEW_SD_inv1: LEMMA invariant(LAMBDA (s: State): FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN NEW_SD?(pdu) IMPLIES s`VR_H <= mN_S(pdu)) %inductive init_inv7: LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : vReXmitQueue(i)`Seq < s`VR_H) %proved using init_inv7, NEW_SD_inv1 init_inv6_aux : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrRecvTestSeq IMPLIES FORALL (i: subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : s`vN_S /= vReXmitQueue(i)`Seq) %proved using init_inv6_aux, init_inv7 init_inv6: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : NOT s`vRecvBuffer`Arrived(vReXmitQueue(i)`Seq)) VT_S_GE_VR_H_aux3 : LEMMA invariant(LAMBDA(s:State) : s`VR_H >= s`VR_R) VT_S_GE_VR_H_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN OLD_SD?(pdu) IMPLIES VT_S > mN_S(pdu)) VT_S_GE_VR_H_aux1 : LEMMA invariant(LAMBDA(s:State) : s`VR_H <= s`VR_MR) %proved using init_inv4, NEW_SD_inv5, VT_S_GE_VR_H_aux3, VT_S_GE_VR_H_aux1, VT_S_GE_VR_H_aux2 VT_S_GE_VR_H : LEMMA invariant(LAMBDA(s:State) : VT_S >= s`VR_H AND (s`pc = DtrRecvInOrder IMPLIES VT_S > s`VR_R) AND (s`pc = DtrRecvInOrderDeliverNext IMPLIES VT_S >= s`VR_R) AND (s`pc = DtrRecvTestSeq => VT_S > s`vN_S) AND FORALL (k:nat) : k >= s`VR_H => NOT s`vRecvBuffer`Arrived(k)) %proved using init_inv2, init_inv3 OLD_SD_inv2: LEMMA invariant(LAMBDA (s: State): s`pc = DtrRecvTestSeq IMPLIES (FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN OLD_SD?(pdu) 
IMPLIES s`vN_S /= mN_S(pdu)))
%proved using OLD_SD_inv2
OLD_SD_inv1: LEMMA invariant(LAMBDA (s: State): FORALL (j: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(j) IN OLD_SD?(pdu) IMPLIES NOT s`vRecvBuffer`Arrived(mN_S(pdu)))
%proved using VT_S_GE_VR_H_aux1, VT_S_GE_VR_H
indicated_equals_sent_aux2_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (i:below(s`VR_MR)): s`vRecvBuffer`Arrived(i) IMPLIES s`vRecvBuffer`Data(i)`Seq = i)
%proved using VT_S_GE_VR_H (note: the stored proof script in sscop_SD_receiver_invariants1.prf cites VT_S_GE_VR_H_aux1, not VT_S_GE_VR_H)
indicated_equals_sent_aux2_aux1: LEMMA invariant(LAMBDA(s:State) : s`pc = DtrRecvInOrderDeliverNext IMPLIES s`VR_H < s`VR_MR)
%proved using indicated_equals_sent_aux2_aux1,
%indicated_equals_sent_aux2_aux2,
%VT_S_GE_VR_H_aux3
indicated_equals_sent_aux2 : LEMMA invariant(LAMBDA(s:State): s`pc = DtrRecvInOrder IMPLIES s`vN_S = s`VR_R)
%inductive
NEW_SD_POLL2: LEMMA invariant(LAMBDA(s:State) : FORALL (i,j: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(i), new_sd = SR_channel(j) IN POLL?(poll) AND NEW_SD?(new_sd) AND i > j IMPLIES mN_S(poll) > mN_S(new_sd))
%proved using NEW_SD_POLL2 (the stored proof script in sscop_SD_receiver_invariants1.prf also invokes init_inv4)
POLL_inv0_aux1 : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrRecvTestSeq IMPLIES FORALL (i: subrange(s`SR_receiver_index, SR_sender_index-1)): LET poll = SR_channel(i) IN POLL?(poll) AND s`vN_S >= s`VR_H IMPLIES s`vN_S < mN_S(poll))
%proved using VT_S_GE_VR_H_aux1 (note: the stored proof script in sscop_SD_receiver_invariants1.prf cites indicated_equals_sent_aux2_aux1, POLL_inv0_aux1 and VT_S_GE_VR_H; VT_S_GE_VR_H_aux1 is not cited directly)
POLL_inv0_aux2: LEMMA invariant(LAMBDA (s: State): s`pc = DtrRecvInOrder IMPLIES (FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET poll = SR_channel(i) IN POLL?(poll) AND s`VR_R = s`VR_H IMPLIES s`VR_R < mN_S(poll)))
%proved using indicated_equals_sent_aux2, POLL_inv0_aux1,POLL_inv0_aux2
POLL_inv0: LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(s`SR_receiver_index, SR_sender_index - 1)): LET pdu = SR_channel(i) IN POLL?(pdu) IMPLIES s`VR_H <= mN_S(pdu))
%proved using OLD_SD_inv1, NEW_SD_inv1
%preserved by STAT receiver: sscop_STAT_receiver_invariants3.retrans_inv1_aux2
OutOfDtr_unreachable_aux: LEMMA
invariant(LAMBDA(s:State): s`pc = DtrRecvTestSeq AND s`vN_S < s`VR_H AND s`vN_S < s`VR_MR IMPLIES NOT s`vRecvBuffer`Arrived(s`vN_S)) %and the final goal for this theory... %proved using OutOfDtr_unreachable_aux OutOfDtr_unreachable : LEMMA invariant(LAMBDA(s:State) : NOT s`pc = OutOfDtr) END sscop_SD_receiver_invariants1 $$$sscop_SD_receiver_invariants1.prf (|sscop_SD_receiver_invariants1| (|init_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC10| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC11| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC12| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC13| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC14| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC15| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC16| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC17| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC18| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC19| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC20| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC21| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC22| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC23| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC24| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC25| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC26| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC27| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC28| "" (SUBTYPE-TCC) NIL NIL) (|init_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_inv1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_inv1_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|init_inv1_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|init_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM 1 ("j" "k")) (("2" (TYPEPRED ("j" "k")) (("2" (INST - "j" "k") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|init_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_inv2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (HIDE -3) (("1" (HIDE-ALL-BUT (-4 -7 1)) (("1" (SKOSIMP*) (("1" (INST - "k!1") (("1" (INST - "j!1") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM + ("j" "k")) (("2" (INST - "j" "k") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|init_inv3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_inv3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_inv3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM 1 ("j" "k")) (("2" (TYPEPRED ("j" "k")) (("2" (INST - "j" "k") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|init_inv4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_inv4_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_inv4| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM + "k") (("2" (INST - "k") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|init_inv5_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_inv5| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (BETA) (("2" (SKOLEM + ("i" "j")) (("2" (TYPEPRED ("i" "j")) (("2" (INST - "i" "j") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv5_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|NEW_SD_inv5| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM + "k") (("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv4| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (BETA) (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "j") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "init_inv2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index" "j") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "init_inv1") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (TYPEPRED "j") (("2" (GRIND :IF-MATCH NIL) (("2" (INST - "r(n)`SR_receiver_index" "j") (("2" (GRIND :IF-MATCH NIL) (("2" (INST - "j") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "init_inv2") (("3" (TYPEPRED "j") (("3" (GRIND :IF-MATCH NIL) (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index" "j") (("3" (GRIND :IF-MATCH NIL) (("3" (LEMMA "init_inv1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index" "j") (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "init_inv1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (TYPEPRED "j") (("4" (GRIND :IF-MATCH NIL) (("4" (INST - "r(n)`SR_receiver_index" "j") (("4" (GRIND :IF-MATCH NIL) (("4" (INST - "j") (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (LEMMA "init_inv2") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`SR_receiver_index" "j") (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "init_inv1") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r(n)`SR_receiver_index" "j") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "NEW_SD_inv4") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA "NEW_SD_inv4") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "NEW_SD_inv4") (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j!1" "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j!1" "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j!1" "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j!1" "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "NEW_SD_inv4") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "j!1" "k!1") (("5" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (INST - "j!1" "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j!1" "k!1") (("7" (ASSERT) NIL NIL)) NIL) ("8" (INST - "j!1" "k!1") (("8" (ASSERT) (("8" (LEMMA "NEW_SD_inv4") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (ASSERT) (("8" (INST - "k!1") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "j!1" "k!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "j!1" "k!1") (("10" (ASSERT) NIL NIL)) NIL) ("11" (LEMMA "NEW_SD_inv4") (("11" (INST - "j!1" "k!1") (("11" (GRIND :IF-MATCH NIL) (("11" (INST - "r" "n") (("11" (ASSERT) (("11" (INST - "k!1") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" 
(INST - "j!1" "k!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "j!1" "k!1") (("13" (ASSERT) NIL NIL)) NIL) ("14" (LEMMA "NEW_SD_inv4") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (ASSERT) (("14" (INST - "k!1") (("14" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "j!1" "k!1") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "j!1" "k!1") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "j!1" "k!1") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "j!1" "k!1") (("18" (GRIND) NIL NIL)) NIL) ("19" (INST - "j!1" "k!1") (("19" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (HIDE -3) (("1" (HIDE-ALL-BUT (-4 1)) (("1" (SKOSIMP*) (("1" (INST - "i!1") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (BETA) (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM 1 "j") (("2" (GRIND :IF-MATCH NIL) (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL) ("4" (GRIND) NIL NIL) ("5" (COMMENT "need to prove FORALL j ; NEW_SD?(SR_channel(j)) => pc = DtrRecvTestSeq => vN_S < mN_S(SR_channel(j))") (("5" (LEMMA "NEW_SD_inv2") (("5" (GRIND) NIL NIL)) ";;;need to prove FORALL j ; NEW_SD?(SR_channel(j)) => pc = DtrRecvTestSeq => vN_S < mN_S(SR_channel(j))")) NIL) ("6" (GRIND) NIL NIL) ("7" (LEMMA "NEW_SD_inv4") (("7" (GRIND) NIL NIL)) NIL) ("8" (LEMMA "NEW_SD_inv4") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (ASSERT) (("8" (INST - "j") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (COMMENT "need to prove FORALL j ; NEW_SD?(SR_channel(j)) => pc = DtrRecvTestSeq => vN_S < mN_S(SR_channel(j))") 
(("9" (LEMMA "NEW_SD_inv2") (("9" (GRIND) NIL NIL)) ";;;need to prove FORALL j ; NEW_SD?(SR_channel(j)) => pc = DtrRecvTestSeq => vN_S < mN_S(SR_channel(j))")) NIL) ("10" (GRIND) NIL NIL) ("11" (GRIND) (("11" (LEMMA "NEW_SD_inv4") (("11" (GRIND) NIL NIL)) NIL)) NIL) ("12" (TYPEPRED "j") (("12" (GRIND :IF-MATCH NIL) (("12" (LEMMA "NEW_SD_inv3") (("12" (GRIND -1) (("12" (LEMMA "NEW_SD_inv4") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (ASSERT) (("12" (INST - "j") (("12" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (GRIND) NIL NIL) ("14" (INST - "j") (("14" (ASSERT) NIL NIL)) NIL) ("15" (LEMMA "NEW_SD_inv3") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (ASSERT) (("15" (SPLIT) (("1" (LEMMA "NEW_SD_inv2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`VR_H" "j") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "j") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "j") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|init_inv7_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_inv7| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|init_inv6_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "init_inv5") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "i" "r(n)`SR_receiver_index") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") NIL NIL) ("3" (LEMMA "init_inv7") (("3" (GRIND) (("3" (LEMMA "NEW_SD_inv1") (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("4" (INST - "i") NIL NIL) ("5" (LEMMA "init_inv5") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "i" "r(n)`SR_receiver_index") (("5" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "NEW_SD_inv1") (("6" (LEMMA "init_inv7") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|init_inv6| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") NIL NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (COMMENT "need to prove forall i an index of rexmitqueue, VR_H > vReXmitQueue(i)`Seq") (("7" (LEMMA "init_inv7") (("7" (GRIND) NIL NIL)) ";;;need to prove forall i an index of rexmitqueue, VR_H > vReXmitQueue(i)`Seq")) NIL) ("8" (LEMMA "init_inv7") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (INST - "i") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "i") NIL NIL) ("10" (NAME "w" "vReXmitQueue(i)`Seq") (("10" (REPLACE -1) (("10" (COMMENT "use the fact that seq numbers in the retrans queue are not in the SR channel") (("10" (LEMMA "init_inv6_aux") (("10" (GRIND) NIL NIL)) ";;;use the fact that seq numbers in the retrans queue are not in the SR channel")) NIL)) NIL)) NIL) ("11" (LEMMA "init_inv6_aux") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (ASSERT) (("11" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i") NIL NIL) ("13" (COMMENT "need to prove forall i an index of rexmitqueue, VR_H > vReXmitQueue(i)`Seq") (("13" (LEMMA "init_inv7") (("13" (GRIND) NIL NIL)) ";;;need to prove forall i an index of rexmitqueue, VR_H > vReXmitQueue(i)`Seq")) NIL) ("14" (LEMMA "init_inv6_aux") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (ASSERT) (("14" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "i") NIL NIL) ("16" (INST - "i") NIL NIL) ("17" (INST - "i") NIL NIL) ("18" (INST - "i") NIL NIL) ("19" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" 
(GRIND) NIL NIL)) NIL)) NIL)) NIL) (|VT_S_GE_VR_H_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|VT_S_GE_VR_H_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND "run") (("1" (EXPAND "init") (("1" (FLATTEN) (("1" (HIDE-ALL-BUT (-2 -3 -8 1)) (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (BETA) (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (INST -4 "n") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "i") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "i") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "i") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|VT_S_GE_VR_H_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND "run") (("1" (GRIND) NIL NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (VT_S_GE_VR_H "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -1) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE -1) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE -1) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE -1) (("5" (GRIND) NIL NIL)) NIL) ("6" (HIDE -2) (("6" (SKOLEM 1 "n") (("6" (EXPAND "run_fragment") (("6" (INST - "n") (("6" (FLATTEN) (("6" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "VT_S_GE_VR_H_aux3") (("9" (INST - "r(n)`VR_R") (("9" (GRIND) NIL NIL)) NIL)) NIL) ("10" (INST - "k!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "k!1") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "k!1") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "k!1") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "k!1") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "k!1") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "k!1") (("18" (GRIND) NIL NIL)) NIL) ("19" (COMMENT "need to prove VR_H <= VR_MR") (("19" (LEMMA "VT_S_GE_VR_H_aux1") (("19" (EXPAND "invariant") (("19" (INST - "r" "n") (("19" (INST - "k!1") (("19" (GRIND) NIL NIL)) NIL)) 
NIL)) NIL)) ";;;need to prove VR_H <= VR_MR")) NIL) ("20" (INST - "k!1") (("20" (GRIND) NIL NIL)) NIL) ("21" (LEMMA "VT_S_GE_VR_H_aux2") (("21" (EXPAND "invariant") (("21" (INST - "r" "n") (("21" (INST -5 "k!1") (("21" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("22" (LEMMA "init_inv4") (("22" (EXPAND "invariant") (("22" (INST - "r" "n") (("22" (INST - "r(n)`SR_receiver_index") (("22" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("23" (LEMMA "NEW_SD_inv5") (("23" (EXPAND "invariant") (("23" (INST - "r" "n") (("23" (INST - "r(n)`SR_receiver_index") (("23" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("24" (INST - "k!1") (("24" (GRIND) NIL NIL)) NIL) ("25" (INST - "k!1") (("25" (GRIND) NIL NIL)) NIL) ("26" (INST - "k!1") (("26" (GRIND) NIL NIL)) NIL) ("27" (INST - "k!1") (("27" (ASSERT) NIL NIL)) NIL) ("28" (INST - "k!1") (("28" (ASSERT) NIL NIL)) NIL) ("29" (LEMMA "init_inv4") (("29" (EXPAND "invariant") (("29" (INST - "r" "n") (("29" (INST - "r(n)`SR_receiver_index") (("29" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("30" (LEMMA "NEW_SD_inv5") (("30" (EXPAND "invariant") (("30" (INST - "r" "n") (("30" (INST - "r(n)`SR_receiver_index") (("30" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (BETA) (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "init_inv3") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "i" "r(n)`SR_receiver_index") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "init_inv3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "i" "r(n)`SR_receiver_index") (("2" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "init_inv2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "i" "r(n)`SR_receiver_index") (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "i") NIL NIL) ("5" (LEMMA "init_inv3") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "i" "r(n)`SR_receiver_index") (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "init_inv2") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "i" "r(n)`SR_receiver_index") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM 1 "j") (("2" (TYPEPRED "j") (("2" (INST - "j") (("1" (BETA) (("1" (FLATTEN) (("1" (GRIND :IF-MATCH NIL) (("1" (COMMENT "will prove FORALL (j) : OLD_SD?(SR_channel(j)) => vN_S /= mN_S(SR_channel(j)") (("1" (LEMMA "OLD_SD_inv2") (("1" (GRIND) NIL NIL)) ";;;will prove FORALL (j) : OLD_SD?(SR_channel(j)) => vN_S /= mN_S(SR_channel(j)")) NIL) ("2" (COMMENT "will prove FORALL (j) : OLD_SD?(SR_channel(j)) => vN_S /= mN_S(SR_channel(j)") (("2" (LEMMA "OLD_SD_inv2") (("2" (GRIND) NIL NIL)) ";;;will prove FORALL (j) : OLD_SD?(SR_channel(j)) => vN_S /= mN_S(SR_channel(j)")) NIL) ("3" (COMMENT "will prove FORALL (j) : OLD_SD?(SR_channel(j)) => vN_S /= mN_S(SR_channel(j)") (("3" (LEMMA "OLD_SD_inv2") (("3" (GRIND) NIL NIL)) ";;;will prove FORALL (j) : OLD_SD?(SR_channel(j)) => vN_S /= mN_S(SR_channel(j)")) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux2_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "i") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "i") (("1" (GRIND) NIL NIL) ("2" (GRIND) (("2" (LEMMA "VT_S_GE_VR_H_aux1") (("2" (GRIND) (("2" (LEMMA "VT_S_GE_VR_H") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (FLATTEN) (("2" (HIDE -1 -2 -3 -4) (("2" (INST - "r(n)`VR_MR") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "i") (("1" (GROUND) NIL NIL) ("2" (LEMMA "VT_S_GE_VR_H_aux1") (("2" (GRIND) (("2" (LEMMA "VT_S_GE_VR_H") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (FLATTEN) (("2" (INST - "i") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux2_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("2" (LEMMA "VT_S_GE_VR_H_aux1") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "indicated_equals_sent_aux2_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`VR_R") (("1" (GRIND) NIL NIL) ("2" (LEMMA "indicated_equals_sent_aux2_aux1") (("2" (GRIND) (("2" (LEMMA "VT_S_GE_VR_H_aux3") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "indicated_equals_sent_aux2_aux2") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`VR_R") (("1" (GRIND) NIL NIL) ("2" (LEMMA "indicated_equals_sent_aux2_aux1") (("2" (GRIND) (("2" (LEMMA "VT_S_GE_VR_H_aux3") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (NEW_SD_POLL2_TCC1 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL2_TCC2 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL2_TCC3 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL2 "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("i" "j")) (("2" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|POLL_inv0_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv0_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "init_inv4") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (LEMMA "NEW_SD_POLL2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "i" "r(n)`SR_receiver_index") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "init_inv4") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`SR_receiver_index") (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "NEW_SD_POLL2") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "i" "r(n)`SR_receiver_index") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|POLL_inv0_aux2_TCC1| "" 
(SUBTYPE-TCC) NIL NIL) (|POLL_inv0_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "indicated_equals_sent_aux2_aux1") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "POLL_inv0_aux1") (("5" (GRIND) NIL NIL)) NIL) ("6" (LEMMA "POLL_inv0_aux1") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (GRIND) (("6" (LEMMA "VT_S_GE_VR_H") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (FLATTEN) (("6" (HIDE (-1 -2 -3 -4)) (("6" (INST - "r(n)`VR_H") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|POLL_inv0_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv0| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (HIDE -3) (("1" (HIDE-ALL-BUT (-5 1)) (("1" (SKOSIMP*) (("1" (INST - "i!1") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (BETA) (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (COMMENT "will prove pc = DtrRecvTestSeq AND vN_S >= VR_H => FORALL i: POLL(SR_Channel(i)) => vN_S < mN_S(SR_channel(i))") (("1" (LEMMA "POLL_inv0_aux1") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "i") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) ";;;will prove pc = DtrRecvTestSeq AND vN_S >= VR_H => FORALL i: POLL(SR_Channel(i)) => vN_S < mN_S(SR_channel(i))")) NIL) ("2" (INST - "i") (("2" (GROUND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (COMMENT "will prove s`pc = DtrRecvInOrder AND VR_R = VR_H => FORALL i: POLL(SR_Channel(i)) => VR_H < mN_S(SR_channel(i))") (("5" (INST - "i") (("5" (GRIND) NIL NIL)) ";;;will prove s`pc = DtrRecvInOrder AND VR_R = VR_H => FORALL i: POLL(SR_Channel(i)) => VR_H < mN_S(SR_channel(i))")) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (LEMMA "POLL_inv0_aux1") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (GROUND) (("8" (INST - "i") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (ASSERT) NIL NIL)) NIL) ("11" (LEMMA "POLL_inv0_aux1") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (GROUND) (("11" (INST - "i") (("11" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i") (("12" (GRIND) (("12" (LEMMA "POLL_inv0_aux1") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" 
(ASSERT) (("12" (INST - "i") (("12" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (ASSERT) NIL NIL)) NIL) ("15" (INST - "i") (("15" (GRIND) (("15" (LEMMA "POLL_inv0_aux2") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (ASSERT) (("15" (INST - "i") (("15" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "i") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OutOfDtr_unreachable_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) (("1" (LEMMA "OLD_SD_inv1") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA "NEW_SD_inv1") (("2" (GRIND) NIL NIL)) NIL) ("3" (LEMMA "OLD_SD_inv1") (("3" (GRIND) NIL NIL)) NIL) ("4" (LEMMA "NEW_SD_inv1") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "OLD_SD_inv1") (("5" (GRIND) NIL NIL)) NIL) ("6" (LEMMA "NEW_SD_inv1") (("6" (GRIND) NIL NIL)) NIL) ("7" (LEMMA "OLD_SD_inv1") (("7" (GRIND) NIL NIL)) NIL) ("8" (LEMMA "NEW_SD_inv1") (("8" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OutOfDtr_unreachable| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -2) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "n") (("2" (INST - "n") (("2" (GRIND) (("2" (COMMENT "will prove pc = DtrRecvTestSeq and `VR_H > r(n)`vN_S => not r(n)`vRecvBuffer`Arrived(r(n)`vN_S)") (("2" (LEMMA "OutOfDtr_unreachable_aux") (("2" (GRIND) NIL NIL)) ";;;will prove pc = DtrRecvTestSeq and `VR_H > r(n)`vN_S => not r(n)`vRecvBuffer`Arrived(r(n)`vN_S)")) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL))
$$$sscop_SD_receiver_invariants2.pvs
sscop_SD_receiver_invariants2 : THEORY
%Facts about the USTAT PDUs in flight in the RS channel, i.e. the entries
%RS_sender_index .. s`RS_receiver_index-1 of s`RS_channel.
%NOTE(review): RS_channel is a field of the receiver's State here, so an
%in-flight USTAT is whatever the modelled receiver wrote into it. The bounds
%established below are therefore properties of the model, not checks that the
%sender performs when a USTAT arrives; an implementation that takes USTATs
%from the network must validate those bounds itself (see USTAT_inv3).
BEGIN IMPORTING sscop_SD_receiver_invariants1
%inductive: proved directly from invariant_rule, no auxiliary lemmas
USTAT_inv : LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)) : let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : l < s`VR_H)
%proved using init_inv4
USTAT_inv2_aux1 : LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1), j : subrange(s`SR_receiver_index, SR_sender_index-1)): let pdu = SR_channel(j) in OLD_SD?(pdu) IMPLIES mN_S(pdu) < l)
%proved using USTAT_inv2_aux1, USTAT_inv and NEW_SD_inv1
USTAT_inv2_aux : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrRecvTestSeq IMPLIES FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : s`vN_S /= l)
%proved using USTAT_inv, USTAT_inv2_aux and VT_S_GE_VR_H
USTAT_inv2 : LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(RS_sender_index, 
s`RS_receiver_index-1)) : let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1)) : NOT s`vRecvBuffer`Arrived(l))
%proved using init_inv7
OLD_SD_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL(l:subrange(bottom,top-1), j:subrange(vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)): vReXmitQueue(j)`Seq < l)
%inductive: proved directly from invariant_rule, no auxiliary lemmas
USTAT_inv3_aux1: LEMMA invariant(LAMBDA(s:State) : FORALL (i:below(VT_S)): vXmitBuffer`Data(i)`Seq = i)
%inductive: proved directly from invariant_rule, no auxiliary lemmas
USTAT_inv3_aux2: LEMMA invariant(LAMBDA(s:State) : VT_A <= s`VR_R)
%proved using VT_S_GE_VR_H, USTAT_inv3_aux1, VT_S_GE_VR_H_aux3, USTAT_inv3_aux2
%Well-formedness of an in-flight USTAT: VT_A <= N(R) <= bot < top < VT_S, so
%every index j in [bot, top-1] lies below VT_S and the entry vXmitBuffer`Data(j)
%carries sequence number j. NOTE(review): this is what makes indexing
%vXmitBuffer by USTAT list entries safe in the model; a sender that accepts
%USTATs from an untrusted peer must enforce the same bounds explicitly before
%using a list entry as a buffer index.
USTAT_inv3: LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2), vN_R = mN_R(pdu) IN VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < VT_S AND FORALL (j:subrange(bot,top-1)): vXmitBuffer`Data(j)`Seq = j)
%inductive: proved directly from invariant_rule, no auxiliary lemmas
USTAT_inv4_aux: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(RS_sender_index,s`RS_receiver_index-1)) : LET pdu = s`RS_channel(i) IN USTAT?(pdu) IMPLIES s`VR_R >= mN_R(pdu))
%proved using USTAT_inv4_aux
USTAT_inv4: LEMMA invariant(LAMBDA(s:State) : FORALL (i,j:subrange(RS_sender_index,s`RS_receiver_index-1)) : LET pdu1 = s`RS_channel(i), pdu2 = s`RS_channel(j) IN i < j AND USTAT?(pdu1) AND USTAT?(pdu2) IMPLIES mN_R(pdu1) <=mN_R(pdu2))
%proved using USTAT_inv and USTAT_inv3
USTAT_inv5: LEMMA invariant(LAMBDA(s:State) : FORALL (i,j :subrange(RS_sender_index, s`RS_receiver_index-1)): let pdu1 = s`RS_channel(i), pdu2 = s`RS_channel(j) IN USTAT?(pdu1) AND USTAT?(pdu2) AND i < j IMPLIES mList(pdu1)`Data(2) <= 
mList(pdu2)`Data(1)) END sscop_SD_receiver_invariants2 $$$sscop_SD_receiver_invariants2.prf (|sscop_SD_receiver_invariants2| (|USTAT_inv_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (HIDE -3) (("1" (SPLIT -2) (("1" (FLATTEN) (("1" (HIDE-ALL-BUT (-16 1)) (("1" (SKOSIMP*) (("1" (INST - "i!1") (("1" (GROUND) (("1" (FLATTEN) (("1" (SKOSIMP*) (("1" (INST - "l!1") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (INST - "i") (("1" (BETA) (("1" (GROUND) (("1" (SKOLEM + "l") (("1" (TYPEPRED "l") (("1" (GRIND :IF-MATCH NIL) (("1" (INST - "l") NIL NIL) ("2" (INST - "l") NIL NIL) ("3" (INST - "l") NIL NIL) ("4" (INST - "l") NIL NIL) ("5" (INST - "l") NIL NIL) ("6" (INST - "l") NIL NIL) ("7" (INST - "l") NIL NIL) ("8" (INST - "l") (("8" (ASSERT) NIL NIL)) NIL) ("9" (INST - "l") NIL NIL) ("10" (INST - "l") NIL NIL) ("11" (INST - "l") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "l") (("12" (ASSERT) NIL NIL)) NIL) ("13" (INST - "l") NIL NIL) ("14" (INST - "l") NIL NIL) ("15" (INST - "l") (("15" (ASSERT) NIL NIL)) NIL) ("16" (INST - "l") NIL NIL)) NIL)) NIL)) NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv2_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv2_aux1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv2_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (BETA) (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND "run") (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (HIDE -3) (("1" (SPLIT -2) (("1" (FLATTEN) NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM 1 "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (FLATTEN) (("2" (SKOLEM 1 ("l" "j")) (("2" (TYPEPRED "l" "j") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GROUND) (("1" (INST - "l" "j") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GROUND) (("2" (INST - "l" "j") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("3" (INST - "i") (("3" (GROUND) (("3" (INST - "l" "j") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("4" (INST - "i") (("4" (GROUND) (("4" (INST - "l" "j") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("5" (INST - "i") (("5" (GROUND) (("5" (INST - "l" "j") (("5" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("6" (INST - "i") (("6" (GROUND) (("6" (INST - "l" "j") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("7" (INST - "i") (("7" (GROUND) (("7" (INST - "l" "j") (("7" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("8" (INST - "i") (("8" (GROUND) (("8" (INST - "l" "j") (("8" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("9" (INST - "i") (("9" (GROUND) (("9" (INST - "l" "j") (("9" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("10" (LEMMA "init_inv4") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "j") (("10" (GROUND) (("10" (INST - "i") (("10" (ASSERT) (("10" (INST - "l" "j") (("10" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (LEMMA "init_inv4") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "j") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (LEMMA "init_inv4") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "j") (("12" (GROUND) (("12" (INST - "i") (("12" (ASSERT) (("12" (INST 
- "l" "j") (("12" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (LEMMA "init_inv4") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "j") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "i") (("14" (GROUND) (("14" (INST - "l" "j") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("15" (INST - "i") (("15" (GROUND) (("15" (INST - "l" "j") (("15" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("16" (INST - "i") (("16" (GROUND) (("16" (INST - "l" "j") (("16" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("17" (INST - "i") (("17" (GROUND) (("17" (INST - "l" "j") (("17" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("18" (INST - "i") (("18" (ASSERT) (("18" (INST - "l" "j") (("18" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv2_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (BETA) (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND :IF-MATCH NIL) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (FLATTEN) (("2" (SKOLEM 1 "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "USTAT_inv2_aux1") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "i") (("1" (GROUND) (("1" (INST - "l" "r(n)`SR_receiver_index") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GROUND) NIL NIL)) NIL) ("3" (LEMMA "NEW_SD_inv1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index") (("3" (GROUND) (("3" (LEMMA "USTAT_inv") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "i") (("3" (GROUND) (("3" (INST - "l") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "i") (("4" (GROUND) NIL NIL)) NIL) ("5" (LEMMA "USTAT_inv2_aux1") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "i") (("5" (ASSERT) (("5" (INST - "l" "r(n)`SR_receiver_index") (("5" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "USTAT_inv") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "i") (("6" (ASSERT) (("6" (INST - "l") (("6" (ASSERT) (("6" (LEMMA "NEW_SD_inv1") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r(n)`SR_receiver_index") (("6" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (BETA) (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND "run") (("1" (EXPAND "init") (("1" (FLATTEN) (("1" (HIDE -3) (("1" (SPLIT -2) (("1" (FLATTEN) (("1" (HIDE-ALL-BUT (-16 1)) (("1" (SKOSIMP*) (("1" (INST - "i!1") (("1" (ASSERT) (("1" (INST - "l!1") (("1" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("3" (INST - "i") (("3" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("4" (INST - "i") (("4" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("5" (INST - "i") (("5" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("6" (INST - "i") (("6" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("7" (LEMMA "USTAT_inv") (("7" (EXPAND "invariant") (("7" (INST - "r" "n") (("7" (INST - "i") (("7" (SPLIT) (("1" (INST - "l") (("1" (ASSERT) (("1" (INST - "i") (("1" (ASSERT) (("1" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("8" (LEMMA "USTAT_inv2_aux") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (GROUND) (("8" (INST - "i") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "i") (("9" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("10" (COMMENT "need to prove pc = DtrRecvTestSeq => vN_S is not in any USTAT list") (("10" (LEMMA "USTAT_inv2_aux") (("10" (GRIND) NIL NIL)) ";;;need to prove pc = DtrRecvTestSeq => vN_S 
is not in any USTAT list")) NIL) ("11" (INST - "i") (("11" (SPLIT) (("1" (LEMMA "USTAT_inv2_aux") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (ASSERT) (("1" (INST - "i") (("1" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("12" (INST - "i") (("12" (ASSERT) (("12" (INST - "l") NIL NIL)) NIL)) NIL) ("13" (LEMMA "VT_S_GE_VR_H") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (ASSERT) (("13" (FLATTEN) (("13" (INST - "l") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "i") (("14" (ASSERT) (("14" (INST - "l") NIL NIL)) NIL)) NIL) ("15" (LEMMA "VT_S_GE_VR_H") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (ASSERT) (("15" (FLATTEN) (("15" (INST - "l") (("15" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (LEMMA "USTAT_inv2_aux") (("16" (EXPAND "invariant") (("16" (INST - "r" "n") (("16" (ASSERT) (("16" (INST - "i") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("17" (INST - "i") (("17" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("18" (INST - "i") (("18" (SPLIT) (("1" (INST - "l") NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL) ("19" (INST - "i") (("19" (GROUND) (("19" (INST - "l") NIL NIL)) NIL)) NIL) ("20" (INST - "i") (("20" (GROUND) (("20" (INST - "l") NIL NIL)) NIL)) NIL) ("21" (INST - "i") (("21" (ASSERT) (("21" (INST - "l") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (BETA) (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND "run") (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (SPLIT -2) (("1" (FLATTEN) NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (SKOLEM 1 "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (FLATTEN) (("2" (SKOLEM 1 ("l" "j")) (("2" (TYPEPRED "l" "j") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GROUND) (("1" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GROUND) (("2" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("3" (INST - "i") (("3" (GROUND) (("3" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("4" (INST - "i") (("4" (GROUND) (("4" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("5" (INST - "i") (("5" (GROUND) (("5" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("6" (INST - "i") (("6" (GROUND) (("6" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("7" (INST - "i") (("7" (GROUND) (("7" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("8" (INST - "i") (("8" (GROUND) (("8" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("9" (INST - "i") (("9" (GROUND) (("9" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("10" (LEMMA "init_inv7") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "j") (("10" (GROUND) (("10" (INST - "i") (("10" (ASSERT) (("10" (INST - "l" "j") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (LEMMA "init_inv7") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "j") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (LEMMA "init_inv7") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "j") (("12" (GROUND) (("12" (INST - "i") (("12" (ASSERT) (("12" (INST - "l" "j") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (LEMMA "init_inv7") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (ASSERT) (("13" (INST - "j") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) 
("14" (INST - "i") (("14" (GROUND) (("14" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("15" (INST - "i") (("15" (GROUND) (("15" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("16" (INST - "i") (("16" (GROUND) (("16" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("17" (INST - "i") (("17" (GROUND) (("17" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("18" (INST - "i") (("18" (ASSERT) (("18" (INST - "l" "j") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv3_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "n") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|USTAT_inv3_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "n") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|USTAT_inv3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (BETA) (("1" (SPLIT -2) (("1" (FLATTEN) NIL NIL) ("2" (PROPAX) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i!1") (("1" (GROUND) (("1" (INST - "j!1") NIL NIL)) NIL)) NIL) ("2" (INST - "i!1") (("2" (GROUND) (("2" (INST - "j!1") NIL NIL)) NIL)) NIL) ("3" (INST - "i!1") (("3" (GROUND) (("3" (INST - "j!1") NIL NIL)) NIL)) NIL) ("4" (INST - "i!1") (("4" (GROUND) (("4" (INST - "j!1") NIL NIL)) NIL)) NIL) ("5" (INST - "i!1") (("5" (GROUND) (("5" (INST - "j!1") NIL NIL)) NIL)) NIL) ("6" (INST - "i!1") (("6" (GROUND) (("6" (INST - "j!1") NIL NIL)) NIL)) NIL) ("7" (INST - "i!1") (("7" (GROUND) (("7" (INST - "j!1") NIL NIL)) NIL)) NIL) ("8" (INST - "i!1") (("8" (GROUND) (("8" (INST - "j!1") NIL NIL)) NIL)) NIL) ("9" (INST - "i!1") (("9" (GROUND) (("9" (INST - "j!1") NIL NIL)) NIL)) NIL) ("10" (INST - "i!1") (("10" (GROUND) (("10" (INST - "j!1") NIL NIL)) NIL)) NIL) ("11" (LEMMA "USTAT_inv3_aux1") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "j!1") (("11" (LEMMA "VT_S_GE_VR_H") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (FLATTEN) (("11" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i!1") (("12" (GROUND) (("12" (INST - "j!1") NIL NIL)) NIL)) NIL) ("13" (LEMMA "USTAT_inv3_aux1") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "j!1") (("13" (LEMMA "VT_S_GE_VR_H") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "i!1") (("14" (GROUND) (("14" (INST - "j!1") NIL NIL)) NIL)) NIL) ("15" (INST - "i!1") (("15" (GROUND) (("15" (INST - "j!1") NIL NIL)) NIL)) NIL) ("16" (INST - "i!1") (("16" 
(GROUND) (("16" (INST - "j!1") NIL NIL)) NIL)) NIL) ("17" (INST - "i!1") (("17" (GROUND) (("17" (INST - "j!1") NIL NIL)) NIL)) NIL) ("18" (INST - "i!1") (("18" (GROUND) (("18" (INST - "j!1") NIL NIL)) NIL)) NIL) ("19" (INST - "i!1") (("19" (GROUND) NIL NIL)) NIL) ("20" (INST - "i!1") (("20" (GROUND) NIL NIL)) NIL) ("21" (INST - "i!1") (("21" (GROUND) NIL NIL)) NIL) ("22" (INST - "i!1") (("22" (GROUND) NIL NIL)) NIL) ("23" (INST - "i!1") (("23" (GROUND) NIL NIL)) NIL) ("24" (INST - "i!1") (("24" (GROUND) NIL NIL)) NIL) ("25" (INST - "i!1") (("25" (GROUND) NIL NIL)) NIL) ("26" (INST - "i!1") (("26" (GROUND) NIL NIL)) NIL) ("27" (INST - "i!1") (("27" (GROUND) NIL NIL)) NIL) ("28" (INST - "i!1") (("28" (GROUND) NIL NIL)) NIL) ("29" (LEMMA "VT_S_GE_VR_H") (("29" (EXPAND "invariant") (("29" (INST - "r" "n") (("29" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("30" (INST - "i!1") (("30" (GROUND) NIL NIL)) NIL) ("31" (LEMMA "VT_S_GE_VR_H") (("31" (EXPAND "invariant") (("31" (INST - "r" "n") (("31" (ASSERT) NIL NIL)) NIL)) NIL)) NIL) ("32" (INST - "i!1") (("32" (GROUND) NIL NIL)) NIL) ("33" (INST - "i!1") (("33" (GROUND) NIL NIL)) NIL) ("34" (INST - "i!1") (("34" (GROUND) NIL NIL)) NIL) ("35" (INST - "i!1") (("35" (GROUND) NIL NIL)) NIL) ("36" (INST - "i!1") (("36" (GROUND) NIL NIL)) NIL) ("37" (INST - "i!1") (("37" (GROUND) NIL NIL)) NIL) ("38" (INST - "i!1") (("38" (GROUND) NIL NIL)) NIL) ("39" (INST - "i!1") (("39" (GROUND) NIL NIL)) NIL) ("40" (INST - "i!1") (("40" (GROUND) NIL NIL)) NIL) ("41" (INST - "i!1") (("41" (GROUND) NIL NIL)) NIL) ("42" (INST - "i!1") (("42" (GROUND) NIL NIL)) NIL) ("43" (INST - "i!1") (("43" (GROUND) NIL NIL)) NIL) ("44" (INST - "i!1") (("44" (GROUND) NIL NIL)) NIL) ("45" (INST - "i!1") (("45" (GROUND) NIL NIL)) NIL) ("46" (INST - "i!1") (("46" (GROUND) NIL NIL)) NIL) ("47" (INST - "i!1") (("47" (GROUND) NIL NIL)) NIL) ("48" (INST - "i!1") (("48" (GROUND) NIL NIL)) NIL) ("49" (INST - "i!1") (("49" (GROUND) NIL NIL)) NIL) ("50" (INST - "i!1") (("50" 
(GROUND) NIL NIL)) NIL) ("51" (INST - "i!1") (("51" (GROUND) NIL NIL)) NIL) ("52" (INST - "i!1") (("52" (GROUND) NIL NIL)) NIL) ("53" (INST - "i!1") (("53" (GROUND) NIL NIL)) NIL) ("54" (INST - "i!1") (("54" (GROUND) NIL NIL)) NIL) ("55" (INST - "i!1") (("55" (GROUND) NIL NIL)) NIL) ("56" (INST - "i!1") (("56" (GROUND) NIL NIL)) NIL) ("57" (INST - "i!1") (("57" (GROUND) NIL NIL)) NIL) ("58" (INST - "i!1") (("58" (GROUND) NIL NIL)) NIL) ("59" (LEMMA "VT_S_GE_VR_H_aux3") (("59" (EXPAND "invariant") (("59" (INST - "r" "n") (("59" (GROUND) (("59" (INST - "i!1") (("59" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("60" (INST - "i!1") (("60" (GROUND) NIL NIL)) NIL) ("61" (LEMMA "VT_S_GE_VR_H_aux3") (("61" (EXPAND "invariant") (("61" (INST - "r" "n") (("61" (GROUND) (("61" (INST - "i!1") (("61" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("62" (INST - "i!1") (("62" (GROUND) NIL NIL)) NIL) ("63" (LEMMA "VT_S_GE_VR_H_aux3") (("63" (GRIND) NIL NIL)) NIL) ("64" (INST - "i!1") (("64" (GROUND) NIL NIL)) NIL) ("65" (LEMMA "VT_S_GE_VR_H_aux3") (("65" (GRIND) NIL NIL)) NIL) ("66" (INST - "i!1") (("66" (GROUND) NIL NIL)) NIL) ("67" (INST - "i!1") (("67" (GROUND) NIL NIL)) NIL) ("68" (INST - "i!1") (("68" (GROUND) NIL NIL)) NIL) ("69" (INST - "i!1") (("69" (GROUND) NIL NIL)) NIL) ("70" (INST - "i!1") (("70" (GROUND) NIL NIL)) NIL) ("71" (INST - "i!1") (("71" (GROUND) NIL NIL)) NIL) ("72" (INST - "i!1") (("72" (GROUND) NIL NIL)) NIL) ("73" (INST - "i!1") (("73" (GROUND) NIL NIL)) NIL) ("74" (INST - "i!1") (("74" (GROUND) NIL NIL)) NIL) ("75" (INST - "i!1") (("75" (GROUND) NIL NIL)) NIL) ("76" (LEMMA "USTAT_inv3_aux2") (("76" (EXPAND "invariant") (("76" (INST - "r" "n") (("76" (INST - "i!1") (("76" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("77" (INST - "i!1") (("77" (GROUND) NIL NIL)) NIL) ("78" (LEMMA "USTAT_inv3_aux2") (("78" (EXPAND "invariant") (("78" (INST - "r" "n") (("78" (INST - "i!1") (("78" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("79" (INST - "i!1") (("79" 
(GROUND) NIL NIL)) NIL) ("80" (INST - "i!1") (("80" (GROUND) NIL NIL)) NIL) ("81" (LEMMA "USTAT_inv3_aux2") (("81" (GRIND) NIL NIL)) NIL) ("82" (INST - "i!1") (("82" (GROUND) NIL NIL)) NIL) ("83" (LEMMA "USTAT_inv3_aux2") (("83" (GRIND) NIL NIL)) NIL) ("84" (INST - "i!1") (("84" (ASSERT) NIL NIL)) NIL) ("85" (INST - "i!1") (("85" (ASSERT) NIL NIL)) NIL) ("86" (INST - "i!1") (("86" (ASSERT) NIL NIL)) NIL) ("87" (INST - "i!1") (("87" (ASSERT) NIL NIL)) NIL) ("88" (INST - "i!1") (("88" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv4_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (BETA) (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (INST - "i") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv4_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv4| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM 1 "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + ("i" "j")) (("2" (TYPEPRED ("i" "j")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i" "j") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i" "j") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i" "j") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i" "j") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i" "j") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i" "j") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i" "j") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i" "j") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i" "j") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "USTAT_inv4_aux") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "i") (("10" (GROUND) (("10" (INST - "i" "j") (("10" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (LEMMA "USTAT_inv4_aux") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "i") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (LEMMA "USTAT_inv4_aux") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "i") (("12" (GROUND) (("12" (INST - "i" "j") (("12" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (GRIND) (("13" (LEMMA "USTAT_inv4_aux") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "i") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "i" "j") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "i" "j") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "i" "j") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "i" "j") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "i" "j") (("18" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" 
(GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|USTAT_inv5| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM 1 ("i" "j")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i" "j") (("1" (GROUND) NIL NIL)) NIL) ("2" (INST - "i" "j") (("2" (GROUND) NIL NIL)) NIL) ("3" (INST - "i" "j") (("3" (GROUND) NIL NIL)) NIL) ("4" (INST - "i" "j") (("4" (GROUND) NIL NIL)) NIL) ("5" (INST - "i" "j") (("5" (GROUND) NIL NIL)) NIL) ("6" (INST - "i" "j") (("6" (GROUND) NIL NIL)) NIL) ("7" (INST - "i" "j") (("7" (GROUND) NIL NIL)) NIL) ("8" (INST - "i" "j") (("8" (GROUND) NIL NIL)) NIL) ("9" (INST - "i" "j") (("9" (GROUND) NIL NIL)) NIL) ("10" (INST - "i" "j") (("10" (ASSERT) NIL NIL)) NIL) ("11" (LEMMA "USTAT_inv") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "i") (("11" (GROUND) (("11" (INST -1 "mList(r(n)`RS_channel(i))`Data(2) - 1") (("1" (GROUND) NIL NIL) ("2" (LEMMA "USTAT_inv3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "i") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (TYPEPRED "i") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (LEMMA "USTAT_inv") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "i") (("12" (ASSERT) (("12" (INST - "mList(r(n)`RS_channel(i))`Data(2) - 1") (("1" (ASSERT) NIL NIL) ("2" (LEMMA "USTAT_inv3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "i") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (TYPEPRED "i") (("3" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "i" "j") (("13" (ASSERT) NIL NIL)) NIL) ("14" (LEMMA "USTAT_inv") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "i") (("14" (GROUND) (("14" 
(INST -1 "mList(r(n)`RS_channel(i))`Data(2) - 1") (("1" (GROUND) NIL NIL) ("2" (LEMMA "USTAT_inv3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "i") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (TYPEPRED "i") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("15" (LEMMA "USTAT_inv") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (ASSERT) (("15" (INST - "i") (("15" (ASSERT) (("15" (INST - "mList(r(n)`RS_channel(i))`Data(2) - 1") (("1" (ASSERT) NIL NIL) ("2" (LEMMA "USTAT_inv3") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "i") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (TYPEPRED "i") (("3" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "i" "j") (("16" (GROUND) NIL NIL)) NIL) ("17" (INST - "i" "j") (("17" (GROUND) NIL NIL)) NIL) ("18" (INST - "i" "j") (("18" (GROUND) NIL NIL)) NIL) ("19" (INST - "i" "j") (("19" (GROUND) NIL NIL)) NIL) ("20" (INST - "i" "j") (("20" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_receiver_invariants3.pvs sscop_SD_receiver_invariants3: THEORY BEGIN IMPORTING sscop_SD_receiver_invariants2 %inductive indicated_equals_sent_aux1_aux1: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(s`SR_receiver_index,SR_sender_index-1)) : LET pdu = SR_channel(i) IN SD?(pdu) IMPLIES mData(pdu) = vXmitBuffer`Data(mN_S(pdu))`Payload) %proved using indicated_equals_sent_aux1_aux1 indicated_equals_sent_aux1_aux3 : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrRecvTestSeq IMPLIES s`vData = vXmitBuffer`Data(s`vN_S)`Payload) %proved using indicated_equals_sent_aux1_aux3, VT_S_GE_VR_H,VT_S_GE_VR_H_aux1 indicated_equals_sent_aux1_aux2: LEMMA invariant(LAMBDA(s:State): FORALL (i:below(s`VR_MR)) : 
s`vRecvBuffer`Arrived(i) IMPLIES s`vRecvBuffer`Data(i)`Payload = vXmitBuffer`Data(i)`Payload) %proved using indicated_equals_sent_aux2_aux1, %indicated_equals_sent_aux2_aux2, %VT_S_GE_VR_H_aux3, %indicated_equals_sent_aux1_aux1, %indicated_equals_sent_aux1_aux2 indicated_equals_sent_aux1 : LEMMA invariant(LAMBDA(s:State) : s`pc = DtrRecvInOrder IMPLIES s`vData = vXmitBuffer`Data(s`vN_S)`Payload) %inductive STAT_inv2_aux3 : LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND l < k IMPLIES mN_R(ustat) <= mN_R(stat)) %inductive VT_A_LEQ_VR_R_aux : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES mN_R(pdu) <= s`VR_R) %inductive OLD_SD_inv1_aux_aux3 : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (i: upto(statlist`Length - 2)): even?(i) IMPLIES LET elt1 = statlist`Data(i + 1), elt2 = statlist`Data(i + 2) IN elt1 < elt2 AND elt2 <= s`VR_H)) %proved using OLD_SD_inv1_aux_aux3 OLD_SD_inv1_aux_aux2 : LEMMA invariant(LAMBDA(s:State) : FORALL (k, l: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET ustat = s`RS_channel(k), stat = s`RS_channel(l) IN USTAT?(ustat) AND STAT?(stat) AND k > l IMPLIES (FORALL (m: nat): even?(m) AND m <= mList(stat)`Length-2 IMPLIES mList(stat)`Data(2 + m) <= mList(ustat)`Data(1))) %inductive VR_R_eq_AA_DATA_INDICATION_channel_index : LEMMA invariant(LAMBDA(s:State) : s`VR_R = s`AA_DATA_INDICATION_channel_index) %proved using VR_R_eq_AA_DATA_INDICATION_channel_index,indicated_equals_sent_aux2, %indicated_equals_sent_aux1 indicated_equals_sent : LEMMA invariant(LAMBDA(s:State) : FORALL (i: below(s`VR_R)) : mData(s`AA_DATA_INDICATION_channel(i)) = 
vXmitBuffer`Data(i)`Payload) %inductive sent_equals_requested : LEMMA invariant(LAMBDA(s:State) : FORALL (i : below(VT_S)) : mData(AA_DATA_REQUEST_channel(i)) = vXmitBuffer`Data(i)`Payload) %towards final goal : the protocol correctly delivers messages in sequence %proved using sent_equals_requested, indicated_equals_sent, %VR_R_eq_AA_DATA_INDICATION_channel_index, VT_S_GE_VR_H_aux3, VT_S_GE_VR_H requested_equals_indicated : LEMMA invariant(LAMBDA(s:State) : FORALL (i : below(s`AA_DATA_INDICATION_channel_index)) : mData(s`AA_DATA_INDICATION_channel(i)) = mData(AA_DATA_REQUEST_channel(i))) END sscop_SD_receiver_invariants3 $$$sscop_SD_receiver_invariants3.prf (|sscop_SD_receiver_invariants3| (|indicated_equals_sent_aux1_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1_aux3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) (("1" (LEMMA "indicated_equals_sent_aux1_aux1") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (LEMMA "indicated_equals_sent_aux1_aux1") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`SR_receiver_index") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "indicated_equals_sent_aux1_aux1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (LEMMA "indicated_equals_sent_aux1_aux1") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (INST - "r(n)`SR_receiver_index") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (LEMMA "indicated_equals_sent_aux1_aux3") (("7" (EXPAND "invariant") (("7" (INST - "r" "n") (("7" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("8" (LEMMA "indicated_equals_sent_aux1_aux3") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL) ("9" (INST - "i!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "indicated_equals_sent_aux1_aux3") (("10" (GRIND) NIL NIL)) NIL) ("11" (LEMMA "indicated_equals_sent_aux1_aux3") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("12" (INST - "i!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (LEMMA "indicated_equals_sent_aux1_aux3") (("13" (GRIND) NIL NIL)) NIL) ("14" (LEMMA "indicated_equals_sent_aux1_aux3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (ASSERT) NIL NIL)) NIL)) NIL)) NIL) ("15" (INST - "i!1") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "i!1") (("16" (GRIND) NIL NIL)) NIL) ("17" (LEMMA "VT_S_GE_VR_H") (("17" (EXPAND "invariant") (("17" (INST - "r" "n") (("17" (FLATTEN) (("17" (HIDE -1 -2 -3 -4) (("17" (INST - "r(n)`VR_MR") (("17" (INST - "i!1") (("17" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("18" (INST - "i!1") (("1" (GRIND) NIL NIL) ("2" (LEMMA "VT_S_GE_VR_H_aux1") (("2" (GRIND) (("2" (LEMMA "VT_S_GE_VR_H") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (FLATTEN) (("2" (HIDE -1 -2 -3 -4) (("2" (INST - "r(n)`VR_MR") (("2" (GRIND) NIL 
NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("19" (LEMMA "VT_S_GE_VR_H") (("19" (EXPAND "invariant") (("19" (INST - "r" "n") (("19" (FLATTEN) (("19" (INST - "i!1") (("19" (ASSERT) (("19" (INST - "i!1") (("1" (ASSERT) NIL NIL) ("2" (LEMMA "VT_S_GE_VR_H_aux1") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "indicated_equals_sent_aux2_aux1") (("1" (GRIND) (("1" (LEMMA "VT_S_GE_VR_H_aux3") (("1" (GRIND) (("1" (LEMMA "indicated_equals_sent_aux2_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`VR_R") (("1" (GROUND) (("1" (REPLACE -1) (("1" (COMMENT "need to prove FORALL i < VR_MR : vRecvBuffer`Arrived(i) => vRecvBuffer`Data(i)`Payload = vXmitBuffer`Data(i)`Payload") (("1" (LEMMA "indicated_equals_sent_aux2_aux2") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`VR_R") (("1" (GRIND) (("1" (LEMMA "indicated_equals_sent_aux1_aux2") (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) ";;;need to prove FORALL i < VR_MR : vRecvBuffer`Arrived(i) => vRecvBuffer`Data(i)`Payload = ;;; vXmitBuffer`Data(i)`Payload")) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (COMMENT "need to prove FORALL i: SD?(SR_channel(i)) => mData(SR_channel(i)) = vXmitBuffer`Data(mN_S(SR_channel(i)))`Payload") (("2" (LEMMA "indicated_equals_sent_aux1_aux1") (("2" (EXPAND "invariant") (("2" (INST - "r" "n") (("2" (INST - "r(n)`SR_receiver_index") (("1" (GRIND) (("1" (LEMMA "indicated_equals_sent_aux1_aux3") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA 
"indicated_equals_sent_aux1_aux3") (("2" (GRIND) NIL NIL)) NIL)) NIL) ("2" (LEMMA "indicated_equals_sent_aux1_aux3") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) ";;;need to prove FORALL i: SD?(SR_channel(i)) => mData(SR_channel(i)) = vXmitBuffer`Data(mN_S(SR_channel(i)))`Payload")) NIL) ("3" (LEMMA "VT_S_GE_VR_H_aux3") (("3" (GRIND) (("3" (LEMMA "indicated_equals_sent_aux2_aux1") (("3" (GRIND) (("3" (LEMMA "indicated_equals_sent_aux2_aux2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`VR_R") (("3" (GRIND) (("3" (LEMMA "indicated_equals_sent_aux2_aux2") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`VR_R") (("3" (GRIND) (("3" (LEMMA "indicated_equals_sent_aux1_aux2") (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + ("k" "l")) (("2" (TYPEPRED "k" "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k" "l") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k" "l") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k" "l") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k" "l") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k" "l") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k" "l") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k" "l") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k" "l") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k" "l") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k" "l") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k" "l") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k" "l") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "k" "l") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "k" "l") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "k" "l") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "k" "l") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|VT_A_LEQ_VR_R_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|VT_A_LEQ_VR_R_aux_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|VT_A_LEQ_VR_R_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (BETA) (("2" (INST - "k") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_aux_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (INST - "k") (("1" (GROUND) (("1" (SKOLEM + "i") (("1" (INST - "i") (("1" (GROUND) (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_aux_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1_aux_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1_aux_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + ("k" "l")) (("2" (TYPEPRED "k" "l") (("2" (GRIND :IF-MATCH NIL) (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL) ("4" (GRIND) NIL NIL) ("5" (GRIND) NIL NIL) ("6" (GRIND) NIL NIL) ("7" (GRIND) NIL NIL) ("8" (GRIND) NIL NIL) ("9" (GRIND) NIL NIL) ("10" (LEMMA "OLD_SD_inv1_aux_aux3") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "l") (("10" (GROUND) (("10" (INST - "2*j!1") (("10" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (GRIND) (("11" (LEMMA "OLD_SD_inv1_aux_aux3") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "l") (("11" (ASSERT) (("11" (INST - "m!1") (("11" (ASSERT) (("11" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (LEMMA "OLD_SD_inv1_aux_aux3") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "l") (("12" (GROUND) (("12" (INST - "2*j!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (GRIND) (("13" (LEMMA "OLD_SD_inv1_aux_aux3") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "l") (("13" (ASSERT) (("13" (INST - "m!1") (("13" (ASSERT) (("13" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (GRIND) NIL NIL) ("15" (GRIND) NIL NIL) ("16" (GRIND) NIL NIL) ("17" (GRIND) NIL NIL) ("18" (INST - "k" "l") (("18" (ASSERT) (("18" (INST - "m!1") (("18" (ASSERT) (("18" (INST + "j!1") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL) ("6" (HIDE 2) (("6" (GRIND) NIL NIL)) 
NIL)) NIL)) NIL) (|VR_R_eq_AA_DATA_INDICATION_channel_index| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") NIL NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL) ("10" (INST - "i") NIL NIL) ("11" (INST - "i") NIL NIL) ("12" (INST - "i") NIL NIL) ("13" (INST - "i") NIL NIL) ("14" (INST - "i") NIL NIL) ("15" (LEMMA "VR_R_eq_AA_DATA_INDICATION_channel_index") (("15" (GRIND) (("15" (LEMMA "indicated_equals_sent_aux2") (("15" (LEMMA "indicated_equals_sent_aux1") (("15" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("16" (COMMENT "have proved pc = DtrRecvInOrder IMPLIES VT_S > VR_R. will prove pc = DtrRecvInOrder IMPLIES FORALL i < VT_S: vData = vXmitBuffer`Data(i)`Payload") (("16" (LEMMA "VR_R_eq_AA_DATA_INDICATION_channel_index") (("16" (GRIND) NIL NIL)) ";;;have proved pc = DtrRecvInOrder IMPLIES VT_S > VR_R. 
will prove pc = DtrRecvInOrder IMPLIES FORALL i < VT_S: vData = vXmitBuffer`Data(i)`Payload")) NIL) ("17" (LEMMA "VR_R_eq_AA_DATA_INDICATION_channel_index") (("17" (GRIND) (("17" (LEMMA "indicated_equals_sent_aux1") (("17" (LEMMA "indicated_equals_sent_aux2") (("17" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("18" (LEMMA "VR_R_eq_AA_DATA_INDICATION_channel_index") (("18" (INST - "i") (("18" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|sent_equals_requested| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|requested_equals_indicated| "" (LEMMA "sent_equals_requested") (("" (LEMMA "indicated_equals_sent") (("" (LEMMA "VT_S_GE_VR_H") (("" (LEMMA "VT_S_GE_VR_H_aux3") (("" (LEMMA "VR_R_eq_AA_DATA_INDICATION_channel_index") (("" (EXPAND "invariant") (("" (SKOLEM 1 ("r" "n")) (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (SKOLEM 1 "i") (("" (INST - "i") (("1" (INST - "i") (("1" (FLATTEN) (("1" (HIDE -4 -5 -6 -7) (("1" (GRIND) NIL NIL)) NIL)) NIL) ("2" (FLATTEN) (("2" (HIDE -4 -5 -6 -7) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("2" (FLATTEN) (("2" (HIDE -4 -5 -6 -7) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_receiver_invariants4.pvs sscop_SD_receiver_invariants4 : THEORY BEGIN IMPORTING sscop_SD_receiver_invariants3 %inductive retrans_inv1_aux5 : LEMMA invariant(LAMBDA(s:State): FORALL (l: subrange(s`SR_receiver_index, SR_sender_index - 1), k: subrange(RS_sender_index, s`RS_receiver_index - 1)): LET old_sd = SR_channel(l), stat = 
s`RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat)) %proved using retrans_inv1_aux5, NEW_SD_inv1 retrans_inv1_aux4 : LEMMA invariant(LAMBDA(s:State): s`pc = DtrRecvTestSeq IMPLIES FORALL (k: subrange(RS_sender_index, s` RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES (s`vN_S < s`VR_H IMPLIES vXmitBuffer`PollSeq(s`vN_S) >= mN_PS(pdu))) %proved using retrans_inv1_aux4, OLD_SD_inv1_aux_aux3 retrans_inv1_aux3: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, s` RS_receiver_index - 1)): LET pdu = s`RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT s`vRecvBuffer`Arrived(m) OR vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) %proved using sscop_SD_receiver_invariants3.VT_A_LEQ_VR_R_aux xMitBuffer_inv2_aux: LEMMA invariant(LAMBDA(s:State) : FORALL (k,l: subrange(RS_sender_index, s`RS_receiver_index-1)): let stat = s`RS_channel(k), ustat = s`RS_channel(l) IN STAT?(stat) AND USTAT?(ustat) AND k < l IMPLIES mN_R(stat) <= mN_R(ustat)) END sscop_SD_receiver_invariants4 $$$sscop_SD_receiver_invariants4.prf (|sscop_SD_receiver_invariants4| (|retrans_inv1_aux5_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux5_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux5_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux5_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux5| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (BETA) (("2" (INST - "k" "l") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux4_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux4| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (BETA) (("2" (TYPEPRED "k") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "retrans_inv1_aux5") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index" "k") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (LEMMA "NEW_SD_inv1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (LEMMA "retrans_inv1_aux5") (("5" (EXPAND "invariant") (("5" (INST - "r" "n") (("5" (INST - "r(n)`SR_receiver_index" "k") (("5" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("6" (LEMMA "NEW_SD_inv1") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r(n)`SR_receiver_index") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) 
NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (BETA) (("2" (TYPEPRED "k") (("2" (GROUND) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GROUND) (("2" (SKOLEM + "m") (("2" (TYPEPRED "m") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GROUND) (("1" (INST - "l") (("1" (GROUND) (("1" (INST - "m") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GROUND) (("2" (INST - "l") (("2" (GROUND) (("2" (INST - "m") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "k") (("3" (GROUND) (("3" (INST - "l") (("3" (GROUND) (("3" (INST - "m") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "k") (("4" (GROUND) (("4" (INST - "l") (("4" (GROUND) (("4" (INST - "m") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GROUND) (("5" (INST - "l") (("5" (GROUND) (("5" (INST - "m") (("5" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (INST - "k") (("6" (GROUND) (("6" (INST - "l") (("6" (GROUND) (("6" (INST - "m") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "k") (("7" (GROUND) (("7" (INST - "l") (("7" (GROUND) (("7" (INST - "m") (("7" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("8" (LEMMA "OLD_SD_inv1_aux_aux3") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (ASSERT) (("8" (INST - "k") (("8" (ASSERT) (("8" (INST - "l") (("8" (ASSERT) NIL NIL)) NIL)) 
NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "k") (("9" (GROUND) (("9" (INST - "l") (("9" (GROUND) (("9" (INST - "m") (("9" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("10" (INST - "k") (("10" (GROUND) (("10" (INST - "l") (("10" (GROUND) (("10" (INST - "m") (("10" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "k") (("11" (GROUND) (("11" (INST - "l") (("11" (GROUND) (("11" (INST - "m") (("11" (GROUND) (("11" (LEMMA "retrans_inv1_aux4") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (ASSERT) (("11" (INST - "k") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "k") (("12" (GROUND) (("12" (INST - "l") (("12" (GROUND) (("12" (INST - "m") (("12" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "k") (("13" (GROUND) (("13" (INST - "l") (("13" (GROUND) (("13" (INST - "m") (("13" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (LEMMA "OLD_SD_inv1_aux_aux3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "k") (("14" (ASSERT) (("14" (INST - "l") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "k") (("15" (GROUND) (("15" (INST - "l") (("15" (GROUND) (("15" (INST - "m") (("15" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "k") (("16" (GROUND) (("16" (INST - "l") (("16" (GROUND) (("16" (INST - "m") (("16" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("17" (INST - "k") (("17" (GROUND) (("17" (INST - "l") (("17" (GROUND) (("17" (INST - "m") (("17" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("18" (INST - "k") (("18" (GROUND) (("18" (INST - "l") (("18" (GROUND) (("18" (INST - "m") (("18" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("19" (INST - "k") (("19" (ASSERT) (("19" (INST - "l") (("19" (GROUND) (("19" (INST - "m") (("19" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" 
(HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|xMitBuffer_inv2_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2_aux_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|xMitBuffer_inv2_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (SKOLEM + "n") (("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("k" "l")) (("2" (BETA) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k" "l") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k" "l") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k" "l") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k" "l") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k" "l") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k" "l") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k" "l") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k" "l") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k" "l") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "VT_A_LEQ_VR_R_aux") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "k") (("10" (GROUND) (("10" (INST - "k" "l") (("10" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (LEMMA "VT_A_LEQ_VR_R_aux") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "k") (("11" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (LEMMA "VT_A_LEQ_VR_R_aux") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "k") (("12" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (LEMMA "VT_A_LEQ_VR_R_aux") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "k") (("13" (GROUND) (("13" (INST - "k" "l") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (LEMMA "VT_A_LEQ_VR_R_aux") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "k") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (GRIND) (("15" (LEMMA 
"VT_A_LEQ_VR_R_aux") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (ASSERT) (("15" (INST - "k") (("15" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "k" "l") (("16" (GRIND) NIL NIL)) NIL) ("17" (INST - "k" "l") (("17" (GRIND) NIL NIL)) NIL) ("18" (INST - "k" "l") (("18" (GRIND) NIL NIL)) NIL) ("19" (INST - "k" "l") (("19" (GRIND) NIL NIL)) NIL) ("20" (INST - "k" "l") (("20" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_receiver_invariants5.pvs sscop_SD_receiver_invariants5 : THEORY BEGIN IMPORTING sscop_SD_receiver_invariants4 %inductive %preserved by SD sender cf. sscop_SD_sender_invariants7.Idle_inv2 Idle_inv1 : LEMMA invariant(LAMBDA(s:State) : (s`pc = Idle IMPLIES (s`VR_R = s`VR_H))) %inductive %preserved by SD sender cf. sscop_SD_sender_invariants7.Idle_inv1 Idle_inv2: LEMMA invariant(LAMBDA(s:State) : (sender_pc = Idle IMPLIES (VT_A = VT_S AND VT_S = AA_DATA_REQUEST_channel_index))) %final result, receiver's view: when both the sender and the receiver are %in their Idle locations, the request and indication sequences are %equal. Uses Idle_inv1,Idle_inv2,VT_S_GE_VR_H,VT_S_GE_VR_H_aux3, %VR_R_eq_AA_DATA_INDICATION_channel_index, requested_equals_indicated, USTAT_inv3_aux2 %preserved by SD sender, cf. 
sscop_SD_sender_invariants7.final_result final_result: THEOREM invariant(LAMBDA(s:State) : ((s`pc = Idle AND sender_pc = Idle) IMPLIES FORALL (i : below(AA_DATA_REQUEST_channel_index)) : mData(s`AA_DATA_INDICATION_channel(i)) = mData(AA_DATA_REQUEST_channel(i)))) END sscop_SD_receiver_invariants5 $$$sscop_SD_receiver_invariants5.prf (|sscop_SD_receiver_invariants5| (|retrans_inv1_aux_2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux_2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux_2_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux_2_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux_2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "k") (("2" (BETA) (("2" (FLATTEN) (("2" (SKOLEM 1 "l") (("2" (FLATTEN) (("2" (SKOLEM 1 "m") (("2" (FLATTEN) (("2" (INST -8 "n") (("2" (TYPEPRED ("k" "l" "m")) (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "retrans_inv1_aux5") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "r(n)`SR_receiver_index" "k") (("1" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GROUND) (("2" (INST - "l") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL) ("3" (LEMMA "NEW_SD_inv1") (("3" (EXPAND "invariant") (("3" (INST - "r" "n") (("3" (INST - "r(n)`SR_receiver_index") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "k") (("4" (ASSERT) (("4" (INST - "l") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|Idle_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|Idle_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|final_result| "" (LEMMA "USTAT_inv3_aux2") (("" (LEMMA "requested_equals_indicated") (("" (LEMMA "VR_R_eq_AA_DATA_INDICATION_channel_index") (("" (LEMMA "VT_S_GE_VR_H_aux3") (("" (LEMMA "VT_S_GE_VR_H") (("" (LEMMA "Idle_inv2") (("" (LEMMA "Idle_inv1") (("" (EXPAND "invariant") (("" (SKOLEM + ("r" "n")) (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (FLATTEN) (("" (BASH) (("" (INST - "i!1") (("" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_sender_invariants3.pvs sscop_SD_sender_invariants3 : THEORY %facts about OLD SD PDUs in SR channel BEGIN IMPORTING sscop_SD_sender init(s:State) : bool = (s`pc = DataTransferReady OR s`pc = Idle) AND %cf. 
-OLD_SD_inv3, *sscop_SD_receiver_invariants1.init_inv7, %and *sscop_USTAT_receiver_invariants1.USTAT_inv4, %*sscop_POLL_receiver_invariants1.OLD_SD_inv3, %*sscop_STAT_receiver_invariants1.OLD_SD_inv3 (FORALL (i:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)): vReXmitQueue(i)`Seq < VR_H) AND %cf. -OLD_SD_inv6, *sscop_USTAT_receiver_invariants1.ReXmit_inv1, %*sscop_STAT_receiver_invariants1.OLD_SD_inv6 (FORALL(i,j:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)): i /= j IMPLIES vReXmitQueue(i)`Seq /= vReXmitQueue(j)`Seq) AND %cf. *-OLD_SD_inv5, sscop_SD_receiver_invariants1.init_inv5, %*sscop_USTAT_receiver_invariants1.USTAT_inv7, %*sscop_STAT_receiver_invariants1.OLD_SD_inv5 (FORALL (i:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1), j: subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu = s`SR_channel(j) IN OLD_SD?(pdu) IMPLIES vReXmitQueue(i)`Seq /= mN_S(pdu)) AND %cf. *-OLD_SD_inv2, *sscop_SD_receiver_invariants1.init_inv4, % *sscop_POLL_receiver_invariants1.OLD_SD_inv2 (FORALL (j: subrange(SR_receiver_index,s`SR_sender_index-1)): LET pdu = s`SR_channel(j) IN OLD_SD?(pdu) IMPLIES mN_S(pdu) < VR_H) AND %*-OLD_SD_inv4, sscop_SD_receiver_invariants1.init_inv3 (FORALL (k,l: subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu_1 = s`SR_channel(k), pdu_2 = s`SR_channel(l) IN OLD_SD?(pdu_1) AND OLD_SD?(pdu_2) AND k /= l IMPLIES mN_S(pdu_1) /= mN_S(pdu_2)) AND %-OLD_SD_inv7, *sscop_SD_receiver_invariants1.OLD_SD_inv1 (FORALL (j: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(j) IN OLD_SD?(pdu) IMPLIES NOT vRecvBuffer`Arrived(mN_S(pdu))) AND %-retrans_inv1, *sscop_SD_receiver_invariants1.init_inv6, %*sscop_USTAT_receiver_invariants1.USTAT_inv8, %*sscop_STAT_receiver_invariants2.retrans_inv1 (FORALL (i:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : NOT vRecvBuffer`Arrived(vReXmitQueue(i)`Seq)) AND %*-OLD_SD_inv1,*sscop_SD_receiver_invariants2.USTAT_inv2_aux1, %sscop_USTAT_receiver_invariants1.USTAT_inv6 
(FORALL (i :subrange(RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1), j : subrange(SR_receiver_index, s`SR_sender_index-1)): let pdu = s`SR_channel(j) in OLD_SD?(pdu) IMPLIES mN_S(pdu) < l) AND %-OLD_SD_inv1_aux, *sscop_USTAT_receiver_invariants1.USTAT_inv5, %*sscop_SD_receiver_invariants2.OLD_SD_inv1, %*sscop_STAT_receiver_invariants1.OLD_SD_inv1_aux (FORALL (i :subrange(RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l:subrange(bottom,top-1), j:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)): vReXmitQueue(j)`Seq < l) AND %*-sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux1, %cf. *sscop_POLL_receiver_invariants1.VT_S_GE_VR_H, %sscop_SD_sender_invariants1.VT_S_GE_VR_H and %sscop_SD_sender_invariants2.VT_S_GE_VR_H, % *sscop_SD_receiver_invariants1.VT_S_GE_VR_H, %sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux s`VT_S >= VR_H AND %*-sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux2, %*sscop_USTAT_receiver_invariants1.indicated_equals_sent_aux1_aux1_aux2, %*sscop_STAT_receiver_invariants1.indicated_equals_sent_aux1_aux1_aux2, (FORALL (i:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : vReXmitQueue(i)`Payload = s`vXmitBuffer`Data(vReXmitQueue(i)`Seq)`Payload) AND %*sscop_SD_sender_invariants4.indicated_equals_sent_aux1_aux1, %sscop_SD_receiver_invariants3.indicated_equals_sent_aux1_aux1, %*-sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1 %(invariants from two sender theories because both OLD and NEW SD % are considered) (FORALL (i:subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu = s`SR_channel(i) IN OLD_SD?(pdu) IMPLIES mData(pdu) = s`vXmitBuffer`Data(mN_S(pdu))`Payload) AND 
%*-sscop_STAT_receiver_invariants1.OLD_SD_inv5_aux3, %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux3 (FORALL (l:subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(l) IN OLD_SD?(pdu) IMPLIES s`vXmitBuffer`PollSeq(mN_S(pdu)) >= VT_PA) AND %*-sscop_SD_sender_invariants5.STAT_inv2, %*sscop_STAT_receiver_invariants1.STAT_inv2, %*sscop_USTAT_receiver_invariants2.STAT_inv2 %*sscop_POLL_receiver_invariants3.STAT_inv2 (FORALL (k: subrange(RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES (VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= s`VT_PS AND VT_A <= mN_R(pdu) AND mN_R(pdu) <= s`VT_S)) AND %*-sscop_SD_sender_invariants5.OLD_SD_inv5_aux3_inv1, %*sscop_STAT_receiver_invariants1.OLD_SD_inv5_aux3_inv1, %sscop_SD_sender_invariants2.STAT_inv2_aux10, (s`VT_PS >= VT_PA) AND %-sscop_STAT_receiver_invariants1.OLD_SD_inv5_aux4, %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux4, %*sscop_POLL_receiver_invariants3.OLD_SD_inv5_aux4, %sscop_SD_receiver_invariants4.retrans_inv1_aux5 (FORALL (l: subrange(SR_receiver_index, s`SR_sender_index - 1), k: subrange(RS_sender_index, RS_receiver_index - 1)): LET old_sd = s`SR_channel(l), stat = RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES s`vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat)) %-sscop_POLL_receiver_invariants3.OLD_SD_inv5_aux4_aux2, %*sscop_SD_sender_invariants5.OLD_SD_inv5_aux4_aux2 AND (FORALL (l,k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET old_sd = s`SR_channel(l), poll = s`SR_channel(k) IN OLD_SD?(old_sd) AND POLL?(poll) AND l > k IMPLIES s`vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(poll)) AND %*-sscop_SD_sender_invariants2.STAT_inv2_aux2_aux5, %sscop_POLL_receiver_invariants3.STAT_inv2_aux5_aux2, %sscop_SD_sender_invariants5.OLD_SD_inv5_aux4_aux3 (FORALL (k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET poll = s`SR_channel(k) IN POLL?(poll) IMPLIES s`VT_PS >= mN_PS(poll)) % AND !!!!!!!!!!!! 
% %sscop_SD_sender_invariants6.Idle_inv1, % %sscop_SD_receiver_invariants5.Idle_inv2 % (s`pc = Idle IMPLIES (VT_A = s`VT_S AND s`VT_S = s`AA_DATA_REQUEST_channel_index)) IMPORTING runs[State,init,LAMBDA(s,s_: State): EXISTS(a:Action): trans(s,a,s_)] %-inductive retrans_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : NOT vRecvBuffer`Arrived(vReXmitQueue(i)`Seq)) %-proved using retrans_inv1 OLD_SD_inv7: LEMMA invariant(LAMBDA(s:State): FORALL (j: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(j) IN OLD_SD?(pdu) IMPLIES NOT vRecvBuffer`Arrived(mN_S(pdu))) %-proved (inductive) OLD_SD_inv6: LEMMA invariant(LAMBDA(s:State): FORALL (i,j:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : i /= j IMPLIES vReXmitQueue(i)`Seq /= vReXmitQueue(j)`Seq) %-proved using OLD_SD_inv6 OLD_SD_inv5 : LEMMA invariant(LAMBDA(s:State): FORALL (i:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1), j: subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu = s`SR_channel(j) IN OLD_SD?(pdu) IMPLIES vReXmitQueue(i)`Seq /= mN_S(pdu)) %-proved using OLD_SD_inv5 OLD_SD_inv4 : LEMMA invariant(LAMBDA(s:State): FORALL (k,l: subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu_1 = s`SR_channel(k), pdu_2 = s`SR_channel(l) IN OLD_SD?(pdu_1) AND OLD_SD?(pdu_2) AND k /= l IMPLIES mN_S(pdu_1) /= mN_S(pdu_2)) %-inductive OLD_SD_inv3: LEMMA invariant(LAMBDA (s: State): FORALL (i: subrange(s`vReXmitQueue_PtrOut, vReXmitQueue_PtrIn - 1)): vReXmitQueue(i)`Seq < VR_H) %-proved using OLD_SD_inv3 OLD_SD_inv2: LEMMA invariant(LAMBDA(s:State): FORALL(j: subrange(SR_receiver_index,s`SR_sender_index-1)): LET pdu = s`SR_channel(j) IN OLD_SD?(pdu) IMPLIES mN_S(pdu) < VR_H) %-inductive OLD_SD_inv1_aux: LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = 
ustat_list`Data(2) IN FORALL (l:subrange(bottom,top-1), j:subrange(s`vReXmitQueue_PtrOut, vReXmitQueue_PtrIn-1)): vReXmitQueue(j)`Seq < l) %-proved using OLD_SD_inv1_aux OLD_SD_inv1: LEMMA invariant(LAMBDA(s:State): FORALL (i :subrange(RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bottom = ustat_list`Data(1), top = ustat_list`Data(2) IN FORALL (l: subrange(bottom,top-1), j : subrange(SR_receiver_index, s`SR_sender_index-1)): let pdu = s`SR_channel(j) in OLD_SD?(pdu) IMPLIES mN_S(pdu) < l) END sscop_SD_sender_invariants3 $$$sscop_SD_sender_invariants3.prf (|sscop_SD_sender_invariants3| (|init_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC10| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC11| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC12| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC13| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC14| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC15| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC16| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC17| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (EXPAND "run_fragment") (("2" (INST -5 "n") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") NIL NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv7_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv7_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv7| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "j") (("2" (TYPEPRED "j") (("2" (EXPAND "run_fragment") (("2" (INST -4 "n") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j") (("7" (GRIND) NIL NIL)) NIL) ("8" (COMMENT "need to prove that elements in the retrans queue have not arrived") (("8" (LEMMA "retrans_inv1") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (INST -4 "j") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) ";;;need to prove that elements in the retrans queue have not arrived")) NIL) ("9" (LEMMA "retrans_inv1") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "r(n)`vReXmitQueue_PtrOut") NIL NIL)) NIL)) NIL)) NIL) ("10" (INST - "j") (("10" (GRIND) NIL NIL)) 
NIL) ("11" (INST - "j") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "j") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "j") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "j") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv6_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv6| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (SKOLEM 1 ("i" "j")) (("2" (TYPEPRED ("i" "j")) (("2" (EXPAND "run_fragment") (("2" (INST -6 "n") (("2" (SKOLEM - "a") (("2" (FLATTEN) (("2" (EXPAND "trans") (("2" (SPLIT) (("1" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("2" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("3" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("5" (GRIND) NIL NIL) ("6" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("7" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("8" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("9" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("10" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("11" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" 
(GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (BETA) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (SKOLEM 1 ("i" "j")) (("2" (TYPEPRED ("i" "j")) (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -8 "n") (("2" (SKOLEM - "a") (("2" (EXPAND "trans") (("2" (SPLIT) (("1" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("2" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("3" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("4" (FLATTEN) (("4" (GRIND :IF-MATCH NIL) (("1" (COMMENT "need the fact that all elements in the retransmission queue are different") (("1" (LEMMA "OLD_SD_inv6") (("1" (EXPAND "invariant") (("1" (INST - "r" "n") (("1" (INST - "i" "r(n)`vReXmitQueue_PtrOut") (("1" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) ";;;need the fact that all elements in the retransmission queue are different")) NIL) ("2" (INST - "i" "j") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("5" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("6" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("7" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("8" (GRIND) NIL NIL) ("9" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("10" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) 
NIL) (|OLD_SD_inv4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv4_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv4| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (BETA) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (SKOLEM 1 ("i" "j")) (("2" (TYPEPRED ("i" "j")) (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -9 "n") (("2" (SKOLEM - "a") (("2" (EXPAND "trans") (("2" (SPLIT) (("1" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("2" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("3" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("4" (FLATTEN) (("4" (LEMMA "OLD_SD_inv5") (("4" (EXPAND "invariant") (("4" (INST - "r" "n") (("4" (GRIND :IF-MATCH NIL) (("1" (INST - "r(n)`vReXmitQueue_PtrOut" "j") (("1" (GRIND :IF-MATCH NIL) NIL NIL)) NIL) ("2" (INST - "r(n)`vReXmitQueue_PtrOut" "i") (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL) ("3" (INST - "r(n)`vReXmitQueue_PtrOut" "i") (("3" (GRIND :IF-MATCH NIL) NIL NIL)) NIL) ("4" (INST -12 "i" "j") (("4" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("6" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("7" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("8" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("9" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("10" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL) ("11" (INST - "i" "j") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) 
NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM 1 "j") (("2" (TYPEPRED "j") (("2" (INST - "j") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (FLATTEN) (("2" (BETA) (("2" (EXPAND "run_fragment") (("2" (INST -2 "n") (("2" (SKOLEM 1 "j") (("2" (TYPEPRED "j") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j") (("7" (GRIND) NIL NIL)) NIL) ("8" (LEMMA "OLD_SD_inv3") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("9" (LEMMA "OLD_SD_inv3") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "r(n)`vReXmitQueue_PtrOut") NIL NIL)) NIL)) NIL)) NIL) ("10" (INST - "j") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "j") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "j") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "j") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - 
"j") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1_aux_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1_aux_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv1_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (BETA) (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GROUND) (("2" (SKOLEM 1 ("l" "j")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GROUND) (("1" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("2" (INST - "i") (("2" (GROUND) (("2" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("3" (INST - "i") (("3" (GROUND) (("3" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("4" (INST - "i") (("4" (GROUND) (("4" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("5" (INST - "i") (("5" (GROUND) (("5" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("6" (INST - "i") (("6" (GROUND) (("6" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("7" (INST - "i") (("7" (GROUND) (("7" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("8" (INST - "i") (("8" (GROUND) (("8" (INST - "l" "j") NIL NIL)) NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (BETA) (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM 1 "n") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GROUND) (("2" (SKOLEM 1 ("l" "j")) (("2" (TYPEPRED "j") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "OLD_SD_inv1_aux") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "i") (("9" (ASSERT) (("9" (INST - "l" "r(n)`vReXmitQueue_PtrOut") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "i") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_sender_invariants5.pvs sscop_SD_sender_invariants5 : THEORY %prove that the protocol is correct - sender's side for OLD SD and %auxiliary stuff BEGIN IMPORTING sscop_SD_sender_invariants3 %inductive indicated_equals_sent_aux1_aux1_aux1 : LEMMA invariant(LAMBDA(s:State) : s`VT_S >= VR_H) %-inductive indicated_equals_sent_aux1_aux1_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(s`vReXmitQueue_PtrOut,vReXmitQueue_PtrIn-1)) : vReXmitQueue(i)`Payload = 
s`vXmitBuffer`Data(vReXmitQueue(i)`Seq)`Payload) %-proved using indicated_equals_sent_aux1_aux1_aux1, %indicated_equals_sent_aux1_aux1_aux2, %OLD_SD_inv2 indicated_equals_sent_aux1_aux1 : LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu = s`SR_channel(i) IN OLD_SD?(pdu) IMPLIES mData(pdu) = s`vXmitBuffer`Data(mN_S(pdu))`Payload) %-inductive STAT_inv2 : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES (VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= s`VT_PS AND VT_A <= mN_R(pdu) AND mN_R(pdu) <= s`VT_S)) %-inductive OLD_SD_inv5_aux3_aux1: LEMMA invariant(LAMBDA(s:State) : s`VT_PS >= VT_PA) %-proved using OLD_SD_inv5_aux3_inv1 OLD_SD_inv5_aux3: LEMMA invariant(LAMBDA (s: State): FORALL (l: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(l) IN OLD_SD?(pdu) IMPLIES s`vXmitBuffer`PollSeq(mN_S(pdu)) >= VT_PA) %-proved using STAT_inv2 OLD_SD_inv5_aux4: LEMMA invariant(LAMBDA (s: State): FORALL (l: subrange(SR_receiver_index, s`SR_sender_index - 1), k: subrange(RS_sender_index, RS_receiver_index - 1)): LET old_sd = s`SR_channel(l), stat = RS_channel(k) IN OLD_SD?(old_sd) AND STAT?(stat) IMPLIES s`vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(stat)) %-inductive OLD_SD_inv5_aux4_aux3: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET poll = s`SR_channel(k) IN POLL?(poll) IMPLIES s`VT_PS >= mN_PS(poll)) %-proved using OLD_SD_inv5_aux4_aux3 OLD_SD_inv5_aux4_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (l,k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET old_sd = s`SR_channel(l), poll = s`SR_channel(k) IN OLD_SD?(old_sd) AND POLL?(poll) AND l > k IMPLIES s`vXmitBuffer`PollSeq(mN_S(old_sd)) >= mN_PS(poll)) END sscop_SD_sender_invariants5 $$$sscop_SD_sender_invariants5.prf (|sscop_SD_sender_invariants5| (|indicated_equals_sent_aux1_aux1_aux1| "" (LEMMA 
"invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1_aux1_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") NIL NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (BETA) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (LEMMA "indicated_equals_sent_aux1_aux1_aux2") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (INST - "i") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("9" (LEMMA "indicated_equals_sent_aux1_aux1_aux2") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "r(n)`vReXmitQueue_PtrOut") NIL NIL)) NIL)) NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (LEMMA "indicated_equals_sent_aux1_aux1_aux1") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (LEMMA "OLD_SD_inv2") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "i") (("11" (GROUND) (("11" (INST - "i") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (LEMMA "OLD_SD_inv2") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "i") (("12" (GROUND) (("12" (LEMMA "indicated_equals_sent_aux1_aux1_aux1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "i") (("15" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) 
(|STAT_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL) ("6" (HIDE 2) (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux3_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "l") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "l") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "l") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "l") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "l") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "l") (("7" (GRIND) NIL NIL)) NIL) ("8" (LEMMA "OLD_SD_inv5_aux3_aux1") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "OLD_SD_inv5_aux3_aux1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "l") (("10" (GRIND) (("10" (LEMMA "OLD_SD_inv5_aux3_aux1") (("10" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("11" (INST - "l") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "OLD_SD_inv5_aux3_aux1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "l") (("13" (GRIND) (("13" (LEMMA "OLD_SD_inv5_aux3_aux1") (("13" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("14" (INST - "l") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "l") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "l") (("16" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux4| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("l" "k")) (("2" (TYPEPRED ("l" "k")) (("2" (GRIND :IF-MATCH NIL) (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL) ("4" (GRIND) NIL NIL) ("5" (GRIND) NIL NIL) ("6" (GRIND) NIL NIL) ("7" (GRIND) NIL NIL) ("8" (LEMMA "STAT_inv2") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (INST - "k") (("8" (GROUND) (("8" (INST - "l" "k") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (LEMMA "STAT_inv2") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "k") (("9" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("10" (GRIND) (("10" (LEMMA "STAT_inv2") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "k") (("10" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (GRIND) NIL NIL) ("12" (LEMMA "STAT_inv2") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "k") (("12" (GROUND) (("12" (INST - "l" "k") (("12" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (GRIND) (("13" (LEMMA "STAT_inv2") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "k") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (GRIND) NIL NIL) ("15" (GRIND) NIL NIL) ("16" (INST - "l" "k") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux4_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_aux3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM + "k") (("2" (TYPEPRED "k") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "k") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|OLD_SD_inv5_aux4_aux2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_aux2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|OLD_SD_inv5_aux4_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("l" "k")) (("2" (TYPEPRED ("l" "k")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "l" "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "l" "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "l" "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "l" "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "l" "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "l" "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "l" "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (LEMMA "OLD_SD_inv5_aux4_aux3") (("8" (EXPAND "invariant") (("8" (INST - "r" "n") (("8" (INST - "k") (("8" (GROUND) (("8" (INST - "l" "k") (("8" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (LEMMA "OLD_SD_inv5_aux4_aux3") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "k") (("9" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("10" (INST - "l" "k") (("10" (GRIND) (("10" (LEMMA "OLD_SD_inv5_aux4_aux3") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "k") (("10" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "l" "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "OLD_SD_inv5_aux4_aux3") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "k") (("12" (GROUND) (("12" (INST - "l" "k") (("12" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "l" "k") (("13" (GRIND) (("13" (LEMMA "OLD_SD_inv5_aux4_aux3") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "k") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "l" "k") (("14" (GRIND) NIL NIL)) NIL) ("15" (INST - "l" "k") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "l" "k") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" 
(GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_sender_invariants1.pvs sscop_SD_sender_invariants1 : THEORY %facts about NEW SD PDUs in SR channel BEGIN IMPORTING sscop_SD_sender init(s: State): bool = (s`pc = DataTransferReady OR s`pc = Idle) AND %cf. -VT_S_GE_VR_H and *sscop_SD_receiver_invariants1.VT_S_GE_VR_H %and sscop_SD_sender_invariants2.VT_S_GE_VR_H and %*sscop_POLL_receiver_invariants1.VT_S_GE_VR_H, %*sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux1 %sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux s`VT_S >= VR_H AND %cf. *-NEW_SD_inv3 and *sscop_SD_receiver_invariants1.NEW_SD_inv5 (FORALL (i: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(i) IN NEW_SD?(pdu) IMPLIES s`VT_S > mN_S(pdu)) %cf. *N-EW_SD_inv2 and *sscop_SD_receiver_invariants1.init_inv1 AND (FORALL (j, k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu_1 = s`SR_channel(j), pdu_2 = s`SR_channel(k) IN NEW_SD?(pdu_1) AND NEW_SD?(pdu_2) AND j < k IMPLIES mN_S(pdu_1) < mN_S(pdu_2)) %cf. *-NEW_SD_inv1 and *sscop_SD_receiver_invariants1.NEW_SD_inv1 %and *sscop_POLL_receiver_invariants1.NEW_SD_inv1 AND (FORALL (i: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(i) IN NEW_SD?(pdu) IMPLIES mN_S(pdu) >= VR_H) AND %cf. *-NEW_SD_inv4 and *sscop_SD_receiver_invariants1.NEW_SD_inv2 (FORALL (j: nat,k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(k) IN vRecvBuffer`Arrived(j) IMPLIES NEW_SD?(pdu) IMPLIES j < mN_S(pdu)) AND %cf. *-NEW_SD_inv5 and *sscop_SD_receiver_invariants1.VT_S_GE_VR_H %and *sscop_POLL_receiver_invariants1.NEW_SD_inv5 (FORALL (k:nat) : k >= VR_H => NOT vRecvBuffer`Arrived(k)) AND %cf. 
*-xMitBuffer_inv1 and sscop_SD_receiver_invariants2.USTAT_inv3_aux1 %and sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux3, %sscop_USTAT_receiver_invariants1.xMitBuffer_inv1 (FORALL (i:below(s`VT_S)): s`vXmitBuffer`Data(i)`Seq = i) AND %cf. *-USTAT_inv1 and *sscop_SD_receiver_invariants2.USTAT_inv3 and %*sscop_USTAT_receiver_invariants1.xMitBuffer_inv2, %*sscop_STAT_receiver_invariants1.xMitBuffer_inv2 (FORALL (i :subrange(RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2), vN_R = mN_R(pdu) IN VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < s`VT_S AND (FORALL (j:subrange(bot,top-1)): s`vXmitBuffer`Data(j)`Seq = j)) AND %*-sscop_SD_sender_invariants4.indicated_equals_sent, %*scop_SD_receiver_invariants3.indicated_equals_sent (FORALL (i: below(VR_R)) : mData(AA_DATA_INDICATION_channel(i)) = s`vXmitBuffer`Data(i)`Payload) AND %*-sscop_SD_sender_invariants4.indicated_equals_sent_aux1_aux2, %*sscop_SD_receiver_invariants3.indicated_equals_sent_aux1_aux2 (FORALL (i:below(VR_MR)) : vRecvBuffer`Arrived(i) IMPLIES vRecvBuffer`Data(i)`Payload = s`vXmitBuffer`Data(i)`Payload) AND %*-sscop_SD_sender_invariants4.indicated_equals_sent_aux1_aux1, %sscop_SD_receiver_invariants3.indicated_equals_sent_aux1_aux1, %*sscop_SD_sender_invariants5.OLD_SD_inv2 (FORALL (i:subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu = s`SR_channel(i) IN NEW_SD?(pdu) IMPLIES mData(pdu) = s`vXmitBuffer`Data(mN_S(pdu))`Payload) AND %*-sscop_SD_sender_invariants4.sent_equals_requested %sscop_SD_receiver_invariants3.sent_equals_requested (FORALL (i : below(s`VT_S)) : mData(AA_DATA_REQUEST_channel(i)) = s`vXmitBuffer`Data(i)`Payload) AND %sscop_SD_sender_invariants4.VR_MR_GE_VR_H, %*scop_SD_receiver_invariants1.VT_S_GE_VR_H_aux1, %*sscop_POLL_receiver_invariants1.VR_MR_GE_VR_H, %sscop_STAT_receiver_invariants3.retrans_inv1_aux0 VR_MR >= VR_H AND 
%-sscop_SD_sender_invariants4.indicated_equals_sent_aux, %*sscop_SD_receiver_invariants1.VT_S_GE_VR_H_aux3 %*sscop_POLL_receiver_invariants1.VR_H_GE_VR_R VR_H >= VR_R %next three : *-sscop_SD_sender_invariants4.sent_equals_requested_aux2 (local) AND (s`vXmitQueue_PtrOut = s`VT_S) AND (s`vXmitQueue_PtrOut <= s`vXmitQueue_PtrIn) AND (s`AA_DATA_REQUEST_channel_index = s`vXmitQueue_PtrIn) AND %*-sscop_SD_sender_invariants4.sent_equals_requested_aux1 (local) (FORALL (i :below(s`AA_DATA_REQUEST_channel_index)): mData(AA_DATA_REQUEST_channel(i)) = s`vXmitQueue(i)`Payload) AND %*-NEW_SD_POLL2, sscop_SD_receiver_invariants1.NEW_SD_POLL2 (FORALL (i,j: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll = s`SR_channel(i), new_sd = s`SR_channel(j) IN POLL?(poll) AND NEW_SD?(new_sd) AND i > j IMPLIES mN_S(poll) > mN_S(new_sd)) AND %sscop_SD_sender_invariants5.STAT_inv2, %*sscop_STAT_receiver_invariants1.STAT_inv2, %*sscop_USTAT_receiver_invariants2.STAT_inv2 %*-sscop_POLL_receiver_invariants3.STAT_inv2 (FORALL (k: subrange(RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES (VT_PA <= mN_PS(pdu) AND mN_PS(pdu) <= s`VT_PS AND VT_A <= mN_R(pdu) AND mN_R(pdu) <= s`VT_S)) AND %sscop_SD_sender_invariants6.Idle_inv1, %sscop_SD_receiver_invariants5.Idle_inv2 (s`pc = Idle IMPLIES (VT_A = s`VT_S AND s`VT_S = s`AA_DATA_REQUEST_channel_index)) AND %sscop_SD_sender_invariants6.Idle_inv2, %sscop_SD_receiver_invariants5.Idle_inv6 (receiver_pc = Idle IMPLIES (VR_R = VR_H)) AND %sscop_SD_sender_invariants7.final_result_aux, %sscop_POLL_receiver_invariants1.STAT_inv2_aux1 %*sscop_SD_receiver_invariants2.USTAT_inv3_aux2, %*sscop_USTAT_receiver_invariants1.VT_A_LEQ_VR_R, %*sscop_STAT_receiver_invariants1.VT_A_LEQ_VR_R VR_R >= VT_A IMPORTING runs[State,init,LAMBDA(s,s_: State): EXISTS(a:Action): trans(s,a,s_)] %-inductive VT_S_GE_VR_H : LEMMA invariant(LAMBDA(s:State): s`VT_S >= VR_H) %-inductive NEW_SD_inv5: LEMMA invariant(LAMBDA(s:State): FORALL 
(k:nat) : k >= VR_H => NOT vRecvBuffer`Arrived(k)) %-proved using VT_S_GE_VR_H, NEW_SD_inv5 NEW_SD_inv4: LEMMA invariant(LAMBDA(s:State) : FORALL (j: nat,k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(k) IN vRecvBuffer`Arrived(j) IMPLIES NEW_SD?(pdu) IMPLIES j < mN_S(pdu)) %-inductive NEW_SD_inv3 : LEMMA invariant(LAMBDA (s:State) : FORALL (i: subrange(SR_receiver_index,s`SR_sender_index-1)): LET pdu = s`SR_channel(i) IN NEW_SD?(pdu) IMPLIES s`VT_S > mN_S(pdu)) %-proved using NEW_SD_inv3 NEW_SD_inv2 : LEMMA invariant(LAMBDA(s:State) : FORALL (j,k: subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu_1 = s`SR_channel(j), pdu_2 = s`SR_channel(k) IN NEW_SD?(pdu_1) AND NEW_SD?(pdu_2) AND j < k IMPLIES mN_S(pdu_1) < mN_S(pdu_2)) %-proved using VT_S_GE_VR_H NEW_SD_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(SR_receiver_index,s`SR_sender_index-1)): LET pdu = s`SR_channel(i) IN NEW_SD?(pdu) IMPLIES mN_S(pdu) >= VR_H) %-inductive xMitBuffer_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i:below(s`VT_S)): s`vXmitBuffer`Data(i)`Seq = i) %-idem USTAT_inv1: LEMMA invariant(LAMBDA(s:State) : FORALL (i :subrange(RS_sender_index, RS_receiver_index-1)): let pdu = RS_channel(i) IN USTAT?(pdu) IMPLIES let ustat_list = mList(pdu), bot = ustat_list`Data(1), top = ustat_list`Data(2), vN_R = mN_R(pdu) IN VT_A <= vN_R AND vN_R <= bot AND bot < top AND top < s`VT_S AND (FORALL (j:subrange(bot,top-1)): s`vXmitBuffer`Data(j)`Seq = j)) %proved using NEW_SD_inv3 NEW_SD_POLL2 : LEMMA invariant(LAMBDA(s:State) : FORALL (i,j: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll = s`SR_channel(i), new_sd = s`SR_channel(j) IN POLL?(poll) AND NEW_SD?(new_sd) AND i > j IMPLIES mN_S(poll) > mN_S(new_sd)) END sscop_SD_sender_invariants1 $$$sscop_SD_sender_invariants1.prf (|sscop_SD_sender_invariants1| (|init_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC4| "" 
(SUBTYPE-TCC) NIL NIL) (|init_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC10| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC11| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC12| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC13| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC14| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC15| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC16| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC17| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC18| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC19| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC20| "" (SUBTYPE-TCC) NIL NIL) (VT_S_GE_VR_H "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv5| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|NEW_SD_inv4_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|NEW_SD_inv4| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 ("j" "k")) (("2" (TYPEPRED ("j" "k")) (("2" (GRIND :IF-MATCH NIL) (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL) ("4" (GRIND) NIL NIL) ("5" (GRIND) NIL NIL) ("6" (LEMMA "VT_S_GE_VR_H") (("6" (LEMMA "NEW_SD_inv5") (("6" (EXPAND "invariant") (("6" (INST - "r" "n") (("6" (INST - "r" "n") (("6" (INST - "j") (("6" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "j" "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j" "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "j" "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "j" "k") (("10" (GRIND) NIL NIL)) NIL) ("11" (LEMMA "NEW_SD_inv5") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "j") (("11" (GROUND) (("11" (LEMMA "VT_S_GE_VR_H") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "j" "k") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "j" "k") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "j" "k") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|NEW_SD_inv3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (BETA) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "i") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|NEW_SD_inv2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|NEW_SD_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (BETA) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("j" "k")) (("2" (TYPEPRED ("j" "k")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j" "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j" "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j" "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j" "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j" "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j" "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j" "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j" "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "j" "k") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "NEW_SD_inv3") (("10" (GRIND) NIL NIL)) NIL) ("11" (GRIND) (("11" (LEMMA "NEW_SD_inv3") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "j") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "j" "k") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "j" "k") (("13" (GRIND) NIL NIL)) NIL) ("14" (LEMMA "NEW_SD_inv3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "j") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|NEW_SD_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (BETA) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "VT_S_GE_VR_H") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "VT_S_GE_VR_H") (("10" (GRIND) NIL NIL)) NIL) ("11" (LEMMA "VT_S_GE_VR_H") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "VT_S_GE_VR_H") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|xMitBuffer_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) NIL NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (INST - "i") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|USTAT_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv1_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|USTAT_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (EXPAND* "run" "init") (("1" (FLATTEN) (("1" (BETA) (("1" (PROPAX) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (BETA) (("2" (SKOLEM 1 "i") (("2" (FLATTEN) (("2" (INST - "i") (("2" (GROUND) (("1" (GRIND :IF-MATCH NIL) NIL NIL) ("2" (SKOLEM 1 "j") (("2" (INST - "j") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (NEW_SD_POLL2_TCC1 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL2_TCC2 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL2 "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (BETA) (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + ("j" "k")) (("2" (TYPEPRED ("j" "k")) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j" "k") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j" "k") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j" "k") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j" "k") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j" "k") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j" "k") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j" "k") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j" "k") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "NEW_SD_inv3") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "k") (("9" (GROUND) (("9" (INST - "j" "k") (("9" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("10" (GRIND) (("10" (LEMMA "NEW_SD_inv3") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "k") (("10" (GRIND) NIL NIL)) NIL)) 
NIL)) NIL)) NIL)) NIL) ("11" (INST - "j" "k") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "NEW_SD_inv3") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "k") (("12" (GROUND) (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (GRIND) (("13" (LEMMA "NEW_SD_inv3") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "k") (("13" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (LEMMA "NEW_SD_inv3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "k") (("14" (GROUND) (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("15" (GRIND) (("15" (LEMMA "NEW_SD_inv3") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (INST - "k") (("15" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_sender_invariants4.pvs sscop_SD_sender_invariants4 : THEORY %prove that the protocol is correct - sender's side for new SD and %auxiliary stuff BEGIN IMPORTING sscop_SD_sender_invariants1 %sscop_SD_receiver_invariants1.VT_S_GE_VR_H_aux1 %inductive VR_MR_GE_VR_H: LEMMA invariant(LAMBDA(s:State) : VR_MR >= VR_H) %-inductive indicated_equals_sent_aux: LEMMA invariant(LAMBDA (s: State): VR_H >= VR_R) %-proved using VT_S_GE_VR_H,indicated_equals_sent_aux indicated_equals_sent : LEMMA invariant(LAMBDA(s:State) : FORALL (i: below(VR_R)) : mData(AA_DATA_INDICATION_channel(i)) = s`vXmitBuffer`Data(i)`Payload) %-inductive sent_equals_requested_aux2: LEMMA invariant(LAMBDA(s:State) : (s`vXmitQueue_PtrOut = s`VT_S) AND (s`vXmitQueue_PtrOut <= s`vXmitQueue_PtrIn) AND (s`AA_DATA_REQUEST_channel_index = s`vXmitQueue_PtrIn)) %-proved using sent_equals_requested_aux2 sent_equals_requested_aux1 : LEMMA invariant(LAMBDA(s:State) : FORALL (i 
:below(s`AA_DATA_REQUEST_channel_index)): mData(AA_DATA_REQUEST_channel(i)) = s`vXmitQueue(i)`Payload) %-proved using sent_equals_requested_aux1,sent_equals_requested_aux2 sent_equals_requested: LEMMA invariant(LAMBDA(s:State) : FORALL (i : below(s`VT_S)) : mData(AA_DATA_REQUEST_channel(i)) = s`vXmitBuffer`Data(i)`Payload) %-proved using NEW_SD_inv5, VT_S_GE_VR_H indicated_equals_sent_aux1_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (i:below(VR_MR)) : vRecvBuffer`Arrived(i) IMPLIES vRecvBuffer`Data(i)`Payload = s`vXmitBuffer`Data(i)`Payload) %-sscop_SD_receiver_invariants3.indicated_equals_sent_aux1_aux1 %proved using NEW_SD_inv3 indicated_equals_sent_aux1_aux1 : LEMMA invariant(LAMBDA(s:State) : FORALL (i:subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu = s`SR_channel(i) IN NEW_SD?(pdu) IMPLIES mData(pdu) = s`vXmitBuffer`Data(mN_S(pdu))`Payload) END sscop_SD_sender_invariants4 $$$sscop_SD_sender_invariants4.prf (|sscop_SD_sender_invariants4| (VR_MR_GE_VR_H "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") NIL NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL) ("10" (LEMMA "VT_S_GE_VR_H") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (LEMMA "VT_S_GE_VR_H") (("11" (GRIND) (("11" (LEMMA "indicated_equals_sent_aux") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i") NIL NIL) ("13" (INST - "i") NIL NIL) ("14" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|sent_equals_requested_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -1) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE -1) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE -2) (("4" (SKOLEM 1 "n") (("4" (EXPAND "run_fragment") (("4" (INST - "n") (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|sent_equals_requested_aux1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (LEMMA "sent_equals_requested_aux2") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA "sent_equals_requested_aux2") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL) ("10" (INST - "i") NIL NIL) ("11" (INST - "i") NIL NIL) ("12" (INST - "i") NIL NIL) ("13" (INST - "i") NIL NIL) ("14" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|sent_equals_requested| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") NIL NIL) ("2" (INST - "i") NIL NIL) ("3" (INST - "i") NIL NIL) ("4" (INST - "i") NIL NIL) ("5" (INST - "i") NIL NIL) ("6" (INST - "i") NIL NIL) ("7" (INST - "i") NIL NIL) ("8" (INST - "i") NIL NIL) ("9" (INST - "i") NIL NIL) ("10" (LEMMA "sent_equals_requested_aux1") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "i") (("1" (LEMMA "sent_equals_requested_aux2") (("1" (GRIND) NIL NIL)) NIL) ("2" (LEMMA "sent_equals_requested_aux2") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (LEMMA "sent_equals_requested_aux1") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (LEMMA "sent_equals_requested_aux2") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" 
(INST - "i") (("1" (GRIND) NIL NIL) ("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i") NIL NIL) ("13" (INST - "i") NIL NIL) ("14" (INST - "i") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1_aux2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "NEW_SD_inv5") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "i") (("10" (GROUND) (("10" (LEMMA "VT_S_GE_VR_H") (("10" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) (("11" (LEMMA "VT_S_GE_VR_H") (("11" (LEMMA "NEW_SD_inv5") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "r" "n") (("11" (INST - "i") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|indicated_equals_sent_aux1_aux1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|indicated_equals_sent_aux1_aux1_TCC3| "" (SUBTYPE-TCC) NIL NIL) 
(|indicated_equals_sent_aux1_aux1| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM 1 "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM 1 "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM 1 "i") (("2" (TYPEPRED "i") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i") (("11" (GRIND) (("11" (LEMMA "NEW_SD_inv3") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "i") (("11" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) $$$sscop_SD_sender_invariants6.pvs sscop_SD_sender_invariants6 : THEORY BEGIN IMPORTING sscop_SD_sender_invariants4 %inductive Idle_inv1: LEMMA invariant (LAMBDA (s:State) : (s`pc = Idle IMPLIES (VT_A = s`VT_S AND s`VT_S = s`AA_DATA_REQUEST_channel_index))) %inductive Idle_inv2: LEMMA invariant (LAMBDA (s:State) : (receiver_pc = Idle IMPLIES (VR_R = VR_H))) %inductive final_result_aux : LEMMA invariant (LAMBDA (s:State) : VR_R >= VT_A) %final result, sender's view: when both the sender and the receiver are %in their Idle locations, the request and indication 
sequences are %equal. Proved using sscop_SD_sender_invariants4.indicated_equals_sent, %sscop_SD_sender_invariants4.sent_equals_requested, %sscop_SD_sender_invariants7.final_result_aux, %sscop_SD_sender_invariants7.Idle_inv1, %sscop_SD_sender_invariants7.Idle_inv2, %sscop_SD_sender_invariants4.sent_equals_requested_aux2 %preserved by SD receiver, cf. sscop_SD_receiver_invariants5.final_result final_result: THEOREM invariant(LAMBDA(s:State) : ((s`pc = Idle AND receiver_pc = Idle) IMPLIES FORALL (i : below(s`AA_DATA_REQUEST_channel_index)) : mData(AA_DATA_INDICATION_channel(i)) = mData(AA_DATA_REQUEST_channel(i)))) END sscop_SD_sender_invariants6 $$$sscop_SD_sender_invariants6.prf (|sscop_SD_sender_invariants6| (|Idle_inv1| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|Idle_inv2| "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|final_result_aux| "" (LEMMA "invariant_rule") (("" (INST?) 
(("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|final_result| "" (LEMMA "indicated_equals_sent") (("" (LEMMA "sent_equals_requested") (("" (LEMMA "final_result_aux") (("" (LEMMA "Idle_inv1") (("" (LEMMA "Idle_inv2") (("" (EXPAND "invariant") (("" (SKOLEM + ("r" "n")) (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (INST - "r" "n") (("" (FLATTEN) (("" (ASSERT) (("" (SKOLEM + "i") (("" (INST - "i") (("1" (INST - "i") (("1" (ASSERT) NIL NIL) ("2" (TYPEPRED "i") (("2" (LEMMA "sent_equals_requested_aux2") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL) ("2" (INST - "i") (("1" (TYPEPRED "i") (("1" (ASSERT) NIL NIL)) NIL) ("2" (TYPEPRED "i") (("2" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) $$$runs.pvs runs[State : TYPE, initial : PRED[State], transition : [State, State -> bool]] : THEORY BEGIN %runs are infinite sequences of transition-related states, starting in an initial state run_fragment: pred[sequence[State]] = {r : sequence[State] | FORALL (n : nat): transition(r(n),r(n+1))} run : pred[(run_fragment)] = {r : (run_fragment) | initial(r(0))} r: VAR (run) p :VAR [State->boolean] invariant(p) : bool = FORALL (r : (run), n:nat ): p(r(n)) invariant_rule : LEMMA (FORALL (r : (run)) : p(r(0)) AND FORALL (n : nat) : p(r(n)) IMPLIES p(r(n+1))) IMPLIES invariant(p) END runs $$$runs.prf (|runs| (|invariant_rule| "" (SKOLEM + "p") (("" (FLATTEN) (("" (EXPAND "invariant") (("" (SKOLEM + ("r" "_")) (("" (INST - "r") (("" (INDUCT-AND-SIMPLIFY "n") NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) $$$sscop_datatypes.pvs sscop_datatypes : THEORY % data types for the sscop protocol 
BEGIN Data_Type : TYPE+ SD_PDU_DATA : TYPE = [# Payload : Data_Type, Seq : nat #] %sender's buffer type : an array of SD PDU (including seq number) and % an array of poll seq numbers. The sender's buffer is the sender's window SendBufferDataType : TYPE = [nat -> SD_PDU_DATA] SendBufferSeqType : TYPE = [nat-> nat] SendBufferType:TYPE =[# Data: SendBufferDataType, PollSeq: SendBufferSeqType #] RecvBufferDataType : TYPE = [nat-> SD_PDU_DATA] RecvBufferFlagType : TYPE = [nat-> bool] %receiver buffer's type : an array of SD PDU (includes seq number) %and an array of Boolean flags to indicate arrived data RecvBufferType : TYPE = [#Data : RecvBufferDataType, Arrived : RecvBufferFlagType #] QueueDataType : TYPE = [nat ->SD_PDU_DATA] %queue data type, e.g., for transmission and retransmission queue and from %receiver to env ListDataType : TYPE = [posnat->nat] %list type, for building a STAT PDU ListType : TYPE = [# Length : nat, Data : ListDataType #] %actions Action: DATATYPE BEGIN AA_DATA_REQUEST(mData : Data_Type): AA_DATA_REQUEST? %receive a request to send AA_DATA_INDICATION(mData : Data_Type,mN_S:nat) : AA_DATA_INDICATION? % NEW_SD(mN_S: nat, mData : Data_Type) : NEW_SD? %output a new SD PDU OLD_SD(mN_S: nat, mData : Data_Type) : OLD_SD? %output an old SD PDU POLL(mN_S: nat, mN_PS : nat) : POLL? : POLL? %POLL PDU USTAT(mN_R: nat, mN_MR: nat, mList : ListType) : USTAT? %USTAT PDU STAT(mN_R: nat, mN_MR: nat, mN_PS: nat,mList : ListType): STAT? %STAT PDU MAA_ERROR_WITH_COUNT(mCount:nat) : MAA_ERROR_WITH_COUNT?% error message tau: tau? : tau END Action SD?(a:Action): bool = OLD_SD?(a) OR NEW_SD?(a) SR?(a:Action) : bool = SD?(a) OR POLL?(a) RS?(a:Action) : bool = USTAT?(a) OR STAT?(a) END sscop_datatypes $$$sscop_SD_sender.pvs sscop_SD_sender: THEORY % PVS theory for the SSCOP SD PDU sender component % cf. 
ITU recommendation Q2110 BEGIN IMPORTING sscop_datatypes control: TYPE = {DataTransferReady, DtrPduQueuedUp, DtrReXmit, DtrTestVT_PD, Idle} State : TYPE = [# pc: control, vXmitBuffer: SendBufferType, % sender's window RW vXmitQueue: QueueDataType,%sender's queue RW vXmitQueue_PtrIn : nat,%sender's queue in-pointer RW vXmitQueue_PtrOut: nat,%sender's queue out-pointer RW vReXmitQueue_PtrOut : nat,% sender's retransmission queue out pointer RW VT_S: nat, %next position of SDU PDU to store in sender's window RW VT_PS: nat,%current POLL PDU sequence number RW VT_PD: nat,%stores number of PDU's between POLLs RW SR_channel : [nat ->(SR?)], % sender-receiver channel AA_DATA_REQUEST_channel_index: nat,% index of channel from environment SR_sender_index : nat, %for internal computations (memorize values of messages, etc ) vN_S: nat %RW #] %parameters MaxPD : nat %max number of PDU's between POLLs R VT_MS: nat %top of sender's window R, it is a variable in other components AA_DATA_REQUEST_channel: [nat->(AA_DATA_REQUEST?)] %channel from environment SR_receiver_index: nat %receiver's index in the SR channel vReXmitQueue : QueueDataType % sender's retransmission queue vReXmitQueue_PtrIn : nat %sender's retransmission queue in-pointer VR_H : nat % the highest SD PDU the sender knows about vRecvBuffer: RecvBufferType RS_channel : [nat->(RS?)] RS_sender_index: nat RS_receiver_index: nat VT_A : nat VR_R :nat VR_MR : nat VT_PA : nat AA_DATA_INDICATION_channel: [nat->(AA_DATA_INDICATION?)] vN_S:nat vN_PS:nat receiver_Control: TYPE = {DtrRecvTestSeq,DtrPollSendList,Idle} receiver_pc: receiver_Control vData : Data_Type %initial condition init(s:State) : bool = (s`pc = DataTransferReady AND s`vXmitQueue_PtrIn = 0 AND s`vXmitQueue_PtrOut = 0 AND s`vReXmitQueue_PtrOut = 0 AND s`VT_S = 0 AND s`VT_PS = 0 AND s`VT_PD = 0 AND s`AA_DATA_REQUEST_channel_index = 0 AND s`SR_sender_index = 0) %transition relation trans(s:State, a: Action, s_: State) : bool = %data request: place into transmission 
queue s`pc = DataTransferReady AND AA_DATA_REQUEST?(a) AND a = AA_DATA_REQUEST_channel(s`AA_DATA_REQUEST_channel_index) AND s_ = s WITH [`vXmitQueue_PtrIn := s`vXmitQueue_PtrIn+1, `vXmitQueue(s`vXmitQueue_PtrIn)`Payload := mData(a), `vXmitQueue(s`vXmitQueue_PtrIn)`Seq := s`vXmitQueue_PtrIn, `AA_DATA_REQUEST_channel_index := s`AA_DATA_REQUEST_channel_index+1, `pc := DataTransferReady] %do something only if there is something to transmit or to retransmit OR s`pc = DataTransferReady AND tau?(a) AND (s`vXmitQueue_PtrIn > s`vXmitQueue_PtrOut OR vReXmitQueue_PtrIn > s`vReXmitQueue_PtrOut OR s`VT_S < VT_MS) AND s_ = s WITH [`pc := DtrPduQueuedUp] %otherwise, do nothing OR s`pc = DtrPduQueuedUp AND tau?(a) AND s`vXmitQueue_PtrIn = s`vXmitQueue_PtrOut AND vReXmitQueue_PtrIn = s`vReXmitQueue_PtrOut AND s_ = s WITH [`pc := DataTransferReady] %retransmission queue is not empty: it has priority. Pick a SD PDU in %the retransmission queue (thus, it is OLD) and put it in the SR %(Sender-Receiver) channel, and save its poll sequence number in the %sender's window OR s`pc = DtrPduQueuedUp AND vReXmitQueue_PtrIn > s`vReXmitQueue_PtrOut AND OLD_SD?(a) AND mN_S(a) = vReXmitQueue(s`vReXmitQueue_PtrOut)`Seq AND mData(a) = vReXmitQueue(s`vReXmitQueue_PtrOut)`Payload AND s_ = s WITH [`SR_channel(s`SR_sender_index) := a, `SR_sender_index := s`SR_sender_index+1, `vReXmitQueue_PtrOut := s`vReXmitQueue_PtrOut+1, `vXmitBuffer`PollSeq(mN_S(a)) := s`VT_PS, `pc := DtrReXmit ] %check retransmission queue: there is nothing more to retransmit, then % POLL and go back to initial location OR s`pc = DtrReXmit AND vReXmitQueue_PtrIn = s`vReXmitQueue_PtrOut AND POLL?(a) AND mN_PS(a) = s`VT_PS+1 AND mN_S(a) = s`VT_S AND s_ = s WITH[`VT_PS := s`VT_PS +1, `VT_PD := 0, `SR_channel(s`SR_sender_index) := a, `SR_sender_index := s`SR_sender_index +1, `pc := DataTransferReady] %check retransmission queue: there is still something to retransmit OR s`pc = DtrReXmit AND tau?(a) AND vReXmitQueue_PtrIn > 
s`vReXmitQueue_PtrOut AND s_ = s WITH[`VT_PD := s`VT_PD+1, `pc := DtrTestVT_PD] %retransmission queue is empty, but transmission queue is not. %take a SD PDU from transmission queue only if there is space in the %sender's window, then send it as a NEW SD on the SR channel and save %in the sender's window. OR s`pc = DtrPduQueuedUp AND s`vXmitQueue_PtrIn > s`vXmitQueue_PtrOut AND vReXmitQueue_PtrIn=s`vReXmitQueue_PtrOut AND s`VT_S < VT_MS AND NEW_SD?(a) AND mData(a) = s`vXmitQueue(s`vXmitQueue_PtrOut)`Payload AND mN_S(a) = s`VT_S AND s_ = s WITH [ `vXmitQueue_PtrOut := s`vXmitQueue_PtrOut+1, `SR_channel(s`SR_sender_index) := a, `SR_sender_index := s`SR_sender_index+1, `vXmitBuffer`Data(s`VT_S)`Payload := mData(a), `vXmitBuffer`Data(s`VT_S)`Seq := s`VT_S, `vXmitBuffer`PollSeq(s`VT_S) := s`VT_PS, `VT_S := s`VT_S + 1, `VT_PD := s`VT_PD+1, `pc := DtrTestVT_PD ] %retransmission queue is empty, transmission queue is not, but % there is no space in the sender's window: just do a POLL OR s`pc = DtrPduQueuedUp AND s`vXmitQueue_PtrIn > s`vXmitQueue_PtrOut AND vReXmitQueue_PtrIn = s`vReXmitQueue_PtrOut AND s`VT_S >= VT_MS AND POLL?(a) AND mN_PS(a) = s`VT_PS+1 AND mN_S(a) = s`VT_S AND s_ = s WITH[`VT_PS := s`VT_PS +1, `VT_PD := 0, `SR_channel(s`SR_sender_index) := a, `SR_sender_index := s`SR_sender_index +1, `pc := DataTransferReady] %a POLL is performed systematically after retransmission, or after %transmission if the VT_PD counter has reached MaxPD OR s`pc = DtrTestVT_PD AND s`VT_PD >= MaxPD AND POLL?(a) AND mN_PS(a) = s`VT_PS+1 AND mN_S(a) = s`VT_S AND s_ = s WITH[`VT_PS := s`VT_PS +1, `VT_PD := 0, `SR_channel(s`SR_sender_index) := a, `SR_sender_index := s`SR_sender_index +1, `pc := DataTransferReady] %the VT_PD counter has NOT reached MaxPD: just go back to initial location OR s`pc = DtrTestVT_PD AND tau?(a) AND s`VT_PD < MaxPD AND s_ = s WITH [`pc := DataTransferReady] %if, after a while, there are no more AA_DATA_REQUESTs, the control goes to % an Idle location OR s`pc = 
DataTransferReady AND VT_A = s`VT_S AND s`VT_S = s`AA_DATA_REQUEST_channel_index AND tau?(a) AND s_ = s WITH [`pc := Idle] END sscop_SD_sender $$$sscop_SD_sender.prf (|sscop_SD_sender| (|AA_DATA_REQUEST_channel_TCC1| "" (INST + "LAMBDA (n:nat) : AA_DATA_REQUEST(choose({a:Data_Type | TRUE}))") (("" (GRIND) NIL NIL)) NIL) (|RS_channel_TCC1| "" (INST + "LAMBDA (n:nat) : USTAT(0,0, (# Length :=0, Data := (LAMBDA(x:posnat) : 0) #))") (("" (GRIND) NIL NIL)) NIL) (|AA_DATA_INDICATION_channel_TCC1| "" (INST + "LAMBDA (n:nat) : AA_DATA_INDICATION(choose({a:Data_Type | TRUE}),0)") (("" (GRIND) NIL NIL)) NIL) (|trans_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC10| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC11| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC12| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC13| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC14| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC15| "" (SUBTYPE-TCC) NIL NIL) (|trans_TCC16| "" (SUBTYPE-TCC) NIL NIL)) $$$sscop_SD_sender_invariants2.pvs sscop_SD_sender_invariants2 : THEORY %invariants about the POLL PDUs in the SR channel BEGIN IMPORTING sscop_SD_sender init(s: State): bool = (s`pc = DataTransferReady OR s`pc = Idle) AND % cf. *-VT_S_GE_VR_H, sscop_SD_sender_invariants1.VT_S_GE_VR_H, %*sscop_POLL_receiver_invariants1.VT_S_GE_VR_H, %*sscop_SD_receiver_invariants1.VT_S_GE_VR_H, %sscop_SD_sender_invariants5.indicated_equals_sent_aux1_aux1_aux1 %sscop_STAT_receiver_invariants1.OLD_SD_inv3_aux s`VT_S >= VR_H AND %cf. *-POLL_inv2, sscop_POLL_receiver_invariants1.POLL_inv2 (FORALL (i: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(i) IN POLL?(pdu) IMPLIES s`VT_S >= mN_S(pdu)) AND %cf. 
*-POLL_inv1, sscop_POLL_receiver_invariants1.POLL_inv1 (FORALL (j, k: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu_1 = s`SR_channel(j), pdu_2 = s`SR_channel(k) IN POLL?(pdu_1) AND POLL?(pdu_2) AND j < k IMPLIES mN_S(pdu_1) <= mN_S(pdu_2)) AND %cf. *-POLL_inv0, *sscop_POLL_receiver_invariants1.POLL_inv0 %*sscop_SD_receiver_invariants1.POLL_inv0 (FORALL (i: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(i) IN POLL?(pdu) IMPLIES mN_S(pdu) >= VR_H) AND %cf. *-NEW_SD_POLL and sscop_POLL_receiver_invariants1.NEW_SD_POLL (FORALL (i,j : subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu1 = s`SR_channel(i), pdu2 = s`SR_channel(j) IN NEW_SD?(pdu1) AND POLL?(pdu2) AND i > j IMPLIES mN_S(pdu1) >= mN_S(pdu2)) AND %*-STAT_inv2_aux2_aux4, %sscop_POLL_receiver_invariants3.STAT_inv2_aux2_aux4 (FORALL (j,k: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll1 = s`SR_channel(j), poll2 = s`SR_channel(k) IN POLL?(poll1) AND POLL?(poll2) AND j < k IMPLIES mN_PS(poll1) <= mN_PS(poll2)) AND %*-STAT_inv2_aux2_aux5, %sscop_POLL_receiver_invariants3.STAT_inv2_aux5_aux2, %sscop_SD_sender_invariants5.OLD_SD_inv5_aux4_aux3 (FORALL (j: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll = s`SR_channel(j) IN POLL?(poll) IMPLIES s`VT_PS >= mN_PS(poll)) AND %*-STAT_inv2_aux2, %*sscop_POLL_receiver_invariants3.STAT_inv2_aux2_aux2, %sscop_STAT_receiver_invariants1.STAT_inv2_aux2_aux10 (FORALL (j: subrange(SR_receiver_index, s`SR_sender_index-1), k: subrange(RS_sender_index, RS_receiver_index - 1)): LET poll = s`SR_channel(j), stat = RS_channel(k) IN POLL?(poll) AND STAT?(stat) IMPLIES mN_PS(poll) >= mN_PS(stat)) AND %*-STAT_inv2_aux3, *sscop_POLL_receiver_invariants3.STAT_inv2_aux5 (FORALL (k: subrange(RS_sender_index, RS_receiver_index - 1)): LET stat = RS_channel(k) IN STAT?(stat) IMPLIES s`VT_PS >= mN_PS(stat)) AND %*-STAT_inv2_aux2_aux9, %*sscop_POLL_receiver_invariants3.STAT_inv2_aux2_aux9, 
%*sscop_STAT_receiver_invariants1.STAT_inv2_aux2_aux9 (FORALL (k: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll = s`SR_channel(k) IN POLL?(poll) IMPLIES VT_PA <= mN_PS(poll)) AND %*-STAT_inv2_aux10, %sscop_SD_sender_invariants5.OLD_SD_inv5_aux3_inv1, %*sscop_STAT_receiver_invariants1.OLD_SD_inv5_aux3_inv1 s`VT_PS >= VT_PA AND %*-retrans_inv1_aux3 %*sscop_POLL_receiver_invariants2.retrans_inv1_aux3, %sscop_STAT_receiver_invariants2.retrans_inv1_aux3, %*sscop_SD_receiver_invariants4.retrans_inv1_aux3 (FORALL (k: subrange(RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT vRecvBuffer`Arrived(m) OR s`vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) %AND !!!!!!!!!!!!!!! %sscop_SD_sender_invariants6.Idle_inv1, %sscop_SD_receiver_invariants5.Idle_inv2 %(s`pc = Idle IMPLIES (VT_A = s`VT_S AND s`VT_S = s`AA_DATA_REQUEST_channel_index)) IMPORTING runs[State, init, LAMBDA(s,s_: State): EXISTS(a:Action): trans(s,a,s_)] %-inductive VT_S_GE_VR_H : LEMMA invariant(LAMBDA(s:State): s`VT_S >= VR_H) %-inductive POLL_inv2 : LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu = s`SR_channel(i) IN POLL?(pdu) IMPLIES s`VT_S >= mN_S(pdu)) %-proved using POLL_inv2 POLL_inv1 : LEMMA invariant(LAMBDA (s:State) : FORALL (j,k: subrange(SR_receiver_index,s`SR_sender_index-1)) : LET pdu_1 = s`SR_channel(j), pdu_2 = s`SR_channel(k) IN POLL?(pdu_1) AND POLL?(pdu_2) AND j < k IMPLIES mN_S(pdu_1) <= mN_S(pdu_2)) %-proved using VT_S_GE_VR_H POLL_inv0 : LEMMA invariant(LAMBDA(s:State) : FORALL (i: subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu = s`SR_channel(i) IN POLL?(pdu) IMPLIES mN_S(pdu) >= VR_H) %-proved using POLL_inv2 NEW_SD_POLL : LEMMA invariant(LAMBDA(s:State) : FORALL 
(i,j : subrange(SR_receiver_index, s`SR_sender_index - 1)): LET pdu1 = s`SR_channel(i), pdu2 = s`SR_channel(j) IN NEW_SD?(pdu1) AND POLL?(pdu2) AND i > j IMPLIES mN_S(pdu1) >= mN_S(pdu2)) %-inductive STAT_inv2_aux2_aux5 : LEMMA invariant(LAMBDA(s:State) : FORALL (j: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll = s`SR_channel(j) IN POLL?(poll) IMPLIES s`VT_PS >= mN_PS(poll)) %-proved using STAT_inv2_aux2_aux5 STAT_inv2_aux2_aux4 : LEMMA invariant(LAMBDA(s:State) : FORALL (j,k: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll1 = s`SR_channel(j), poll2 = s`SR_channel(k) IN POLL?(poll1) AND POLL?(poll2) AND j < k IMPLIES mN_PS(poll1) <= mN_PS(poll2)) %-inductive STAT_inv2_aux3: LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, RS_receiver_index - 1)): LET stat = RS_channel(k) IN STAT?(stat) IMPLIES s`VT_PS >= mN_PS(stat)) %-proved using STAT_inv2_aux3 STAT_inv2_aux2: LEMMA invariant(LAMBDA(s:State) : FORALL (j: subrange(SR_receiver_index, s`SR_sender_index-1), k: subrange(RS_sender_index, RS_receiver_index - 1)): LET poll = s`SR_channel(j), stat = RS_channel(k) IN POLL?(poll) AND STAT?(stat) IMPLIES mN_PS(poll) >= mN_PS(stat)) %-inductive STAT_inv2_aux10 : LEMMA invariant(LAMBDA(s:State) : s`VT_PS >= VT_PA) %-proved using STAT_inv2_aux10 STAT_inv2_aux9 : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(SR_receiver_index, s`SR_sender_index-1)): LET poll = s`SR_channel(k) IN POLL?(poll) IMPLIES VT_PA <= mN_PS(poll)) %-proved using STAT_inv2_aux3 retrans_inv1_aux3 : LEMMA invariant(LAMBDA(s:State) : FORALL (k: subrange(RS_sender_index, RS_receiver_index - 1)): LET pdu = RS_channel(k) IN STAT?(pdu) IMPLIES LET statlist = mList(pdu) IN statlist`Length >= 2 IMPLIES (FORALL (l: upto(statlist`Length - 2)): even?(l) IMPLIES LET elt1 = statlist`Data(l + 1), elt2 = statlist`Data(l + 2) IN FORALL (m: subrange(elt1,elt2-1)): NOT vRecvBuffer`Arrived(m) OR s`vXmitBuffer`PollSeq(m) >= mN_PS(pdu))) END sscop_SD_sender_invariants2 
$$$sscop_SD_sender_invariants2.prf (|sscop_SD_sender_invariants2| (|init_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC3| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC4| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC5| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC6| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC7| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC8| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC9| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC10| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC11| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC12| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC13| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC14| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC15| "" (SUBTYPE-TCC) NIL NIL) (|init_TCC16| "" (SUBTYPE-TCC) NIL NIL) (VT_S_GE_VR_H "" (LEMMA "invariant_rule") (("" (INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|POLL_inv2_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv2_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "i!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "i!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i!1") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|POLL_inv1_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv1_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|POLL_inv1| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j!1" "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j!1" "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j!1" "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j!1" "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j!1" "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j!1" "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j!1" "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j!1" "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "POLL_inv2") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "j!1") (("9" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("10" (GRIND) (("10" (LEMMA "POLL_inv2") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "j!1") (("10" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "j!1" "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "POLL_inv2") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "j!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (GRIND) (("13" (LEMMA "POLL_inv2") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "j!1") (("13" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (LEMMA "POLL_inv2") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "j!1") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (GRIND) (("15" (LEMMA "POLL_inv2") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (INST - "j!1") (("15" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "j!1" "k!1") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) 
(("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|POLL_inv0| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "VT_S_GE_VR_H") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "VT_S_GE_VR_H") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "i!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "VT_S_GE_VR_H") (("12" (GRIND) NIL NIL)) NIL) ("13" (LEMMA "VT_S_GE_VR_H") (("13" (GRIND) NIL NIL)) NIL) ("14" (LEMMA "VT_S_GE_VR_H") (("14" (GRIND) NIL NIL)) NIL) ("15" (LEMMA "VT_S_GE_VR_H") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "i!1") (("16" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (NEW_SD_POLL_TCC1 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL_TCC2 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL_TCC3 "" (SUBTYPE-TCC) NIL NIL) (NEW_SD_POLL "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "i!1" "j!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "i!1" "j!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "i!1" "j!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "i!1" "j!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "i!1" "j!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "i!1" "j!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "i!1" "j!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "i!1" "j!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "i!1" "j!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "POLL_inv2") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "j!1") (("10" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("11" (GRIND) (("11" (LEMMA "POLL_inv2") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "j!1") (("11" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "i!1" "j!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "i!1" "j!1") (("13" (GRIND) NIL NIL)) NIL) ("14" (INST - "i!1" "j!1") (("14" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux5_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux5| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "j!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "j!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "j!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "j!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "j!1") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2_aux4_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux2_aux4| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j!1" "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j!1" "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j!1" "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j!1" "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j!1" "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j!1" "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j!1" "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j!1" "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "STAT_inv2_aux2_aux5") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "j!1") (("9" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("10" (LEMMA "STAT_inv2_aux2_aux5") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "j!1") (("10" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "j!1" "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "STAT_inv2_aux2_aux5") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "j!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (GRIND) (("13" (LEMMA "STAT_inv2_aux2_aux5") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "j!1") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (LEMMA "STAT_inv2_aux2_aux5") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "j!1") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (GRIND) (("15" (LEMMA "STAT_inv2_aux2_aux5") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (INST - "j!1") (("15" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "j!1" "k!1") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" 
(GRIND) NIL NIL)) NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|STAT_inv2_aux3| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (INST - "k!1") (("9" (GRIND) NIL NIL)) NIL) ("10" (INST - "k!1") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (INST - "k!1") (("12" (GRIND) NIL NIL)) NIL) ("13" (INST - "k!1") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux2| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "j!1" "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "j!1" "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "j!1" "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "j!1" "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "j!1" "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "j!1" "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "j!1" "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "j!1" "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "STAT_inv2_aux3") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "k!1") (("9" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("10" (LEMMA "STAT_inv2_aux3") (("10" (EXPAND "invariant") (("10" (INST - "r" "n") (("10" (INST - "k!1") (("10" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("11" (INST - "j!1" "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "STAT_inv2_aux3") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "k!1") (("12" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("13" (LEMMA "STAT_inv2_aux3") (("13" (EXPAND "invariant") (("13" (INST - "r" "n") (("13" (INST - "k!1") (("13" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("14" (LEMMA "STAT_inv2_aux3") (("14" (EXPAND "invariant") (("14" (INST - "r" "n") (("14" (INST - "k!1") (("14" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("15" (LEMMA "STAT_inv2_aux3") (("15" (EXPAND "invariant") (("15" (INST - "r" "n") (("15" (INST - "k!1") (("15" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL) ("16" (INST - "j!1" "k!1") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (GRIND) NIL NIL) ("3" (GRIND) NIL NIL) ("4" (GRIND) NIL NIL) ("5" (HIDE 2) (("5" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux10| "" (LEMMA "invariant_rule") (("" 
(INST?) (("" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (EXPAND "run_fragment") (("2" (SKOLEM + "n") (("2" (INST - "n") (("2" (GRIND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) (|STAT_inv2_aux9| "" (LEMMA "invariant_rule") (("" (INST?) (("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k!1") (("1" (GRIND) NIL NIL)) NIL) ("2" (INST - "k!1") (("2" (GRIND) NIL NIL)) NIL) ("3" (INST - "k!1") (("3" (GRIND) NIL NIL)) NIL) ("4" (INST - "k!1") (("4" (GRIND) NIL NIL)) NIL) ("5" (INST - "k!1") (("5" (GRIND) NIL NIL)) NIL) ("6" (INST - "k!1") (("6" (GRIND) NIL NIL)) NIL) ("7" (INST - "k!1") (("7" (GRIND) NIL NIL)) NIL) ("8" (INST - "k!1") (("8" (GRIND) NIL NIL)) NIL) ("9" (LEMMA "STAT_inv2_aux10") (("9" (GRIND) NIL NIL)) NIL) ("10" (LEMMA "STAT_inv2_aux10") (("10" (GRIND) NIL NIL)) NIL) ("11" (INST - "k!1") (("11" (GRIND) NIL NIL)) NIL) ("12" (LEMMA "STAT_inv2_aux10") (("12" (GRIND) NIL NIL)) NIL) ("13" (LEMMA "STAT_inv2_aux10") (("13" (GRIND) NIL NIL)) NIL) ("14" (LEMMA "STAT_inv2_aux10") (("14" (GRIND) NIL NIL)) NIL) ("15" (LEMMA "STAT_inv2_aux10") (("15" (GRIND) NIL NIL)) NIL) ("16" (INST - "k!1") (("16" (ASSERT) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL)) NIL)) NIL) (|retrans_inv1_aux3_TCC1| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3_TCC2| "" (SUBTYPE-TCC) NIL NIL) (|retrans_inv1_aux3| "" (LEMMA "invariant_rule") (("" (INST?) 
(("1" (SPLIT) (("1" (PROPAX) NIL NIL) ("2" (HIDE 2) (("2" (SKOLEM + "r") (("2" (TYPEPRED "r") (("2" (SPLIT) (("1" (HIDE -1) (("1" (GRIND) NIL NIL)) NIL) ("2" (HIDE -2) (("2" (SKOLEM + "n") (("2" (EXPAND "run_fragment") (("2" (INST - "n") (("2" (FLATTEN) (("2" (SKOLEM + "k") (("2" (BETA) (("2" (FLATTEN) (("2" (SKOLEM + "l") (("2" (TYPEPRED "l") (("2" (GROUND) (("2" (SKOLEM + "m") (("2" (TYPEPRED "m") (("2" (GRIND :IF-MATCH NIL) (("1" (INST - "k") (("1" (GROUND) (("1" (INST - "l") (("1" (GROUND) (("1" (INST - "m") (("1" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (INST - "k") (("2" (GROUND) (("2" (INST - "l") (("2" (GROUND) (("2" (INST - "m") (("2" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("3" (INST - "k") (("3" (GROUND) (("3" (INST - "l") (("3" (GROUND) (("3" (INST - "m") (("3" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("4" (INST - "k") (("4" (GROUND) (("4" (INST - "l") (("4" (GROUND) (("4" (INST - "m") (("4" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("5" (INST - "k") (("5" (GROUND) (("5" (INST - "l") (("5" (GROUND) (("5" (INST - "m") (("5" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("6" (INST - "k") (("6" (GROUND) (("6" (INST - "l") (("6" (GROUND) (("6" (INST - "m") (("6" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("7" (INST - "k") (("7" (GROUND) (("7" (INST - "l") (("7" (GROUND) (("7" (INST - "m") (("7" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("8" (INST - "k") (("8" (GROUND) (("8" (INST - "l") (("8" (GROUND) (("8" (INST - "m") (("8" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("9" (INST - "k") (("9" (GROUND) (("9" (INST - "l") (("9" (GROUND) (("9" (INST - "m") (("9" (GROUND) (("9" (LEMMA "STAT_inv2_aux3") (("9" (EXPAND "invariant") (("9" (INST - "r" "n") (("9" (INST - "k") (("9" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("10" (INST - "k") (("10" (GROUND) (("10" (INST - "l") (("10" (GROUND) (("10" (INST - "m") (("10" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("11" (LEMMA 
"STAT_inv2_aux3") (("11" (EXPAND "invariant") (("11" (INST - "r" "n") (("11" (INST - "k") (("11" (GROUND) (("11" (INST - "k") (("11" (GROUND) (("11" (INST - "l") (("11" (GROUND) (("11" (INST - "m") (("11" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("12" (INST - "k") (("12" (GROUND) (("12" (INST - "l") (("12" (GROUND) (("12" (INST - "m") (("12" (GROUND) (("12" (LEMMA "STAT_inv2_aux3") (("12" (EXPAND "invariant") (("12" (INST - "r" "n") (("12" (INST - "k") (("12" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("13" (INST - "k") (("13" (GROUND) (("13" (INST - "l") (("13" (GROUND) (("13" (INST - "m") (("13" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("14" (INST - "k") (("14" (GROUND) (("14" (INST - "l") (("14" (GROUND) (("14" (INST - "m") (("14" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("15" (INST - "k") (("15" (GROUND) (("15" (INST - "l") (("15" (GROUND) (("15" (INST - "m") (("15" (GROUND) NIL NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL)) NIL) ("2" (HIDE 2) (("2" (GRIND) NIL NIL)) NIL) ("3" (HIDE 2) (("3" (GRIND) NIL NIL)) NIL) ("4" (HIDE 2) (("4" (GRIND) NIL NIL)) NIL)) NIL)) NIL))