explicitly described states
Consider a scenario where arbitrarily many PCs are connected to a Cloud in order to exchange messages – for simplicity, we treat these messages as natural values. Each of the PCs can fetch the latest value from the cloud, compare it with their own value, and update the Cloud or their own value depending on which is larger; see the Cloud in images.
For the Cloud example we are interested in verifying the following property:
If a PC is in updated state, then the values of Cloud and PC agree.
This is achieved in three main steps.
We prove the following five invariants by simulteneous induction. Each of them shows that certain values of the attributes of the system are jointly inconsistent.
idlec
.
ceq [inv1]: true = false if [< idlec,CV:Nat >,< updated,PV:Nat,TMP:Nat > A:MSet]: Reach .
gotval
then the status of Cloud cannot be idlec
.
ceq [inv2]: true = false if [< idlec,CV:Nat >,< gotvalue,PV:Nat,TMP:Nat > A:MSet]: Reach .
updated
and gotval
.
ceq [inv3]: true = false if [< CS:C-Status,CV:Nat >,< gotvalue,PV1:Nat,TMP1:Nat > < gotvalue,PV2:Nat,TMP2:Nat > A:MSet]: Reach .
gotval
.
ceq [inv4]: true = false if [< CS:C-Status,CV:Nat >,< gotvalue,PV1:Nat,TMP1:Nat > < updated,PV2:Nat,TMP2:Nat > A:MSet]: Reach .
updated
.
ceq [inv5]: true = false if [< CS:C-Status,CV:Nat >,< updated,PV1:Nat,TMP1:Nat > < updated,PV2:Nat,TMP2:Nat > A:MSet]: Reach .
See inv.maude for the full proof.
We prove another invariant, inv6, using the five results above as lemmas.
gotval
, then its temporal value is equal to the value of the Cloud.
ceq [inv6]: CV:Nat = TMP:Nat if [< CS:C-Status,CV:Nat >, < gotvalue,PV:Nat,TMP:Nat > A:MSet]: Reach .
See inv6.maude for the full proof.
The property of interest is formalized as follows:
updated
, then its value is equal to that of the Cloud.
ceq [goal]: CV:Nat = PV:Nat if [< CS:C-Status,CV:Nat >, < updated,PV:Nat,TMP:Nat > A:MSet]: Reach .
See goal.maude for the full proof.