From 3db13be766c27930c823a7eb12cef8e729056a26 Mon Sep 17 00:00:00 2001 From: Haniel Barbosa Date: Sat, 2 Mar 2024 02:35:15 -0300 Subject: [PATCH] alessio benchmarks --- Allocator.tlaps/tlapm_0803d7.smt | 381 ++++++++++++++++++++++ Allocator.tlaps/tlapm_099ad8.smt | 465 ++++++++++++++++++++++++++ Allocator.tlaps/tlapm_0a355e.smt | 292 +++++++++++++++++ Allocator.tlaps/tlapm_0ad495.smt | 123 +++++++ Allocator.tlaps/tlapm_0b9140.smt | 232 +++++++++++++ Allocator.tlaps/tlapm_1d08e0.smt | 516 +++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_2197e4.smt | 184 +++++++++++ Allocator.tlaps/tlapm_23bce6.smt | 518 +++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_3cbc97.smt | 216 ++++++++++++ Allocator.tlaps/tlapm_4222fc.smt | 544 +++++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_4561b7.smt | 218 +++++++++++++ Allocator.tlaps/tlapm_48700e.smt | 263 +++++++++++++++ Allocator.tlaps/tlapm_4b71cb.smt | 389 ++++++++++++++++++++++ Allocator.tlaps/tlapm_4d89a4.smt | 514 +++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_50579e.smt | 238 ++++++++++++++ Allocator.tlaps/tlapm_5473da.smt | 356 ++++++++++++++++++++ Allocator.tlaps/tlapm_5cb998.smt | 237 ++++++++++++++ Allocator.tlaps/tlapm_5ef628.smt | 467 ++++++++++++++++++++++++++ Allocator.tlaps/tlapm_6f89fe.smt | 404 +++++++++++++++++++++++ Allocator.tlaps/tlapm_81962a.smt | 367 +++++++++++++++++++++ Allocator.tlaps/tlapm_81e00a.smt | 406 +++++++++++++++++++++++ Allocator.tlaps/tlapm_9deec9.smt | 542 ++++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_a0df54.smt | 497 ++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_ae2802.smt | 280 ++++++++++++++++ Allocator.tlaps/tlapm_ae2a83.smt | 509 +++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_b01e66.smt | 151 +++++++++ Allocator.tlaps/tlapm_c42a04.smt | 293 +++++++++++++++++ Allocator.tlaps/tlapm_c85796.smt | 392 ++++++++++++++++++++++ Allocator.tlaps/tlapm_ce8057.smt | 499 ++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_dbde78.smt | 438 +++++++++++++++++++++++++ Allocator.tlaps/tlapm_dd19c4.smt | 383 ++++++++++++++++++++++ Allocator.tlaps/tlapm_e03cb1.smt | 460 ++++++++++++++++++++++++++ Allocator.tlaps/tlapm_e8eaa3.smt | 520 +++++++++++++++++++++++++++++ Allocator.tlaps/tlapm_f52471.smt | 189 +++++++++++ Allocator.tlaps/tlapm_f84230.smt | 458 ++++++++++++++++++++++++++ Allocator.tlaps/tlapm_fa32ac.smt | 259 +++++++++++++++ 36 files changed, 13200 insertions(+) create mode 100644 Allocator.tlaps/tlapm_0803d7.smt create mode 100644 Allocator.tlaps/tlapm_099ad8.smt create mode 100644 Allocator.tlaps/tlapm_0a355e.smt create mode 100644 Allocator.tlaps/tlapm_0ad495.smt create mode 100644 Allocator.tlaps/tlapm_0b9140.smt create mode 100644 Allocator.tlaps/tlapm_1d08e0.smt create mode 100644 Allocator.tlaps/tlapm_2197e4.smt create mode 100644 Allocator.tlaps/tlapm_23bce6.smt create mode 100644 Allocator.tlaps/tlapm_3cbc97.smt create mode 100644 Allocator.tlaps/tlapm_4222fc.smt create mode 100644 Allocator.tlaps/tlapm_4561b7.smt create mode 100644 Allocator.tlaps/tlapm_48700e.smt create mode 100644 Allocator.tlaps/tlapm_4b71cb.smt create mode 100644 Allocator.tlaps/tlapm_4d89a4.smt create mode 100644 Allocator.tlaps/tlapm_50579e.smt create mode 100644 Allocator.tlaps/tlapm_5473da.smt create mode 100644 Allocator.tlaps/tlapm_5cb998.smt create mode 100644 Allocator.tlaps/tlapm_5ef628.smt create mode 100644 Allocator.tlaps/tlapm_6f89fe.smt create mode 100644 Allocator.tlaps/tlapm_81962a.smt create mode 100644 Allocator.tlaps/tlapm_81e00a.smt create mode 100644 Allocator.tlaps/tlapm_9deec9.smt create mode 100644 Allocator.tlaps/tlapm_a0df54.smt create mode 100644 Allocator.tlaps/tlapm_ae2802.smt create mode 100644 Allocator.tlaps/tlapm_ae2a83.smt create mode 100644 Allocator.tlaps/tlapm_b01e66.smt create mode 100644 Allocator.tlaps/tlapm_c42a04.smt create mode 100644 Allocator.tlaps/tlapm_c85796.smt create mode 100644 Allocator.tlaps/tlapm_ce8057.smt create mode 100644 Allocator.tlaps/tlapm_dbde78.smt create mode 100644 Allocator.tlaps/tlapm_dd19c4.smt create mode 100644 Allocator.tlaps/tlapm_e03cb1.smt create mode 100644 Allocator.tlaps/tlapm_e8eaa3.smt create mode 100644 Allocator.tlaps/tlapm_f52471.smt create mode 100644 Allocator.tlaps/tlapm_f84230.smt create mode 100644 Allocator.tlaps/tlapm_fa32ac.smt diff --git a/Allocator.tlaps/tlapm_0803d7.smt b/Allocator.tlaps/tlapm_0803d7.smt new file mode 100644 index 00000000000..1643e1a7b02 --- /dev/null +++ b/Allocator.tlaps/tlapm_0803d7.smt @@ -0,0 +1,381 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ \A CONSTANT_c1__1, CONSTANT_c2__1 \in CONSTANT_Client_ : +;; \A CONSTANT_r__1 \in CONSTANT_Resource_ : +;; CONSTANT_r__1 +;; \in VARIABLE_alloc_[CONSTANT_c1__1] +;; \cap VARIABLE_alloc_[CONSTANT_c2__1] +;; => CONSTANT_c1__1 = CONSTANT_c2__1 +;; /\ ACTION_Return_(CONSTANT_clt_, CONSTANT_S_) +;; /\ CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \subseteq VARIABLE_alloc_[CONSTANT_c1_] , +;; ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; \subseteq VARIABLE_alloc_[CONSTANT_c2_] +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #22 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 202, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (forall ((smt__CONSTANT___c1____1 Idv) (smt__CONSTANT___c2____1 Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1____1 + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2____1 + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r____1 Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1____1) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2____1))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1____1 + smt__CONSTANT___c2____1)))))) + (= (smt__ACTION___Return___ smt__CONSTANT___clt___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv) + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))))) + +(assert + (smt__TLA______SubsetEq + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___))) + +(assert + (smt__TLA______SubsetEq + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___))) + +;; Goal +(assert + (! + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___)) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_099ad8.smt b/Allocator.tlaps/tlapm_099ad8.smt new file mode 100644 index 00000000000..2433e864adf --- /dev/null +++ b/Allocator.tlaps/tlapm_099ad8.smt @@ -0,0 +1,465 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ \subseteq VARIABLE_alloc_[CONSTANT_clt_] +;; /\ CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] \ CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime = VARIABLE_unsat_ +;; PROVE ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \subseteq VARIABLE_alloc_[CONSTANT_c1_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #27 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 196, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___))) + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + smt__VARIABLE___unsat___)) + +;; Goal +(assert + (! + (not + (smt__TLA______SubsetEq + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_0a355e.smt b/Allocator.tlaps/tlapm_0a355e.smt new file mode 100644 index 00000000000..be1b95746c7 --- /dev/null +++ b/Allocator.tlaps/tlapm_0a355e.smt @@ -0,0 +1,292 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_ +;; PROVE (/\ VARIABLE_unsat_ = [CONSTANT_c_ \in CONSTANT_Client_ |-> {}] +;; /\ VARIABLE_alloc_ = [CONSTANT_c_ \in CONSTANT_Client_ |-> {}]) +;; => (/\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #1 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 128, characters 1-2 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +(declare-fun smt__TLA______FunFcn___flatnd___1 (Idv) Idv) + +;; Axiom: FunConstrIsafcn TLA__FunFcn_flatnd_1 +(assert + (! + (forall ((smt__a Idv)) + (! (smt__TLA______FunIsafcn (smt__TLA______FunFcn___flatnd___1 smt__a)) + :pattern ((smt__TLA______FunFcn___flatnd___1 smt__a)))) + :named |FunConstrIsafcn TLA__FunFcn_flatnd_1|)) + +;; Axiom: FunDomDef TLA__FunFcn_flatnd_1 +(assert + (! + (forall ((smt__a Idv)) + (! + (= (smt__TLA______FunDom (smt__TLA______FunFcn___flatnd___1 smt__a)) + smt__a) :pattern ((smt__TLA______FunFcn___flatnd___1 smt__a)))) + :named |FunDomDef TLA__FunFcn_flatnd_1|)) + +;; Axiom: FunAppDef TLA__FunFcn_flatnd_1 +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (=> (smt__TLA______Mem smt__x smt__a) + (= + (smt__TLA______FunApp (smt__TLA______FunFcn___flatnd___1 smt__a) + smt__x) smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunFcn___flatnd___1 smt__a) smt__x)) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______FunFcn___flatnd___1 smt__a)))) + :named |FunAppDef TLA__FunFcn_flatnd_1|)) + +;; Axiom: FunTyping TLA__FunFcn_flatnd_1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv)) + (! + (=> + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__TLA______SetEnum___0 smt__b))) + (smt__TLA______Mem (smt__TLA______FunFcn___flatnd___1 smt__a) + (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______FunFcn___flatnd___1 smt__a) + (smt__TLA______FunSet smt__a smt__b)))) + :named |FunTyping TLA__FunFcn_flatnd_1|)) + +;; Goal +(assert + (! + (not + (=> + (and + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat___ + (smt__TLA______FunFcn___flatnd___1 smt__CONSTANT___Client___)) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc___ + (smt__TLA______FunFcn___flatnd___1 smt__CONSTANT___Client___))) + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_0ad495.smt b/Allocator.tlaps/tlapm_0ad495.smt new file mode 100644 index 00000000000..80525402b6c --- /dev/null +++ b/Allocator.tlaps/tlapm_0ad495.smt @@ -0,0 +1,123 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; ASSUME STATE_TypeInvariant_ , +;; ACTION_Next_ +;; PROVE ?h12c0a , +;; STATE_TypeInvariant_ /\ ?h6fbaa = STATE_vars_ => ?h12c0a +;; PROVE STATE_TypeInvariant_ /\ (ACTION_Next_ \/ ?h6fbaa = STATE_vars_) +;; => ?h12c0a +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #5 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 165, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Anon___OPAQUE___h12c0a () Idv) + +(declare-fun smt__TLA______Anon___OPAQUE___h6fbaa () Idv) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (=> (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (=> (= smt__ACTION___Next___ smt__TLA______Tt___Idv) + (= smt__TLA______Anon___OPAQUE___h12c0a smt__TLA______Tt___Idv)))) + +(assert + (=> + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (smt__TLA______TrigEq___Idv smt__TLA______Anon___OPAQUE___h6fbaa + smt__STATE___vars___)) + (= smt__TLA______Anon___OPAQUE___h12c0a smt__TLA______Tt___Idv))) + +;; Goal +(assert + (! + (not + (=> + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (or (= smt__ACTION___Next___ smt__TLA______Tt___Idv) + (smt__TLA______TrigEq___Idv smt__TLA______Anon___OPAQUE___h6fbaa + smt__STATE___vars___))) + (= smt__TLA______Anon___OPAQUE___h12c0a smt__TLA______Tt___Idv))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_0b9140.smt b/Allocator.tlaps/tlapm_0b9140.smt new file mode 100644 index 00000000000..cad5df0a443 --- /dev/null +++ b/Allocator.tlaps/tlapm_0b9140.smt @@ -0,0 +1,232 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; ASSUME ~(CONSTANT_c1_ = CONSTANT_clt_ \/ CONSTANT_c2_ = CONSTANT_clt_) +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ , +;; ASSUME CONSTANT_c1_ = CONSTANT_clt_ +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ , +;; ASSUME CONSTANT_c2_ = CONSTANT_clt_ +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #31 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 277, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (=> + (not + (or + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___clt___) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c2___ + smt__CONSTANT___clt___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(assert + (=> + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___clt___) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(assert + (=> + (smt__TLA______TrigEq___Idv smt__CONSTANT___c2___ smt__CONSTANT___clt___) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +;; Goal +(assert + (! + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___)) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_1d08e0.smt b/Allocator.tlaps/tlapm_1d08e0.smt new file mode 100644 index 00000000000..06971b87edd --- /dev/null +++ b/Allocator.tlaps/tlapm_1d08e0.smt @@ -0,0 +1,516 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_r_ \notin VARIABLE_alloc_[CONSTANT_c1_] , +;; CONSTANT_r_ \notin CONSTANT_S_ +;; PROVE CONSTANT_r_ \notin ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #73 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 247, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___)))) + +(assert (not (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___S___))) + +;; Goal +(assert + (! + (not + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___)))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_2197e4.smt b/Allocator.tlaps/tlapm_2197e4.smt new file mode 100644 index 00000000000..cf8b501c2b8 --- /dev/null +++ b/Allocator.tlaps/tlapm_2197e4.smt @@ -0,0 +1,184 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; ASSUME STATE_TypeInvariant_ , +;; STATE_Mutex_ , +;; ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) +;; PROVE ?h93432 +;; PROVE STATE_TypeInvariant_ /\ STATE_Mutex_ +;; /\ ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) => ?h93432 +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #35 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 214, characters 3-9 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Anon___OPAQUE___h93432 () Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +(assert + (=> (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (=> (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (=> + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv))))) + +;; Goal +(assert + (! + (not + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv)) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_23bce6.smt b/Allocator.tlaps/tlapm_23bce6.smt new file mode 100644 index 00000000000..228d5d3327f --- /dev/null +++ b/Allocator.tlaps/tlapm_23bce6.smt @@ -0,0 +1,518 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_r_ \notin VARIABLE_alloc_[CONSTANT_c2_] , +;; CONSTANT_r_ \notin CONSTANT_S_ +;; PROVE CONSTANT_r_ \notin ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #105 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 270, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___)))) + +(assert (not (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___S___))) + +;; Goal +(assert + (! + (not + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_3cbc97.smt b/Allocator.tlaps/tlapm_3cbc97.smt new file mode 100644 index 00000000000..7d7a9d23554 --- /dev/null +++ b/Allocator.tlaps/tlapm_3cbc97.smt @@ -0,0 +1,216 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; ASSUME CONSTANT_c1_ # CONSTANT_c2_ +;; PROVE FALSE +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #54 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 233, characters 5-11 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (=> + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___)) + false)) + +;; Goal +(assert + (! + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___)) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_4222fc.smt b/Allocator.tlaps/tlapm_4222fc.smt new file mode 100644 index 00000000000..7a3e4a6e004 --- /dev/null +++ b/Allocator.tlaps/tlapm_4222fc.smt @@ -0,0 +1,544 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; CONSTANT_c1_ # CONSTANT_c2_ , +;; ?VARIABLE_alloc_#prime[CONSTANT_c1_] = VARIABLE_alloc_[CONSTANT_c1_] , +;; CONSTANT_r_ \notin VARIABLE_alloc_[CONSTANT_c2_] , +;; CONSTANT_r_ \notin STATE_available_ , +;; CONSTANT_r_ \notin CONSTANT_S_ , +;; CONSTANT_r_ \notin ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; PROVE FALSE +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #77 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 273, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___))) + +(assert + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___)))) + +(assert + (not (smt__TLA______Mem smt__CONSTANT___r___ smt__STATE___available___))) + +(assert (not (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___S___))) + +(assert + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +;; Goal +(assert (! (not false) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_4561b7.smt b/Allocator.tlaps/tlapm_4561b7.smt new file mode 100644 index 00000000000..a297297e7a6 --- /dev/null +++ b/Allocator.tlaps/tlapm_4561b7.smt @@ -0,0 +1,218 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; ASSUME CONSTANT_c1_ # CONSTANT_c2_ +;; PROVE FALSE +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #86 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 256, characters 5-11 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (=> + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___)) + false)) + +;; Goal +(assert + (! + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___)) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_48700e.smt b/Allocator.tlaps/tlapm_48700e.smt new file mode 100644 index 00000000000..f47326ecbc1 --- /dev/null +++ b/Allocator.tlaps/tlapm_48700e.smt @@ -0,0 +1,263 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; ?VARIABLE_unsat_#prime = VARIABLE_unsat_ , +;; ?VARIABLE_alloc_#prime = VARIABLE_alloc_ +;; PROVE STATE_TypeInvariant_ +;; /\ (\A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in VARIABLE_alloc_[CONSTANT_c1_] +;; \cap VARIABLE_alloc_[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_) +;; /\ (ACTION_Next_ +;; \/ (/\ ?VARIABLE_unsat_#prime = VARIABLE_unsat_ +;; /\ ?VARIABLE_alloc_#prime = VARIABLE_alloc_)) +;; => (\A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #117 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 283, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + smt__VARIABLE___unsat___)) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + smt__VARIABLE___alloc___)) + +;; Goal +(assert + (! + (not + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___))))))) + (or (= smt__ACTION___Next___ smt__TLA______Tt___Idv) + (and + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + smt__VARIABLE___unsat___) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + smt__VARIABLE___alloc___)))) + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___)))))))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_4b71cb.smt b/Allocator.tlaps/tlapm_4b71cb.smt new file mode 100644 index 00000000000..9cad35a5d82 --- /dev/null +++ b/Allocator.tlaps/tlapm_4b71cb.smt @@ -0,0 +1,389 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_c_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_ +;; PROVE (/\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; /\ (/\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ \subseteq VARIABLE_alloc_[CONSTANT_c_] +;; /\ ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_c_] = VARIABLE_alloc_[CONSTANT_c_] +;; \ CONSTANT_S_] +;; /\ ?VARIABLE_unsat_#prime = VARIABLE_unsat_) +;; => (/\ ?VARIABLE_unsat_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ ?VARIABLE_alloc_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #4 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 146, characters 1-2 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +;; Goal +(assert + (! + (not + (=> + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (and + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c___))) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ + smt__CONSTANT___c___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c___) smt__CONSTANT___S___))) + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + smt__VARIABLE___unsat___))) + (and + (smt__TLA______Mem smt__VARIABLE___unsat______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_4d89a4.smt b/Allocator.tlaps/tlapm_4d89a4.smt new file mode 100644 index 00000000000..f94c7ebbc48 --- /dev/null +++ b/Allocator.tlaps/tlapm_4d89a4.smt @@ -0,0 +1,514 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; ASSUME CONSTANT_c1_ = CONSTANT_clt_ +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ , +;; CONSTANT_c1_ # CONSTANT_c2_ +;; PROVE ?VARIABLE_alloc_#prime[CONSTANT_c1_] = VARIABLE_alloc_[CONSTANT_c1_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #87 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 258, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (=> + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___clt___) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +;; Goal +(assert + (! + (not + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_50579e.smt b/Allocator.tlaps/tlapm_50579e.smt new file mode 100644 index 00000000000..110938a48e5 --- /dev/null +++ b/Allocator.tlaps/tlapm_50579e.smt @@ -0,0 +1,238 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_ +;; PROVE (/\ VARIABLE_unsat_ = [CONSTANT_c_ \in CONSTANT_Client_ |-> {}] +;; /\ VARIABLE_alloc_ = [CONSTANT_c_ \in CONSTANT_Client_ |-> {}]) +;; => (\A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in VARIABLE_alloc_[CONSTANT_c1_] +;; \cap VARIABLE_alloc_[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #20 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 173, characters 1-2 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__TLA______FunFcn___flatnd___1 (Idv) Idv) + +;; Axiom: FunConstrIsafcn TLA__FunFcn_flatnd_1 +(assert + (! + (forall ((smt__a Idv)) + (! (smt__TLA______FunIsafcn (smt__TLA______FunFcn___flatnd___1 smt__a)) + :pattern ((smt__TLA______FunFcn___flatnd___1 smt__a)))) + :named |FunConstrIsafcn TLA__FunFcn_flatnd_1|)) + +;; Axiom: FunDomDef TLA__FunFcn_flatnd_1 +(assert + (! + (forall ((smt__a Idv)) + (! + (= (smt__TLA______FunDom (smt__TLA______FunFcn___flatnd___1 smt__a)) + smt__a) :pattern ((smt__TLA______FunFcn___flatnd___1 smt__a)))) + :named |FunDomDef TLA__FunFcn_flatnd_1|)) + +;; Axiom: FunAppDef TLA__FunFcn_flatnd_1 +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (=> (smt__TLA______Mem smt__x smt__a) + (= + (smt__TLA______FunApp (smt__TLA______FunFcn___flatnd___1 smt__a) + smt__x) smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunFcn___flatnd___1 smt__a) smt__x)) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______FunFcn___flatnd___1 smt__a)))) + :named |FunAppDef TLA__FunFcn_flatnd_1|)) + +;; Goal +(assert + (! + (not + (=> + (and + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat___ + (smt__TLA______FunFcn___flatnd___1 smt__CONSTANT___Client___)) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc___ + (smt__TLA______FunFcn___flatnd___1 smt__CONSTANT___Client___))) + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___)))))))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_5473da.smt b/Allocator.tlaps/tlapm_5473da.smt new file mode 100644 index 00000000000..b3abb540e6c --- /dev/null +++ b/Allocator.tlaps/tlapm_5473da.smt @@ -0,0 +1,356 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; ASSUME STATE_TypeInvariant_ , +;; \A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in VARIABLE_alloc_[CONSTANT_c1_] +;; \cap VARIABLE_alloc_[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_ , +;; ACTION_Return_(CONSTANT_clt_, CONSTANT_S_) , +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; PROVE STATE_TypeInvariant_ +;; /\ (\A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in VARIABLE_alloc_[CONSTANT_c1_] +;; \cap VARIABLE_alloc_[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_) +;; /\ ACTION_Return_(CONSTANT_clt_, CONSTANT_S_) +;; => (\A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #26 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 194, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +(assert + (=> (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (=> + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___)))))) + (=> + (= + (smt__ACTION___Return___ smt__CONSTANT___clt___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv) + (forall ((smt__CONSTANT___c1___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___c2___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp + smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp + smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___)))))))))))) + +;; Goal +(assert + (! + (not + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___))))))) + (= + (smt__ACTION___Return___ smt__CONSTANT___clt___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___)))))))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_5cb998.smt b/Allocator.tlaps/tlapm_5cb998.smt new file mode 100644 index 00000000000..0c1c8183df5 --- /dev/null +++ b/Allocator.tlaps/tlapm_5cb998.smt @@ -0,0 +1,237 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_c_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; \/ ACTION_Request_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Allocate_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Return_(CONSTANT_c_, CONSTANT_S_) , +;; /\ STATE_TypeInvariant_ +;; /\ ACTION_Next_ , +;; ASSUME NEW CONSTANT CONSTANT_c__1 \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S__1 \in SUBSET CONSTANT_Resource_ +;; PROVE STATE_TypeInvariant_ +;; /\ ACTION_Request_(CONSTANT_c__1, CONSTANT_S__1) => ?h12c0a , +;; ASSUME NEW CONSTANT CONSTANT_c__1 \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S__1 \in SUBSET CONSTANT_Resource_ +;; PROVE STATE_TypeInvariant_ +;; /\ ACTION_Allocate_(CONSTANT_c__1, CONSTANT_S__1) => ?h12c0a , +;; ASSUME NEW CONSTANT CONSTANT_c__1 \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S__1 \in SUBSET CONSTANT_Resource_ +;; PROVE STATE_TypeInvariant_ +;; /\ ACTION_Return_(CONSTANT_c__1, CONSTANT_S__1) => ?h12c0a +;; PROVE ?h12c0a +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #8 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 158, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Anon___OPAQUE___h12c0a () Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +(assert + (or + (= (smt__ACTION___Request___ smt__CONSTANT___c___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv) + (= (smt__ACTION___Allocate___ smt__CONSTANT___c___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv) + (= (smt__ACTION___Return___ smt__CONSTANT___c___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))) + +; hidden fact + +; hidden fact + +(assert + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__ACTION___Next___ smt__TLA______Tt___Idv))) + +(assert + (forall ((smt__CONSTANT___c____1 Idv)) + (=> (smt__TLA______Mem smt__CONSTANT___c____1 smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___S____1 Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___S____1 + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (=> + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= + (smt__ACTION___Request___ smt__CONSTANT___c____1 + smt__CONSTANT___S____1) smt__TLA______Tt___Idv)) + (= smt__TLA______Anon___OPAQUE___h12c0a smt__TLA______Tt___Idv))))))) + +(assert + (forall ((smt__CONSTANT___c____1 Idv)) + (=> (smt__TLA______Mem smt__CONSTANT___c____1 smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___S____1 Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___S____1 + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (=> + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___c____1 + smt__CONSTANT___S____1) smt__TLA______Tt___Idv)) + (= smt__TLA______Anon___OPAQUE___h12c0a smt__TLA______Tt___Idv))))))) + +(assert + (forall ((smt__CONSTANT___c____1 Idv)) + (=> (smt__TLA______Mem smt__CONSTANT___c____1 smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___S____1 Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___S____1 + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (=> + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= + (smt__ACTION___Return___ smt__CONSTANT___c____1 + smt__CONSTANT___S____1) smt__TLA______Tt___Idv)) + (= smt__TLA______Anon___OPAQUE___h12c0a smt__TLA______Tt___Idv))))))) + +;; Goal +(assert + (! (not (= smt__TLA______Anon___OPAQUE___h12c0a smt__TLA______Tt___Idv)) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_5ef628.smt b/Allocator.tlaps/tlapm_5ef628.smt new file mode 100644 index 00000000000..6ab201e80cd --- /dev/null +++ b/Allocator.tlaps/tlapm_5ef628.smt @@ -0,0 +1,467 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ \subseteq VARIABLE_alloc_[CONSTANT_clt_] +;; /\ CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] \ CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime = VARIABLE_unsat_ +;; PROVE ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; \subseteq VARIABLE_alloc_[CONSTANT_c2_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #29 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 199, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___))) + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + smt__VARIABLE___unsat___)) + +;; Goal +(assert + (! + (not + (smt__TLA______SubsetEq + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_6f89fe.smt b/Allocator.tlaps/tlapm_6f89fe.smt new file mode 100644 index 00000000000..6317d021211 --- /dev/null +++ b/Allocator.tlaps/tlapm_6f89fe.smt @@ -0,0 +1,404 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ \A CONSTANT_c1__1, CONSTANT_c2__1 \in CONSTANT_Client_ : +;; \A CONSTANT_r__1 \in CONSTANT_Resource_ : +;; CONSTANT_r__1 +;; \in VARIABLE_alloc_[CONSTANT_c1__1] +;; \cap VARIABLE_alloc_[CONSTANT_c2__1] +;; => CONSTANT_c1__1 = CONSTANT_c2__1 +;; /\ ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; CONSTANT_c1_ # CONSTANT_c2_ , +;; ?VARIABLE_alloc_#prime[CONSTANT_c2_] = VARIABLE_alloc_[CONSTANT_c2_] +;; PROVE CONSTANT_r_ \notin VARIABLE_alloc_[CONSTANT_c1_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #59 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 238, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (forall ((smt__CONSTANT___c1____1 Idv) (smt__CONSTANT___c2____1 Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1____1 + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2____1 + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r____1 Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1____1) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2____1))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1____1 + smt__CONSTANT___c2____1)))))) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___))) + +;; Goal +(assert + (! + (not + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1___)))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_81962a.smt b/Allocator.tlaps/tlapm_81962a.smt new file mode 100644 index 00000000000..cd8f64c58c7 --- /dev/null +++ b/Allocator.tlaps/tlapm_81962a.smt @@ -0,0 +1,367 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_c_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_ +;; PROVE (/\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; /\ (/\ VARIABLE_unsat_[CONSTANT_c_] = {} +;; /\ VARIABLE_alloc_[CONSTANT_c_] = {} +;; /\ CONSTANT_S_ # {} +;; /\ ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT ![CONSTANT_c_] = CONSTANT_S_] +;; /\ ?VARIABLE_alloc_#prime = VARIABLE_alloc_) +;; => (/\ ?VARIABLE_unsat_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ ?VARIABLE_alloc_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #2 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 134, characters 1-2 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +(declare-fun smt__CONSTANT___c___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +;; Goal +(assert + (! + (not + (=> + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (and + (and + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___c___) smt__TLA______SetEnum___0) + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c___) smt__TLA______SetEnum___0)) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ + smt__CONSTANT___c___ smt__CONSTANT___S___))) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + smt__VARIABLE___alloc___))) + (and + (smt__TLA______Mem smt__VARIABLE___unsat______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_81e00a.smt b/Allocator.tlaps/tlapm_81e00a.smt new file mode 100644 index 00000000000..d2fd8c7f9fd --- /dev/null +++ b/Allocator.tlaps/tlapm_81e00a.smt @@ -0,0 +1,406 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ \A CONSTANT_c1__1, CONSTANT_c2__1 \in CONSTANT_Client_ : +;; \A CONSTANT_r__1 \in CONSTANT_Resource_ : +;; CONSTANT_r__1 +;; \in VARIABLE_alloc_[CONSTANT_c1__1] +;; \cap VARIABLE_alloc_[CONSTANT_c2__1] +;; => CONSTANT_c1__1 = CONSTANT_c2__1 +;; /\ ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; CONSTANT_c1_ # CONSTANT_c2_ , +;; ?VARIABLE_alloc_#prime[CONSTANT_c1_] = VARIABLE_alloc_[CONSTANT_c1_] +;; PROVE CONSTANT_r_ \notin VARIABLE_alloc_[CONSTANT_c2_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #91 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 261, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (forall ((smt__CONSTANT___c1____1 Idv) (smt__CONSTANT___c2____1 Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1____1 + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2____1 + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r____1 Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1____1) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2____1))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1____1 + smt__CONSTANT___c2____1)))))) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___))) + +;; Goal +(assert + (! + (not + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2___)))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_9deec9.smt b/Allocator.tlaps/tlapm_9deec9.smt new file mode 100644 index 00000000000..e5687fe7c7f --- /dev/null +++ b/Allocator.tlaps/tlapm_9deec9.smt @@ -0,0 +1,542 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; CONSTANT_c1_ # CONSTANT_c2_ , +;; ?VARIABLE_alloc_#prime[CONSTANT_c2_] = VARIABLE_alloc_[CONSTANT_c2_] , +;; CONSTANT_r_ \notin VARIABLE_alloc_[CONSTANT_c1_] , +;; CONSTANT_r_ \notin STATE_available_ , +;; CONSTANT_r_ \notin CONSTANT_S_ , +;; CONSTANT_r_ \notin ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; PROVE FALSE +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #45 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 250, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___))) + +(assert + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___)))) + +(assert + (not (smt__TLA______Mem smt__CONSTANT___r___ smt__STATE___available___))) + +(assert (not (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___S___))) + +(assert + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___)))) + +;; Goal +(assert (! (not false) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_a0df54.smt b/Allocator.tlaps/tlapm_a0df54.smt new file mode 100644 index 00000000000..73ff8cb1636 --- /dev/null +++ b/Allocator.tlaps/tlapm_a0df54.smt @@ -0,0 +1,497 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; ?VARIABLE_alloc_#prime[CONSTANT_c2_] = VARIABLE_alloc_[CONSTANT_c2_] , +;; CONSTANT_c1_ # CONSTANT_c2_ +;; PROVE CONSTANT_r_ +;; \notin CONSTANT_Resource_ +;; \ (UNION {VARIABLE_alloc_[CONSTANT_c_] : +;; CONSTANT_c_ \in CONSTANT_Client_}) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #64 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 241, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______IsSetOf (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +; omitted declaration of 'TLA__SetOf_1' (second-order) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +(declare-fun smt__TLA______Union (Idv) Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: UnionIntro +(assert + (! + (forall ((smt__a Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> + (and (smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x smt__y)) + (smt__TLA______Mem smt__x (smt__TLA______Union smt__a))) + :pattern ((smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x (smt__TLA______Union smt__a))) + :pattern ((smt__TLA______Mem smt__x smt__y) + (smt__TLA______Mem smt__x (smt__TLA______Union smt__a))) + :pattern ((smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x smt__y) + (smt__TLA______Union smt__a)))) :named |UnionIntro|)) + +;; Axiom: UnionElim +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______Union smt__a)) + (exists ((smt__y Idv)) + (and (smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x smt__y)))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Union smt__a))))) + :named |UnionElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: CompareSetOfTrigger +(assert + (! + (forall ((smt__a Idv) (smt__b Idv)) + (! (smt__TLA______SetExtTrigger smt__a smt__b) + :pattern ((smt__TLA______IsSetOf smt__a) + (smt__TLA______IsSetOf smt__b)))) + :named |CompareSetOfTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; omitted fact (second-order) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___))) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(declare-fun smt__TLA______SetOf___1___flatnd___1 (Idv) Idv) + +;; Axiom: SetOfIntro 1 TLA__SetOf_1_flatnd_1 +(assert + (! + (forall ((smt__a1 Idv) (smt__y1 Idv)) + (! + (=> (and (smt__TLA______Mem smt__y1 smt__a1)) + (smt__TLA______Mem + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__y1) + (smt__TLA______SetOf___1___flatnd___1 smt__a1))) + :pattern ((smt__TLA______FunApp smt__VARIABLE___alloc___ smt__y1) + (smt__TLA______SetOf___1___flatnd___1 smt__a1)) + :pattern ((smt__TLA______SetOf___1___flatnd___1 smt__a1) + (smt__TLA______Mem smt__y1 smt__a1)))) + :named |SetOfIntro 1 TLA__SetOf_1_flatnd_1|)) + +;; Axiom: SetOfElim 1 TLA__SetOf_1_flatnd_1 +(assert + (! + (forall ((smt__a1 Idv) (smt__x Idv)) + (! + (=> + (smt__TLA______Mem smt__x + (smt__TLA______SetOf___1___flatnd___1 smt__a1)) + (exists ((smt__y1 Idv)) + (and (smt__TLA______Mem smt__y1 smt__a1) + (= smt__x + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__y1))))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetOf___1___flatnd___1 smt__a1))))) + :named |SetOfElim 1 TLA__SetOf_1_flatnd_1|)) + +;; Axiom: AssertIsSetOf 1 TLA__SetOf_1_flatnd_1 +(assert + (! + (forall ((smt__a Idv)) + (! + (smt__TLA______IsSetOf (smt__TLA______SetOf___1___flatnd___1 smt__a)) + :pattern ((smt__TLA______SetOf___1___flatnd___1 smt__a)))) + :named |AssertIsSetOf 1 TLA__SetOf_1_flatnd_1|)) + +;; Goal +(assert + (! + (not + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______SetMinus smt__CONSTANT___Resource___ + (smt__TLA______Union + (smt__TLA______SetOf___1___flatnd___1 smt__CONSTANT___Client___)))))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_ae2802.smt b/Allocator.tlaps/tlapm_ae2802.smt new file mode 100644 index 00000000000..a2b9e25a70f --- /dev/null +++ b/Allocator.tlaps/tlapm_ae2802.smt @@ -0,0 +1,280 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; \E CONSTANT_c_ \in CONSTANT_Client_, +;; CONSTANT_S_ \in SUBSET CONSTANT_Resource_ : +;; ACTION_Request_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Allocate_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Return_(CONSTANT_c_, CONSTANT_S_) , +;; ASSUME NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_ +;; PROVE STATE_Mutex_ /\ ACTION_Request_(CONSTANT_clt_, CONSTANT_S_) +;; => ?h93432 , +;; ASSUME NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_ +;; PROVE STATE_TypeInvariant_ /\ STATE_Mutex_ +;; /\ ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) => ?h93432 , +;; ASSUME NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_ +;; PROVE STATE_TypeInvariant_ /\ STATE_Mutex_ +;; /\ ACTION_Return_(CONSTANT_clt_, CONSTANT_S_) => ?h93432 +;; PROVE STATE_TypeInvariant_ /\ STATE_Mutex_ +;; /\ ((\E CONSTANT_c_ \in CONSTANT_Client_, +;; CONSTANT_S_ \in SUBSET CONSTANT_Resource_ : +;; ACTION_Request_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Allocate_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Return_(CONSTANT_c_, CONSTANT_S_)) +;; \/ ?h6fbaa = STATE_vars_) +;; => ?h93432 +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #112 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 281, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Anon___OPAQUE___h6fbaa () Idv) + +(declare-fun smt__TLA______Anon___OPAQUE___h93432 () Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (exists ((smt__CONSTANT___c___ Idv) (smt__CONSTANT___S___ Idv)) + (and (smt__TLA______Mem smt__CONSTANT___c___ smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (or + (or + (= + (smt__ACTION___Request___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (= + (smt__ACTION___Return___ smt__CONSTANT___c___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))))) + +(assert + (forall ((smt__CONSTANT___clt___ Idv)) + (=> (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___S___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (=> + (and (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (= + (smt__ACTION___Request___ smt__CONSTANT___clt___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv))))))) + +(assert + (forall ((smt__CONSTANT___clt___ Idv)) + (=> (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___S___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv)) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv))))))) + +(assert + (forall ((smt__CONSTANT___clt___ Idv)) + (=> (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___S___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv)) + (= + (smt__ACTION___Return___ smt__CONSTANT___clt___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv))))))) + +;; Goal +(assert + (! + (not + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv)) + (or + (exists ((smt__CONSTANT___c___ Idv) (smt__CONSTANT___S___ Idv)) + (and + (smt__TLA______Mem smt__CONSTANT___c___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (or + (or + (= + (smt__ACTION___Request___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (= + (smt__ACTION___Return___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)))) + (smt__TLA______TrigEq___Idv smt__TLA______Anon___OPAQUE___h6fbaa + smt__STATE___vars___))) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_ae2a83.smt b/Allocator.tlaps/tlapm_ae2a83.smt new file mode 100644 index 00000000000..ba6be7e36fb --- /dev/null +++ b/Allocator.tlaps/tlapm_ae2a83.smt @@ -0,0 +1,509 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_c1_ = CONSTANT_clt_ , +;; CONSTANT_c1_ # CONSTANT_c2_ +;; PROVE ?VARIABLE_alloc_#prime[CONSTANT_c2_] = VARIABLE_alloc_[CONSTANT_c2_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #55 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 235, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___clt___)) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +;; Goal +(assert + (! + (not + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_b01e66.smt b/Allocator.tlaps/tlapm_b01e66.smt new file mode 100644 index 00000000000..82d46a08469 --- /dev/null +++ b/Allocator.tlaps/tlapm_b01e66.smt @@ -0,0 +1,151 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; ASSUME ACTION_Next_ +;; PROVE STATE_TypeInvariant_ /\ STATE_Mutex_ +;; /\ (ACTION_Next_ \/ ?h6fbaa = STATE_vars_) => ?h93432 , +;; ASSUME ?h6fbaa = STATE_vars_ +;; PROVE STATE_TypeInvariant_ /\ STATE_Mutex_ +;; /\ (ACTION_Next_ \/ ?h6fbaa = STATE_vars_) => ?h93432 +;; PROVE STATE_TypeInvariant_ /\ STATE_Mutex_ +;; /\ (ACTION_Next_ \/ ?h6fbaa = STATE_vars_) => ?h93432 +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #109 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 284, characters 11-12 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Anon___OPAQUE___h6fbaa () Idv) + +(declare-fun smt__TLA______Anon___OPAQUE___h93432 () Idv) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (=> (= smt__ACTION___Next___ smt__TLA______Tt___Idv) + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv)) + (or (= smt__ACTION___Next___ smt__TLA______Tt___Idv) + (smt__TLA______TrigEq___Idv smt__TLA______Anon___OPAQUE___h6fbaa + smt__STATE___vars___))) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv)))) + +(assert + (=> + (smt__TLA______TrigEq___Idv smt__TLA______Anon___OPAQUE___h6fbaa + smt__STATE___vars___) + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv)) + (or (= smt__ACTION___Next___ smt__TLA______Tt___Idv) + (smt__TLA______TrigEq___Idv smt__TLA______Anon___OPAQUE___h6fbaa + smt__STATE___vars___))) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv)))) + +;; Goal +(assert + (! + (not + (=> + (and + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv)) + (or (= smt__ACTION___Next___ smt__TLA______Tt___Idv) + (smt__TLA______TrigEq___Idv smt__TLA______Anon___OPAQUE___h6fbaa + smt__STATE___vars___))) + (= smt__TLA______Anon___OPAQUE___h93432 smt__TLA______Tt___Idv))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_c42a04.smt b/Allocator.tlaps/tlapm_c42a04.smt new file mode 100644 index 00000000000..ecdbf557a6d --- /dev/null +++ b/Allocator.tlaps/tlapm_c42a04.smt @@ -0,0 +1,293 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; ASSUME NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; PROVE \A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #36 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 221, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (forall ((smt__CONSTANT___c1___ Idv)) + (=> (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___c2___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___))))))))) + +;; Goal +(assert + (! + (not + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___))))))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_c85796.smt b/Allocator.tlaps/tlapm_c85796.smt new file mode 100644 index 00000000000..d82109b33a5 --- /dev/null +++ b/Allocator.tlaps/tlapm_c85796.smt @@ -0,0 +1,392 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ \A CONSTANT_c1__1, CONSTANT_c2__1 \in CONSTANT_Client_ : +;; \A CONSTANT_r__1 \in CONSTANT_Resource_ : +;; CONSTANT_r__1 +;; \in VARIABLE_alloc_[CONSTANT_c1__1] +;; \cap VARIABLE_alloc_[CONSTANT_c2__1] +;; => CONSTANT_c1__1 = CONSTANT_c2__1 +;; /\ ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; ?VARIABLE_alloc_#prime[CONSTANT_c1_] = VARIABLE_alloc_[CONSTANT_c1_] , +;; ?VARIABLE_alloc_#prime[CONSTANT_c2_] = VARIABLE_alloc_[CONSTANT_c2_] +;; PROVE CONSTANT_c1_ = CONSTANT_c2_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #37 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 227, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (forall ((smt__CONSTANT___c1____1 Idv) (smt__CONSTANT___c2____1 Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1____1 + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2____1 + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r____1 Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r____1 + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1____1) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2____1))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1____1 + smt__CONSTANT___c2____1)))))) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c2___))) + +;; Goal +(assert + (! + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___)) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_ce8057.smt b/Allocator.tlaps/tlapm_ce8057.smt new file mode 100644 index 00000000000..76de76658dc --- /dev/null +++ b/Allocator.tlaps/tlapm_ce8057.smt @@ -0,0 +1,499 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ ACTION_Allocate_(CONSTANT_clt_, CONSTANT_S_) , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; ?VARIABLE_alloc_#prime[CONSTANT_c1_] = VARIABLE_alloc_[CONSTANT_c1_] , +;; CONSTANT_c1_ # CONSTANT_c2_ +;; PROVE CONSTANT_r_ +;; \notin CONSTANT_Resource_ +;; \ (UNION {VARIABLE_alloc_[CONSTANT_c_] : +;; CONSTANT_c_ \in CONSTANT_Client_}) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #96 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 264, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______IsSetOf (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +; omitted declaration of 'TLA__SetOf_1' (second-order) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +(declare-fun smt__TLA______Union (Idv) Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: UnionIntro +(assert + (! + (forall ((smt__a Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> + (and (smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x smt__y)) + (smt__TLA______Mem smt__x (smt__TLA______Union smt__a))) + :pattern ((smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x (smt__TLA______Union smt__a))) + :pattern ((smt__TLA______Mem smt__x smt__y) + (smt__TLA______Mem smt__x (smt__TLA______Union smt__a))) + :pattern ((smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x smt__y) + (smt__TLA______Union smt__a)))) :named |UnionIntro|)) + +;; Axiom: UnionElim +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______Union smt__a)) + (exists ((smt__y Idv)) + (and (smt__TLA______Mem smt__y smt__a) + (smt__TLA______Mem smt__x smt__y)))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Union smt__a))))) + :named |UnionElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: CompareSetOfTrigger +(assert + (! + (forall ((smt__a Idv) (smt__b Idv)) + (! (smt__TLA______SetExtTrigger smt__a smt__b) + :pattern ((smt__TLA______IsSetOf smt__a) + (smt__TLA______IsSetOf smt__b)))) + :named |CompareSetOfTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; omitted fact (second-order) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___clt___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___c1___))) + +(assert + (not + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ smt__CONSTANT___c2___))) + +(declare-fun smt__TLA______SetOf___1___flatnd___1 (Idv) Idv) + +;; Axiom: SetOfIntro 1 TLA__SetOf_1_flatnd_1 +(assert + (! + (forall ((smt__a1 Idv) (smt__y1 Idv)) + (! + (=> (and (smt__TLA______Mem smt__y1 smt__a1)) + (smt__TLA______Mem + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__y1) + (smt__TLA______SetOf___1___flatnd___1 smt__a1))) + :pattern ((smt__TLA______FunApp smt__VARIABLE___alloc___ smt__y1) + (smt__TLA______SetOf___1___flatnd___1 smt__a1)) + :pattern ((smt__TLA______SetOf___1___flatnd___1 smt__a1) + (smt__TLA______Mem smt__y1 smt__a1)))) + :named |SetOfIntro 1 TLA__SetOf_1_flatnd_1|)) + +;; Axiom: SetOfElim 1 TLA__SetOf_1_flatnd_1 +(assert + (! + (forall ((smt__a1 Idv) (smt__x Idv)) + (! + (=> + (smt__TLA______Mem smt__x + (smt__TLA______SetOf___1___flatnd___1 smt__a1)) + (exists ((smt__y1 Idv)) + (and (smt__TLA______Mem smt__y1 smt__a1) + (= smt__x + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__y1))))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetOf___1___flatnd___1 smt__a1))))) + :named |SetOfElim 1 TLA__SetOf_1_flatnd_1|)) + +;; Axiom: AssertIsSetOf 1 TLA__SetOf_1_flatnd_1 +(assert + (! + (forall ((smt__a Idv)) + (! + (smt__TLA______IsSetOf (smt__TLA______SetOf___1___flatnd___1 smt__a)) + :pattern ((smt__TLA______SetOf___1___flatnd___1 smt__a)))) + :named |AssertIsSetOf 1 TLA__SetOf_1_flatnd_1|)) + +;; Goal +(assert + (! + (not + (not + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______SetMinus smt__CONSTANT___Resource___ + (smt__TLA______Union + (smt__TLA______SetOf___1___flatnd___1 smt__CONSTANT___Client___)))))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_dbde78.smt b/Allocator.tlaps/tlapm_dbde78.smt new file mode 100644 index 00000000000..b2908b18ab1 --- /dev/null +++ b/Allocator.tlaps/tlapm_dbde78.smt @@ -0,0 +1,438 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_c_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_ +;; PROVE (/\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; /\ (/\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_c_] +;; /\ ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_c_] = VARIABLE_alloc_[CONSTANT_c_] +;; \cup CONSTANT_S_] +;; /\ ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_c_] = VARIABLE_unsat_[CONSTANT_c_] +;; \ CONSTANT_S_]) +;; => (/\ ?VARIABLE_unsat_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ ?VARIABLE_alloc_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #3 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 140, characters 1-2 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +;; Goal +(assert + (! + (not + (=> + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (and + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___c___)))) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ + smt__CONSTANT___c___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c___) smt__CONSTANT___S___))) + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ + smt__CONSTANT___c___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___c___) smt__CONSTANT___S___))))) + (and + (smt__TLA______Mem smt__VARIABLE___unsat______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_dd19c4.smt b/Allocator.tlaps/tlapm_dd19c4.smt new file mode 100644 index 00000000000..78e8bbeb5a8 --- /dev/null +++ b/Allocator.tlaps/tlapm_dd19c4.smt @@ -0,0 +1,383 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_ +;; PROVE (\A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in VARIABLE_alloc_[CONSTANT_c1_] +;; \cap VARIABLE_alloc_[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_) +;; /\ (/\ VARIABLE_unsat_[CONSTANT_clt_] = {} +;; /\ VARIABLE_alloc_[CONSTANT_clt_] = {} +;; /\ CONSTANT_S_ # {} +;; /\ ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT ![CONSTANT_clt_] = CONSTANT_S_] +;; /\ ?VARIABLE_alloc_#prime = VARIABLE_alloc_) +;; => (\A CONSTANT_c1_, CONSTANT_c2_ \in CONSTANT_Client_ : +;; \A CONSTANT_r_ \in CONSTANT_Resource_ : +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; => CONSTANT_c1_ = CONSTANT_c2_) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #21 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 179, characters 1-2 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +;; Goal +(assert + (! + (not + (=> + (and + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___)))))) + (and + (and + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___) smt__TLA______SetEnum___0) + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___clt___) smt__TLA______SetEnum___0)) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ + smt__CONSTANT___clt___ smt__CONSTANT___S___))) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + smt__VARIABLE___alloc___))) + (forall ((smt__CONSTANT___c1___ Idv) (smt__CONSTANT___c2___ Idv)) + (=> + (and + (smt__TLA______Mem smt__CONSTANT___c1___ + smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___c2___ + smt__CONSTANT___Client___)) + (forall ((smt__CONSTANT___r___ Idv)) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + smt__CONSTANT___Resource___) + (=> + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___))) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___c2___)))))))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_e03cb1.smt b/Allocator.tlaps/tlapm_e03cb1.smt new file mode 100644 index 00000000000..e9bb5db3e08 --- /dev/null +++ b/Allocator.tlaps/tlapm_e03cb1.smt @@ -0,0 +1,460 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ STATE_TypeInvariant_ +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; CONSTANT_r_ \notin STATE_available_ +;; PROVE CONSTANT_r_ \notin CONSTANT_S_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #101 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 267, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (not (smt__TLA______Mem smt__CONSTANT___r___ smt__STATE___available___))) + +;; Goal +(assert + (! + (not (not (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___S___))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_e8eaa3.smt b/Allocator.tlaps/tlapm_e8eaa3.smt new file mode 100644 index 00000000000..20db42efcca --- /dev/null +++ b/Allocator.tlaps/tlapm_e8eaa3.smt @@ -0,0 +1,520 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ /\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; ~(CONSTANT_c1_ = CONSTANT_clt_ \/ CONSTANT_c2_ = CONSTANT_clt_) +;; PROVE ?VARIABLE_alloc_#prime[CONSTANT_c1_] = VARIABLE_alloc_[CONSTANT_c1_] +;; /\ ?VARIABLE_alloc_#prime[CONSTANT_c2_] +;; = VARIABLE_alloc_[CONSTANT_c2_] +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #41 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 224, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (not + (or + (smt__TLA______TrigEq___Idv smt__CONSTANT___c1___ + smt__CONSTANT___clt___) + (smt__TLA______TrigEq___Idv smt__CONSTANT___c2___ + smt__CONSTANT___clt___)))) + +;; Goal +(assert + (! + (not + (and + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c1___)) + (smt__TLA______TrigEq___Idv + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___) + (smt__TLA______FunApp smt__VARIABLE___alloc___ + smt__CONSTANT___c2___)))) :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_f52471.smt b/Allocator.tlaps/tlapm_f52471.smt new file mode 100644 index 00000000000..569aa66305d --- /dev/null +++ b/Allocator.tlaps/tlapm_f52471.smt @@ -0,0 +1,189 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; \E CONSTANT_c_ \in CONSTANT_Client_, +;; CONSTANT_S_ \in SUBSET CONSTANT_Resource_ : +;; ACTION_Request_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Allocate_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Return_(CONSTANT_c_, CONSTANT_S_) +;; PROVE \E CONSTANT_c_ \in CONSTANT_Client_, +;; CONSTANT_S_ \in SUBSET CONSTANT_Resource_ : +;; \/ ACTION_Request_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Allocate_(CONSTANT_c_, CONSTANT_S_) +;; \/ ACTION_Return_(CONSTANT_c_, CONSTANT_S_) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #13 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 156, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (exists ((smt__CONSTANT___c___ Idv) (smt__CONSTANT___S___ Idv)) + (and (smt__TLA______Mem smt__CONSTANT___c___ smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (or + (or + (= + (smt__ACTION___Request___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv)) + (= + (smt__ACTION___Return___ smt__CONSTANT___c___ smt__CONSTANT___S___) + smt__TLA______Tt___Idv))))) + +;; Goal +(assert + (! + (not + (exists ((smt__CONSTANT___c___ Idv) (smt__CONSTANT___S___ Idv)) + (and + (smt__TLA______Mem smt__CONSTANT___c___ smt__CONSTANT___Client___) + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___)) + (or + (= + (smt__ACTION___Request___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv) + (= + (smt__ACTION___Allocate___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv) + (= + (smt__ACTION___Return___ smt__CONSTANT___c___ + smt__CONSTANT___S___) smt__TLA______Tt___Idv))))) + :named |Goal|)) + +(check-sat) +; (get-proof) diff --git a/Allocator.tlaps/tlapm_f84230.smt b/Allocator.tlaps/tlapm_f84230.smt new file mode 100644 index 00000000000..9531fb1d52a --- /dev/null +++ b/Allocator.tlaps/tlapm_f84230.smt @@ -0,0 +1,458 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_, +;; NEW CONSTANT CONSTANT_clt_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_S_ \in SUBSET CONSTANT_Resource_, +;; NEW CONSTANT CONSTANT_c1_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_c2_ \in CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_r_ \in CONSTANT_Resource_, +;; /\ STATE_TypeInvariant_ +;; /\ STATE_Mutex_ +;; /\ CONSTANT_S_ # {} +;; /\ CONSTANT_S_ +;; \subseteq STATE_available_ \cap VARIABLE_unsat_[CONSTANT_clt_] , +;; ?VARIABLE_alloc_#prime +;; = [VARIABLE_alloc_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_alloc_[CONSTANT_clt_] +;; \cup CONSTANT_S_] , +;; ?VARIABLE_unsat_#prime +;; = [VARIABLE_unsat_ EXCEPT +;; ![CONSTANT_clt_] = VARIABLE_unsat_[CONSTANT_clt_] \ CONSTANT_S_] , +;; CONSTANT_r_ +;; \in ?VARIABLE_alloc_#prime[CONSTANT_c1_] +;; \cap ?VARIABLE_alloc_#prime[CONSTANT_c2_] , +;; CONSTANT_r_ \notin STATE_available_ +;; PROVE CONSTANT_r_ \notin CONSTANT_S_ +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #69 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 244, characters 5-6 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______Cap (Idv Idv) Idv) + +(declare-fun smt__TLA______Cup (Idv Idv) Idv) + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +(declare-fun smt__TLA______FunExcept (Idv Idv Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetEnum___0 () Idv) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______SetMinus (Idv Idv) Idv) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ (Idv + Idv) Bool) + +(declare-fun smt__TLA______Tt___Idv () Idv) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: CupDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b)) + (or (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cup smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cup smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cup smt__a smt__b)))) :named |CupDef|)) + +;; Axiom: CapDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem smt__x smt__b))) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Cap smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______Cap smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______Cap smt__a smt__b)))) :named |CapDef|)) + +;; Axiom: SetMinusDef +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______SetMinus smt__a smt__b)) + (and (smt__TLA______Mem smt__x smt__a) + (not (smt__TLA______Mem smt__x smt__b)))) + :pattern ((smt__TLA______Mem smt__x + (smt__TLA______SetMinus smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__x smt__a) + (smt__TLA______SetMinus smt__a smt__b)) + :pattern ((smt__TLA______Mem smt__x smt__b) + (smt__TLA______SetMinus smt__a smt__b)))) + :named |SetMinusDef|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: FunExceptIsafcn +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______FunIsafcn + (smt__TLA______FunExcept smt__f smt__x smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptIsafcn|)) + +;; Axiom: FunExceptDomDef +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______FunDom + (smt__TLA______FunExcept smt__f smt__x smt__y)) + (smt__TLA______FunDom smt__f)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptDomDef|)) + +;; Axiom: FunExceptAppDef1 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv)) + (! + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__x) + smt__y)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y)))) + :named |FunExceptAppDef1|)) + +;; Axiom: FunExceptAppDef2 +(assert + (! + (forall ((smt__f Idv) (smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> (smt__TLA______Mem smt__z (smt__TLA______FunDom smt__f)) + (and + (=> (= smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + smt__y)) + (=> (distinct smt__z smt__x) + (= + (smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z) + (smt__TLA______FunApp smt__f smt__z))))) + :pattern ((smt__TLA______FunApp + (smt__TLA______FunExcept smt__f smt__x smt__y) smt__z)) + :pattern ((smt__TLA______FunExcept smt__f smt__x smt__y) + (smt__TLA______FunApp smt__f smt__z)))) + :named |FunExceptAppDef2|)) + +;; Axiom: DisjointTrigger +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (smt__TLA______SetExtTrigger (smt__TLA______Cap smt__x smt__y) + smt__TLA______SetEnum___0) + :pattern ((smt__TLA______Cap smt__x smt__y)))) + :named |DisjointTrigger|)) + +;; Axiom: EnumDefElim 0 +(assert + (! + (forall ((smt__x Idv)) + (! (not (smt__TLA______Mem smt__x smt__TLA______SetEnum___0)) + :pattern ((smt__TLA______Mem smt__x smt__TLA______SetEnum___0)))) + :named |EnumDefElim 0|)) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +;; Axiom: ExtTrigEqDef Set$Idv$ +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (= + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ smt__x + smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqDef Set$Idv$|)) + +;; Axiom: ExtTrigEqTrigger Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (smt__TLA______SetExtTrigger smt__x smt__y) + :pattern ((smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__x smt__y)))) :named |ExtTrigEqTrigger Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___TypeInvariant___ () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__STATE___vars___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___clt___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___clt___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___S___ () Idv) + +(assert + (smt__TLA______Mem smt__CONSTANT___S___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(declare-fun smt__CONSTANT___c1___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c1___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___c2___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___c2___ smt__CONSTANT___Client___)) + +(declare-fun smt__CONSTANT___r___ () Idv) + +(assert (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___Resource___)) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +(assert + (and (= smt__STATE___TypeInvariant___ smt__TLA______Tt___Idv) + (= smt__STATE___Mutex___ smt__TLA______Tt___Idv) + (and + (not + (smt__TLA______TrigEq___Setdollarsign___Idvdollarsign___ + smt__CONSTANT___S___ smt__TLA______SetEnum___0)) + (smt__TLA______SubsetEq smt__CONSTANT___S___ + (smt__TLA______Cap smt__STATE___available___ + (smt__TLA______FunApp smt__VARIABLE___unsat___ + smt__CONSTANT___clt___)))))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + (smt__TLA______FunExcept smt__VARIABLE___alloc___ smt__CONSTANT___clt___ + (smt__TLA______Cup + (smt__TLA______FunApp smt__VARIABLE___alloc___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + (smt__TLA______FunExcept smt__VARIABLE___unsat___ smt__CONSTANT___clt___ + (smt__TLA______SetMinus + (smt__TLA______FunApp smt__VARIABLE___unsat___ smt__CONSTANT___clt___) + smt__CONSTANT___S___)))) + +(assert + (smt__TLA______Mem smt__CONSTANT___r___ + (smt__TLA______Cap + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c1___) + (smt__TLA______FunApp smt__VARIABLE___alloc______prime + smt__CONSTANT___c2___)))) + +(assert + (not (smt__TLA______Mem smt__CONSTANT___r___ smt__STATE___available___))) + +;; Goal +(assert + (! + (not (not (smt__TLA______Mem smt__CONSTANT___r___ smt__CONSTANT___S___))) + :named |Goal|)) + +(check-sat) +; ; (get-proof) diff --git a/Allocator.tlaps/tlapm_fa32ac.smt b/Allocator.tlaps/tlapm_fa32ac.smt new file mode 100644 index 00000000000..d537a56f3de --- /dev/null +++ b/Allocator.tlaps/tlapm_fa32ac.smt @@ -0,0 +1,259 @@ +;; Proof obligation: +;; ASSUME NEW CONSTANT CONSTANT_Client_, +;; NEW CONSTANT CONSTANT_Resource_, +;; NEW VARIABLE VARIABLE_unsat_, +;; NEW VARIABLE VARIABLE_alloc_ +;; PROVE (/\ VARIABLE_unsat_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ VARIABLE_alloc_ +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; /\ (/\ ?VARIABLE_unsat_#prime = VARIABLE_unsat_ +;; /\ ?VARIABLE_alloc_#prime = VARIABLE_alloc_) +;; => (/\ ?VARIABLE_unsat_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_] +;; /\ ?VARIABLE_alloc_#prime +;; \in [CONSTANT_Client_ -> SUBSET CONSTANT_Resource_]) +;; TLA+ Proof Manager 1.5.0 +;; Proof obligation #15 +;; Generated from file "/home/rosalied/Documents/work/thesis-eval/tla_specs/tlaps_examples/Allocator.tla", line 163, characters 3-4 + +(set-logic UFNIA) + +;; Sorts + +(declare-sort Idv 0) + +;; Hypotheses + +(declare-fun smt__TLA______FunApp (Idv Idv) Idv) + +(declare-fun smt__TLA______FunDom (Idv) Idv) + +; omitted declaration of 'TLA__FunFcn' (second-order) + +(declare-fun smt__TLA______FunIsafcn (Idv) Bool) + +(declare-fun smt__TLA______FunSet (Idv Idv) Idv) + +(declare-fun smt__TLA______Mem (Idv Idv) Bool) + +(declare-fun smt__TLA______SetExtTrigger (Idv Idv) Bool) + +(declare-fun smt__TLA______Subset (Idv) Idv) + +(declare-fun smt__TLA______SubsetEq (Idv Idv) Bool) + +(declare-fun smt__TLA______TrigEq___Idv (Idv Idv) Bool) + +;; Axiom: SetExt +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (= (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) (= smt__x smt__y)) + :pattern ((smt__TLA______SetExtTrigger smt__x smt__y)))) + :named |SetExt|)) + +;; Axiom: SubsetEqIntro +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! + (=> + (forall ((smt__z Idv)) + (=> (smt__TLA______Mem smt__z smt__x) + (smt__TLA______Mem smt__z smt__y))) + (smt__TLA______SubsetEq smt__x smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y)))) + :named |SubsetEqIntro|)) + +;; Axiom: SubsetEqElim +(assert + (! + (forall ((smt__x Idv) (smt__y Idv) (smt__z Idv)) + (! + (=> + (and (smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)) + (smt__TLA______Mem smt__z smt__y)) + :pattern ((smt__TLA______SubsetEq smt__x smt__y) + (smt__TLA______Mem smt__z smt__x)))) :named |SubsetEqElim|)) + +;; Axiom: SubsetDefAlt +(assert + (! + (forall ((smt__a Idv) (smt__x Idv)) + (! + (= (smt__TLA______Mem smt__x (smt__TLA______Subset smt__a)) + (smt__TLA______SubsetEq smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__x (smt__TLA______Subset smt__a))) + :pattern ((smt__TLA______SubsetEq smt__x smt__a) + (smt__TLA______Subset smt__a)))) :named |SubsetDefAlt|)) + +;; Axiom: FunExt +(assert + (! + (forall ((smt__f Idv) (smt__g Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g) + (= (smt__TLA______FunDom smt__f) (smt__TLA______FunDom smt__g)) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x (smt__TLA______FunDom smt__f)) + (= (smt__TLA______FunApp smt__f smt__x) + (smt__TLA______FunApp smt__g smt__x))))) (= smt__f smt__g)) + :pattern ((smt__TLA______FunIsafcn smt__f) + (smt__TLA______FunIsafcn smt__g)))) :named |FunExt|)) + +; omitted fact (second-order) + +;; Axiom: FunSetIntro +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a) + (forall ((smt__x Idv)) + (=> (smt__TLA______Mem smt__x smt__a) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) + smt__b)))) + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetIntro|)) + +;; Axiom: FunSetElim1 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv)) + (! + (=> (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (and (smt__TLA______FunIsafcn smt__f) + (= (smt__TLA______FunDom smt__f) smt__a))) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b))))) + :named |FunSetElim1|)) + +;; Axiom: FunSetElim2 +(assert + (! + (forall ((smt__a Idv) (smt__b Idv) (smt__f Idv) (smt__x Idv)) + (! + (=> + (and + (smt__TLA______Mem smt__f (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + (smt__TLA______Mem (smt__TLA______FunApp smt__f smt__x) smt__b)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______Mem smt__x smt__a)) + :pattern ((smt__TLA______Mem smt__f + (smt__TLA______FunSet smt__a smt__b)) + (smt__TLA______FunApp smt__f smt__x)))) + :named |FunSetElim2|)) + +; omitted fact (second-order) + +; omitted fact (second-order) + +; omitted fact (second-order) + +;; Axiom: ExtTrigEqDef Idv +(assert + (! + (forall ((smt__x Idv) (smt__y Idv)) + (! (= (smt__TLA______TrigEq___Idv smt__x smt__y) (= smt__x smt__y)) + :pattern ((smt__TLA______TrigEq___Idv smt__x smt__y)))) + :named |ExtTrigEqDef Idv|)) + +; hidden fact + +; hidden fact + +; omitted declaration of 'CONSTANT_EnabledWrapper_' (second-order) + +; omitted declaration of 'CONSTANT_CdotWrapper_' (second-order) + +(declare-fun smt__CONSTANT___Client___ () Idv) + +(declare-fun smt__CONSTANT___Resource___ () Idv) + +(declare-fun smt__VARIABLE___unsat___ () Idv) + +(declare-fun smt__VARIABLE___unsat______prime () Idv) + +(declare-fun smt__VARIABLE___alloc___ () Idv) + +(declare-fun smt__VARIABLE___alloc______prime () Idv) + +(declare-fun smt__STATE___available___ () Idv) + +(declare-fun smt__STATE___Init___ () Idv) + +(declare-fun smt__ACTION___Request___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Allocate___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Return___ (Idv Idv) Idv) + +(declare-fun smt__ACTION___Next___ () Idv) + +(declare-fun smt__TEMPORAL___SimpleAllocator___ () Idv) + +(declare-fun smt__STATE___Mutex___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillReturn___ () Idv) + +(declare-fun smt__TEMPORAL___ClientsWillObtain___ () Idv) + +(declare-fun smt__TEMPORAL___InfOftenSatisfied___ () Idv) + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +; hidden fact + +;; Goal +(assert + (! + (not + (=> + (and + (and + (smt__TLA______Mem smt__VARIABLE___unsat___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc___ + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))) + (and + (smt__TLA______TrigEq___Idv smt__VARIABLE___unsat______prime + smt__VARIABLE___unsat___) + (smt__TLA______TrigEq___Idv smt__VARIABLE___alloc______prime + smt__VARIABLE___alloc___))) + (and + (smt__TLA______Mem smt__VARIABLE___unsat______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___))) + (smt__TLA______Mem smt__VARIABLE___alloc______prime + (smt__TLA______FunSet smt__CONSTANT___Client___ + (smt__TLA______Subset smt__CONSTANT___Resource___)))))) + :named |Goal|)) + +(check-sat) +; ; (get-proof)