-
Notifications
You must be signed in to change notification settings - Fork 201
/
Copy pathMCPrisoners.tla
27 lines (25 loc) · 1.79 KB
/
MCPrisoners.tla
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
----------------------------- MODULE MCPrisoners ----------------------------
(***************************************************************************)
(* This module checks that the invariant CountInvariant of module *)
(* Prisoners is actually an inductive invariant of specification Spec. *)
(* More precisely, its conjunction with TypeOK is an inductive invariant *)
(* of the next-state action Next, meaning that it satisfies *)
(* *)
(* (TypeOK /\ CountInvariant) /\ Next => (TypeOK /\ CountInvariant)' *)
(* *)
(* Because Init implies TypeOK, it's easy to see that this implies that *)
(* TypeOK /\ CountInvariant is also an invariant of Spec. *)
(***************************************************************************)
EXTENDS Prisoners
InductiveInvariant == TypeOK /\ CountInvariant
InvTestSpec == InductiveInvariant /\ [][Next]_vars
(*************************************************************************)
(* InductiveInvariant is an invariant of this specification iff it is an *)
(* inductive invariant of Next. *)
(* *)
(* Specification Spec is unusual because the number of states satisfying *)
(* the type invariant is not much greater than the number of reachable *)
(* states, so TLC can compute all reachable states for InvTestSpec *)
(* almost as quickly as it can for Spec. *)
(*************************************************************************)
=============================================================================