<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="../../../unit.xsl"?>
<KIVSPEC name="AIINV"><SPECBODY>enrich <a href="../../../specs/IINV-props/export/unit.xml">IINV-props</a> , 
       <a href="../../../specs/AASM/export/unit.xml">AASM</a> with
   
   <!-- KIV export (rendered through unit.xsl) of the abstract invariant AIINV over the AASM
        payment model. It enriches IINV-props and AASM with two helper functions defined by
        recursion over a pay details set and two predicates that tie a participant's
        balance0 to its balance plus the money still "in transit", and its lost counter to
        the money "lost after abort". Sorts and symbols not declared below (name, imessage,
        ipaydetailsset, tidset, authentic, isIVal, IReq, mkipd, .pd/.na/.value/.tid) come
        from the enriched specifications. -->
   functions 
      <!-- iintransit(na, ipds, outbox): sum (nat) of the values of those ipd in ipds whose
           counterparty ipd.na still holds IReq(mkipd(na, ipd.value, ipd.tid)) in its outbox. -->
      iintransit : name × ipaydetailsset × (name → imessage) → nat;
      <!-- ilostafterabort(na, ipds, exLogto): sum (nat) of the values of those ipd in ipds for
           which mkipd(na, ipd.value, ipd.tid) is recorded in the counterparty's exLogto set. -->
      ilostafterabort : name × ipaydetailsset × (name → ipaydetailsset) → nat;
   predicates 
      <!-- AIINV: global invariant over (balance0, lost, balance, inbox, outbox, exLogfrom,
           exLogto, ts). LAIINV: the same, localised to one name. Note that inbox and ts are
           threaded through both predicates but neither definition below constrains them;
           presumably they are needed by the surrounding proof obligations, verify there. -->
      AIINV : (name → nat) × (name → nat) × (name → nat) × (name → imessageset) × (name → imessage) × (name → ipaydetailsset) × 
              (name → ipaydetailsset) × tidset;
      LAIINV : name × (name → nat) × (name → nat) × (name → nat) × (name → imessageset) × (name → imessage) × (name → ipaydetailsset) × 
               (name → ipaydetailsset) × tidset;
   
   axioms 
      <!-- AIINV holds iff the local invariant holds for every authentic name.
           Security caveat: the quantifier is restricted to authentic(na), so AIINV makes no
           statement whatsoever about the bookkeeping of non-authentic participants; any
           conclusion drawn from AIINV for a concrete name first needs authentic(na). -->
      AIINV-def
      : ⊦ 
          AIINV(balance0, lost, balance, inbox, outbox, exLogfrom, exLogto, ts)
        ↔ (∀ na. authentic(na) → LAIINV(na, balance0, lost, balance, inbox, outbox, exLogfrom, exLogto, ts))
      ;
      <!-- Local invariant for one name na. The let binds ipds to na's exLogfrom set, extended
           by the pay details of na's own outbox message when that message is an IVal (so a
           value message that has left the log but not yet the outbox is still accounted for).
           Both conjuncts are equations over nat, hence balance(na) can never exceed balance0(na). -->
      LAIINV-def
      : ⊦ 
          LAIINV(na, balance0, lost, balance, inbox, outbox, exLogfrom, exLogto, ts)
        ↔ 〈ipds := (isIVal(outbox(na)) ⊃ exLogfrom(na) ++ outbox(na) .pd; exLogfrom(na))〉 
              (balance0(na) = balance(na) + iintransit(na, ipds, outbox) ∧ lost(na) = ilostafterabort(na, ipds, exLogto))
      ;
      <!-- Set recursion for iintransit. The guard ¬ ipd ∈ ipds is what keeps the definition
           consistent: ++ is set insertion, so without it an element already present would be
           counted a second time and the two axioms would contradict each other. A pay detail is
           counted only if the counterparty's single outbox message (outbox : name → imessage)
           is exactly IReq(mkipd(na, ipd.value, ipd.tid)); any other message there means the
           value is not regarded as in transit. The tid is part of the match, so transfers of
           the same value between the same pair are told apart by it. "used for : s, ls"
           presumably registers the axiom as a (local) simplifier rewrite rule. -->
      iintransit-base :  ⊦ iintransit(na, ∅, outbox) = 0; used for : s, ls;
      iintransit-rec
      : ⊦ 
          iintransit(na, ipds ++ ipd, outbox)
        = (((¬ ipd ∈ ipds ∧ outbox(ipd .na) = IReq(mkipd(na, ipd .value, ipd .tid)))
           ⊃ ipd .value + iintransit(na, ipds, outbox)
           ; iintransit(na, ipds, outbox)
           )
          )
      ;
      used for : s, ls
      ;
      <!-- Set recursion for ilostafterabort, same shape and same ¬ ipd ∈ ipds guard as above.
           Here the test is membership of mkipd(na, ipd.value, ipd.tid) in the counterparty's
           exLogto set (exLogto : name → ipaydetailsset), not equality of a single message. -->
      ilostafterabort-base :  ⊦ ilostafterabort(na, ∅, exLogto) = 0; used for : s, ls;
      ilostafterabort-rec
      : ⊦ 
          ilostafterabort(na, ipds ++ ipd, exLogto)
        = (((¬ ipd ∈ ipds ∧ mkipd(na, ipd .value, ipd .tid) ∈ exLogto(ipd .na))
           ⊃ ipd .value + ilostafterabort(na, ipds, exLogto)
           ; ilostafterabort(na, ipds, exLogto)
           )
          )
      ;
      used for : s, ls
      ;
   
end enrich</SPECBODY></KIVSPEC>
