<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="../../../unit.xsl"?>
<KIVSPEC name="BINV-orig"><SPECBODY>enrich <a href="../../../specs/simple-BASM-orig/export/unit.xml">simple-BASM-orig</a> with
   
   predicates 
      BINV : (name → nat) × (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset;
      purseok : (name → nat) × (name → status) × (name → nat) × (name → PayDetails);
      etherok : (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset;
      reqok : (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset;
      valok : (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset;
      ackok : (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails) × messageset;
      exLogok : (name → PayDetailsSet) × (name → status) × (name → nat) × (name → PayDetails);
      fromLogged : PayDetails × (name → PayDetailsSet);
      toLogged : PayDetails × (name → PayDetailsSet);
      fromInEpa : PayDetails × (name → PayDetails) × (name → status);
      fromInEpr : PayDetails × (name → PayDetails) × (name → status);
      toInEpv : PayDetails × (name → PayDetails) × (name → status);
      logsfin : (name → PayDetailsSet);
   
   axioms 
      toLogged-def :  ⊦ toLogged(pd, exLog) ↔ authentic(pd .to) ∧ pd ∈ exLog(pd .to);
      fromLogged-def :  ⊦ fromLogged(pd, exLog) ↔ authentic(pd .from) ∧ pd ∈ exLog(pd .from);
      fromInEpa-def :  ⊦ fromInEpa(pd, pdAuth, state) ↔ pd = pdAuth(pd .from) ∧ state(pd .from) = epa;
      fromInEpr-def :  ⊦ fromInEpr(pd, pdAuth, state) ↔ pd = pdAuth(pd .from) ∧ state(pd .from) = epr;
      toInEpv-def :  ⊦ toInEpv(pd, pdAuth, state) ↔ pd = pdAuth(pd .to) ∧ state(pd .to) = epv;
      purseok-def
      : ⊦ 
          purseok(balance, state, nextSeqNo, pdAuth)
        ↔ (∀ na. 
              authentic(na)
            →   (  state(na) = epr
                 → pdAuth(na) .from = na ∧ pdAuth(na) .from ≠ pdAuth(na) .to ∧ pdAuth(na) .value ≤ balance(na) ∧ pdAuth(na) .fromno &lt; nextSeqNo(na))
              ∧ (state(na) = epv → pdAuth(na) .from ≠ pdAuth(na) .to ∧ pdAuth(na) .tono &lt; nextSeqNo(na))
              ∧ (state(na) = epa → pdAuth(na) .from ≠ pdAuth(na) .to ∧ pdAuth(na) .fromno &lt; nextSeqNo(na)))
      ;
      etherok-def
      : ⊦ 
          etherok(exLog, state, nextSeqNo, pdAuth, ether)
        ↔ (∀ pd. 
              (req(pd) ∈ ether → pd .tono &lt; nextSeqNo(pd .to) ∧ authentic(pd .to))
            ∧ (  val(pd) ∈ ether ∨ ack(pd) ∈ ether
               → pd .fromno &lt; nextSeqNo(pd .from) ∧ pd .tono &lt; nextSeqNo(pd .to) ∧ authentic(pd .to) ∧ authentic(pd .from))
            ∧ (fromInEpr(pd, pdAuth, state) → ¬ val(pd) ∈ ether ∧ ¬ ack(pd) ∈ ether)
            ∧ (req(pd) ∈ ether ∧ ¬ ack(pd) ∈ ether ↔ toInEpv(pd, pdAuth, state) ∨ toLogged(pd, exLog))
            ∧ (val(pd) ∈ ether ∧ toInEpv(pd, pdAuth, state) → fromInEpa(pd, pdAuth, state) ∨ fromLogged(pd, exLog))
            ∧ (fromInEpa(pd, pdAuth, state) ∨ fromLogged(pd, exLog) → req(pd) ∈ ether) ∧ (∃ pds. ∀ pd. toLogged(pd, exLog) ↔ pd ∈ pds))
      ;
      logsfin-def :  ⊦ logsfin(exLog) ↔ (∃ pds. ∀ pd. toLogged(pd, exLog) ↔ pd ∈ pds);
      exLogok-def
      : ⊦ 
          exLogok(exLog, state, nextSeqNo, pdAuth)
        ↔ (∀ pd, na. 
              (  fromLogged(pd, exLog)
               → pd .fromno &lt; nextSeqNo(pd .from) ∧ (state(pd .from) = epr ∨ state(pd .from) = epa → pd .fromno &lt; pdAuth(pd .from) .fromno))
            ∧ (toLogged(pd, exLog) → pd .tono &lt; nextSeqNo(pd .to) ∧ (state(pd .to) = epv → pd .tono &lt; pdAuth(pd .to) .tono))
            ∧ (authentic(na) ∧ pd ∈ exLog(na) → (pd .to = na ∨ pd .from = na) ∧ pd .to ≠ pd .from))
      ;
      BINV-def
      : ⊦ 
          BINV(balance, exLog, state, nextSeqNo, pdAuth, ether)
        ↔   purseok(balance, state, nextSeqNo, pdAuth) ∧ etherok(exLog, state, nextSeqNo, pdAuth, ether) ∧ initether(ether)
          ∧ exLogok(exLog, state, nextSeqNo, pdAuth)
      ; comment: This specification defines the invariant BINV
for the intermediate level of the Mondex case.
BINV is defined as the conjunction of properties 
P-1 to P-4 and B-1 to B-16 together with the 
PayDetails-property pd.from ≠ pd.to for all relevant 
PayDetails pd. The unfinished proof for theorem 'BINV' shows 
that the original BINV is too weak to be proved as an invariant
of the intermediate level. 

Property initether is included in BINV so that some message is always
available for the ASM. The final flag is used to stop the ASM run at
any time. The property and the flag are removed in the final version (in 'BINV')
by setting final states to be those with ether = ∅;
   
end enrich</SPECBODY></KIVSPEC>
