0specs/Mondex-ASM-refine/proofs/3349528890
definitelyLost-def⊦
definitelyLost(exLog, pdAuth, state, definitelylost)
↔ (∀ pd. pd ∈ definitelylost ↔ toLogged(pd, exLog) ∧ (fromLogged(pd, exLog) ∨ fromInEpa(pd, pdAuth, state)))
00definitelyLost-def-proofdefinitelyLost-def-proof-info
maybeLost-def⊦
maybeLost(exLog, pdAuth, state, maybelost)
↔ (∀ pd. pd ∈ maybelost ↔ toInEpv(pd, pdAuth, state) ∧ (fromLogged(pd, exLog) ∨ fromInEpa(pd, pdAuth, state)))
00maybeLost-def-proofmaybeLost-def-proof-info
filter-insert ⊦ filter(Ppd, pds ++ pd) = ((Ppd(pd) ⊃ filter(Ppd, pds) ++ pd; filter(Ppd, pds)))
00filter-insert-prooffilter-insert-proof-info
simplocalsimp
filter-empty ⊦ filter(Ppd, ∅) = ∅
00filter-empty-prooffilter-empty-proof-info
simplocalsimp
sum-insert ⊦ Σ (pds ++ pd) = ((pd ∈ pds ⊃ Σ pds; Σ pds + pd .value))
00sum-insert-proofsum-insert-proof-info
simplocalsimp
sum-empty ⊦ Σ ∅ = 0
00sum-empty-proofsum-empty-proof-info
simplocalsimp
ABINV-def⊦
ABINV(balance, lost, balance0, exLog, state, nextSeqNo, pdAuth, ether, outmsg)
↔ (∃ maybelost, chosenlost, definitelylost.
maybeLost(exLog, pdAuth, state, maybelost) ∧ definitelyLost(exLog, pdAuth, state, definitelylost) ∧ chosenlost ⊆ maybelost
∧ balandlostok(balance, lost, balance0, chosenlost, definitelylost, maybelost))
00ABINV-def-proofABINV-def-proof-info
localsimpsimp
balandlostok-def⊦
balandlostok(balance, lost, balance0, chosenlost, definitelylost, maybelost)
↔ (∀ na.
authentic(na)
→ lost(na) = Σ filter(λ pd. pd .from = na, definitelylost ∪ chosenlost)
∧ balance(na) = balance0(na) + Σ filter(λ pd. pd .to = na, maybelost \ chosenlost))
00balandlostok-def-proofbalandlostok-def-proof-info
correctness〈BSTEP#(; balance0, exLog, state, nextSeqNo, pdAuth, ether, outmsg)〉 ABINV(balance', lost', balance0, exLog, state, nextSeqNo, pdAuth, ether, outmsg),
BINV(balance0, exLog, state, nextSeqNo, pdAuth, ether), ether ≠ ∅
⊦
∃ balance, lost.
ABINV(balance, lost, balance0, exLog, state, nextSeqNo, pdAuth, ether, outmsg)
∧ (〈ASTEP#(; balance, lost)〉 (balance = balance' ∧ lost = lost') ∨ balance = balance' ∧ lost = lost')
filter-insum-insertfilter-insertdiff-filter-not-leqsum-filter-delsum-filter-not-leqsum-filter-union-delbalandlostok-defdefinitelyLost-defmaybeLost-defABINV-def
197655correctness-proofcorrectness-proof-info
diff-filter-not-leqPpd(pd) ⊦ ¬ pd ∈ chosenlost ∧ pd ∈ maybelost → (Σ filter(Ppd, maybelost \ chosenlost) < pd .value ↔ false)
filter-insum-insertfilter-insert
716diff-filter-not-leq-proofdiff-filter-not-leq-proof-info
localsimpsimp
diff-filter-not-zeroPpd(pd) ⊦ pd .value ≠ 0 ∧ ¬ pd ∈ chosenlost ∧ pd ∈ maybelost → Σ filter(Ppd, maybelost \ chosenlost) ≠ 0
filter-insum-insertfilter-insert
322diff-filter-not-zero-proofdiff-filter-not-zero-proof-info
simp
filter-del ⊦ ¬ Ppd(pd) → filter(Ppd, pds -- pd) = filter(Ppd, pds)
filter-insertfilter-empty
514filter-del-prooffilter-del-proof-info
simplocalsimp
filter-in ⊦ pd ∈ filter(Ppd, pds) ↔ ¬ ¬ (Ppd(pd) ∧ pd ∈ pds)
filter-insertfilter-empty
423filter-in-prooffilter-in-proof-info
localsimp
sum-filter-del ⊦ Σ filter(Ppd, pds -- pd) = (((Ppd(pd) ∧ pd ∈ pds) ⊃ Σ filter(Ppd, pds) - pd .value; Σ filter(Ppd, pds)))
sum-filter-geqfilter-delfilter-insum-insertfilter-insert
623sum-filter-del-proofsum-filter-del-proof-info
simplocalsimp
sum-filter-geq ⊦ Ppd(pd) ∧ pd ∈ pds → pd .value ≤ Σ filter(Ppd, pds)
filter-insum-insertfilter-insert
112sum-filter-geq-proofsum-filter-geq-proof-info
simplocalsimp
sum-filter-not-leqPpd(pd) ⊦ Σ filter(Ppd, definitelylost ∪ chosenlost) = n ∧ pd ∈ definitelylost → (n < pd .value ↔ false)
sum-filter-geq
12sum-filter-not-leq-proofsum-filter-not-leq-proof-info
simp
sum-filter-union-del ⊦ Σ filter(Ppd, pds0 ∪ (pds -- pd)) = (((Ppd(pd) ∧ pd ∈ pds ∧ ¬ pd ∈ pds0) ⊃ Σ filter(Ppd, pds0 ∪ pds) - pd .value; Σ filter(Ppd, pds0 ∪ pds)))
sum-filter-del
22sum-filter-union-del-proofsum-filter-union-del-proof-info
simplocalsimp