<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="../../../unit.xsl"?>
<KIVSPEC name="Mondex-refine"><SPECBODY>instantiate <a href="../../../../Z-refinement-web/specs/IOconbackward-INV/export/unit.xml">IOconbackward-INV</a>
&lt; <a href="../../../../Z-refinement-web/specs/IOconbackwardINV-is-IOconrefine/export/unit.xml">IOconbackwardINV-is-IOconrefine</a>
with <a href="../../../specs/Mondex-ACINV/export/unit.xml">Mondex-ACINV</a> , 
     <a href="../../../specs/Mondex-COP/export/unit.xml">Mondex-COP</a> , 
     <a href="../../../specs/Mondex-AOP/export/unit.xml">Mondex-AOP</a> , 
     <a href="../../../specs/finite-authentic-names/export/unit.xml">finite-authentic-names</a> comment: This specification instantiates the backward simulation
conditions of 'IOconbackward-INV' (contract approach with IO and
 invariants) with the concrete definitions as used in the Mondex
case study. We prove the instances of the proof obligations here,
and the instantiation then guarantees that the refinement theorem of
the contract approach (as defined in 'IOconrefine') holds.;
by mapping : globalinput → ainput; : globalstate → (name → nat), (name → nat); : globaloutput → dummyoutput; : cinput → message; 
           : coutput → dummyoutput; : aoutput → dummyoutput; : astate → (name → nat), (name → nat); 
           : cstate → (name → nat), (name → PayDetailsSet), (name → status), (name → nat), (name → PayDetails), messageset; : index → mindex; 
           dom → [λ afin. λ balance, lost. ∃ balance', lost'. afin(balance, lost, balance', lost')]; 
           dom → [λ cfin. 
                   λ balance, exLog, status, nextSeqNo, pdAuth, ether. 
                    ∃ balance', lost'. cfin(balance, exLog, status, nextSeqNo, pdAuth, ether, balance', lost')]; 
           dom → [λ aop. λ ain, balance, lost. ∃ balance', lost', dum. aop(ain, balance, lost, balance', lost', dum)]; 
           dom → [λ cop. 
                   λ msg, balance, exLog, status, nextSeqNo, pdAuth, ether. 
                    ∃ balance', exLog', status', nextSeqNo', pdAuth', ether', dum. 
                     cop(msg, balance, exLog, status, nextSeqNo, pdAuth, ether, balance', exLog', status', nextSeqNo', pdAuth', ether', dum)]; 
           COP → [COP]; AOP → [AOP]; OT → [λ dum, dum0. true]; 
           IT → [λ msg, ain. ain = ((isreq(msg) ⊃ Transfer(msg .pd .from, msg .pd .to, msg .pd .value); null))]; 
           T → [λ balance, exLog, status, nextSeqNo, pdAuth, ether, balance0, lost. ACINV(balance, exLog, status, pdAuth, balance0, lost)]; 
           CINV → [CINV]; AINV → [λ balance, lost. true]; AIN → [λ ain, ain0. ain = ain0]; AOUT → [λ dum, dum0. true]; 
           CIN → [λ ain, msg. ain = ((isreq(msg) ⊃ Transfer(msg .pd .from, msg .pd .to, msg .pd .value); null))]; COUT → [λ dum, dum0. true]; 
           AINIT → [λ balance, lost. true]; AFIN → [λ balance, lost, balance0, lost0. balance = balance0 ∧ lost = lost0]; CINIT → [CINV]; 
           CFIN → [λ balance, exLog, status, nextSeqNo, pdAuth, ether, balance0, lost. 
                    ∃ maybelost, definitelylost. 
                       balance = balance0 ∧ maybeLost(exLog, pdAuth, status, maybelost) ∧ definitelyLost(exLog, pdAuth, status, definitelylost)
                     ∧ lost = (λ na. Σ filter(λ pd. pd .from = na, definitelylost ∪ maybelost))]; 
           gin → ain; gs → balance1, lost1; gou → dum; cin → msg; cou → dum0; aou → dum1; as → balance0, lost0; as' → balance'0, lost'; 
           cs → balance, exLog, status, nextSeqNo, pdAuth, ether; cs' → balance', exLog', status', nextSeqNo', pdAuth', ether'; i → mi; cdp → cdp; 
           csp → csp; cfin → cfin; cop → cop; adp → adp; asp → asp; afin → afin; aop → aop;
   rename .cs → .cbal, .exLog, .status, .nextSeqNo, .pdAuth, .ether; .as → .abal, .lost; .gs → .abal, .lost; ^* → ^*; ^* → ^*; embed → embed; 
          embedfin → embedfin; embedinit → embedinit; ^* → ^*; ^* → ^*; fillfirst → fillfirst; mklist → mklist; .last → .last; ++ → ++; + → +; + → +; 
          ' → '; hd → hd; + → +; ASEM → ASEM; APROG → APROG; ran → ran; ran → ran; ran → ran; dom → dom; dom → dom; dom → dom; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; 
          ⊗ → ⊗; embed → embed; embedfin → embedfin; embedinit → embedinit; ^* → ^*; ^* → ^*; fillfirst → fillfirst; mklist → mklist; .last → .last; 
          ++ → ++; + → +; + → +; ' → '; hd → hd; + → +; fillfirst → fillfirst; mklist → mklist; .last → .last; ++ → ++; + → +; + → +; ' → '; hd → hd; 
          + → +; fillfirst → fillfirst; mklist → mklist; .last → .last; ++ → ++; + → +; + → +; ' → '; hd → hd; + → +; fillfirst → fillfirst; 
          mklist → mklist; .last → .last; ++ → ++; + → +; + → +; ' → '; hd → hd; + → +; CSEM → CSEM; CPROG → CPROG; fillfirst → fillfirst; 
          mklist → mklist; .last → .last; ++ → ++; + → +; + → +; ' → '; hd → hd; + → +; ran → ran; ran → ran; ran → ran; dom → dom; dom → dom; 
          dom → dom; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; ^ → ^; ^ → ^; ^ → ^; ^ → ^; ^ → ^; mkcsio → mkcsio; ^ → ^; ^ → ^; ^ → ^; mkgsio → mkgsio; 
          mkasio → mkasio; dom → dom; ran → ran; dom → dom; ran → ran; -≫ → -≫; ≪- → ≪-; ≪ → ≪; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; ⊗ → ⊗; 
          ⊗ → ⊗; ∈ → ∈; ∈ → ∈; ∈ → ∈; ∈ → ∈; ∈ → ∈; ∈ → ∈; ⊆ → ⊆; ⊆ → ⊆; ⊆ → ⊆; ⊆ → ⊆; ⊆ → ⊆; ⊆ → ⊆; ⊆ → ⊆; ⊆ → ⊆; ⊆ → ⊆; as0 → (balance10, lost10); 
          as1 → (balance11, lost11); as2 → (balance12, lost12); as3 → (balance13, lost13); as4 → (balance14, lost14); as5 → (balance15, lost15); 
          gs' → (balance'1, lost'1); gs11 → (balance21, lost21); gs12 → (balance22, lost22); gs13 → (balance23, lost23); gs0 → (balance16, lost16); 
          gs1 → (balance17, lost17); gs2 → (balance18, lost18); cs0 → (balance3, exLog3, status3, nextSeqNo3, pdAuth3, ether3); 
          cs1 → (balance4, exLog4, status4, nextSeqNo4, pdAuth4, ether4); cs2 → (balance5, exLog5, status5, nextSeqNo5, pdAuth5, ether5); 
          cs3 → (balance6, exLog6, status6, nextSeqNo6, pdAuth6, ether6); cs4 → (balance7, exLog7, status7, nextSeqNo7, pdAuth7, ether7); 
          cs5 → (balance8, exLog8, status8, nextSeqNo8, pdAuth8, ether8); aou' → (dum'); aou0 → (dum2); aou1 → (dum3); aou2 → (dum4); gou' → (dum'0); 
          gou0 → (dum5); gou1 → (dum6); gou2 → (dum7); cou' → (dum'1); cou0 → (dum8); cou1 → (dum9); cou2 → (dum10); gin' → (ain'0); gin0 → (ain3); 
          gin1 → (ain4); gin2 → (ain5); cin' → (msg'); cin0 → (msg5); cin1 → (msg6); cin2 → (msg7); i0 → (mi0); i1 → (mi1); i2 → (mi2); cil → (cil); 
          cil' → (cil'); cil0 → (cil0); cil1 → (cil1); cil2 → (cil2); cil3 → (cil3); cil4 → (cil4); cil5 → (cil5); cil6 → (cil6); cil7 → (cil7); 
          cil8 → (cil8); cil9 → (cil9); cil10 → (cil10); cil11 → (cil11); cil12 → (cil12); cil13 → (cil13); col → (col); col' → (col'); col0 → (col0); 
          col1 → (col1); col2 → (col2); col3 → (col3); col4 → (col4); col5 → (col5); col6 → (col6); col7 → (col7); col8 → (col8); col9 → (col9); 
          col10 → (col10); col11 → (col11); col12 → (col12); col13 → (col13); aol → (aol); aol' → (aol'); aol0 → (aol0); aol1 → (aol1); aol2 → (aol2); 
          aol3 → (aol3); aol4 → (aol4); aol5 → (aol5); aol6 → (aol6); aol7 → (aol7); aol8 → (aol8); aol9 → (aol9); aol10 → (aol10); aol11 → (aol11); 
          aol12 → (aol12); aol13 → (aol13); gil → (gil); gil' → (gil'); gil0 → (gil0); gil1 → (gil1); gil2 → (gil2); gil3 → (gil3); gil4 → (gil4); 
          gil5 → (gil5); gil6 → (gil6); gil7 → (gil7); gil8 → (gil8); gil9 → (gil9); gil10 → (gil10); gil11 → (gil11); gil12 → (gil12); 
          gil13 → (gil13); gol → (gol); gol' → (gol'); gol0 → (gol0); gol1 → (gol1); gol2 → (gol2); gol3 → (gol3); gol4 → (gol4); gol5 → (gol5); 
          gol6 → (gol6); gol7 → (gol7); gol8 → (gol8); gol9 → (gol9); gol10 → (gol10); gol11 → (gol11); gol12 → (gol12); gol13 → (gol13); oT → oT; 
          iT → iT; ainit → ainit; aioout → aioout; aioin → aioin; aiofin0 → aiofin0; aioinit0 → aioinit0; cinit → cinit; cioout → cioout; 
          cioin → cioin; ciofin0 → ciofin0; cioinit0 → cioinit0; r → r; cp1 → cp1; cp2 → cp2; r1 → r1; r2 → r2; t → t; t1 → t1; t2 → t2; csem → csem; 
          cp → cp; gp → gp; asem → asem; ap → ap; aiofin2 → aiofin2; aiofin1 → aiofin1; aioinit2 → aioinit2; aioinit1 → aioinit1; ciofin2 → ciofin2; 
          ciofin1 → ciofin1; cioinit2 → cioinit2; cioinit1 → cioinit1; aiofin → aiofin; aioinit → aioinit; aioop2 → aioop2; aioop1 → aioop1; 
          aioop → aioop; ciofin → ciofin; cioinit → cioinit; cioop2 → cioop2; cioop1 → cioop1; cioop → cioop;
end instantiate</SPECBODY></KIVSPEC>
