Proofs for file C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd

Generated by Perfect Developer at 11:15:33 UTC on Tuesday January 17th 2006

Tool file versions: PDTool 3.03.03, builtin 3.03, rubric 3.03.03

Proved 30 of 30 verification conditions.



Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (27,14)
To prove: 0 ≤ (self.balance + (amt as int))
Given: 0 ≤ amt
Proof:
[Take goal term]
[1.0] 0 ≤ (self.balance + (amt as int))
→ [simplify]
[1.3] -1 < (self.balance + amt)
→ [negate goal and search for contradiction]
[1.4] ~(-1 < (self.balance + amt))
→ [simplify]
[1.7] 0 < (-self.balance + -amt)
[Take given term]
[2.0] 0 ≤ amt
→ [simplify]
[2.2] -1 < amt
[Assume known post-assertion, class invariant or type constraint for term 1.7]
[3.0] 0self.balance
→ [simplify]
[3.2] -1 < self.balance
[Create new term from terms 1.7, 3.2 using rule: transitivity 2]
[4.0] (-1 + 0 + 1) < -amt
→ [simplify]
[4.1] 0 < -amt
→ [from term 2.2, literala < -amt is false whenever -2 < (-1 + literala)]
[4.2] false
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (18,29)
To prove: 0 ≤ (self.lost + (amt as int))
Given: 0 ≤ amt, amt ≤ self.balance, (self.balance - (amt as int)) = self′.balance
Proof:
[Take goal term]
[1.0] 0 ≤ (self.lost + (amt as int))
→ [simplify]
[1.3] -1 < (self.lost + amt)
→ [negate goal and search for contradiction]
[1.4] ~(-1 < (self.lost + amt))
→ [simplify]
[1.7] 0 < (-self.lost + -amt)
[Take given term]
[2.0] 0 ≤ amt
→ [simplify]
[2.2] -1 < amt
[Assume known post-assertion, class invariant or type constraint for term 1.7]
[7.0] 0self.lost
→ [simplify]
[7.2] -1 < self.lost
[Create new term from terms 1.7, 7.2 using rule: transitivity 2]
[8.0] (-1 + 0 + 1) < -amt
→ [simplify]
[8.1] 0 < -amt
→ [from term 2.2, literala < -amt is false whenever -2 < (-1 + literala)]
[8.2] false
(Rewriter time: 0.0s, Prover time: 0.1s)


Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (18,14)
To prove: 0 ≤ (self.balance - (amt as int))
Given: 0 ≤ amt, amt ≤ self.balance
Proof:
[Take given term]
[3.0] amt ≤ self.balance
→ [simplify]
[3.7] -1 < (-amt + self.balance)
[Take goal term]
[1.0] 0 ≤ (self.balance - (amt as int))
→ [simplify]
[1.4] -1 < (-amt + self.balance)
→ [from term 3.7, literala < (-amt + self.balance) is true whenever -1 < (-1 + -literala)]
[1.5] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (23,14)
To prove: 0 ≤ (self.balance - (amt as int))
Given: 0 ≤ amt, amt ≤ self.balance
Proof:
[Take given term]
[3.0] amt ≤ self.balance
→ [simplify]
[3.7] -1 < (-amt + self.balance)
[Take goal term]
[1.0] 0 ≤ (self.balance - (amt as int))
→ [simplify]
[1.4] -1 < (-amt + self.balance)
→ [from term 3.7, literala < (-amt + self.balance) is true whenever -1 < (-1 + -literala)]
[1.5] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Type constraint satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (31,36)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (83,18)
To prove: 00
Given: self ≈ (anything{} to AbPurse), self′.balance = (0 as nat)
Proof:
[Take goal term]
[1.0] 00
→ [simplify]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Type constraint satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (31,25)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (83,18)
To prove: 00
Given: self ≈ (anything{} to AbPurse)
Proof:
[Take goal term]
[1.0] 00
→ [simplify]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'lose' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (80,105)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (17,17)
To prove: details.val ≤ it.balance
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details), it = self.AbAuthPurse[details.frm]
Proof:
[Take given term]
[5.0] self.SufficientFundsProperty(details)
[Take given term]
[7.0] self.AbAuthPurse[details.frm] = it
[Take goal term]
[1.0] details.val ≤ it.balance
→ [from term 7.0, it is equal to self.AbAuthPurse[details.frm]]
[1.1] details.val ≤ self.AbAuthPurse[details.frm].balance
→ [simplify]
[1.8] -1 < (-details.val + self.AbAuthPurse[details.frm].balance)
→ [negate goal and search for contradiction]
[1.9] ~(-1 < (-details.val + self.AbAuthPurse[details.frm].balance))
→ [simplify]
[1.13] 0 < (details.val + -self.AbAuthPurse[details.frm].balance)
[Copy term 5.0]
[15.0] self.SufficientFundsProperty(details)
→ [expand function]
[15.1] -1 < (-details.val + self.AbAuthPurse[details.frm].balance)
→ [from term 1.13, literala < (-details.val + self.AbAuthPurse[details.frm].balance) is false whenever -2 < (0 + literala)]
[15.2] false
(Rewriter time: 0.0s, Prover time: 0.4s)


Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (80,82)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.frm in self.AbAuthPurse.dom
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[2.1] details.frm in self.AbAuthPurse
→ [simplify]
[2.2] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] details.frm in self.AbAuthPurse.dom
→ [from term 2.2, details.frm in self.AbAuthPurse.dom is true]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'replace' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (80,48)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (802,15)
To prove: details.frm in self.AbAuthPurse
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[2.1] details.frm in self.AbAuthPurse
→ [simplify]
[2.2] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] details.frm in self.AbAuthPurse
→ [simplify]
[1.1] details.frm in self.AbAuthPurse.dom
→ [from term 2.2, details.frm in self.AbAuthPurse.dom is true]
[1.2] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'remove' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (89,105)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (22,17)
To prove: details.val ≤ it.balance
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details), it = self.AbAuthPurse[details.frm]
Proof:
[Take given term]
[5.0] self.SufficientFundsProperty(details)
[Take given term]
[7.0] self.AbAuthPurse[details.frm] = it
[Take goal term]
[1.0] details.val ≤ it.balance
→ [from term 7.0, it is equal to self.AbAuthPurse[details.frm]]
[1.1] details.val ≤ self.AbAuthPurse[details.frm].balance
→ [simplify]
[1.8] -1 < (-details.val + self.AbAuthPurse[details.frm].balance)
→ [negate goal and search for contradiction]
[1.9] ~(-1 < (-details.val + self.AbAuthPurse[details.frm].balance))
→ [simplify]
[1.13] 0 < (details.val + -self.AbAuthPurse[details.frm].balance)
[Copy term 5.0]
[15.0] self.SufficientFundsProperty(details)
→ [expand function]
[15.1] -1 < (-details.val + self.AbAuthPurse[details.frm].balance)
→ [from term 1.13, literala < (-details.val + self.AbAuthPurse[details.frm].balance) is false whenever -2 < (0 + literala)]
[15.2] false
(Rewriter time: 0.0s, Prover time: 0.4s)


Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (89,82)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.frm in self.AbAuthPurse.dom
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[2.1] details.frm in self.AbAuthPurse
→ [simplify]
[2.2] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] details.frm in self.AbAuthPurse.dom
→ [from term 2.2, details.frm in self.AbAuthPurse.dom is true]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'replace' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (89,48)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (802,15)
To prove: details.frm in self.AbAuthPurse
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[2.1] details.frm in self.AbAuthPurse
→ [simplify]
[2.2] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] details.frm in self.AbAuthPurse
→ [simplify]
[1.1] details.frm in self.AbAuthPurse.dom
→ [from term 2.2, details.frm in self.AbAuthPurse.dom is true]
[1.2] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (90,81)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.to in self.AbAuthPurse.dom
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
[Take given term]
[3.0] self.Authentic(details.to)
→ [expand function 'Authentic']
[3.1] details.to in self.AbAuthPurse
→ [simplify]
[3.2] details.to in self.AbAuthPurse.dom
[Take goal term]
[1.0] details.to in self.AbAuthPurse.dom
→ [from term 3.2, details.to in self.AbAuthPurse.dom is true]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'replace' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (90,48)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (802,15)
To prove: details.to in self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {itit′}!remove(details.val))
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
[Take given term]
[3.0] self.Authentic(details.to)
→ [expand function 'Authentic']
[3.1] details.to in self.AbAuthPurse
→ [simplify]
[3.2] details.to in self.AbAuthPurse.dom
[Take goal term]
[1.0] details.to in self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {itit′}!remove(details.val))
→ [simplify]
[1.2] details.to in self.AbAuthPurse.dom
→ [from term 3.2, details.to in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (66,38)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.frm in self.AbAuthPurse.dom
Given: self.Authentic(details.frm)
Proof:
[Take given term]
[2.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[2.1] details.frm in self.AbAuthPurse
→ [simplify]
[2.2] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] details.frm in self.AbAuthPurse.dom
→ [from term 2.2, details.frm in self.AbAuthPurse.dom is true]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Post-assertion valid
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (94,14)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (103,37)
To prove: self′.totalAbBalance ≤ self.totalAbBalance
Given: (opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details)), forall $x::$attributeNames(AbWorld) • different(self′.$x; [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [true]: self′) ==> self.$x=self′.$x
Proof:
[Take goal term]
[1.0] self′.totalAbBalance ≤ self.totalAbBalance
→ [simplify]
[1.7] -1 < (-self′.totalAbBalance + self.totalAbBalance)
→ [negate goal and search for contradiction]
[1.8] ~(-1 < (-self′.totalAbBalance + self.totalAbBalance))
→ [simplify]
[1.12] 0 < (self′.totalAbBalance + -self.totalAbBalance)
[Take given term]
[2.0] (opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.1] (opaque [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.2] (opaque [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.3] (opaque [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.9] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.10] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.11] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.12] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.18] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
[Copy term 1.12]
[18.0] 0 < (-self.totalAbBalance + self′.totalAbBalance)
→ [expand function]
[18.1] 0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self′.AbAuthPurse.ranb yield x.balance)))
[From definition temp_g_2 = self.AbAuthPurse[details.frm] after {itit′}!lose(details.val)]
[31.0] {self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
[Copy term 31.0]
[32.0] {self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
→ [expand schema 'lose']
[32.1] ((self.AbAuthPurse[details.frm].lost + (details.val as int)) = temp_g_2.lost) .& ((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_g_2.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
→ [simplify]
[32.8] (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
→ [expand all members]
[32.9] (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& ((forall $x::$attributeNames(int) • different(temp_g_2.lost.$x; lost) ==> self.AbAuthPurse[details.frm].lost.$x=temp_g_2.lost.$x) .& (forall $x::$attributeNames(int) • different(temp_g_2.balance.$x; balance) ==> self.AbAuthPurse[details.frm].balance.$x=temp_g_2.balance.$x))
→ [simplify]
[32.13] (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val))
→ [separate conjunction and work on first sub-term]
[32.14] 0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)
[From definition temp_l_1_2 = self.AbAuthPurse[details.to] after {itit′}!add(details.val)]
[64.0] {self.AbAuthPurse[details.to]→temp_l_1_2}!add(details.val)
[From definition temp_l_1_3 = self.AbAuthPurse[details.frm] after {itit′}!remove(details.val)]
[65.0] {self.AbAuthPurse[details.frm]→temp_l_1_3}!remove(details.val)
[Copy term 64.0]
[66.0] {self.AbAuthPurse[details.to]→temp_l_1_2}!add(details.val)
→ [expand schema 'add']
[66.1] ((self.AbAuthPurse[details.to].balance + (details.val as int)) = temp_l_1_2.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_2.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_2.$x)
→ [simplify]
[66.4] (0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_2.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_2.$x)
→ [expand all members]
[66.5] (0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)) .& ((self.AbAuthPurse[details.to].lost = temp_l_1_2.lost) .& (forall $x::$attributeNames(int) • different(temp_l_1_2.balance.$x; balance) ==> self.AbAuthPurse[details.to].balance.$x=temp_l_1_2.balance.$x))
→ [simplify]
[66.8] (0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (0 = (-temp_l_1_2.lost + self.AbAuthPurse[details.to].lost))
→ [separate conjunction and work on first sub-term]
[66.9] 0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)
[Copy term 65.0]
[70.0] {self.AbAuthPurse[details.frm]→temp_l_1_3}!remove(details.val)
→ [expand schema 'remove']
[70.1] ((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_l_1_3.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_3.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_3.$x)
→ [simplify]
[70.5] (0 = (-temp_l_1_3.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_3.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_3.$x)
Proof branches here giving 3 sub-goals:
(Rewriter time: 0.0s, Prover time: 14.7s)


Proof of verification condition: Post-assertion valid
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (94,14)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (104,57)
To prove: (self.totalAbBalance + self.totalAbLost) = (self′.totalAbBalance + self′.totalAbLost)
Given: (opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details)), forall $x::$attributeNames(AbWorld) • different(self′.$x; [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [true]: self′) ==> self.$x=self′.$x
Proof:
[Take goal term]
[1.0] (self.totalAbBalance + self.totalAbLost) = (self′.totalAbBalance + self′.totalAbLost)
→ [simplify]
[1.3] 0 = (-self′.totalAbBalance + -self′.totalAbLost + self.totalAbBalance + self.totalAbLost)
→ [negate goal and search for contradiction]
[1.4] ~(0 = (-self′.totalAbBalance + -self′.totalAbLost + self.totalAbBalance + self.totalAbLost))
[Take given term]
[2.0] (opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.1] (opaque [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.2] (opaque [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.3] (opaque [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.9] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.10] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.11] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [expand function 'Authentic']
[2.12] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
→ [simplify]
[2.18] (opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferLost(details), [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {selfself′}!AbTransferOkay(details), [true]: {selfself′}!AbIgnore(details))
[Copy term 1.4]
[20.0] ~(0 = (-self′.totalAbBalance + -self′.totalAbLost + self.totalAbBalance + self.totalAbLost))
→ [expand function]
[20.1] ~(0 = (-(+ over (for x::self′.AbAuthPurse.ranb yield x.balance)) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
[From definition temp_g_2 = self.AbAuthPurse[details.frm] after {itit′}!lose(details.val)]
[35.0] {self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
[Copy term 35.0]
[36.0] {self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
→ [expand schema 'lose']
[36.1] ((self.AbAuthPurse[details.frm].lost + (details.val as int)) = temp_g_2.lost) .& ((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_g_2.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
→ [simplify]
[36.8] (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
→ [expand all members]
[36.9] (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& ((forall $x::$attributeNames(int) • different(temp_g_2.lost.$x; lost) ==> self.AbAuthPurse[details.frm].lost.$x=temp_g_2.lost.$x) .& (forall $x::$attributeNames(int) • different(temp_g_2.balance.$x; balance) ==> self.AbAuthPurse[details.frm].balance.$x=temp_g_2.balance.$x))
→ [simplify]
[36.13] (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val))
→ [separate conjunction and work on first sub-term]
[36.14] 0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)
[Work on sub-term 2 of conjunction in term 36.13]
[37.0] 0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)
[From definition temp_l_1_0 = self.AbAuthPurse[details.to] after {itit′}!add(details.val)]
[67.0] {self.AbAuthPurse[details.to]→temp_l_1_0}!add(details.val)
[From definition temp_l_1_1 = self.AbAuthPurse[details.frm] after {itit′}!remove(details.val)]
[68.0] {self.AbAuthPurse[details.frm]→temp_l_1_1}!remove(details.val)
[Copy term 67.0]
[69.0] {self.AbAuthPurse[details.to]→temp_l_1_0}!add(details.val)
→ [expand schema 'add']
[69.1] ((self.AbAuthPurse[details.to].balance + (details.val as int)) = temp_l_1_0.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_0.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_0.$x)
→ [simplify]
[69.4] (0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_0.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_0.$x)
→ [expand all members]
[69.5] (0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)) .& ((self.AbAuthPurse[details.to].lost = temp_l_1_0.lost) .& (forall $x::$attributeNames(int) • different(temp_l_1_0.balance.$x; balance) ==> self.AbAuthPurse[details.to].balance.$x=temp_l_1_0.balance.$x))
→ [simplify]
[69.8] (0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (0 = (-temp_l_1_0.lost + self.AbAuthPurse[details.to].lost))
→ [separate conjunction and work on first sub-term]
[69.9] 0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)
[Copy term 68.0]
[71.0] {self.AbAuthPurse[details.frm]→temp_l_1_1}!remove(details.val)
→ [expand schema 'remove']
[71.1] ((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_l_1_1.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_1.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_1.$x)
→ [simplify]
[71.5] (0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_1.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_1.$x)
→ [expand all members]
[71.6] (0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& ((self.AbAuthPurse[details.frm].lost = temp_l_1_1.lost) .& (forall $x::$attributeNames(int) • different(temp_l_1_1.balance.$x; balance) ==> self.AbAuthPurse[details.frm].balance.$x=temp_l_1_1.balance.$x))
→ [simplify]
[71.9] (0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (0 = (-temp_l_1_1.lost + self.AbAuthPurse[details.frm].lost))
Proof branches here giving 3 sub-goals:
(Rewriter time: 0.0s, Prover time: 19.5s)


Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (75,13)
To prove: self.Authentic(details.frm)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
[Work on sub-term 2 of conjunction in term 2.9]
[4.0] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[1.1] details.frm in self.AbAuthPurse
→ [simplify]
[1.2] details.frm in self.AbAuthPurse.dom
→ [from term 4.0, details.frm in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (76,13)
To prove: self.Authentic(details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
[Work on sub-term 3 of conjunction in term 2.9]
[5.0] details.to in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.to)
→ [expand function 'Authentic']
[1.1] details.to in self.AbAuthPurse
→ [simplify]
[1.2] details.to in self.AbAuthPurse.dom
→ [from term 5.0, details.to in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (77,25)
To prove: ~(details.frm = details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
→ [separate conjunction and work on first sub-term]
[2.10] ~(details.frm = details.to)
[Take goal term]
[1.0] ~(details.frm = details.to)
→ [from term 2.10, details.frm = details.to is false]
[1.1] ~false
→ [simplify]
[1.2] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (78,13)
To prove: self.SufficientFundsProperty(details)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
[Work on sub-term 4 of conjunction in term 2.9]
[6.0] self.SufficientFundsProperty(details)
[Take goal term]
[1.0] self.SufficientFundsProperty(details)
→ [from term 6.0, self.SufficientFundsProperty(details) is true]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (95,95)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: (self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
Proof:
[Take given term]
[2.0] (self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
→ [expand function 'Authentic']
[2.1] ((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)
→ [simplify]
[2.2] ((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)
→ [expand function 'Authentic']
[2.3] ((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)
→ [simplify]
[2.7] (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& ~(details.frm = details.to)
[Work on sub-term 2 of conjunction in term 2.7]
[4.0] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[1.1] details.frm in self.AbAuthPurse
→ [simplify]
[1.2] details.frm in self.AbAuthPurse.dom
→ [from term 4.0, details.frm in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (84,13)
To prove: self.Authentic(details.frm)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
[Work on sub-term 2 of conjunction in term 2.9]
[4.0] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[1.1] details.frm in self.AbAuthPurse
→ [simplify]
[1.2] details.frm in self.AbAuthPurse.dom
→ [from term 4.0, details.frm in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (85,13)
To prove: self.Authentic(details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
[Work on sub-term 3 of conjunction in term 2.9]
[5.0] details.to in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.to)
→ [expand function 'Authentic']
[1.1] details.to in self.AbAuthPurse
→ [simplify]
[1.2] details.to in self.AbAuthPurse.dom
→ [from term 5.0, details.to in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (86,25)
To prove: ~(details.frm = details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
→ [separate conjunction and work on first sub-term]
[2.10] ~(details.frm = details.to)
[Take goal term]
[1.0] ~(details.frm = details.to)
→ [from term 2.10, details.frm = details.to is false]
[1.1] ~false
→ [simplify]
[1.2] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (87,13)
To prove: self.SufficientFundsProperty(details)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
[Take given term]
[2.0] ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.1] (((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.2] (((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [expand function 'Authentic']
[2.3] (((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
→ [simplify]
[2.9] ~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
[Work on sub-term 4 of conjunction in term 2.9]
[6.0] self.SufficientFundsProperty(details)
[Take goal term]
[1.0] self.SufficientFundsProperty(details)
→ [from term 6.0, self.SufficientFundsProperty(details) is true]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (97,95)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: (self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
Proof:
[Take given term]
[2.0] (self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
→ [expand function 'Authentic']
[2.1] ((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)
→ [simplify]
[2.2] ((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)
→ [expand function 'Authentic']
[2.3] ((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)
→ [simplify]
[2.7] (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& ~(details.frm = details.to)
[Work on sub-term 2 of conjunction in term 2.7]
[4.0] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[1.1] details.frm in self.AbAuthPurse
→ [simplify]
[1.2] details.frm in self.AbAuthPurse.dom
→ [from term 4.0, details.frm in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: At least one guard is true
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (94,14)
To prove: true .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)) .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details))
Proof:
[Take goal term]
[1.0] true .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)) .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details))
→ [simplify]
[1.1] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (78,13)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to)
Proof:
[Take given term]
[2.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[2.1] details.frm in self.AbAuthPurse
→ [simplify]
[2.2] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[1.1] details.frm in self.AbAuthPurse
→ [simplify]
[1.2] details.frm in self.AbAuthPurse.dom
→ [from term 2.2, details.frm in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (87,13)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to)
Proof:
[Take given term]
[2.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[2.1] details.frm in self.AbAuthPurse
→ [simplify]
[2.2] details.frm in self.AbAuthPurse.dom
[Take goal term]
[1.0] self.Authentic(details.frm)
→ [expand function 'Authentic']
[1.1] details.frm in self.AbAuthPurse
→ [simplify]
[1.2] details.frm in self.AbAuthPurse.dom
→ [from term 2.2, details.frm in self.AbAuthPurse.dom is true]
[1.3] true
(Rewriter time: 0.0s, Prover time: 0.0s)


End of proofs for file C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd