Proofs for file C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd
Generated by Perfect Developer at 11:15:33 UTC on Tuesday January 17th 2006
Tool file versions: PDTool 3.03.03, builtin 3.03, rubric 3.03.03
Proved 30 of 30 verification conditions.
Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (27,14)
To prove: 0 ≤ (self.balance + (amt as int))
Given: 0 ≤ amt
Proof:
0 ≤ (self.balance + (amt as int))
-1 < (self.balance + amt)
~(-1 < (self.balance + amt))
0 < (-self.balance + -amt)
0 ≤ amt
-1 < amt
0 ≤ self.balance
-1 < self.balance
(-1 + 0 + 1) < -amt
0 < -amt
- Proof of rule precondition:
-2 < (-1 + 0)
true
false
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (18,29)
To prove: 0 ≤ (self.lost + (amt as int))
Given: 0 ≤ amt, amt ≤ self.balance, (self.balance - (amt as int)) = self′.balance
Proof:
0 ≤ (self.lost + (amt as int))
-1 < (self.lost + amt)
~(-1 < (self.lost + amt))
0 < (-self.lost + -amt)
0 ≤ amt
-1 < amt
0 ≤ self.lost
-1 < self.lost
(-1 + 0 + 1) < -amt
0 < -amt
- Proof of rule precondition:
-2 < (-1 + 0)
true
false
(Rewriter time: 0.0s, Prover time: 0.1s)
Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (18,14)
To prove: 0 ≤ (self.balance - (amt as int))
Given: 0 ≤ amt, amt ≤ self.balance
Proof:
amt ≤ self.balance
-1 < (-amt + self.balance)
0 ≤ (self.balance - (amt as int))
-1 < (-amt + self.balance)
- Proof of rule precondition:
-1 < (-1 + --1)
true
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Type constraint for 'nat' satisfied
In the context of class: AbPurse, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (9,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (23,14)
To prove: 0 ≤ (self.balance - (amt as int))
Given: 0 ≤ amt, amt ≤ self.balance
Proof:
amt ≤ self.balance
-1 < (-amt + self.balance)
0 ≤ (self.balance - (amt as int))
-1 < (-amt + self.balance)
- Proof of rule precondition:
-1 < (-1 + --1)
true
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Type constraint satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (31,36)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (83,18)
To prove: 0 ≤ 0
Given: self ≈ (anything{} to AbPurse), self′.balance = (0 as nat)
Proof:
0 ≤ 0
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Type constraint satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (31,25)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (83,18)
To prove: 0 ≤ 0
Given: self ≈ (anything{} to AbPurse)
Proof:
0 ≤ 0
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'lose' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (80,105)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (17,17)
To prove: details.val ≤ it.balance
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details), it = self.AbAuthPurse[details.frm]
Proof:
self.SufficientFundsProperty(details)
self.AbAuthPurse[details.frm] = it
details.val ≤ it.balance
details.val ≤ self.AbAuthPurse[details.frm].balance
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
~(-1 < (-details.val + self.AbAuthPurse[details.frm].balance))
0 < (details.val + -self.AbAuthPurse[details.frm].balance)
self.SufficientFundsProperty(details)
- Expansion detail:
self.SufficientFundsProperty(details)
details.val ≤ self.AbAuthPurse[details.frm].balance
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
- Proof of rule precondition:
-2 < (-1 + 0)
true
false
(Rewriter time: 0.0s, Prover time: 0.4s)
Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (80,82)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.frm in self.AbAuthPurse.dom
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'replace' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (80,48)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (802,15)
To prove: details.frm in self.AbAuthPurse
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'remove' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (89,105)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (22,17)
To prove: details.val ≤ it.balance
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details), it = self.AbAuthPurse[details.frm]
Proof:
self.SufficientFundsProperty(details)
self.AbAuthPurse[details.frm] = it
details.val ≤ it.balance
details.val ≤ self.AbAuthPurse[details.frm].balance
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
~(-1 < (-details.val + self.AbAuthPurse[details.frm].balance))
0 < (details.val + -self.AbAuthPurse[details.frm].balance)
self.SufficientFundsProperty(details)
- Expansion detail:
self.SufficientFundsProperty(details)
details.val ≤ self.AbAuthPurse[details.frm].balance
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
- Proof of rule precondition:
-2 < (-1 + 0)
true
false
(Rewriter time: 0.0s, Prover time: 0.4s)
Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (89,82)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.frm in self.AbAuthPurse.dom
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'replace' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (89,48)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (802,15)
To prove: details.frm in self.AbAuthPurse
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (90,81)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.to in self.AbAuthPurse.dom
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
self.Authentic(details.to)
details.to in self.AbAuthPurse
details.to in self.AbAuthPurse.dom
details.to in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'replace' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (90,48)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (802,15)
To prove: details.to in self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val))
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to), self.SufficientFundsProperty(details)
Proof:
self.Authentic(details.to)
details.to in self.AbAuthPurse
details.to in self.AbAuthPurse.dom
details.to in self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val))
details.to in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of '[]' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (66,38)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Bin\builtin.pd (760,15)
To prove: details.frm in self.AbAuthPurse.dom
Given: self.Authentic(details.frm)
Proof:
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Post-assertion valid
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (94,14)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (103,37)
To prove: self′.totalAbBalance ≤ self.totalAbBalance
Given: (opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details)), forall $x::$attributeNames(AbWorld) • different(self′.$x; [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [true]: self′) ==> self.$x=self′.$x
Proof:
self′.totalAbBalance ≤ self.totalAbBalance
-1 < (-self′.totalAbBalance + self.totalAbBalance)
~(-1 < (-self′.totalAbBalance + self.totalAbBalance))
0 < (self′.totalAbBalance + -self.totalAbBalance)
(opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
0 < (-self.totalAbBalance + self′.totalAbBalance)
- Expansion detail 1:
self.totalAbBalance
+ over (for x::self.AbAuthPurse.ranb yield x.balance)
- Expansion detail 2:
self′.totalAbBalance
+ over (for x::self′.AbAuthPurse.ranb yield x.balance)
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self′.AbAuthPurse.ranb yield x.balance)))
{self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
{self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
((self.AbAuthPurse[details.frm].lost + (details.val as int)) = temp_g_2.lost) .& ((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_g_2.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
(0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
(0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& ((forall $x::$attributeNames(int) • different(temp_g_2.lost.$x; lost) ==> self.AbAuthPurse[details.frm].lost.$x=temp_g_2.lost.$x) .& (forall $x::$attributeNames(int) • different(temp_g_2.balance.$x; balance) ==> self.AbAuthPurse[details.frm].balance.$x=temp_g_2.balance.$x))
(0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val))
0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)
{self.AbAuthPurse[details.to]→temp_l_1_2}!add(details.val)
{self.AbAuthPurse[details.frm]→temp_l_1_3}!remove(details.val)
{self.AbAuthPurse[details.to]→temp_l_1_2}!add(details.val)
((self.AbAuthPurse[details.to].balance + (details.val as int)) = temp_l_1_2.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_2.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_2.$x)
(0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_2.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_2.$x)
(0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)) .& ((self.AbAuthPurse[details.to].lost = temp_l_1_2.lost) .& (forall $x::$attributeNames(int) • different(temp_l_1_2.balance.$x; balance) ==> self.AbAuthPurse[details.to].balance.$x=temp_l_1_2.balance.$x))
(0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (0 = (-temp_l_1_2.lost + self.AbAuthPurse[details.to].lost))
0 = (-temp_l_1_2.balance + self.AbAuthPurse[details.to].balance + details.val)
{self.AbAuthPurse[details.frm]→temp_l_1_3}!remove(details.val)
((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_l_1_3.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_3.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_3.$x)
(0 = (-temp_l_1_3.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_3.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_3.$x)
Proof branches here giving 3 sub-goals:
- Proof of sub-goal 1:
{self→self′}!AbTransferLost(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
self.SufficientFundsProperty(details)
{self→self′}!AbTransferLost(details)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val))) .& (forall $x::$attributeNames(AbWorld) • different(self′.$x; self′.AbAuthPurse) ==> self.$x=self′.$x)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val))) .& (forall $x::$attributeNames(map of (NAME → AbPurse)) • different(self′.AbAuthPurse.$x; AbAuthPurse) ==> self.AbAuthPurse.$x=self′.AbAuthPurse.$x)
self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val))
self.SufficientFundsProperty(details)
- Expansion detail:
self.SufficientFundsProperty(details)
details.val ≤ self.AbAuthPurse[details.frm].balance
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
-1 < (-details.val + self.AbAuthPurse[details.frm].balance)
0 ≤ details.val
-1 < details.val
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self′.AbAuthPurse.ranb yield x.balance)))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).ranb yield x.balance)))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (((self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - self.AbAuthPurse[details.frm].balance))
0 < (-self.AbAuthPurse[details.frm].balance + (self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).balance)
0 < (-self.AbAuthPurse[details.frm].balance + temp_g_2.balance)
0 < (-self.AbAuthPurse[details.frm].balance + (-details.val + self.AbAuthPurse[details.frm].balance))
0 < -details.val
- Proof of rule precondition:
-2 < (-1 + 0)
true
false
- Proof of sub-goal 2:
{self→self′}!AbTransferOkay(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
~(details.frm = details.to)
{self→self′}!AbTransferOkay(details)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val))) .& (forall $x::$attributeNames(AbWorld) • different(self′.$x; self′.AbAuthPurse) ==> self.$x=self′.$x)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val))) .& (forall $x::$attributeNames(map of (NAME → AbPurse)) • different(self′.AbAuthPurse.$x; AbAuthPurse) ==> self.AbAuthPurse.$x=self′.AbAuthPurse.$x)
self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self′.AbAuthPurse.ranb yield x.balance)))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).ranb yield x.balance)))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (((self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (((self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - self.AbAuthPurse[details.frm].balance)) - self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val))[details.to].balance))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + ((-self.AbAuthPurse[details.frm].balance + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - ([details.frm ≈ details.to]: self.AbAuthPurse[details.frm]
after {it→it′}!remove(details.val), []: self.AbAuthPurse[details.to]).balance))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + ((-self.AbAuthPurse[details.frm].balance + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - ([details.frm ≈ details.to]: self.AbAuthPurse[details.frm]
after {it→it′}!remove(details.val), [~(details.frm ≈ details.to)]: self.AbAuthPurse[details.to]).balance))
0 < (-(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + ((-self.AbAuthPurse[details.frm].balance + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - ([false]: self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val), [~false]: self.AbAuthPurse[details.to]).balance))
0 < (-self.AbAuthPurse[details.frm].balance + -self.AbAuthPurse[details.to].balance + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance)
0 < (-self.AbAuthPurse[details.frm].balance + -self.AbAuthPurse[details.to].balance + temp_l_1_2.balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance)
0 < (-self.AbAuthPurse[details.frm].balance + -self.AbAuthPurse[details.to].balance + temp_l_1_2.balance + temp_l_1_3.balance)
0 < (-self.AbAuthPurse[details.frm].balance + -self.AbAuthPurse[details.to].balance + (self.AbAuthPurse[details.to].balance + details.val) + temp_l_1_3.balance)
0 < (-self.AbAuthPurse[details.frm].balance + temp_l_1_3.balance + details.val)
(0 = (-temp_l_1_3.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_3.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_3.$x)
- Proof of rule precondition:
-1 < (0 + 0)
true
false .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_3.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_3.$x)
false
- Proof of sub-goal 3:
{self→self′}!AbIgnore(details)
{self→self′}!AbIgnore(details)
(self′ as from AbWorld) = (self as from AbWorld)
self = self′
0 < (-self.totalAbBalance + self′.totalAbBalance)
0 < (-self.totalAbBalance + self.totalAbBalance)
false
(Rewriter time: 0.0s, Prover time: 14.7s)
Proof of verification condition: Post-assertion valid
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (94,14)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (104,57)
To prove: (self.totalAbBalance + self.totalAbLost) = (self′.totalAbBalance + self′.totalAbLost)
Given: (opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details)), forall $x::$attributeNames(AbWorld) • different(self′.$x; [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: self′, [true]: self′) ==> self.$x=self′.$x
Proof:
(self.totalAbBalance + self.totalAbLost) = (self′.totalAbBalance + self′.totalAbLost)
0 = (-self′.totalAbBalance + -self′.totalAbLost + self.totalAbBalance + self.totalAbLost)
~(0 = (-self′.totalAbBalance + -self′.totalAbLost + self.totalAbBalance + self.totalAbLost))
(opaque [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
(opaque [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferLost(details), [~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)]: {self→self′}!AbTransferOkay(details), [true]: {self→self′}!AbIgnore(details))
~(0 = (-self′.totalAbBalance + -self′.totalAbLost + self.totalAbBalance + self.totalAbLost))
- Expansion detail 1:
self′.totalAbBalance
+ over (for x::self′.AbAuthPurse.ranb yield x.balance)
- Expansion detail 2:
self′.totalAbLost
+ over (for x::self′.AbAuthPurse.ranb yield x.lost)
- Expansion detail 3:
self.totalAbBalance
+ over (for x::self.AbAuthPurse.ranb yield x.balance)
- Expansion detail 4:
self.totalAbLost
+ over (for x::self.AbAuthPurse.ranb yield x.lost)
~(0 = (-(+ over (for x::self′.AbAuthPurse.ranb yield x.balance)) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
{self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
{self.AbAuthPurse[details.frm]→temp_g_2}!lose(details.val)
((self.AbAuthPurse[details.frm].lost + (details.val as int)) = temp_g_2.lost) .& ((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_g_2.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
(0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_g_2.$x; self′.balance, self′.lost) ==> self.AbAuthPurse[details.frm].$x=temp_g_2.$x)
(0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)) .& (0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& ((forall $x::$attributeNames(int) • different(temp_g_2.lost.$x; lost) ==> self.AbAuthPurse[details.frm].lost.$x=temp_g_2.lost.$x) .& (forall $x::$attributeNames(int) • different(temp_g_2.balance.$x; balance) ==> self.AbAuthPurse[details.frm].balance.$x=temp_g_2.balance.$x))
(0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val))
0 = (-temp_g_2.balance + -details.val + self.AbAuthPurse[details.frm].balance)
0 = (-temp_g_2.lost + self.AbAuthPurse[details.frm].lost + details.val)
{self.AbAuthPurse[details.to]→temp_l_1_0}!add(details.val)
{self.AbAuthPurse[details.frm]→temp_l_1_1}!remove(details.val)
{self.AbAuthPurse[details.to]→temp_l_1_0}!add(details.val)
((self.AbAuthPurse[details.to].balance + (details.val as int)) = temp_l_1_0.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_0.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_0.$x)
(0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_0.$x; self′.balance) ==> self.AbAuthPurse[details.to].$x=temp_l_1_0.$x)
(0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)) .& ((self.AbAuthPurse[details.to].lost = temp_l_1_0.lost) .& (forall $x::$attributeNames(int) • different(temp_l_1_0.balance.$x; balance) ==> self.AbAuthPurse[details.to].balance.$x=temp_l_1_0.balance.$x))
(0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)) .& (0 = (-temp_l_1_0.lost + self.AbAuthPurse[details.to].lost))
0 = (-temp_l_1_0.balance + self.AbAuthPurse[details.to].balance + details.val)
{self.AbAuthPurse[details.frm]→temp_l_1_1}!remove(details.val)
((self.AbAuthPurse[details.frm].balance - (details.val as int)) = temp_l_1_1.balance) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_1.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_1.$x)
(0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (forall $x::$attributeNames(AbPurse) • different(temp_l_1_1.$x; self′.balance) ==> self.AbAuthPurse[details.frm].$x=temp_l_1_1.$x)
(0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& ((self.AbAuthPurse[details.frm].lost = temp_l_1_1.lost) .& (forall $x::$attributeNames(int) • different(temp_l_1_1.balance.$x; balance) ==> self.AbAuthPurse[details.frm].balance.$x=temp_l_1_1.balance.$x))
(0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (0 = (-temp_l_1_1.lost + self.AbAuthPurse[details.frm].lost))
Proof branches here giving 3 sub-goals:
- Proof of sub-goal 1:
{self→self′}!AbTransferLost(details)
{self→self′}!AbTransferLost(details)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val))) .& (forall $x::$attributeNames(AbWorld) • different(self′.$x; self′.AbAuthPurse) ==> self.$x=self′.$x)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val))) .& (forall $x::$attributeNames(map of (NAME → AbPurse)) • different(self′.AbAuthPurse.$x; AbAuthPurse) ==> self.AbAuthPurse.$x=self′.AbAuthPurse.$x)
self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val))
~(0 = (-(+ over (for x::self′.AbAuthPurse.ranb yield x.balance)) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-(+ over (for x::self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).ranb yield x.balance)) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-(((self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - self.AbAuthPurse[details.frm].balance) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance) + -(+ over (for x::self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance) + -(((self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).lost + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))) - self.AbAuthPurse[details.frm].lost) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-(self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!lose(details.val)).lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.frm].lost))
~(0 = (-temp_g_2.balance + -temp_g_2.lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.frm].lost))
~(0 = (-(-details.val + self.AbAuthPurse[details.frm].balance) + -temp_g_2.lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.frm].lost))
~(0 = (-self.AbAuthPurse[details.frm].balance + -temp_g_2.lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.frm].lost + details.val))
~(0 = (0 + -self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.frm].balance))
false
- Proof of sub-goal 2:
{self→self′}!AbTransferOkay(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
~(details.frm = details.to)
{self→self′}!AbTransferOkay(details)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val))) .& (forall $x::$attributeNames(AbWorld) • different(self′.$x; self′.AbAuthPurse) ==> self.$x=self′.$x)
(self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val))) .& (forall $x::$attributeNames(map of (NAME → AbPurse)) • different(self′.AbAuthPurse.$x; AbAuthPurse) ==> self.AbAuthPurse.$x=self′.AbAuthPurse.$x)
self′.AbAuthPurse ≈ self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val))
~(0 = (-(+ over (for x::self′.AbAuthPurse.ranb yield x.balance)) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-(+ over (for x::self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).ranb yield x.balance)) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-(((self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (((self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - self.AbAuthPurse[details.frm].balance)) - self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val))[details.to].balance) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-((-self.AbAuthPurse[details.frm].balance + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - ([details.frm ≈ details.to]: self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val), []: self.AbAuthPurse[details.to]).balance) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-((-self.AbAuthPurse[details.frm].balance + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - ([details.frm ≈ details.to]: self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val), [~(details.frm ≈ details.to)]: self.AbAuthPurse[details.to]).balance) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-((-self.AbAuthPurse[details.frm].balance + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + (+ over (for x::self.AbAuthPurse.ranb yield x.balance))) - ([false]: self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val), [~false]: self.AbAuthPurse[details.to]).balance) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance) + -(+ over (for x::self′.AbAuthPurse.ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance) + -(+ over (for x::self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).replace(details.to → self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).ranb yield x.lost)) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance) + -(((self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).lost +
(((self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))) - self.AbAuthPurse[details.frm].lost)) - self.AbAuthPurse.replace(details.frm → self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val))[details.to].lost) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance) + -((-self.AbAuthPurse[details.frm].lost + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).lost + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))) - ([details.frm ≈ details.to]: self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val), []: self.AbAuthPurse[details.to]).lost) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance) + -((-self.AbAuthPurse[details.frm].lost + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).lost + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))) - ([details.frm ≈ details.to]: self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val), [~(details.frm ≈ details.to)]: self.AbAuthPurse[details.to]).lost) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = ((-(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance) + -((-self.AbAuthPurse[details.frm].lost + (self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).lost + (self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))) - ([false]: self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val), [~false]: self.AbAuthPurse[details.to]).lost) + (+ over (for x::self.AbAuthPurse.ranb yield x.balance)) + (+ over (for x::self.AbAuthPurse.ranb yield x.lost))))
~(0 = (-(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).lost + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost + self.AbAuthPurse[details.to].lost))
~(0 = (-temp_l_1_0.balance + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).balance + -(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).lost + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost + self.AbAuthPurse[details.to].lost))
~(0 = (-temp_l_1_0.balance + -temp_l_1_1.balance + -(self.AbAuthPurse[details.to] after {it→it′}!add(details.val)).lost + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost + self.AbAuthPurse[details.to].lost))
~(0 = (-temp_l_1_0.balance + -temp_l_1_1.balance + -temp_l_1_0.lost + -(self.AbAuthPurse[details.frm] after {it→it′}!remove(details.val)).lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost + self.AbAuthPurse[details.to].lost))
~(0 = (-temp_l_1_0.balance + -temp_l_1_1.balance + -temp_l_1_0.lost + -temp_l_1_1.lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost + self.AbAuthPurse[details.to].lost))
~(0 = (0 + -temp_l_1_0.balance + -temp_l_1_1.balance + -temp_l_1_1.lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost))
~((-temp_l_1_0.balance + -temp_l_1_1.balance + -temp_l_1_1.lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost) = 0)
~(0 = (-(self.AbAuthPurse[details.to].balance + details.val) + -temp_l_1_1.balance + -temp_l_1_1.lost + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.to].balance + self.AbAuthPurse[details.frm].lost))
~(0 = (-temp_l_1_1.balance + -temp_l_1_1.lost + -details.val + self.AbAuthPurse[details.frm].balance + self.AbAuthPurse[details.frm].lost))
~(0 = (0 + -temp_l_1_1.lost + self.AbAuthPurse[details.frm].lost))
~((-temp_l_1_1.lost + self.AbAuthPurse[details.frm].lost) = 0)
(0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& (0 = (-temp_l_1_1.lost + self.AbAuthPurse[details.frm].lost))
(0 = (-temp_l_1_1.balance + -details.val + self.AbAuthPurse[details.frm].balance)) .& false
false
- Proof of sub-goal 3:
{self→self′}!AbIgnore(details)
{self→self′}!AbIgnore(details)
(self′ as from AbWorld) = (self as from AbWorld)
self = self′
~(0 = (-self′.totalAbBalance + -self′.totalAbLost + self.totalAbBalance + self.totalAbLost))
~(0 = (-self.totalAbBalance + -self.totalAbLost + self.totalAbBalance + self.totalAbLost))
false
(Rewriter time: 0.0s, Prover time: 19.5s)
Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (75,13)
To prove: self.Authentic(details.frm)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
details.frm in self.AbAuthPurse.dom
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (76,13)
To prove: self.Authentic(details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
details.to in self.AbAuthPurse.dom
self.Authentic(details.to)
details.to in self.AbAuthPurse
details.to in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (77,25)
To prove: ~(details.frm = details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
~(details.frm = details.to)
~(details.frm = details.to)
~false
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'AbTransferLost' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (96,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (78,13)
To prove: self.SufficientFundsProperty(details)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
self.SufficientFundsProperty(details)
self.SufficientFundsProperty(details)
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (95,95)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: (self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
Proof:
(self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)
((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)
((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)
(details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& ~(details.frm = details.to)
details.frm in self.AbAuthPurse.dom
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (84,13)
To prove: self.Authentic(details.frm)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
details.frm in self.AbAuthPurse.dom
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (85,13)
To prove: self.Authentic(details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
details.to in self.AbAuthPurse.dom
self.Authentic(details.to)
details.to in self.AbAuthPurse
details.to in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (86,25)
To prove: ~(details.frm = details.to)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
~(details.frm = details.to)
~(details.frm = details.to)
~false
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'AbTransferOkay' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (98,21)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (87,13)
To prove: self.SufficientFundsProperty(details)
Given: ((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
Proof:
((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
(((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)
~(details.frm = details.to) .& (details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& self.SufficientFundsProperty(details)
self.SufficientFundsProperty(details)
self.SufficientFundsProperty(details)
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (97,95)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: (self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
Proof:
(self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)
((details.frm in self.AbAuthPurse) & self.Authentic(details.to)) & ~(details.frm = details.to)
((details.frm in self.AbAuthPurse.dom) & self.Authentic(details.to)) & ~(details.frm = details.to)
((details.frm in self.AbAuthPurse.dom) & (details.to in self.AbAuthPurse)) & ~(details.frm = details.to)
(details.frm in self.AbAuthPurse.dom) .& (details.to in self.AbAuthPurse.dom) .& ~(details.frm = details.to)
details.frm in self.AbAuthPurse.dom
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: At least one guard is true
In the context of class: AbWorld, declared at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (47,1)
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (94,14)
To prove: true .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)) .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details))
Proof:
true .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details)) .| (((self.Authentic(details.frm) & self.Authentic(details.to)) & ~(details.frm = details.to)) & self.SufficientFundsProperty(details))
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (78,13)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to)
Proof:
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
Proof of verification condition: Precondition of 'SufficientFundsProperty' satisfied
Condition generated at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (87,13)
Condition defined at: C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd (65,13)
To prove: self.Authentic(details.frm)
Given: self.Authentic(details.frm), self.Authentic(details.to), ~(details.frm = details.to)
Proof:
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
self.Authentic(details.frm)
details.frm in self.AbAuthPurse
details.frm in self.AbAuthPurse.dom
true
(Rewriter time: 0.0s, Prover time: 0.0s)
End of proofs for file C:\Program Files\Escher Technologies\Perfect Developer\Examples\Mondex\AbWorld.pd