New state resulting from a sequence of events.
(events-next events systate) → new-systate
The sequence of events must be possible, as expressed by events-possiblep in the guard. If the sequence is empty, we return the input state. Otherwise, we execute the events from left to right.
Function:
(defun events-next (events systate) (declare (xargs :guard (and (event-listp events) (system-statep systate)))) (declare (xargs :guard (events-possiblep events systate))) (let ((__function__ 'events-next)) (declare (ignorable __function__)) (b* (((when (endp events)) (system-state-fix systate)) (systate (event-next (car events) systate))) (events-next (cdr events) systate))))
Theorem:
(defthm system-statep-of-events-next (b* ((new-systate (events-next events systate))) (system-statep new-systate)) :rule-classes :rewrite)
Theorem:
(defthm correct-addresses-of-events-next (implies (events-possiblep events systate) (b* ((?new-systate (events-next events systate))) (equal (correct-addresses new-systate) (correct-addresses systate)))))