|
|
|---|
|
|
|
|---|
Initial system state.
(system-init correct-vals faulty-vals) → systate
The initial state of the sytem depends on the addresses of the correct validators and the addresses of the faulty validators; in fact, it is completely determined by them.
The initial map associates
the initial validator state to each correct validator address,
and
Function:
(defun system-init-loop1 (correct-vals) (declare (xargs :guard (address-setp correct-vals))) (let ((__function__ 'system-init-loop1)) (declare (ignorable __function__)) (cond ((emptyp correct-vals) nil) (t (omap::update (head correct-vals) (validator-init) (system-init-loop1 (tail correct-vals)))))))
Theorem:
(defthm validators-statep-of-system-init-loop1 (implies (address-setp correct-vals) (b* ((map (system-init-loop1 correct-vals))) (validators-statep map))) :rule-classes :rewrite)
Function:
(defun system-init-loop2 (faulty-vals) (declare (xargs :guard (address-setp faulty-vals))) (let ((__function__ 'system-init-loop2)) (declare (ignorable __function__)) (cond ((emptyp faulty-vals) nil) (t (omap::update (head faulty-vals) nil (system-init-loop2 (tail faulty-vals)))))))
Theorem:
(defthm validators-statep-of-system-init-loop2 (implies (address-setp faulty-vals) (b* ((map (system-init-loop2 faulty-vals))) (validators-statep map))) :rule-classes :rewrite)
Function:
(defun system-init (correct-vals faulty-vals) (declare (xargs :guard (and (address-setp correct-vals) (address-setp faulty-vals)))) (declare (xargs :guard (emptyp (intersect correct-vals faulty-vals)))) (let ((__function__ 'system-init)) (declare (ignorable __function__)) (b* ((correct-map (system-init-loop1 correct-vals)) (faulty-map (system-init-loop2 faulty-vals)) (vstates (omap::update* correct-map faulty-map))) (make-system-state :validators vstates :network nil))))
Theorem:
(defthm system-statep-of-system-init (b* ((systate (system-init correct-vals faulty-vals))) (system-statep systate)) :rule-classes :rewrite)