| | 48 | == Ample set and the exact interpretation of $depends == |
| | 49 | |
| | 50 | Fix a state s, a process q, and a statement S. |
| | 51 | |
| | 52 | Let T(s,S,q) denote the set of transitions specified by having q execute S from s. We say this is a set because some statements S are nondeterministic, meaning they can generate multiple transitions. Note that T(s,S,q) includes all transitions specified by S, even those that are not enabled. |
| | 53 | |
| | 54 | Suppose A(s,S,q) is a set of procs which satisfies the following: |
| | 55 | |
| | 56 | In any execution departing from s, no transition dependent on a transition in T(s,S,q) can occur without a transition from a proc in A(s,S,q) occurring first. |
| | 57 | |
| | 58 | Then define AMPLE as follows: |
| | 59 | {{{ |
| | 60 | Function AMPLE(s:State, p:proc) : set of proc is |
| | 61 | let AmpleProcs = {p}; |
| | 62 | let WorkSet = {p}; |
| | 63 | // invariant: WorkSet is a subset of AmpleProcs |
| | 64 | while (WorkSet not empty) { |
| | 65 | choose q in WorkSet; |
| | 66 | WorkSet := WorkSet - {q}; |
| | 67 | forall statements S emanating from current location of q in s: |
| | 68 | foreach r in A(s,S,q): if r is not in AmpleProcs, add r to AmpleProcs and to WorkSet |
| | 69 | end forall; |
| | 70 | } |
| | 71 | return AmpleProcs; |
| | 72 | end Function AMPLE |
| | 73 | }}} |
| | 74 | |
| | 75 | Claim: for any process p, if AMPLE(s,p) contains a process with at least one enabled transition in s, then it defines an ample set, i.e., from any execution departing from s, no transition dependent |
| | 76 | on a transition from a proc in AMPLE(s,p) can occur without a transition from a proc in AMPLE(s,p) occurring first. |
| | 77 | |
| | 78 | Proof: Let AMPLE=AMPLE(s,p). |
| | 79 | Let |
| | 80 | |
| | 81 | (E) t_1, t_2, ..., t_n, t |
| | 82 | |
| | 83 | be any execution prefix starting from s for which t is dependent on a transition from a proc in AMPLE. |
| | 84 | |
| | 85 | ASSUME that none of the t_i are from procs in AMPLE. |
| | 86 | |
| | 87 | Say t is dependent on transition t0, and that t0 has statement S0 in process q0, and q0 is in AMPLE. |
| | 88 | |
| | 89 | Throughout the entire execution prefix (E), q0 remains at the location it had in state s. In particular, S0 emanates |
| | 90 | from the current location of q0 in s. |
| | 91 | |
| | 92 | Since q0 is in AMPLE, that means from the algorithm that defines AMPLE that we must |
| | 93 | have A(s,S0,q0) is a subset of AMPLE. |
| | 94 | |
| | 95 | From the contract defining A, we know that no transition dependent on a transition in T(s,S0,q0) can occur without a transition |
| | 96 | from a proc in A(s,S0,q0) occurring first. Hence for some i, t_i is from a proc in A(s,S0,q0), and therefore t_i is in AMPLE. |
| | 97 | |
| | 98 | We conclude that no transition dependent on a transition from a proc in AMPLE can occur without a transition from a proc |
| | 99 | in AMPLE occurring first. QED. |
| | 100 | |
| | 101 | |
