State Machine: Dependently Typed Behavioral Model #
Defines Transition (with invariant preservation embedded as a type-level proof),
StateMachine, the inductive proposition Reachable, and the safety theorem
Reachable.inv_holds.
Key Design Decision #
Embedding invariant preservation in Transition.preserves makes transitions that
violate the invariant unconstructible (type error).
Transition: transition defined over control state S and data type D.
The preserves field guarantees invariant preservation at the type level.
- source : S
Source control state
- target : S
Target control state
- guard : D → Prop
Guard condition
- effect : D → D
Effect (data transformation)
Type-level contract for invariant preservation
Instances For
StateMachine: state machine consisting of an initial state and a list of transitions.
- initialState : S
Initial control state
- transitions : List (Transition S D inv)
List of transitions
Instances For
Well-formedness of StateMachine: data satisfying the invariant exists in the initial state.
Equations
- sm.WellFormed = ∃ (d₀ : D), inv sm.initialState d₀
Instances For
Reachable: inductive proposition for reachable (control state, data value) pairs. Tracking both enables induction for inv_holds.
- init
{S D : Type}
{inv : S → D → Prop}
{sm : StateMachine S D inv}
(d₀ : D)
: inv sm.initialState d₀ → Reachable sm sm.initialState d₀
The initial state is reachable
- step
{S D : Type}
{inv : S → D → Prop}
{sm : StateMachine S D inv}
{s : S}
{d : D}
(t : Transition S D inv)
: Reachable sm s d → t ∈ sm.transitions → t.source = s → t.guard d → Reachable sm t.target (t.effect d)
The next state is reachable via a transition
Instances For
Safety theorem: all reachable pairs satisfy the invariant. Directly provable by induction since Transition.preserves is embedded in the type.
The initial state of a WellFormed state machine has data satisfying the invariant.