| Definitions |  x:A. B(x), P   Q, R-frame-compat(A;B), ma-frame-compat(A;B), R-base-ma(R), Prop, t  T,   x. t(x), if b t else f fi, Reffect?(x1), Rframe?(x1), Rframe-x(x1), Reffect-x(x1), Reffect-knd(x1), Rframe-L(x1), Raframe?(x1), Raframe-k(x1), Raframe-L(x1), Rrframe?(x1),  b, x dom(f), Rrframe-x(x1), Reffect-ds(x1), Rrframe-L(x1), Rsends?(x1), Rsframe?(x1), Rsframe-lnk(x1), Rsends-l(x1), Rsframe-tag(x1), 1of(t), Rsends-g(x1), Rsends-knd(x1), Rsframe-L(x1), Rbframe?(x1), Rbframe-k(x1), Rbframe-L(x1), Rsends-ds(x1), Rpre?(x1), Rpre-ds(x1), Rpre-a(x1), , x : t initially x = v, only members of L affect x :t, only L sends on (l with tg), with declarations ds:dsda:daeffect of k(v) is x := f s v, x : v, with declarations ds:dsda:dak(v) sends f s v on link l, (with ds: ds action a:T precondition a(v) is P s v), k affects only members of L, k sends only on links in L, only members of L read x, false, true, P & Q, xdom(f). v=f(x) P(x;v), 2of(t), mk-ma, , M.rframe(A.pre p for a), M.frame(k affects x), M.aframe(k affects x), M.rframe(A.effect f of k on y), M.sframe(k sends <l,tg>), M.bframe(k sends on l), M.rframe(A.sends tfL of k on l), deq-member(eq;x;L), M.state, M.da(a), f(x), z != f(x) P(a;z), f(x)?z, reduce(f;k;as), Y, State(ds), Top, SQType(T), {T}, P  Q, State(ds), (s1  s2 mod x), M.ds(x), M.dout(l,tg),  A, A B, False, S  T, P  Q, P Q, Realizer, Unit, x(s), Dec(P), DeclaredType(ds;x),  , {i..j }, i j < k,  , , left  right, @loc x initially v:T, @loc only events in L change x:T, only events in L send on lnk with tag, @loc effect knd(v:T) x := f State(ds) v , sends knd(v:T) on l:tagged(g,State(ds),v):dt, @loc precondition for a(v:T):P State(ds) v, @loc: k writes only members of L, @loc: k sends only on links in L, @loc: only members of L read x, a = b |
| Lemmas | unit wf, Id wf, Knd wf, IdLnk wf, fpf wf, decl-state wf, decl-type wf, false wf, true wf, R-Feasible wf, Rnone wf, es realizer wf, Rplus wf, Rinit wf, Rframe wf, Rsframe wf, assert wf, fpf-dom wf, product-deq wf, Kind-deq wf, id-deq wf, fpf-single wf, top wf, Reffect wf, pi2 wf, l member wf, pi1 wf, fpf-trivial-subtype-top, map wf, idlnk-deq wf, Rsends wf, Rpre wf, locl wf, Raframe wf, Rbframe wf, Rrframe wf, assert-deq-member, fpf-single-dom, Knd sq, Id sq, decidable assert, deq-member wf, fpf-cap-single1, not wf, fpf-cap wf, not functionality wrt iff, decidable equal Id, bool wf, eqtt to assert, iff transitivity, bnot wf, eqff to assert, assert of bnot, equal-top, IdLnk sq, fpf-cap-single-join, int seg wf, length wf1, rcv wf, select wf, fpf-join-cap, lnk-decl wf, fpf-cap-single, eq knd wf, assert-eq-knd, lnk-decl-cap, subtype rel self, fpf-join wf, iff wf |