| Definitions | s = t, t  T, x:A  B(x),  x:A. B(x), ES, EState(T), a:A fp B(a), f(a), Id,  , strong-subtype(A;B), P   Q, Type, EqDecider(T), Unit, left + right, IdLnk, x:A  B(x), EOrderAxioms(E; pred?; info), kindcase(k; a.f(a); l,t.g(l;t) ), Knd, loc(e), kind(e), Msg(M), type List,  , val-axiom(E;V;M;info;pred?;init;Trans;Choose;Send;val;time), r  s, e < e',  ,  b, constant_function(f;A;B), SWellFounded(R(x;y)),  , pred!(e;e'),   x,y. t(x;y), Void,  x:A.B(x), Top, S  T, suptype(S; T), first(e),  A, <a, b>, pred(e), x.A(x), x. t(x), P & Q, chain_sys(Cmd), E, AbsInterface(A), chain_config(), e  X, P  Q, {x:A| B(x)} , E(X), case b of inl(x) => s(x) | inr(y) => t(y), if b then t else f fi , X(e), csupdate?(x), tt, inr x , "$token", ff, inl x , Atom, False, True, (e < e'), let x = a in b(x), valid-sys(es;Config;Sys;e), (e <loc e'), a < b, chain_sys_ind(x;cmd.input(cmd);from,cmds.update(from;cmds)), let x,y = A in B(x;y), t.1, cmd-history(e), nth_tl(n;as), csupdate-cmds(x), ||as||, ccsucc-num(x), loc(e), ccsucc-id(x), ccsucc?(x), sys-cmds(x),  x:A. B(x), A c B, ccpred?(x), e<e'. P(e), ccpred-id(x), e<e'.P(e), cctail?(x), cchead?(x), Atom$n,  , A B, #$n, Outcome, |g|, update-antecedent{i:l}(es;Cmd;Sys;Config;u) |
| Lemmas | sys-cmds wf, ccsucc-id wf, length wf1, cmd-history wf, nth tl wf, let wf, ccsucc-num wf, csupdate-cmds wf, le wf, es-causl wf, cchead? wf, cctail? wf, existse-before wf, ccpred-id wf, pi1 wf, alle-lt wf, es-locl wf, ccpred? wf, es-loc wf, valid-sys wf, ccsucc? wf, es-interface-val wf, csupdate? wf, es-interface-val wf2, true wf, false wf, es-E-interface wf, bfalse wf, btrue wf, es-is-interface wf, chain config wf, es-interface wf, es-E wf, chain sys wf, deq wf, EOrderAxioms wf, kind wf, Msg wf, nat wf, val-axiom wf, cless wf, qle wf, bool wf, Knd wf, kindcase wf, IdLnk wf, constant function wf, loc wf, not wf, assert wf, first wf, top wf, unit wf, pred! wf, strongwellfounded wf, member wf, rationals wf, Id wf, EState wf, subtype rel wf, event system wf |
u:({e:E(Sys)|