Thm*  A:ioa{i:l}(), I:Fmla, rho:Decl, de:sig(), e:{[[de]] rho}, te:(Label  Label ). tc_ioa(A;de)    ioa_mentions_trace(A) trace_consistent_pred(rho;A.da;te;I) guarded_trace(A.da;te;I) tc_pred(I;A.ds; < > ;de) covers_pred(A;I) closed_pred(I) single_valued_decls(A.ds) let M = [[A]] rho de e in (s:M.state, tr:( [[A.da]] rho) List. (M -tr- > s) [[VCs(A;I)]] rho A.ds A.da de e s mk_trace_env(tr, te)) (M |= always s,tr.[[I]] rho A.ds < > de e s  mk_trace_env(tr, te)) | [vc_trace_correctness] |
Thm* A:ioa{i:l}(), I:Fmla, rho:Decl, de:sig(), e:{[[de]] rho}, te:(LabelLabel). tc_ioa(A;de) ioa_mentions_trace(A) trace_consistent_pred(rho;A.da;te;I) tc_pred(I;A.ds; < > ;de) covers_pred(A;I) guarded_trace(A.da;te;I) closed_pred(I) single_valued_decls(A.ds) (s0,x:[[A]] rho de e.state, act:[[A]] rho de e.action, x':[[A]] rho de e.state, tr:([[A.da]] rho) List. [[A]] rho de e.init(s0) trace_reachable([[A]] rho de e;s0;mk_trace_env(tr, te).trace;x) [[I]] rho A.ds < > de e x mk_trace_env(tr, te) [[A]] rho de e.trans(x,act,x') (( t:dec(). t  A.da & t.lbl = kind(act)) [[I]] rho A.ds < > de e x' tappend(mk_trace_env(tr, te);act)) [[I]] rho A.ds < > de e x' tappend(mk_trace_env(tr, te);act)) | [vc_trace_correct_action_decl_lemma] |
| Thm* A:ioa{i:l}(), I:Fmla, de:sig(). tc_ioa(A;de) tc_pred(I;A.ds; < > ;de) covers_pred(A;I) closed_pred(I) single_valued_decls(A.ds) tc_vcs{i}(VCs(A;I);A.ds;A.da;de) | [tc_ioa_inv_vc] |
Thm* A:ioa{i:l}(), r:rel(), rho:Decl, de:sig(), e:{[[de]] rho}, a:([[A.da]] rho), tr:trace_env([[A.da]] rho). tc_ioa(A;de) ioa_mentions_trace(A) trace_consistent_rel(rho;A.da;tr.proj;r) single_valued_decls(A.ds) (s,x':[[A]] rho de e.state. tc(r;A.ds; < > ;de) closed_rel(r) covers_rel(A;r) [[A]] rho de e.trans(s,a,x') ([[r]] rho A.ds < > de e x' tr  [[wp_rel(A;kind(a);r)]] rho A.ds dec_lookup(A.da;kind(a)) de e s value(a) tr)) | [wp_rel_correctness] |
| Thm* A:ioa{i:l}(), de:sig(). tc_ioa(A;de) ioa_mentions_trace(A) (Q:Fmla, rho:Decl, e:{[[de]] rho}, a:[[A]] rho de e.action, tr:trace_env([[A.da]] rho). tc_ioa(A;de) ioa_mentions_trace(A) trace_consistent_pred(rho;A.da;tr.proj;Q) single_valued_decls(A.ds) (s,x':[[A]] rho de e.state. tc_pred(Q;A.ds; < > ;de) closed_pred(Q) covers_pred(A;Q) [[A]] rho de e.trans(s,a,x') ([[Q]] rho A.ds < > de e x' tr [[wp(A;kind(a);Q)]] rho A.ds dec_lookup(A.da;kind(a)) de e s value(a) tr))) | [wp_correctness] |
| Thm* A:ioa{i:l}(), de:sig(). tc_ioa(A;de) ioa_mentions_trace(A) (Q:Fmla, rho:Decl, e:{[[de]] rho}, a:[[A]] rho de e.action, tr:trace_env([[A.da]] rho). trace_consistent_pred(rho;A.da;tr.proj;Q) single_valued_decls(A.ds) (s,x':[[A]] rho de e.state. tc_pred(Q;A.ds; < > ;de) closed_pred(Q) covers_pred(A;Q) [[A]] rho de e.trans(s,a,x') (pred_mng_2(Q; rho; A.ds; < > ; de; e; s; x'; ; tr) [[wp2(A;kind(a);Q)]] rho A.ds dec_lookup(A.da;kind(a)) de e s value(a) tr))) | [wp2_correctness] |
| Thm* A:ioa{i:l}(), r:rel(), rho:Decl, de:sig(), e:{[[de]] rho}, a:([[A.da]] rho), tr:trace_env([[A.da]] rho). tc_ioa(A;de) ioa_mentions_trace(A) trace_consistent_rel(rho;A.da;tr.proj;r) single_valued_decls(A.ds) (s,x':[[A]] rho de e.state. tc(r;A.ds; < > ;de) closed_rel(r) covers_rel(A;r) [[A]] rho de e.trans(s,a,x') (rel_mng_2(r; rho; A.ds; < > ; de; e; s; x'; ; tr) [[wp2_rel(A;kind(a);r)]] rho A.ds dec_lookup(A.da;kind(a)) de e s value(a) tr)) | [wp2_rel_correctness] |
| Thm* A:ioa{i:l}(), Q:Fmla, de:sig(), a:Label. tc_ioa(A;de) single_valued_decls(A.ds) tc_pred(Q;A.ds;dec_lookup(A.da;a);de) tc_pred(wp(A;a;Q);A.ds;dec_lookup(A.da;a);de) | [tc_wp] |
| Thm* A:ioa{i:l}(), r:rel(), rho:Decl, de:sig(), e:{[[de]] rho}, a:([[A.da]] rho), tr:trace_env([[A.da]] rho). tc_ioa(A;de) ioa_mentions_trace(A) trace_consistent_rel(rho;A.da;tr.proj;r) single_valued_decls(A.ds) (s,x':[[A]] rho de e.state. tc(r;A.ds;dec_lookup(A.da;kind(a));de) covers_rel(A;r) [[A]] rho de e.trans(s,a,x') (rel_mng_2(r; rho; A.ds; dec_lookup(A.da;kind(a)); de; e; s; x'; value(a); tr) [[wp2_rel(A;kind(a);r)]] rho A.ds dec_lookup(A.da;kind(a)) de e s value(a) tr)) | [wp2_rel_correct] |
| Thm* A:ioa{i:l}(), Q:Fmla, de:sig(), a:Label. tc_ioa(A;de) tc_pred(Q;A.ds;dec_lookup(A.da;a);de) single_valued_decls(A.ds) tc_pred(wp2(A;a;Q);A.ds;dec_lookup(A.da;a);de) | [tc_wp2] |
Thm* as:(Label Term) List, A:ioa{i:l}(), de:sig(), x:Label, t:SimpleType, k:Label. single_valued_decls(A.ds) tc_ioa(A;de) (i: . i < ||as|| 2of(as[i]) smts_eff(action_effect(k;A.eff;A.frame);1of(as[i]))) mk_dec(x, t) A.ds t term_types(A.ds;dec_lookup(A.da;k);de;apply_alist(as;x;x)) | [tc_ioa_lemma] |
| Thm* A:(Iioa{i:l}()), rho:Decl, de:sig(), e:{[[de]] rho}, s:{[[ioa_all(I; i.A(i)).ds]] rho}, i:I. s [[A(i)]] rho de e.state | [ioa_all_mng_state] |
| Def tc_ioa(A;de) == tc_pred(A.init;A.ds; < > ;de) & (p:pre(). p A.pre tc(p.rel;A.ds;dec_lookup(A.da;p.kind);de)) & (ef:eff(). ef A.eff mk_dec(ef.kind, ef.typ) A.da & tc_eff(ef;A.ds;de)) & (f:frame(). f A.frame mk_dec(f.var, f.typ) A.ds) | [tc_ioa] |
Def [[A]] rho de e == mk_sm([[A.da]] rho, [[A.ds]] rho,  s.[[A.init]] rho A.ds < > de e s niltrace(), s1,a,s2. (p:pre(). p A.pre p.kind = kind(a) [[p.rel]] rho A.ds dec_lookup(A.da;kind(a)) de e s1 value(a) niltrace()) & (ef:eff(). ef A.eff ef.kind = kind(a) s2.ef.smt.lbl = [[ef.smt.term]] 1of(e) s1 value(a) niltrace() [[ef.smt.typ]] rho) & (fr:frame(). fr A.frame (kind(a) fr.acts) s2.fr.var = s1.fr.var [[fr.typ]] rho)) | [ioa_mng] |