Who Cites R safety?
R_safety	Def safetyR(E)(tr_1,tr_2) == tr_2 tr_1
	Thm* E:EventStruct. safetyR(E) (|E| List)(|E| List)Prop
R_strong_safety	Def R_strong_safety(E)(tr_1,tr_2) == sublist(|E|;tr_2;tr_1)
event_str	Def EventStruct == E:TypeM:MessageStruct(E|M|)(ELabel)(E)Top
	Thm* EventStruct Type{i'}
trace_property	Def TraceProperty(E) == (|E| List)Prop
message_str	Def MessageStruct == M:TypeC:DecidableEquiv(M|C|)(MLabel)(M)Top
	Thm* MessageStruct Type{i'}
carrier	Def |S| == 1of(S)
	Thm* S:Structure. |S| Type
iseg	Def l1 l2 == l:T List. l2 = (l1 @ l)
	Thm* T:Type, l1,l2:T List. l1 l2 Prop
preserved_by	Def R preserves P == x,y:T. P(x) (x R y) P(y)
	Thm* T:Type, P:(TProp), R:(TTProp). R preserves P Prop
sublist	Def sublist(T;L1;L2) == f:(||L1||||L2||). increasing(f;||L1||) & (j:||L1||. L1[j] = L2[(f(j))] T)
	Thm* T:Type, L1,L2:T List. sublist(T;L1;L2) Prop
pi1	Def 1of(t) == t.1
	Thm* A:Type, B:(AType), p:(a:AB(a)). 1of(p) A
dequiv	Def DecidableEquiv == T:TypeE:TTEquivRel(T)((_1 E _2))Top
	Thm* DecidableEquiv Type{i'}
top	Def Top == Void given Void
	Thm* Top Type
lbl	Def Label == {p:Pattern| ground_ptn(p) }
	Thm* Label Type
append	Def as @ bs == Case of as; nil bs ; a.as' [a / (as' @ bs)] (recursive)
	Thm* T:Type, as,bs:T List. (as @ bs) T List
select	Def l[i] == hd(nth_tl(i;l))
	Thm* A:Type, l:A List, n:. 0n n < ||l|| l[n] A
length	Def ||as|| == Case of as; nil 0 ; a.as' ||as'||+1 (recursive)
	Thm* A:Type, l:A List. ||l||
	Thm* ||nil||
increasing	Def increasing(f;k) == i:(k-1). f(i) < f(i+1)
	Thm* k:, f:(k). increasing(f;k) Prop
int_seg	Def {i..j} == {k:| i k < j }
	Thm* m,n:. {m..n} Type
ground_ptn	Def ground_ptn(p) == Case(p) Case ptn_var(v) = > false Case ptn_pr( < x, y > ) = > ground_ptn(x)ground_ptn(y) Default = > true (recursive)
	Thm* p:Pattern. ground_ptn(p)
assert	Def b == if b True else False fi
	Thm* b:. b Prop
ptn	Def Pattern == rec(T.ptn_con(T))
	Thm* Pattern Type
nth_tl	Def nth_tl(n;as) == if n0 as else nth_tl(n-1;tl(as)) fi (recursive)
	Thm* A:Type, as:A List, i:. nth_tl(i;as) A List
case_ptn_var	Def Case ptn_var(x) = > body(x) cont(x1,z) == (x1.inr(x2) = > (x1.inr(x2) = > (x1.inl(x2) = > body(hd([x2 / tl(x1)])) cont(hd(x1),z))([x2 / tl(x1)]) cont (hd(x1) ,z)) ([x2 / tl(x1)]) cont (hd(x1) ,z)) ([x1])
hd	Def hd(l) == Case of l; nil "?" ; h.t h
	Thm* A:Type, l:A List. ||l||1 hd(l) A
	Thm* A:Type, l:A List. hd(l) A
lelt	Def i j < k == ij & j < k
case_default	Def Default = > body(value,value) == body
band	Def pq == if p q else false fi
	Thm* p,q:. (pq)
case_lbl_pair	Def Case ptn_pr( < x, y > ) = > body(x;y) cont(x1,z) == InjCase(x1; _. cont(z,z); x2. InjCase(x2; _. cont(z,z); x2@0. InjCase(x2@0; _. cont(z,z); x2@1. x2@1/x3,x2@2. body(x3;x2@2))))
case	Def Case(value) body == body(value,value)
ptn_con	Def ptn_con(T) == Atom++Atom+(TT)
	Thm* T:Type. ptn_con(T) Type
equiv_rel	Def EquivRel x,y:T. E(x;y) == Refl(T;x,y.E(x;y)) & Sym x,y:T. E(x;y) & Trans x,y:T. E(x;y)
	Thm* T:Type, E:(TTProp). (EquivRel x,y:T. E(x,y)) Prop
tl	Def tl(l) == Case of l; nil nil ; h.t t
	Thm* A:Type, l:A List. tl(l) A List
le_int	Def ij == j < i
	Thm* i,j:. (ij)
le	Def AB == B < A
	Thm* i,j:. (ij) Prop
case_inl	Def inl(x) = > body(x) cont(value,contvalue) == InjCase(value; x. body(x); _. cont(contvalue,contvalue))
case_inr	Def inr(x) = > body(x) cont(value,contvalue) == InjCase(value; _. cont(contvalue,contvalue); x. body(x))
trans	Def Trans x,y:T. E(x;y) == a,b,c:T. E(a;b) E(b;c) E(a;c)
	Thm* T:Type, E:(TTProp). Trans x,y:T. E(x,y) Prop
sym	Def Sym x,y:T. E(x;y) == a,b:T. E(a;b) E(b;a)
	Thm* T:Type, E:(TTProp). Sym x,y:T. E(x,y) Prop
refl	Def Refl(T;x,y.E(x;y)) == a:T. E(a;a)
	Thm* T:Type, E:(TTProp). Refl(T;x,y.E(x,y)) Prop
lt_int	Def i < j == if i < j true ; false fi
	Thm* i,j:. (i < j)
bnot	Def b == if b false else true fi
	Thm* b:. b
not	Def A == A False
	Thm* A:Prop. (A) Prop

About: