| | Who Cites P causal? |
|
| P_causal |
Def Causal(E)(tr)
==  i: ||tr||.  j:||tr||. j i &  (is-send(E)(tr[j])) & (tr[j] =msg=(E) tr[i]) |
| | | Thm* E:EventStruct. Causal(E)  (|E| List)  Prop |
|
| P_no_dup |
Def No-dup-deliver(E)(tr)
== i,j:||tr||.
 (is-send(E)(tr[i]))  
(is-send(E)(tr[j])) (tr[j] =msg=(E) tr[i]) loc(E)(tr[i]) = loc(E)(tr[j]) i = j |
| | | Thm* E:EventStruct. No-dup-deliver(E) (|E| List)Prop |
|
| R_ad |
Def adR(E) == (delayableR(E)  asyncR(E))^* |
| | | Thm* E:EventStruct. adR(E) (|E| List)(|E| List)Prop |
|
| R_async |
Def asyncR(E)
== swap adjacent[loc(E)(x) = loc(E)(y)
& (is-send(E)(x)) & (is-send(E)(y)) (is-send(E)(x)) & (is-send(E)(y))] |
| | | Thm* E:EventStruct. asyncR(E) (|E| List)(|E| List)Prop |
|
| R_delayable |
Def delayableR(E)
== swap adjacent[(x =msg=(E) y)
& (is-send(E)(x)) & (is-send(E)(y)) (is-send(E)(x)) & (is-send(E)(y))] |
| | | Thm* E:EventStruct. delayableR(E) (|E| List)(|E| List)Prop |
|
| memoryless_composable_safety |
Def MCS(E)(P)
== memorylessR(E) preserves P & (ternary) composableR(E) preserves P & safetyR(E) preserves P |
| | | Thm* E:EventStruct. MCS(E) TraceProperty(E)Prop |
|
| tagged_event_str |
Def TaggedEventStruct
== E:Type M:MessageStruct(E|M|)(ELabel)(E )(ELabel)Top |
| | | Thm* TaggedEventStruct Type{i'} |
|
| tr_refines |
Def P refines Q == tr:|E| List. P(tr) Q(tr) |
| | | Thm* E:Structure, P,Q:((|E| List)Prop). (P refines Q) Prop |
|
| R_safety |
Def safetyR(E)(tr_1,tr_2) == tr_2 tr_1 |
| | | Thm* E:EventStruct. safetyR(E) (|E| List)(|E| List)Prop |
|
| R_composable |
Def composableR(E)(L_1,L_2,L)
== (xL_1.(yL_2.(x =msg=(E) y))) & L = (L_1 @ L_2) |E| List |
| | | Thm* E:EventStruct. composableR(E) (|E| List)(|E| List)(|E| List)Prop |
|
| R_memoryless |
Def memorylessR(E)(L_1,L_2)
== a:|E|. L_2 = filter( b. (b =msg=(E) a);L_1) |E| List |
| | | Thm* E:EventStruct. memorylessR(E) (|E| List)(|E| List)Prop |
|
| message_str |
Def MessageStruct == M:TypeC:DecidableEquiv(M|C|)(MLabel)(M )Top |
| | | Thm* MessageStruct Type{i'} |
|
| carrier |
Def |S| == 1of(S) |
| | | Thm* S:Structure. |S| Type |
|
| preserved_by |
Def R preserves P == x,y:T. P(x) (x R y) P(y) |
| | | Thm* T:Type, P:(TProp), R:(TTProp). R preserves P Prop |
|
| prop_and |
Def (P  Q)(L) == P(L) & Q(L) |
| | | Thm* T:Type, P,Q:(TProp). (P Q) TProp |
|
| swap_adjacent |
Def swap adjacent[P(x;y)](L1,L2)
== i:(||L1||-1). P(L1[i];L1[(i+1)]) & L2 = swap(L1;i;i+1) A List |
| | | Thm* A:Type, P:(AAProp). swap adjacent[P(x,y)] (A List)(A List)Prop |
|
| swap |
Def swap(L;i;j) == (L o (i, j)) |
| | | Thm* T:Type, L:T List, i,j:||L||. swap(L;i;j) T List |
|
| l_all |
Def (xL.P(x)) == x:T. (x L) P(x) |
| | | Thm* T:Type, L:T List, P:(TProp). (xL.P(x)) Prop |
|
| permute_list |
Def (L o f) == mklist(||L||;i.L[(f(i))]) |
| | | Thm* T:Type, L:T List, f:(||L||||L||). (L o f) T List |
|
| l_member |
Def (x l) == i:. i < ||l|| & x = l[i] T |
| | | Thm* T:Type, x:T, l:T List. (x l) Prop |
|
| select |
Def l[i] == hd(nth_tl(i;l)) |
| | |
Thm* A:Type, l:A List, n:. 0n n < ||l|| l[n] A |
|
| event_msg_eq |
Def =msg=(E)(e_1,e_2) == (msg(E)(e_1)) =(MS(E)) (msg(E)(e_2)) |
| | | Thm* E:EventStruct. =msg=(E) |E||E| |
|
| lbl |
Def Label == {p:Pattern| ground_ptn(p) } |
| | | Thm* Label Type |
|
| dequiv |
Def DecidableEquiv == T:TypeE:TTEquivRel(T)((_1 E _2))Top |
| | | Thm* DecidableEquiv Type{i'} |
|
| assert |
Def b == if b True else False fi |
| | | Thm* b:. b Prop |
|
| event_is_snd |
Def is-send(E) == 1of(2of(2of(2of(2of(E))))) |
| | |
Thm* E:EventStruct. is-send(E) |E| |
|
| int_seg |
Def {i..j } == {k:| i k < j } |
| | | Thm* m,n:. {m..n} Type |
|
| rel_star |
Def (R^*)(x,y) == n:. x R^n y |
| | | Thm* T:Type, R:(TTProp). (R^*) TTProp |
|
| lelt |
Def i j < k == ij & j < k |
|
| nat |
Def == {i:| 0i } |
| | | Thm* Type |
|
| le |
Def AB == B < A |
| | | Thm* i,j:. (ij) Prop |
|
| length |
Def ||as|| == Case of as; nil 0 ; a.as' ||as'||+1 (recursive) |
| | |
Thm* A:Type, l:A List. ||l|| |
| | |
Thm* ||nil|| |
|
| event_loc |
Def loc(E) == 1of(2of(2of(2of(E)))) |
| | |
Thm* E:EventStruct. loc(E) |E|Label |
|
| not |
Def A == A False |
| | | Thm* A:Prop. (A) Prop |
|
| rel_or |
Def (R1 R2)(x,y) == (x R1 y) (x R2 y) |
| | | Thm* T:Type, R1,R2:(TTProp). (R1 R2) TTProp |
|
| event_msg |
Def msg(E) == 1of(2of(2of(E))) |
| | |
Thm* E:EventStruct. msg(E) |E||MS(E)| |
|
| event_msg_str |
Def MS(E) == 1of(2of(E)) |
| | | Thm* E:EventStruct. MS(E) MessageStruct |
|
| msg_eq |
Def =(M)(m_1,m_2)
== ((content(M)(m_1)) =(cEQ(M)) (content(M)(m_2)))sender(M)(m_1) = sender(M)(m_2)
(uid(M)(m_1)=uid(M)(m_2)) |
| | | Thm* M:MessageStruct. =(M) |M||M| |
|
| msg_id |
Def uid(MS) == 1of(2of(2of(2of(2of(MS))))) |
| | |
Thm* M:MessageStruct. uid(M) |M| |
|
| msg_sender |
Def sender(MS) == 1of(2of(2of(2of(MS)))) |
| | |
Thm* M:MessageStruct. sender(M) |M|Label |
|
| msg_content |
Def content(MS) == 1of(2of(2of(MS))) |
| | |
Thm* M:MessageStruct. content(M) |M||cEQ(M)| |
|
| msg_content_eq |
Def cEQ(MS) == 1of(2of(MS)) |
| | | Thm* M:MessageStruct. cEQ(M) DecidableEquiv |
|
| eq_dequiv |
Def =(DE) == 1of(2of(DE)) |
| | | Thm* E:DecidableEquiv. =(E) |E||E| |
|
| pi1 |
Def 1of(t) == t.1 |
| | | Thm* A:Type, B:(AType), p:(a:AB(a)). 1of(p) A |
|
| preserved_by2 |
Def (ternary) R preserves P == x,y,z:T. P(x) P(y) R(x,y,z) P(z) |
| | | Thm* T:Type, P:(TProp), R:(TTTProp). (ternary) R preserves P Prop |
|
| top |
Def Top == Void given Void |
| | |
Thm* Top Type |
|
| nth_tl |
Def nth_tl(n;as) == if n0 as else nth_tl(n-1;tl(as)) fi (recursive) |
| | |
Thm* A:Type, as:A List, i:. nth_tl(i;as) A List |
|
| ground_ptn |
Def ground_ptn(p)
== Case(p)
Case ptn_var(v) = >
false
Case ptn_pr( < x, y > ) = >
ground_ptn(x)ground_ptn(y)
Default = > true
(recursive) |
| | |
Thm* p:Pattern. ground_ptn(p) |
|
| eq_lbl |
Def l1 = l2
== Case(l1)
Case ptn_atom(x) = >
Case(l2)
Case ptn_atom(y) = >
x=yAtom
Default = > false
Case ptn_int(x) = >
Case(l2)
Case ptn_int(y) = >
x=y
Default = > false
Case ptn_var(x) = >
Case(l2)
Case ptn_var(y) = >
x=yAtom
Default = > false
Case ptn_pr( < x, y > ) = >
Case(l2)
Case ptn_pr( < u, v > ) = >
x = uy = v
Default = > false
Default = > false
(recursive) |
| | |
Thm* l1,l2:Pattern. l1 = l2 |
|
| case_ptn_var |
Def Case ptn_var(x) = > body(x) cont(x1,z)
== (x1.inr(x2) = >
(x1.inr(x2) = >
(x1.inl(x2) = > body(hd([x2 / tl(x1)])) cont(hd(x1),z))([x2 / tl(x1)])
cont
(hd(x1)
,z))
([x2 / tl(x1)])
cont
(hd(x1)
,z))
([x1]) |
|
| case_ptn_int |
Def Case ptn_int(x) = > body(x) cont(x1,z)
== (x1.inr(x2) = >
(x1.inl(x2) = > body(hd([x2 / tl(x1)])) cont(hd(x1),z))([x2 / tl(x1)])
cont
(hd(x1)
,z))
([x1]) |
|
| hd |
Def hd(l) == Case of l; nil "?" ; h.t h |
| | |
Thm* A:Type, l:A List. ||l|| 1 hd(l) A |
| | |
Thm* A:Type, l:A List . hd(l) A |
|
| pi2 |
Def 2of(t) == t.2 |
| | |
Thm* A:Type, B:(AType), p:(a:AB(a)). 2of(p) B(1of(p)) |
|
| ptn |
Def Pattern == rec(T.ptn_con(T)) |
| | |
Thm* Pattern Type |
|
| rel_exp |
Def R^n == if n=0 x,y. x = y T else x,y. z:T. (x R z) & (z R^n-1 y) fi
(recursive) |
| | |
Thm* n:, T:Type, R:(TTProp). R^n TTProp |
|
| iseg |
Def l1 l2 == l:T List. l2 = (l1 @ l) |
| | | Thm* T:Type, l1,l2:T List. l1 l2 Prop |
|
| mklist |
Def mklist(n;f) == primrec(n;nil;i,l. l @ [(f(i))]) |
| | | Thm* T:Type, n:, f:(nT). mklist(n;f) T List |
|
| append |
Def as @ bs == Case of as; nil bs ; a.as' [a / (as' @ bs)] (recursive) |
| | |
Thm* T:Type, as,bs:T List. (as @ bs) T List |
|
| le_int |
Def ij == j < i |
| | | Thm* i,j:. (ij) |
|
| bnot |
Def b == if b false else true fi |
| | | Thm* b:. b |
|
| filter |
Def filter(P;l) == reduce(a,v. if P(a) [a / v] else v fi;nil;l) |
| | | Thm* T:Type, P:(T), l:T List. filter(P;l) T List |
|
| tl |
Def tl(l) == Case of l; nil nil ; h.t t |
| | |
Thm* A:Type, l:A List. tl(l) A List |
|
| flip |
Def (i, j)(x) == if x=ij ;x=ji else x fi |
| | | Thm* k:, i,j:k. (i, j) kk |
|
| primrec |
Def primrec(n;b;c) == if n=0 b else c(n-1,primrec(n-1;b;c)) fi (recursive) |
| | |
Thm* T:Type, n:, b:T, c:(nTT). primrec(n;b;c) T |
|
| eq_int |
Def i=j == if i=j true ; false fi |
| | | Thm* i,j:. (i=j) |
|
| band |
Def pq == if p q else false fi |
| | | Thm* p,q:. (pq) |
|
| case_default |
Def Default = > body(value,value) == body |
|
| case_lbl_pair |
Def Case ptn_pr( < x, y > ) = > body(x;y) cont(x1,z)
== InjCase(x1; _. cont(z,z); x2.
InjCase(x2; _. cont(z,z); x2@0. InjCase(x2@0; _. cont(z,z); x2@1. x2@1/x3,x2@2. body(x3;x2@2)))) |
|
| case |
Def Case(value) body == body(value,value) |
|
| ptn_con |
Def ptn_con(T) == Atom++Atom+(TT) |
| | | Thm* T:Type. ptn_con(T) Type |
|
| reduce |
Def reduce(f;k;as) == Case of as; nil k ; a.as' f(a,reduce(f;k;as')) (recursive) |
| | |
Thm* A,B:Type, f:(ABB), k:B, as:A List. reduce(f;k;as) B |
|
| equiv_rel |
Def EquivRel x,y:T. E(x;y)
== Refl(T;x,y.E(x;y)) & Sym x,y:T. E(x;y) & Trans x,y:T. E(x;y) |
| | | Thm* T:Type, E:(TTProp). (EquivRel x,y:T. E(x,y)) Prop |
|
| lt_int |
Def i < j == if i < j true ; false fi |
| | | Thm* i,j:. (i < j) |
|
| eq_atom |
Def x=yAtom == if x=yAtomtrue; false fi |
| | | Thm* x,y:Atom. x=yAtom |
|
| case_ptn_atom |
Def Case ptn_atom(x) = > body(x) cont(x1,z)
== InjCase(x1; x2. body(x2); _. cont(z,z)) |
|
| case_inl |
Def inl(x) = > body(x) cont(value,contvalue)
== InjCase(value; x. body(x); _. cont(contvalue,contvalue)) |
|
| case_inr |
Def inr(x) = > body(x) cont(value,contvalue)
== InjCase(value; _. cont(contvalue,contvalue); x. body(x)) |
|
| trans |
Def Trans x,y:T. E(x;y) == a,b,c:T. E(a;b) E(b;c) E(a;c) |
| | | Thm* T:Type, E:(TTProp). Trans x,y:T. E(x,y) Prop |
|
| sym |
Def Sym x,y:T. E(x;y) == a,b:T. E(a;b) E(b;a) |
| | | Thm* T:Type, E:(TTProp). Sym x,y:T. E(x,y) Prop |
|
| refl |
Def Refl(T;x,y.E(x;y)) == a:T. E(a;a) |
| | | Thm* T:Type, E:(TTProp). Refl(T;x,y.E(x,y)) Prop |
