Who Cites while?
while	Def (M |= x,tr.P(x;tr) while Q(x;tr)) == (M |= x,x',tr,tr'.P(x;tr) Q(x;tr) Q(x';tr') P(x';tr'))
	Thm* M:sm{i:l}(), P,Q:(M.state(M.action List)Prop). (M |= x,tr.P(x,tr) while Q(x,tr)) Prop
tla	Def (M |= x,x',tr,tr'.R(x;x';tr;tr')) == x,x':M.state, tr:M.action List, a:M.action. (M -tr- > x) M.trans(x,a,x') R(x;x';tr;tr @ [a])
	Thm* M:sm{i:l}(), R:(M.stateM.state(M.action List)(M.action List)Prop). (M |= x,x',tr,tr'.R(x,x',tr,tr')) Prop
append	Def as @ bs == Case of as; nil bs ; a.as' [a / (as' @ bs)] (recursive)
	Thm* T:Type, as,bs:T List. (as @ bs) T List
initially	Def (M |= initially x,tr.P(x;tr)) == x:M.state. M.init(x) P(x;nil)
	Thm* M:sm{i:l}(), P:(M.state(M.action List)Prop). (M |= initially s,tr.P(s,tr)) Prop
reachable_via	Def (M -tr- > s) == s0:M.state. M.init(s0) & trace_reachable(M;s0;tr;s)
	Thm* M:sm{i:l}(), s:M.state, tr:M.action List. (M -tr- > s) Prop
sm	Def sm{i:l}() == da:Declds:Decl({ds}Prop)({ds}(da){ds}Prop)
	Thm* sm{i:l}() Type{i'}
trace_inv	Def (M |= always s,t.P(s;t)) == t:M.action List, s0,s:M.state. M.init(s0) trace_reachable(M;s0;t;s) P(s;t)
	Thm* M:sm{i:l}(), P:(M.state(M.action List)Prop). (M |= always s,t.P(s,t)) Prop
sm_action	Def M.action == (M.da)
	Thm* M:sm{i:l}(). M.action Type
sm_init	Def t.init == 1of(2of(2of(t)))
	Thm* M:sm{i:l}(). M.init M.stateProp
trace_reachable	Def trace_reachable(M;s;l;s') == Case of l nil s = s' M.state a.l' x:M.state. M.trans(s,a,x) & trace_reachable(M;x;l';s') (recursive)
	Thm* M:sm{i:l}(), l:M.action List, s,s':M.state. trace_reachable(M;s;l;s') Prop
sm_state	Def M.state == {M.ds}
	Thm* M:sm{i:l}(). M.state Type
sm_trans	Def t.trans == 2of(2of(2of(t)))
	Thm* M:sm{i:l}(). M.trans M.stateM.actionM.stateProp
record	Def {d} == l:Labeldecl_type(d;l)
	Thm* d:Decl. {d} Type
sigma	Def (d) == l:Labeldecl_type(d;l)
	Thm* d:Decl. (d) Type
decl	Def Decl == LabelType
	Thm* decl{i:l} Type{i'}
sm_da	Def t.da == 1of(t)
	Thm* t:sm{i:l}(). t.da Decl
sm_ds	Def t.ds == 1of(2of(t))
	Thm* t:sm{i:l}(). t.ds Decl
pi2	Def 2of(t) == t.2
	Thm* A:Type, B:(AType), p:(a:AB(a)). 2of(p) B(1of(p))
pi1	Def 1of(t) == t.1
	Thm* A:Type, B:(AType), p:(a:AB(a)). 1of(p) A
decl_type	Def decl_type(d;x) == d(x)
	Thm* dec:Decl, x:Label. decl_type(dec;x) Type
lbl	Def Label == {p:Pattern| ground_ptn(p) }
	Thm* Label Type
ground_ptn	Def ground_ptn(p) == Case(p) Case ptn_var(v) = > false Case ptn_pr( < x, y > ) = > ground_ptn(x)ground_ptn(y) Default = > true (recursive)
	Thm* p:Pattern. ground_ptn(p)
assert	Def b == if b True else False fi
	Thm* b:. b Prop
ptn	Def Pattern == rec(T.ptn_con(T))
	Thm* Pattern Type
case_default	Def Default = > body(value,value) == body
band	Def pq == if p q else false fi
	Thm* p,q:. (pq)
case_lbl_pair	Def Case ptn_pr( < x, y > ) = > body(x;y) cont(x1,z) == InjCase(x1; _. cont(z,z); x2. InjCase(x2; _. cont(z,z); x2@0. InjCase(x2@0; _. cont(z,z); x2@1. x2@1/x3,x2@2. body(x3;x2@2))))
case_ptn_var	Def Case ptn_var(x) = > body(x) cont(x1,z) == (x1.inr(x2) = > (x1.inr(x2) = > (x1.inl(x2) = > body(hd([x2 / tl(x1)])) cont(hd(x1),z))([x2 / tl(x1)]) cont (hd(x1) ,z)) ([x2 / tl(x1)]) cont (hd(x1) ,z)) ([x1])
case	Def Case(value) body == body(value,value)
ptn_con	Def ptn_con(T) == Atom++Atom+(TT)
	Thm* T:Type. ptn_con(T) Type
hd	Def hd(l) == Case of l; nil "?" ; h.t h
	Thm* A:Type, l:A List. ||l||1 hd(l) A
	Thm* A:Type, l:A List. hd(l) A
tl	Def tl(l) == Case of l; nil nil ; h.t t
	Thm* A:Type, l:A List. tl(l) A List
case_inl	Def inl(x) = > body(x) cont(value,contvalue) == InjCase(value; x. body(x); _. cont(contvalue,contvalue))
case_inr	Def inr(x) = > body(x) cont(value,contvalue) == InjCase(value; _. cont(contvalue,contvalue); x. body(x))

About: