%Patch files loaded: patch2 version 2.417
$$$PVSHOME/pvs-strategies
;; Proof strategies used by the proof scripts in this dump.
;;
;; (lazy-grind): (grind$) with :if-match nil, i.e. with automatic quantifier
;; instantiation switched off, followed by (reduce$) with the caller's
;; if-match setting, so that instantiation happens only after the sequent
;; has been simplified.  All other keyword arguments are passed through to
;; grind$ unchanged.
(defstep lazy-grind (&optional (if-match t) (defs !) rewrites theories exclude
                               (updates? t))
  (then (grind$ :if-match nil :defs defs :rewrites rewrites :theories theories
                :exclude exclude :updates? updates?)
        (reduce$ :if-match if-match :updates? updates?))
  "Equiv. to (grind) with the instantiations postponed until after simplification."
  "By skolemization, if-lifting, simplification and instantiation")

;; (stew): for each lemma in the &rest argument, run (skosimp*) then
;; (use <lemma>); afterwards grind lazily (as lazy-grind does) when
;; lazy-match is non-nil, otherwise with one (grind$) using the caller's
;; if-match.  With no lemmas the first step is (skip).
;; NOTE(review): &rest always binds LEMMAS to a list, so the (listp lemmas)
;; test in the LET is always true; left as written.
(defstep stew (&optional lazy-match (if-match t) (defs !) rewrites theories
                         exclude (updates? t) &rest lemmas)
  (then (if lemmas
            (let ((lemmata (if (listp lemmas) lemmas (list lemmas)))
                  (x `(then ,@(loop for lemma in lemmata
                                    append `((skosimp*)(use ,lemma))))))
              x)
            (skip))
        (if lazy-match
            (then (grind$ :if-match nil :defs defs :rewrites rewrites
                          :theories theories :exclude exclude :updates? updates?)
                  (reduce$ :if-match if-match :updates? updates?))
            (grind$ :if-match if-match :defs defs :rewrites rewrites
                    :theories theories :exclude exclude :updates? updates?)))
  "Does a combination of (lemma) and (grind)."
  "~%Grinding away with the supplied lemmas,")

;; (store-state VAR) and (store-context VAR) assign the current proof state
;; (*ps*) resp. the current context (*current-context*) to the Lisp symbol
;; VAR as a side effect (via SET) and leave the sequent untouched by
;; returning '(skip).  The LET binding X is never read.  Both have empty
;; documentation and format strings.
(defstep store-state (var)
  (let ((x (set var *ps*))) '(skip))
  "" "")

(defstep store-context (var)
  (let ((x (set var *current-context*))) '(skip))
  "" "")
$$$top.pvs
% Authors : Todd Fine, Duane Olawsky
%
% Protection Notice :
%
% THIS IS AN UNPUBLISHED WORK CONTAINING SECURE COMPUTING
% CORPORATION CONFIDENTIAL AND PROPRIETARY INFORMATION.
% IF PUBLICATION OCCURS, THE FOLLOWING NOTICE APPLIES:
%
% (c) Copyright, 1995-1998, Secure Computing Corporation, All Rights Reserved.
%
% Revision Id : $Id: ac_translators.pvs.ref,v 1.2 1997/02/06 21:49:19 sundquis Exp $
% NOTE(review): the $Id keyword above names ac_translators.pvs.ref rather
% than top.pvs; presumably a header copied from another file -- confirm.
%
% Update Locker : $Locker: $
%
% Contents :
%
% This file is part of the PVS version of the DTOS Composability Study.
% It is the top theory. Its primary purpose is to pull everything
% together to produce a PVS dump file.
%
%
% Change History :
%
% top imports every theory of the study so that one PVS dump file (this
% file) carries all of them; it declares nothing of its own.
top : THEORY
BEGIN
  IMPORTING system_props
  IMPORTING beh_equiv
  IMPORTING cmp_thm2
  IMPORTING compose_associative
  IMPORTING compose_right
END top
$$$compose_right.pvs
% compose_right: for a composable set cset of components, a trace b lies in
% prop_for(cmp) for every cmp in cset exactly when it lies in
% prop_for(compose(cset)), provided each cmp tolerates cset.  The cr_*
% lemmas carry the left-to-right direction one conjunct of prop_for at a
% time (initial state, steps, weak fairness, strong fairness) and cr_aux
% joins them.
compose_right[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING cmp_thm[ST,AG]
  IMPORTING compose_idempotent[ST,AG]

  cset: VAR (composable[ST,AG])  % composable sets only, so compose(cset) is defined
  b: VAR trace_t[ST,AG]
  cmp: VAR (comp_t)
  n: VAR nat

  % If every component accepts b, b's initial state is acceptable to the
  % composition.
  cr_init: THEOREM
    (forall cmp: member(cmp,cset) implies member(b,prop_for(cmp)))
      implies initial_okay(compose(cset),b)

  % Step n of b is the triple (sts(b)(n), sts(b)(n+1), ags(b)(n)).  It is a
  % step of the composition when every component accepts b and the step
  % lies in every component's rely ...
  cr_rely: THEOREM
    (forall cmp: member(cmp,cset) implies
       member(b,prop_for(cmp)) and
       member((sts(b)(n),sts(b)(n+1),ags(b)(n)),rely(cmp)))
      implies member((sts(b)(n),sts(b)(n+1),ags(b)(n)),steps(compose(cset)))

  % ... and also when some component's rely does not contain the step.
  % The two cases are exhaustive, which is what cr_steps uses.
  cr_guar: THEOREM
    (forall cmp: member(cmp,cset) implies member(b,prop_for(cmp))) and
    (exists cmp: member(cmp,cset) and
       not member((sts(b)(n),sts(b)(n+1),ags(b)(n)),rely(cmp)))
      implies member((sts(b)(n),sts(b)(n+1),ags(b)(n)),steps(compose(cset)))

  % Every step of b is a step of the composition (cr_rely / cr_guar for
  % each n).
  cr_steps: THEOREM
    (forall cmp: member(cmp,cset) implies member(b,prop_for(cmp)))
      implies steps_okay(compose(cset),b)

  % Weak fairness of b with respect to the composition.
  cr_wfar: THEOREM
    (forall cmp: member(cmp,cset) implies member(b,prop_for(cmp)))
      implies is_wfar(compose(cset),b)

  % Strong fairness of b with respect to the composition.
  cr_sfar: THEOREM
    (forall cmp: member(cmp,cset) implies member(b,prop_for(cmp)))
      implies is_sfar(compose(cset),b)

  % Left-to-right direction of compose_right.  No tolerance hypothesis is
  % needed; the proof script unfolds prop_for into the four lemmas above.
  cr_aux: THEOREM
    (forall cmp: member(cmp,cset) implies member(b,prop_for(cmp)))
      implies member(b,prop_for(compose(cset)))

  % Main result.  The tolerates hypothesis is used only for the
  % right-to-left direction, which the proof script obtains from cmp_thm
  % instantiated at singleton(cmp) together with the compose_idempotent
  % lemmas ci_component and ci_composable.  So concluding a component's
  % property from the composite's needs tolerates(singleton(cmp),cset) for
  % that component, whereas the converse (cr_aux) does not.
  compose_right: THEOREM
    (forall cmp: member(cmp,cset) implies tolerates(singleton(cmp),cset))
      implies
        ( (forall cmp: member(cmp,cset) implies member(b,prop_for(cmp)))
            iff member(b,prop_for(compose(cset))))
END compose_right
$$$compose_right.prf
(|compose_right| (|cr_init| "" (SKOSIMP*) (("" (EXPAND "initial_okay") (("" (EXPAND "compose") (("" (EXPAND "member" +) (("" (EXPAND "compose_init") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member" -2) (("" (EXPAND "inits_for") (("" (SKOSIMP*) (("" (REPLACE -3 :HIDE? -3) (("" (INST?) 
(("" (GROUND) (("" (EXPAND "member" -1) (("" (EXPAND "prop_for") (("" (FLATTEN) (("" (EXPAND "initial_okay") (("" (PROPAX) NIL))))))))))))))))))))))))))))))))))) (|cr_rely| "" (SKOSIMP*) (("" (CASE "not member((sts(b!1)(n!1), sts(b!1)(n!1 + 1), ags(b!1)(n!1)),rely(compose(cset!1)))") (("1" (DELETE 2) (("1" (EXPAND "member" +) (("1" (EXPAND "compose") (("1" (EXPAND "compose_rely") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member" -1) (("1" (EXPAND "relys_for") (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (INST?) (("1" (GROUND) NIL))))))))))))))))))))))) ("2" (DELETE -2) (("2" (EXPAND "member") (("2" (EXPAND "steps") (("2" (GROUND) NIL))))))))))) (|cr_guar| "" (SKOSIMP*) (("" (CASE "not member((sts(b!1)(n!1), sts(b!1)(n!1 + 1), ags(b!1)(n!1)),guar(compose(cset!1)))") (("1" (DELETE 3) (("1" (EXPAND "member" 1) (("1" (EXPAND "compose") (("1" (EXPAND "compose_guar") (("1" (EXPAND "intersection") (("1" (SPLIT) (("1" (EXPAND "member" 1) (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member" -1) (("1" (EXPAND "guar_or_hidds_for") (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (EXPAND "member" 1) (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "prop_for") (("1" (EXPAND "steps_okay") (("1" (FLATTEN) (("1" (INST?) (("1" (EXPAND "member") (("1" (EXPAND "steps") (("1" (USE "component_rely_hidd") (("1" (EXPAND "rely_hidd_restriction") (("1" (EXPAND "subset?") (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) ("2" (INST?) (("2" (GROUND) (("2" (EXPAND "member" 1) (("2" (EXPAND "gen_union") (("2" (INSTANTIATE 1 "guar(cmp!1)") (("2" (GROUND) (("1" (EXPAND "member") (("1" (EXPAND "guars_for") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))) ("2" (EXPAND "member") (("2" (EXPAND "prop_for") (("2" (EXPAND "steps_okay") (("2" (FLATTEN) (("2" (EXPAND "member") (("2" (EXPAND "steps") (("2" (INST?) 
(("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))) ("2" (EXPAND "member") (("2" (EXPAND "steps") (("2" (GROUND) NIL))))))))) (|cr_steps| "" (SKOSIMP*) (("" (EXPAND "steps_okay") (("" (SKOSIMP*) (("" (REWRITE "cr_guar") (("" (REWRITE "cr_rely") (("" (SKOSIMP*) (("" (INST?) (("" (INST?) (("" (GROUND) NIL))))))))))))))))) (|cr_wfar| "" (SKOSIMP*) (("" (EXPAND "is_wfar") (("" (SKOSIMP*) (("" (EXPAND "member" -2) (("" (EXPAND "compose") (("" (EXPAND "compose_wfar") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member" -2) (("" (EXPAND "wfars_for") (("" (SKOSIMP*) (("" (INST?) (("" (REPLACE -3 :HIDE? -3) (("" (GROUND) (("" (EXPAND "member" -1) (("" (EXPAND "prop_for") (("" (EXPAND "is_wfar") (("" (FLATTEN) (("" (INST?) (("" (GROUND) (("" (INST?) NIL))))))))))))))))))))))))))))))))))))))))) (|cr_sfar| "" (SKOSIMP*) (("" (EXPAND "is_sfar") (("" (SKOSIMP*) (("" (EXPAND "member" -2) (("" (EXPAND "compose") (("" (EXPAND "compose_sfar") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member" -2) (("" (EXPAND "sfars_for") (("" (SKOSIMP*) (("" (INST?) (("" (REPLACE -3 :HIDE? -3) (("" (GROUND) (("" (EXPAND "member" -1) (("" (EXPAND "prop_for") (("" (EXPAND "is_sfar") (("" (FLATTEN) (("" (INST?) (("" (GROUND) (("" (INST?) NIL))))))))))))))))))))))))))))))))))))))))) (|cr_aux| "" (SKOSIMP*) (("" (EXPAND "member" +) (("" (EXPAND "prop_for" +) (("" (REWRITE "cr_init") (("" (REWRITE "cr_steps") (("" (REWRITE "cr_wfar") (("" (REWRITE "cr_sfar") (("" (GROUND) NIL))))))))))))))) (|compose_right| "" (SKOSIMP*) (("" (GROUND) (("1" (REWRITE "cr_aux") NIL) ("2" (SKOSIMP*) (("2" (LEMMA "cmp_thm") (("2" (INSTANTIATE -1 ("singleton(cmp!1)" "cset!1" "prop_for(cmp!1)")) (("2" (CASE "compose(singleton(cmp!1)) = cmp!1") (("1" (REPLACE -1 :HIDE? -1) (("1" (INST?) (("1" (TYPEPRED "cset!1") (("1" (GROUND) (("1" (EXPAND "satisfies") (("1" (INST?) 
(("1" (EXPAND "member") (("1" (GROUND) NIL))))))) ("2" (EXPAND "subset?") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "singleton") (("2" (GROUND) NIL))))))))) ("3" (LEMMA "nonempty_th[(comp_t)]") (("3" (INSTANTIATE -1 "singleton(cmp!1)") (("3" (GROUND) (("3" (INST?) (("3" (EXPAND "member") (("3" (EXPAND "singleton") (("3" (PROPAX) NIL))))))))))))) ("4" (EXPAND "satisfies") (("4" (SKOSIMP*) NIL))))))))))) ("2" (REWRITE "ci_component") NIL) ("3" (REWRITE "ci_composable") NIL))))))))))))))
$$$compose_associative.pvs
% compose_associative: composition is associative in a generalised sense.
% csets is a set of composable component sets, and two expressions recur in
% every theorem:
%   gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))
%     the flattened union of all component sets in csets.  The prelude's
%     extend lifts csets, a predicate on composable sets, to a predicate on
%     arbitrary sets of components that is FALSE outside the composable ones,
%     which is what gen_union expects.
%   {cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}
%     the set of the compositions of the individual sets in csets.
% ca_composable: the first is composable iff the second is; it also
% discharges the TCCs for applying compose to the second (see ca_init_TCC1
% in the proof script).
% ca_init .. ca_wfar: when the first is composable, each field of compose
% agrees on the two.  The guar field takes six steps because, as the proof
% scripts' expansion of compose_guar shows, guar(compose(..)) is the
% intersection of gen_union(guars_for(..)) and
% gen_intersection(guar_or_hidds_for(..)): ca_guar1/ca_guar2 and
% ca_guar4/ca_guar5 give the two halves for each direction, ca_guar3 and
% ca_guar6 assemble them, ca_guar combines both directions.
% ca_component: equality of the two compositions, by extensionality over
% all the field lemmas.
compose_associative[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING compose[ST, AG]

  cset: VAR (composable)
  csets: VAR setof[(composable)]
  cmp: VAR (comp_t)

  ca_composable: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IFF composable({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))})

  ca_init: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        init(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = init(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  ca_cags: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        cags(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = cags(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  % A transition: (state, next state, agent) triple.
  tran: VAR [ST, ST, AG]

  % guar, direction "flattened union -> set of compositions", in two halves.
  ca_guar1: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
    AND guar(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))) (tran)
      IMPLIES gen_union(guars_for({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))(tran)

  ca_guar2: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
    AND guar(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))) (tran)
      IMPLIES gen_intersection(guar_or_hidds_for({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))})) (tran)

  ca_guar3: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
    AND guar(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))) (tran)
      IMPLIES guar(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))(tran)

  % guar, direction "set of compositions -> flattened union", in two halves.
  ca_guar4: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
    AND guar(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))(tran)
      IMPLIES gen_union(guars_for(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))) (tran)

  ca_guar5: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
    AND guar(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))(tran)
      IMPLIES gen_intersection (guar_or_hidds_for(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))) (tran)

  ca_guar6: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
    AND guar(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))(tran)
      IMPLIES guar(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))) (tran)

  % Both directions (ca_guar3, ca_guar6) as an equality of sets.
  ca_guar: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        guar(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = guar(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  ca_rely: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        rely(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = rely(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  ca_hidd: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        hidd(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = hidd(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  ca_view: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        view(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = view(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  ca_sfar: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        sfar(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = sfar(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  ca_wfar: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        wfar(compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets))))
          = wfar(compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))}))

  % Associativity proper: composing all components at once equals composing
  % the per-set compositions.
  ca_component: THEOREM
    composable(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
      IMPLIES
        compose(gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets)))
          = compose({cmp | (EXISTS cset: member(cset, csets) AND cmp = compose(cset))})
END compose_associative
$$$compose_associative.prf
(|compose_associative| (|ca_composable| "" (SKOLEM!) (("" (CASE "not (csets!1 /= emptyset)") (("1" (FLATTEN) (("1" (REPLACE -1) (("1" (EXPAND "composable") (("1" (EXPAND "gen_union") (("1" (EXPAND "member") (("1" (EXPAND "extend") (("1" (EXPAND "emptyset") (("1" (PROPAX) NIL))))))))))))))) ("2" (REWRITE "nonempty_th") (("2" (SKOLEM!) 
(("2" (CASE "not (x!1 /= emptyset)") (("1" (DELETE -1 2) (("1" (TYPEPRED "x!1") (("1" (EXPAND "composable") (("1" (GROUND) NIL))))))) ("2" (REWRITE "nonempty_th") (("2" (SKOLEM!) (("2" (CASE "not (gen_union(extend[setof[((comp_t[ST, AG]))], ((composable)), bool, FALSE](csets!1)) /= emptyset)") (("1" (DELETE 2) (("1" (REWRITE "nonempty_th") (("1" (INST?) (("1" (EXPAND "member" +) (("1" (EXPAND "gen_union") (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "extend") (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))))) ("2" (CASE "not ({cmp: (comp_t) | (EXISTS (cset: (composable)): member(cset, csets!1) AND cmp = compose(cset))} /= emptyset)") (("1" (DELETE -1 2) (("1" (REWRITE "nonempty_th") (("1" (INSTANTIATE 1 "compose(x!1)") (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) NIL))))))))))) ("2" (EXPAND "composable") (("2" (GROUND) (("1" (DELETE -2 -3 2 3 4) (("1" (EXPAND "agreeable_start") (("1" (SKOSIMP*) (("1" (INST?) (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (EXPAND "compose") (("1" (EXPAND "compose_init") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "inits_for") (("1" (SKOSIMP*) (("1" (REPLACE -3 :HIDE? -3) (("1" (INST?) (("1" (EXPAND "gen_union") (("1" (GROUND) (("1" (INST?) (("1" (EXPAND "member") (("1" (EXPAND "extend") (("1" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))) ("2" (DELETE -2 -3 2 3 4) (("2" (EXPAND "agreeable_start") (("2" (SKOSIMP*) (("2" (INST?) (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "gen_union") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "extend") (("2" (GROUND) (("2" (INSTANTIATE -4 "compose(s!1)") (("2" (GROUND) (("1" (EXPAND "compose") (("1" (EXPAND "compose_init") (("1" (EXPAND "gen_intersection") (("1" (INST?) (("1" (EXPAND "member") (("1" (EXPAND "inits_for") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))) ("2" (INST?) 
(("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))) (|ca_init_TCC1| "" (SKOSIMP*) (("" (REWRITE "ca_composable") NIL))) (|ca_init| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[ST]") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose_init") (("1" (EXPAND "gen_intersection") (("1" (EXPAND "member") (("1" (EXPAND "inits_for") (("1" (EXPAND "member") (("1" (EXPAND "gen_union") (("1" (EXPAND "member") (("1" (EXPAND "extend") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (REPLACE -4 :HIDE? -4) (("1" (REPLACE -3 :HIDE? -3) (("1" (EXPAND "compose" +) (("1" (EXPAND "compose_init") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "inits_for") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (REPLACE -4 :HIDE? -4) (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (INSTANTIATE 1 "cset!1") (("1" (GROUND) NIL))))))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (GROUND) (("2" (REPLACE -5 :HIDE? -5) (("2" (INSTANTIATE -3 "init(compose(s!2))") (("2" (GROUND) (("1" (EXPAND "compose") (("1" (EXPAND "compose_init") (("1" (EXPAND "gen_intersection") (("1" (INST?) (("1" (EXPAND "member") (("1" (GROUND) (("1" (EXPAND "inits_for") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))))) ("2" (INSTANTIATE 1 "compose(s!2)") (("2" (GROUND) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_cags| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[AG]") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose_cags") (("1" (EXPAND "gen_union" +) (("1" (EXPAND "cagss_for") (("1" (EXPAND "member") (("1" (EXPAND "extend" +) (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) (("1" (REPLACE -4 :HIDE? 
-4) (("1" (INSTANTIATE 1 "cags(compose(s!2))") (("1" (GROUND) (("1" (INSTANTIATE 1 "compose(s!2)") (("1" (GROUND) (("1" (INSTANTIATE 1 "s!2") (("1" (GROUND) NIL))))))) ("2" (EXPAND "compose") (("2" (EXPAND "compose_cags") (("2" (EXPAND "gen_union") (("2" (INST?) (("2" (EXPAND "member") (("2" (EXPAND "cagss_for") (("2" (INST?) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (REPLACE -2 :HIDE? -2) (("2" (REPLACE -2 :HIDE? -2) (("2" (EXPAND "compose") (("2" (EXPAND "compose_cags") (("2" (EXPAND "gen_union") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "cagss_for") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (REPLACE -3 :HIDE? -3) (("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) (("2" (INSTANTIATE 1 "cset!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_guar1| "" (SKOSIMP*) (("" (EXPAND "compose" -) (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (FLATTEN) (("" (EXPAND "gen_union" -3 1) (("" (EXPAND "gen_union" +) (("" (EXPAND "member") (("" (SKOSIMP*) (("" (EXPAND "guars_for") (("" (EXPAND "guar_or_hidds_for") (("" (EXPAND "member") (("" (EXPAND "gen_union" -2) (("" (EXPAND "gen_union" -3) (("" (EXPAND "member") (("" (EXPAND "extend" -2) (("" (EXPAND "extend" -3) (("" (SKOSIMP*) (("" (REPLACE -5 :HIDE? -5) (("" (GROUND) (("" (INSTANTIATE 1 "guar(compose(s!2))") (("" (GROUND) (("1" (INSTANTIATE 1 "compose(s!2)") (("1" (GROUND) (("1" (INST?) 
(("1" (GROUND) NIL))))))) ("2" (EXPAND "compose") (("2" (EXPAND "compose_guar") (("2" (EXPAND "intersection") (("2" (EXPAND "member") (("2" (SPLIT) (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "guar_or_hidds_for") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (INSTANTIATE -6 "s!3") (("1" (GROUND) (("1" (INSTANTIATE 1 "cmp!2") (("1" (GROUND) (("1" (INSTANTIATE 1 "s!2") (("1" (GROUND) NIL))))))))))))))))))))))) ("2" (EXPAND "gen_union" +) (("2" (INSTANTIATE 1 "guar(cmp!1)") (("2" (EXPAND "member") (("2" (EXPAND "guars_for") (("2" (EXPAND "member") (("2" (INSTANTIATE 1 "cmp!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|ca_guar2| "" (SKOSIMP*) (("" (EXPAND "compose" -2) (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (FLATTEN) (("" (DELETE -3) (("" (EXPAND "gen_intersection") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (EXPAND "guar_or_hidds_for") (("" (SKOSIMP*) (("" (REPLACE -4 :HIDE? -4) (("" (EXPAND "member") (("" (SKOSIMP*) (("" (REPLACE -4 :HIDE? -4) (("" (EXPAND "union" +) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_guar") (("" (EXPAND "compose_hidd") (("" (FLATTEN) (("" (CASE "not (exists cmp: cset!1(cmp) and guar(cmp)(tran!1))") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "hidds_for") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (REPLACE -5 :HIDE? -5) (("1" (INSTANTIATE -2 "union(guar(cmp!2),hidd(cmp!2))") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) 
(("2" (EXPAND "gen_union" +) (("2" (EXPAND "member") (("2" (EXPAND "extend") (("2" (INSTANTIATE 1 "cset!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))) ("2" (DELETE 2) (("2" (SKOSIMP*) (("2" (EXPAND "intersection") (("2" (EXPAND "member") (("2" (SPLIT) (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "guar_or_hidds_for") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (REPLACE -2 :HIDE? -2) (("1" (INSTANTIATE -5 "union(guar(cmp!3),hidd(cmp!3))") (("1" (GROUND) (("1" (INSTANTIATE 1 "cmp!3") (("1" (GROUND) (("1" (EXPAND "gen_union" +) (("1" (INSTANTIATE 1 "cset!1") (("1" (EXPAND "member") (("1" (EXPAND "extend") (("1" (PROPAX) NIL))))))))))))))))))))))))))))))) ("2" (EXPAND "gen_union") (("2" (INSTANTIATE 1 "guar(cmp!2)") (("2" (EXPAND "member") (("2" (EXPAND "guars_for") (("2" (GROUND) (("2" (INSTANTIATE 1 "cmp!2") (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|ca_guar3_TCC1| "" (SKOSIMP*) (("" (REWRITE "ca_composable") NIL))) (|ca_guar3| "" (SKOSIMP*) (("" (EXPAND "compose" 1 1) (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (LEMMA "ca_guar1") (("" (INST?) (("" (GROUND) (("1" (LEMMA "ca_guar2") (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))) ("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))) (|ca_guar4| "" (SKOSIMP*) (("" (EXPAND "gen_union" +) (("" (EXPAND "member") (("" (EXPAND "guars_for") (("" (EXPAND "member") (("" (EXPAND "extend" +) (("" (EXPAND "compose" -2 1) (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (FLATTEN) (("" (DELETE -2) (("" (EXPAND "gen_union" -2) (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "guars_for") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (SKOSIMP*) (("" (REPLACE -3 :HIDE? -3) (("" (REPLACE -3 :HIDE? 
-3) (("" (EXPAND "compose") (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (FLATTEN) (("" (DELETE -3) (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "guars_for") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (REPLACE -4 :HIDE? -4) (("" (INST?) (("" (GROUND) (("" (INST?) (("" (GROUND) (("" (INSTANTIATE 1 "cset!1") (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|ca_guar5| "" (SKOSIMP*) (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "guar_or_hidds_for") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "gen_union" -3) (("" (REPLACE -4 :HIDE? -4) (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "extend" -3) (("" (GROUND) (("" (EXPAND "compose" -4 1) (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (EXPAND "member") (("" (EXPAND "guar_or_hidds_for") (("" (EXPAND "member") (("" (FLATTEN) (("" (INSTANTIATE -4 "union(guar(compose(s!2)),hidd(compose(s!2)))") (("" (GROUND) (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (EXPAND "compose" -1) (("1" (EXPAND "compose_guar") (("1" (FLATTEN) (("1" (SPLIT) (("1" (EXPAND "intersection") (("1" (EXPAND "member") (("1" (EXPAND "gen_intersection") (("1" (EXPAND "member") (("1" (EXPAND "guar_or_hidds_for") (("1" (EXPAND "member") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (FLATTEN) (("1" (INSTANTIATE -1 "{x: transition[ST,AG] | (guar(cmp!1)(x) or hidd(cmp!1)(x))}") (("1" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))))))))))))))))))))))))) ("2" (EXPAND "compose_hidd") (("2" (EXPAND "gen_intersection") (("2" (INSTANTIATE -1 "hidd(cmp!1)") (("2" (EXPAND "member") (("2" (GROUND) (("2" (EXPAND "hidds_for") (("2" (EXPAND "member") (("2" (INST?) 
(("2" (GROUND) NIL))))))))))))))))))))))))))))) ("2" (INSTANTIATE 1 "compose(s!2)") (("2" (GROUND) (("2" (INSTANTIATE 1 "s!2") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|ca_guar6_TCC1| "" (SKOSIMP*) NIL) (|ca_guar6| "" (SKOSIMP*) (("" (LEMMA "ca_guar4") (("" (INST?) (("" (EXPAND "member") (("" (GROUND) (("" (LEMMA "ca_guar5") (("" (INST?) (("" (EXPAND "member") (("" (INST?) (("" (GROUND) (("" (EXPAND "compose" +) (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (PROPAX) NIL))))))))))))))))))))))))))))) (|ca_guar| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[transition]") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (GROUND) (("1" (REWRITE "ca_guar3") NIL) ("2" (REWRITE "ca_guar6") NIL))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_rely| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[[ST,ST,AG]]") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose_rely") (("1" (EXPAND "gen_intersection") (("1" (EXPAND "member") (("1" (EXPAND "relys_for") (("1" (EXPAND "member") (("1" (EXPAND "gen_union") (("1" (EXPAND "member") (("1" (EXPAND "extend") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (REPLACE -4 :HIDE? -4) (("1" (REPLACE -3 :HIDE? -3) (("1" (EXPAND "compose" +) (("1" (EXPAND "compose_rely") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "relys_for") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (REPLACE -4 :HIDE? -4) (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (INSTANTIATE 1 "cset!1") (("1" (GROUND) NIL))))))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (GROUND) (("2" (REPLACE -5 :HIDE? -5) (("2" (INSTANTIATE -3 "rely(compose(s!2))") (("2" (GROUND) (("1" (EXPAND "compose") (("1" (EXPAND "compose_rely") (("1" (EXPAND "gen_intersection") (("1" (INST?) 
(("1" (EXPAND "member") (("1" (GROUND) (("1" (EXPAND "relys_for") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))))) ("2" (INSTANTIATE 1 "compose(s!2)") (("2" (GROUND) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_hidd| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[[ST,ST,AG]]") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose_hidd") (("1" (EXPAND "gen_intersection") (("1" (EXPAND "member") (("1" (EXPAND "hidds_for") (("1" (EXPAND "member") (("1" (EXPAND "gen_union") (("1" (EXPAND "member") (("1" (EXPAND "extend") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (REPLACE -4 :HIDE? -4) (("1" (REPLACE -3 :HIDE? -3) (("1" (EXPAND "compose" +) (("1" (EXPAND "compose_hidd") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "hidds_for") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (REPLACE -4 :HIDE? -4) (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (INSTANTIATE 1 "cset!1") (("1" (GROUND) NIL))))))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (GROUND) (("2" (REPLACE -5 :HIDE? -5) (("2" (INSTANTIATE -3 "hidd(compose(s!2))") (("2" (GROUND) (("1" (EXPAND "compose") (("1" (EXPAND "compose_hidd") (("1" (EXPAND "gen_intersection") (("1" (INST?) (("1" (EXPAND "member") (("1" (GROUND) (("1" (EXPAND "hidds_for") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))))) ("2" (INSTANTIATE 1 "compose(s!2)") (("2" (GROUND) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_view| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[[ST,ST]] ") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) 
(("1" (IFF) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose_view") (("1" (EXPAND "gen_intersection") (("1" (EXPAND "member") (("1" (EXPAND "extend" +) (("1" (EXPAND "views_for") (("1" (EXPAND "member") (("1" (EXPAND "gen_union" +) (("1" (EXPAND "member") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) (("1" (SKOSIMP*) (("1" (REPLACE -4 :HIDE? -4) (("1" (REPLACE -3 :HIDE? -3) (("1" (EXPAND "compose" +) (("1" (EXPAND "compose_view") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "extend" -4) (("1" (GROUND) (("1" (EXPAND "views_for") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (REPLACE -3 :HIDE? -3) (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (INSTANTIATE 1 "cset!1") (("1" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (GROUND) (("2" (SKOSIMP*) (("2" (REPLACE -4 :HIDE? -4) (("2" (INSTANTIATE -4 "view(compose(s!2))") (("1" (GROUND) (("1" (EXPAND "compose") (("1" (EXPAND "compose_view") (("1" (EXPAND "gen_intersection") (("1" (INST?) (("1" (EXPAND "member") (("1" (EXPAND "extend") (("1" (EXPAND "views_for") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))))) ("2" (INSTANTIATE 1 "compose(s!2)") (("2" (GROUND) (("2" (INSTANTIATE 1 "s!2") (("2" (GROUND) NIL))))))))) ("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_sfar| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[TRANSITION_CLASS]") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose_sfar") (("1" (EXPAND "gen_union" +) (("1" (EXPAND "sfars_for") (("1" (EXPAND "member") (("1" (EXPAND "extend" +) (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) (("1" (REPLACE -4 :HIDE? 
-4) (("1" (INSTANTIATE 1 "sfar(compose(s!2))") (("1" (GROUND) (("1" (INSTANTIATE 1 "compose(s!2)") (("1" (GROUND) (("1" (INSTANTIATE 1 "s!2") (("1" (GROUND) NIL))))))) ("2" (EXPAND "compose") (("2" (EXPAND "compose_sfar") (("2" (EXPAND "gen_union") (("2" (INST?) (("2" (EXPAND "member") (("2" (EXPAND "sfars_for") (("2" (INST?) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (REPLACE -2 :HIDE? -2) (("2" (REPLACE -2 :HIDE? -2) (("2" (EXPAND "compose") (("2" (EXPAND "compose_sfar") (("2" (EXPAND "gen_union") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "sfars_for") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (REPLACE -3 :HIDE? -3) (("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) (("2" (INSTANTIATE 1 "cset!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_wfar| "" (SKOSIMP*) (("" (EXTENSIONALITY "setof[TRANSITION_CLASS]") (("" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose" 1 1) (("1" (EXPAND "compose_wfar") (("1" (EXPAND "gen_union" +) (("1" (EXPAND "wfars_for") (("1" (EXPAND "member") (("1" (EXPAND "extend" +) (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) (("1" (REPLACE -4 :HIDE? -4) (("1" (INSTANTIATE 1 "wfar(compose(s!2))") (("1" (GROUND) (("1" (INSTANTIATE 1 "compose(s!2)") (("1" (GROUND) (("1" (INSTANTIATE 1 "s!2") (("1" (GROUND) NIL))))))) ("2" (EXPAND "compose") (("2" (EXPAND "compose_wfar") (("2" (EXPAND "gen_union") (("2" (INST?) (("2" (EXPAND "member") (("2" (EXPAND "wfars_for") (("2" (INST?) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (REPLACE -2 :HIDE? -2) (("2" (REPLACE -2 :HIDE? 
-2) (("2" (EXPAND "compose") (("2" (EXPAND "compose_wfar") (("2" (EXPAND "gen_union") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "wfars_for") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (REPLACE -3 :HIDE? -3) (("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) (("2" (INSTANTIATE 1 "cset!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (REWRITE "ca_composable") NIL))))))) (|ca_component| "" (SKOSIMP*) (("" (EXTENSIONALITY "(comp_t)") (("" (INST?) (("1" (GROUND) (("1" (REWRITE "ca_cags") NIL) ("2" (REWRITE "ca_guar") NIL) ("3" (REWRITE "ca_hidd") NIL) ("4" (REWRITE "ca_init") NIL) ("5" (REWRITE "ca_rely") NIL) ("6" (REWRITE "ca_sfar") NIL) ("7" (REWRITE "ca_view") NIL) ("8" (REWRITE "ca_wfar") NIL))) ("2" (REWRITE "ca_composable") NIL))))))))
$$$compose2.pvs
% compose2: composition of exactly two components whose own state and agent
% types (ST1/AG1, ST2/AG2) are mapped into the common ST/AG by state
% translators (sttran1, sttran2) and agent translators (agtran1, agtran2).
% Each compose_*2 operator below is the binary form of the corresponding
% operator of theory compose, and each *_def theorem states that it agrees
% with that operator applied to the two-element set make_two_set_tr(...)
% of translated components.  tmap, vmap, tr_ac, tr_tcs, env_stutter and
% tran_cmp come from cmp_translators and are not defined here.
compose2[ST: NONEMPTY_TYPE, ST1: NONEMPTY_TYPE, ST2: NONEMPTY_TYPE,
         AG: NONEMPTY_TYPE, AG1: NONEMPTY_TYPE, AG2: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING cmp_translators[ST1,AG1,ST,AG]
  IMPORTING cmp_translators[ST2,AG2,ST,AG]
  IMPORTING compose[ST,AG]

  cset: VAR setof[(comp_t[ST,AG])]  % NOTE(review): declared but not referenced in this theory
  cmp, cmpa, cmpb: VAR (comp_t[ST,AG])
  cmp1 : VAR (comp_t[ST1,AG1])
  cmp2 : VAR (comp_t[ST2,AG2])
  sttran1 : VAR (translator_t[ST1,ST])
  agtran1 : VAR (weak_translator_t[AG1,AG])
  sttran2 : VAR (translator_t[ST2,ST])
  agtran2 : VAR (weak_translator_t[AG2,AG])

  % The set {cmpa, cmpb} (one element when cmpa = cmpb).
  make_two_set(cmpa,cmpb) : setof[(comp_t[ST,AG])] =
    (LAMBDA cmp: cmp = cmpa or cmp = cmpb)

  % The two components after translation into ST/AG by tran_cmp.
  make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2) : setof[(comp_t[ST,AG])] =
    make_two_set(tran_cmp(cmp1,sttran1,agtran1),tran_cmp(cmp2,sttran2,agtran2))

  % Initial states acceptable to both translated components.
  compose_init2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): setof[ST] =
    intersection(tmap(sttran1, init(cmp1)), tmap(sttran2, init(cmp2)))

  compose_init2_def: THEOREM
    compose_init(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_init2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % Guaranteed transitions of the pair: union of three cases --
  %   (1) cmp1 guarantees it and cmp2 hides it or it is in env_stutter(cmp2,..),
  %   (2) the same with the roles of cmp1 and cmp2 swapped,
  %   (3) both guarantee it.
  % A transition guaranteed by one side that the other neither hides nor
  % accounts for via env_stutter is therefore not guaranteed by the pair.
  % (env_stutter presumably collects the steps on which that component
  % stutters -- confirm in cmp_translators.)
  compose_guar2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): setof[[ST, ST, AG]] =
    union(intersection(tr_ac(guar(cmp1),sttran1,agtran1),
                       union(tr_ac(hidd(cmp2),sttran2, agtran2),
                             env_stutter(cmp2,sttran2,agtran2))),
          union(intersection(tr_ac(guar(cmp2),sttran2,agtran2),
                             union(tr_ac(hidd(cmp1),sttran1,agtran1),
                                   env_stutter(cmp1,sttran1,agtran1))),
                intersection(tr_ac(guar(cmp1),sttran1,agtran1),
                             tr_ac(guar(cmp2),sttran2,agtran2))))

  compose_guar2_def: THEOREM
    compose_guar(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_guar2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % Rely of the pair: transitions that, for each component, lie in its
  % translated rely or in its env_stutter set.
  compose_rely2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): setof[[ST, ST, AG]] =
    intersection(union(tr_ac(rely(cmp1),sttran1,agtran1),
                       env_stutter(cmp1,sttran1,agtran1)),
                 union(tr_ac(rely(cmp2), sttran2, agtran2),
                       env_stutter(cmp2,sttran2,agtran2)))

  compose_rely2_def: THEOREM
    compose_rely(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_rely2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % Agents of the pair: union of the two translated cags sets.
  compose_cags2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): setof[AG] =
    union(tmap(agtran1, cags(cmp1)), tmap(agtran2, cags(cmp2)))

  compose_cags2_def: THEOREM
    compose_cags(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_cags2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % View of the pair: intersection of the two translated views.
  compose_view2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): setof[[ST, ST]] =
    intersection(vmap(sttran1, view(cmp1)), vmap(sttran2, view(cmp2)))

  compose_view2_def: THEOREM
    compose_view(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_view2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % Hidden transitions of the pair: same shape as compose_rely2 with hidd
  % in place of rely.
  compose_hidd2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): setof[[ST, ST,AG]] =
    intersection(union(tr_ac(hidd(cmp1),sttran1,agtran1),
                       env_stutter(cmp1,sttran1,agtran1)),
                 union(tr_ac(hidd(cmp2), sttran2, agtran2),
                       env_stutter(cmp2,sttran2,agtran2)))

  compose_hidd2_def: THEOREM
    compose_hidd(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_hidd2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % Weak-fairness transition classes of the pair: union of the translated
  % classes of both components.
  compose_wfar2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2): setof[TRANSITION_CLASS[ST,AG]] =
    union(tr_tcs(wfar(cmp1), sttran1,agtran1), tr_tcs(wfar(cmp2), sttran2,agtran2))

  compose_wfar2_def: THEOREM
    compose_wfar(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_wfar2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % Strong-fairness transition classes of the pair, likewise.
  compose_sfar2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2): setof[TRANSITION_CLASS[ST,AG]] =
    union(tr_tcs(sfar(cmp1), sttran1,agtran1), tr_tcs(sfar(cmp2), sttran2,agtran2))

  compose_sfar2_def: THEOREM
    compose_sfar(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = compose_sfar2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % The pair has a common initial state.
  composable_init2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): bool =
    compose_init2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2) /= emptyset

  composable_init2_def: THEOREM
    agreeable_start(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = composable_init2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % Composability of the pair reduces to composable_init2; composable2_def
  % shows this coincides with the general composable predicate on the
  % two-element set.
  composable2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): bool =
    composable_init2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2)

  composable2_def: THEOREM
    composable(make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2))
      = composable2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)

  % c is the whole 6-tuple (cmp1, cmp2, sttran1, sttran2, agtran1, agtran2)
  % restricted to composable2; it is passed as the full argument list of
  % each compose_*2 below.
  c: VAR (composable2)

  % The binary composition as a record, field by field.
  compose_base2(c): base_comp_t[ST, AG] =
    (# init := compose_init2(c),
       guar := compose_guar2(c),
       rely := compose_rely2(c),
       cags := compose_cags2(c),
       view := compose_view2(c),
       wfar := compose_wfar2(c),
       sfar := compose_sfar2(c),
       hidd := compose_hidd2(c) #)

  compose_base2_def: THEOREM
    compose_base2(c) = compose_base(make_two_set_tr(c))

  % The binary composition as a component; compose2_def ties it to the
  % n-ary compose on make_two_set_tr(c).
  compose2(c): (comp_t[ST, AG]) = compose_base2(c)

  compose2_def: THEOREM
    compose2(c) = compose(make_two_set_tr(c))
END compose2
$$$compose2.prf
(|compose2| (|compose_init2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[ST]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) 
(("" (IFF) (("" (EXPAND "compose_init") (("" (EXPAND "compose_init2") (("" (EXPAND "gen_intersection") (("" (EXPAND "member") (("" (EXPAND "inits_for") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))))))))) ("2" (INST?) (("2" (GROUND) (("2" (INSTANTIATE 1 "tran_cmp(cmp2!1, sttran2!1, agtran2!1)") (("2" (GROUND) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))) ("3" (SKOSIMP*) (("3" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (GROUND) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))) (|compose_guar2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[[ST,ST,AG]]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (GROUND) (("1" (EXPAND "compose_guar") (("1" (EXPAND "intersection") (("1" (FLATTEN) (("1" (EXPAND "member") (("1" (EXPAND "gen_union") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "guars_for") (("1" (EXPAND "guar_or_hidds_for") (("1" (EXPAND "member") (("1" (EXPAND "make_two_set_tr") (("1" (EXPAND "make_two_set") (("1" (SKOSIMP*) (("1" (REPLACE -3 :HIDE? -3) (("1" (EXPAND "compose_guar2") (("1" (EXPAND "union" +) (("1" (EXPAND "intersection" +) (("1" (EXPAND "member") (("1" (SPLIT -2) (("1" (REPLACE -1 :HIDE? 
-1) (("1" (INSTANTIATE -1 "union(guar(tran_cmp(cmp2!1,sttran2!1,agtran2!1)),hidd(tran_cmp(cmp2!1,sttran2!1,agtran2!1)))") (("1" (SPLIT -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (FLATTEN) (("1" (DELETE 2) (("1" (GROUND) NIL))))))))))))) ("2" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("2" (GROUND) NIL))))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (INSTANTIATE -1 "union(guar(tran_cmp(cmp1!1,sttran1!1,agtran1!1)),hidd(tran_cmp(cmp1!1,sttran1!1,agtran1!1)))") (("2" (SPLIT -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (GROUND) NIL))))))))) ("2" (INSTANTIATE 1 "tran_cmp(cmp1!1,sttran1!1,agtran1!1)") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (EXPAND "compose_guar") (("2" (EXPAND "intersection") (("2" (EXPAND "compose_guar2") (("2" (EXPAND "union") (("2" (EXPAND "intersection") (("2" (EXPAND "member") (("2" (EXPAND "gen_intersection") (("2" (EXPAND "gen_union") (("2" (EXPAND "member") (("2" (EXPAND "guar_or_hidds_for") (("2" (EXPAND "guars_for") (("2" (EXPAND "member") (("2" (EXPAND "make_two_set_tr") (("2" (EXPAND "make_two_set") (("2" (SPLIT -1) (("1" (FLATTEN) (("1" (SPLIT 1) (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (SPLIT -1) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (GROUND) NIL))))))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (EXPAND "union") (("2" (EXPAND "member") (("2" (GROUND) NIL))))))))))))))))) ("2" (INST?) (("2" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))))) ("2" (INST?) (("2" (GROUND) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))))))) ("2" (FLATTEN) (("2" (SPLIT 1) (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? 
-2) (("1" (SPLIT -1) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (GROUND) NIL))))))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (EXPAND "union") (("2" (EXPAND "member") (("2" (GROUND) NIL))))))))))))))))) ("2" (INST?) (("2" (GROUND) (("1" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))))) ("2" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("2" (GROUND) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))))))) ("3" (FLATTEN) (("3" (SPLIT) (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (GROUND) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (GROUND) NIL))))))))))))))))) ("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_rely2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[[ST,ST,AG]]") (("" (INST?) (("" (GROUND) (("" (EXPAND "compose_rely") (("" (EXPAND "compose_rely2") (("" (DELETE 2) (("" (SKOLEM!) 
(("" (IFF) (("" (EXPAND "gen_intersection") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "relys_for") (("" (EXPAND "union") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (SPLIT) (("1" (FLATTEN) (("1" (INSTANTIATE -1 "rely(tran_cmp(cmp1!1,sttran1!1,agtran1!1))" T) (("1" (INSTANTIATE -1 "rely(tran_cmp(cmp2!1,sttran2!1,agtran2!1))") (("1" (SPLIT -1) (("1" (SPLIT -2) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (GROUND) NIL))))))))) ("2" (INSTANTIATE 1 "tran_cmp(cmp1!1,sttran1!1,agtran1!1)") (("2" (GROUND) NIL))))) ("2" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("2" (GROUND) NIL))))))))))) ("2" (SKOSIMP*) (("2" (REPLACE -4 :HIDE? -4) (("2" (SPLIT -3) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (EXPAND "union") (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_cags2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[AG]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "compose_cags") (("" (EXPAND "compose_cags2") (("" (EXPAND "gen_union") (("" (EXPAND "union") (("" (EXPAND "member") (("" (EXPAND "cagss_for") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (GROUND) (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))) ("2" (INST?) (("2" (GROUND) (("2" (INST?) (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))) ("3" (INST?) 
(("3" (GROUND) (("3" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))))))))))))))))))))))))))))))))))))) (|compose_view2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[[ST,ST]]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "compose_view") (("" (EXPAND "compose_view2") (("" (EXPAND "gen_intersection") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "extend") (("" (EXPAND "views_for") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (GROUND) (("1" (INST?) (("1" (ASSERT) (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))) ("2" (INST?) (("2" (ASSERT) (("2" (INSTANTIATE 2 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))) ("3" (SKOSIMP*) (("3" (SPLIT) (("1" (SKOSIMP*) (("1" (REPLACE -3 :HIDE? -3) (("1" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))) ("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|compose_hidd2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[[ST,ST,AG]]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "compose_hidd") (("" (EXPAND "compose_hidd2") (("" (EXPAND "gen_intersection") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "hidds_for") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (INST?) 
(("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))) ("2" (INST?) (("2" (GROUND) (("2" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))) ("3" (SKOSIMP*) (("3" (REPLACE -4 :HIDE? -4) (("3" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))) (|compose_wfar2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[setof[[ST,ST,AG]]]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "compose_wfar") (("" (EXPAND "compose_wfar2") (("" (EXPAND "gen_union") (("" (EXPAND "union") (("" (EXPAND "member") (("" (EXPAND "wfars_for") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (GROUND) (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))) ("2" (INST?) (("2" (GROUND) (("2" (INST?) (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))) ("3" (INST?) (("3" (GROUND) (("3" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))))))))))))))))))))))))))))))))))))) (|compose_sfar2_def| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[setof[[ST,ST,AG]]]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) 
(("" (IFF) (("" (EXPAND "compose_sfar") (("" (EXPAND "compose_sfar2") (("" (EXPAND "gen_union") (("" (EXPAND "union") (("" (EXPAND "member") (("" (EXPAND "sfars_for") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (GROUND) (("1" (SKOSIMP*) (("1" (REPLACE -2 :HIDE? -2) (("1" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))) ("2" (INST?) (("2" (GROUND) (("2" (INST?) (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))) ("3" (INST?) (("3" (GROUND) (("3" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REWRITE "tr_cmp_type") NIL))))))))))))))))))))))))))))))))))))))))) (|composable_init2_def| "" (SKOLEM!) (("" (IFF) (("" (EXPAND "agreeable_start") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "composable_init2") (("" (EXPAND "member") (("" (EXPAND "make_two_set") (("" (EXPAND "compose_init2") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (REWRITE "nonempty_th[ST]") (("" (EXPAND "member") (("" (GROUND) (("1" (SKOSIMP*) (("1" (INSTANTIATE -1 "tran_cmp(cmp1!1,sttran1!1,agtran1!1)" T) (("1" (INSTANTIATE -1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("1" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (INST?) (("1" (GROUND) NIL))))))))) ("2" (REWRITE "tr_cmp_type") NIL))) ("2" (REWRITE "tr_cmp_type") NIL))))) ("2" (SKOSIMP*) (("2" (INST?) (("2" (SKOSIMP*) (("2" (SPLIT) (("1" (REPLACE -1 :HIDE? -1) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (PROPAX) NIL))))))) ("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))) (|composable2_def| "" (SKOLEM!) 
(("" (IFF) (("" (EXPAND "composable") (("" (EXPAND "composable2") (("" (REWRITE "composable_init2_def") (("" (REWRITE "nonempty_th[(comp_t[ST,AG])]") (("" (GROUND) (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (INST?) (("" (EXPAND "make_two_set") (("" (PROPAX) NIL))))))))))))))))))))))) (|compose_base2_TCC1| "" (SKOLEM!) (("" (EXPAND "compose_view2") (("" (REWRITE "view_and_prop") NIL))))) (|compose_base2_def| "" (SKOLEM!) (("" (EXPAND "compose_base2") (("" (EXPAND "compose_base") (("" (CASE "c!1 /= (PROJ_1(c!1),PROJ_2(c!1),PROJ_3(c!1),PROJ_4(c!1),PROJ_5(c!1),PROJ_6(c!1))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "(composable2)") (("1" (INST?) (("1" (GROUND) NIL))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (GROUND) (("1" (USE "compose_init2_def") (("1" (GROUND) NIL))) ("2" (USE "compose_guar2_def") (("2" (GROUND) NIL))) ("3" (USE "compose_rely2_def") (("3" (GROUND) NIL))) ("4" (USE "compose_cags2_def") (("4" (GROUND) NIL))) ("5" (USE "compose_view2_def") (("5" (GROUND) NIL))) ("6" (USE "compose_wfar2_def") (("6" (GROUND) NIL))) ("7" (USE "compose_sfar2_def") (("7" (GROUND) NIL))) ("8" (USE "compose_hidd2_def") (("8" (GROUND) NIL))))))))))))))))) (|compose2_TCC1| "" (SKOLEM!) (("" (REWRITE "compose_base2_def") (("" (REWRITE "compose_base_tc") (("" (LEMMA "composable2_def") (("" (INSTANTIATE -1 ("PROJ_5(c!1)" "PROJ_6(c!1)" "PROJ_1(c!1)" "PROJ_2(c!1)" "PROJ_3(c!1)" "PROJ_4(c!1)")) (("" (TYPEPRED "c!1") (("" (GROUND) (("" (CASE "c!1 /= (PROJ_1(c!1),PROJ_2(c!1),PROJ_3(c!1),PROJ_4(c!1),PROJ_5(c!1),PROJ_6(c!1))") (("1" (DELETE -2 -3 1 2) (("1" (EXTENSIONALITY "(composable2)") (("1" (INSTANTIATE -1 ("c!1" "(PROJ_1(c!1), PROJ_2(c!1), PROJ_3(c!1), PROJ_4(c!1), PROJ_5(c!1), PROJ_6(c!1))")) (("1" (GROUND) NIL))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? 
-1) (("2" (GROUND) NIL))))))))))))))))))))) (|compose2_def_TCC1| "" (SKOSIMP*) (("" (TYPEPRED "c!1") (("" (LEMMA "composable2_def") (("" (INSTANTIATE -1 ("PROJ_5(c!1)" "PROJ_6(c!1)" "PROJ_1(c!1)" "PROJ_2(c!1)" "PROJ_3(c!1)" "PROJ_4(c!1)")) (("" (CASE "c!1 /= (PROJ_1(c!1),PROJ_2(c!1),PROJ_3(c!1),PROJ_4(c!1),PROJ_5(c!1),PROJ_6(c!1))") (("1" (EXTENSIONALITY "(composable2)") (("1" (INSTANTIATE -1 ("c!1" "(PROJ_1(c!1), PROJ_2(c!1), PROJ_3(c!1), PROJ_4(c!1), PROJ_5(c!1), PROJ_6(c!1))")) (("1" (GROUND) NIL))))) ("2" (FLATTEN) (("2" (REPLACE -1 -2 RL :HIDE? -1) (("2" (GROUND) NIL))))))))))))))) (|compose2_def| "" (SKOLEM!) (("" (EXPAND "compose2") (("" (EXPAND "compose") (("" (REWRITE "compose_base2_def") (("" (EXPAND "compose_base") (("" (PROPAX) NIL))))))))))))
$$$cmp_thm2.pvs
% Two-component composition theorem.  cmp1 and cmp2 live in their own
% state/agent types (ST1/AG1 and ST2/AG2); each is mapped into the shared
% types ST/AG by a state translator and an agent translator (tran_cmp) and
% the two images are composed with compose2 (defined earlier in this dump).
cmp_thm2[ST: NONEMPTY_TYPE, ST1: NONEMPTY_TYPE, ST2 : NONEMPTY_TYPE,
         AG: NONEMPTY_TYPE, AG1: NONEMPTY_TYPE, AG2: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING compose2[ST, ST1,ST2,AG,AG1,AG2]
  % compose_idempotent presumably supplies the ci_component lemma used by
  % the compose_thm1/compose_thm2 proofs (see cmp_thm2.prf below).
  IMPORTING compose_idempotent[ST,AG]
  IMPORTING cmp_thm[ST, AG]

  p: VAR prop_t[ST, AG]
  cmp1: VAR (comp_t[ST1, AG1])
  cmp2: VAR (comp_t[ST2, AG2])
  st, st1, st2: VAR ST   % st itself is not referenced in this theory
  ag: VAR AG

  % NOTE(review): compose2 declares agtran1/agtran2 as weak_translator_t,
  % whereas every theorem below quantifies over translator_t.  Whether
  % translator_t is a subtype of weak_translator_t is not visible in this
  % file; confirm that the results here cover every agent translator that
  % compose2 accepts, or document the restriction where they are applied.
  sttran1 : VAR (translator_t[ST1,ST])
  agtran1 : VAR (translator_t[AG1,AG])
  sttran2 : VAR (translator_t[ST2,ST])
  agtran2 : VAR (translator_t[AG2,AG])

  % cmp1 respects cmp2's restrictions: every translated guarantee step of
  % cmp1 that is not also a guarantee step of cmp2, yet lies in cmp2's hidd
  % set, must be a step in cmp2's rely set.  guar/hidd/rely are record
  % fields of a component (see compose_base2 in compose2); their intended
  % reading is fixed by the imported component theories, not shown here.
  respects_restrictions1(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): bool =
    (FORALL st1, st2, ag:
       member((st1,st2,ag),tr_ac(guar(cmp1), sttran1, agtran1))
       AND not member((st1, st2, ag),tr_ac(guar(cmp2), sttran2, agtran2))
       and member((st1, st2, ag),tr_ac(hidd(cmp2), sttran2, agtran2))
       implies member((st1, st2, ag), tr_ac(rely(cmp2), sttran2, agtran2)))

  % Symmetric condition: cmp2 respects cmp1's restrictions.
  respects_restrictions2(cmp1, cmp2, sttran1, sttran2, agtran1, agtran2): bool =
    (FORALL st1, st2, ag:
       member((st1,st2,ag),tr_ac(guar(cmp2), sttran2, agtran2))
       AND not member((st1, st2, ag),tr_ac(guar(cmp1), sttran1, agtran1))
       and member((st1, st2, ag),tr_ac(hidd(cmp1), sttran1, agtran1))
       implies member((st1, st2, ag), tr_ac(rely(cmp1), sttran1,
agtran1)))

  % Bridge to the n-ary theory: respecting the other component's
  % restrictions is what makes a translated component "tolerate" the
  % two-element component set, which is the hypothesis the imported
  % cmp_thm needs (compose_thm1/compose_thm2 instantiate cmp_thm with it).
  respects_and_tolerates_same2: THEOREM
    respects_restrictions2(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)
    implies tolerates(singleton(tran_cmp(cmp1,sttran1,agtran1)),
                      make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1, agtran2))

  respects_and_tolerates_same1: THEOREM
    respects_restrictions1(cmp1,cmp2,sttran1,sttran2,agtran1,agtran2)
    implies tolerates(singleton(tran_cmp(cmp2,sttran2,agtran2)),
                      make_two_set_tr(cmp1,cmp2,sttran1,sttran2,agtran1, agtran2))

  % A property of the translated cmp1 survives composition with cmp2,
  % provided the pair is composable and cmp2 respects cmp1's restrictions.
  compose_thm1: THEOREM
    composable2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2)
    AND respects_restrictions2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2)
    IMPLIES (satisfies(tran_cmp(cmp1,sttran1,agtran1), p)
             IMPLIES satisfies(compose2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2), p))

  % Mirror image of compose_thm1 for the translated cmp2.
  compose_thm2: THEOREM
    composable2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2)
    AND respects_restrictions1(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2)
    IMPLIES (satisfies(tran_cmp(cmp2,sttran2,agtran2), p)
             IMPLIES satisfies(compose2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2), p))

  % Main result: any property satisfied by either translated component is
  % satisfied by the composition.  composable2 and the two
  % respects_restrictions conditions are the obligations that must be
  % discharged for concrete components before this theorem is applied; the
  % proof (cmp_thm2.prf) is just compose_thm1 and compose_thm2 together.
  compose_thm: THEOREM
    composable2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2)
    AND respects_restrictions1(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2)
    and respects_restrictions2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2)
    IMPLIES ((satisfies(tran_cmp(cmp1,sttran1,agtran1), p)
              OR satisfies(tran_cmp(cmp2,sttran2,agtran2), p))
             IMPLIES satisfies(compose2(cmp1, cmp2,sttran1,sttran2,agtran1,agtran2), p))
END cmp_thm2
$$$cmp_thm2.prf
(|cmp_thm2| (|respects_and_tolerates_same2| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "tolerates") (("" (SKOSIMP*) (("" (EXPAND "tolerates_cmp") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (EXPAND "respects_restrictions2") (("" (EXPAND "member") (("" (SPLIT -2) (("1" (REPLACE -1 :HIDE? -1) (("1" (DELETE -1) (("1" (INST?) (("1" (EXPAND "singleton") (("1" (GROUND) NIL))))))))) ("2" (REPLACE -1 :HIDE?
-1) (("2" (INSTANTIATE -1 ("PROJ_1(tran!1)" "PROJ_2(tran!1)" "PROJ_3(tran!1)")) (("2" (EXPAND "singleton") (("2" (REPLACE -3 :HIDE? -3) (("2" (INSTANTIATE 1 "tran_cmp(cmp1!1,sttran1!1,agtran1!1)") (("2" (EXPAND "tran_cmp") (("2" (GROUND) (("1" (EXPAND "tr_cmp") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))) ("2" (EXPAND "tr_cmp") (("2" (GROUND) NIL))) ("3" (EXPAND "tr_cmp") (("3" (GROUND) NIL))) ("4" (EXPAND "tr_cmp") (("4" (EXPAND "union") (("4" (EXPAND "member") (("4" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))) (|respects_and_tolerates_same1| "" (SKOSIMP*) (("" (EXPAND "tolerates") (("" (SKOSIMP*) (("" (EXPAND "tolerates_cmp") (("" (SKOSIMP*) (("" (EXPAND "respects_restrictions1") (("" (EXPAND "member") (("" (EXPAND "make_two_set_tr") (("" (EXPAND "make_two_set") (("" (EXPAND "singleton") (("" (REPLACE -4 :HIDE? -4) (("" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("" (GROUND) (("" (EXPAND "tran_cmp" +) (("" (REPLACE -1 :HIDE? -1) (("" (EXPAND "tr_cmp") (("" (EXPAND "union") (("" (EXPAND "member") (("" (INSTANTIATE -1 ("PROJ_1(tran!1)" "PROJ_2(tran!1)" "PROJ_3(tran!1)")) (("" (GROUND) (("1" (EXPAND "tran_cmp") (("1" (EXPAND "tr_cmp") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (CASE "(PROJ_1(tran!1),PROJ_2(tran!1),PROJ_3(tran!1)) /= tran!1") (("1" (FLATTEN) (("1" (GROUND) NIL))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (PROPAX) NIL))))))))))))))) ("2" (EXPAND "tran_cmp") (("2" (EXPAND "tr_cmp") (("2" (EXPAND "union") (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_thm1_TCC1| "" (SUBTYPE-TCC) NIL) (|compose_thm1| "" (SKOSIMP*) (("" (LEMMA "cmp_thm") (("" (REWRITE "compose2_def") (("" (LEMMA "ci_component") (("" (INSTANTIATE -1 "tran_cmp(cmp1!1,sttran1!1,agtran1!1)") (("" (REPLACE -1 -5 RL :HIDE? 
-1) (("" (INSTANTIATE -1 ("singleton(tran_cmp(cmp1!1,sttran1!1,agtran1!1))" "make_two_set_tr(cmp1!1,cmp2!1,sttran1!1,sttran2!1,agtran1!1,agtran2!1)" "p!1")) (("" (SPLIT -1) (("1" (PROPAX) NIL) ("2" (EXPAND "subset?") (("2" (EXPAND "member") (("2" (EXPAND "singleton" 1) (("2" (EXPAND "make_two_set_tr" 1) (("2" (EXPAND "make_two_set") (("2" (SKOSIMP*) NIL))))))))))) ("3" (REWRITE "respects_and_tolerates_same2") NIL) ("4" (REWRITE "composable2_def") NIL) ("5" (REWRITE "nonempty_th") (("5" (EXPAND "member") (("5" (EXPAND "singleton" +) (("5" (INST?) NIL))))))) ("6" (PROPAX) NIL))))))))))))))))) (|compose_thm2_TCC1| "" (SUBTYPE-TCC) NIL) (|compose_thm2| "" (SKOSIMP*) (("" (REWRITE "compose2_def") (("" (LEMMA "composable2_def") (("" (INST?) (("" (REPLACE -1 -2 RL :HIDE? -1) (("" (LEMMA "respects_and_tolerates_same1") (("" (INST?) (("" (GROUND) (("" (DELETE -3) (("" (LEMMA "cmp_thm") (("" (INSTANTIATE -1 ("singleton(tran_cmp(cmp2!1,sttran2!1,agtran2!1))" "make_two_set_tr(cmp1!1,cmp2!1,sttran1!1,sttran2!1,agtran1!1,agtran2!1)" "p!1")) (("" (GROUND) (("1" (EXPAND "subset?") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (EXPAND "make_two_set_tr") (("1" (EXPAND "make_two_set") (("1" (SKOSIMP*) NIL))))))))))) ("2" (LEMMA "nonempty_th[(comp_t[ST,AG])]") (("2" (INSTANTIATE -1 "singleton(tran_cmp(cmp2!1,sttran2!1,agtran2!1))") (("2" (GROUND) (("2" (INSTANTIATE 1 "tran_cmp(cmp2!1,sttran2!1,agtran2!1)") (("2" (EXPAND "member") (("2" (EXPAND "singleton" +) (("2" (PROPAX) NIL))))))))))))) ("3" (REWRITE "ci_component") NIL))))))))))))))))))))))))) (|compose_thm_TCC1| "" (SUBTYPE-TCC) NIL) (|compose_thm| "" (SKOSIMP*) (("" (REWRITE "compose_thm1") (("" (REWRITE "compose_thm2") NIL))))))
$$$beh_equiv.pvs
% Behavioural equivalence of traces up to a view.  Two traces are
% beh_equiv under a view v when, at every index, their states are v-related
% and their agents are equal.  The theorems show that beh_equiv(v) is itself
% an equivalence (a VIEWS relation on traces) and that a component's
% property set prop_for(cmp) cannot tell apart traces that are equivalent
% under that component's own view.
%
% NOTE(review): beh_equiv.prf (below) carries a proof script named
% cmp_property_fact whose tree ends in two POSTPONE steps, and no
% declaration with that name appears in this theory.  Either the theorem
% was dropped and the unfinished script is stale, or the theorem is
% missing.  Resolve it so the proof status of this theory stays auditable;
% an unfinished script is not evidence for any claim.
beh_equiv[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING cprops[ST, AG]
  IMPORTING views[trace_t[ST, AG]]

  b, b1, b2, b3: VAR trace_t
  p: VAR prop_t
  v: VAR (VIEWS[ST])
  i: VAR nat
  cmp: VAR (comp_t)
  tranc: VAR setof[transition]

  % Pointwise equivalence: v-related states and identical agents at every step.
  beh_equiv(v)(b1, b2): bool =
    (FORALL i: v(sts(b1)(i), sts(b2)(i)) AND ags(b1)(i) = ags(b2)(i))

  % beh_equiv(v) is reflexive, symmetric and transitive ...
  beh_equiv_is_refl: THEOREM beh_equiv(v)(b, b)
  beh_equiv_is_sym: THEOREM beh_equiv(v)(b1, b2) IMPLIES beh_equiv(v)(b2, b1)
  beh_equiv_is_trans: THEOREM
    beh_equiv(v)(b1, b2) AND beh_equiv(v)(b2, b3) IMPLIES beh_equiv(v)(b1, b3)
  % ... and hence a VIEWS relation on traces.
  beh_equiv_is_equiv: THEOREM VIEWS(beh_equiv(v))

  % Each clause of prop_for(cmp) is closed under equivalence w.r.t. view(cmp).
  beh_equiv_init: THEOREM
    beh_equiv(view(cmp))(b1, b2) AND initial_okay(cmp, b1) IMPLIES initial_okay(cmp, b2)

  % A transition set satisfying gen_view_restriction(tranc, v) (from cprops,
  % not shown; presumably "tranc does not distinguish v-related states")
  % admits the same step at index i in both traces.
  beh_equiv_gen_steps: THEOREM
    beh_equiv(v)(b1, b2) AND gen_view_restriction(tranc, v)
    AND member((sts(b1)(i), sts(b1)(i + 1), ags(b1)(i)), tranc)
    IMPLIES member((sts(b2)(i), sts(b2)(i + 1), ags(b2)(i)), tranc)

  beh_equiv_steps: THEOREM
    beh_equiv(view(cmp))(b1, b2) AND steps_okay(cmp, b1) IMPLIES steps_okay(cmp, b2)

  % Enabledness of a view-respecting transition set transfers between
  % equivalent traces; used for the fairness clauses below.
  beh_equiv_enabled: THEOREM
    beh_equiv(v)(b1, b2) AND gen_view_restriction(tranc, v)
    AND enabled(tranc, sts(b1)(i)) IMPLIES enabled(tranc, sts(b2)(i))

  beh_equiv_wfar: THEOREM
    beh_equiv(view(cmp))(b1, b2) AND is_wfar(cmp, b1) IMPLIES is_wfar(cmp, b2)
  beh_equiv_sfar: THEOREM
    beh_equiv(view(cmp))(b1, b2) AND is_sfar(cmp, b1) IMPLIES is_sfar(cmp, b2)

  % Putting the clauses together: membership in prop_for(cmp) is invariant
  % under beh_equiv(view(cmp)).
  beh_equiv_prop_help: THEOREM
    beh_equiv(view(cmp))(b1, b2) AND member(b1, prop_for(cmp)) IMPLIES member(b2, prop_for(cmp))
  beh_equiv_prop: THEOREM
    beh_equiv(view(cmp))(b1, b2) IMPLIES (member(b1, prop_for(cmp)) IFF member(b2, prop_for(cmp)))

  % A property p "respects" view v when it cannot distinguish v-equivalent traces.
  property(p, v): bool =
    (FORALL b1, b2: beh_equiv(v)(b1, b2) IMPLIES (member(b1, p) IFF member(b2, p)))

  % p respects the view of component cmp.
  cmp_property(p, cmp): bool = property(p, view(cmp))
END beh_equiv
$$$beh_equiv.prf
(|beh_equiv| (|beh_equiv_is_refl| "" (SKOLEM!) (("" (EXPAND "beh_equiv") (("" (SKOLEM!) (("" (REWRITE "refl_view") NIL))))))) (|beh_equiv_is_sym| "" (SKOSIMP*) (("" (EXPAND "beh_equiv") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (REWRITE "sym_view") NIL))))))))))) (|beh_equiv_is_trans| "" (SKOSIMP*) (("" (EXPAND "beh_equiv") (("" (SKOSIMP*) (("" (INST?) (("" (INST?)
(("" (GROUND) (("" (LEMMA "trans_view[ST]") (("" (INSTANTIATE -1 ("v!1" "sts(b1!1)(i!1)" "sts(b2!1)(i!1)" "sts(b3!1)(i!1)")) (("" (GROUND) NIL))))))))))))))))) (|beh_equiv_is_equiv| "" (SKOLEM!) (("" (EXPAND "VIEWS") (("" (GROUND) (("1" (SKOLEM!) (("1" (REWRITE "beh_equiv_is_refl") NIL))) ("2" (SKOSIMP*) (("2" (LEMMA "beh_equiv_is_sym") (("2" (INSTANTIATE -1 ("x1!1" "x2!1" "v!1")) (("2" (GROUND) NIL))))))) ("3" (LEMMA "beh_equiv_is_trans") (("3" (SKOSIMP*) (("3" (INSTANTIATE -1 ("x1!1" "x2!1" "x3!1" "v!1")) (("3" (GROUND) NIL))))))))))))) (|beh_equiv_init| "" (SKOSIMP*) (("" (EXPAND "initial_okay") (("" (USE "component_view_init") (("" (EXPAND "view_init_restriction") (("" (EXPAND "beh_equiv") (("" (INSTANTIATE -2 "0") (("" (INST?) (("" (GROUND) NIL))))))))))))))) (|beh_equiv_gen_steps| "" (SKOSIMP*) (("" (EXPAND "beh_equiv") (("" (INSTANTIATE -1 "i!1" T) (("" (INSTANTIATE -1 "i!1+1") (("" (EXPAND "gen_view_restriction") (("" (INSTANTIATE -3 ("ags(b1!1)(i!1)" "sts(b1!1)(i!1)" "sts(b1!1)(i!1+1)" "sts(b2!1)(i!1)" "sts(b2!1)(i!1+1)")) (("" (GROUND) NIL))))))))))))) (|beh_equiv_steps| "" (SKOSIMP*) (("" (EXPAND "steps_okay") (("" (EXPAND "member") (("" (EXPAND "steps") (("" (SKOLEM!) (("" (INSTANTIATE -2 "n!1") (("" (LEMMA "beh_equiv_gen_steps") (("" (INSTANTIATE -1 ("b1!1" "b2!1" "n!1" _ "view(cmp!1)")) (("" (GROUND) (("1" (INST?) (("1" (EXPAND "member") (("1" (USE "component_view_guar") (("1" (EXPAND "view_guar_restriction") (("1" (PROPAX) NIL))))))))) ("2" (INST?) 
(("2" (EXPAND "member") (("2" (USE "component_view_rely") (("2" (EXPAND "view_rely_restriction") (("2" (PROPAX) NIL))))))))) ("3" (DELETE -2) (("3" (LEMMA "square_view[ST]") (("3" (INSTANTIATE -1 ("view(cmp!1)" "sts(b1!1)(n!1)" "sts(b1!1)(n!1+1)" "sts(b2!1)(n!1)" "sts(b2!1)(n!1+1)")) (("3" (EXPAND "beh_equiv") (("3" (INSTANTIATE -3 "n!1" T) (("3" (INSTANTIATE -3 "n!1+1" T) (("3" (GROUND) NIL))))))))))))))))))))))))))))))) (|beh_equiv_enabled| "" (SKOSIMP*) (("" (EXPAND "enabled") (("" (SKOSIMP*) (("" (INSTANTIATE 1 ("st2!1" "ag!1")) (("" (EXPAND "gen_view_restriction") (("" (INSTANTIATE -2 ("ag!1" "sts(b1!1)(i!1)" "st2!1" "sts(b2!1)(i!1)" "st2!1")) (("" (GROUND) (("1" (EXPAND "beh_equiv") (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (REWRITE "refl_view") NIL))))))))))))))) (|beh_equiv_wfar| "" (SKOSIMP*) (("" (EXPAND "is_wfar") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (INST?) (("" (SKOSIMP*) (("" (INST?) (("" (SPLIT -2) (("1" (LEMMA "beh_equiv_enabled") (("1" (INSTANTIATE -1 ("b2!1" "b1!1" "j!1" "tranc!1" "view(cmp!1)")) (("1" (LEMMA "beh_equiv_is_sym") (("1" (INSTANTIATE -1 ("b1!1" "b2!1" "view(cmp!1)")) (("1" (LEMMA "component_view_wfar") (("1" (INST?) (("1" (EXPAND "view_wfar_restriction") (("1" (INST?) (("1" (GROUND) NIL))))))))))))))))) ("2" (LEMMA "beh_equiv_gen_steps") (("2" (INSTANTIATE -1 ("b1!1" "b2!1" "j!1" "tranc!1" "view(cmp!1)")) (("2" (USE "component_view_wfar") (("2" (EXPAND "view_wfar_restriction") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))) (|beh_equiv_sfar| "" (SKOSIMP*) (("" (EXPAND "is_sfar") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (INST?) (("" (SKOSIMP*) (("" (INST?) (("" (USE "component_view_sfar") (("" (EXPAND "view_sfar_restriction") (("" (INST?) (("" (GROUND) (("1" (SKOSIMP*) (("1" (DELETE 1) (("1" (INST?) 
(("1" (GROUND) (("1" (LEMMA "beh_equiv_enabled") (("1" (INSTANTIATE -1 ("b2!1" "b1!1" "k!1" "tranc!1" "view(cmp!1)")) (("1" (GROUND) (("1" (REWRITE "beh_equiv_is_sym") NIL))))))))))))))) ("2" (DELETE 1) (("2" (SKOSIMP*) (("2" (INST?) (("2" (GROUND) (("2" (LEMMA "beh_equiv_gen_steps") (("2" (INSTANTIATE -1 ("b1!1" "b2!1" "l!1" "tranc!1" "view(cmp!1)")) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))) (|beh_equiv_prop_help| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "prop_for") (("" (GROUND) (("1" (USE "beh_equiv_init") (("1" (GROUND) NIL))) ("2" (USE "beh_equiv_steps") (("2" (GROUND) NIL))) ("3" (USE "beh_equiv_wfar") (("3" (GROUND) NIL))) ("4" (USE "beh_equiv_sfar") (("4" (GROUND) NIL))))))))))) (|beh_equiv_prop| "" (SKOSIMP*) (("" (GROUND) (("1" (USE "beh_equiv_prop_help") (("1" (GROUND) NIL))) ("2" (LEMMA "beh_equiv_prop_help") (("2" (INSTANTIATE -1 ("b2!1" "b1!1" "cmp!1")) (("2" (GROUND) (("2" (REWRITE "beh_equiv_is_sym") NIL))))))))))) (|cmp_property_fact| "" (SKOSIMP*) (("" (EXPAND "cmp_property") (("" (EXPAND "property") (("" (EXPAND "satisfies") (("" (SKOSIMP*) (("" (INSTANTIATE -1 "b1!1" T) (("" (INSTANTIATE -1 "b2!1") (("" (LEMMA "beh_equiv_prop") (("" (INST?) 
(("" (EXPAND "member") (("" (SPLIT -1) (("1" (CASE "prop_for(cmp!1)(b1!1)") (("1" (GROUND) NIL) ("2" (CASE "prop_for(cmp!1)(b2!1)") (("1" (GROUND) NIL) ("2" (DELETE -1 -2 -3) (("2" (POSTPONE) NIL))))))) ("2" (POSTPONE) NIL)))))))))))))))))))))))) $$$tpreds.pvs tpreds[ST: NONEMPTY_TYPE, ST1: NONEMPTY_TYPE, AG: NONEMPTY_TYPE, AG1: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING tprops[ST, ST1, AG, AG1] IMPORTING ac_translators[ST1, AG1, ST, AG] IMPORTING preds[ST, AG] IMPORTING preds[ST1, AG1] IMPORTING unity xsp: VAR STATE_PRED[ST1, AG1] ysp: VAR STATE_PRED[ST, AG] xap: VAR ACTION_PRED[ST1, AG1] yap: VAR ACTION_PRED[ST, AG] xp1, xp2: VAR prop_t[ST1, AG1] yp1, yp2: VAR prop_t[ST, AG] xst, xst1, xst2: VAR ST1 yst, yst1, yst2: VAR ST xag: VAR AG1 yag: VAR AG sttran1: VAR (translator_t[ST1, ST]) agtran1: VAR (translator_t[AG1, AG]) sp_tran: THEOREM (FORALL yst: tmap(sttran1, xsp)(yst) IFF ysp(yst)) IMPLIES pmap(stbp(xsp), sttran1, agtran1) = (stbp(ysp)) always_sp_tran: THEOREM (FORALL yst: tmap(sttran1, xsp)(yst) IFF ysp(yst)) IMPLIES pmap(alwayss(xsp), sttran1, agtran1) = (alwayss(ysp)) always_tmap: THEOREM pmap(alwayss(xsp), sttran1, agtran1) = alwayss(tmap(sttran1, xsp)) pimplies_pmap: THEOREM pmap(pimplies(xp1, xp2), sttran1, agtran1) = pimplies(pmap(xp1, sttran1, agtran1), pmap(xp2, sttran1, agtran1)) ap_tran: THEOREM (FORALL yst1, yst2, yag: tr_ac[ST1, AG1, ST, AG](xap, sttran1, agtran1)(yst1, yst2, yag) IFF yap(yst1, yst2, yag)) IMPLIES pmap(atbp(xap), sttran1, agtran1) = (atbp(yap)) always_ap_tran: THEOREM (FORALL yst1, yst2, yag: tr_ac[ST1, AG1, ST, AG](xap, sttran1, agtran1)(yst1, yst2, yag) IFF yap(yst1, yst2, yag)) IMPLIES pmap(alwaysa(xap), sttran1, agtran1) = (alwaysa(yap)) END tpreds $$$tpreds.prf (|tpreds| (|sp_tran| "" (SKOSIMP*) (("" (EXTENSIONALITY "prop_t[ST,AG]") (("" (INST?) 
(("" (GROUND) (("" (HIDE 2) (("" (SKOSIMP) (("" (EXPAND "pmap") (("" (EXPAND "pmap1") (("" (EXPAND "stbp") (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (IFF) (("" (GROUND) (("1" (SKOSIMP) (("1" (EXPAND "tmap") (("1" (EXPAND "member") (("1" (INST - "0") (("1" (INST? -) (("1" (GROUND) (("1" (INST? +) (("1" (GROUND) NIL))))))))))))))) ("2" (INSTANTIATE 1 "(# sts := (LAMBDA (n : nat): trinv(sttran1!1,sts(x!1)(n))), ags := (LAMBDA (n : nat): trinv(agtran1!1,ags(x!1)(n))) #)") (("2" (SIMPLIFY) (("2" (GROUND) (("1" (SKOSIMP) (("1" (REWRITE "trinv_def[ST1,ST]") (("1" (REWRITE "trinv_def[AG1,AG]") (("1" (GROUND) NIL))))))) ("2" (EXPAND "tmap") (("2" (EXPAND "member") (("2" (LEMMA "help3[ST1,ST]") (("2" (INST? -3) (("2" (GROUND) (("2" (SKOSIMP) (("2" (CASE "x!2=trinv(sttran1!1, sts(x!1)(0))") (("1" (REPLACE -1) (("1" (PROPAX) NIL))) ("2" (INST? -) (("2" (INST?) (("2" (GROUND) (("2" (REWRITE "trinv_def[ST1,ST]") NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|always_sp_tran| "" (SKOSIMP*) (("" (EXTENSIONALITY "prop_t[ST,AG]") (("" (INST?) (("" (GROUND) (("" (HIDE 2) (("" (SKOSIMP) (("" (EXPAND "pmap") (("" (EXPAND "pmap1") (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "tmap") (("" (IFF) (("" (EXPAND "member") (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (GROUND) (("1" (SKOSIMP*) (("1" (INST? -3) (("1" (GROUND) (("1" (INST - "i!1") (("1" (INST - "i!1") (("1" (INST? +) (("1" (GROUND) NIL))))))))))))) ("2" (INST + "(# sts := (LAMBDA (n : nat): trinv(sttran1!1,sts(x!1)(n))), ags := (LAMBDA (n : nat): trinv(agtran1!1,ags(x!1)(n))) #)") (("2" (SIMPLIFY) (("2" (GROUND) (("1" (SKOSIMP) (("1" (REWRITE "trinv_def[ST1,ST]") (("1" (REWRITE "trinv_def[AG1,AG]") (("1" (GROUND) NIL))))))) ("2" (SKOLEM!) (("2" (INSTANTIATE -1 "i!1") (("2" (INST?) 
(("2" (GROUND) (("2" (DELETE -2 -3) (("2" (SKOSIMP) (("2" (CASE "x!2=trinv(sttran1!1, sts(x!1)(i!1))") (("1" (REPLACE -1) (("1" (PROPAX) NIL))) ("2" (USE "help3[ST1,ST]") (("2" (GROUND) (("2" (REWRITE "trinv_def[ST1,ST]") NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|always_tmap| "" (SKOSIMP) (("" (REWRITE "always_sp_tran") NIL))) (|pimplies_pmap| "" (SKOSIMP) (("" (REWRITE "extensionality") (("" (HIDE 2) (("" (SKOSIMP) (("" (IFF) (("" (EXPAND "pmap") (("" (EXPAND "pmap1") (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "pimplies") (("" (EXPAND "member") (("" (GROUND) (("1" (SKOSIMP*) (("1" (INST + "t1!1") (("1" (GROUND) (("1" (CASE-REPLACE "t1!1=t1!2") (("1" (EXTENSIONALITY "trace_t[ST1,AG1]") (("1" (INST?) (("1" (GROUND) (("1" (REWRITE "extensionality") (("1" (SKOSIMP) (("1" (INST?) (("1" (INST?) (("1" (USE "help3[AG1,AG]") (("1" (GROUND) NIL))))))))))) ("2" (REWRITE "extensionality") (("2" (SKOSIMP) (("2" (INST?) (("2" (INST?) (("2" (USE "help3[ST1,ST]") (("2" (GROUND) NIL))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (INST? +) (("2" (GROUND) NIL))))) ("3" (CASE "(EXISTS (t1: trace_t[ST1, AG1]): ((FORALL (n: nat): sttran1!1(sts(t1)(n))(sts(x!1)(n)) AND agtran1!1(ags(t1)(n))(ags(x!1)(n)))))") (("1" (SKOSIMP) (("1" (INST? +) (("1" (INST? +) (("1" (GROUND) NIL))))))) ("2" (HIDE 2 3) (("2" (INST + "(# sts:= (LAMBDA (n: nat): epsilon! (st: ST1): sttran1!1(st)(sts(x!1)(n))), ags:= (LAMBDA (n: nat): epsilon! (ag: AG1): agtran1!1(ag)(ags(x!1)(n))) #)") (("2" (GROUND) (("2" (SKOSIMP) (("2" (GROUND) (("1" (USE "epsilon_ax[ST1]") (("1" (GROUND) (("1" (USE "help5[ST1,ST]") NIL))))) ("2" (USE "epsilon_ax[AG1]") (("2" (GROUND) (("2" (USE "help5[AG1,AG]") NIL))))))))))))))))))))))))))))))))))))))))))) (|ap_tran| "" (SKOSIMP*) (("" (EXTENSIONALITY "prop_t[ST,AG]") (("" (INST?) 
(("" (GROUND) (("" (HIDE 2) (("" (SKOSIMP) (("" (EXPAND "pmap") (("" (EXPAND "pmap1") (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "atbp") (("" (EXPAND "tr_ac") (("" (EXPAND "member") (("" (IFF) (("" (GROUND) (("1" (SKOSIMP*) (("1" (INST? -3) (("1" (GROUND) (("1" (INST? +) (("1" (GROUND) (("1" (INST? -) (("1" (GROUND) NIL))) ("2" (INST? -) (("2" (GROUND) NIL))) ("3" (INST? -) (("3" (GROUND) NIL))))))))))))) ("2" (INST + "(# sts := (LAMBDA (n : nat): trinv(sttran1!1,sts(x!1)(n))), ags := (LAMBDA (n : nat): trinv(agtran1!1,ags(x!1)(n))) #)") (("2" (GROUND) (("1" (SKOSIMP) (("1" (REWRITE "trinv_def[ST1,ST]") (("1" (REWRITE "trinv_def[AG1,AG]") (("1" (GROUND) NIL))))))) ("2" (INST? -) (("2" (GROUND) (("2" (SKOSIMP*) (("2" (LEMMA "trinv_def[ST1,ST]") (("2" (CASE "a1!1=trinv(sttran1!1, sts(x!1)(0))" "a2!1=trinv(sttran1!1, sts(x!1)(1))" "b!1=trinv(agtran1!1, ags(x!1)(0))") (("1" (GROUND) NIL) ("2" (USE "help3[AG1,AG]") (("2" (GROUND) (("2" (USE "trinv_def[AG1,AG]") NIL))))) ("3" (LEMMA "help3[ST1,ST]") (("3" (INST? - :WHERE +) (("3" (INST?) (("3" (GROUND) (("3" (REWRITE "trinv_def[ST1,ST]") NIL))))))))) ("4" (USE "help3[ST1,ST]") (("4" (GROUND) (("4" (REWRITE "trinv_def[ST1,ST]") NIL))))))))))))))))))))))))))))))))))))))))))))))))))) (|always_ap_tran| "" (SKOSIMP*) (("" (EXTENSIONALITY "prop_t[ST,AG]") (("" (INST?) (("" (GROUND) (("" (HIDE 2) (("" (SKOSIMP) (("" (EXPAND "pmap") (("" (EXPAND "pmap1") (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "alwaysa") (("" (EXPAND "always") (("" (EXPAND "atbp") (("" (EXPAND "tr_ac") (("" (EXPAND "member") (("" (EXPAND "shift") (("" (IFF) (("" (GROUND) (("1" (SKOSIMP*) (("1" (INST? -3) (("1" (GROUND) (("1" (INST - "i!1") (("1" (INST - "i!1") (("1" (INST? +) (("1" (GROUND) (("1" (REVEAL -2) (("1" (INST? 
-) (("1" (GROUND) NIL))))))))))))))))))) ("2" (INST + "(# sts := (LAMBDA (n : nat): trinv(sttran1!1,sts(x!1)(n))), ags := (LAMBDA (n : nat): trinv(agtran1!1,ags(x!1)(n))) #)") (("2" (GROUND) (("1" (SKOSIMP) (("1" (REWRITE "trinv_def[ST1,ST]") (("1" (REWRITE "trinv_def[AG1,AG]") (("1" (GROUND) NIL))))))) ("2" (SKOSIMP) (("2" (INST - "i!1") (("2" (INST? -) (("2" (GROUND) (("2" (SKOSIMP) (("2" (CASE "a1!1=trinv(sttran1!1, sts(x!1)(i!1))" "a2!1=trinv(sttran1!1, sts(x!1)(i!1+1))" "b!1=trinv(agtran1!1, ags(x!1)(i!1))") (("1" (GROUND) NIL) ("2" (USE "help3[AG1,AG]") (("2" (GROUND) (("2" (USE "trinv_def[AG1,AG]") NIL))))) ("3" (LEMMA "help3[ST1,ST]") (("3" (INST? - :WHERE +) (("3" (INST?) (("3" (GROUND) (("3" (REWRITE "trinv_def[ST1,ST]") NIL))))))))) ("4" (USE "help3[ST1,ST]") (("4" (GROUND) (("4" (REWRITE "trinv_def[ST1,ST]") NIL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) $$$ks_props.pvs ks_props : THEORY BEGIN IMPORTING ks_spec IMPORTING preds[(KS_STATE), THREAD ] st, st1, st2 : VAR (KS_STATE) thread: VAR THREAD to, handle, reply_port : VAR NAME key: VAR KEY kernel_req : VAR KERNEL_REQ seed : VAR SEED ks_valid_key_pred : STATE_PRED = (LAMBDA st : (FORALL thread, handle : (ks_threads(thread) AND key_handles(thst(st)(thread))(handle)) IMPLIES (EXISTS seed : handle_to_key(thst(st)(thread))(handle) = generate_key(server_mech(thst(st)(thread)),seed)))) ks_valid_key_prop1: THEOREM init_satisfies(ks_comp, ks_valid_key_pred) ks_valid_key_prop2: THEOREM steps_satisfy(ks_comp, stable(ks_valid_key_pred)) ks_valid_key_prop: THEOREM satisfies(ks_comp, alwayss(ks_valid_key_pred)) ks_provide_key_pred : STATE_PRED = (LAMBDA st: (FORALL kernel_req, thread, to, reply_port, key: (ks_threads(thread) AND pending_requests(kst(st))(kernel_req) AND kernel_req = send_message_req(thread, to, provide_key_op, reply_port, provide_key_msg(key)) IMPLIES (EXISTS handle : key_handles(thst(st)(thread))(handle) AND key = handle_to_key(thst(st)(thread))(handle))))) ks_provide_key_prop1: 
THEOREM init_satisfies(ks_comp, ks_provide_key_pred) ks_provide_key_prop2: CONJECTURE steps_satisfy(ks_comp, stable(ks_provide_key_pred)) ks_provide_key_prop: CONJECTURE satisfies(ks_comp, alwayss(ks_provide_key_pred)) ks_provide_valid_key_pred : STATE_PRED = (LAMBDA st: (FORALL kernel_req, thread, to, reply_port, key: (ks_threads(thread) AND pending_requests(kst(st))(kernel_req) AND kernel_req = send_message_req(thread, to, provide_key_op, reply_port, provide_key_msg(key)) IMPLIES (EXISTS seed : key = generate_key(server_mech(thst(st)(thread)),seed))))) ks_provide_valid_key_prop: CONJECTURE satisfies(ks_comp, alwayss(ks_provide_valid_key_pred)) END ks_props $$$ks_props.prf (|ks_props| (IMPORTING2_TCC1 "" (INST 1 "ks_state_witness") NIL) (|ks_valid_key_pred_TCC1| "" (SKOSIMP) NIL) (|ks_valid_key_pred_TCC2| "" (SKOSIMP) NIL) (|ks_valid_key_prop1| "" (EXPAND "init_satisfies") (("" (SKOSIMP) (("" (REWRITE "ks_comp") (("" (REWRITE "base_ks_comp") (("" (BETA) (("" (REWRITE "ks_valid_key_pred") (("" (SKOSIMP) (("" (HIDE 1) (("" (EXPAND "initial_ks_states") (("" (INST?) 
(("" (FLATTEN) (("" (REPLACE -1) (("" (EXPAND "emptyset") (("" (PROPAX) NIL))))))))))))))))))))))))))) (|ks_valid_key_prop2| "" (EXPAND "steps_satisfy") (("" (SKOSIMP) (("" (EXPAND "stable") (("" (FLATTEN) (("" (EXPAND "ks_valid_key_pred") (("" (SKOSIMP*) (("" (INST -2 "thread!1" "handle!1") (("" (EXPAND "ks_comp") (("" (EXPAND "base_ks_comp") (("" (SPLIT -1) (("1" (EXPAND "ks_guar") (("1" (FLATTEN) (("1" (SPLIT -2) (("1" (EXPAND "ks_view") (("1" (REPLACE -1) (("1" (SPLIT -3) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL))))))) ("2" (FLATTEN) (("2" (CASE "key_handle_inv(st1!1,st2!1)") (("1" (EXPAND "key_handle_inv") (("1" (EXPAND "ks_step") (("1" (FLATTEN) (("1" (EXPAND "ks_static") (("1" (SKOSIMP*) (("1" (INST -1 "thread!1") (("1" (INST -5 "thread!1") (("1" (FLATTEN) (("1" (REPLACE -2) (("1" (INST -3 "thread!1") (("1" (FLATTEN) (("1" (REPLACE -1) (("1" (REPLACE -4) (("1" (SPLIT -10) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL))))))))))))))))))))))))))))) ("2" (EXPAND "ks_op") (("2" (SPLIT -2) (("1" (EXPAND "ks_receive_request") (("1" (FLATTEN) (("1" (REPLACE -1) (("1" (GROUND) NIL))))))) ("2" (EXPAND "ks_init_key_retrieval") (("2" (SKOSIMP) (("2" (EXPAND "assign_key") (("2" (EXPAND "new_handle") (("2" (FLATTEN) (("2" (EXPAND "ks_step") (("2" (EXPAND "ks_static") (("2" (FLATTEN) (("2" (INST -12 "thread!1") (("2" (FLATTEN) (("2" (REPLACE -13) (("2" (INST -16 "thread!1") (("2" (HIDE -1 -2 -3 -4 -12 -14 -15 1) (("2" (SPLIT -9) (("1" (REPLACE -1) (("1" (SPLIT -11) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL))))) ("2" (REPLACE -1) (("2" (REPLACE -7) (("2" (REPLACE -5) (("2" (EXPAND "add") (("2" (SPLIT -13) (("1" (REPLACE -1) (("1" (BETA) (("1" (INST?) NIL))))) ("2" (EXPAND "member") (("2" (SPLIT -12) (("1" (CASE "handle!1 = handle!2") (("1" (REPLACE -1) (("1" (BETA) (("1" (SKOLEM!) (("1" (INST?) NIL))))))) ("2" (SKOLEM!) (("2" (INST?) 
(("2" (REPLACE -1 :DIR RL) (("2" (GROUND) NIL))))))))) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))) ("3" (EXPAND "ks_retrieve_key") (("3" (SKOSIMP) NIL))))))))))))))))) ("2" (EXPAND "ks_rely") (("2" (FLATTEN) (("2" (EXPAND "ks_environment") (("2" (FLATTEN) (("2" (REPLACE -2 :DIR RL) (("2" (BETA) (("2" (SPLIT -3) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL))))))))))))))))))))))))))))))))))) (|ks_valid_key_prop| "" (REWRITE "inv1") (("1" (REWRITE "ks_valid_key_prop1") NIL) ("2" (REWRITE "ks_valid_key_prop2") NIL))) (|ks_provide_key_pred_TCC1| "" (SKOSIMP) NIL) (|ks_provide_key_pred_TCC2| "" (SUBTYPE-TCC) NIL) (|ks_provide_key_prop1| "" (EXPAND "ks_comp") (("" (EXPAND "base_ks_comp") (("" (EXPAND "init_satisfies") (("" (SKOSIMP) (("" (EXPAND "initial_ks_states") (("" (EXPAND "ks_provide_key_pred") (("" (SKOSIMP) (("" (INST -1 "thread!1") (("" (FLATTEN) (("" (REPLACE -3) (("" (EXPAND "emptyset") (("" (PROPAX) NIL))))))))))))))))))))))) (|ks_provide_key_prop2| "" (EXPAND "ks_comp") (("" (EXPAND "base_ks_comp") (("" (EXPAND "steps_satisfy") (("" (SKOSIMP) (("" (EXPAND "stable") (("" (FLATTEN) (("" (SPLIT) (("1" (EXPAND "ks_state_step") (("1" (FLATTEN) (("1" (EXPAND "ks_provide_key_pred") (("1" (SKOSIMP) (("1" (EXPAND "ks_op") (("1" (CASE "(FORALL (kreq : KERNEL_REQ): (send_message_req?(kreq) AND smop(kreq) = provide_key_op AND pending_requests(kst(st2!1))(kreq)) IMPLIES pending_requests(kst(st1!1))(kreq))" "key_handle_inv(st1!1, st2!1)") (("1" (EXPAND "key_handle_inv") (("1" (INST -1 "thread!1") (("1" (INST? -2) (("1" (FLATTEN) (("1" (REPLACE -1) (("1" (REPLACE -2) (("1" (REPLACE -10 -3) (("1" (BETA) (("1" (SIMPLIFY) (("1" (REPLACE -10 -3 :DIR RL) (("1" (SPLIT -3) (("1" (INST? 
-7) (("1" (GROUND) NIL))) ("2" (PROPAX) NIL))))))))))))))))))))))) ("2" (EXPAND "ks_receive_request") (("2" (SPLIT -4) (("1" (FLATTEN) (("1" (PROPAX) NIL))) ("2" (INST -2 "kernel_req!1") (("2" (REPLACE -8 -2) (("2" (SIMPLIFY) (("2" (REPLACE -8 -2 :DIR RL) (("2" (GROUND) (("2" (INST? -5) (("2" (GROUND) (("2" (EXPAND "ks_init_key_retrieval") (("2" (SKOLEM! -1) (("2" (FLATTEN) (("2" (SKOLEM! -4) (("2" (FLATTEN) (("2" (INST 2 "handle!1") (("2" (SPLIT) (("1" (EXPAND "new_handle") (("1" (FLATTEN) (("1" (EXPAND "ks_step") (("1" (FLATTEN) (("1" (INST -16 "thread!1") (("1" (SPLIT -16) (("1" (REPLACE -1) (("1" (PROPAX) NIL))) ("2" (REPLACE -1) (("2" (REPLACE -12) (("2" (EXPAND "add") (("2" (FLATTEN) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))) ("2" (EXPAND "assign_key") (("2" (FLATTEN) (("2" (EXPAND "ks_step") (("2" (FLATTEN) (("2" (INST -16 "thread!1") (("2" (SPLIT -16) (("1" (REPLACE -1) (("1" (PROPAX) NIL))) ("2" (REPLACE -1) (("2" (REPLACE -13) (("2" (TYPEPRED "thst(st1!1)(ag!1)") (("2" (LIFT-IF) (("2" (SPLIT) (("1" (FLATTEN) (("1" (REPLACE -1) (("1" (EXPAND "KS_THREAD_STATE") (("1" (FLATTEN) (("1" (EXPAND "disjoint?") (("1" (EXPAND "empty?") (("1" (EXPAND "intersection") (("1" (EXPAND "member") (("1" (INST -2 "handle!1") (("1" (SPLIT 2) (("1" (PROPAX) NIL) ("2" (PROPAX) NIL))))))))))))))))))))) ("2" (FLATTEN) (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))) ("3" (EXPAND "ks_retrieve_key") (("3" (SKOLEM!) 
(("3" (FLATTEN) (("3" (PROPAX) NIL))))))))))) ("3" (SPLIT -3) (("1" (EXPAND "ks_receive_request") (("1" (FLATTEN) (("1" (EXPAND "ks_receive_request_submit") (("1" (SKOSIMP) (("1" (EXPAND "receive_msg") (("1" (FLATTEN) (("1" (SKOSIMP) (("1" (REPLACE -10 -13) (("1" (EXPAND "add") (("1" (SPLIT -13) (("1" (REPLACE -1 :DIR RL) (("1" (BETA) (("1" (PROPAX) NIL))))) ("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))) ("2" (EXPAND "ks_init_key_retrieval") (("2" (SKOSIMP) (("2" (EXPAND "send_msg") (("2" (FLATTEN) (("2" (SKOSIMP) (("2" (REPLACE -14 -17) (("2" (EXPAND "add" -17) (("2" (SPLIT -17) (("1" (REPLACE -1 -17 :DIR RL) (("1" (BETA) (("1" (LEMMA "ks_provide_ops_distinct") (("1" (GROUND) NIL))))))) ("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))) ("3" (EXPAND "ks_retrieve_key") (("3" (SKOSIMP) (("3" (EXPAND "key_handle_inv") (("3" (INST -6 "ag!1") (("3" (EXPAND "send_msg") (("3" (FLATTEN) (("3" (EXPAND "add") (("3" (HIDE 1) (("3" (REPLACE -14) (("3" (HIDE -14) (("3" (EXPAND "member") (("3" (SPLIT -18) (("1" (REPLACE -19 -1) (("1" (LEMMA "KERNEL_REQ_smth_send_message_req") (("1" (INST-CP -1 "ag!1" "reply_port!2" "provide_key_op" "null_name" "provide_key_msg(key!2)") (("1" (REPLACE -3 -2) (("1" (BETA) (("1" (HIDE -1) (("1" (REPLACE -1) (("1" (REPLACE -8) (("1" (REPLACE -9) (("1" (INST 1 "service_port(ri!1)") (("1" (LEMMA "KERNEL_REQ_smusr_msg_send_message_req") (("1" (INST -1 "ag!1" "reply_port!2" "provide_key_op" "null_name" "provide_key_msg(key!2)") (("1" (REPLACE -3 -1) (("1" (BETA) (("1" (EXPAND "provide_key_msg") (("1" (EXPAND "null_user_msg") (("1" (GROUND) (("1" (CASE "user_data((# user_data := null_data, user_rights := null_seq:FSEQ[USER_RIGHT] #) WITH [(user_data) := key_to_data(key!1)]) = key_to_data(key!1)") (("1" (REPLACE -2) (("1" (BETA) (("1" (REWRITE "key_to_data_inj") NIL))))) ("2" (BETA) (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))) ("2" (INST -17 "kernel_req!1" "thread!1" "to!1" "reply_port!1" "key!1") (("2" (GROUND) 
(("2" (EXPAND "ks_step") (("2" (FLATTEN) (("2" (INST -18 "thread!1") (("2" (GROUND) (("1" (REPLACE -1) (("1" (PROPAX) NIL))) ("2" (REPLACE -1) (("2" (REPLACE -9) (("2" (REPLACE -10) (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ("2" (EXPAND "ks_env_step") (("2" (FLATTEN) (("2" (EXPAND "ks_environment") (("2" (FLATTEN) (("2" (EXPAND "environment_base") (("2" (FLATTEN) (("2" (EXPAND "pending_requests_rely") (("2" (EXPAND "ks_provide_key_pred") (("2" (SKOSIMP) (("2" (INST?) (("2" (INST?) (("2" (FLATTEN) (("2" (SPLIT -4) (("1" (SPLIT -6) (("1" (REPLACE -6 :DIR RL) (("1" (BETA) (("1" (PROPAX) NIL))))) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL) ("4" (PROPAX) NIL))) ("2" (PROPAX) NIL))))))))))))))))))))))))))) ("3" (EXPAND "ks_view") (("3" (REPLACE -1) (("3" (PROPAX) NIL))))))))))))))))))) (|ks_provide_key_prop| "" (REWRITE "inv1") (("1" (REWRITE "ks_provide_key_prop1") NIL) ("2" (REWRITE "ks_provide_key_prop2") NIL))) (|ks_provide_valid_key_prop| "" (LEMMA "ks_provide_key_prop") (("" (LEMMA "ks_valid_key_prop") (("" (LEMMA "always_and") (("" (INST?) (("" (INST -1 "alwayss(ks_provide_key_pred)") (("" (IFF) (("" (FLATTEN) (("" (HIDE -2) (("" (SPLIT) (("1" (HIDE -2 -3) (("1" (REWRITE "inv6") (("1" (LEMMA "always_simplies") (("1" (INST -1 "ks_comp" "sand(ks_valid_key_pred, ks_provide_key_pred)" "ks_provide_valid_key_pred") (("1" (GROUND) (("1" (SKOLEM!) (("1" (EXPAND "simplies") (("1" (EXPAND "sand") (("1" (HIDE -1 2) (("1" (FLATTEN) (("1" (EXPAND "ks_valid_key_pred") (("1" (EXPAND "ks_provide_valid_key_pred") (("1" (EXPAND "ks_provide_key_pred") (("1" (SKOSIMP) (("1" (INST?) (("1" (INST? -2) (("1" (GROUND) (("1" (SKOSIMP) (("1" (INST?) 
(("1" (GROUND) NIL))))))))))))))))))))))))))))))))))))))) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL)))))))))))))))))))) $$$preds.pvs preds[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING cprops[ST, AG] STATE_PRED: TYPE = setof[ST] sp, sp1, sp2: VAR STATE_PRED cmp: VAR (comp_t[ST, AG]) st, st1, st2: VAR ST ag: VAR AG init_satisfies(cmp, sp): bool = (FORALL st: init(cmp)(st) IMPLIES sp(st)) ACTION_PRED: TYPE = setof[[ST, ST, AG]] ap, ap1, ap2: VAR ACTION_PRED steps_satisfy(cmp, ap): bool = (FORALL st1, st2, ag: (guar(cmp)(st1, st2, ag) OR rely(cmp)(st1, st2, ag)) IMPLIES ap(st1, st2, ag)) stable(sp): ACTION_PRED = (LAMBDA st1, st2, ag: sp(st1) IMPLIES sp(st2)) t: VAR trace_t p: VAR prop_t i, j: VAR nat shift(i, t): trace_t = (# sts := (LAMBDA j: sts(t)(i + j)), ags := (LAMBDA j: ags(t)(i + j)) #) always(p): prop_t = (LAMBDA t: (FORALL i: p(shift(i, t)))) eventually(p): prop_t = (LAMBDA t: (EXISTS i: p(shift(i, t)))) stbp(sp): prop_t = (LAMBDA t: sp(sts(t)(0))) atbp(ap): prop_t = (LAMBDA t: ap(sts(t)(0), sts(t)(1), ags(t)(0))) alwayss(sp): prop_t = always(stbp(sp)) eventuallys(sp): prop_t = eventually(stbp(sp)) alwayss_prop: THEOREM alwayss(sp) = (LAMBDA t: (FORALL i: sp(sts(t)(i)))) eventuallys_prop: THEOREM eventuallys(sp) = (LAMBDA t: (EXISTS i: sp(sts(t)(i)))) alwaysa(ap): prop_t = always(atbp(ap)) eventuallya(ap): prop_t = eventually(atbp(ap)) alwaysa_prop: THEOREM alwaysa(ap) = (LAMBDA t: (FORALL i: ap(sts(t)(i), sts(t)(i + 1), ags(t)(i)))) eventuallya_prop: THEOREM eventuallya(ap) = (LAMBDA t: (EXISTS i: ap(sts(t)(i), sts(t)(i + 1), ags(t)(i)))) inv1: THEOREM init_satisfies(cmp, sp) AND steps_satisfy(cmp, stable(sp)) IMPLIES satisfies(cmp, alwayss(sp)) inv2: THEOREM steps_satisfy(cmp, ap) IMPLIES satisfies(cmp, alwaysa(ap)) aandas(ap, sp): ACTION_PRED = (LAMBDA st1, st2, ag: ap(st1, st2, ag) AND sp(st1)) inv3: THEOREM intersection(alwaysa(ap), alwayss(sp)) = alwaysa(aandas(ap, sp)) inv4: THEOREM intersection(alwayss(sp), alwaysa(ap)) = 
alwaysa(aandas(ap, sp)) aand(ap1, ap2): ACTION_PRED = (LAMBDA st1, st2, ag: ap1(st1, st2, ag) AND ap2(st1, st2, ag)) aimplies(ap1, ap2): ACTION_PRED = (LAMBDA st1, st2, ag: ap1(st1, st2, ag) IMPLIES ap2(st1, st2, ag)) inv5: THEOREM intersection(alwaysa(ap1), alwaysa(ap2)) = alwaysa(aand(ap1, ap2)) sand(sp1, sp2): STATE_PRED = (LAMBDA st: sp1(st) AND sp2(st)) sor(sp1, sp2): STATE_PRED = (LAMBDA st: sp1(st) OR sp2(st)) simplies(sp1, sp2): STATE_PRED = (LAMBDA st: sp1(st) IMPLIES sp2(st)) inv6: THEOREM intersection(alwayss(sp1), alwayss(sp2)) = alwayss(sand(sp1, sp2)) p1, p2: VAR prop_t always_and: THEOREM (satisfies(cmp, p1) AND satisfies(cmp, p2)) = satisfies(cmp, intersection(p1, p2)) always_aimplies: THEOREM satisfies(cmp, alwaysa(ap1)) AND (FORALL st1, st2, ag: aimplies(ap1, ap2)(st1, st2, ag)) IMPLIES satisfies(cmp, alwaysa(ap2)) END preds $$$preds.prf (|preds| (|alwayss_prop| "" (SKOLEM!) (("" (EXTENSIONALITY "prop_t") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (PROPAX) NIL))))))))))))))))))))) (|eventuallys_prop| "" (SKOSIMP*) (("" (EXTENSIONALITY "prop_t") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (EXPAND "shift") (("" (EXPAND "stbp") (("" (PROPAX) NIL))))))))))))))))))))) (|alwaysa_prop| "" (SKOLEM!) (("" (EXPAND "alwaysa") (("" (EXPAND "always") (("" (EXPAND "atbp") (("" (EXPAND "shift") (("" (PROPAX) NIL))))))))))) (|eventuallya_prop| "" (SKOSIMP*) (("" (EXTENSIONALITY "prop_t") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (EXPAND "eventuallya") (("" (EXPAND "eventually") (("" (EXPAND "atbp") (("" (EXPAND "shift") (("" (PROPAX) NIL))))))))))))))))))))) (|inv1| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "satisfies") (("" (SKOLEM!) 
(("" (FLATTEN) (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (INDUCT "i") (("1" (EXPAND "init_satisfies") (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "prop_for") (("1" (EXPAND "initial_okay") (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))) ("2" (SKOLEM!) (("2" (FLATTEN) (("2" (EXPAND "steps_satisfy") (("2" (EXPAND "stable") (("2" (INSTANTIATE -3 ("sts(t!1)(j!1)" "sts(t!1)(j!1+1)" "ags(t!1)(j!1)")) (("2" (EXPAND "prop_for") (("2" (FLATTEN) (("2" (EXPAND "steps_okay") (("2" (INSTANTIATE -5 "j!1") (("2" (EXPAND "steps") (("2" (EXPAND "union") (("2" (EXPAND "member") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))) (|inv2| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "alwaysa") (("" (EXPAND "always") (("" (EXPAND "atbp") (("" (EXPAND "shift") (("" (SKOLEM!) (("" (EXPAND "prop_for") (("" (EXPAND "steps_okay") (("" (FLATTEN) (("" (EXPAND "member") (("" (INST?) (("" (EXPAND "steps") (("" (EXPAND "steps_satisfy") (("" (EXPAND "union") (("" (EXPAND "member") (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|inv3| "" (SKOLEM!) (("" (EXTENSIONALITY "prop_t") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "alwaysa") (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "atbp") (("" (EXPAND "shift") (("" (EXPAND "stbp") (("" (EXPAND "aandas") (("" (GROUND) (("1" (SKOLEM!) (("1" (INST?) (("1" (INST?) (("1" (GROUND) NIL))))))) ("2" (SKOLEM!) (("2" (INST?) (("2" (GROUND) NIL))))) ("3" (SKOLEM!) (("3" (INST?) (("3" (GROUND) NIL))))))))))))))))))))))))))))))))))))))) (|inv4| "" (SKOLEM!) (("" (EXTENSIONALITY "prop_t") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) 
(("" (IFF) (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "alwaysa") (("" (EXPAND "alwayss") (("" (EXPAND "stbp") (("" (EXPAND "atbp") (("" (EXPAND "always") (("" (EXPAND "shift") (("" (EXPAND "aandas") (("" (SPLIT) (("1" (FLATTEN) (("1" (SKOLEM!) (("1" (INST?) (("1" (INST?) (("1" (GROUND) NIL))))))))) ("2" (FLATTEN) (("2" (SPLIT) (("1" (SKOLEM!) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (SKOLEM!) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))) (|inv5| "" (SKOLEM!) (("" (EXTENSIONALITY "prop_t") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "intersection") (("" (EXPAND "alwaysa") (("" (EXPAND "member") (("" (EXPAND "always") (("" (EXPAND "atbp") (("" (EXPAND "shift") (("" (EXPAND "aand") (("" (GROUND) (("1" (SKOLEM!) (("1" (INST?) (("1" (INST?) (("1" (GROUND) NIL))))))) ("2" (SKOLEM!) (("2" (INST?) (("2" (GROUND) NIL))))) ("3" (SKOLEM!) (("3" (INST?) (("3" (GROUND) NIL))))))))))))))))))))))))))))))))))) (|inv6| "" (SKOLEM!) (("" (EXTENSIONALITY "prop_t") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (EXPAND "sand") (("" (GROUND) (("1" (SKOLEM!) (("1" (INST?) (("1" (INST?) (("1" (GROUND) NIL))))))) ("2" (SKOLEM!) (("2" (INST?) (("2" (GROUND) NIL))))) ("3" (SKOLEM!) (("3" (INST?) (("3" (GROUND) NIL))))))))))))))))))))))))))))))))))) (|always_and| "" (SKOLEM!) (("" (EXPAND "satisfies") (("" (IFF) (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (GROUND) (("1" (SKOLEM!) (("1" (INST?) (("1" (INST?) (("1" (GROUND) NIL))))))) ("2" (SKOLEM!) (("2" (INST?) (("2" (GROUND) NIL))))) ("3" (SKOLEM!) (("3" (INST?) (("3" (GROUND) NIL))))))))))))))))) (|always_aimplies| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INST?) 
(("" (GROUND) (("" (EXPAND "alwaysa") (("" (EXPAND "always") (("" (EXPAND "atbp") (("" (SKOLEM!) (("" (INST?) (("" (EXPAND "aimplies") (("" (INST?) (("" (GROUND) NIL)))))))))))))))))))))))))))) $$$unity.pvs unity[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING preds[ST, AG] sp, sp1, sp2, sp3: VAR STATE_PRED cmp: VAR (comp_t) st, st1, st2: VAR ST ag: VAR AG tranc: VAR TRANSITION_CLASS t: VAR trace_t p1, p2: VAR prop_t pimplies(p1, p2): prop_t = (LAMBDA t: member(t, p1) IMPLIES member(t, p2)) por(p1, p2): prop_t = (LAMBDA t: member(t, p1) OR member(t, p2)) negate_sp(sp): STATE_PRED = (LAMBDA st: NOT sp(st)) unless_pred(sp1, sp2): ACTION_PRED = (LAMBDA st1, st2, ag: sand(sp1, negate_sp(sp2))(st1) IMPLIES sor(sp1, sp2)(st2)) unless(cmp, sp1, sp2): bool = satisfies(cmp, alwaysa(unless_pred(sp1, sp2))) unless_help: THEOREM steps_satisfy(cmp, unless_pred(sp1, sp2)) IMPLIES unless(cmp, sp1, sp2) i, j, k, l, m: VAR nat ip: VAR [nat -> bool] ip_help: THEOREM ip(m) AND (FORALL i: (FORALL j: m <= j AND j < i IMPLIES ip(j)) IMPLIES ip(i)) IMPLIES (FORALL k: (FORALL l: m <= l AND l <= k IMPLIES ip(l))) ip_help1: THEOREM ip(m) AND (FORALL i: (FORALL j: m <= j AND j < i IMPLIES ip(j)) IMPLIES ip(i)) IMPLIES (FORALL k: m <= k IMPLIES ip(k)) unless_prop1: THEOREM unless(cmp, sp1, sp2) IMPLIES satisfies(cmp, always(pimplies(stbp(sp1), por(alwayss(sp1), eventuallys(sp2))))) unless_prop2: THEOREM unless(cmp, sp1, sp2) AND prop_for(cmp)(t) AND sp1(sts(t)(i)) IMPLIES ((FORALL j: sp1(sts(t)(i + j))) OR (EXISTS k: sp2(sts(t)(i + k)) AND (FORALL l: l < k IMPLIES sp1(sts(t)(i + l))))) ensuresb(cmp, sp1, sp2, tranc): bool = unless(cmp, sp1, sp2) AND member(tranc, sfar(cmp)) AND (FORALL st1, st2, ag: (member((st1, st2, ag), tranc) AND sp1(st1) AND NOT sp2(st1)) IMPLIES sp2(st2)) ensures(cmp, sp1, sp2): bool = unless(cmp, sp1, sp2) AND (EXISTS tranc: ensuresb(cmp, sp1, sp2, tranc)) wensuresb(cmp, sp1, sp2, tranc): bool = unless(cmp, sp1, sp2) AND member(tranc, wfar(cmp)) AND 
(FORALL st1, st2, ag: (member((st1, st2, ag), tranc) AND sp1(st1) AND NOT sp2(st1)) IMPLIES sp2(st2)) wensures(cmp, sp1, sp2): bool = unless(cmp, sp1, sp2) AND (EXISTS tranc: wensuresb(cmp, sp1, sp2, tranc)) enabled_sp(tranc): STATE_PRED = (LAMBDA st: enabled(tranc, st)) leads_to(cmp, sp1, sp2): bool = satisfies(cmp, always(pimplies(stbp(sp1), eventuallys(sp2)))) leads_to1: THEOREM ensuresb(cmp, sp1, sp2, tranc) AND leads_to(cmp, sp1, enabled_sp(tranc)) IMPLIES leads_to(cmp, sp1, sp2) leads_to1w: THEOREM wensuresb(cmp, sand(enabled_sp(tranc), sp1), sp2, tranc) IMPLIES leads_to(cmp, sand(enabled_sp(tranc), sp1), sp2) leads_to_2: THEOREM (FORALL st: simplies(sp1, sp2)(st)) AND leads_to(cmp, sp2, sp) IMPLIES leads_to(cmp, sp1, sp) leads_to_3: THEOREM (FORALL st: simplies(sp1, sp2)(st)) AND leads_to(cmp, sp, sp1) IMPLIES leads_to(cmp, sp, sp2) leads_to_or: THEOREM leads_to(cmp, sp1, sp) AND leads_to(cmp, sp2, sp) IMPLIES leads_to(cmp, sor(sp1, sp2), sp) leads_to_tran: THEOREM leads_to(cmp, sp, sp1) AND leads_to(cmp, sp1, sp2) IMPLIES leads_to(cmp, sp, sp2) true_sp(st): bool = TRUE leads_to_true: THEOREM leads_to(cmp, true_sp, sp) IMPLIES satisfies(cmp, always(eventuallys(sp))) leads_to_stable: THEOREM leads_to(cmp, true_sp, sp) AND steps_satisfy(cmp, stable(sp)) IMPLIES satisfies(cmp, eventually(alwayss(sp))) leads_to_invariant: THEOREM leads_to(cmp, sp1, sp) AND satisfies(cmp, alwayss(sp2)) IMPLIES leads_to(cmp, sand(sp1, sp2), sp) AND leads_to(cmp, sp1, sand(sp, sp2)) AND leads_to(cmp, sand(sp1, sp2), sand(sp, sp2)) leads_to_invariant1: THEOREM leads_to(cmp, sp1, sp) AND satisfies(cmp, alwayss(sp2)) IMPLIES ((FORALL st: simplies(sand(sp3, sp2), sp1)(st)) IMPLIES leads_to(cmp, sp3, sp)) END unity $$$unity.prf (|unity| (|unless_help| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "unless") (("" (REWRITE "inv2") NIL))))))) (|ip_help| "" (SKOLEM!) (("" (FLATTEN) (("" (INDUCT "k") (("1" (SKOLEM!) (("1" (GROUND) NIL))) ("2" (SKOLEM!) (("2" (FLATTEN) (("2" (SKOLEM!) 
(("2" (FLATTEN) (("2" (CASE "l!1 = j!1+1") (("1" (INSTANTIATE -6 "l!1") (("1" (GROUND) (("1" (SKOLEM!) (("1" (INSTANTIATE -2 "j!2") (("1" (GROUND) NIL))))))))) ("2" (INSTANTIATE -5 "l!1") (("2" (GROUND) (("2" (SKOLEM!) (("2" (INSTANTIATE -1 "j!2") (("2" (GROUND) NIL))))))))))))))))))))))))) (|ip_help1| "" (SKOLEM!) (("" (LEMMA "ip_help") (("" (INST?) (("" (GROUND) (("" (SKOLEM!) (("" (INSTANTIATE -1 "k!1") (("" (INSTANTIATE -1 "k!1") (("" (GROUND) NIL))))))))))))))) (|unless_prop1| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (EXPAND "unless") (("" (EXPAND "satisfies") (("" (INST?) (("" (GROUND) (("" (EXPAND "always") (("" (SKOLEM!) (("" (EXPAND "pimplies") (("" (FLATTEN) (("" (EXPAND "member") (("" (EXPAND "por") (("" (EXPAND "member") (("" (EXPAND "alwayss") (("" (EXPAND "eventuallys") (("" (EXPAND "always") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (LEMMA "ip_help1") (("" (INSTANTIATE -1 ("(LAMBDA l: sp1!1(sts(t!1)(l+i!1)))" "0")) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (FLATTEN) (("" (CASE "i!2 = 0") (("1" (GROUND) NIL) ("2" (CASE "not i!2 > 0") (("1" (GROUND) NIL) ("2" (CASE "not i!2-1 >= 0") (("1" (GROUND) NIL) ("2" (INSTANTIATE 3 "i!2-1" T) (("1" (INSTANTIATE 3 "i!2") (("1" (INSTANTIATE -3 "i!2-1") (("1" (GROUND) (("1" (EXPAND "alwaysa") (("1" (EXPAND "always") (("1" (EXPAND "atbp") (("1" (EXPAND "unless_pred") (("1" (EXPAND "sand") (("1" (EXPAND "negate_sp") (("1" (EXPAND "sor") (("1" (EXPAND "shift") (("1" (INSTANTIATE -4 "i!1+i!2-1") (("1" (GROUND) NIL))))))))))))))))))))) ("2" (PROPAX) NIL))))) ("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|unless_prop2| "" (SKOLEM!) (("" (FLATTEN) (("" (LEMMA "ip_help1") (("" (SKOLEM!) (("" (INSTANTIATE -1 ("(LAMBDA i: sp1!1(sts(t!1)(i+i!1)))" "0")) (("" (GROUND) (("1" (INSTANTIATE -1 "j!1") (("1" (GROUND) NIL))) ("2" (SKOLEM!) 
(("2" (FLATTEN) (("2" (CASE "i!2 = 0") (("1" (GROUND) NIL) ("2" (CASE "not i!2-1 >= 0") (("1" (GROUND) NIL) ("2" (INSTANTIATE 4 "i!2-1" T) (("1" (INSTANTIATE 4 "i!2") (("1" (INSTANTIATE -2 "i!2-1" T) (("1" (EXPAND "unless") (("1" (EXPAND "satisfies") (("1" (INSTANTIATE -4 "t!1") (("1" (EXPAND "alwaysa") (("1" (EXPAND "always") (("1" (EXPAND "atbp") (("1" (EXPAND "unless_pred") (("1" (EXPAND "sand") (("1" (EXPAND "negate_sp") (("1" (EXPAND "sor") (("1" (EXPAND "shift") (("1" (INSTANTIATE -4 "i!2+i!1-1") (("1" (GROUND) (("1" (SKOLEM!) (("1" (INSTANTIATE -4 "l!1") (("1" (GROUND) NIL))))))) ("2" (GROUND) NIL))))))))))))))))))))))))) ("2" (PROPAX) NIL))))) ("2" (PROPAX) NIL))))))))))))))))))))))) (|leads_to1| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "ensuresb") (("" (FLATTEN) (("" (LEMMA "unless_prop2") (("" (INST?) (("" (GROUND) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INST?) (("" (INST?) (("" (GROUND) (("" (EXPAND "always") (("" (SKOLEM!) (("" (EXPAND "pimplies") (("" (EXPAND "member") (("" (FLATTEN) (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (INSTANTIATE -2 "i!1") (("" (GROUND) (("1" (CASE "not (exists k : k >= i!1 and member((sts(t!1)(k),sts(t!1)(k+1),ags(t!1)(k)),tranc!1))") (("1" (EXPAND "prop_for") (("1" (FLATTEN) (("1" (EXPAND "is_sfar") (("1" (INSTANTIATE -9 "tranc!1") (("1" (GROUND) (("1" (INSTANTIATE -1 "i!1") (("1" (SKOLEM!) (("1" (FLATTEN) (("1" (SPLIT) (("1" (INSTANTIATE -4 "j!1") (("1" (INSTANTIATE -3 "j!1-i!1") (("1" (GROUND) (("1" (SKOLEM!) (("1" (INSTANTIATE -2 "i!2+j!1") (("1" (GROUND) (("1" (EXPAND "enabled_sp") (("1" (PROPAX) NIL))))))))))) ("2" (GROUND) NIL))))) ("2" (SKOLEM!) (("2" (INSTANTIATE 1 "l!1") (("2" (GROUND) NIL))))))))))))))))))))))) ("2" (SKOLEM!) 
(("2" (FLATTEN) (("2" (INSTANTIATE -7 ("sts(t!1)(k!1)" "sts(t!1)(k!1+1)" "ags(t!1)(k!1)")) (("2" (EXPAND "member") (("2" (INSTANTIATE -3 "k!1-i!1") (("1" (INSTANTIATE 1 "k!1-i!1" T) (("1" (INSTANTIATE 1 "k!1-i!1+1") (("1" (GROUND) NIL) ("2" (GROUND) NIL))) ("2" (GROUND) NIL))) ("2" (GROUND) NIL))))))))))))) ("2" (SKOLEM!) (("2" (INSTANTIATE 1 "k!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))) (|leads_to1w| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "wensuresb") (("" (FLATTEN) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (FLATTEN) (("" (LEMMA "unless_prop2") (("" (INST?) (("" (INST?) (("" (EXPAND "always") (("" (SKOLEM!) (("" (INSTANTIATE -1 "i!1") (("" (EXPAND "pimplies") (("" (EXPAND "member") (("" (FLATTEN) (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (GROUND) (("1" (CASE "not (exists k: k >= i!1 and member((sts(t!1)(k),sts(t!1)(k+1),ags(t!1)(k)),tranc!1))") (("1" (EXPAND "prop_for") (("1" (FLATTEN) (("1" (EXPAND "is_wfar") (("1" (INSTANTIATE -7 "tranc!1") (("1" (EXPAND "member") (("1" (GROUND) (("1" (INSTANTIATE -7 "i!1") (("1" (SKOLEM!) (("1" (INSTANTIATE 1 "j!1") (("1" (INSTANTIATE -1 "j!1-i!1") (("1" (GROUND) (("1" (EXPAND "sand") (("1" (EXPAND "enabled_sp") (("1" (PROPAX) NIL))))))) ("2" (GROUND) NIL))))))))))))))))))))) ("2" (SKOLEM!) (("2" (INSTANTIATE -5 ("sts(t!1)(k!1)" "sts(t!1)(k!1+1)" "ags(t!1)(k!1)")) (("2" (EXPAND "member") (("2" (INSTANTIATE -2 "k!1-i!1") (("1" (INSTANTIATE 1 "k!1-i!1" T) (("1" (INSTANTIATE 1 "k!1-i!1+1") (("1" (GROUND) NIL) ("2" (GROUND) NIL))) ("2" (GROUND) NIL))) ("2" (GROUND) NIL))))))))))) ("2" (SKOLEM!) (("2" (INSTANTIATE 1 "k!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))) (|leads_to_2| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INST?) (("" (GROUND) (("" (EXPAND "always") (("" (SKOLEM!) 
(("" (INST?) (("" (EXPAND "pimplies") (("" (EXPAND "stbp") (("" (EXPAND "member") (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (FLATTEN) (("" (INST?) (("" (EXPAND "simplies") (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|leads_to_3| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INST?) (("" (GROUND) (("" (EXPAND "always") (("" (SKOLEM!) (("" (INST?) (("" (EXPAND "pimplies") (("" (GROUND) (("" (EXPAND "member") (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (SKOLEM!) (("" (INST?) (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (INST?) (("" (EXPAND "simplies") (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))) (|leads_to_or| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INST?) (("" (INST?) (("" (GROUND) (("" (EXPAND "always") (("" (SKOLEM!) (("" (INST?) (("" (INST?) (("" (EXPAND "pimplies") (("" (EXPAND "member") (("" (EXPAND "stbp") (("" (EXPAND "sor") (("" (FLATTEN) (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (SPLIT -4) (("1" (DELETE -2) (("1" (GROUND) NIL))) ("2" (DELETE -3) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) (|leads_to_tran| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INST?) (("" (INST?) (("" (GROUND) (("" (EXPAND "always") (("" (SKOLEM!) (("" (INSTANTIATE -2 "i!1") (("" (EXPAND "pimplies") (("" (GROUND) (("" (EXPAND "member") (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (SKOLEM!) (("" (INSTANTIATE -2 "i!2+i!1") (("" (GROUND) (("" (SKOLEM!) (("" (INSTANTIATE 1 "i!2+i!3") (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) (|leads_to_true| "" (SKOLEM!) 
(("" (FLATTEN) (("" (EXPAND "leads_to") (("" (CASE "not always(eventuallys(sp!1)) = always(pimplies(stbp(true_sp), eventuallys(sp!1)))") (("1" (DELETE -1 2) (("1" (EXTENSIONALITY "prop_t") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "always") (("1" (EXPAND "pimplies") (("1" (EXPAND "member") (("1" (EXPAND "stbp") (("1" (EXPAND "true_sp") (("1" (PROPAX) NIL))))))))))))))))))))))))) ("2" (REPLACE -1) (("2" (PROPAX) NIL))))))))))) (|leads_to_stable| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "eventually") (("" (LEMMA "leads_to_true") (("" (INST?) (("" (GROUND) (("" (EXPAND "satisfies") (("" (INST?) (("" (GROUND) (("" (EXPAND "always") (("" (INSTANTIATE -1 "0") (("" (EXPAND "eventuallys") (("" (EXPAND "eventually") (("" (SKOLEM!) (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (INSTANTIATE 1 "i!1") (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (INDUCT "i") (("1" (GROUND) NIL) ("2" (SKOLEM!) (("2" (EXPAND "steps_satisfy") (("2" (FLATTEN) (("2" (INSTANTIATE -4 ("sts(t!1)(j!1+i!1)" "sts(t!1)(j!1+i!1+1)" "ags(t!1)(j!1+i!1)")) (("2" (EXPAND "stable") (("2" (GROUND) (("2" (DELETE -1 -2 -3 3) (("2" (EXPAND "prop_for") (("2" (FLATTEN) (("2" (DELETE -1 -3 -4) (("2" (EXPAND "steps_okay") (("2" (INST?) (("2" (GROUND) (("2" (EXPAND "member") (("2" (EXPAND "steps") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|leads_to_invariant| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (EXPAND "always") (("" (EXPAND "pimplies") (("" (EXPAND "member") (("" (EXPAND "eventuallys") (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (EXPAND "sand") (("" (EXPAND "shift") (("" (GROUND) (("1" (SKOLEM!) (("1" (INST?) (("1" (INST?) (("1" (GROUND) (("1" (SKOLEM!) 
(("1" (FLATTEN) (("1" (INSTANTIATE -2 "i!1") (("1" (GROUND) NIL))))))))))))))) ("2" (SKOLEM!) (("2" (INST?) (("2" (INST?) (("2" (GROUND) (("2" (SKOLEM!) (("2" (INSTANTIATE -2 "i!1") (("2" (GROUND) (("2" (SKOLEM!) (("2" (INSTANTIATE -2 "i!1+i!2") (("2" (INSTANTIATE 1 "i!2") (("2" (GROUND) NIL))))))))))))))))))))) ("3" (SKOLEM!) (("3" (INST?) (("3" (INST?) (("3" (GROUND) (("3" (SKOLEM!) (("3" (INSTANTIATE -2 "i!1") (("3" (GROUND) (("3" (SKOLEM!) (("3" (INSTANTIATE -2 "i!1+i!2") (("3" (INSTANTIATE 1 "i!2") (("3" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))) (|leads_to_invariant1| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "leads_to") (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INST?) (("" (INST?) (("" (GROUND) (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "pimplies") (("" (EXPAND "eventuallys") (("" (EXPAND "member") (("" (EXPAND "eventually") (("" (EXPAND "stbp") (("" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "shift") (("" (EXPAND "simplies") (("" (EXPAND "sand") (("" (INSTANTIATE -3 "sts(t!1)(i!1)") (("" (INSTANTIATE -1 "i!1") (("" (GROUND) (("" (INSTANTIATE -3 "i!1") (("" (GROUND) NIL)))))))))))))))))))))))))))))))))))))))))))))))))) $$$more_preds.pvs more_preds[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING unity[ST,AG] sp, sp1, sp2: VAR STATE_PRED cmp: VAR (comp_t[ST, AG]) st, st1, st2: VAR ST p, p1, p2: VAR prop_t[ST,AG] ag: VAR AG stable_assuming(sp1, sp2): ACTION_PRED = (LAMBDA st1, st2, ag: sp1(st1) and sp1(st2) and sp2(st1) IMPLIES sp2(st2)) pimplies_always: THEOREM init_satisfies(cmp, simplies(sp1, sp2)) AND steps_satisfy(cmp, stable_assuming(sp1, sp2)) => satisfies(cmp, pimplies(alwayss(sp1),alwayss(sp2))) init_simplies: THEOREM init_satisfies(cmp, sp2) => init_satisfies(cmp, simplies(sp1, sp2)) satisfies_modus_ponens: THEOREM satisfies(cmp, p1) AND satisfies(cmp, pimplies(p1, p2)) => satisfies(cmp, p2) END more_preds $$$more_preds.prf (|more_preds| (|pimplies_always| "" (SKOSIMP) (("" (EXPAND "satisfies") (("" 
(SKOSIMP) (("" (EXPAND "pimplies") (("" (EXPAND "member") (("" (GROUND) (("" (EXPAND "alwayss") (("" (EXPAND "always") (("" (EXPAND "stbp") (("" (EXPAND "shift") (("" (INDUCT "i") (("1" (EXPAND "init_satisfies") (("1" (INST?) (("1" (EXPAND "prop_for") (("1" (EXPAND "initial_okay") (("1" (EXPAND "member") (("1" (GROUND) (("1" (EXPAND "simplies") (("1" (INST?) NIL))))))))))))))) ("2" (SKOSIMP) (("2" (EXPAND "steps_satisfy") (("2" (EXPAND "stable_assuming") (("2" (INST - "sts(t!1)(j!1)" "sts(t!1)(j!1+1)" "ags(t!1)(j!1)") (("2" (EXPAND "prop_for") (("2" (EXPAND "steps_okay") (("2" (EXPAND "member") (("2" (EXPAND "steps") (("2" (FLATTEN) (("2" (INST?) (("2" (INST-CP - "j!1") (("2" (INST - "j!1+1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) (|init_simplies| "" (SKOSIMP) (("" (EXPAND "init_satisfies") (("" (SKOSIMP) (("" (EXPAND "simplies") (("" (GROUND) (("" (INST?) (("" (GROUND) NIL))))))))))))) (|satisfies_modus_ponens| "" (SKOSIMP) (("" (EXPAND "satisfies") (("" (SKOSIMP) (("" (INST?) (("" (EXPAND "pimplies") (("" (EXPAND "member") (("" (INST?) 
(("" (GROUND) NIL)))))))))))))))) $$$client_props.pvs client_props: THEORY BEGIN IMPORTING client_spec IMPORTING more_preds[(CLIENT_STATE), THREAD ] IMPORTING unity st, st1, st2 : VAR (CLIENT_STATE) pf: VAR PROT_FAMILY clear, cypher: VAR TEXT p : VAR FSEQ[[ENCRYPT_MECH, KEY]] seed : VAR SEED key_mech : VAR KEY_MECH th: VAR (client_threads) t: VAR TEXT ri: VAR RECEIVED_INFO %% Next two functions probably belong in crypto_shared_state.pvs map_protect(p, t): RECURSIVE TEXT = IF nonemptyfseq(p) THEN map_protect(pop(p),protect_text(PROJ_1(elem(p)(1)), PROJ_2(elem(p)(1)), t)) ELSE t ENDIF MEASURE size(p); encrypted_with_pf(pf, clear, cypher): bool = (EXISTS p: cypher = map_protect(p,clear) AND size(p) = size(pf) AND (FORALL (i: {i: nat | i>0 AND i <= size(pf)}): PROJ_1(elem(p)(i)) = encrypt_mech(elem(pf)(i)) AND (EXISTS seed, key_mech: PROJ_2(elem(p)(i)) = generate_key(key_mech, seed) AND key_mech = key_mech(elem(pf)(i))))) have_encrypted_text(st, pf, clear, cypher): bool = EXISTS th: requested_prot_family(thst(st)(th)) = pf AND pf_handle_provided(thst(st)(th)) AND handle(thst(st)(th)) /= null_name AND clear_text_sent(thst(st)(th)) = clear AND clear /= null_text AND cypher_text_received(thst(st)(th)) = cypher AND reply_received(thst(st)(th)) %%vvv DESIRED PROPERTY vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv %% %% This is the top-level desired property. We could try %% to prove it by decomposing it into other properties %% which eventually reduce to things you would prove about %% a single component (using the composition theorems to %% lift each result). correct_encryption_pred : STATE_PRED = (LAMBDA st: (FORALL pf, clear, cypher: have_encrypted_text(st, pf, clear, cypher) => encrypted_with_pf(pf, clear, cypher))) %% We can prove that it is satisfied in the initial state without %% considering any component other than the client. 
correct_encryption_prop1: THEOREM init_satisfies(client_comp, correct_encryption_pred) %% However, we cannot prove that the system steps satisfy %% correct_encryption_pred without considering properties of the %% entire system. %% %%^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ %% To demonstrate property lifting, we prove a lemma that says if %% the ri of the client always has things that are correct %% encryptions then encrypted_with_pf is satisfied correct_ppd_def(st): bool = (FORALL th, ri, cypher, pf, clear: (NOT reply_received(thst(st)(th)) AND existing_threads(kst(st))(th) AND received_info(kst(st))(th) = ri AND op(ri) = provide_protected_data_op AND provide_protected_data_msg(cypher) = user_msg(ri) AND ri_status(ri) = ri_unprocessed AND pf = requested_prot_family(thst(st)(th)) AND clear = clear_text_sent(thst(st)(th))) => encrypted_with_pf(pf, clear, cypher)) correct_ppd_pred: STATE_PRED = (LAMBDA st: correct_ppd_def(st)) correct_encryption_prop_steps: THEOREM steps_satisfy(client_comp, stable_assuming(correct_ppd_pred, correct_encryption_pred)) correct_encryption_prop: THEOREM satisfies(client_comp, pimplies(alwayss(correct_ppd_pred), alwayss(correct_encryption_pred))) END client_props $$$client_props.prf (|client_props| (IMPORTING2_TCC1 "" (INST + "client_state_witness") NIL) (|map_protect_TCC1| "" (EXPAND "nonemptyfseq") (("" (SKOSIMP) (("" (GROUND) NIL))))) (|map_protect_TCC2| "" (EXPAND "pop") (("" (PROPAX) NIL))) (|encrypted_with_pf_TCC1| "" (SKOSIMP*) (("" (GROUND) NIL))) (|encrypted_with_pf_TCC2| "" (SKOSIMP*) (("" (GROUND) NIL))) (|correct_encryption_prop1| "" (EXPAND "init_satisfies") (("" (SKOSIMP) (("" (EXPAND "client_comp") (("" (EXPAND "base_client_comp") (("" (EXPAND "initial_client_states") (("" (EXPAND "correct_encryption_pred") (("" (SKOSIMP) (("" (EXPAND "have_encrypted_text") (("" (SKOSIMP) (("" (INST?) 
(("" (GROUND) NIL))))))))))))))))))))) (|correct_encryption_prop_steps| "" (EXPAND "steps_satisfy") (("" (EXPAND "stable_assuming") (("" (SKOSIMP) (("" (EXPAND "client_comp") (("" (EXPAND "base_client_comp") (("" (HIDE -3) (("" (GROUND) (("1" (EXPAND "client_guar") (("1" (GROUND) (("1" (EXPAND "client_view") (("1" (REPLACE -1) (("1" (PROPAX) NIL))))) ("2" (EXPAND "correct_encryption_pred") (("2" (EXPAND "client_step") (("2" (SKOSIMP) (("2" (EXPAND "have_encrypted_text") (("2" (SKOSIMP) (("2" (INST? -7) (("2" (GROUND) (("2" (INST + "th!1") (("2" (CASE "NOT th!1=ag!1") (("1" (INST?) (("1" (GROUND) NIL))) ("2" (REPLACE -1 :HIDE? T) (("2" (CASE "thst(st1!1)(ag!1) = thst(st2!1)(ag!1) OR clear!1 = null_text OR client_provide_protected_data(st1!1,st2!1,ag!1)") (("1" (HIDE -4) (("1" (SPLIT -) (("1" (REPLACE -1) (("1" (GROUND) NIL))) ("2" (PROPAX) NIL) ("3" (HIDE 1) (("3" (EXPAND "client_provide_protected_data") (("3" (SKOSIMP) (("3" (REPLACE -3) (("3" (BETA) (("3" (HIDE -3) (("3" (EXPAND "correct_ppd_pred") (("3" (EXPAND "correct_ppd_def") (("3" (INST?) (("3" (INST?) (("3" (INST?) (("3" (EXPAND "client_receive_request_util") (("3" (EXPAND "receive_request") (("3" (GROUND) NIL))))))))))))))))))))))))))))))) ("2" (HIDE 2) (("2" (EXPAND "client_op") (("2" (GROUND) (("1" (EXPAND "client_receive_request") (("1" (PROPAX) NIL))) ("2" (EXPAND "client_select_prot_family") (("2" (PROPAX) NIL))) ("3" (EXPAND "client_provide_pf_handle") (("3" (SKOSIMP) (("3" (REPLACE -13 :DIR RL) (("3" (REPLACE -4) (("3" (BETA) (("3" (PROPAX) NIL))))))))))) ("4" (EXPAND "client_provide_crypto_context") (("4" (SKOSIMP) (("4" (REPLACE -13 :DIR RL) (("4" (REPLACE -5) (("4" (BETA) (("4" (PROPAX) NIL))))))))))) ("5" (EXPAND "client_protect") (("5" (PROPAX) NIL))))))))))))))))))))))))))))))))))) ("2" (EXPAND "client_rely") (("2" (EXPAND "client_environment") (("2" (GROUND) (("2" (EXPAND "correct_encryption_pred") (("2" (SKOSIMP) (("2" (INST?) 
(("2" (GROUND) (("2" (EXPAND "have_encrypted_text") (("2" (SKOSIMP) (("2" (INST + "th!1") (("2" (REPLACE -2 :DIR RL) (("2" (BETA) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))) (|correct_encryption_prop| "" (REWRITE "pimplies_always") (("1" (HIDE 2) (("1" (REWRITE "init_simplies") (("1" (REWRITE "correct_encryption_prop1") NIL))))) ("2" (HIDE 2) (("2" (REWRITE "correct_encryption_prop_steps") NIL)))))) $$$tolerates.pvs tolerates[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING component[ST, AG] cset, cset1, cset2, cset3: VAR setof[(comp_t)] cmp, cmp1, cmp2: VAR (comp_t) st, st1, st2: VAR ST ag: VAR AG ags: VAR setof[AG] tran: VAR transition tolerates_cmp(cset1, cmp2): bool = (FORALL tran: member(tran, guar(cmp2)) IMPLIES ((EXISTS cmp1: member(cmp1, cset1) AND member(tran, guar(cmp1))) OR (FORALL cmp1: member(cmp1, cset1) AND member(tran, hidd(cmp1)) IMPLIES member(tran, rely(cmp1))))) tolerates_cmp_disj(cset1, cmp2): bool = (FORALL tran: member(tran, guar(cmp2)) IMPLIES ((FORALL cmp1: member(cmp1, cset1) AND member(tran, hidd(cmp1)) IMPLIES member(tran, rely(cmp1))))) tolerates_cmp_stutter(cset1, cmp2): bool = (FORALL st1, st2, ag, cmp1: member(cmp1, cset1) AND member((st1, st2, ag), guar(cmp2)) AND member((st1, st2, ag), hidd(cmp1)) IMPLIES member((st1, st2), view(cmp1))) tolerates_cmp_cags(cset1, cmp2): bool = (FORALL st1, st2, ag, cmp1: member(cmp1, cset1) AND member(ag, cags(cmp2)) AND member((st1, st2, ag), hidd(cmp1)) IMPLIES member((st1, st2), view(cmp1))) tolerates_cmp_disj_stronger: THEOREM tolerates_cmp_disj(cset1, cmp2) IMPLIES tolerates_cmp(cset1, cmp2) tolerates_cmp_stutter_stronger: THEOREM tolerates_cmp_stutter(cset1, cmp2) IMPLIES tolerates_cmp_disj(cset1, cmp2) tolerates_cmp_cags_stronger: THEOREM tolerates_cmp_cags(cset1, cmp2) IMPLIES tolerates_cmp_stutter(cset1, cmp2) tolerates_cmp_cags_stronger2: THEOREM tolerates_cmp_cags(cset1, cmp2) IMPLIES tolerates_cmp_disj(cset1, cmp2) tolerates(cset1, cset2): bool = (FORALL cmp2: 
member(cmp2, cset2) IMPLIES tolerates_cmp(cset1, cmp2)) tolerates_prop: THEOREM tolerates(cset1, cset2) AND subset?(cset, cset2) IMPLIES tolerates(cset1, cset) tolerates_union: THEOREM tolerates(cset1, cset2) AND tolerates(cset1, cset3) AND cset = union(cset2, cset3) => tolerates(cset1, cset) tolerates_disj(cset1, cset2): bool = (FORALL cmp2: member(cmp2, cset2) IMPLIES tolerates_cmp_disj(cset1, cmp2)) tolerates_stutter(cset1, cset2): bool = (FORALL cmp2: member(cmp2, cset2) IMPLIES tolerates_cmp_stutter(cset1, cmp2)) tolerates_cags(cset1, cset2): bool = (FORALL cmp2: member(cmp2, cset2) IMPLIES tolerates_cmp_cags(cset1, cmp2)) tolerates_cags_help: THEOREM (FORALL cmp1, cmp2, st1, st2, ag : (cset1(cmp1) AND hidd(cmp1)(st1, st2, ag) => ags(ag) OR view(cmp1)(st1, st2)) AND (cset2(cmp2) AND cags(cmp2)(ag) => NOT ags(ag))) IMPLIES tolerates_cags(cset1, cset2) tolerates_disj_stronger: THEOREM tolerates_disj(cset1, cset2) IMPLIES tolerates(cset1, cset2) tolerates_stutter_stronger: THEOREM tolerates_stutter(cset1, cset2) IMPLIES tolerates(cset1, cset2) tolerates_cags_stronger: THEOREM tolerates_cags(cset1, cset2) IMPLIES tolerates(cset1, cset2) tolerates_disj_prop2: THEOREM tolerates_disj(cset1, cset2) AND subset?(cset, cset2) IMPLIES tolerates_disj(cset1, cset) END tolerates $$$tolerates.prf (|tolerates| (|tolerates_cmp_disj_stronger| "" (SKOSIMP*) (("" (EXPAND "tolerates_cmp") (("" (EXPAND "tolerates_cmp_disj") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))) (|tolerates_cmp_stutter_stronger| "" (SKOSIMP) (("" (EXPAND "tolerates_cmp_disj") (("" (EXPAND "tolerates_cmp_stutter") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (CASE "tran!1 = (PROJ_1(tran!1), PROJ_2(tran!1), PROJ_3(tran!1))") (("1" (REPLACE -1 :HIDE? T) (("1" (INST?) 
(("1" (GROUND) (("1" (TYPEPRED "cmp1!1") (("1" (USE "component_rely_stuttering") (("1" (EXPAND "rely_stuttering_restriction") (("1" (EXPAND "gen_stuttering_restriction") (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "complement") (("1" (EXPAND "member") (("1" (USE "component_hidd") (("1" (EXPAND "hidd_restriction") (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) NIL))))))))))))))))))))))))))))))))) ("2" (EXTENSIONALITY "transition") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))) (|tolerates_cmp_cags_stronger| "" (SKOSIMP) (("" (EXPAND "tolerates_cmp_cags") (("" (EXPAND "tolerates_cmp_stutter") (("" (SKOSIMP) (("" (EXPAND "member") (("" (INST?) (("" (GROUND) (("" (TYPEPRED "cmp2!1") (("" (USE "component_guar") (("" (REWRITE "guar_restriction") (("" (EXPAND "member") (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))) (|tolerates_cmp_cags_stronger2| "" (SKOSIMP) (("" (REWRITE "tolerates_cmp_stutter_stronger") (("" (REWRITE "tolerates_cmp_cags_stronger") NIL))))) (|tolerates_prop| "" (SKOSIMP*) (("" (EXPAND "tolerates") (("" (SKOSIMP*) (("" (INST?) (("" (EXPAND "subset?") (("" (INST?) (("" (GROUND) NIL))))))))))))) (|tolerates_union| "" (SKOSIMP) (("" (EXPAND "tolerates") (("" (SKOSIMP) (("" (EXPAND "tolerates_cmp") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (REPLACE -3 :HIDE? T) (("" (EXPAND "union") (("" (EXPAND "member") (("" (GROUND) (("1" (HIDE -3) (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))))))))))))) ("2" (HIDE -2) (("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))) (|tolerates_cags_help| "" (SKOSIMP*) (("" (EXPAND "tolerates_cags") (("" (SKOSIMP) (("" (EXPAND "tolerates_cmp_cags") (("" (SKOSIMP) (("" (EXPAND "member") (("" (INST?) (("" (INST?) (("" (GROUND) NIL))))))))))))))))) (|tolerates_disj_stronger| "" (SKOSIMP*) (("" (EXPAND "tolerates") (("" (SKOSIMP*) (("" (EXPAND "tolerates_disj") (("" (INST?) 
(("" (GROUND) (("" (REWRITE "tolerates_cmp_disj_stronger") NIL))))))))))))) (|tolerates_stutter_stronger| "" (SKOSIMP) (("" (EXPAND "tolerates_stutter") (("" (EXPAND "tolerates") (("" (EXPAND "member") (("" (SKOSIMP) (("" (INST?) (("" (GROUND) (("" (REWRITE "tolerates_cmp_disj_stronger") (("" (REWRITE "tolerates_cmp_stutter_stronger") NIL))))))))))))))))) (|tolerates_cags_stronger| "" (SKOSIMP) (("" (EXPAND "tolerates_cags") (("" (EXPAND "tolerates") (("" (EXPAND "member") (("" (SKOSIMP) (("" (INST?) (("" (GROUND) (("" (REWRITE "tolerates_cmp_disj_stronger") (("" (REWRITE "tolerates_cmp_cags_stronger2") NIL))))))))))))))))) (|tolerates_disj_prop2| "" (SKOSIMP*) (("" (EXPAND "tolerates_disj") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (EXPAND "subset?") (("" (INST?) (("" (GROUND) NIL)))))))))))))))) $$$contains.pvs contains[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING cmp_contains[ST, AG] cmp, cmp1, cmp2: VAR (comp_t) cset1, cset2: VAR setof[(comp_t)] contains(cset1, cset2): bool = (FORALL cmp1: member(cmp1, cset1) IMPLIES (EXISTS cmp2: member(cmp2, cset2) AND cmp_contains(cmp2, cmp1))) END contains $$$contains.prf (|contains| (|contains_one_def| "" (SKOLEM!) (("" (IFF) (("" (EXPAND "contains_one") (("" (EXPAND "contains") (("" (EXPAND "member") (("" (EXPAND "singleton") (("" (GROUND) (("1" (SKOSIMP*) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))) (|contains_one_prop| "" (SKOSIMP*) (("" (EXPAND "contains_one") (("" (INST?) 
(("" (GROUND) (("" (EXPAND "cmp_contains") (("" (REWRITE "subset_reflexive") (("" (REWRITE "subset_reflexive") (("" (REWRITE "subset_reflexive") (("" (GROUND) (("1" (EXPAND "subset?") (("1" (EXPAND "steps") (("1" (EXPAND "member") (("1" (SKOSIMP*) (("1" (GROUND) NIL))))))))) ("2" (REWRITE "subset_reflexive") NIL) ("3" (REWRITE "subset_reflexive") NIL) ("4" (REWRITE "subset_reflexive") NIL)))))))))))))))))))) $$$cmp_thm_aux.pvs cmp_thm_aux[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING compose[ST, AG] IMPORTING cprops[ST, AG] IMPORTING contains[ST, AG] IMPORTING tolerates[ST, AG] cset, cset1, cset2: VAR setof[(comp_t)] cmp1, cmp2: VAR (comp_t) tran: VAR [ST, ST, AG] st, st1, st2: VAR ST ag: VAR AG key_composable: THEOREM subset?(cset1, cset2) AND cset1 /= emptyset AND composable(cset2) IMPLIES composable(cset1) key_init: THEOREM contains(cset1, cset2) AND composable(cset2) AND member(st, init(compose(cset2))) IMPLIES (composable(cset1) IMPLIES member(st, init(compose(cset1)))) key_guar1: THEOREM contains(cset1, cset2) AND composable(cset2) AND member(tran, guar(compose(cset2))) IMPLIES member(tran, gen_intersection(guar_or_hidds_for(cset1))) key_guar2: THEOREM composable(cset2) AND member(tran, guar(compose(cset2))) AND tolerates(cset1, cset2) IMPLIES (member(tran, gen_union(guars_for(cset1))) OR (FORALL cmp1: member(cmp1, cset1) AND member(tran, hidd(cmp1)) IMPLIES member(tran, rely(cmp1)))) key_guar3: THEOREM NOT member(tran, gen_union(guars_for(cset1))) AND member(tran, gen_intersection(guar_or_hidds_for(cset1))) IMPLIES member(tran, gen_intersection(hidds_for(cset1))) key_guar4: THEOREM member(tran, gen_intersection(hidds_for(cset1))) AND (FORALL cmp1: member(cmp1, cset1) AND member(tran, hidd(cmp1)) IMPLIES member(tran, rely(cmp1))) IMPLIES member(tran, gen_intersection(relys_for(cset1))) key_guar: THEOREM contains(cset1, cset2) AND tolerates(cset1, cset2) AND composable(cset2) AND member(tran, guar(compose(cset2))) IMPLIES (composable(cset1) 
IMPLIES member(tran, steps(compose(cset1)))) key_rely: THEOREM contains(cset1, cset2) AND composable(cset2) AND member(tran, rely(compose(cset2))) IMPLIES (composable(cset1) IMPLIES member(tran, rely(compose(cset1)))) key_hidd: THEOREM contains(cset1, cset2) AND composable(cset2) AND member(tran, hidd(compose(cset2))) IMPLIES (composable(cset1) IMPLIES member(tran, hidd(compose(cset1)))) key_view: THEOREM contains(cset1, cset2) AND composable(cset2) AND member((st1, st2), view(compose(cset2))) IMPLIES (composable(cset1) IMPLIES member((st1, st2), view(compose(cset1)))) tranc: VAR TRANSITION_CLASS key_wfar: THEOREM contains(cset1, cset2) AND composable(cset1) AND member(tranc, wfar(compose(cset1))) IMPLIES (composable(cset2) IMPLIES member(tranc, wfar(compose(cset2)))) key_sfar: THEOREM contains(cset1, cset2) AND composable(cset1) AND member(tranc, sfar(compose(cset1))) IMPLIES (composable(cset2) IMPLIES member(tranc, sfar(compose(cset2)))) key_cags: THEOREM contains(cset1, cset2) AND composable(cset1) AND member(ag, cags(compose(cset1))) IMPLIES (composable(cset2) IMPLIES member(ag, cags(compose(cset2)))) key: THEOREM contains(cset1, cset2) AND tolerates(cset1, cset2) AND composable(cset2) AND cmp2 = compose(cset2) AND composable(cset1) AND cmp1 = compose(cset1) IMPLIES cmp_contains(cmp2, cmp1) END cmp_thm_aux $$$cmp_thm_aux.prf (|cmp_thm_aux| (|key_composable| "" (SKOSIMP*) (("" (EXPAND "composable") (("" (GROUND) (("" (EXPAND "agreeable_start") (("" (SKOLEM!) (("" (INST?) (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (EXPAND "subset?") (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))) (|key_init| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_init") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "inits_for") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (REPLACE -6 :HIDE? -6) (("" (EXPAND "contains") (("" (INST?) 
(("" (EXPAND "member") (("" (GROUND) (("" (SKOSIMP*) (("" (INSTANTIATE -4 "init(cmp2!1)") (("" (SPLIT) (("1" (CASE "not subset?(init(cmp2!1),init(cmp!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (EXPAND "subset?") (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) NIL))))))))) ("2" (INSTANTIATE 1 "cmp2!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))) (|key_guar1| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "guar_or_hidds_for") (("" (SKOSIMP*) (("" (REPLACE -6 :HIDE? -6) (("" (EXPAND "contains") (("" (INST?) (("" (GROUND) (("" (SKOSIMP*) (("" (INSTANTIATE -4 "union(guar(cmp2!1),hidd(cmp2!1))") (("" (GROUND) (("1" (EXPAND "union") (("1" (EXPAND "cmp_contains") (("1" (FLATTEN) (("1" (EXPAND "subset?" -9) (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "subset?" -5) (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "steps") (("1" (EXPAND "member") (("1" (GROUND) (("1" (LEMMA "component_rely_hidd") (("1" (INSTANTIATE -1 "cmp!1") (("1" (EXPAND "rely_hidd_restriction") (("1" (EXPAND "subset?" -1) (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))))))))))))))))))))))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))) (|key_guar2| "" (SKOSIMP*) (("" (EXPAND "tolerates") (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "guars_for") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (INSTANTIATE -6 "cmp!1") (("" (GROUND) (("" (EXPAND "tolerates_cmp") (("" (EXPAND "member") (("" (INST?) (("" (SPLIT) (("1" (SKOSIMP*) (("1" (INSTANTIATE 1 "guar(cmp1!2)") (("1" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))))))))) ("2" (DELETE 1) (("2" (INST?) 
(("2" (GROUND) NIL))))) ("3" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|key_guar3| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "hidds_for") (("" (EXPAND "guars_for") (("" (EXPAND "guar_or_hidds_for") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (INSTANTIATE -1 "union(guar(cmp!1),hidd(cmp!1))") (("" (INSTANTIATE 1 "guar(cmp!1)") (("" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))) ("3" (EXPAND "union") (("3" (EXPAND "member") (("3" (PROPAX) NIL))))) ("4" (INST?) (("4" (GROUND) NIL))))))))))))))))))))))))))))))) (|key_guar4| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "relys_for") (("" (SKOSIMP*) (("" (EXPAND "hidds_for") (("" (INSTANTIATE -1 "hidd(cmp!1)") (("" (INSTANTIATE -2 "cmp!1") (("" (EXPAND "member") (("" (GROUND) (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))) (|key_guar| "" (SKOSIMP*) (("" (LEMMA "key_guar1") (("" (INSTANTIATE -1 ("cset1!1" "cset2!1" "tran!1")) (("" (GROUND) (("" (LEMMA "key_guar2") (("" (INSTANTIATE -1 ("cset1!1" "cset2!1" "tran!1")) (("" (LEMMA "key_guar3") (("" (INSTANTIATE -1 ("cset1!1" "tran!1")) (("" (LEMMA "key_guar4") (("" (INSTANTIATE -1 ("cset1!1" "tran!1")) (("" (EXPAND "member") (("" (EXPAND "compose" +) (("" (EXPAND "steps") (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "compose_rely") (("" (EXPAND "member") (("" (GROUND) NIL))))))))))))))))))))))))))))))))))) (|key_rely| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_rely") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "relys_for") (("" (SKOSIMP*) (("" (EXPAND "contains") (("" (INSTANTIATE -1 "cmp!1") (("" (GROUND) (("" (SKOSIMP*) (("" (INSTANTIATE -4 "rely(cmp2!1)") (("" (CASE "not subset?(rely(cmp2!1),rely(cmp!1))") (("1" (EXPAND 
"cmp_contains") (("1" (GROUND) NIL))) ("2" (EXPAND "subset?") (("2" (INST?) (("2" (EXPAND "member") (("2" (GROUND) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|key_hidd| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_hidd") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "hidds_for") (("" (SKOSIMP*) (("" (EXPAND "contains") (("" (INSTANTIATE -1 "cmp!1") (("" (GROUND) (("" (SKOSIMP*) (("" (INSTANTIATE -4 "hidd(cmp2!1)") (("" (CASE "not subset?(hidd(cmp2!1),hidd(cmp!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (EXPAND "subset?") (("2" (INST?) (("2" (EXPAND "member") (("2" (GROUND) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|key_view| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_view") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "extend") (("" (SPLIT) (("1" (EXPAND "views_for" -1) (("1" (FLATTEN) (("1" (SKOLEM!) (("1" (FLATTEN) (("1" (REPLACE -3 :HIDE? -3) (("1" (EXPAND "contains") (("1" (INST?) (("1" (GROUND) (("1" (SKOLEM!) (("1" (CASE "not subset?(view(cmp2!1),view(cmp!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (EXPAND "subset?") (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) (("2" (EXPAND "views_for") (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))) ("2" (GROUND) NIL))))))))))))))))))) (|key_wfar| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_wfar") (("" (EXPAND "gen_union") (("" (SKOLEM!) (("" (EXPAND "member") (("" (EXPAND "wfars_for") (("" (FLATTEN) (("" (SKOLEM!) (("" (EXPAND "contains") (("" (INST?) (("" (GROUND) (("" (SKOLEM!) (("" (REPLACE -4 :HIDE? 
-4) (("" (INSTANTIATE 1 "wfar(cmp2!1)") (("" (SPLIT) (("1" (INSTANTIATE 1 "cmp2!1") (("1" (GROUND) NIL))) ("2" (CASE "not subset?(wfar(cmp!1),wfar(cmp2!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (EXPAND "subset?") (("2" (INST?) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))) (|key_sfar| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_sfar") (("" (EXPAND "gen_union") (("" (SKOLEM!) (("" (EXPAND "member") (("" (EXPAND "sfars_for") (("" (FLATTEN) (("" (SKOLEM!) (("" (FLATTEN) (("" (REPLACE -4 :HIDE? -4) (("" (EXPAND "contains") (("" (INST?) (("" (GROUND) (("" (SKOSIMP*) (("" (INSTANTIATE 1 "sfar(cmp2!1)") (("" (SPLIT) (("1" (INSTANTIATE 1 "cmp2!1") (("1" (GROUND) NIL))) ("2" (CASE "not subset?(sfar(cmp!1),sfar(cmp2!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (EXPAND "subset?") (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))) (|key_cags| "" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose") (("" (EXPAND "compose_cags") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND* "member" "cagss_for") (("" (SKOSIMP*) (("" (EXPAND "contains") (("" (INST?) (("" (GROUND) (("" (SKOSIMP*) (("" (INSTANTIATE 1 "cags(cmp2!1)") (("" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (CASE "not subset?(cags(cmp!1),cags(cmp2!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (EXPAND "subset?") (("2" (INST?) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))) (|key| "" (SKOSIMP*) (("" (EXPAND "cmp_contains") (("" (REPLACE -4 :HIDE? -4) (("" (REPLACE -5 :HIDE? 
-5) (("" (EXPAND "subset?") (("" (GROUND) (("1" (SKOSIMP*) (("1" (LEMMA "key_init") (("1" (INSTANTIATE -1 ("cset1!1" "cset2!1" "x!1")) (("1" (GROUND) NIL))))))) ("2" (SKOSIMP*) (("2" (LEMMA "key_cags") (("2" (INSTANTIATE -1 ("x!1" "cset1!1" "cset2!1")) (("2" (GROUND) NIL))))))) ("3" (SKOSIMP*) (("3" (LEMMA "key_guar") (("3" (INSTANTIATE -1 ("cset1!1" "cset2!1" "x!1")) (("3" (GROUND) NIL))))))) ("4" (SKOSIMP*) (("4" (LEMMA "key_wfar") (("4" (INSTANTIATE -1 ("cset1!1" "cset2!1" "x!1")) (("4" (GROUND) NIL))))))) ("5" (SKOSIMP*) (("5" (LEMMA "key_sfar") (("5" (INSTANTIATE -1 ("cset1!1" "cset2!1" "x!1")) (("5" (GROUND) NIL))))))) ("6" (LEMMA "key_rely") (("6" (SKOSIMP*) (("6" (INSTANTIATE -1 ("cset1!1" "cset2!1" "x!1")) (("6" (GROUND) NIL))))))) ("7" (LEMMA "key_hidd") (("7" (SKOSIMP*) (("7" (INSTANTIATE -1 ("cset1!1" "cset2!1" "x!1")) (("7" (GROUND) NIL))))))) ("8" (SKOSIMP*) (("8" (LEMMA "key_view") (("8" (INSTANTIATE -1 ("cset1!1" "cset2!1" "PROJ_1(x!1)" "PROJ_2(x!1)")) (("8" (GROUND) (("1" (EXPAND "member") (("1" (GROUND) NIL))) ("2" (EXPAND "member") (("2" (GROUND) NIL)))))))))))))))))))))))) $$$cmp_thm.pvs cmp_thm[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING cmp_thm_aux[ST, AG] cset1, cset2: VAR setof[(comp_t)] p: VAR prop_t cmp_thm_base: THEOREM contains(cset1, cset2) AND tolerates(cset1, cset2) AND composable(cset1) AND satisfies(compose(cset1), p) IMPLIES (composable(cset2) IMPLIES satisfies(compose(cset2), p)) cmp_thm_base_disj: THEOREM contains(cset1, cset2) AND tolerates_disj(cset1, cset2) AND composable(cset1) AND satisfies(compose(cset1), p) IMPLIES (composable(cset2) IMPLIES satisfies(compose(cset2), p)) cmp_thm: THEOREM subset?(cset1, cset2) AND tolerates(cset1, cset2) AND composable(cset2) AND cset1 /= emptyset AND satisfies(compose(cset1), p) IMPLIES satisfies(compose(cset2), p) cmp_thm_disj: THEOREM subset?(cset1, cset2) AND tolerates_disj(cset1, cset2) AND cset1 /= emptyset AND composable(cset2) AND satisfies(compose(cset1), p) 
IMPLIES satisfies(compose(cset2), p) END cmp_thm $$$cmp_thm.prf (|cmp_thm| (|cmp_thm_base| "" (SKOSIMP*) (("" (LEMMA "satisfies_contains_prop") (("" (INSTANTIATE -1 ("compose(cset2!1)" "compose(cset1!1)" "p!1")) (("1" (GROUND) (("1" (LEMMA "key") (("1" (INSTANTIATE -1 ("compose(cset1!1)" "compose(cset2!1)" "cset1!1" "cset2!1")) (("1" (GROUND) NIL))))))) ("2" (PROPAX) NIL) ("3" (PROPAX) NIL))))))) (|cmp_thm_base_disj| "" (SKOSIMP*) (("" (LEMMA "cmp_thm_base") (("" (INSTANTIATE -1 ("cset1!1" "cset2!1" "p!1")) (("" (GROUND) (("" (REWRITE "tolerates_disj_stronger") NIL))))))))) (|cmp_thm_TCC1| "" (SKOSIMP*) (("" (LEMMA "key_composable") (("" (INSTANTIATE -1 ("cset1!1" "cset2!1")) (("" (GROUND) NIL))))))) (|cmp_thm_TCC2| "" (SKOSIMP*) NIL) (|cmp_thm| "" (SKOSIMP*) (("" (LEMMA "cmp_thm_base") (("" (INSTANTIATE -1 ("cset1!1" "cset2!1" "p!1")) (("" (GROUND) (("1" (EXPAND "contains") (("1" (SKOSIMP*) (("1" (INST?) (("1" (EXPAND "subset?") (("1" (INST?) (("1" (GROUND) (("1" (REWRITE "cmp_contains_reflexive") NIL))))))))))))) ("2" (LEMMA "key_composable") (("2" (INSTANTIATE -1 ("cset1!1" "cset2!1")) (("2" (GROUND) NIL))))))))))))) (|cmp_thm_disj_TCC1| "" (SKOSIMP*) (("" (LEMMA "key_composable") (("" (INSTANTIATE -1 ("cset1!1" "cset2!1")) (("" (GROUND) NIL))))))) (|cmp_thm_disj_TCC2| "" (SKOSIMP*) NIL) (|cmp_thm_disj| "" (SKOSIMP*) (("" (LEMMA "cmp_thm") (("" (INSTANTIATE -1 ("cset1!1" "cset2!1" "p!1")) (("" (GROUND) (("" (REWRITE "tolerates_disj_stronger") NIL)))))))))) $$$gen_set.pvs gen_set[X: TYPE]: THEORY BEGIN s, s1, s2: VAR setof[X] ss, ss1, ss2: VAR setof[setof[X]] x, x1: VAR X nonempty_th: THEOREM s /= emptyset IFF (EXISTS x: member(x, s)) gen_union(ss): setof[X] = (LAMBDA x: (EXISTS s: member(s, ss) AND member(x, s))) gen_intersection(ss): setof[X] = (LAMBDA x: (FORALL s: member(s, ss) IMPLIES member(x, s))) gen_union_zero: THEOREM gen_union(emptyset[setof[X]]) = emptyset gen_intersection_zero: THEOREM gen_intersection(emptyset[setof[X]]) = fullset gen_union_two: 
THEOREM gen_union({s | s = s1 OR s = s2}) = union(s1, s2) gen_intersection_two: THEOREM gen_intersection({s | s = s1 OR s = s2}) = intersection(s1, s2) gen_union_one: THEOREM gen_union(singleton(s)) = s gen_intersection_one: THEOREM gen_intersection(singleton(s)) = s gen_intersection_bigger: THEOREM subset?(ss1, ss2) IMPLIES subset?(gen_intersection(ss2), gen_intersection(ss1)) gen_union_smaller: THEOREM subset?(ss1, ss2) IMPLIES subset?(gen_union(ss1), gen_union(ss2)) contains_at_most_one(s): bool = (FORALL x, x1: member(x, s) AND member(x1, s) IMPLIES x = x1) contains_one(s): bool = s /= emptyset AND contains_at_most_one(s) contains_one_def: THEOREM contains_one(s) IFF (EXISTS x: s = singleton(x)) END gen_set $$$gen_set.prf (|gen_set| (|nonempty_th| "" (GROUND) (("" (SKOSIMP*) (("" (GROUND) (("1" (EXTENSIONALITY "setof[X]") (("1" (INST?) (("1" (GROUND) (("1" (SKOLEM!) (("1" (EXPAND "emptyset" 1) (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))) ("2" (REPLACE -2 :HIDE? -2) (("2" (EXPAND "member") (("2" (EXPAND "emptyset") (("2" (PROPAX) NIL))))))))))))) (|gen_union_zero| "" (EXTENSIONALITY "setof[X]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (EXPAND "gen_union") (("" (EXPAND "member") (("" (EXPAND "emptyset") (("" (PROPAX) NIL))))))))))))))))) (|gen_intersection_zero| "" (EXTENSIONALITY "setof[X]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (EXPAND "gen_intersection") (("" (EXPAND "emptyset") (("" (EXPAND "member") (("" (EXPAND "fullset") (("" (PROPAX) NIL))))))))))))))))))) (|gen_union_two| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[X]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "gen_union") (("" (EXPAND "union") (("" (EXPAND "member") (("" (GROUND) (("1" (SKOLEM!) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))) ("3" (INST?) (("3" (GROUND) NIL))))))))))))))))))))))))) (|gen_intersection_two| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[X]") (("" (INST?) 
(("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "gen_intersection") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))) ("3" (SKOSIMP*) (("3" (GROUND) NIL))))))))))))))))))))))))) (|gen_union_one| "" (SKOLEM!) (("" (CASE "singleton(s!1) /= {s | s = s!1 or s = s!1}") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[X]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "singleton") (("1" (GROUND) NIL))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_union_two") (("2" (REWRITE "union_idempotent") NIL))))))))))) (|gen_intersection_one| "" (SKOLEM!) (("" (CASE "singleton(s!1) /= {s | s = s!1 or s = s!1}") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[X]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "singleton") (("1" (GROUND) NIL))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_intersection_two") (("2" (REWRITE "intersection_idempotent") NIL))))))))))) (|gen_intersection_bigger| "" (SKOSIMP*) (("" (EXPAND "subset?") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (INST?) (("" (INST?) (("" (EXPAND "member") (("" (GROUND) NIL))))))))))))))))))) (|gen_union_smaller| "" (SKOSIMP*) (("" (EXPAND "subset?") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (INST?) (("" (INST?) (("" (EXPAND "member") (("" (GROUND) NIL))))))))))))))))))) (|contains_one_def| "" (SKOLEM!) (("" (EXPAND "contains_one") (("" (REWRITE "nonempty_th") (("" (EXPAND "contains_at_most_one") (("" (EXPAND "member") (("" (GROUND) (("1" (SKOSIMP*) (("1" (INSTANTIATE 1 "x!1") (("1" (EXTENSIONALITY "setof[X]") (("1" (INST?) (("1" (GROUND) (("1" (SKOLEM!) (("1" (DELETE 2) (("1" (EXPAND "singleton") (("1" (IFF) (("1" (GROUND) (("1" (INST?) 
(("1" (GROUND) NIL))))))))))))))))))))))) ("2" (SKOLEM!) (("2" (INST?) (("2" (REPLACE -1 :HIDE? -1) (("2" (EXPAND "singleton") (("2" (PROPAX) NIL))))))))) ("3" (SKOSIMP*) (("3" (REPLACE -3 :HIDE? -3) (("3" (EXPAND "singleton") (("3" (GROUND) NIL)))))))))))))))))))) $$$compose.pvs compose[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING gen_set IMPORTING component[ST, AG] cset: VAR setof[(comp_t)] cmp, cmp1, cmp2: VAR (comp_t) st, st1, st2, st3, st4: VAR ST ag: VAR AG agreeable_start(cset): bool = (EXISTS st: (FORALL cmp: member(cmp, cset) IMPLIES member(st, init(cmp)))) composable(cset): bool = cset /= emptyset AND agreeable_start(cset) st_set: VAR setof[ST] inits_for(cset): setof[setof[ST]] = (LAMBDA st_set: (EXISTS cmp: member(cmp, cset) AND st_set = init(cmp))) compose_init(cset): setof[ST] = gen_intersection(inits_for(cset)) tranc: VAR TRANSITION_CLASS guars_for(cset): setof[TRANSITION_CLASS] = (LAMBDA tranc: (EXISTS cmp: member(cmp, cset) AND tranc = guar(cmp))) guar_or_hidds_for(cset): setof[TRANSITION_CLASS] = (LAMBDA tranc: (EXISTS cmp: member(cmp, cset) AND tranc = union(guar(cmp), hidd(cmp)))) relys_for(cset): setof[TRANSITION_CLASS] = (LAMBDA tranc: (EXISTS cmp: member(cmp, cset) AND tranc = rely(cmp))) hidds_for(cset): setof[TRANSITION_CLASS] = (LAMBDA tranc: (EXISTS cmp: member(cmp, cset) AND tranc = hidd(cmp))) v: VAR (VIEWS) views_for(cset): setof[(VIEWS)] = (LAMBDA v: (EXISTS cmp: member(cmp, cset) AND v = view(cmp))) ag_set: VAR setof[AG] cagss_for(cset): setof[setof[AG]] = (LAMBDA ag_set: (EXISTS cmp: member(cmp, cset) AND ag_set = cags(cmp))) tc_set: VAR setof[TRANSITION_CLASS] sfars_for(cset): setof[setof[TRANSITION_CLASS]] = (LAMBDA tc_set: (EXISTS cmp: member(cmp, cset) AND tc_set = sfar(cmp))) wfars_for(cset): setof[setof[TRANSITION_CLASS]] = (LAMBDA tc_set: (EXISTS cmp: member(cmp, cset) AND tc_set = wfar(cmp))) compose_guar(cset): setof[transition] = intersection(gen_intersection(guar_or_hidds_for(cset)), 
gen_union(guars_for(cset))) compose_rely(cset): setof[transition] = gen_intersection(relys_for(cset)) compose_hidd(cset): setof[transition] = gen_intersection(hidds_for(cset)) compose_cags(cset): setof[AG] = gen_union(cagss_for(cset)) compose_view_base(cset): setof[[ST, ST]] = gen_intersection(extend[setof[[ST, ST]], ((VIEWS)), bool, FALSE](views_for(cset))) compose_view_tc: THEOREM VIEWS(compose_view_base(cset)) compose_view(cset): (VIEWS[ST]) = gen_intersection(extend[setof[[ST, ST]], ((VIEWS)), bool, FALSE](views_for(cset))) compose_wfar(cset): setof[TRANSITION_CLASS] = gen_union(wfars_for(cset)) compose_sfar(cset): setof[TRANSITION_CLASS] = gen_union(sfars_for(cset)) compose_base(cset): base_comp_t[ST, AG] = (# init := compose_init(cset), guar := compose_guar(cset), rely := compose_rely(cset), hidd := compose_hidd(cset), cags := compose_cags(cset), view := compose_view(cset), wfar := compose_wfar(cset), sfar := compose_sfar(cset) #) compose_base_init: THEOREM cset /= emptyset AND agreeable_start(cset) IMPLIES init_restriction(compose_base(cset)) compose_base_guar: THEOREM guar_restriction(compose_base(cset)) compose_base_rely_hidd: THEOREM rely_hidd_restriction(compose_base(cset)) compose_base_hidd: THEOREM hidd_restriction(compose_base(cset)) compose_base_cags: THEOREM cset /= emptyset IMPLIES cags_restriction(compose_base(cset)) compose_base_view_rely: THEOREM view_rely_restriction(compose_base(cset)) compose_base_view_hidd: THEOREM view_hidd_restriction(compose_base(cset)) compose_base_view_guar: THEOREM view_guar_restriction(compose_base(cset)) compose_base_view_init: THEOREM view_init_restriction(compose_base(cset)) compose_base_view_sfar: THEOREM view_sfar_restriction(compose_base(cset)) compose_base_view_wfar: THEOREM view_wfar_restriction(compose_base(cset)) compose_base_guar_stuttering: THEOREM guar_stuttering_restriction(compose_base(cset)) compose_base_rely_stuttering: THEOREM rely_stuttering_restriction(compose_base(cset)) cmset: VAR (composable) 
compose_base_tc: THEOREM comp_t(compose_base(cmset)) compose(cmset): (comp_t) = (# init := compose_init(cmset), guar := compose_guar(cmset), rely := compose_rely(cmset), hidd := compose_hidd(cmset), cags := compose_cags(cmset), view := compose_view(cmset), wfar := compose_wfar(cmset), sfar := compose_sfar(cmset) #) END compose $$$compose.prf (|compose| (|compose_view_tc| "" (SKOLEM!) (("" (EXPAND "VIEWS") (("" (SPLIT) (("1" (EXPAND "compose_view_base") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "views_for") (("1" (EXPAND "extend") (("1" (SPLIT) (("1" (EXPAND "VIEWS") (("1" (FLATTEN) (("1" (INST?) NIL))))) ("2" (GROUND) NIL))))))))))))))) ("2" (SKOSIMP*) (("2" (EXPAND "compose_view_base") (("2" (EXPAND "extend") (("2" (EXPAND "gen_intersection") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (INST?) (("2" (SPLIT) (("1" (SPLIT) (("1" (EXPAND "VIEWS") (("1" (FLATTEN) (("1" (INSTANTIATE -2 ("x1!1" "x2!1")) (("1" (GROUND) NIL))))))) ("2" (GROUND) NIL))) ("2" (FLATTEN) (("2" (ASSERT) NIL))) ("3" (FLATTEN) (("3" (GROUND) NIL))))))))))))))))))) ("3" (SKOSIMP*) (("3" (EXPAND "compose_view_base") (("3" (EXPAND "gen_intersection") (("3" (SKOSIMP*) (("3" (INST?) (("3" (INST?) (("3" (EXPAND "member") (("3" (EXPAND "extend") (("3" (CASE "VIEWS(s!1)") (("1" (ASSERT) (("1" (GROUND) (("1" (EXPAND "VIEWS") (("1" (FLATTEN) (("1" (INSTANTIATE -5 ("x1!1" "x2!1" "x3!1")) (("1" (GROUND) NIL))))))))))) ("2" (ASSERT) NIL))))))))))))))))))))))))) (|compose_view_TCC1| "" (SKOLEM!) (("" (LEMMA "compose_view_tc") (("" (INST?) (("" (EXPAND "compose_view_base") (("" (PROPAX) NIL))))))))) (|compose_base_init| "" (SKOLEM!) (("" (REWRITE "nonempty_th") (("" (EXPAND "init_restriction") (("" (REWRITE "nonempty_th") (("" (SKOSIMP*) (("" (EXPAND "agreeable_start") (("" (SKOLEM!) 
(("" (INSTANTIATE 1 "st!1") (("" (EXPAND "member" +) (("" (EXPAND "compose_base") (("" (EXPAND "compose_init") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "inits_for") (("" (SKOLEM!) (("" (INSTANTIATE -2 "cmp!1") (("" (EXPAND "member") (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))) (|compose_base_guar| "" (SKOLEM!) (("" (EXPAND "guar_restriction") (("" (SKOSIMP*) (("" (EXPAND "compose_base") (("" (EXPAND "compose_cags") (("" (EXPAND "compose_guar") (("" (EXPAND "member") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "guars_for") (("" (SKOSIMP*) (("" (INSTANTIATE 1 "cags(cmp!1)") (("" (EXPAND "cagss_for") (("" (SPLIT) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (LEMMA "component_guar") (("2" (INST?) (("2" (EXPAND "guar_restriction") (("2" (EXPAND "member") (("2" (INSTANTIATE -1 ("st1!1" "st2!1" "ag!1")) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_rely_hidd| "" (SKOLEM!) (("" (EXPAND "rely_hidd_restriction") (("" (EXPAND "subset?") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose_base") (("" (EXPAND "compose_hidd") (("" (EXPAND "compose_rely") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "relys_for") (("" (EXPAND "hidds_for") (("" (SKOSIMP*) (("" (INSTANTIATE -1 "rely(cmp!1)") (("" (CASE "not rely(cmp!1)(x!1)") (("1" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (DELETE -2) (("2" (LEMMA "component_rely_hidd") (("2" (INST?) (("2" (EXPAND "rely_hidd_restriction") (("2" (EXPAND "subset?") (("2" (INST?) (("2" (EXPAND "member") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_hidd| "" (SKOLEM!) 
(("" (EXPAND "hidd_restriction") (("" (SKOSIMP*) (("" (EXPAND "compose_base") (("" (EXPAND "member") (("" (EXPAND "compose_hidd") (("" (EXPAND "compose_cags") (("" (EXPAND "gen_intersection") (("" (EXPAND "gen_union") (("" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "member") (("" (EXPAND "cagss_for") (("" (SKOLEM!) (("" (INSTANTIATE -1 "hidd(cmp!1)") (("" (CASE "not hidds_for(cset!1)(hidd(cmp!1))") (("1" (EXPAND "hidds_for" +) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (GROUND) (("2" (REPLACE -4 :HIDE? -4) (("2" (TYPEPRED "cmp!1") (("2" (EXPAND "comp_t") (("2" (EXPAND "hidd_restriction") (("2" (FLATTEN) (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_cags| "" (SKOLEM!) (("" (REWRITE "nonempty_th") (("" (FLATTEN) (("" (SKOLEM!) (("" (EXPAND "cags_restriction") (("" (REWRITE "nonempty_th") (("" (LEMMA "component_cags") (("" (INST?) (("" (EXPAND "cags_restriction") (("" (REWRITE "nonempty_th") (("" (SKOSIMP*) (("" (INST?) (("" (EXPAND "member" +) (("" (EXPAND "compose_base") (("" (EXPAND "compose_cags") (("" (EXPAND "gen_union") (("" (INST?) (("" (GROUND) (("" (EXPAND "member" +) (("" (EXPAND "cagss_for") (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))) (|compose_base_view_rely| "" (SKOLEM!) (("" (EXPAND "view_rely_restriction") (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "compose_base") (("" (EXPAND "compose_view") (("" (EXPAND "compose_rely") (("" (EXPAND "gen_intersection") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (EXPAND "relys_for") (("" (SKOLEM!) (("" (FLATTEN) (("" (REPLACE -5 :HIDE? -5) (("" (TYPEPRED "cmp!1") (("" (EXPAND "comp_t") (("" (EXPAND "view_rely_restriction") (("" (FLATTEN) (("" (EXPAND "gen_view_restriction") (("" (EXPAND "member") (("" (EXPAND "extend") (("" (CASE "not views_for(cset!1)(view(cmp!1))") (("1" (EXPAND "views_for" +) (("1" (INST?) 
(("1" (EXPAND "member") (("1" (PROPAX) NIL))))))) ("2" (GROUND) (("2" (INSTANTIATE -7 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_view_hidd| "" (SKOLEM!) (("" (EXPAND "view_hidd_restriction") (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "compose_base") (("" (EXPAND "compose_view") (("" (EXPAND "compose_hidd") (("" (EXPAND "gen_intersection") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (EXPAND "hidds_for") (("" (SKOLEM!) (("" (FLATTEN) (("" (REPLACE -5 :HIDE? -5) (("" (TYPEPRED "cmp!1") (("" (EXPAND "comp_t") (("" (EXPAND "view_hidd_restriction") (("" (FLATTEN) (("" (EXPAND "gen_view_restriction") (("" (EXPAND "member") (("" (EXPAND "extend") (("" (CASE "not views_for(cset!1)(view(cmp!1))") (("1" (EXPAND "views_for" +) (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))) ("2" (GROUND) (("2" (INSTANTIATE -8 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_view_guar| "" (SKOSIMP*) (("" (EXPAND "view_guar_restriction") (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "compose_base") (("" (EXPAND "compose_view") (("" (EXPAND "member") (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (EXPAND "gen_union") (("" (GROUND) (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "guar_or_hidds_for") (("1" (SKOSIMP*) (("1" (INSTANTIATE -3 "view(cmp!1)") (("1" (INSTANTIATE -4 "view(cmp!1)") (("1" (INSTANTIATE -5 "union(guar(cmp!1),hidd(cmp!1))") (("1" (EXPAND "extend") (("1" (CASE "not views_for(cset!1)(view(cmp!1))") (("1" (EXPAND "views_for") (("1" (INST?) 
(("1" (GROUND) NIL))))) ("2" (GROUND) (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (REPLACE -6 :HIDE? -6) (("1" (SIMPLIFY) (("1" (GROUND) (("1" (LEMMA "component_view_guar") (("1" (INST?) (("1" (EXPAND "view_guar_restriction") (("1" (EXPAND "gen_view_restriction") (("1" (EXPAND "member") (("1" (INSTANTIATE -1 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("1" (GROUND) NIL))))))))))))) ("2" (LEMMA "component_view_hidd") (("2" (INST?) (("2" (EXPAND "view_hidd_restriction") (("2" (EXPAND "gen_view_restriction") (("2" (EXPAND "member") (("2" (INSTANTIATE -1 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (GROUND) NIL))))))))))))))))))))))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "guars_for") (("2" (SKOSIMP*) (("2" (INSTANTIATE -1 "view(cmp!1)") (("2" (INSTANTIATE -2 "view(cmp!1)") (("2" (INSTANTIATE 1 "guar(cmp!1)") (("2" (EXPAND "extend") (("2" (CASE "not views_for(cset!1)(view(cmp!1))") (("1" (EXPAND "views_for") (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (LEMMA "component_view_guar") (("2" (INST?) (("2" (EXPAND "view_guar_restriction") (("2" (EXPAND "gen_view_restriction") (("2" (EXPAND "member") (("2" (INSTANTIATE -1 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_view_init| "" (SKOLEM!) (("" (EXPAND "view_init_restriction") (("" (SKOSIMP*) (("" (EXPAND "compose_base") (("" (EXPAND "compose_init") (("" (EXPAND "compose_view") (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "inits_for") (("" (SKOSIMP*) (("" (INSTANTIATE -2 "init(cmp!1)") (("" (INSTANTIATE -1 "view(cmp!1)") (("" (EXPAND "extend") (("" (GROUND) (("1" (LEMMA "component_view_init") (("1" (INST?) (("1" (EXPAND "view_init_restriction") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))) ("2" (INST?) 
(("2" (GROUND) NIL))) ("3" (EXPAND "views_for") (("3" (INST?) (("3" (GROUND) NIL))))) ("4" (INST?) (("4" (GROUND) NIL))))))))))))))))))))))))))))))))))) (|compose_base_view_sfar| "" (SKOLEM!) (("" (EXPAND "view_sfar_restriction") (("" (SKOSIMP*) (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose_base") (("" (EXPAND "compose_sfar") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "sfars_for") (("" (SKOSIMP*) (("" (EXPAND "compose_view") (("" (EXPAND "gen_intersection") (("" (INSTANTIATE -4 "view(cmp!1)") (("" (INSTANTIATE -5 "view(cmp!1)") (("" (EXPAND "member") (("" (EXPAND "extend") (("" (CASE "not views_for(cset!1)(view(cmp!1))") (("1" (EXPAND "views_for" +) (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) NIL))))))) ("2" (GROUND) (("2" (LEMMA "component_view_sfar") (("2" (INST?) (("2" (EXPAND "view_sfar_restriction") (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) (("2" (EXPAND "gen_view_restriction") (("2" (INSTANTIATE -1 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_view_wfar| "" (SKOLEM!) (("" (EXPAND "view_wfar_restriction") (("" (SKOSIMP*) (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose_base") (("" (EXPAND "compose_wfar") (("" (EXPAND "gen_union") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "wfars_for") (("" (SKOSIMP*) (("" (EXPAND "compose_view") (("" (EXPAND "gen_intersection") (("" (INSTANTIATE -4 "view(cmp!1)") (("" (INSTANTIATE -5 "view(cmp!1)") (("" (EXPAND "member") (("" (EXPAND "extend") (("" (CASE "not views_for(cset!1)(view(cmp!1))") (("1" (EXPAND "views_for" +) (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) NIL))))))) ("2" (GROUND) (("2" (LEMMA "component_view_wfar") (("2" (INST?) (("2" (EXPAND "view_wfar_restriction") (("2" (EXPAND "member") (("2" (INST?) 
(("2" (GROUND) (("2" (EXPAND "gen_view_restriction") (("2" (INSTANTIATE -1 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_guar_stuttering| "" (SKOLEM!) (("" (EXPAND "guar_stuttering_restriction") (("" (EXPAND "gen_stuttering_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "compose_base") (("" (EXPAND "compose_guar") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (SPLIT) (("1" (EXPAND "compose_view") (("1" (EXPAND "gen_intersection") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "guar_or_hidds_for") (("1" (SKOSIMP*) (("1" (INSTANTIATE -4 "view(cmp!1)") (("1" (EXPAND "extend") (("1" (SPLIT -4) (("1" (REPLACE -3 :HIDE? -3) (("1" (EXPAND "union") (("1" (CASE "member(ag!1,cags(cmp!1))") (("1" (LEMMA "component_guar_stuttering") (("1" (INST?) (("1" (EXPAND "guar_stuttering_restriction") (("1" (EXPAND "gen_stuttering_restriction") (("1" (INST?) (("1" (GROUND) NIL))))))))))) ("2" (CASE "not member(ag!1,complement(cags(cmp!1)))") (("1" (EXPAND "member") (("1" (EXPAND "complement") (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))) ("2" (LEMMA "component_hidd_stuttering") (("2" (INST?) (("2" (GROUND) (("2" (EXPAND "hidd_stuttering_restriction") (("2" (EXPAND "gen_stuttering_restriction") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))) ("2" (EXPAND "views_for") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))) ("2" (EXPAND "compose_cags") (("2" (EXPAND "gen_union") (("2" (SKOSIMP*) (("2" (EXPAND "member") (("2" (EXPAND "cagss_for") (("2" (SKOSIMP*) (("2" (INSTANTIATE 1 "guar(cmp!1)") (("2" (GROUND) (("1" (EXPAND "guars_for") (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (EXPAND "compose_view") (("2" (EXPAND "gen_intersection") (("2" (INSTANTIATE -4 "view(cmp!1)") (("2" (EXPAND "member") (("2" (EXPAND "extend") (("2" (GROUND) (("1" (LEMMA "component_guar_stuttering") (("1" (INST?) 
(("1" (EXPAND "guar_stuttering_restriction") (("1" (EXPAND "gen_stuttering_restriction") (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) NIL))))))))))))) ("2" (EXPAND "views_for") (("2" (INST?) (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|compose_base_rely_stuttering| "" (SKOSIMP*) (("" (EXPAND "rely_stuttering_restriction") (("" (EXPAND "gen_stuttering_restriction") (("" (SKOSIMP*) (("" (EXPAND "compose_base") (("" (EXPAND "compose_rely") (("" (EXPAND "compose_view") (("" (EXPAND "compose_cags") (("" (EXPAND "member") (("" (EXPAND "complement") (("" (EXPAND "member") (("" (EXPAND "gen_intersection") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "relys_for") (("" (SKOSIMP*) (("" (INSTANTIATE -1 "view(cmp!1)") (("" (EXPAND "extend") (("" (GROUND) (("1" (EXPAND "gen_union") (("1" (INSTANTIATE 1 "cags(cmp!1)") (("1" (GROUND) (("1" (EXPAND "member") (("1" (EXPAND "cagss_for") (("1" (INST?) (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))) ("2" (LEMMA "component_rely_stuttering") (("2" (INST?) (("2" (EXPAND "rely_stuttering_restriction") (("2" (EXPAND "gen_stuttering_restriction") (("2" (EXPAND "member") (("2" (INST?) (("2" (INST?) (("2" (EXPAND "complement") (("2" (PROPAX) NIL))))))))))))))))))))))) ("2" (EXPAND "views_for") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))) (|compose_base_tc| "" (SKOLEM!) 
(("" (TYPEPRED "cmset!1") (("" (GROUND) (("" (EXPAND "composable") (("" (EXPAND "comp_t") (("" (REWRITE "compose_base_init") (("" (REWRITE "compose_base_guar") (("" (REWRITE "compose_base_rely_hidd") (("" (REWRITE "compose_base_hidd") (("" (REWRITE "compose_base_cags") (("" (REWRITE "compose_base_view_rely") (("" (REWRITE "compose_base_view_hidd") (("" (REWRITE "compose_base_view_guar") (("" (REWRITE "compose_base_view_init") (("" (REWRITE "compose_base_view_wfar") (("" (REWRITE "compose_base_view_sfar") (("" (REWRITE "compose_base_guar_stuttering") (("" (REWRITE "compose_base_rely_stuttering") (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))) (|compose_TCC1| "" (SKOLEM!) (("" (LEMMA "compose_base_tc") (("" (INST?) (("" (EXPAND "compose_base") (("" (PROPAX) NIL)))))))))) $$$compose_idempotent.pvs compose_idempotent[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING compose[ST, AG] cmp: VAR (comp_t) ci_init: THEOREM compose_init(singleton(cmp)) = init(cmp) ci_cags: THEOREM compose_cags(singleton(cmp)) = cags(cmp) ci_guar: THEOREM compose_guar(singleton(cmp)) = guar(cmp) ci_rely: THEOREM compose_rely(singleton(cmp)) = rely(cmp) ci_hidd: THEOREM compose_hidd(singleton(cmp)) = hidd(cmp) ci_view: THEOREM compose_view(singleton(cmp)) = view(cmp) ci_sfar: THEOREM compose_sfar(singleton(cmp)) = sfar(cmp) ci_wfar: THEOREM compose_wfar(singleton(cmp)) = wfar(cmp) ci_composable: THEOREM composable(singleton(cmp)) ci_component: THEOREM compose(singleton(cmp)) = cmp END compose_idempotent $$$compose_idempotent.prf (|compose_idempotent| (|ci_init| "" (SKOLEM!) (("" (EXPAND "compose_init") (("" (CASE "inits_for(singleton(cmp!1)) /= singleton(init(cmp!1))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[ST]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "inits_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) NIL))) ("2" (INST?) 
(("2" (GROUND) NIL))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_intersection_one") NIL))))))))))) (|ci_cags| "" (SKOLEM!) (("" (CASE "cagss_for(singleton(cmp!1)) /= singleton(cags(cmp!1))") (("1" (DELETE 1) (("1" (EXTENSIONALITY "setof[setof[AG]]") (("1" (FLATTEN) (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (EXPAND "cagss_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (IFF) (("1" (GROUND) (("1" (SKOLEM!) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (EXPAND "compose_cags") (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_union_one") NIL))))))))))) (|ci_guar| "" (SKOLEM!) (("" (EXPAND "compose_guar") (("" (CASE "guar_or_hidds_for(singleton(cmp!1)) /= singleton(union(guar(cmp!1),hidd(cmp!1)))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[[ST,ST,AG]]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "guar_or_hidds_for") (("1" (EXPAND "union") (("1" (EXPAND "singleton") (("1" (EXPAND "member") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) (("1" (REPLACE -2) (("1" (REPLACE -1) (("1" (PROPAX) NIL))))))))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (CASE "guars_for(singleton(cmp!1)) /= singleton(guar(cmp!1))") (("1" (DELETE 1) (("1" (EXTENSIONALITY "setof[setof[[ST,ST,AG]]]") (("1" (FLATTEN) (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "guars_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (GROUND) (("1" (SKOLEM!) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? 
-1) (("2" (REWRITE "gen_intersection_one") (("2" (REWRITE "gen_union_one") (("2" (REWRITE "intersection_commutative") (("2" (REWRITE "intersection_subset2") (("2" (REWRITE "union_subset1") NIL))))))))))))))))))))))))) (|ci_rely| "" (SKOLEM!) (("" (EXPAND "compose_rely") (("" (CASE "relys_for(singleton(cmp!1)) /= singleton(rely(cmp!1))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[[ST,ST,AG]]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "relys_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_intersection_one") NIL))))))))))) (|ci_hidd| "" (SKOLEM!) (("" (EXPAND "compose_hidd") (("" (CASE "hidds_for(singleton(cmp!1)) /= singleton(hidd(cmp!1))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[[ST,ST,AG]]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "hidds_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_intersection_one") NIL))))))))))) (|ci_view| "" (SKOLEM!) (("" (EXPAND "compose_view") (("" (EXPAND "extend") (("" (CASE "(LAMBDA (t:setof[[ST,ST]]): IF VIEWS[ST](t) THEN views_for(singleton(cmp!1))(t) ELSE FALSE ENDIF) /= singleton(view(cmp!1))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[[ST,ST]]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "extend") (("1" (EXPAND "views_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (GROUND) (("1" (SKOLEM!) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? 
-1) (("2" (LEMMA "gen_intersection_one[[ST,ST]]") (("2" (INST?) (("2" (GROUND) (("2" (REPLACE -1 1 RL :HIDE? -1) (("2" (EXPAND "extend") (("2" (EXPAND "gen_intersection") (("2" (EXPAND "member") (("2" (EXPAND "singleton") (("2" (EXTENSIONALITY "setof[[ST,ST]]") (("2" (INST?) (("2" (GROUND) (("2" (DELETE 2) (("2" (SKOLEM!) (("2" (GROUND) (("2" (IFF) (("2" (GROUND) (("1" (SKOSIMP*) (("1" (INST?) (("1" (REPLACE -2 :HIDE? -2) (("1" (ASSERT) (("1" (EXTENSIONALITY "setof[[ST,ST]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2 3) (("1" (SKOLEM!) (("1" (IFF) (("1" (GROUND) (("1" (SKOSIMP*) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (INST?) (("2" (GROUND) (("2" (REPLACE -2 :HIDE? -2) (("2" (DELETE -1 2) (("2" (EXTENSIONALITY "setof[[ST,ST]]") (("2" (INST?) (("2" (GROUND) (("2" (DELETE 2) (("2" (SKOSIMP*) (("2" (IFF) (("2" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (SKOSIMP*) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|ci_sfar| "" (SKOLEM!) (("" (EXPAND "compose_sfar") (("" (CASE "sfars_for(singleton(cmp!1)) /= singleton(sfar(cmp!1))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[setof[[ST,ST,AG]]]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "sfars_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (GROUND) (("1" (SKOLEM!) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_union_one") NIL))))))))))) (|ci_wfar| "" (SKOLEM!) (("" (EXPAND "compose_wfar") (("" (CASE "wfars_for(singleton(cmp!1)) /= singleton(wfar(cmp!1))") (("1" (DELETE 1) (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[setof[setof[[ST,ST,AG]]]]") (("1" (INST?) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (IFF) (("1" (EXPAND "wfars_for") (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (GROUND) (("1" (SKOLEM!) 
(("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (REWRITE "gen_union_one") NIL))))))))))) (|ci_composable| "" (SKOLEM!) (("" (EXPAND "composable") (("" (REWRITE "nonempty_th") (("" (GROUND) (("1" (INST?) (("1" (EXPAND "member") (("1" (EXPAND "singleton") (("1" (PROPAX) NIL))))))) ("2" (EXPAND "agreeable_start") (("2" (LEMMA "component_init") (("2" (INST?) (("2" (EXPAND "init_restriction") (("2" (REWRITE "nonempty_th") (("2" (SKOLEM!) (("2" (INST?) (("2" (SKOLEM!) (("2" (EXPAND "member") (("2" (EXPAND "singleton") (("2" (GROUND) NIL))))))))))))))))))))))))))))) (|ci_component_TCC1| "" (SKOLEM!) (("" (REWRITE "ci_composable") NIL))) (|ci_component| "" (SKOLEM!) (("" (EXTENSIONALITY "(comp_t)") (("" (INST?) (("1" (EXPAND "compose") (("1" (REWRITE "ci_cags") (("1" (REWRITE "ci_guar") (("1" (REWRITE "ci_init") (("1" (REWRITE "ci_rely") (("1" (REWRITE "ci_sfar") (("1" (REWRITE "ci_wfar") (("1" (REWRITE "ci_view") (("1" (REWRITE "ci_hidd") (("1" (GROUND) NIL))))))))))))))))))) ("2" (REWRITE "ci_composable") NIL))))))))
$$$ac_translators.pvs
% ac_translators : translation of labelled transitions.  A transition is
% a triple (pre-state, post-state, agent); tr_ac carries a set of such
% triples from the state/agent spaces (X1, Y1) to (X, Y) through a state
% translator xt and an agent translator yt.  translator_t and
% weak_translator_t are defined in theory translators (not shown here);
% note that the agent side only requires the weak form.
ac_translators[X1: NONEMPTY_TYPE, Y1: NONEMPTY_TYPE, X: NONEMPTY_TYPE, Y: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING translators[X1, X]
  IMPORTING translators[Y1, Y]

  ap, ap1, ap2: VAR setof[[X1, X1, Y1]]
  xt: VAR (translator_t[X1, X])
  yt: VAR (weak_translator_t[Y1, Y])
  x1, x2: VAR X
  y: VAR Y
  a1, a2: VAR X1
  b: VAR Y1

  % Image of ap under (xt, yt): (x1, x2, y) is in the result iff some
  % (a1, a2, b) in ap maps onto it coordinate-wise.  Being an image, the
  % result never contains a transition that has no source counterpart.
  tr_ac(ap, xt, yt): setof[[X, X, Y]] =
    (LAMBDA x1, x2, y:
      (EXISTS a1, a2, b:
        member((a1, a2, b), ap) AND
        member(x1, xt(a1)) AND member(x2, xt(a2)) AND member(y, yt(b))))

  % tr_ac distributes over intersection and union.  The inclusion of
  % intersection(tr_ac(ap1), tr_ac(ap2)) in tr_ac(intersection(ap1, ap2))
  % is the non-trivial direction: the proof applies lemma help3 (from
  % translators) once per coordinate, presumably to identify the two
  % preimages of a common target element -- confirm against translators.
  tr_ac_intersection: THEOREM
    tr_ac(intersection(ap1, ap2), xt, yt) =
      intersection(tr_ac(ap1, xt, yt), tr_ac(ap2, xt, yt))

  tr_ac_union: THEOREM
    tr_ac(union(ap1, ap2), xt, yt) =
      union(tr_ac(ap1, xt, yt), tr_ac(ap2, xt, yt))
END ac_translators
$$$ac_translators.prf
(|ac_translators| (|tr_ac_intersection| "" (SKOLEM!) 
(("" (EXPAND "tr_ac") (("" (EXPAND "intersection") (("" (EXPAND "member") (("" (REWRITE "extensionality") (("" (HIDE 2) (("" (SKOLEM!) (("" (IFF) (("" (SPLIT) (("1" (FLATTEN) (("1" (SKOSIMP*) (("1" (SPLIT) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))) ("2" (FLATTEN) (("2" (SKOLEM!) (("2" (SKOLEM!) (("2" (FLATTEN) (("2" (INST?) (("2" (GROUND) (("2" (LEMMA "help3[X1,X]") (("2" (INST -1 "xt!1" "a1!1" "a1!2" "PROJ_1(x!1)") (("2" (LEMMA "help3[X1,X]") (("2" (INST -1 "xt!1" "a2!1" "a2!2" "PROJ_2(x!1)") (("2" (GROUND) (("2" (REPLACE -1) (("2" (REPLACE -2) (("2" (LEMMA "help3[Y1,Y]") (("2" (INST -1 "yt!1" "b!1" "b!2" "PROJ_3(x!1)") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))) (|tr_ac_union| "" (SKOLEM!) (("" (REWRITE "extensionality") (("" (HIDE 2) (("" (SKOLEM!) (("" (IFF) (("" (EXPAND "tr_ac") (("" (EXPAND "union") (("" (EXPAND "member") (("" (SPLIT) (("1" (FLATTEN) (("1" (SKOSIMP*) (("1" (SPLIT) (("1" (HIDE 2) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (HIDE 1) (("2" (INST?) (("2" (GROUND) NIL))))))))))) ("2" (SKOSIMP*) (("2" (SPLIT) (("1" (SKOSIMP*) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (SKOSIMP*) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))
$$$tcs_translators.pvs
% tcs_translators : lifts tr_ac from a single transition set to a set of
% transition sets.  cmp_translators uses tr_tcs to carry a component's
% fairness sets (wfar, sfar), which are sets of transition classes,
% across a translation.
tcs_translators[X1: NONEMPTY_TYPE, Y1: NONEMPTY_TYPE, X: NONEMPTY_TYPE, Y: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING ac_translators[X1, Y1, X, Y]

  tca : VAR setof[[X1,X1,Y1]]
  tcb : VAR setof[[X,X,Y]]
  tcsa, tcsa1, tcsa2 : VAR setof[setof[[X1,X1,Y1]]]
  xt: VAR (translator_t[X1, X])
  yt: VAR (weak_translator_t[Y1, Y])

  % tcb is in the image iff it is exactly tr_ac of some member of tcsa.
  tr_tcs(tcsa, xt, yt): setof[setof[[X,X,Y]]] =
    (LAMBDA tcb: (exists tca: member(tca,tcsa) and tr_ac(tca,xt,yt) = tcb))

  % Only a union law is stated for tr_tcs; unlike tr_ac, no intersection
  % law is claimed in this theory.
  tr_tcs_union: THEOREM
    tr_tcs(union(tcsa1, tcsa2), xt, yt) =
      union(tr_tcs(tcsa1, xt, yt), tr_tcs(tcsa2, xt, yt))
END tcs_translators
$$$tcs_translators.prf
(|tcs_translators| (|tr_tcs_union| "" (SKOLEM!) (("" (EXTENSIONALITY "setof[setof[[X,X,Y]]]") (("" (INST?) (("" (GROUND) (("" (DELETE 2) (("" (SKOLEM!) 
(("" (IFF) (("" (EXPAND "tr_tcs") (("" (EXPAND "union") (("" (EXPAND "member") (("" (GROUND) (("1" (SKOSIMP*) (("1" (SPLIT) (("1" (DELETE 2) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (DELETE 1) (("2" (INST?) (("2" (GROUND) NIL))))))))) ("2" (SKOSIMP*) (("2" (INST?) (("2" (GROUND) NIL))))) ("3" (SKOSIMP*) (("3" (INST?) (("3" (GROUND) NIL))))))))))))))))))))))))))))
$$$translator_views.pvs
% translator_views : carries a view (a relation on states of subtype
% VIEWS[X], from theory views -- not shown here) across a state
% translator t.  brmap is the same construction on an arbitrary
% BASE_RELATIONS[X]; vmap_brmap records that the two agree, so the
% BASE_RELATIONS laws transfer to views.
translator_views[X: NONEMPTY_TYPE, Y: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING translators[X, Y]
  IMPORTING views[X]
  IMPORTING views[Y]

  t: VAR (translator_t)
  v, v1, v2: VAR (VIEWS[X])
  vy: VAR (VIEWS[Y])
  br, br1, br2: VAR BASE_RELATIONS[X]
  x, x1, x2: VAR X
  y, y1, y2: VAR Y

  % Image of v: (y1, y2) are related iff some v-related (x1, x2)
  % translates to them.  The return type (VIEWS[Y]) generates vmap_TCC1;
  % its proof expands VIEWS into three obligations discharged with
  % help3/help5 from translators (presumably the view axioms -- confirm
  % in theory views).
  vmap(t, v): (VIEWS[Y]) =
    (LAMBDA y1, y2:
      (EXISTS x1, x2:
        member((x1, x2), v) AND member(y1, t(x1)) AND member(y2, t(x2))))

  % Same construction without the VIEWS constraint.
  brmap(t, br): BASE_RELATIONS[Y] =
    (LAMBDA y1, y2:
      (EXISTS x1, x2:
        member((x1, x2), br) AND member(y1, t(x1)) AND member(y2, t(x2))))

  % brmap distributes over intersection and union; as in ac_translators
  % the intersection case relies on lemma help3.
  brmap_intersection: THEOREM
    brmap(t, intersection(br1, br2)) = intersection(brmap(t, br1), brmap(t, br2))
  brmap_union: THEOREM
    brmap(t, union(br1, br2)) = union(brmap(t, br1), brmap(t, br2))

  vmap_brmap: THEOREM vmap(t, v) = brmap(t, v)

  % intersection(v1, v2) is again a view (the TCC is discharged by
  % view_and_prop from theory views); the theorem itself follows from
  % vmap_brmap and brmap_intersection.
  vmap_intersection: THEOREM
    vmap(t, intersection(v1, v2)) = intersection(vmap(t, v1), vmap(t, v2))
END translator_views
$$$translator_views.prf
(|translator_views| (|vmap_TCC1| "" (SKOLEM!) (("" (EXPAND "member") (("" (TYPEPRED "v!1") (("" (EXPAND "VIEWS") (("" (GROUND) (("1" (SKOLEM!) (("1" (LEMMA "help5[X,Y]") (("1" (INSTANTIATE -1 ("t!1" "x!1")) (("1" (SKOLEM!) (("1" (INST? -2) (("1" (INST? 1) (("1" (GROUND) NIL))))))))))))) ("2" (SKOLEM!) (("2" (FLATTEN) (("2" (SKOLEM!) (("2" (FLATTEN) (("2" (INSTANTIATE 1 ("x2!2" "x1!2")) (("2" (GROUND) (("2" (INST? -5) (("2" (GROUND) NIL))))))))))))))) ("3" (SKOLEM!) (("3" (FLATTEN) (("3" (SKOLEM!) (("3" (SKOLEM!) 
(("3" (FLATTEN) (("3" (INSTANTIATE 1 ("x1!2" "x2!3")) (("3" (GROUND) (("3" (INSTANTIATE -9 ("x1!2" _ "x2!3")) (("3" (GROUND) (("3" (INSTANTIATE -9 "x2!2") (("3" (DELETE 1) (("3" (GROUND) (("3" (LEMMA "help3[X,Y]") (("3" (INSTANTIATE -1 ("t!1" "x2!2" "x1!3" "x2!1")) (("3" (GROUND) NIL))))))))))))))))))))))))))))))))))))))) (|brmap_intersection| "" (SKOLEM!) (("" (EXPAND "intersection") (("" (EXPAND "brmap") (("" (EXPAND "member") (("" (REWRITE "extensionality") (("" (HIDE 2) (("" (SKOLEM!) (("" (IFF) (("" (SPLIT) (("1" (FLATTEN) (("1" (SKOSIMP*) (("1" (SPLIT) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST?) (("2" (GROUND) NIL))))))))) ("2" (FLATTEN) (("2" (SKOSIMP*) (("2" (INST?) (("2" (GROUND) (("2" (LEMMA "help3[X,Y]") (("2" (INST?) (("2" (INST -1 "x1!2") (("2" (LEMMA "help3[X,Y]") (("2" (INST -1 "t!1" "x2!2" "x2!1" "PROJ_2(x!1)") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))) (|brmap_union| "" (SKOLEM!) (("" (EXPAND "union") (("" (EXPAND "brmap") (("" (EXPAND "member") (("" (REWRITE "extensionality") (("" (HIDE 2) (("" (SKOLEM!) (("" (IFF) (("" (SPLIT) (("1" (FLATTEN) (("1" (SKOLEM!) (("1" (FLATTEN) (("1" (SPLIT) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (INST? 2) (("2" (GROUND) NIL))))))))))) ("2" (FLATTEN) (("2" (SPLIT) (("1" (SKOSIMP*) (("1" (INST?) (("1" (GROUND) NIL))))) ("2" (SKOSIMP*) (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))) (|vmap_brmap| "" (EXPAND "vmap") (("" (EXPAND "brmap") (("" (PROPAX) NIL))))) (|vmap_intersection_TCC1| "" (LEMMA "view_and_prop[X]") (("" (PROPAX) NIL))) (|vmap_intersection| "" (SKOLEM!) 
(("" (REWRITE "vmap_brmap") (("1" (REWRITE "vmap_brmap") (("1" (REWRITE "vmap_brmap") (("1" (REWRITE "brmap_intersection") NIL))))) ("2" (HIDE 2) (("2" (REWRITE "view_and_prop") NIL))))))))
$$$cmp_translators.pvs
% cmp_translators : translates a whole component from state/agent spaces
% (X1, Y1) to (X, Y).  States go through xt (a translator_t), agents
% through yt (only a weak_translator_t), transition sets through tr_ac,
% fairness sets through tr_tcs and the view through vmap.  The tr_cmp_*
% theorems re-establish every well-formedness restriction that comp_t
% imposes (defined in theory component, not shown here); tr_cmp_type
% collects them so that tran_cmp can be typed as a (comp_t[X, Y]).
cmp_translators[X1: NONEMPTY_TYPE, Y1: NONEMPTY_TYPE, X: NONEMPTY_TYPE, Y: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING translator_views[X1, X]
  IMPORTING tcs_translators[X1, Y1, X, Y]
  IMPORTING component[X1, Y1]
  IMPORTING component[X, Y]

  cmp1: VAR (comp_t[X1, Y1])
  xt: VAR (translator_t[X1, X])
  yt: VAR (weak_translator_t[Y1, Y])
  x1, x2: VAR X
  y: VAR Y

  % Environment stutters: steps (x1, x2, y) whose agent y lies outside
  % the translated cags of cmp1 and whose state change is invisible
  % under the translated view.  They are added to the translated rely
  % and hidd sets below but NOT to guar: translation admits extra
  % environment behaviour without adding obligations on the component.
  env_stutter(cmp1,xt,yt): setof[[X,X,Y]] =
    (LAMBDA x1,x2,y:
      not member(y,tmap(yt,cags(cmp1))) and vmap(xt,view(cmp1))(x1,x2))

  % The translated component as a base_comp_t (no subtype constraint
  % yet).  tmap comes from theory translators (not shown); presumably
  % the element-wise image of a set under a translator.
  tr_cmp(cmp1, xt, yt): base_comp_t[X, Y] =
    (# init := tmap(xt, init(cmp1)),
       cags := tmap(yt, cags(cmp1)),
       view := vmap(xt, view(cmp1)),
       hidd := union(tr_ac(hidd(cmp1),xt, yt),env_stutter(cmp1,xt,yt)),
       rely := union(tr_ac(rely(cmp1), xt, yt),env_stutter(cmp1,xt,yt)),
       guar := tr_ac(guar(cmp1), xt, yt),
       sfar := tr_tcs(sfar(cmp1), xt, yt),
       wfar := tr_tcs(wfar(cmp1), xt, yt) #)

  tranc : VAR setof[[X1,X1,Y1]]
  ag_set : VAR setof[Y1]
  v : VAR (VIEWS[X1])

  % The generic view and stuttering restrictions (from theory component)
  % survive translation; most tr_cmp_view_* and both tr_cmp_*_stuttering
  % theorems below are proved as instances of these two.
  tr_gen_view_restriction: THEOREM
    gen_view_restriction(tranc,v) implies
      gen_view_restriction(tr_ac(tranc,xt,yt),vmap(xt,v))

  tr_gen_stuttering_restriction: THEOREM
    gen_stuttering_restriction(ag_set,tranc,v) implies
      gen_stuttering_restriction(tmap(yt,ag_set),tr_ac(tranc,xt,yt),vmap(xt,v))

  % Each comp_t restriction holds of the translated record.  The rely
  % and hidd cases must treat the env_stutter disjunct separately (their
  % proofs case-split on the union).
  tr_cmp_init: THEOREM init_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_guar: THEOREM guar_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_rely_hidd: THEOREM rely_hidd_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_hidd: THEOREM hidd_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_cags: THEOREM cags_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_view_rely: THEOREM view_rely_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_view_hidd: THEOREM view_hidd_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_view_guar: THEOREM view_guar_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_view_init: THEOREM view_init_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_view_wfar: THEOREM view_wfar_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_view_sfar: THEOREM view_sfar_restriction(tr_cmp(cmp1, xt, yt))
  tr_cmp_guar_stuttering: THEOREM guar_stuttering_restriction(tr_cmp(cmp1, xt,yt))
  tr_cmp_rely_stuttering: THEOREM rely_stuttering_restriction(tr_cmp(cmp1, xt,yt))

  % Conjunction of all restrictions above, i.e. the comp_t predicate.
  tr_cmp_type: THEOREM comp_t(tr_cmp(cmp1, xt, yt))

  % tr_cmp at the subtype; its TCC is discharged by tr_cmp_type.
  tran_cmp(cmp1, xt, yt): (comp_t[X, Y]) = tr_cmp(cmp1, xt, yt)
END cmp_translators
$$$cmp_translators.prf
(|cmp_translators| (|tr_gen_view_restriction| "" (SKOSIMP*) (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "tr_ac") (("" (EXPAND "vmap") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (INSTANTIATE -1 ("b!1" "x1!1" "x1!2" "x2!1" "x2!2")) (("" (LEMMA "help3[X1,X]") (("" (INSTANTIATE -1 ("xt!1" "x1!1" "a1!1" "st1!1") T) (("" (INSTANTIATE -1 ("xt!1" "x1!2" "a2!1" "st2!1")) (("" (GROUND) (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))))) (|tr_gen_stuttering_restriction| "" (SKOSIMP*) (("" (EXPAND "gen_stuttering_restriction") (("" (EXPAND "member" +) (("" (SKOSIMP*) (("" (EXPAND "tmap") (("" (EXPAND "vmap") (("" (EXPAND "tr_ac") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (INST?) (("" (INST?) (("" (GROUND) (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))) (|tr_cmp_init| "" (SKOLEM!) (("" (EXPAND "init_restriction") (("" (REWRITE "help1[X1,X]") (("" (LEMMA "component_init[X1,Y1]") (("" (INST?) (("" (EXPAND "init_restriction") (("" (REWRITE "help1[X1,X1]") (("" (SKOLEM!) (("" (LEMMA "help4[X1,X]") (("" (INSTANTIATE -1 ("xt!1" "y!1")) (("" (SKOLEM!) (("" (INST?) (("" (EXPAND "tr_cmp") (("" (EXPAND "tmap") (("" (EXPAND "member") (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))))))))) (|tr_cmp_guar| "" (SKOLEM!) (("" (EXPAND "guar_restriction") (("" (SKOLEM!) (("" (EXPAND "tr_cmp") (("" (EXPAND "tr_ac") (("" (EXPAND "member") (("" (FLATTEN) (("" (SKOLEM!) (("" (FLATTEN) (("" (LEMMA "component_guar[X1,Y1]") (("" (INST?) 
(("" (EXPAND "guar_restriction") (("" (EXPAND "member") (("" (INST?) (("" (GROUND) (("" (EXPAND "tmap") (("" (INST?) (("" (EXPAND "member") (("" (PROPAX) NIL))))))))))))))))))))))))))))))))))))) (|tr_cmp_rely_hidd| "" (SKOLEM!) (("" (EXPAND "rely_hidd_restriction") (("" (EXPAND "subset?") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (EXPAND "tr_cmp") (("" (EXPAND "tr_ac") (("" (GROUND) (("" (LEMMA "component_rely_hidd[X1,Y1]") (("" (INST?) (("" (EXPAND "rely_hidd_restriction") (("" (EXPAND "subset?") (("" (GROUND) (("" (EXPAND "union") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (GROUND) (("" (SKOSIMP*) (("" (INST?) (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|tr_cmp_hidd| "" (SKOLEM!) (("" (EXPAND "hidd_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "tr_cmp") (("" (EXPAND "tr_ac") (("" (EXPAND "tmap") (("" (SKOSIMP*) (("" (LEMMA "component_hidd[X1,Y1]") (("" (INST?) (("" (EXPAND "hidd_restriction") (("" (INST?) (("" (GROUND) (("" (LEMMA "help3[Y1,Y]") (("" (EXPAND "member") (("" (EXPAND "union") (("" (EXPAND "member") (("" (SPLIT) (("1" (SKOSIMP*) (("1" (INSTANTIATE -5 ("yt!1" "x!1" "b!1" "ag!1")) (("1" (GROUND) (("1" (INSTANTIATE -6 ("a1!1" "a2!1")) (("1" (GROUND) NIL))))))))) ("2" (EXPAND "env_stutter") (("2" (EXPAND "member") (("2" (EXPAND "tmap") (("2" (FLATTEN) (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))) (|tr_cmp_cags| "" (SKOLEM!) (("" (EXPAND "cags_restriction") (("" (REWRITE "help1[Y1,Y]") (("" (EXPAND "tr_cmp") (("" (LEMMA "component_cags[X1,Y1]") (("" (INST?) (("" (EXPAND "cags_restriction") (("" (REWRITE "help1[Y1,Y1]") (("" (SKOLEM!) (("" (LEMMA "help4[Y1,Y]") (("" (INSTANTIATE -1 ("yt!1" "y!1")) (("" (SKOLEM!) (("" (INST?) (("" (EXPAND "tmap") (("" (EXPAND "member") (("" (INST?) 
(("" (GROUND) NIL))))))))))))))))))))))))))))))))) (|tr_cmp_view_rely| "" (SKOSIMP*) (("" (USE "component_view_rely[X1,Y1]") (("" (LEMMA "tr_gen_view_restriction") (("" (INSTANTIATE -1 ("rely(cmp1!1)" "view(cmp1!1)" "xt!1" "yt!1")) (("" (EXPAND "view_rely_restriction") (("" (GROUND) (("" (EXPAND "tr_cmp") (("" (DELETE -2) (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "union") (("" (EXPAND "member") (("" (SPLIT) (("1" (INSTANTIATE -2 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("1" (GROUND) NIL))) ("2" (FLATTEN) (("2" (DELETE -2 1) (("2" (EXPAND "env_stutter") (("2" (GROUND) (("2" (LEMMA "square_view[X]") (("2" (INSTANTIATE -1 ("vmap(xt!1,view(cmp1!1))" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|tr_cmp_view_hidd| "" (SKOSIMP*) (("" (USE "component_view_hidd[X1,Y1]") (("" (LEMMA "tr_gen_view_restriction") (("" (INSTANTIATE -1 ("hidd(cmp1!1)" "view(cmp1!1)" "xt!1" "yt!1")) (("" (EXPAND "view_hidd_restriction") (("" (GROUND) (("" (EXPAND "tr_cmp") (("" (DELETE -2) (("" (EXPAND "gen_view_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "union") (("" (EXPAND "member") (("" (SPLIT) (("1" (INSTANTIATE -2 ("ag!1" "st1!1" "st2!1" "st3!1" "st4!1")) (("1" (GROUND) NIL))) ("2" (FLATTEN) (("2" (DELETE -2 1) (("2" (EXPAND "env_stutter") (("2" (GROUND) (("2" (LEMMA "square_view[X]") (("2" (INSTANTIATE -1 ("vmap(xt!1,view(cmp1!1))" "st1!1" "st2!1" "st3!1" "st4!1")) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))) (|tr_cmp_view_guar| "" (SKOLEM!) (("" (LEMMA "component_view_guar[X1,Y1]") (("" (INST?) (("" (EXPAND "view_guar_restriction") (("" (EXPAND "tr_cmp") (("" (REWRITE "tr_gen_view_restriction") NIL))))))))))) (|tr_cmp_view_init| "" (SKOSIMP*) (("" (LEMMA "component_view_init[X1,Y1]") (("" (INST?) 
(("" (EXPAND "view_init_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "tr_cmp") (("" (EXPAND "vmap") (("" (EXPAND "tmap") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (LEMMA "help3[X1,X]") (("" (INSTANTIATE -1 ("xt!1" "x1!1" "x!1" "st1!1")) (("" (INST?) (("" (GROUND) (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))))))))) (|tr_cmp_view_wfar| "" (SKOLEM!) (("" (USE "component_view_wfar[X1,Y1]") (("" (EXPAND "view_wfar_restriction") (("" (SKOSIMP*) (("" (EXPAND "member" -2) (("" (EXPAND "tr_cmp") (("" (EXPAND "tr_tcs") (("" (SKOSIMP*) (("" (INST?) (("" (REPLACE -3 1 RL :HIDE? -3) (("" (GROUND) (("" (REWRITE "tr_gen_view_restriction") NIL))))))))))))))))))))))) (|tr_cmp_view_sfar| "" (SKOLEM!) (("" (USE "component_view_sfar[X1,Y1]") (("" (EXPAND "view_sfar_restriction") (("" (SKOSIMP*) (("" (EXPAND "member" -2) (("" (EXPAND "tr_cmp") (("" (EXPAND "tr_tcs") (("" (SKOSIMP*) (("" (INST?) (("" (REPLACE -3 1 RL :HIDE? -3) (("" (GROUND) (("" (REWRITE "tr_gen_view_restriction") NIL))))))))))))))))))))))) (|tr_cmp_guar_stuttering| "" (SKOLEM!) (("" (USE "component_guar_stuttering[X1,Y1]") (("" (EXPAND "guar_stuttering_restriction") (("" (EXPAND "tr_cmp") (("" (REWRITE "tr_gen_stuttering_restriction") NIL))))))))) (|tr_cmp_rely_stuttering| "" (SKOLEM!) (("" (USE "component_rely_stuttering[X1,Y1]") (("" (EXPAND "rely_stuttering_restriction") (("" (LEMMA "tr_gen_stuttering_restriction") (("" (INSTANTIATE -1 ("complement(cags(cmp1!1))" "rely(cmp1!1)" "view(cmp1!1)" "xt!1" "yt!1")) (("" (EXPAND "tr_cmp") (("" (GROUND) (("" (DELETE -2) (("" (EXPAND "gen_stuttering_restriction") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (EXPAND "union") (("" (EXPAND "member") (("" (FLATTEN) (("" (INST?) (("" (GROUND) (("" (EXPAND "env_stutter") (("" (EXPAND "member") (("" (EXPAND "complement" -) (("" (EXPAND "member") (("" (PROPAX) NIL))))))))))))))))))))))))))))))))))))))))) (|tr_cmp_type| "" (SKOLEM!) 
(("" (EXPAND "comp_t") (("" (REWRITE "tr_cmp_init") (("" (REWRITE "tr_cmp_guar") (("" (REWRITE "tr_cmp_rely_hidd") (("" (REWRITE "tr_cmp_hidd") (("" (REWRITE "tr_cmp_cags") (("" (REWRITE "tr_cmp_view_rely") (("" (REWRITE "tr_cmp_view_hidd") (("" (REWRITE "tr_cmp_view_guar") (("" (REWRITE "tr_cmp_view_init") (("" (REWRITE "tr_cmp_view_wfar") (("" (REWRITE "tr_cmp_view_sfar") (("" (REWRITE "tr_cmp_guar_stuttering") (("" (REWRITE "tr_cmp_rely_stuttering") (("" (GROUND) NIL))))))))))))))))))))))))))))))) (|tran_cmp_TCC1| "" (SKOLEM!) (("" (REWRITE "tr_cmp_type") NIL))))
$$$cmp_contains.pvs
% cmp_contains : a containment (refinement) order on components.
% cmp_contains(cmp1, cmp2) says cmp1 is at least as constrained as cmp2:
% fewer initial states, a larger agent set, every guaranteed step of
% cmp1 allowed as a step of cmp2, at least the fairness obligations of
% cmp2, and smaller rely, hidd and view sets.  cprops.satisfies_contains_prop
% shows this is the order that matters for assurance: any property
% satisfied by cmp2 is satisfied by cmp1, so a (security) property proved
% of a looser component carries down to every component it contains.
cmp_contains[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING component[ST, AG]

  cmp1, cmp2, cmp3: VAR (comp_t)

  % NOTE: guar(cmp1) is compared against steps(cmp2), not guar(cmp2).
  % The proofs in this theory establish steps(c) = union(guar(c), rely(c))
  % by unfolding (definition in theory component, not shown), so a
  % guaranteed step of cmp1 may be matched by an environment (rely) step
  % of cmp2.  That is why cmp_contains_as_guar is needed before
  % antisymmetry can be proved.
  cmp_contains(cmp1, cmp2): bool =
    subset?(init(cmp1), init(cmp2)) AND
    subset?(cags(cmp2), cags(cmp1)) AND
    subset?(guar(cmp1), steps(cmp2)) AND
    subset?(wfar(cmp2), wfar(cmp1)) AND
    subset?(sfar(cmp2), sfar(cmp1)) AND
    subset?(rely(cmp1), rely(cmp2)) AND
    subset?(hidd(cmp1), hidd(cmp2)) AND
    subset?(view(cmp1), view(cmp2))

  cmp_contains_reflexive: THEOREM cmp_contains(cmp1, cmp1)

  % Under mutual containment the guarantees are comparable after all.
  % The proof case-splits on guar and rely being disjoint, which it
  % obtains from component_guar / component_rely (theory component).
  cmp_contains_as_guar: THEOREM
    cmp_contains(cmp1, cmp2) AND cmp_contains(cmp2, cmp1) IMPLIES
      subset?(guar(cmp1), guar(cmp2))

  cmp_contains_antisymmetric: THEOREM
    cmp_contains(cmp1, cmp2) AND cmp_contains(cmp2, cmp1) IMPLIES cmp1 = cmp2

  % Helper for transitivity: the guar-vs-steps clause composes along a
  % chain because rely is monotone along it.
  cmp_contains_tr_guar: THEOREM
    cmp_contains(cmp1, cmp2) AND cmp_contains(cmp2, cmp3) IMPLIES
      subset?(guar(cmp1), steps(cmp3))

  cmp_contains_transitive: THEOREM
    cmp_contains(cmp1, cmp2) AND cmp_contains(cmp2, cmp3) IMPLIES
      cmp_contains(cmp1, cmp3)

  cmp_contains_po: THEOREM partial_order?(cmp_contains)
END cmp_contains
$$$cmp_contains.prf
(|cmp_contains| (|cmp_contains_reflexive| "" (SKOLEM!) 
(("" (EXPAND "cmp_contains") (("" (REWRITE "subset_reflexive") (("" (REWRITE "subset_reflexive") (("" (REWRITE "subset_reflexive") (("" (REWRITE "subset_reflexive") (("" (REWRITE "subset_reflexive[[ST,ST]]") (("" (REWRITE "subset_reflexive[TRANSITION_CLASS]") (("" (REWRITE "subset_reflexive[TRANSITION_CLASS]") (("" (EXPAND "subset?") (("" (EXPAND "steps") (("" (EXPAND "member") (("" (SKOSIMP*) (("" (GROUND) NIL))))))))))))))))))))))))))) (|cmp_contains_as_guar| "" (SKOSIMP*) (("" (CASE "not subset?(guar(cmp1!1),steps(cmp2!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (CASE "steps(cmp2!1) /= union(guar(cmp2!1),rely(cmp2!1))") (("1" (FLATTEN) (("1" (EXTENSIONALITY "setof[[ST,ST,AG]]") (("1" (INST?) (("1" (GROUND) (("1" (SKOSIMP*) (("1" (EXPAND "steps") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (CASE "rely(cmp2!1) /= rely(cmp1!1)") (("1" (FLATTEN) (("1" (EXPAND "cmp_contains") (("1" (REWRITE "subset_antisymmetric") NIL))))) ("2" (FLATTEN) (("2" (REPLACE -1 :HIDE? -1) (("2" (CASE "forall (x:[ST,ST,AG]): member(x,guar(cmp1!1)) implies not member(x,rely(cmp1!1))") (("1" (EXPAND "subset?") (("1" (SKOSIMP*) (("1" (INST?) (("1" (INST?) (("1" (GROUND) (("1" (EXPAND "member" -1) (("1" (EXPAND "union") (("1" (PROPAX) NIL))))))))))))))) ("2" (DELETE -1 -2 -3 2) (("2" (SKOSIMP*) (("2" (LEMMA "component_guar") (("2" (INST?) (("2" (EXPAND "guar_restriction") (("2" (INSTANTIATE -1 ("PROJ_1(x!1)" "PROJ_2(x!1)" "PROJ_3(x!1)")) (("2" (GROUND) (("1" (LEMMA "component_rely") (("1" (INST?) 
(("1" (EXPAND "rely_restriction") (("1" (INSTANTIATE -1 ("PROJ_1(x!1)" "PROJ_2(x!1)" "PROJ_3(x!1)")) (("1" (GROUND) (("1" (EXPAND "member") (("1" (GROUND) NIL))))))))))))) ("2" (EXPAND "member") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))) (|cmp_contains_antisymmetric| "" (SKOSIMP*) (("" (LEMMA "cmp_contains_as_guar") (("" (INSTANTIATE -1 ("cmp1!1" "cmp2!1") T) (("" (INSTANTIATE -1 ("cmp2!1" "cmp1!1")) (("" (GROUND) (("" (EXTENSIONALITY "base_comp_t") (("" (INST?) (("" (EXPAND "cmp_contains") (("" (GROUND) (("1" (REWRITE "subset_antisymmetric") NIL) ("2" (REWRITE "subset_antisymmetric") NIL) ("3" (REWRITE "subset_antisymmetric") NIL) ("4" (REWRITE "subset_antisymmetric") NIL) ("5" (REWRITE "subset_antisymmetric") NIL) ("6" (REWRITE "subset_antisymmetric") NIL) ("7" (REWRITE "subset_antisymmetric") NIL) ("8" (REWRITE "subset_antisymmetric") NIL))))))))))))))))))) (|cmp_contains_tr_guar| "" (SKOSIMP*) (("" (CASE "not subset?(guar(cmp1!1),steps(cmp2!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (CASE "not (forall (c: base_comp_t): steps(c) = union(guar(c),rely(c)))") (("1" (SKOSIMP*) (("1" (EXTENSIONALITY "setof[[ST,ST,AG]]") (("1" (INST?) (("1" (GROUND) (("1" (SKOSIMP*) (("1" (EXPAND "steps") (("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (PROPAX) NIL))))))))))))))))) ("2" (INSTANTIATE -1 "cmp2!1" T) (("2" (REPLACE -2 :HIDE? -2) (("2" (INSTANTIATE -1 "cmp3!1") (("2" (CASE "not subset?(guar(cmp2!1),steps(cmp3!1)) or not subset?(rely(cmp2!1),rely(cmp3!1))") (("1" (EXPAND "cmp_contains") (("1" (GROUND) NIL))) ("2" (REPLACE -1 :HIDE? -1) (("2" (FLATTEN) (("2" (CASE "not subset?(union(guar(cmp2!1),rely(cmp2!1)),union(guar(cmp3!1),rely(cmp3!1)))") (("1" (DELETE -3 -4 -5 2) (("1" (EXPAND "subset?") (("1" (SKOSIMP*) (("1" (INST?) (("1" (INST?) 
(("1" (EXPAND "union") (("1" (EXPAND "member") (("1" (GROUND) NIL))))))))))))))) ("2" (DELETE -2 -3 -5 -6) (("2" (LEMMA "subset_transitive[[ST,ST,AG]]") (("2" (INSTANTIATE -1 ("guar(cmp1!1)" "union(guar(cmp2!1),rely(cmp2!1))" "union(guar(cmp3!1),rely(cmp3!1))")) (("2" (GROUND) NIL))))))))))))))))))))))))))) (|cmp_contains_transitive| "" (SKOSIMP*) (("" (LEMMA "cmp_contains_tr_guar") (("" (INSTANTIATE -1 ("cmp1!1" "cmp2!1" "cmp3!1")) (("" (GROUND) (("" (EXPAND "cmp_contains") (("" (GROUND) (("1" (LEMMA "subset_transitive[ST]") (("1" (INSTANTIATE -1 ("init(cmp1!1)" "init(cmp2!1)" "init(cmp3!1)")) (("1" (GROUND) NIL))))) ("2" (LEMMA "subset_transitive[AG]") (("2" (INSTANTIATE -1 ("cags(cmp3!1)" "cags(cmp2!1)" "cags(cmp1!1)")) (("2" (GROUND) NIL))))) ("3" (LEMMA "subset_transitive[TRANSITION_CLASS]") (("3" (INSTANTIATE -1 ("wfar(cmp3!1)" "wfar(cmp2!1)" "wfar(cmp1!1)")) (("3" (GROUND) NIL))))) ("4" (LEMMA "subset_transitive[TRANSITION_CLASS]") (("4" (INSTANTIATE -1 ("sfar(cmp3!1)" "sfar(cmp2!1)" "sfar(cmp1!1)")) (("4" (GROUND) NIL))))) ("5" (LEMMA "subset_transitive[[ST,ST,AG]]") (("5" (INSTANTIATE -1 ("rely(cmp1!1)" "rely(cmp2!1)" "rely(cmp3!1)")) (("5" (GROUND) NIL))))) ("6" (LEMMA "subset_transitive[[ST,ST,AG]]") (("6" (INSTANTIATE -1 ("hidd(cmp1!1)" "hidd(cmp2!1)" "hidd(cmp3!1)")) (("6" (GROUND) NIL))))) ("7" (LEMMA "subset_transitive[[ST,ST]]") (("7" (INSTANTIATE -1 ("view(cmp1!1)" "view(cmp2!1)" "view(cmp3!1)")) (("7" (GROUND) NIL))))))))))))))))) (|cmp_contains_po| "" (EXPAND "partial_order?") (("" (GROUND) (("1" (EXPAND "preorder?") (("1" (GROUND) (("1" (EXPAND "reflexive?") (("1" (SKOLEM!) 
(("1" (REWRITE "cmp_contains_reflexive") NIL))))) ("2" (EXPAND "transitive?") (("2" (SKOSIMP*) (("2" (LEMMA "cmp_contains_transitive") (("2" (INSTANTIATE -1 ("x!1" "y!1" "z!1")) (("2" (GROUND) NIL))))))))))))) ("2" (EXPAND "antisymmetric?") (("2" (SKOSIMP*) (("2" (REWRITE "cmp_contains_antisymmetric") NIL))))))))))
$$$cprops.pvs
% cprops : trace semantics of a component and the notion of a component
% satisfying a property.  A trace (theory props) is an infinite sequence
% of states paired with the agent responsible for each step; a property
% is a set of traces.  prop_for(cmp) is the set of traces cmp admits and
% satisfies(cmp, p) says all of them lie in p.
cprops[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING cmp_contains[ST, AG]
  IMPORTING props[ST, AG]

  cmp, cmp1, cmp2: VAR (comp_t)
  t: VAR trace_t
  n, i, j, k, l: VAR nat
  p: VAR prop_t
  st, st1, st2: VAR ST
  ag: VAR AG
  tranc, tranc1: VAR TRANSITION_CLASS

  % The trace starts in an initial state of cmp.
  initial_okay(cmp, t): bool = member((sts(t)(0)), init(cmp))

  % Every step of the trace is a step of cmp.  steps(cmp) is defined in
  % theory component; the cmp_contains proofs unfold it as
  % union(guar(cmp), rely(cmp)), so environment steps count here too.
  steps_okay(cmp, t): bool =
    (FORALL n: member((sts(t)(n), sts(t)(n + 1), ags(t)(n)), steps(cmp)))

  % A transition class is enabled in st1 if some agent can take it.
  enabled(tranc, st1): bool = (EXISTS st2, ag: member((st1, st2, ag), tranc))

  % Weak fairness: each class in wfar(cmp) is, infinitely often, either
  % disabled or taken.
  is_wfar(cmp, t): bool =
    (FORALL tranc: member(tranc, wfar(cmp)) IMPLIES
      (FORALL i: (EXISTS j: j > i AND
        (NOT enabled(tranc, sts(t)(j)) OR
         member((sts(t)(j), sts(t)(j + 1), ags(t)(j)), tranc)))))

  % Strong fairness: each class in sfar(cmp) is either eventually never
  % enabled again or taken infinitely often.
  is_sfar(cmp, t): bool =
    (FORALL tranc: member(tranc, sfar(cmp)) IMPLIES
      (FORALL i: (EXISTS j: j > i AND
        ((FORALL k: k >= j IMPLIES NOT enabled(tranc, sts(t)(k))) OR
         (EXISTS l: l >= j AND
            member((sts(t)(l), sts(t)(l + 1), ags(t)(l)), tranc))))))

  % The traces of cmp.
  prop_for(cmp): prop_t =
    (LAMBDA t: initial_okay(cmp, t) AND steps_okay(cmp, t) AND
               is_wfar(cmp, t) AND is_sfar(cmp, t))

  satisfies(cmp, p): bool = (FORALL t: prop_for(cmp)(t) IMPLIES p(t))

  % Monotonicity of each conjunct of prop_for: a trace of cmp1 is a
  % trace of cmp2 when cmp2 has more initial states, more steps and
  % fewer fairness sets.  Note that the fairness hypotheses run the
  % other way round (wfar/sfar of cmp2 inside those of cmp1).
  initial_okay_prop: THEOREM
    (FORALL st: member(st, init(cmp1)) IMPLIES member(st, init(cmp2))) AND
    initial_okay(cmp1, t) IMPLIES initial_okay(cmp2, t)

  steps_okay_prop: THEOREM
    (FORALL st1, st2, ag: member((st1, st2, ag), steps(cmp1)) IMPLIES
       member((st1, st2, ag), steps(cmp2))) AND
    steps_okay(cmp1, t) IMPLIES steps_okay(cmp2, t)

  is_wfar_prop: THEOREM
    (FORALL tranc: member(tranc, wfar(cmp2)) IMPLIES member(tranc, wfar(cmp1))) AND
    is_wfar(cmp1, t) IMPLIES is_wfar(cmp2, t)

  is_sfar_prop: THEOREM
    (FORALL tranc: member(tranc, sfar(cmp2)) IMPLIES member(tranc, sfar(cmp1))) AND
    is_sfar(cmp1, t) IMPLIES is_sfar(cmp2, t)

  % Property satisfaction transfers from the looser component (cmp2) to
  % the tighter one (cmp1), by trace inclusion.
  satisfies_prop: THEOREM
    (FORALL st1, st2, ag: member((st1, st2, ag), steps(cmp1)) IMPLIES
       member((st1, st2, ag), steps(cmp2))) AND
    (FORALL st: member(st, init(cmp1)) IMPLIES member(st, init(cmp2))) AND
    (FORALL tranc: member(tranc, wfar(cmp2)) IMPLIES member(tranc, wfar(cmp1))) AND
    (FORALL tranc: member(tranc, sfar(cmp2)) IMPLIES member(tranc, sfar(cmp1))) AND
    satisfies(cmp2, p) IMPLIES satisfies(cmp1, p)

  % The refinement result: cmp_contains(cmp1, cmp2) supplies the
  % hypotheses of satisfies_prop (the steps hypothesis is discharged
  % from several cmp_contains clauses, not the guar clause alone -- see
  % the proof), so a property verified for cmp2 holds for every cmp1 it
  % contains.
  satisfies_contains_prop: THEOREM
    satisfies(cmp2, p) AND cmp_contains(cmp1, cmp2) IMPLIES satisfies(cmp1, p)
END cprops
$$$cprops.prf
(|cprops| (|initial_okay_prop| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "initial_okay") (("" (INST?) (("" (GROUND) NIL))))))))) (|steps_okay_prop| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "steps_okay") (("" (SKOLEM!) (("" (INST?) (("" (INST?) (("" (GROUND) NIL))))))))))))) (|is_wfar_prop| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "is_wfar") (("" (SKOSIMP*) (("" (INST?) (("" (GROUND) (("" (INST?) (("" (GROUND) (("" (INST?) NIL))))))))))))))))) (|is_sfar_prop| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "is_sfar") (("" (SKOLEM!) (("" (INST?) (("" (GROUND) (("" (INST?) (("" (GROUND) NIL))))))))))))))) (|satisfies_prop| "" (SKOLEM!) (("" (FLATTEN) (("" (EXPAND "satisfies") (("" (SKOLEM!) (("" (INSTANTIATE -5 "t!1") (("" (GROUND) (("" (DELETE 2) (("" (EXPAND "prop_for") (("" (GROUND) (("1" (LEMMA "initial_okay_prop") (("1" (INST?) (("1" (GROUND) (("1" (INST?) (("1" (GROUND) NIL))))))))) ("2" (LEMMA "steps_okay_prop") (("2" (INST?) (("2" (INST?) (("2" (GROUND) NIL))))))) ("3" (LEMMA "is_wfar_prop") (("3" (INST?) (("3" (INST?) (("3" (GROUND) NIL))))))) ("4" (LEMMA "is_sfar_prop") (("4" (INST?) (("4" (INST?) 
(("4" (GROUND) NIL))))))))))))))))))))))))) (|satisfies_contains_prop| "" (SKOSIMP*) (("" (LEMMA "satisfies_prop") (("" (INSTANTIATE -1 ("cmp1!1" "cmp2!1" "p!1")) (("" (EXPAND "cmp_contains") (("" (GROUND) (("1" (EXPAND "subset?") (("1" (SKOSIMP*) (("1" (EXPAND "member") (("1" (EXPAND "steps") (("1" (SPLIT) (("1" (INSTANTIATE -5 "(st1!1,st2!1,ag!1)") (("1" (GROUND) NIL))) ("2" (INSTANTIATE -8 "(st1!1,st2!1,ag!1)") (("2" (GROUND) (("1" (EXPAND "intersection") (("1" (EXPAND "member") (("1" (GROUND) (("1" (INSTANTIATE -10 "(st1!1, st2!1, ag!1)") (("1" (GROUND) NIL))))))))) ("2" (EXPAND "intersection") (("2" (EXPAND "member") (("2" (PROPAX) NIL))))))))) ("3" (INSTANTIATE -10 "(st1!1,st2!1)") (("3" (GROUND) NIL))))))))))))) ("2" (EXPAND "subset?") (("2" (PROPAX) NIL))) ("3" (EXPAND "subset?") (("3" (PROPAX) NIL))) ("4" (EXPAND "subset?") (("4" (PROPAX) NIL))))))))))))))
$$$props.pvs
% props : traces and properties.  A trace is an infinite (nat-indexed)
% sequence of states together with, for each step n, the agent ags(n)
% that performs the step from sts(n) to sts(n + 1) (see cprops.steps_okay).
% A property is simply a set of traces.
props[ST: NONEMPTY_TYPE, AG: NONEMPTY_TYPE]: THEORY
BEGIN
  trace_t: TYPE = [# sts: [nat -> ST], ags: [nat -> AG] #]
  prop_t: TYPE = setof[trace_t]
END props
$$$tprops.pvs
% tprops : translation of traces and properties between state/agent
% spaces, pointwise through a state translator sttran1 and an agent
% translator agtran1.  tcprops (the next theory) uses bmap/pmap to relate
% satisfies(cmp, p1) to the translated component tran_cmp(cmp, ...).
tprops[ST: NONEMPTY_TYPE, ST1: NONEMPTY_TYPE, AG: NONEMPTY_TYPE, AG1: NONEMPTY_TYPE]: THEORY
BEGIN
  IMPORTING props[ST, AG]
  IMPORTING props[ST1, AG1]
  IMPORTING translators[ST1, ST]
  IMPORTING translators[AG1, AG]

  t1: VAR trace_t[ST1, AG1]
  t: VAR trace_t[ST, AG]
  p1: VAR prop_t[ST1, AG1]
  p2: VAR prop_t[ST1,AG1]
  p: VAR prop_t[ST, AG]
  sttran1: VAR (translator_t[ST1, ST])
  agtran1: VAR (weak_translator_t[AG1, AG])
  n: VAR nat

  % t is a translation of t1 iff at every position n the states are
  % related by sttran1 and the agents by agtran1.
  bmap1_base(sttran1, agtran1): [trace_t[ST1, AG1] -> [trace_t[ST, AG] -> bool]] =
    (LAMBDA t1: (LAMBDA t:
      (FORALL n: sttran1(sts(t1)(n))(sts(t)(n)) AND agtran1(ags(t1)(n))(ags(t)(n)))))

  % The pointwise map is itself a weak translator on traces (its TCC is
  % proved with trone/help1/help3 from translators, not shown here) ...
  bmap1(sttran1, agtran1): (weak_translator_t[(trace_t[ST1, AG1]), (trace_t[ST, AG])]) =
    bmap1_base(sttran1, agtran1)

  % ... and a full translator_t whenever the agent translator is one.
  % tcprops declares agtran1 as a translator_t, so it gets the strong
  % form.
  bmap1_strong: THEOREM
    translator_t(agtran1) =>
      translator_t[(trace_t[ST1, AG1]), (trace_t[ST, AG])](bmap1(sttran1,agtran1))

  % All translations of a single trace.
  bmap(t1, sttran1, agtran1): setof[trace_t[ST, AG]] = bmap1(sttran1, agtran1)(t1)

  % Image of a property: t is in pmap(p1) iff t is a translation of some
  % t1 in p1.
  pmap1(sttran1, agtran1): [prop_t[ST1, AG1] -> prop_t[ST, AG]] =
    (LAMBDA p1: (LAMBDA t: (EXISTS t1: bmap(t1, sttran1, agtran1)(t) AND p1(t1))))

  pmap(p1, sttran1, agtran1): prop_t[ST, AG] = pmap1(sttran1, agtran1)(p1)
END tprops
$$$tprops.prf
(|tprops| (|bmap1_TCC1| "" (SKOLEM!) (("" (EXPAND "weak_translator_t") (("" (SPLIT) (("1" (SKOLEM!) (("1" (REWRITE "help1[trace_t[ST,AG],trace_t[ST,AG]]") (("1" (EXPAND "bmap1_base") (("1" (INST? 1 :SUBST ("y" "(#sts := (LAMBDA (i : nat): trone(sttran1!1,sts(x!1)(i))), ags := (LAMBDA (i : nat): trone(agtran1!1,ags(x!1)(i)))#)")) (("1" (SKOLEM!) (("1" (LEMMA "trone_def[ST1,ST]") (("1" (SPLIT) (("1" (INST?) (("1" (GROUND) NIL))) ("2" (DELETE -1) (("2" (LEMMA "trone_def[AG1,AG]") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))) ("2" (SKOLEM!) (("2" (FLATTEN) (("2" (LEMMA "help1[trace_t[ST,AG],trace_t[ST,AG]]") (("2" (INST? -1 :SUBST ("s1" "intersection(bmap1_base(sttran1!1, agtran1!1)(x1!1), bmap1_base(sttran1!1, agtran1!1)(x2!1))")) (("2" (GROUND) (("2" (DELETE 1 3) (("2" (SKOLEM!) (("2" (EXPAND "intersection") (("2" (EXPAND "member") (("2" (EXPAND "bmap1_base") (("2" (FLATTEN) (("2" (EXTENSIONALITY "trace_t[ST1,AG1]") (("2" (INST? -1) (("2" (GROUND) (("1" (DELETE 2) (("1" (EXTENSIONALITY "[nat->AG1]") (("1" (INST? -1) (("1" (GROUND) (("1" (DELETE 2) (("1" (SKOLEM!) (("1" (INST?) (("1" (INST?) (("1" (FLATTEN) (("1" (DELETE -1 -3) (("1" (LEMMA "help3[AG1,AG]") (("1" (INST?) (("1" (INST? -1 :SUBST ("x2" "ags(x2!1)(x!1)")) (("1" (GROUND) NIL))))))))))))))))))))))))))) ("2" (DELETE 2) (("2" (EXTENSIONALITY "[nat->ST1]") (("2" (INST? -1) (("2" (GROUND) (("2" (DELETE 2) (("2" (SKOLEM!) (("2" (INST?) (("2" (INST?) (("2" (FLATTEN) (("2" (DELETE -2 -4) (("2" (LEMMA "help3[ST1,ST]") (("2" (INST?) (("2" (INST? 
-1 ("x2" "sts(x2!1)(x!1)")) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|bmap1_strong| "" (SKOSIMP) (("" (EXPAND "translator_t") (("" (SKOSIMP) (("" (EXPAND "member") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (INST + "(# sts := (LAMBDA (n: nat) : (epsilon! (st: ST1): sttran1!1(st)(sts(y!1)(n)))), ags := (LAMBDA (n: nat) : (epsilon! (ag: AG1): agtran1!1(ag)(ags(y!1)(n)))) #)") (("" (SKOSIMP) (("" (SIMPLIFY) (("" (GROUND) (("1" (USE "epsilon_ax[ST1]") (("1" (GROUND) (("1" (USE "help5[ST1,ST]") NIL))))) ("2" (USE "epsilon_ax[AG1]") (("2" (GROUND) (("2" (INST? -) NIL)))))))))))))))))))))))))) $$$tcprops.pvs tcprops[ST: NONEMPTY_TYPE, ST1: NONEMPTY_TYPE, AG: NONEMPTY_TYPE, AG1: NONEMPTY_TYPE]: THEORY BEGIN IMPORTING tprops IMPORTING cprops IMPORTING cmp_translators IMPORTING compose_idempotent tcmp: VAR (comp_t[ST,AG]) cmp: VAR (comp_t[ST1,AG1]) p1: VAR prop_t[ST1, AG1] p: VAR prop_t[ST, AG] t: VAR trace_t[ST, AG] t1: VAR trace_t[ST1, AG1] st1,st2: VAR ST1 st3,st4: VAR ST ag1: VAR AG1 ag2: VAR AG ags: VAR setof[AG1] sttran1: VAR (translator_t[ST1, ST]) agtran1: VAR (translator_t[AG1, AG]) preimage_initial_okay : THEOREM (bmap(t1, sttran1, agtran1)(t) AND initial_okay(tran_cmp(cmp, sttran1, agtran1), t)) IMPLIES initial_okay(cmp, t1) preimage_steps_okay : THEOREM (bmap(t1, sttran1, agtran1)(t) AND steps_okay(tran_cmp(cmp, sttran1, agtran1), t)) IMPLIES steps_okay(cmp, t1) preimage_is_wfar : THEOREM (bmap(t1, sttran1, agtran1)(t) AND is_wfar(tran_cmp(cmp, sttran1, agtran1), t)) IMPLIES is_wfar(cmp, t1) preimage_is_sfar : THEOREM (bmap(t1, sttran1, agtran1)(t) AND is_sfar(tran_cmp(cmp, sttran1, agtran1), t)) IMPLIES is_sfar(cmp, t1) prop_for_preimage: LEMMA prop_for(tran_cmp(cmp, sttran1, agtran1))(t) => (EXISTS (t1: trace_t[ST1, AG1]): bmap(t1, sttran1, agtran1)(t) AND prop_for(cmp)(t1)) tcprop1: LEMMA satisfies(cmp, p1) AND pmap(p1, sttran1, agtran1) = p AND tcmp = tran_cmp(cmp, sttran1, agtran1) => 
satisfies(compose(singleton(tcmp)), p) tolerates_cags_trans_prop: LEMMA ((FORALL st1, st2, ag1: hidd(cmp)(st1, st2, ag1) => ags(ag1) OR view(cmp)(st1, st2))) IMPLIES (hidd(tran_cmp(cmp,sttran1,agtran1))(st3, st4, ag2) => tmap(agtran1,ags)(ag2) OR view(tran_cmp(cmp,sttran1,agtran1))(st3, st4)) disjoint_cags: LEMMA (cags(tran_cmp(cmp, sttran1, agtran1))(ag2) AND tmap(agtran1, ags)(ag2)) => (EXISTS ag1: (cags(cmp)(ag1) AND ags(ag1))) END tcprops $$$tcprops.prf (|tcprops| (|preimage_initial_okay| "" (SKOSIMP) (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "tran_cmp") (("" (GROUND) (("" (EXPAND "initial_okay") (("" (EXPAND "member") (("" (EXPAND "tr_cmp") (("" (EXPAND "tmap") (("" (SKOSIMP) (("" (EXPAND "member") (("" (INST - "0") (("" (LEMMA "help3[ST1,ST]") (("" (GROUND) (("" (CASE "x!1 = sts(t1!1)(0)") (("1" (GROUND) NIL) ("2" (INST?) (("2" (INST - "x!1") (("2" (GROUND) NIL))))))))))))))))))))))))))))))))))))) (|preimage_steps_okay| "" (SKOSIMP) (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "tran_cmp") (("" (GROUND) (("" (EXPAND "steps_okay") (("" (EXPAND "member") (("" (EXPAND "steps") (("" (EXPAND "tr_cmp") (("" (EXPAND "tr_ac") (("" (EXPAND "union") (("" (EXPAND "env_stutter") (("" (EXPAND "tmap") (("" (EXPAND "vmap") (("" (EXPAND "member") (("" (SKOSIMP) (("" (INST-CP - "n!1") (("" (INST - "1 + n!1") (("" (INST - "n!1") (("" (GROUND) (("1" (SKOSIMP) (("1" (LEMMA "help3[ST1,ST]") (("1" (LEMMA "help3[AG1,AG]") (("1" (CASE "a1!1 = sts(t1!1)(n!1)" "a2!1 = sts(t1!1)(1 + n!1)" "b!1 = ags(t1!1)(n!1)") (("1" (GROUND) NIL) ("2" (INST?) (("2" (INST?) (("2" (GROUND) NIL))))) ("3" (INST -3 "sttran1!1" "a2!1" "sts(t1!1)(1 + n!1)" "sts(t!1)(1 + n!1)") (("3" (GROUND) NIL))) ("4" (HIDE -1) (("4" (INST?) (("4" (INST?) 
(("4" (GROUND) NIL))))))))))))))) ("2" (SKOSIMP) (("2" (LEMMA "help3[AG1,AG]") (("2" (LEMMA "help3[ST1,ST]") (("2" (CASE "a1!1 = sts(t1!1)(n!1)" "a2!1 = sts(t1!1)(1 + n!1)" "b!1 = ags(t1!1)(n!1)") (("1" (GROUND) NIL) ("2" (INST? -4) (("2" (INST? -4) (("2" (GROUND) NIL))))) ("3" (INST? -2 :WHERE +) (("3" (INST? -) (("3" (GROUND) NIL))))) ("4" (INST? -) (("4" (INST? -) (("4" (GROUND) NIL))))))))))))) ("3" (SKOSIMP) (("3" (INST? +) (("3" (GROUND) (("3" (LEMMA "component_rely_stuttering[ST1,AG1]") (("3" (INST - "cmp!1") (("3" (EXPAND "rely_stuttering_restriction") (("3" (EXPAND "gen_stuttering_restriction") (("3" (EXPAND "member") (("3" (INST?) (("3" (EXPAND "complement") (("3" (EXPAND "member") (("3" (LEMMA "help3[ST1,ST]") (("3" (CASE "x1!1=sts(t1!1)(n!1)" "x2!1=sts(t1!1)(1 + n!1)") (("1" (GROUND) NIL) ("2" (INST? :WHERE +) (("2" (INST?) (("2" (GROUND) NIL))))) ("3" (INST?) (("3" (INST?) (("3" (GROUND) NIL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) (|preimage_is_wfar| "" (SKOSIMP) (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "tran_cmp") (("" (GROUND) (("" (EXPAND "is_wfar") (("" (EXPAND "member") (("" (EXPAND "tr_cmp") (("" (SKOSIMP*) (("" (EXPAND "tr_tcs") (("" (EXPAND "tr_ac") (("" (EXPAND "member") (("" (INST -2 "(LAMBDA (x1: ST, x2: ST), (y: AG): (EXISTS (a1: ST1), (a2: ST1), (b: AG1): (tranc!1(a1, a2, b) AND (sttran1!1(a1)(x1) AND (sttran1!1(a2)(x2) AND agtran1!1(b)(y))))))") (("" (GROUND) (("1" (INST? -) (("1" (SKOSIMP*) (("1" (GROUND) (("1" (INST? +) (("1" (GROUND) (("1" (EXPAND "enabled") (("1" (EXPAND "member") (("1" (SKOSIMP*) (("1" (INST 2 "epsilon! (s: ST): sttran1!1(st2!1)(s)" "epsilon! (a: AG): agtran1!1(ag!1)(a)") (("1" (INST? +) (("1" (GROUND) (("1" (INST? -) (("1" (GROUND) NIL))) ("2" (USE "epsilon_ax[ST]") (("2" (GROUND) (("2" (USE "help4[ST1,ST]") NIL))))) ("3" (USE "epsilon_ax[AG]") (("3" (GROUND) (("3" (USE "help4[AG1,AG]") NIL))))))))))))))))))))) ("2" (SKOSIMP) (("2" (INST? 
+) (("2" (GROUND) (("2" (CASE "a1!1=sts(t1!1)(j!1)" "a2!1=sts(t1!1)(1 + j!1)" "b!1=ags(t1!1)(j!1)") (("1" (GROUND) NIL) ("2" (INST - "j!1") (("2" (USE "help3[AG1,AG]") (("2" (GROUND) NIL))))) ("3" (INST - "1+j!1") (("3" (LEMMA "help3[ST1,ST]") (("3" (INST? - :WHERE +) (("3" (INST?) (("3" (GROUND) NIL))))))))) ("4" (INST - "j!1") (("4" (LEMMA "help3[ST1,ST]") (("4" (INST? - :WHERE +) (("4" (INST?) (("4" (GROUND) NIL))))))))))))))))))))))) ("2" (INST? +) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))) (|preimage_is_sfar| "" (SKOSIMP) (("" (EXPAND "bmap") (("" (EXPAND "bmap1") (("" (EXPAND "bmap1_base") (("" (EXPAND "tran_cmp") (("" (GROUND) (("" (EXPAND "is_sfar") (("" (EXPAND "member") (("" (EXPAND "tr_cmp") (("" (SKOSIMP*) (("" (EXPAND "tr_tcs") (("" (EXPAND "tr_ac") (("" (EXPAND "member") (("" (INST -2 "(LAMBDA (x1: ST, x2: ST), (y: AG): (EXISTS (a1: ST1), (a2: ST1), (b: AG1): (tranc!1(a1, a2, b) AND (sttran1!1(a1)(x1) AND (sttran1!1(a2)(x2) AND agtran1!1(b)(y))))))") (("" (GROUND) (("1" (INST? -) (("1" (SKOSIMP*) (("1" (GROUND) (("1" (INST? +) (("1" (GROUND) (("1" (SKOSIMP) (("1" (INST? -) (("1" (GROUND) (("1" (EXPAND "enabled") (("1" (EXPAND "member") (("1" (SKOSIMP) (("1" (INST + "epsilon! (s: ST): sttran1!1(st2!1)(s)" "epsilon! (a: AG): agtran1!1(ag!1)(a)") (("1" (INST? +) (("1" (GROUND) (("1" (INST? -) (("1" (GROUND) NIL))) ("2" (USE "epsilon_ax[ST]") (("2" (GROUND) (("2" (USE "help4[ST1,ST]") NIL))))) ("3" (USE "epsilon_ax[AG]") (("3" (GROUND) (("3" (USE "help4[AG1,AG]") NIL))))))))))))))))))))))))))) ("2" (SKOSIMP*) (("2" (INST? +) (("2" (GROUND) (("2" (SKOSIMP) (("2" (INST + "l!1") (("2" (CASE "a1!1=sts(t1!1)(l!1)" "a2!1=sts(t1!1)(1 + l!1)" "b!1=ags(t1!1)(l!1)") (("1" (GROUND) NIL) ("2" (INST - "l!1") (("2" (USE "help3[AG1,AG]") (("2" (GROUND) NIL))))) ("3" (INST - "1+l!1") (("3" (LEMMA "help3[ST1,ST]") (("3" (INST? - :WHERE +) (("3" (INST?) (("3" (GROUND) NIL))))))))) ("4" (INST - "l!1") (("4" (LEMMA "help3[ST1,ST]") (("4" (INST? 
- :WHERE +) (("4" (INST?) (("4" (GROUND) NIL))))))))))))))))))))))))))) ("2" (INST? +) (("2" (GROUND) NIL))))))))))))))))))))))))))))))))) (|prop_for_preimage| "" (SKOSIMP) (("" (EXPAND "prop_for") (("" (CASE "EXISTS (t1: trace_t[ST1, AG1]): (bmap(t1, sttran1!1, agtran1!1)(t!1))") (("1" (SKOSIMP) (("1" (INST?) (("1" (GROUND) (("1" (USE "preimage_initial_okay") (("1" (GROUND) NIL))) ("2" (USE "preimage_steps_okay") (("2" (GROUND) NIL))) ("3" (USE "preimage_is_wfar") (("3" (GROUND) NIL))) ("4" (USE "preimage_is_sfar") (("4" (GROUND) NIL))))))))) ("2" (HIDE -1 2) (("2" (EXPAND "bmap") (("2" (TYPEPRED "agtran1!1") (("2" (LEMMA "bmap1_strong[ST,ST1,AG,AG1]") (("2" (INST?) (("2" (GROUND) (("2" (HIDE -2 -3) (("2" (EXPAND "translator_t") (("2" (EXPAND "member") (("2" (INST? -) NIL))))))))))))))))))))))))) (|tcprop1_TCC1| "" (SKOSIMP) (("" (REWRITE "ci_composable") NIL))) (|tcprop1| "" (SKOSIMP) (("" (REWRITE "ci_component") (("" (REPLACE -3 :HIDE? T) (("" (EXPAND "satisfies") (("" (SKOSIMP) (("" (EXPAND "pmap") (("" (EXPAND "pmap1") (("" (GROUND) (("" (FORWARD-CHAIN "prop_for_preimage") (("" (REPLACE -3 :DIR RL :HIDE? T) (("" (SKOSIMP) (("" (GROUND) (("" (INST?) (("" (INST?) (("" (GROUND) NIL))))))))))))))))))))))))))))) (|tolerates_cags_trans_prop| "" (SKOSIMP) (("" (EXPAND "tran_cmp") (("" (EXPAND "tr_cmp") (("" (EXPAND "union") (("" (EXPAND "env_stutter") (("" (EXPAND "member") (("" (GROUND) (("" (EXPAND "tr_ac") (("" (SKOSIMP) (("" (EXPAND "member") (("" (INST?) (("" (GROUND) (("1" (EXPAND "tmap") (("1" (EXPAND "member") (("1" (INST?) (("1" (GROUND) NIL))))))) ("2" (EXPAND "vmap") (("2" (EXPAND "member") (("2" (INST?) (("2" (GROUND) NIL))))))))))))))))))))))))))))))) (|disjoint_cags| "" (SKOSIMP) (("" (EXPAND "tran_cmp") (("" (EXPAND "tr_cmp") (("" (EXPAND "tmap") (("" (SKOSIMP*) (("" (EXPAND "member") (("" (INST?) 
(("" (GROUND) (("" (CASE-REPLACE "x!1 = x!2") (("" (USE "help3[AG1, AG]") (("" (GROUND) NIL)))))))))))))))))))))) $$$translators.pvs translators[X: NONEMPTY_TYPE, Y: NONEMPTY_TYPE]: THEORY BEGIN base_translator_t: TYPE = [X -> setof[Y]] inv_translator_t: TYPE = [Y -> X] bt: VAR base_translator_t it: VAR inv_translator_t x, x1, x2: VAR X y, y1, y2: VAR Y weak_translator_t(bt): bool = (FORALL x: bt(x) /= emptyset) AND (FORALL x1, x2: x1 /= x2 IMPLIES intersection(bt(x1), bt(x2)) = emptyset) t: VAR (weak_translator_t) translator_t(t): bool = (FORALL y: (EXISTS x: member(y, t(x)))) t1: VAR (translator_t) r, s: VAR setof[X] tmap(bt, s): setof[Y] = (LAMBDA y: (EXISTS x: member(x, s) AND member(y, bt(x)))) s1: VAR setof[Y] help1: THEOREM s1 /= emptyset IFF (EXISTS y: s1(y)) help2: THEOREM s /= emptyset IMPLIES (EXISTS x: s(x)) help3: THEOREM t(x1)(y) AND t(x2)(y) IMPLIES x1 = x2 help4: THEOREM (EXISTS y: t(x)(y)) help5: THEOREM (EXISTS x: t1(x)(y)) tmap_union: THEOREM tmap(t, union(r, s)) = union(tmap(t, r), tmap(t, s)) tmap_intersection: THEOREM tmap(t, intersection(r, s)) = intersection(tmap(t, r), tmap(t, s)) trone(t, x): Y = choose(t(x)) trone_def: THEOREM t(x)(trone(t, x)) trinv(t1, y): X = choose(LAMBDA x: member(y,t1(x))) trinv_def: THEOREM t1(trinv(t1, y))(y) inv_trans_prop: THEOREM (FORALL x: bt(x) = {y | it(y) = x} AND (EXISTS y: it(y) = x)) => weak_translator_t(bt) AND translator_t(bt) END translators $$$translators.prf (|translators| (|help1| "" (SKOLEM!) (("" (LEMMA "emptyset_is_empty?[Y]") (("" (INST -1 "s1!1") (("" (EXPAND "empty?") (("" (EXPAND "member") (("" (GROUND) (("1" (SKOLEM!) (("1" (INST?) NIL))) ("2" (SKOLEM!)