diff --git a/thys/ADS_Functor/document/root.tex b/thys/ADS_Functor/document/root.tex --- a/thys/ADS_Functor/document/root.tex +++ b/thys/ADS_Functor/document/root.tex 
@@ -1,77 +1,78 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Authenticated Data Structures as Functors} \author{Andreas Lochbihler \qquad Ognjen Maric \\[1em] Digital Asset} \maketitle \begin{abstract} Authenticated data structures allow several systems to convince each other that they are referring to the same data structure, even if each of them knows only a part of the data structure. Using inclusion proofs, knowledgable systems can selectively share their knowledge with other systems and the latter can verify the authenticity of what is being shared. In this paper, we show how to modularly define authenticated data structures, their inclusion proofs, and operations thereon as datatypes in Isabelle/HOL, using a shallow embedding. Modularity allows us to construct complicated trees from reusable building blocks, which we call Merkle functors. Merkle functors include sums, products, and function spaces and are closed under composition and least fixpoints. As a practical application, we model the hierarchical transactions of Canton, a practical interoperability protocol for distributed ledgers, as authenticated data structures. This is a first step towards formalizing the Canton protocol and verifying its integrity and security guarantees. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/AI_Planning_Languages_Semantics/document/root.tex b/thys/AI_Planning_Languages_Semantics/document/root.tex --- a/thys/AI_Planning_Languages_Semantics/document/root.tex +++ b/thys/AI_Planning_Languages_Semantics/document/root.tex 
@@ -1,71 +1,72 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage{wasysym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Semantics of AI Planning Languages} \author{Mohammad Abdulaziz and Peter Lammich\footnote{Author names are alphabetically ordered.}} % \subtitle{Proof Document} % \author{M. Abdulaziz \and P. Lammich} \date{} \maketitle This is an Isabelle/HOL formalisation of the semantics of the multi-valued planning tasks language that is used by the planning system Fast-Downward~\cite{helmert2006fast}, the STRIPS~\cite{fikes1971strips} fragment of the Planning Domain Definition Language~\cite{PDDLref} (PDDL), and the STRIPS soundness meta-theory developed by Lifschitz~\cite{lifschitz1987semantics}. It also contains formally verified checkers for checking the well-formedness of problems specified in either language as well the correctness of potential solutions. The formalisation in this entry was described in an earlier publication~\cite{ictai2018}. \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/AODV/document/root.tex b/thys/AODV/document/root.tex --- a/thys/AODV/document/root.tex +++ b/thys/AODV/document/root.tex 
@@ -1,69 +1,70 @@ % vim:nojs:spelllang=en_au tw=76 sw=4 sts=4 fo+=awn fmr={-{,}-} et ts=8 \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{mathpartir} \usepackage[margin=10mm,bottom=15mm]{geometry} \usepackage[final]{graphicx} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{rm} \begin{document} \title{Loop freedom of the (untimed) AODV routing protocol} \author{Timothy Bourke\thanks{Inria, \'Ecole normale sup\'erieure, and NICTA} \and Peter H\"ofner\thanks{NICTA and Computer Science and Engineering, UNSW}} \maketitle \begin{abstract} The Ad hoc On-demand Distance Vector (AODV) routing protocol~\cite{RFC3561} allows the nodes in a Mobile Ad hoc Network (MANET) or a Wireless Mesh Network (WMN) to know where to forward data packets. Such a protocol is `loop free' if it never leads to routing decisions that forward packets in circles. This development mechanises an existing pen-and-paper proof of loop freedom of AODV~\cite{FehnkerEtAl:AWN:2013}. The protocol is modelled in the Algebra of Wireless Networks (AWN), which is the subject of an earlier paper~\cite{BourkeEtAl:MechAWN:2014} and mechanization~\cite{Bourke14}. The proof relies on a novel compositional approach for lifting invariants to networks of nodes. We exploit the mechanization to analyse several variants of AODV and show that Isabelle/HOL can re-establish most proof obligations automatically and identify exactly the steps that are no longer valid. Each of the variants is essentially a modified copy of the main development. Further documentation is available in~\cite{BourkevGlHof:ATVA:2014}. 
\centering{\includegraphics[width=\textwidth]{session_graph}} \end{abstract} \newpage \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \newpage \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/AVL-Trees/document/root.tex b/thys/AVL-Trees/document/root.tex --- a/thys/AVL-Trees/document/root.tex +++ b/thys/AVL-Trees/document/root.tex @@ -1,31 +1,32 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \begin{document} \title{AVL Trees} \author{Tobias Nipkow and Cornelia Pusch} \maketitle \begin{abstract} Two formalizations of AVL trees with room for extensions. The first formalization is monolithic and shorter, the second one in two stages, longer and a bit simpler. The final implementation is the same. If you are interested in developing this further, please contact \url{}. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \end{document} diff --git a/thys/AWN/document/root.tex b/thys/AWN/document/root.tex --- a/thys/AWN/document/root.tex +++ b/thys/AWN/document/root.tex 
@@ -1,70 +1,70 @@ % vim:nojs:spelllang=en_au tw=76 sw=4 sts=4 fo+=awn fmr={-{,}-} et ts=8 \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{mathpartir} \usepackage[margin=10mm,bottom=15mm]{geometry} \usepackage[final]{graphicx} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{rm} \begin{document} \title{Mechanization of the Algebra for Wireless Networks (AWN)} \author{Timothy Bourke\thanks{Inria, \'Ecole normale sup\'erieure, and NICTA}} \maketitle \begin{abstract} AWN is a process algebra developed for modelling and analysing protocols for Mobile Ad hoc Networks (MANETs) and Wireless Mesh Networks (WMNs)~\cite[\textsection 4]{FehnkerEtAl:AWN:2013}. AWN models comprise five distinct layers: sequential processes, local parallel compositions, nodes, partial networks, and complete networks. This development mechanises the original operational semantics of AWN and introduces a variant `open' operational semantics that enables the compositional statement and proof of invariants across distinct network nodes. It supports labels (for weakening invariants) and (abstract) data state manipulations. A framework for compositional invariant proofs is developed, including a tactic (\verb|inv_cterms|) for inductive invariant proofs of sequential processes, lifting rules for the open versions of the higher layers, and a rule for transferring lifted properties back to the standard semantics. A notion of `control terms' reduces proof obligations to the subset of subterms that act directly (in contrast to operators for combining terms and joining processes). Further documentation is available in~\cite{BourkeEtAl:MechAWN:2014}. 
\centering{\includegraphics[width=.6\textwidth]{session_graph}} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \newpage \input{session} \section{Acknowledgements} We thank Peter H\"ofner for agreeing to the inclusion of the simple `Toy' example model. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Abortable_Linearizable_Modules/document/root.tex b/thys/Abortable_Linearizable_Modules/document/root.tex --- a/thys/Abortable_Linearizable_Modules/document/root.tex +++ b/thys/Abortable_Linearizable_Modules/document/root.tex @@ -1,44 +1,44 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Abortable Linearizable Modules} \author{Rachid Guerraoui \and Viktor Kuncak \and Giuliano Losa} \maketitle \input{abstract} \tableofcontents \input{introduction} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section{Conclusion} In this document we have defined the SLin I/O-automaton (a shorthand for Speculative Linearizability) and we have proved that the composition of two instances of the SLin I/O-automaton behaves like a single instance of the SLin I/O-automaton. This theorem justifies the compositional proof technique presented in \cite{Losa2014}. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Abs_Int_ITP2012/document/root.tex b/thys/Abs_Int_ITP2012/document/root.tex --- a/thys/Abs_Int_ITP2012/document/root.tex +++ b/thys/Abs_Int_ITP2012/document/root.tex 
@@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\snip}[4]{} \begin{document} \title{Abstract Interpretation of Annotated Commands} \author{Tobias Nipkow} \maketitle \begin{abstract} This is the Isabelle formalization of the material decribed in the eponymous ITP paper~\cite{Nipkow-ITP12}. It develops a generic abstract interpreter for a while-language, including widening and narrowing. The collecting semantics and the abstract interpreter operate on annotated commands: the program is represented as a syntax tree with the semantic information directly embedded, without auxiliary labels. The aim of the formalization is simplicity, not efficiency or precision. This is motivated by the inclusion of the material in a theorem prover based course on semantics. A similar (but more polished) development is covered in~\cite{Concrete}. \end{abstract} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Abstract-Hoare-Logics/document/root.tex b/thys/Abstract-Hoare-Logics/document/root.tex --- a/thys/Abstract-Hoare-Logics/document/root.tex +++ b/thys/Abstract-Hoare-Logics/document/root.tex 
@@ -1,41 +1,42 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Abstract Hoare Logics} \author{Tobias Nipkow} \maketitle \begin{abstract} These therories describe Hoare logics for a number of imperative language constructs, from while-loops to mutually recursive procedures. Both partial and total correctness are treated. In particular a proof system for total correctness of recursive procedures in the presence of unbounded nondeterminism is presented. \end{abstract} \tableofcontents \section{Introduction} These are the theories underlying the publications \cite{Nipkow-MOD2001,Nipkow-CSL02}. They should be consulted for explanatory text. The local variable declaration construct in \cite{Nipkow-MOD2001} has been generalized; see Section~\ref{sec:lang}. \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Abstract-Rewriting/document/root.tex b/thys/Abstract-Rewriting/document/root.tex --- a/thys/Abstract-Rewriting/document/root.tex +++ b/thys/Abstract-Rewriting/document/root.tex 
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Abstract Rewriting} \author{Christian Sternagel and Ren\'e Thiemann} \maketitle \begin{abstract} We present an Isabelle formalization of abstract rewriting (see, e.g., \cite{BaaderNipkow}). First, we define standard relations like \emph{joinability}, \emph{meetability}, \emph{conversion}, etc. Then, we formalize important properties of abstract rewrite systems, e.g., confluence and strong normalization. Our main concern is on strong normalization, since this formalization is the basis of \cite{CeTA} (which is mainly about strong normalization of term rewrite systems; see also \isafor/\ceta's website\footnote{\url{http://cl-informatik.uibk.ac.at/software/ceta}}). Hence lemmas involving strong normalization, constitute by far the biggest part of this theory. One of those is Newman's lemma. \end{abstract} \tableofcontents A description of this formalization will be available in \cite{Sternagel2010}. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Abstract_Completeness/document/root.tex b/thys/Abstract_Completeness/document/root.tex --- a/thys/Abstract_Completeness/document/root.tex +++ b/thys/Abstract_Completeness/document/root.tex 
@@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Abstract Completeness} \author{Jasmin Christian Blanchette, Andrei Popescu, and Dmitriy Traytel} \maketitle \begin{abstract} This is a formalization of an abstract property of possibly infinite derivation trees (modeled by a codatatype), that represents the core of a Beth--Hintikka-style proof of the first-order logic completeness theorem and is independent of the concrete syntax or inference rules. This work is described in detail in a publication by the authors \cite{bla-compl}. The abstract proof can be instantiated for a wide range of Gentzen and tableau systems as well as various flavors of FOL---e.g., with or without predicates, equality, or sorts. Here, we give only a toy example instantiation with classical propositional logic. A more serious instance---many-sorted FOL with equality---is described elsewhere \cite{bla-mech}. \end{abstract} \bibliographystyle{abbrv} \bibliography{root} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Abstract_Soundness/document/root.tex b/thys/Abstract_Soundness/document/root.tex --- a/thys/Abstract_Soundness/document/root.tex +++ b/thys/Abstract_Soundness/document/root.tex 
@@ -1,45 +1,46 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Abstract Soundness} \author{Jasmin Christian Blanchette, Andrei Popescu, and Dmitriy Traytel} \maketitle \begin{abstract} This is a formalized coinductive account of the abstract development of Brotherston et al.\ \cite{brotherston-et-al-2012}, in a slightly more general form since we work with arbitrary infinite proofs, which may be acyclic. This work is described in detail in an article by the authors \cite{blanchette-et-al-2017-co-methods}. The abstract proof can be instantiated for various formalisms, including first-order logic with inductive predicates. \end{abstract} \bibliographystyle{abbrv} \bibliography{root} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Adaptive_State_Counting/document/root.tex b/thys/Adaptive_State_Counting/document/root.tex --- a/thys/Adaptive_State_Counting/document/root.tex +++ b/thys/Adaptive_State_Counting/document/root.tex 
@@ -1,69 +1,70 @@ \documentclass[8pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[margin=2cm]{geometry} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Formalisation of an Adaptive State Counting Algorithm} \author{Robert Sachtleben} \maketitle \begin{abstract} This entry provides a formalisation of a refinement of an adaptive state counting algorithm, used to test for reduction between finite state machines. The algorithm has been originally presented by Hierons in \cite{hierons} and was slightly refined by Sachtleben et al.\ in \cite{refinement}. Definitions for finite state machines and adaptive test cases are given and many useful theorems are derived from these. The algorithm is formalised using mutually recursive functions, for which it is proven that the generated test suite is sufficient to test for reduction against finite state machines of a certain fault domain. Additionally, the algorithm is specified in a simple WHILE-language and its correctness is shown using Hoare-logic. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Affine_Arithmetic/document/root.tex b/thys/Affine_Arithmetic/document/root.tex 
--- a/thys/Affine_Arithmetic/document/root.tex +++ b/thys/Affine_Arithmetic/document/root.tex @@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{amsmath} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \title{Affine Arithmetic} \author{Fabian Immler} \begin{document} \maketitle \begin{abstract} We give a formalization of affine forms~\cite{Stolfi2004,Girard2005} as abstract representations of zonotopes. We provide affine operations as well as overapproximations of some non-affine operations like multiplication and division. Expressions involving those operations can automatically be turned into (executable) functions approximating the original expression in affine arithmetic. Moreover we give a verified implementation of a functional algorithm to compute the intersection of a zonotope with a hyperplane, as described in the paper~\cite{Immler}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Aggregation_Algebras/document/root.tex b/thys/Aggregation_Algebras/document/root.tex --- a/thys/Aggregation_Algebras/document/root.tex +++ b/thys/Aggregation_Algebras/document/root.tex 
@@ -1,53 +1,53 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} \begin{document} \title{Aggregation Algebras} \author{Walter Guttmann} \maketitle \begin{abstract} We develop algebras for aggregation and minimisation for weight matrices and for edge weights in graphs. We show numerous instances of these algebras based on linearly ordered commutative semigroups. \end{abstract} \tableofcontents \section{Overview} This document describes the following four theory files: \begin{itemize} \item Big sums over semigroups generalises parts of Isabelle/HOL's theory of finite summation \texttt{Groups\_Big.thy} from commutative monoids to commutative semigroups with a unit element only on the image of the semigroup operation. \item Aggregation Algebras introduces s-algebras, m-algebras and m-Kleene-algebras with operations for aggregating the elements of a weight matrix and finding the edge with minimal weight. \item Matrix Aggregation Algebras introduces aggregation orders, aggregation lattices and linear aggregation lattices. Matrices over these structures form s-algebras and m-algebras. \item Linear Aggregation Algebras shows numerous instances based on linearly ordered commutative semigroups. They include aggregations used for the minimum weight spanning tree problem and for the minimum bottleneck spanning tree problem, as well as arbitrary t-norms and t-conorms. \end{itemize} Three theory files, which were originally part of this entry, have been moved elsewhere: \begin{itemize} \item A theory for total-correctness proofs in Hoare logic became part of Isabelle/HOL's theory \texttt{Hoare/Hoare\_Logic.thy}. 
\item A theory with simple total-correctness proof examples became Isabelle/HOL's theory \texttt{Hoare/ExamplesTC.thy}. \item A theory proving total correctness of Kruskal's and Prim's minimum spanning tree algorithms based on m-Kleene-algebras using Hoare logic was split into two theories that became part of AFP entry \cite{GuttmannRobinsonOBrien2020}. \end{itemize} The development is based on Stone-Kleene relation algebras \cite{Guttmann2017b,Guttmann2017c}. The algebras for aggregation and minimisation, their application to weighted graphs and the verification of Prim's and Kruskal's minimum spanning tree algorithms, and various instances of aggregation are described in \cite{Guttmann2016c,Guttmann2018a,Guttmann2018b}. Related work is discussed in these papers. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Akra_Bazzi/document/root.tex b/thys/Akra_Bazzi/document/root.tex --- a/thys/Akra_Bazzi/document/root.tex +++ b/thys/Akra_Bazzi/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{amsmath} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Akra--Bazzi theorem and the Master theorem} \author{Manuel Eberl} \maketitle \begin{abstract} This article contains a formalisation of the Akra--Bazzi method~\cite{akrabazzi} based on a proof by Leighton~\cite{leighton}. It is a generalisation of the well-known Master Theorem for analysing the complexity of Divide \& Conquer algorithms. We also include a generalised version of the Master theorem based on the Akra--Bazzi theorem, which is easier to apply than the Akra--Bazzi theorem itself. Some proof methods that facilitate applying the Master theorem are also included. For a more detailed explanation of the formalisation and the proof methods, see the accompanying paper (publication forthcoming). \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Algebraic_Numbers/document/root.tex b/thys/Algebraic_Numbers/document/root.tex --- a/thys/Algebraic_Numbers/document/root.tex +++ b/thys/Algebraic_Numbers/document/root.tex 
@@ -1,136 +1,137 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \newcommand\rai{real algebraic number\xspace} \newcommand\rais{real algebraic numbers\xspace} \begin{document} \title{Algebraic Numbers in Isabelle/HOL\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Ren\'e Thiemann, Akihisa Yamada, and Sebastiaan Joosten} \maketitle \begin{abstract} Based on existing libraries for matrices, factorization of integer polynomials, and Sturm's theorem, we formalized algebraic numbers in Isabelle/HOL. Our development serves as an implementation for real and complex numbers, and it admits to compute roots and completely factorize real and complex polynomials, provided that all coefficients are rational numbers. Moreover, we provide two implementations to display algebraic numbers, an injective one that reveals the representing polynomial, or an approximative one that only displays a fixed amount of digits. To this end, we mechanized several results on resultants. \end{abstract} \tableofcontents \section{Introduction} Isabelle's previous implementation of irrational numbers was limited: it only admitted numbers expressed in the form ``$a+b\sqrt{c}$'' for $a,b,c \in \rats$, and even computations like $\sqrt2 \cdot \sqrt3$ led to a runtime error \cite{Real-AFP}. In this work, we provide full support for the \emph{real algebraic numbers}, i.e., the real numbers that are expressed as roots of non-zero integer polynomials, and we also partially support complex algebraic numbers. 
Most of the results on algebraic numbers have been taken from a textbook by Bhubaneswar Mishra \cite{AlgNumbers}. Also Wikipedia provided valuable help. \medskip Concerning the real algebraic numbers, we first had to prove that they form a field. To show that the addition and multiplication of \rais are also \rais, we formalize the theory of \emph{resultants}, which are the determinants of specific matrices, where the size of these matrices depend on the degree of the polynomials. To this end, we utilized the matrix library provided in the Jordan-Normal-Form AFP-entry \cite{JNF-AFP} where the matrix dimension can arbitrarily be chosen at runtime. Given \rais $x$ and $y$ expressed as the roots of polynomials, we compute a polynomial that has $x+y$ or $x \cdot y$ as its root via resultants. In order to guarantee that the resulting polynomial is non-zero, we needed the result that multivariate polynomials over fields form a unique factorization domain (UFD). To this end, we initially proved that polynomials over some UFD are again a UFD, relying upon results in HOL-algebra. When performing actual computations with algebraic numbers, it is important to reduce the degree of the representing polynomials. To this end, we use the existing Berlekamp-Zassenhaus factorization algorithm. This is crucial for the default show-function for real algebraic numbers which requires the unique minimal polynomial representing the algebraic number -- but an alternative which displays only an approximative value is also available. In order to support tests on whether a given algebraic number is a rational number, we also make use of the fact that we compute the minimal polynomial. The formalization of Sturm's method \cite{Sturm-AFP} was crucial to separate the different roots of a fixed polynomial. 
We could nearly use it as it is, and just copied some function definition so that Sturm's method now is available to separate the real roots of rational polynomial, where all computations are now performed over $\rats$. With all the mentioned ingredients we implemented all arithmetic operations on real algebraic numbers, i.e., addition, subtraction, multiplication, division, comparison, $n$-th root, floor- and ceiling, and testing on membership in $\rats$. Moreover, we provide a method to create real algebraic numbers from a given rational polynomial, a method which computes precisely the set of real roots of a rational polynomial. \medskip The absence of an equivalent to Sturm's method for the complex numbers in Isabelle/HOL prevented us from having native support for complex algebraic numbers. Instead, we represent complex algebraic numbers as their real and imaginary part: note that a complex number is algebraic if and only if both the real and the imaginary part are real algebraic numbers. This equivalence also admitted us to design an algorithm which computes all complex roots of a rational polynomial. It first constructs a set of polynomials which represent all real and imaginary parts of all complex roots, yielding a superset of all roots, and afterwards the set just is just filtered. By the fundamental theorem of algebra, we then also have a factorization algorithm for polynomials over $\complex$ with rational coefficients. Finally, for factorizing a rational polynomial over $\reals$, we first factorize it over $\complex$, and then combine each pair of complex conjugate roots. \medskip As future it would be interesting to include the result that the set of complex algebraic numbers is algebraically closed, i.e., at the momemnt we are limited to determine the complex roots of a polynomial over $\rats$, and cannot determine the real or complex roots of an polynomial having arbitrary algebraic coefficients. 
Finally, an analog to Sturm's method for the complex numbers would be welcome, in order to have a smaller representation: for instance, currently the complex roots of $1 + x + x^3$ are computed as ``root \#1 of $1 + x + x^3$'', ``(root \#1 of $-\frac18 + \frac14x + x^3$)+(root \#1 of $-\frac{31}{64} + \frac{9}{16}x^2 - \frac32x^4 + x^6$)i'', and ``(root \#1 of $-\frac18 + \frac14x + x^3$)+(root \#2 of $-\frac{31}{64} + \frac{9}{16}x^2 - \frac32x^4 + x^6$)i''. \section{Auxiliary Algorithms} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Algebraic_VCs/document/root.tex b/thys/Algebraic_VCs/document/root.tex --- a/thys/Algebraic_VCs/document/root.tex +++ b/thys/Algebraic_VCs/document/root.tex 
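Review bot: In thys/Algebraic_Numbers/document/root.tex the only change is the added \usepackage[T1]{fontenc}, which is correct, but the unchanged context it touches carries several typos that belong in a follow-up commit rather than this mechanical sweep: "at the momemnt" (moment), "As future it would be interesting" (As future work it would be interesting), "the set just is just filtered" (the set is then filtered), "of an polynomial" (of a polynomial) and "This equivalence also admitted us to design" (allowed us to design). Keeping them out of this change keeps the diff a pure encoding fix that can be verified file by file.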
@@ -1,113 +1,114 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Program Construction and Verification Components Based on Kleene Algebra} \author{Victor B. F. Gomes and Georg Struth} \maketitle \begin{abstract} Variants of Kleene algebra support program construction and verification by algebraic reasoning. This entry provides a verification component for Hoare logic based on Kleene algebra with tests, verification components for weakest preconditions and strongest postconditions based on Kleene algebra with domain and a component for step-wise refinement based on refinement Kleene algebra with tests. In addition to these components for the partial correctness of while programs, a verification component for total correctness based on divergence Kleene algebras and one for (partial correctness) of recursive programs based on domain quantales are provided. Finally we have integrated memory models for programs with pointers and a program trace semantics into the weakest precondition component. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introductory Remarks} These Isabelle theories provide program construction and verification components for simpe while programs based on variants of Kleene algebra with tests and Kleene algebra with domain, as well as a component for parameterless recursive programs based on domain quantales. The general approach consists in using the algebras for deriving verification conditions for the control flow of programs. They are linked by formal soundness proofs with denotational program semantics of the store and data domain---here predominantly with a relational semantics. Assignment laws can then be derived in this semantics. Program construction and verification tasks are performed within the concrete semantics as well; structured syntax for programs could easily be added, but is not provided at the moment. All components are correct by construction relative to Isabelle's small trustworthy core, as our soundness proofs make the axiomatic extensions provided by the algebras consistent with respect to it. The main components are integrated into previous AFP entries for Kleene algebras~\cite{afp:ka}, Kleene algebras with tests~\cite{afp:kat} and Kleene algebras with domain~\cite{afp:kad}. As an overview and perhaps for educational purposes, we have also added two standalone components based on Hoare logic and weakest (liberal) preconditions that use only Isabelle's main libraries. Background information on the general approach and the first main component, which is based on Kleene algebra with tests, can be found in~\cite{ArmstrongGS15}. An introduction to Kleene algebra with domain is given in~\cite{DesharnaisS11}; a paper describing the corresponding verification component in detail is in preparation. We are planning to add further components and expand and restructure the existing ones in the future. 
We would like to invite anyone interested in the algebraic approach to collaborate with us on these and contribute to this project. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Allen_Calculus/document/root.tex b/thys/Allen_Calculus/document/root.tex --- a/thys/Allen_Calculus/document/root.tex +++ b/thys/Allen_Calculus/document/root.tex @@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Allen's Interval Calculus} \author{Fadoua Ghourabi \\ Ochanomizu University, Japan \\ fadouaghourabi@gmail.com} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Amicable_Numbers/document/root.tex b/thys/Amicable_Numbers/document/root.tex --- a/thys/Amicable_Numbers/document/root.tex +++ b/thys/Amicable_Numbers/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Amicable Numbers} \author{Angeliki Koutsoukou-Argyraki} \maketitle \begin{abstract} This is a formalisation of Amicable Numbers, involving some relevant material including Euler's sigma function, some relevant definitions, results and examples as well as rules such as Th\={a}bit ibn Qurra's Rule, Euler's Rule, te Riele's Rule and Borho's Rule with breeders. \\ \\ The main sources are \cite{garciaetal1} \cite{garciaetal2}. Some auxiliary material can be found in \cite{escott} \cite{sandifer}. If not otherwise stated, the source of definitions is \cite{garciaetal1}. In a few definitions where we refer to Wikipedia articles \cite{aliquotwiki} \cite{amicwiki} \cite{betrothedwiki} this is explicitly mentioned. \end{abstract} \newpage \tableofcontents \newpage % include generated text of all theories \input{session} \newpage \raggedright \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Amortized_Complexity/document/root.tex b/thys/Amortized_Complexity/document/root.tex --- a/thys/Amortized_Complexity/document/root.tex +++ b/thys/Amortized_Complexity/document/root.tex 
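Review bot: In thys/Amicable_Numbers/document/root.tex the switch to T1 will not change how Th\={a}bit is typeset: T1 has precomposed glyphs for the Latin-1 and Central European accented letters but no a-with-macron, so \={a} is still assembled with the \accent primitive, the word stays unhyphenatable after the accent and it copies out of the PDF as two characters. That is no regression, just no gain for this particular name; a real precomposed ā needs a Unicode-aware engine or a font that carries the glyph, which is outside the scope of this commit.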
@@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \renewcommand{\isacharunderscore}{\_} \renewcommand{\isacharunderscorekeyword}{\_} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Amortized Complexity Verified} \author{Tobias Nipkow} \maketitle \begin{abstract} A framework for the analysis of the amortized complexity of (functional) data structures is formalized in Isabelle/HOL and applied to a number of standard examples and to the following non-trivial ones: skew heaps, splay trees, splay heaps and pairing heaps. This work is described in \cite{Nipkow-ITP15} (except for pairing heaps). An extended version (including pairing heaps) is available online \cite{Nipkow-Brinkop}. \end{abstract} \setcounter{tocdepth}{2} \tableofcontents \newpage % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/AnselmGod/document/root.tex b/thys/AnselmGod/document/root.tex --- a/thys/AnselmGod/document/root.tex +++ b/thys/AnselmGod/document/root.tex 
@@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Anselm's God in Isabelle/HOL} \author{Ben Blumson} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Applicative_Lifting/document/root.tex b/thys/Applicative_Lifting/document/root.tex --- a/thys/Applicative_Lifting/document/root.tex +++ b/thys/Applicative_Lifting/document/root.tex 
@@ -1,57 +1,58 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{textcomp} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amssymb} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Applicative Lifting} \author{Andreas Lochbihler \and Joshua Schneider} \maketitle \begin{abstract} Applicative functors augment computations with effects by lifting function application to types which model the effects \cite{mcbride08}. As the structure of the computation cannot depend on the effects, applicative expressions can be analysed statically. This allows us to lift universally quantified equations to the effectful types, as observed by Hinze \cite{hinze10}. Thus, equational reasoning over effectful computations can be reduced to pure types. This entry provides a package for registering applicative functors and two proof methods for lifting of equations over applicative functors. The first method applicative{\isacharunderscore}nf normalises applicative expressions according to the laws of applicative functors. This way, equations whose two sides contain the same list of variables can be lifted to every applicative functor. To lift larger classes of equations, the second method applicative{\isacharunderscore}\linebreak lifting exploits a number of additional properties (e.g., commutativity of effects) provided the properties have been declared for the concrete applicative functor at hand upon registration. We declare several types from the Isabelle library as applicative functors and illustrate the use of the methods with two examples: the lifting of the arithmetic type class hierarchy to streams and the verification of a relabelling function on binary trees. We also formalise and verify the normalisation algorithm used by the first proof method, as well as the general approach of the second method, which is based on bracket abstraction. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Approximation_Algorithms/document/root.tex b/thys/Approximation_Algorithms/document/root.tex --- a/thys/Approximation_Algorithms/document/root.tex +++ b/thys/Approximation_Algorithms/document/root.tex @@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Verified Approximation Algorithms} \author{Robin E{\ss}mann, Tobias Nipkow and Simon Robillard} \maketitle \begin{abstract} We present the first formal verifications of approximation algorithms for NP-complete optimization problems: vertex cover, set cover, independent set, load balancing, and bin packing. The proofs correct incompletnesses in existing proofs and improve the approximation ratio in one case. A detailed description of our work has been published in the proceedings of \emph{IJCAR 2020} \cite{EssmannNR-IJCAR20}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Architectural_Design_Patterns/document/root.tex b/thys/Architectural_Design_Patterns/document/root.tex --- a/thys/Architectural_Design_Patterns/document/root.tex +++ b/thys/Architectural_Design_Patterns/document/root.tex 
@@ -1,83 +1,84 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[nointegrals]{wasysym} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} \usepackage{fullpage} \usepackage{standalone} \usepackage{tikz} \usetikzlibrary{calc,positioning} %\usepackage{xr} %\externaldocument{C:/Users/Diego/dmarmsoler/Artikel/PatternHierarchy/trunk/main} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \newcommand{\repeatisanl}[1] {\ifnum#1=0\else\isanewline\repeatisanl{\numexpr#1-1}\fi} \newcommand{\snip}[4]{\repeatisanl#2#4\repeatisanl#3} \begin{document} \title{A Theory of Architectural Design Patterns} \author{Diego Marmsoler} \maketitle \begin{abstract} The following document formalizes and verifies several architectural design patterns~\cite{Buschmann1996}. Each pattern specification is formalized in terms of a locale where the locale assumptions correspond to the assumptions which a pattern poses on an architecture. Thus, pattern specifications may build on top of each other by interpreting the corresponding locale. A pattern is verified using the framework provided by the AFP entry \textit{Dynamic Architectures}~\cite{Marmsoler2017d}. Currently, the document consists of formalizations of $4$ different patterns: the singleton, the publisher subscriber, the blackboard pattern, and the blockchain pattern. 
Thereby, the publisher component of the publisher subscriber pattern is modeled as an instance of the singleton pattern and the blackboard pattern is modeled as an instance of the publisher subscriber pattern. In general, this entry provides the first steps towards an overall theory of architectural design patterns~\cite{Marmsoler2014}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Aristotles_Assertoric_Syllogistic/document/root.tex b/thys/Aristotles_Assertoric_Syllogistic/document/root.tex --- a/thys/Aristotles_Assertoric_Syllogistic/document/root.tex +++ b/thys/Aristotles_Assertoric_Syllogistic/document/root.tex 
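Review bot: In thys/Architectural_Design_Patterns/document/root.tex the commented-out pair %\usepackage{xr} and %\externaldocument{C:/Users/Diego/dmarmsoler/Artikel/PatternHierarchy/trunk/main} ships a local Windows path and user name into a published source tree; as written it is dead code, so remove it while the file is being touched, or, if cross-referencing the paper is still intended, point \externaldocument at a path relative to the entry. The fontenc addition itself needs no further reordering here: the file already loads amsmath together with [nointegrals]{wasysym}, so the usual \iint clash between the two is avoided.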
@@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathtools,url} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \bibliographystyle{plain} \begin{document} \title{Aristotle's Assertoric Syllogistic} \author{Angeliki Koutsoukou-Argyraki} \maketitle \begin{abstract} We formalise with Isabelle/HOL some basic elements of Aristotle's assertoric syllogistic following the article from the Stanford Encyclopedia of Philosophy by Robin Smith: \url{https://plato.stanford.edu/entries/aristotle-logic/}. To this end, we use a set theoretic formulation (covering both individual and general predication). In particular, we formalise the deductions in the Figures and after that we present Aristotle's metatheoretical observation that all deductions in the Figures can in fact be reduced to either Barbara or Celarent. As the formal proofs prove to be straightforward, the interest of this entry lies in illustrating the functionality of Isabelle and high efficiency of Sledgehammer for simple exercises in philosophy. \end{abstract} \tableofcontents % include generated text of all theories \input{session} %\bibliographystyle{abbrv} %\bibliography{root} \end{document} diff --git a/thys/Arith_Prog_Rel_Primes/document/root.tex b/thys/Arith_Prog_Rel_Primes/document/root.tex --- a/thys/Arith_Prog_Rel_Primes/document/root.tex +++ b/thys/Arith_Prog_Rel_Primes/document/root.tex 
@@ -1,31 +1,31 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - %this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Arithmetic progressions and relative primes} \author{Jos\'e Manuel Rodr\'iguez Caballero} \maketitle \begin{abstract} This article provides a formalization of the solution obtained by the author of the Problem ``ARITHMETIC PROGRESSIONS" from the Putnam exam problems \cite{putnam} of $2002$. The statement of the problem is as follows: For which integers $n>1$ does the set of positive integers less than and relatively prime to $n$ constitute an arithmetic progression? \end{abstract} \tableofcontents \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/ArrowImpossibilityGS/document/root.tex b/thys/ArrowImpossibilityGS/document/root.tex --- a/thys/ArrowImpossibilityGS/document/root.tex +++ b/thys/ArrowImpossibilityGS/document/root.tex @@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Arrow and Gibbard-Satterthwaite} \author{Tobias Nipkow} \maketitle \begin{abstract} This article formalizes two proofs of Arrow's impossibility theorem due to Geanakoplos and derives the Gibbard-Satterthwaite theorem as a corollary. One formalization is based on utility functions, the other one on strict partial orders. \end{abstract} \noindent For an article about these proofs see \url{http://www.in.tum.de/~nipkow/pubs/arrow.pdf}. % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
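Review bot: In thys/Arith_Prog_Rel_Primes/document/root.tex the hunk also deletes a blank line (hence -1,31 +1,31 with one + and one - line); that is harmless, but in a sweep that is otherwise one identical insertion per file, an unrelated whitespace edit makes the commit harder to check by eye, so either keep the blank line or say in the commit message that blank lines were also cleaned up. The encoding change does pay off in this file: the accents in \author{Jos\'e Manuel Rodr\'iguez Caballero} become precomposed é and í glyphs under T1 instead of \accent constructions, so the title page text is searchable and copies correctly from the PDF.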
diff --git a/thys/Attack_Trees/document/root.tex b/thys/Attack_Trees/document/root.tex --- a/thys/Attack_Trees/document/root.tex +++ b/thys/Attack_Trees/document/root.tex 
@@ -1,78 +1,79 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Attack Trees in Isabelle for GDPR compliance of IoT healthcare systems} \author{Florian Kamm\"uller} \maketitle \begin{abstract} In this article, we present a proof theory for Attack Trees. Attack Trees are a well established and useful model for the construction of attacks on systems since they allow a stepwise exploration of high level attacks in application scenarios. Using the expressiveness of Higher Order Logic in Isabelle, we succeed in developing a generic theory of Attack Trees with a state-based semantics based on Kripke structures and CTL (see \cite{kam:16b} for more details). The resulting framework allows mechanically supported logic analysis of the meta-theory of the proof calculus of Attack Trees and at the same time the developed proof theory enables application to case studies. A central correctness and completeness result proved in Isabelle establishes a connection between the notion of Attack tTree validity and CTL. The application is illustrated on the example of a healthcare IoT system and GDPR compliance verification. A more detailed account of the Attack Tree formalisation is given in \cite{kam:18b} and the case study is described in detail in \cite{kam:18a}. 
%bla \cite{kk:16}\cite{kp:16}\cite{mw:09}\cite{kk:20} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Auto2_HOL/document/root.tex b/thys/Auto2_HOL/document/root.tex --- a/thys/Auto2_HOL/document/root.tex +++ b/thys/Auto2_HOL/document/root.tex 
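Review bot: In thys/Attack_Trees/document/root.tex the line %bla \cite{kk:16}\cite{kp:16}\cite{mw:09}\cite{kk:20} has no effect because it is commented out; if the intent is to force those entries into the reference list, replace it with \nocite{kk:16,kp:16,mw:09,kk:20}, and if they are not wanted, delete the line rather than leave a puzzle for the next editor. The fontenc change is the right fix for this entry: in OT1 the author name Kamm\"uller is built with \accent, which suppresses hyphenation in the rest of the word and leaves a separate umlaut in the PDF text layer, whereas T1 has a precomposed ü. Drive-by typo in the unchanged abstract for a later commit: "Attack tTree validity" should read "Attack Tree validity".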
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Auto2 prover} \author{Bohua Zhan} \maketitle \begin{abstract} Auto2 is a saturation-based heuristic prover for higher-order logic, implemented as a tactic in Isabelle. This entry contains the instantiation of auto2 for Isabelle/HOL, along with two basic examples: solutions to some of the Pelletier's problems, and elementary number theory of primes. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \section{Introduction} Auto2 \cite{zhan16} is a proof automation tool implemented in Isabelle. It uses a saturation-based approach to proof search: starting with a list of initial assumptions, it iteratively adds facts that can be derived from these assumptions, with the aim of ultimately deriving a contradiction. Users can add their own proof procedures to auto2 in the form of \emph{proof steps}, in order to implement domain-specific knowledge. Auto2 can be instantiated to both Isabelle/HOL (for ordinary usage) and Isabelle/FOL (for formalization of mathematics based on set theory). This AFP entry contains the instantiation of auto2 to Isabelle/HOL, and two basic applications: \begin{itemize} \item Pelletier's problems: solutions to some of the problems in Pelletier's collection of problems for testing automatic theorem provers \cite{pelletier}. Auto2 is not intended to compete with ATPs. In our examples, we merely show how to use the prover to solve some of the problems, sometimes with hints. \item Elementary number theory: theory of prime numbers up to the infinitude of primes and unique factorization. 
This example follows the development in HOL/Computational\_Algebra/Primes.thy in the Isabelle distribution. \end{itemize} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Auto2_Imperative_HOL/document/root.tex b/thys/Auto2_Imperative_HOL/document/root.tex --- a/thys/Auto2_Imperative_HOL/document/root.tex +++ b/thys/Auto2_Imperative_HOL/document/root.tex 
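Review bot: In thys/Auto2_HOL/document/root.tex (and the same two lines in thys/Auto2_Imperative_HOL/document/root.tex) the hunk bundles a cosmetic rewrite, -\usepackage{amsfonts, amsmath, amssymb} to +\usepackage{amsfonts,amsmath,amssymb}, with the fontenc addition; it is unrelated to encoding and changes nothing in the output, so either drop it to keep the sweep mechanical or state in the commit message that package lists were normalised as well. The position of the new \usepackage[T1]{fontenc} ahead of the ams packages is fine: fontenc only needs to precede packages that change the text font family, and none of the packages in this file does.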
@@ -1,68 +1,69 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Verifying Imperative Programs using Auto2} \author{Bohua Zhan} \maketitle \begin{abstract} This entry contains the application of auto2 to verifying functional and imperative programs. Algorithms and data structures that are verified include linked lists, binary search trees, red-black trees, interval trees, priority queue, quicksort, union-find, Dijkstra's algorithm, and a sweep-line algorithm for detecting rectangle intersection. The imperative verification is based on Imperative HOL and its separation logic framework. A major goal of this work is to set up automation in order to reduce the length of proof that the user needs to provide, both for verifying functional programs and for working with separation logic. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \section{Introduction} This AFP entry contains the applications of auto2 to verifying functional and imperative programs. These examples are published in \cite{zhan18a}. \begin{itemize} \item Functional programs (in directory Functional): we verify several functional algorithms and data structures, including: linked lists, binary search trees, red-black trees, interval trees, priority queue, quicksort, union-find, Dijkstra's algorithm, and a sweep-line algorithm for detecting rectangle intersection. \item Imperative programs (in directory Imperative): we verify imperative versions of the above algorithms and data structures, using Isabelle's Imperative HOL framework \cite{imphol}. We make use of separation logic, following the framework set up by Lammich and Reis \cite{Separation_Logic_Imperative_HOL-AFP}. 
The general outline of some of the examples also come from there. \end{itemize} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/AutoFocus-Stream/document/root.tex b/thys/AutoFocus-Stream/document/root.tex --- a/thys/AutoFocus-Stream/document/root.tex +++ b/thys/AutoFocus-Stream/document/root.tex 
@@ -1,65 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{graphicx} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{wasysym} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} %\usepackage{masmath} % this should be the last package used \usepackage{pdfsetup} \newcommand{\isasymNoMsg}{\ensuremath\varepsilon} %\newcommand{\isasymMsg}{\texttt{Msg}} %\newcommand{\isasymMsg}{\isatext{\rm\sffamily{}Msg}} \newcommand{\isasymMsg}{\textsf{Msg}} % \newcommand{\isasymB}{\textsf{B}} % \newcommand{\isasymR}{\textsf{R}} % \newcommand{\isasymS}{\textsf{S}} % \newcommand{\isasymU}{\textsf{U}} % \newcommand{\isasymW}{\textsf{W}} \newcommand{\backslashlessgreater}[1]{\ensuremath{\backslash\!\!<}#1\ensuremath{>}} \newcommand{\isasymHTMLNoMsg}{\backslashlessgreater{HTMLNoMsg}} \newcommand{\isasymHTMLMsg}{\backslashlessgreater{HTMLMsg}} \urlstyle{rm} \isabellestyle{it} \pagestyle{myheadings} \begin{document} \title{AutoFocus Stream Processing for Single-Clocking and Multi-Clocking Semantics} \author{David Trachtenherz} \maketitle \begin{abstract} We formalize the AutoFocus Semantics (a time-synchronous subset of the Focus formalism) as stream processing functions on finite and infinite message streams represented as finite/infinite lists. The formalization comprises both the conventional single-clocking semantics (uniform global clock for all components and communications channels) and its extension to multi-clocking semantics (internal execution clocking of a component may be a multiple of the external communication clocking). The semantics is defined by generic stream processing functions making it suitable for simulation/code generation in Isabelle/HOL. Furthermore, a number of AutoFocus semantics properties are formalized using definitions from the Nat-Interval-Logic theories. 
\end{abstract} \tableofcontents \begin{center} \includegraphics[scale=0.5]{session_graph} \end{center} \clearpage \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/Automated_Stateful_Protocol_Verification/document/root.tex b/thys/Automated_Stateful_Protocol_Verification/document/root.tex --- a/thys/Automated_Stateful_Protocol_Verification/document/root.tex +++ b/thys/Automated_Stateful_Protocol_Verification/document/root.tex 
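Review bot: In thys/AutoFocus-Stream/document/root.tex the hunk removes -\usepackage[utf8]{inputenc} while adding fontenc, and that is only safe if every LaTeX used to build the AFP documents is the 2018-04-01 release or newer, where UTF-8 became the default input encoding. On an older kernel any non-ASCII byte in root.tex or in the theory-generated .tex files yields an "Invalid character" error or mojibake, and fontenc is not a substitute: inputenc maps input bytes to characters, fontenc selects the output glyph encoding. Either keep the inputenc line, which is harmless on current kernels, or record the minimum TeX Live version the build requires so the removal is justified.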
@@ -1,164 +1,165 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{hyperref} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{Automated Stateful Protocol Verification} \author{% \begin{minipage}{.8\textwidth} \centering \href{https://www.dtu.dk/english/service/phonebook/person?id=64207}{Andreas~V.~Hess}\footnotemark[1] \qquad\qquad \href{https://people.compute.dtu.dk/samo/}{Sebastian~M{\"o}dersheim}\footnotemark[1] \\ \href{http://www.brucker.ch/}{Achim~D.~Brucker}\footnotemark[2] \qquad\qquad \href{https://people.compute.dtu.dk/andschl}{Anders~Schlichtkrull} \end{minipage} } \publishers{% \footnotemark[1]~DTU Compute, Technical University of Denmark, Lyngby, Denmark\texorpdfstring{\\}{, } \texttt{\{avhe, samo, andschl\}@dtu.dk}\\[2em] % \footnotemark[2]~ Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, } \texttt{a.brucker@exeter.ac.uk} % } \begin{document} \maketitle \begin{abstract} \begin{quote} In protocol verification we observe a wide spectrum from fully automated methods to interactive theorem proving with proof assistants like Isabelle/HOL. In this AFP entry, we present a fully-automated approach for verifying stateful security protocols, i.e., protocols with mutable state that may span several sessions. The approach supports reachability goals like secrecy and authentication. 
We also include a simple user-friendly transaction-based protocol specification language that is embedded into Isabelle. \bigskip \noindent{\textbf{Keywords:}} Fully automated verification, stateful security protocols \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} In protocol verification we observe a wide spectrum from fully automated methods to interactive theorem proving with proof assistants like Isabelle/HOL. The latter provide overwhelmingly high assurance of the correctness, which automated methods often cannot: due to their complexity, bugs in such automated verification tools are likely and thus the risk of erroneously verifying a flawed protocol is non-negligible. There are a few works that try to combine advantages from both ends of the spectrum: a high degree of automation and assurance. Inspired by~\cite{brucker.ea:integrating:2009}, we present here a first step towards achieving this for a more challenging class of protocols, namely those that work with a mutable long-term state. To our knowledge this is the first approach that achieves fully automated verification of stateful protocols in an LCF-style theorem prover. The approach also includes a simple user-friendly transaction-based protocol specification language embedded into Isabelle, and can also leverage a number of existing results such as soundness of a typed model (see, e.g.,~\cite{hess:typing:2018,hess.ea:formalizing:2017,hess.ea:typing:2018}) and compositionality (see, e.g.,~\cite{hess:typing:2018,hess.ea:stateful:2018}). The Isabelle formalization extends the AFP entry on stateful protocol composition and typing~\cite{hess.ea:stateful:2020}. \begin{figure} \centering \includegraphics[height=\textheight]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle. 
Overall, the structure of this document follows the theory dependencies (see \autoref{fig:session-graph}): We start with the formal framework for verifying stateful security protocols (\autoref{cha:verification}). We continue with the setup for supporting the high-level protocol specifications language for security protocols (the Trac format) and the implementation of the fully automated proof tactics (\autoref{cha:trac}). Finally, we present examples (\autoref{cha:examples}). \paragraph{Acknowledgments} This work was supported by the Sapere-Aude project ``Composec: Secure Composition of Distributed Systems'', grant 4184-00334B of the Danish Council for Independent Research, by the EU H2020 project no. 700321 ``LIGHTest: Lightweight Infrastructure for Global Heterogeneous Trust management in support of an open Ecosystem of Trust schemes'' (lightest.eu) and by the ``CyberSec4Europe'' European Union's Horizon 2020 research and innovation programme under grant agreement No 830929. \clearpage \chapter{Stateful Protocol Verification} \label{cha:verification} \input{Transactions.tex} \input{Term_Abstraction.tex} \input{Stateful_Protocol_Model.tex} \input{Term_Variants.tex} \input{Term_Implication.tex} \input{Stateful_Protocol_Verification.tex} \chapter{Trac Support and Automation} \label{cha:trac} \input{Eisbach_Protocol_Verification.tex} \input{ml_yacc_lib.tex} \input{trac_term.tex} \input{trac_fp_parser.tex} \input{trac_protocol_parser.tex} \input{trac.tex} \chapter{Examples} \label{cha:examples} \input{Keyserver.tex} \input{Keyserver2.tex} \input{Keyserver_Composition.tex} \input{PKCS_Model03.tex} \input{PKCS_Model07.tex} \input{PKCS_Model09.tex} % \input{session} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} \endinput %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Automatic_Refinement/document/root.tex b/thys/Automatic_Refinement/document/root.tex --- a/thys/Automatic_Refinement/document/root.tex 
+++ b/thys/Automatic_Refinement/document/root.tex 
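Review bot: for the Automated_Stateful_Protocol_Verification hunk above, the file loads no inputenc before or after the change, so input decoding of any non-ASCII source still relies on the UTF-8 default of LaTeX 2018-04 or later; the only accented text visible in the hunk, `M{\"o}dersheim`, is written with an ASCII accent macro, which under T1 now resolves to a real precomposed glyph, so the addition is safe here and the placement before babel matches the other files in this patch.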
@@ -1,76 +1,76 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \makeatletter \newenvironment{abstract}{% \small \begin{center}% {\bfseries \abstractname\vspace{-.5em}\vspace{\z@}}% \end{center}% \quotation}{\endquotation} \makeatother \begin{document} \title{Automatic Data Refinement} \author{Peter Lammich} \maketitle \begin{abstract} We present the Autoref tool for Isabelle/HOL, which automatically refines algorithms specified over abstract concepts like maps and sets to algorithms over concrete implementations like red-black-trees, and produces a refinement theorem. It is based on ideas borrowed from relational parametricity due to Reynolds and Wadler. The tool allows for rapid prototyping of verified, executable algorithms. Moreover, it can be configured to fine-tune the result to the user's needs. Our tool is able to automatically instantiate generic algorithms, which greatly simplifies the implementation of executable data structures. 
This AFP-entry provides the basic tool, which is then used by the Refinement and Collection Framework to provide automatic data refinement for the nondeterminism monad and various collection datastructures. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/AxiomaticCategoryTheory/document/root.tex b/thys/AxiomaticCategoryTheory/document/root.tex --- a/thys/AxiomaticCategoryTheory/document/root.tex +++ b/thys/AxiomaticCategoryTheory/document/root.tex 
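Review bot: the Automatic_Refinement hunk does more than add fontenc: the `- ` line removes the blank line that separated `\usepackage{isabelle,isabellesym}` from `\usepackage{amssymb}`, which is unrelated whitespace churn in an encoding patch. Harmless, but either drop it to keep the diff minimal or mention it in the commit message so the line-count change (-1,76 +1,76 despite one addition) is not surprising.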
@@ -1,118 +1,119 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{authblk} \usepackage{latexsym,amsmath} \usepackage[margin=2cm]{geometry} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Axioms Systems for Category Theory in Free Logic} \author[1]{Christoph Benzm\"uller} \author[2]{Dana S. Scott} \affil[1]{University of Luxemburg, Luxemburg \& Freie Universit\"at Berlin, Germany} \affil[2]{Visiting Scholar at University of Califormia, Berkeley, USA} \date{\today} %% if you don't need date to appear \setcounter{Maxaffil}{0} \renewcommand\Affilfont{\itshape\small} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} % \bibliography{root} \begin{thebibliography}{1} \bibitem{C57} C.~Benzm{\"u}ller and D.~Scott. \newblock Automating free logic in {Isabelle/HOL}. \newblock In G.-M. Greuel, T.~Koch, P.~Paule, and A.~Sommese, editors, {\em Mathematical Software -- ICMS 2016, 5th International Congress, Proceedings}, volume 9725 of {\em LNCS}, pages 43--50, Berlin, Germany, 2016. Springer. \bibitem{C67} C.~Benzm{\"u}ller and D.~Scott. \newblock Some reflections on a computer-aided theory exploration study in category theory (extended abstract). \newblock In T.~C. 
Hales, C.~Kaliszyk, S.~Schulz, and J.~Urban, editors, {\em 3rd Conference on Artificial Intelligence and Theorem Proving (AITP 2018), Book of Abstracts}, 2018. \bibitem{R58} C.~Benzm{\"u}ller and D.~S. Scott. \newblock Axiomatizing category theory in free logic. \newblock Technical report, CoRR, 2016. \newblock \url{http://arxiv.org/abs/1609.01493}. \bibitem{FreydScedrov90} P.~J. Freyd and A.~Scedrov. \newblock {\em Categories, Allegories}. \newblock North Holland, 1990. \bibitem{MacLane48} S.~McLane. \newblock Groups, categories and duality. \newblock {\em Proceedings of the National Academy of Sciences}, 34(6):263--267, 1948. \bibitem{Scott79} D.~Scott. \newblock Identity and existence in intuitionistic logic. \newblock In M.~Fourman, C.~Mulvey, and D.~Scott, editors, {\em Applications of Sheaves: Proceedings of the Research Symposium on Applications of Sheaf Theory to Logic, Algebra, and Analysis, Durham, July 9--21, 1977}, volume 752 of {\em Lecture Notes in Mathematics}, pages 660--696. Springer Berlin Heidelberg, 1979. \end{thebibliography} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/BDD/document/root.tex b/thys/BDD/document/root.tex --- a/thys/BDD/document/root.tex +++ b/thys/BDD/document/root.tex 
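Review bot: unrelated to the fontenc change but visible in the context of the AxiomaticCategoryTheory hunk: the second `\affil` reads `University of Califormia`, a typo for `California`, and the bibliography entry `MacLane48` spells the author `S.~McLane` where the key itself says Mac Lane; both are worth a follow-up fix while this file is being touched.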
@@ -1,50 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage{graphicx} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\isasymacute}{\isatext{\'\relax\hspace{-0.20em}}} \DeclareRobustCommand{\isactrlesup}{\egroup\egroup\endmath\egroup\relax\hspace{-0.15em}} \begin{document} \title{BDD-Normalisation} \author{Veronika Ortner and Norbert Schirmer} \begin{abstract} We present the verification of the normalisation of a binary decision diagram (BDD). The normalisation follows the original algorithm presented by Bryant in 1986 and transforms an ordered BDD in a reduced, ordered and shared BDD. The verification is based on Hoare logics. \end{abstract} \maketitle \tableofcontents \begin{center} \includegraphics[width=\textwidth=\textheight,keepaspectratio]{session_graph} \end{center} \parindent 0pt\parskip 0.5ex \section{Introduction} In \cite{Ortner-Schirmer-TPHOL05} we describe the partial correctness proofs for BDD normalisation. We extend this work to total correctness in these theories. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/BNF_CC/document/root.tex b/thys/BNF_CC/document/root.tex --- a/thys/BNF_CC/document/root.tex +++ b/thys/BNF_CC/document/root.tex 
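Review bot: the BDD hunk leaves a broken line in its context, `\includegraphics[width=\textwidth=\textheight,keepaspectratio]{session_graph}`: the option string `width=\textwidth=\textheight` is malformed keyval syntax and was presumably meant as `width=\textwidth,height=\textheight,keepaspectratio`. Also, `\usepackage{graphicx}` is loaded after `\usepackage{pdfsetup}` despite the comment that pdfsetup should be the last package; moving graphicx up next to the new fontenc line would honour that comment.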
@@ -1,75 +1,76 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{booktabs} \usepackage{wasysym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \newcommand{\BNFCC}{BNF$\protect\vphantom{F}_{\text{CC}}$} \begin{document} \title{Bounded Natural Functors with Covariance and Contravariance} \author{Andreas Lochbihler and Joshua Schneider} \maketitle \begin{abstract} Bounded natural functors (BNFs) provide a modular framework for the construction of (co)datatypes in higher-order logic. Their functorial operations, the mapper and relator, are restricted to a subset of the parameters, namely those where recursion can take place. For certain applications, such as free theorems, data refinement, quotients, and generalised rewriting, it is desirable that these operations do not ignore the other parameters. In this article, we formalise the generalisation \BNFCC{}~\cite{LochbihlerSchneider2018ITP} that extends the mapper and relator to covariant and contravariant parameters. 
We show that (i)~\BNFCC{}s are closed under functor composition and least and greatest fixpoints, (ii)~subtypes inherit the \BNFCC{} structure under conditions that generalise those for the BNF case, and (iii)~\BNFCC{}s preserve quotients under mild conditions. These proofs are carried out for abstract \BNFCC{}s similar to the AFP entry BNF Operations \cite{BNF_Operations-AFP}. In addition, we apply the \BNFCC{} theory to several concrete functors. \end{abstract} For an informal description of the abstract proofs see \cite{LochbihlerSchneider2018ITP}. \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/BNF_Operations/document/root.tex b/thys/BNF_Operations/document/root.tex --- a/thys/BNF_Operations/document/root.tex +++ b/thys/BNF_Operations/document/root.tex 
@@ -1,55 +1,54 @@ \documentclass[10pt,a4paper]{article} -\usepackage[utf8]{inputenc} \usepackage[T1]{fontenc} \usepackage{amssymb} \usepackage[left=2.25cm,right=2.25cm,top=2.25cm,bottom=2.75cm]{geometry} \usepackage{graphicx} \usepackage{isabelle} \usepackage{isabellesym} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{pdfsetup} \urlstyle{tt} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isacharunderscore}{\_} \begin{document} \title{Operations on Bounded Natural Functors} \author{Jasmin Christian Blanchette \and Andrei Popescu \and Dmitriy Traytel} \maketitle \begin{abstract} \noindent This entry formalizes the closure property of bounded natural functors (BNFs) under seven operations. These operations and the corresponding proofs constitute the core of Isabelle's (co)datatype package. To be close to the implemented tactics, the proofs are deliberately formulated as detailed apply scripts. The (co)datatypes together with (co)induction principles and (co)recursors are byproducts of the fixpoint operations LFP and GFP. Composition of BNFs is subdivided into four simpler operations: Compose, Kill, Lift, and Permute. The N2M operation provides mutual (co)induction principles and (co)recursors for nested (co)datatypes. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/BTree/document/root.tex b/thys/BTree/document/root.tex --- a/thys/BTree/document/root.tex +++ b/thys/BTree/document/root.tex 
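Review bot: the BNF_Operations hunk is the one file in this series that goes the other way, deleting `\usepackage[utf8]{inputenc}` while keeping the already present `\usepackage[T1]{fontenc}`. Dropping inputenc is only equivalent on LaTeX 2018-04 or later, where UTF-8 is the default input encoding; the visible content of this file (title, authors, abstract) is plain ASCII, so nothing breaks either way, but the commit message should state the minimum LaTeX release this relies on.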
@@ -1,63 +1,64 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathtools} \usepackage{amssymb} \usepackage{stmaryrd} \usepackage[numbers]{natbib} % this should be the last package used \usepackage{pdfsetup} \usepackage{doi} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \DeclarePairedDelimiter{\norm}{\lVert}{\rVert} \begin{document} \title{A Verified Imperative Implementation of B-Trees} \author{Niels Mündler} \date{} \maketitle \begin{abstract} In this work, we use the interactive theorem prover Isabelle/HOL to verify an imperative implementation of the classical B-tree data structure \cite{DBLP:journals/acta/BayerM72}. The implementation supports set membership and insertion queries with efficient binary search for intra-node navigation. This is accomplished by first specifying the structure abstractly in the functional modeling language HOL and proving functional correctness. Using manual refinement, we derive an imperative implementation in Imperative/HOL. We show the validity of this refinement using the separation logic utilities from the Isabelle Refinement Framework \cite{Refine_Imperative_HOL-AFP}. The code can be exported to the programming languages SML and Scala. We examine the runtime of all operations indirectly by reproducing results of the logarithmic relationship between height and the number of nodes. The results are discussed in greater detail in the related Bachelor's Thesis \cite{BTNielsMuendler}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography {\raggedright \bibliographystyle{plainnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Banach_Steinhaus/document/root.tex b/thys/Banach_Steinhaus/document/root.tex 
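Review bot: the BTree hunk's context contains a literal non-ASCII character in `\author{Niels Mündler}` and the file loads no inputenc, so correct decoding of that ü depends on the UTF-8 default of LaTeX 2018-04 or later; with T1 fontenc the output glyph is now a proper precomposed character. If older TeX distributions must still build the AFP documents, write the name as `M\"undler` or keep an explicit `\usepackage[utf8]{inputenc}` alongside the new line.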
--- a/thys/Banach_Steinhaus/document/root.tex +++ b/thys/Banach_Steinhaus/document/root.tex @@ -1,30 +1,31 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amssymb} %this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Banach-Steinhaus theorem} \author{Dominique Unruh \and Jos\'e Manuel Rodr\'iguez Caballero} \maketitle \begin{abstract} We formalize in Isabelle/HOL a result \cite{Weisstein_UBP} due to S. Banach and H. Steinhaus \cite{banach1927principe} known as Banach-Steinhaus theorem or Uniform boundedness principle: a pointwise-bounded family of continuous linear operators from a Banach space to a normed space is uniformly bounded. Our approach is an adaptation to Isabelle/HOL of a proof due to A. Sokal \cite{sokal2011really}. \end{abstract} \tableofcontents \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Bell_Numbers_Spivey/document/root.tex b/thys/Bell_Numbers_Spivey/document/root.tex --- a/thys/Bell_Numbers_Spivey/document/root.tex +++ b/thys/Bell_Numbers_Spivey/document/root.tex 
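Review bot: the Banach_Steinhaus hunk is a net improvement beyond the stated goal: the author field uses `Rodr\'iguez`, i.e. `\'i` on a dotted i rather than `\'\i`. Under the OT1 default this stacks the acute over a dotted i, whereas the T1 encoding declares a composite for `\'` + `i` and now produces the precomposed í glyph, so the accent renders correctly without touching the author line.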
@@ -1,79 +1,80 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Spivey's Generalized Recurrence for Bell Numbers} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry defines the Bell numbers~\cite{bell-numbers} as the cardinality of set partitions for a carrier set of given size, and derives Spivey's generalized recurrence relation for Bell numbers~\cite{spivey-2008} following his elegant and intuitive combinatorial proof. As the set construction for the combinatorial proof requires construction of three intermediate structures, the main difficulty of the formalization is handling the overall combinatorial argument in a structured way. The introduced proof structure allows us to compose the combinatorial argument from its subparts, and supports to keep track how the detailed proof steps are related to the overall argument. To obtain this structure, this entry uses set monad notation for the set construction's definition, introduces suitable predicates and rules, and follows a repeating structure in its Isar proof. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Berlekamp_Zassenhaus/document/root.tex b/thys/Berlekamp_Zassenhaus/document/root.tex --- a/thys/Berlekamp_Zassenhaus/document/root.tex +++ b/thys/Berlekamp_Zassenhaus/document/root.tex 
@@ -1,273 +1,273 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage{amsmath} \usepackage[ruled,noend]{algorithm2e} \DontPrintSemicolon \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \newcommand\GFpp[1]{\ensuremath{\text{GF}(#1)}} \newcommand\GFp{\GFpp{p}} \newcommand\ring[1][p^k]{\ensuremath{\ints/{#1}\ints}\xspace} \newcommand\tint{\isa{int}} \newcommand\tlist{\isa{list}} \newcommand\tpoly{\isa{poly}} \newcommand\tto{\Rightarrow} \newcommand\sqfree{\isa{square\_free}\xspace} \newcommand\assumes{\isakeyword{assumes}\xspace} \newcommand\idegree{\isa{degree}} \newcommand\iand{\isakeyword{and}\xspace} \newcommand\shows{\isakeyword{shows}} \newcommand\bz{\isa{berlekamp\_zassenhaus\_factorization}\xspace} \newcommand\fs{\mathit{fs}} \newcommand\listprod{\isa{prod\_list}} \newcommand\set{\isa{set}} \newcommand\irred{\isa{irreducible}} \newcommand\rTH[1]{Theorem~\ref{#1}} \makeatletter \protected\def\myDot{% \@ifnextchar.{}{.% \@ifnextchar,{}{% \@ifnextchar:{}{% \@ifnextchar;{}{% \@ifnextchar~{}{\ } }}}}} \makeatother \newcommand\etal{{et~al}\myDot} \newtheorem{theorem}{Theorem} \begin{document} \title{The Factorization Algorithm of Berlekamp and Zassenhaus \footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Jose Divas\'on \and Sebastiaan Joosten \and Ren\'e Thiemann \and Akihisa Yamada} \maketitle \begin{abstract} We formalize the Berlekamp-Zassenhaus algorithm for factoring square-free integer polynomials in Isabelle/HOL. 
We further adapt an existing formalization of Yun's square-free factorization algorithm to integer polynomials, and thus provide an efficient and certified factorization algorithm for arbitrary univariate polynomials. The algorithm first performs a factorization in the prime field GF($p$) and then performs computations in the integer ring modulo $p^k$, where both $p$ and $k$ are determined at runtime. Since a natural modeling of these structures via dependent types is not possible in Isabelle/HOL, we formalize the whole algorithm using Isabelle's recent addition of local type definitions. Through experiments we verify that our algorithm factors polynomials of degree 100 within seconds. \end{abstract} \tableofcontents \section{Introduction} Modern algorithms to factor integer polynomials -- following Berlekamp and Zassenhaus -- work via polynomial factorization over prime fields $\GFp$ and quotient rings \ring \cite{Berlekamp,CZ81}. Algorithm~\ref{bz} illustrates the basic structure of such an algorithm.\footnote{Our algorithm starts with step \ref{p:prime}, so that section numbers and step-numbers coincide.} \begin{algorithm}[h] \caption{A modern factorization algorithm\label{bz}} \setcounter{AlgoLine}{3} % start at the number after this line \KwIn{Square-free integer polynomial $f$.} \KwOut{Irreducible factors $f_1,\dots,f_n$ such that $f = f_1 \cdot \ldots \cdot f_n$.} % \lnl{p:prime} Choose a suitable prime $p$ depending on $f$.\; \lnl{p:berlekamp} Factor $f$ in \GFp: $f \equiv g_1 \cdot\ldots\cdot g_m \pmod p$.\; \lnl{p:exp} Determine a suitable bound $d$ on the degree, depending on $g_1,\ldots,g_m$. Choose an exponent $k$ such that every coefficient of a factor of a given multiple of $f$ in $\ints$ with degree at most $d$ can be uniquely represent by a number below $p^k$. 
\; \lnl{p:hensel} From step \ref{p:berlekamp} compute the unique factorization $f \equiv h_1 \cdot \ldots \cdot h_m \pmod {p^k}$ via the Hensel lifting.\; \lnl{p:integer} Construct a factorization $f = f_1 \cdot \ldots \cdot f_n$ over the integers where each $f_i$ corresponds to the product of one or more $h_j$. \end{algorithm} In previous work on algebraic numbers \cite{TY16}, we implemented Algorithm~\ref{bz} in Isabelle/HOL \cite{Isabelle} as a function of type $\tint\ \tpoly \tto \tint\ \tpoly\ \tlist$, where we chose Berlekamp's algorithm in step \ref{p:berlekamp}. However, the algorithm was available only as an oracle, and thus a validity check on the result factorization had to be performed. In this work we fully formalize the correctness of our implementation. \begin{theorem}[Berlekamp-Zassenhaus' Algorithm] \label{thm:bz} \begin{align*} & \assumes\ \sqfree\ (f :: \tint\ \tpoly) \\ & \quad\iand\ \idegree\ f \neq 0 \\ & \quad\iand\ \bz\ f = \fs \\ & \shows\ f = \listprod\ \fs\ \\ & \quad\iand\ \forall f_i \in \set\ \fs.\ \irred\ f_i \end{align*} \end{theorem} % % %now provide full proofs changes the previous implementation correctness of the implementation is not yet formalized in Isabelle/HOL. %Hence it is invoked in a certified wrapper which takes %an arbitrary integer polynomial as input, performs the desired preprocessing, %i.e., square-free and content-free factorization, and passes each %preliminary factor $f$ to $\oracle$. %It finally tests the validity of the obtained factorizations %$f = f_1 \cdot \ldots \cdot f_n$, but it does not test optimality, i.e., %irreducibility of the resulting factors. % %The current work is a significant step forward to formally proving the\linebreak soundness %of $\oracle$, namely by formally proving the soundness of Berlekamp's algorithm %in step~\ref{p:berlekamp}. To obtain \rTH{thm:bz} we perform the following tasks. \begin{itemize} \item We introduce two formulations of $\GFp$ and $\ring$. 
We first define a type to represent these domains, employing ideas from HOL multivariate analysis. This is essential for reusing many type-based algorithms from the Isabelle distribution and the AFP (archive of formal proofs). At some points in our developement, the type-based setting is still too restrictive. Hence we also introduce a second formulation which is \emph{locale-based}. \item The prime $p$ in step \ref{p:prime} must be chosen so that $f$ remains square-free in $\GFp$. For the termination of the algorithm, we prove that such a prime always exists. \item We explain Berlekamp's algorithm that factors polynomials over prime fields, and formalize its correctness using the type-based representation. Since Isabelle's code generation does not work for the type-based representation of prime fields, we define an implementation of Berlekamp's algorithm which avoids type-based polynomial algorithms and type-based prime fields. The soundness of this implementation is proved via the transfer package \cite{lifting}: we transform the type-based soundness statement of Berlekamp's algorithm into a statement which speaks solely about integer polynomials. Here, we crucially rely upon local type definitions \cite{KP16} to eliminate the presence of the type for the prime field $\GFp$. \item For step \ref{p:exp} we need to find a bound on the coefficients of the factors of a polynomial. For this purpose, we formalize Mignotte's factor bound. During this formalization task we detected a bug in our previous oracle implementation, which computed improper bounds on the degrees of factors. \item We formalize the Hensel lifting. As for Berlekamp's algorithm, we first formalize basic operations in the type-based setting. Unfortunately, however, this result cannot be extended to the full Hensel lifting. Therefore, we model the Hensel lifting in a locale-based way so that modulo operation is explicitly applied on polynomials. 
\item For the reconstruction in step \ref{p:integer} we closely follow the description of Knuth \cite[page~452]{Knuth}. Here, we use the same representation of polynomials over $\ring$ as for the Hensel lifting. \item We adapt an existing square-free factorization algorithm from $\rats$ to $\ints$. In combination with the previous results this leads to a factorization algorithm for arbitrary integer and rational polynomials. %\item Moreover, we formalize (efficient) division algorithms for non-field polynomials % that are applied within the oracle, % and also optimize the existing division algorithm for field polynomials (\rSC{polydiv}). % The improvements are now integrated in the Isabelle distribution as code equations % \cite{DataRefinement,codegen}. % %\item A comparison of the trusted code with the one from $\oracle$ revealed two % mistakes which are now repaired (\rSC{compare oracle}). % %\item Mignotte-bound (somewhere) %\item Hensel-lifting (somewhere) %\item Reconstruction (somewhere) \end{itemize} %Related work: To our knowledge, this is the first formalization of the Berlekamp-Zassenhaus algorithm. For instance, Barthe \etal report that there is no formalization of an efficient factorization algorithm over $\GFp$ available in Coq \cite[Section 6, note 3 on formalization]{NoCoqFactorization}. Some key theorems leading to the algorithm have already been formalized in Isabelle or other proof assistants. In ACL2, for instance, polynomials over a field are shown to be a unique factorization domain (UFD)~\cite{cowles2006unique}. A more general result, namely that polynomials over UFD are also UFD, was already developed in Isabelle/HOL for implementing algebraic numbers \cite{TY16} and an independent development by Eberl is now available in the Isabelle distribution. 
An Isabelle formalization of Hensel's lemma is provided by Kobayashi \etal \cite{Kobayashi2005}, who defined the valuations of polynomials via Cauchy sequences, and used this setup to prove the lemma. Consequently, their result requires a `valuation ring' as precondition in their formalization. While this extra precondition is theoretically met in our setting, we did not attempt to reuse their results, because the type of polynomials in their formalization (from HOL-Algebra) differs from the polynomials in our development (from HOL/Library). Instead, we formalize a direct proof for Hensel's lemma. Our formalizations are incomparable: On the one hand, Kobayashi \etal did not consider only integer polynomials as we do. On the other hand, we additionally formalize the quadratic Hensel lifting~\cite{Zassenhaus69}, extend the lifting from binary to $n$-ary factorizations, and prove a uniqueness result, which is required for proving the soundness of \rTH{thm:bz}. A Coq formalization of Hensel's lemma is also available, %~\cite{Martin-Dorel:2011aa}, which is used for certifying integral roots and `hardest-to-round computation'~\cite{Martin-Dorel2015}. If one is interested in certifying a factorization, rather than a certified algorithm that performs it, it suffices to test that all the found factors are irreducible. Kirkels \cite{kirkels2004} formalized a sufficient criterion for this test in Coq: when a polynomial is irreducible modulo some prime, it is also irreducible in $\mathbb{Z}$. Both formalizations are in Coq, and we did not attempt to reuse them. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Bernoulli/document/root.tex b/thys/Bernoulli/document/root.tex --- a/thys/Bernoulli/document/root.tex +++ b/thys/Bernoulli/document/root.tex 
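Review bot: as in Automatic_Refinement, the Berlekamp_Zassenhaus hunk also removes the blank line before `\usepackage{amssymb}` (the `- ` line), which is unrelated whitespace churn in an encoding-only patch; drop it or mention it in the commit message. While this file is open, two typos in the visible context could be fixed in a follow-up: `uniquely represent by a number` (step p:exp, should be `represented`) and `developement` in the first itemize entry.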
@@ -1,67 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb, amsmath} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Bernoulli Numbers} \author{Lukas Bulwahn and Manuel Eberl} \maketitle \begin{abstract} Bernoulli numbers were first discovered in the closed-form expansion of the sum $1^m + 2^m + \ldots + n^m$ for a fixed $m$ and appear in many other places. This entry provides three different definitions for them: a recursive one, an explicit one, and one through their exponential generating function. In addition, we prove some basic facts, e.\,g.\ their relation to sums of powers of integers and that all odd Bernoulli numbers except the first are zero. We also prove the correctness of the Akiyama--Tanigawa algorithm~\cite{kaneko2000} for computing Bernoulli numbers with reasonable efficiency, and we define the periodic Bernoulli polynomials (which appear e.\,g.\ in the Euler--MacLaurin summation formula and the expansion of the log-Gamma function) and prove their basic properties. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \begingroup \raggedright \bibliography{root} \endgroup \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Bertrands_Postulate/document/root.tex b/thys/Bertrands_Postulate/document/root.tex --- a/thys/Bertrands_Postulate/document/root.tex 
+++ b/thys/Bertrands_Postulate/document/root.tex @@ -1,69 +1,70 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb, amsmath} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Bertrand's postulate} \author{Julian Biendarra, Manuel Eberl} \maketitle \begin{abstract} Bertrand's postulate is an early result on the distribution of prime numbers: For every positive integer $n$, there exists a prime number that lies strictly between $n$ and $2n$. The proof is ported from John Harrison's formalisation in HOL Light~\cite{hollight}. It proceeds by first showing that the property is true for all $n$ greater than or equal to 600 and then showing that it also holds for all $n$ below 600 by case distinction. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \begingroup \raggedright \bibliography{root} \endgroup \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Bicategory/document/root.tex b/thys/Bicategory/document/root.tex --- a/thys/Bicategory/document/root.tex +++ b/thys/Bicategory/document/root.tex 
@@ -1,374 +1,375 @@ \RequirePackage{luatex85} \documentclass[11pt,notitlepage,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,eufrak} \usepackage[english]{babel} % For graphics files \usepackage{graphicx} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % XYPic package, for drawing commutative diagrams. \input{xy} \xyoption{curve} \xyoption{arrow} \xyoption{matrix} \xyoption{2cell} \xyoption{line} \UseAllTwocells % Even though I stayed within the default boundary in the JEdit buffer, % some proof lines wrap around in the PDF document. To minimize this, % increase the text width a bit from the default. \addtolength\textwidth{60pt} \addtolength\oddsidemargin{-30pt} \addtolength\evensidemargin{-30pt} \begin{document} \title{Bicategories} \author{Eugene W. Stark\\[\medskipamount] Department of Computer Science\\ Stony Brook University\\ Stony Brook, New York 11794 USA} \maketitle \begin{abstract} Taking as a starting point the author's previous work (\cite{Category3-AFP} \cite{MonoidalCategory-AFP}) on developing aspects of category theory in Isabelle/HOL, this article gives a compatible formalization of the notion of ``bicategory'' and develops a framework within which formal proofs of facts about bicategories can be given. The framework includes a number of basic results, including the Coherence Theorem, the Strictness Theorem, pseudofunctors and biequivalence, and facts about internal equivalences and adjunctions in a bicategory. As a driving application and demonstration of the utility of the framework, it is used to give a formal proof of a theorem, due to Carboni, Kasangian, and Street \cite{carboni-et-al}, that characterizes up to biequivalence the bicategories of spans in a category with pullbacks. 
The formalization effort necessitated the filling-in of many details that were not evident from the brief presentation in the original paper, as well as identifying a few minor corrections along the way. Revisions made subsequent to the first version of this article added additional material on pseudofunctors, pseudonatural transformations, modifications, and equivalence of bicategories; the main thrust being to give a proof that a pseudofunctor is a biequivalence if and only if it can be extended to an equivalence of bicategories. \end{abstract} \tableofcontents \phantomsection \addcontentsline{toc}{chapter}{Introduction} \chapter*{Introduction} Bicategories, introduced by B\'{e}nabou \cite{benabou}, are a generalization of categories in which the sets of arrows between pairs of objects (\emph{i.e.}~the ``hom-sets'') themselves have the structure of categories. In a typical formulation, the definition of bicategories involves three separate kinds of entities: \emph{objects} (or \emph{$0$-cells}), \emph{arrows} (or \emph{$1$-cells}), and morphisms between arrows (or \emph{$2$-cells}). There are two kinds of composition: \emph{vertical} composition, which composes $2$-cells within a single hom-category, and \emph{horizontal} composition, which composes $2$-cells in ``adjacent'' hom-categories ${\rm hom}(A, B)$ and ${\rm hom}(B, C)$. Horizontal composition is required to be functorial with respect to vertical composition; the identification of a $1$-cell with the corresponding identity $2$-cell then leads to the ability to horizontally compose $1$-cells with $2$-cells (\emph{i.e.}~``whiskering'') and to horizontally compose $1$-cells with each other. Each hom-category ${\rm hom}(A, A)$ is further equipped with an \emph{identity} $1$-cell ${\rm id}_A$, which serves as a unit for horizontal composition. 
In a \emph{strict} bicategory, also known as a \emph{$2$-category}, the usual unit and associativity laws for horizontal composition are required to hold exactly, or (as it is said) ``on the nose''. In a general bicategory, these laws are only required to hold ``weakly''; that is, up to a collection of (vertical) isomorphisms that satisfy certain \emph{coherence conditions}. A bicategory, all of whose hom-categories are discrete, is essentially an ordinary category. A bicategory with just one object amounts to a monoidal category whose tensor is given by horizontal composition. Alternatively, we may think of bicategories as a generalization of monoidal categories in which the tensor is permitted to be a partial operation, in analogy to the way in which ordinary categories can be considered as a generalization of monoids. A standard example of a bicategory is \textbf{Cat}, the bicategory whose $0$-cells are categories, whose $1$-cells are functors, and whose $2$-cells are natural transformations. This is in fact a $2$-category; however, as two categories that are related by an equivalence of categories have the same ``categorical'' properties, it is often more sensible to consider constructions on categories as given up to equivalence, rather than up to isomorphism, and this leads to considering \textbf{Cat} as a bicategory and using bicategorical constructions rather than as a $2$-category and using $2$-categorical ones. 
This is one reason for the importance of bicategories: as Street \cite{street-fibrations-ii} remarks, ``In recent years it has become even more obvious that, although the fundamental constructions of set theory are categorical, the fundamental constructions of category theory are bicategorical.'' An alternative reason for studying bicategories, which is more aligned with my own personal interests and forms a major reason why I chose to pursue the present project, is that they provide an elegant framework for theories of generalized relations, as has been shown by Carboni, Walters, Street, and others \cite{carboni-et-al} \cite{cartesian-bicategories-i} \cite{cartesian-bicategories-ii} \cite{carboni-partial-maps}. Indeed, the category of sets and relations becomes a bicategory by taking the inclusions between relations as $2$-cells and thereby becomes an exemplar of the notion bicategory of relations which itself is a specialization of the notion of cartesian bicategory \cite{cartesian-bicategories-i} \cite{cartesian-bicategories-ii}. In the study of the semantics of programming languages containing nondeterministic or concurrent constructs, it is natural to consider the meaning of a program in such a language as some kind of relation between inputs and outputs. Ordinary relations can be used for this purpose in simple situations, but they fail to be adequate for the study of higher-order nondeterministic programs or for concurrent programs that engage in interaction with their environment, so some sort of notion of generalized relation is needed. One is therefore led to try to identify some kind of bicategories of generalized relations as framework suitable for defining the semantics of such programs. One expects these to be instances of cartesian bicategories. 
I attempted for a long time to try to develop a semantic framework for a certain class of interactive concurrent programs along the lines outlined above, but ultimately failed to obtain the kind of comprehensive understanding that I was seeking. The basic idea was to try to regard a program as denoting a kind of generalized machine, expressed as some sort of bimodule or two-sided fibration ({\em cf.}~\cite{street-fibrations-i} \cite{street-fibrations-ii}), to be represented as a certain kind of span in an underlying category of ``maps'', which would correspond to the meanings of deterministic programs. A difficulty with trying to formulate any kind of theory like this is that there quickly gets to be a lot of data and a lot of properties to keep track of, and it was certainly more than I could handle. For example, bicategories have objects, $1$-cells, and $2$-cells, as well as domains, codomains, composition and identities for both the horizontal and vertical structure. In addition, there are unit and associativity isomorphisms for the weak horizontal composition, as well as their associated coherence conditions. Cartesian bicategories are symmetric monoidal bicategories, which means that there is an additional tensor product, which comes with another set of canonical isomorphisms and coherence conditions. Still more canonical morphisms and coherence conditions are associated with the cartesian structure. Even worse, in order to give a proper account of the computational ideas I was hoping to capture, the underlying category of maps would at least have to be regarded as an ordered category, if not a more general $2$-category or bicategory, so the situation starts to become truly daunting. With so much data and so many properties, it is unusual in the literature to find proofs written out in anything approaching complete detail. 
To the extent that proofs are given, they often involve additional assumptions made purely for convenience and presentational clarity, such as assuming that the bicategories under consideration are strict when actually they are not, and then discharging these assumptions by appeals to informal arguments such as ``the result holds in the general case because we can always replace a non-strict bicategory by an equivalent strict one.'' This is perhaps fine if you happen to have finely honed insight, but in my case I am always left wondering if something important hasn't been missed or glossed over, and I don't trust very much my own ability to avoid gross errors if I were to work at the same level of detail as the proofs that I see in the literature. So my real motivation for the present project was to try to see whether a proof assistant would actually be useful in carrying out fully formalized, machine-checkable proofs of some kind of interesting facts about bicategories. I also hoped in the process to develop a better understanding of some concepts that I knew that I hadn't understood very well. The project described in the present article is divided into two main parts. The first part, which comprises Chapter 1, seeks to develop a formalization of the notion of bicategory using Isabelle/HOL and to prove various facts about bicategories that are required for a subsequent application. Additional goals here are: (1) to be able to make as much use as possible of the formalizations previously created for categories \cite{Category3-AFP} and monoidal categories \cite{MonoidalCategory-AFP}; (2) to create a plausibly useful framework for future extension; and (3) to better understand some subtleties involved in the definition of bicategory. In this chapter, we give an HOL formalization of bicategories that makes use of and extends the formalization of categories given in \cite{Category3-AFP}. 
In that previous work, categories were formalized in an ``object-free'' style in terms of a suitably defined associative partial binary operation of composition on a single type. Elements of the type that behave as units for the composition were called ``identities'' and the ``arrows'' were identified as the elements of the type that are composable both on the left and on the right with identities. The identities composable in this way with an arrow were then shown to be uniquely determined, which permitted domain and codomain functions to be defined. This formalization of categories is economical in terms of basic data (only a single partial binary operation is required), but perhaps more importantly, functors and natural transformations need not be defined as structured objects, but instead can be taken to be ordinary functions between types that suitably preserve arrows and composition. In order to carry forward unchanged the framework developed for categories, for the formalization of bicategories we take as a jumping-off point the somewhat offbeat view of a bicategory as a single global category under vertical composition (the arrows are the $2$-cells), which is then equipped with an additional partial binary operation of horizontal composition. This point of view corresponds to thinking of bicategories as generalizations of monoidal categories in which the tensor is allowed to be a partial operation. In a direct generalization of the approach taken for categories, we then show that certain \emph{weak units} with respect to the horizontal composition play the role of $0$-cells (the identities with respect to vertical composition play the role of $1$-cells) and that we can define the \emph{sources} and \emph{targets} of an arrow as the sets of weak units horizontally composable on the right and on the left with it. 
We then define a notion of weak associativity for the horizontal composition and arrive at the definition of a \emph{prebicategory}, which consists of a (vertical) category equipped with an associative weak (horizontal) composition, subject to the additional assumption that every vertical arrow has a nonempty set of sources and targets with respect to the horizontal composition. We then show that, to obtain from a prebicategory a structure that satisfies a more traditional-looking definition of a bicategory, all that is necessary is to choose arbitrarily a particular representative source and target for each arrow. Moreover, every bicategory determines a prebicategory by simply forgetting the chosen sources and targets. This development clarifies that an \emph{a priori} assignment of source and target objects for each $2$-cell is merely a convenience, rather than an element essential to the notion of bicategory. Additional highlights of Chapter 1 are as follows: \begin{itemize} \item As a result of having formalized bicategories essentially as ``monoidal categories with partial tensor'', we are able to generalize to bicategories, in a mostly straightforward way, the proof of the Coherence Theorem we previously gave for monoidal categories in \cite{MonoidalCategory-AFP}. We then develop some machinery that enables us to apply the Coherence Theorem to shortcut certain kinds of reasoning involving canonical isomorphisms. % \item Using the syntactic setup developed for the proof of the Coherence Theorem, we also give a proof of the Strictness Theorem, which states that every bicategory is biequivalent to a $2$-category, its so-called ``strictification''. % \item We define the notions of internal equivalence and internal adjunction in a bicategory and prove a number of basic facts about these notions, including composition of equivalences and adjunctions, and that every equivalence can be refined to an adjoint equivalence. 
% \item We formalize the notion of a pseudofunctor between bicategories, generalizing the notion of a monoidal functor between monoidal categories and we show that pseudofunctors preserve internal equivalences and adjunctions. % \item We define a sub-class of pseudofunctors which we call \emph{equivalence pseudofunctors}. Equivalence pseudofunctors are intended to coincide with those pseudofunctors that can be extended to an equivalence of bicategories, but we do not attempt to give an independent definition equivalence of bicategories in the present development. Instead, we establish various properties of equivalence pseudofunctors to provide some confidence that the notion has been formalized correctly. Besides establishing various preservation results, we prove that, given an equivalence pseudofunctor, we may obtain one in the converse direction. For the rest of this article we use the property of two bicategories being connected by an equivalence pseudofunctor as a surrogate for the property of biequivalence, leaving for future work a more proper formulation of equivalence of bicategories and a full verification of the relationship of this notion with equivalence pseudofunctors. \end{itemize} The second part of the project, presented in Chapter 2, is to demonstrate the utility of the framework by giving a formalized proof of a nontrivial theorem about bicategories. For this part, I chose to tackle a theorem of Carboni, Kasangian, and Street (\cite{carboni-et-al}, ``CKS'' for short) which gives axioms that characterize up to equivalence those bicategories whose $1$-cells are spans of arrows in an underlying category with pullbacks and whose $2$-cells are arrows of spans. The original paper is very short (nine pages in total) and the result I planned to formalize (Theorem 4) was given on the sixth page. 
I thought I had basically understood this result and that the formalization would not take very long to accomplish, but I definitely underestimated both my prior understanding of the result and the amount of auxiliary material that it would be necessary to formalize before I could complete the main proof. Eventually I did complete the formalization, and in the process filled in what seemed to me to be significant omissions in Carboni, Kasangian, and Street's presentation, as well as correcting some errors of a minor nature. Highlights of Chapter 2 are the following: \begin{itemize} \item A formalization of the notion of a category with chosen pullbacks, a proof that this formalization is in agreement with the general definition of limits we gave previously in \cite{Category3-AFP}, and the development of some basic properties of a category with pullbacks. % \item A construction, given a category $C$ with chosen pullbacks, of the ``span bicategory'' ${\rm Span}(C)$, whose objects are those of the given category, whose $1$-cells are spans of arrows of $C$, and whose $2$-cells are arrows of spans. We characterize the maps (the \emph{i.e.}~left adjoints) in ${\rm Span}(C)$ as exactly those spans whose ``input leg'' is invertible. % \item A formalization of the notion of \emph{tabulation} of a $1$-cell in a bicategory and a development of some of its properties. Tabulations are a kind of bicategorical limit introduced by CKS, which can be used to define a kind of biuniversal way of factoring a $1$-cell up to isomorphism as the horizontal composition of a map and the adjoint of a map. % \item A formalization of \emph{bicategories of spans}, which are bicategories that satisfy three axioms introduced in CKS. We give a formal proof of CKS Theorem 4, which characterizes the bicategories of spans as those bicategories that are biequivalent to a bicategory ${\rm Span}(C)$ for some category $C$ with pullbacks. 
One direction of the proof shows that if $C$ is a category with pullbacks, then ${\rm Span}(C)$ satisfies the axioms for a bicategory of spans. Moreover, we show that the notion ``bicategory of spans'' is preserved under equivalence of bicategories, so that in fact any bicategory biequivalent to one of the form ${\rm Span}(C)$ is a bicategory of spans. Conversely, we show that if $B$ is a bicategory of spans, then $B$ is biequivalent to ${\rm Span}({\rm Maps}(B))$, where ${\rm Maps}(B)$ is the so-called \emph{classifying category} of the maps in $B$, which has as objects those of $B$ and as arrows the isomorphism classes of maps in $B$. In order to formalize the proof of this result, it was necessary to develop a number of details not mentioned by CKS, including ways of composing tabulations vertically and horizontally, and spelling out a way to choose pullbacks in ${\rm Maps}(B)$ so that the tupling of arrows of ${\rm Maps}(B)$ obtained using the chosen pullbacks agrees with that obtained through horizontal composition of tabulations. These details were required in order to give the definition of the compositor for an equivalence pseudofunctor ${\rm SPN}$ from $B$ to ${\rm Span}({\rm Maps}(B))$ and establish the necessary coherence conditions. \end{itemize} In the end, I think it can be concluded that Isabelle/HOL can be used with benefit to formalize proofs about bicategories. It is certainly very helpful for keeping track of the data involved and the proof obligations required. 
For example, in the formalization given here, a total of 99 separate subgoals are involved in proving that a given set of data constitutes a bicategory (only 7 subgoals are required for an ordinary category) and another 29 subgoals must be proved in order to establish a pseudofunctor between two bicategories (only 5 additional subgoals are required for an ordinary functor), but the proof assistant assumes the burden of keeping track of these proof obligations and presenting them to the human user in a structured, understandable fashion. On the other hand, some of the results proved here still required some lengthy equational ``diagram chases'' for which the proof assistant (at least so far) didn't provide that much help (aside from checking their correctness). An exception to this was in the case of equational reasoning about expressions constructed purely of canonical isomorphisms, which our formulation of the Coherence Theorem permitted to be carried out automatically by the simplifier. It seems likely, though, that there is still room for more general procedures to be developed in order to allow other currently lengthy chains of equational reasoning to be carried out automatically. \medskip\par\noindent {\bf Revision Notes} The original version of this article dates from January, 2020. The current version of this article incorporates revisions made throughout 2020. A number of the changes made in early to mid-2020 consisted of minor improvements and speedups. A more major change made in this period was that the theory ``category with pullbacks'' was moved to \cite{Category3-AFP}, where it more logically belongs. In late 2020 additional material was added relating to pseudofunctors, pseudonatural transformations, and equivalence of bicategories. The main result shown was that a pseudofunctor is a biequivalence if and only if it can be extended to an equivalence of bicategories. 
This important result was sidestepped in the original version of this article, but the author felt that it was a glaring omission that should be corrected. Unfortunately, to formalize these results required some rather lengthy calculations in order to establish coherence conditions. These calculations added significantly to the line count of this article, as well as the time and memory required to validate the proofs. \phantomsection \addcontentsline{toc}{chapter}{Preliminaries} \chapter*{Preliminaries} \input{IsomorphismClass.tex} \chapter{Bicategories} \input{Prebicategory.tex} \input{Bicategory.tex} \input{Coherence.tex} \input{CanonicalIsos.tex} \input{Subbicategory.tex} \input{InternalEquivalence.tex} \input{Pseudofunctor.tex} \input{Strictness.tex} \input{InternalAdjunction.tex} \input{PseudonaturalTransformation.tex} \input{Modification.tex} \input{EquivalenceOfBicategories.tex} \chapter{Bicategories of Spans} \input{SpanBicategory.tex} \input{Tabulation.tex} \input{BicategoryOfSpans.tex} \phantomsection \addcontentsline{toc}{chapter}{Bibliography} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/BinarySearchTree/document/root.tex b/thys/BinarySearchTree/document/root.tex --- a/thys/BinarySearchTree/document/root.tex +++ b/thys/BinarySearchTree/document/root.tex @@ -1,25 +1,26 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{BinarySearchTree} \author{Larry Paulson} \maketitle \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \end{document} diff --git a/thys/Binding_Syntax_Theory/document/root.tex b/thys/Binding_Syntax_Theory/document/root.tex --- a/thys/Binding_Syntax_Theory/document/root.tex +++ b/thys/Binding_Syntax_Theory/document/root.tex 
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A General Theory of Syntax with Bindings} \author{Lorenzo Gheri and Andrei Popescu} \maketitle \begin{abstract} We formalize a theory of syntax with bindings that has been developed and refined over the last decade to support several large formalization efforts. Terms are defined for an arbitrary number of constructors of varying numbers of inputs, quotiented to alpha-equivalence and sorted according to a binding signature. The theory includes many properties of the standard operators on terms: substitution, swapping and freshness. It also includes bindings-aware induction and recursion principles and support for semantic interpretation. This work has been presented in the ITP 2017 paper ``A Formalized General Theory of Syntax with Bindings''. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Binomial-Heaps/document/root.tex b/thys/Binomial-Heaps/document/root.tex --- a/thys/Binomial-Heaps/document/root.tex +++ b/thys/Binomial-Heaps/document/root.tex 
@@ -1,52 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Binomial Heaps and Skew Binomial Heaps} \author{Rene Meis \and Finn Nielsen \and Peter Lammich} \maketitle \begin{abstract} We implement and prove correct binomial heaps and skew binomial heaps. Both are data-structures for priority queues. While binomial heaps have logarithmic {\em findMin}, {\em deleteMin}, {\em insert}, and {\em meld } operations, skew binomial heaps have constant time {\em findMin}, {\em insert}, and {\em meld} operations, and only the {\em deleteMin}-operation is logarithmic. This is achieved by using {\em skew links} to avoid cascading linking on {\em insert}-operations, and {\em data-structural bootstrapping} to get constant-time {\em findMin} and {\em meld} operations. Our implementation follows the paper of Brodal and Okasaki \cite{BrOk96}. \end{abstract} \clearpage \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Binomial-Queues/document/root.tex b/thys/Binomial-Queues/document/root.tex --- a/thys/Binomial-Queues/document/root.tex +++ b/thys/Binomial-Queues/document/root.tex 
@@ -1,61 +1,60 @@ - \documentclass[fleqn]{llncs} - +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage{isabelle} \usepackage{isabellesym} \usepackage{haftmann} \usepackage{stmaryrd} \usepackage{tabularx} \usepackage{amssymb,amsmath} %% format \pagestyle{plain} \isabellestyle{it} \renewcommand{\isastyle}{\isastyleminor} % for uniform font size %% style % pipe bar with same width as space \renewcommand{\isacharbar}{\isamath{\mid}\hspace{0.079em}} \renewcommand{\isamarkupsubsubsection}[1]{\subsubsection{#1} ~ \\ \par } %% hyphenation \hyphenation{Isabelle} %% document infos \title{Verification of Functional Binomial Queues} \author{Ren\'{e} Neumann} \institute{Technische Universit\"at M\"unchen, Institut f\"ur Informatik \\ \url{http://www.in.tum.de/~neumannr/}} %% document \begin{document} \maketitle \begin{abstract} Priority queues are an important data structure and efficient implementations of them are crucial. We implement a functional variant of binomial queues in Isabelle/HOL and show its functional correctness. A verification against an abstract reference specification of priority queues has also been attempted, but could not be achieved to the full extent. \end{abstract} \vspace*{1ex} \input{session} \vspace*{-3ex} \bibliographystyle{spmpsci} \bibliography{root} \end{document} diff --git a/thys/BirdKMP/document/root.tex b/thys/BirdKMP/document/root.tex --- a/thys/BirdKMP/document/root.tex +++ b/thys/BirdKMP/document/root.tex 
@@ -1,250 +1,249 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[a4paper,margin=1cm,footskip=.5cm]{geometry} \usepackage{amsfonts} \usepackage{amsmath} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \usepackage{wrapfig} -\usepackage[utf8]{inputenc} - % Bibliography \usepackage[authoryear,sort]{natbib} \bibpunct();A{}, % Allow pdflatex to do some fancier spacing. \usepackage{microtype} \usepackage{fancyvrb} \usepackage{tikz} \usetikzlibrary{arrows,automata,cd,positioning} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} % sane default for proof documents \parindent 0pt\parskip 0.5ex \title{Putting the `K' into Bird's derivation of Knuth-Morris-Pratt string matching} \author{Peter Gammie} \maketitle \begin{abstract} \noindent Richard Bird and collaborators have proposed a derivation of an intricate cyclic program that implements the Morris-Pratt string matching algorithm. Here we provide a proof of total correctness for Bird's derivation and complete it by adding Knuth's optimisation. \end{abstract} \tableofcontents \section{Introduction\label{sec:introduction}} We formalize a derivation of the string-matching algorithm of \citet{KnuthMorrisPratt:1977} (KMP) due to \citet[Chapter~17]{Bird:PearlsofFAD:2010}. The central novelty of this approach is its use of a circular data structure to simultaneously compute and represent the failure function; see Figure~\ref{fig:haskell-kmp} for the final program. This is challenging to model in a logic of total functions, as we discuss below, which leads us to employ the venerable machinery of domain theory. 
\begin{figure} \VerbatimInput[fontsize=\small]{programs/KMP.hs} \caption{Bird's KMP as a Haskell program.} \label{fig:haskell-kmp} \end{figure} Our development completes Bird's derivation of the Morris-Pratt (MP) algorithm with proofs that each derivation step preserves productivity, yielding total correctness; in other words, we show that this circular program is extensionally equal to its specification. We also add what we call the `K' optimisation to yield the full KMP algorithm (\S\ref{sec:KMP:data_refinement}). Our analysis inspired a Prolog implementation (\S\ref{sec:implementations}) that some may find more perspicuous. Here we focus on the formalities of this style of program refinement and defer further background on string matching to two excellent monographs: \citet[\S2.3]{Gusfield:1997} and \citet[\S2.1]{CrochemoreRytter:2002}. Both provide traditional presentations of the problem, the KMP algorithm and correctness proofs and complexity results. We discuss related work in \S\ref{sec:related-work}. \subsection{Formal setting\label{sec:formal_setting}} Bird does not make his formal context explicit. The program requires non-strict datatypes and sharing to obtain the expected complexity, which implies that he is working in a lazy (call-by-need) language. For reasons we observe during our development in \S\ref{sec:KMP}, some of Bird's definitions are difficult to make directly in Isabelle/HOL (a logic of total functions over types denoting sets) using the existing mechanisms. We therefore adopt domain theory as mechanised by \texttt{HOLCF} \citep{HOLCF:1999}. This logic provides a relatively straightforward if awkward way to reason about non-strict (call-by-name) programs at the cost of being too abstract to express sharing. 
Bird's derivation implicitly appeals to the fold/unfold framework of \citet{BurstallDarlington:1977}, which guarantees the preservation of partial correctness: informally, if the implementation terminates then it yields a value that coincides with the specification, or $\mbox{implementation} \sqsubseteq \mbox{specification}$ in domain-theoretic terms. These rules come with side conditions that would ensure that productivity is preserved -- that the implementation and specification are moreover extensionally equal -- but Bird does not establish them. We note that it is easy to lose productivity through subtle uses of cyclic data structures (see \S\ref{sec:KMP:increase_sharing} in particular), and that this derivation does not use well-known structured recursion patterns like \emph{map} or \emph{foldr} that mitigate these issues. We attempt to avoid the confusions that can arise when transforming programs with named expressions (definitions or declarations) by making each step in the derivation completely self-contained: specifically, all definitions that change or depend on a definition that changes are redefined at each step. Briefly this avoids the conflation of equations with definitions; for instance, $f = f$ holds for all functions but makes for a poor definition. The issues become more subtle in the presence of recursion modelled as least fixed points, where satisfying a fixed-point equation $F f = f$ does not always imply the desired equality $f = \mbox{lfp}\ F$. \citet{Tullsen:PhDThesis} provides a fuller discussion. As our main interest is the introduction of the circular data structure (\S\ref{sec:KMP:data_refinement}), we choose to work with datatypes that simplify other aspects of this story. Specifically we use strict lists (\S\ref{sec:theory_of_lists}) as they allow us to adapt many definitions and lemmas about HOL's lists and localise (the many!) definedness conditions. 
We also impose strong conditions on equality (\S\ref{sec:equality}) for similar reasons, and, less critically, assume products behave pleasantly (\S\ref{sec:KMP:specification}). Again \citet{Tullsen:PhDThesis} discusses how these may violate Haskell expectations. We suggest the reader skip the next two sections and proceed to the derivation which begins in \S\ref{sec:KMP}. % generated text of all theories \input{session} \section{Related work\label{sec:related-work}} Derivations of KMP matching are legion and we do not attempt to catalogue them here. Bird and colleagues have presented versions of this story at least four times. All treat MP, not KMP (see \S\ref{sec:KMP:data_refinement}), and use a style of equational reasoning with fold/unfold transformations \citep{BurstallDarlington:1977} that only establishes partial correctness (see \S\ref{sec:formal_setting}). Briefly: \begin{itemize} \item The second example of \citet{Bird:1977} is an imperative program that is similar to MP. \item \citet{BirdGibbonsJones:1989} devised the core of the derivation mechanized here, notably omitting a formal justification for the final data refinement step that introduces the circular data structure. \item \citet{Bird:2005} refines \citet{BirdGibbonsJones:1989} and derives Boyer-Moore matching \citep[\S2.2]{Gusfield:1997} in a similar style. \item \citet[Chapter~17]{Bird:PearlsofFAD:2010} further refines \citet{Bird:2005} and is the basis of the work discussed here. \citet[\S3.1]{Bird:2012} contains some further relevant remarks. \end{itemize} \citet{AgerDanvyRohde:2006} show how KMP matchers (specialised to a given pattern) can be derived by the partial evaluation of an initial program in linear time. 
We observe that neither their approach, of incorporating the essence of KMP in their starting point, nor Bird's of introducing it by data refinement (\S\ref{sec:KMP:data_refinement}), provides a satisfying explanation of how KMP could be discovered; \citet{Pottier:2012} attempts to do this. In contrast to Bird, these and most other presentations make heavy use of arrays and array indexing which occludes the central insights. \section{Implementations\label{sec:implementations}} With varying amounts of effort we can translate our final program of \S\ref{sec:KMP:final_version} into a variety of languages. The most direct version, in Haskell, was shown in Figure~\ref{fig:haskell-kmp}. An ocaml version is similar due to that language's support for laziness. In contrast Standard ML requires an encoding; we use backpatching as shown in Figure~\ref{fig:sml-kmp}. In both cases the tree datatype can be made strict in the right branch as it is defined by primitive recursion on the pattern. More interestingly, our derivation suggests that Bird's KMP program can be computed using \emph{rational} trees (also known as \emph{regular} trees \citep{Courcelle:1983}), which are traditionally supported by Prolog implementations. Our version is shown in Figure~\ref{fig:prolog-kmp}. This demonstrates that the program could instead be thought of as a computation over difference structures. \citet{Colmerauer:1982,GiannesiniCohen:1984} provide more examples of this style of programming. We leave a proof of correctness to future work. 
\begin{figure} \VerbatimInput[fontsize=\small]{programs/KMP.pl} \caption{The final KMP program transliterated into Prolog.} \label{fig:prolog-kmp} \end{figure} \begin{figure} \VerbatimInput[fontsize=\small,lastline=62]{programs/KMP.sml} % FIXME brittle \caption{The final KMP program transliterated into Standard ML.} \label{fig:sml-kmp} \end{figure} \section{Concluding remarks} Our derivation leans heavily on domain theory's ability to reason about partially-defined objects that are challenging to handle at present in a language of total functions. Conversely it is too abstract to capture the operational behaviour of the program as it does not model laziness. It would also be interesting to put the data refinement of \S\ref{sec:KMP:data_refinement} on a firmer foundation by deriving the memoizing datatype from the direct program of \S\ref{sec:KMP:specification}. Haskell fans may care to address the semantic discrepancies mentioned in \S\ref{sec:formal_setting}. \bibliographystyle{plainnat} \bibliography{root} \addcontentsline{toc}{section}{References} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Blue_Eyes/document/root.tex b/thys/Blue_Eyes/document/root.tex --- a/thys/Blue_Eyes/document/root.tex +++ b/thys/Blue_Eyes/document/root.tex 
@@ -1,68 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[T1]{fontenc} \usepackage[margin=2.5cm]{geometry} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used, but isn't, because cleveref complains when it is \usepackage{pdfsetup} \usepackage{cleveref} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Solution to the xkcd Blue Eyes puzzle} \author{Jakub Kądziołka} \maketitle \begin{abstract} In a puzzle published by Randall Munroe~\cite{xkcd}, perfect logicians forbidden from communicating are stranded on an island, and may only leave once they have figured out their own eye color. We present a method of modeling the behavior of perfect logicians and formalize a solution of the puzzle. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{plainurl} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Bondy/document/root.tex b/thys/Bondy/document/root.tex --- a/thys/Bondy/document/root.tex +++ b/thys/Bondy/document/root.tex 
@@ -1,28 +1,29 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Bondy's Theorem} \author{Jeremy Avigad and Stefan Hetzl} \maketitle \begin{abstract} A proof of Bondy's Theorem following Bollob\'{a}s~\cite{Bollobas86Combinatorics}. \end{abstract} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Boolean_Expression_Checkers/document/root.tex b/thys/Boolean_Expression_Checkers/document/root.tex --- a/thys/Boolean_Expression_Checkers/document/root.tex +++ b/thys/Boolean_Expression_Checkers/document/root.tex @@ -1,30 +1,31 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Boolean Expression Checkers} \author{Tobias Nipkow} \maketitle \begin{abstract} This entry provides executable checkers for the following properties of boolean expressions: satisfiability, tautology and equivalence. Internally, the checkers operate on binary decision trees and are reasonably efficient (for purely functional algorithms). \end{abstract} \tableofcontents % include generated text of all theories \input{session} \end{document} diff --git a/thys/Bounded_Deducibility_Security/document/root.tex b/thys/Bounded_Deducibility_Security/document/root.tex --- a/thys/Bounded_Deducibility_Security/document/root.tex +++ b/thys/Bounded_Deducibility_Security/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \addtolength{\paperwidth}{4cm} \addtolength{\textwidth}{4cm} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Bounded-Deducibility Security} \author{Andrei Popescu \and Peter Lammich} \date{} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{intro} % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Buchi_Complementation/document/root.tex b/thys/Buchi_Complementation/document/root.tex --- a/thys/Buchi_Complementation/document/root.tex +++ b/thys/Buchi_Complementation/document/root.tex @@ -1,35 +1,34 @@ \documentclass[11pt, a4paper]{article} -\usepackage[utf8]{inputenc} \usepackage[T1]{fontenc} \usepackage{stmaryrd} \usepackage{isabelle, isabellesym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Büchi Complementation} \author{Julian Brunner} \maketitle \begin{abstract} This entry provides a verified implementation of rank-based Büchi Complementation \cite{complementation}. The verification is done in three steps: \begin{enumerate} \item Definition of odd rankings and proof that an automaton rejects a word iff there exists an odd ranking for it. \item Definition of the complement automaton and proof that it accepts exactly those words for which there is an odd ranking. \item Verified implementation of the complement automaton using the Isabelle Collections Framework. \end{enumerate} \end{abstract} \tableofcontents \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Budan_Fourier/document/root.tex b/thys/Budan_Fourier/document/root.tex --- a/thys/Budan_Fourier/document/root.tex 
+++ b/thys/Budan_Fourier/document/root.tex 
@@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Budan-Fourier Theorem and Counting Real Roots with Multiplicity} \author{Wenda Li} \maketitle \begin{abstract} This entry is mainly about counting and approximating real roots (of a polynomial) with multiplicity. We have first formalised the Budan-Fourier theorem: given a polynomial with real coefficients, we can calculate sign variations on Fourier sequences to over-approximate the number of real roots (counting multiplicity) within an interval. When all roots are known to be real, the over-approximation becomes tight: we can utilise this theorem to count real roots exactly. It is also worth noting that Descartes' rule of sign is a direct consequence of the Budan-Fourier theorem, and has been included in this entry. In addition, we have extended previous formalised Sturm's theorem to count real roots with multiplicity, while the original Sturm's theorem only counts distinct real roots. Compared to the Budan-Fourier theorem, our extended Sturm's theorem always counts roots exactly but may suffer from greater computational cost. \end{abstract} Many problems in real algebraic geometry is about counting or approximating roots of a polynomial. Previous formalised results are mainly about counting distinct real roots (i.e. Sturm's theorem in Isabelle/HOL \cite{Sturm_Tarski-AFP,Sturm_Sequences-AFP}, HOL Light \cite{harrison-poly}, PVS \cite{Narkawicz:2015do} and Coq \cite{Mahboubi:2012gg}) and limited support for multiple real roots (i.e. 
Descartes' rule of signs in Isabelle/HOL \cite{Descartes_Sign_Rule-AFP}, HOL Light and ProofPower\footnote{According to Freek Wiedijk's "Formalising 100 Theorems" (\url{http://www.cs.ru.nl/~freek/100/index.html})}). In comparison, this entry provides more comprehensive support for reasoning about multiple real roots. The main motivation of this entry is to cope with the roots-on-the-border issue when counting complex roots \cite{li_evaluate_cauchy,Count_Complex_Roots-AFP}, but the results here should be beneficial to other developments. Our proof of the Budan-Fourier theorem mainly follows Theorem 2.35 in the book by Basu et al. \cite{Basu:2006bo} and that of the extended Sturm's theorem is inspired by Theorem 10.5.6 in Rahman and Schmeisser's book \cite{Rahman:2016us}. %\tableofcontents % include generated text of all theories \input{session} \section{Acknowledgements} The work was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178), funded by the European Research Council and led by Professor Lawrence Paulson at the University of Cambridge, UK. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Buffons_Needle/document/root.tex b/thys/Buffons_Needle/document/root.tex --- a/thys/Buffons_Needle/document/root.tex +++ b/thys/Buffons_Needle/document/root.tex 
@@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts, amsmath, amssymb} \usepackage{nicefrac} \usepackage{pgfplots} \usetikzlibrary{calc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Buffon's {N}eedle {P}roblem} \author{Manuel Eberl} \maketitle \begin{abstract} In the 18th century, Georges-Louis Leclerc, Comte de Buffon posed and later solved the following problem~\cite{ramaley,mathworld}, which is often called the first problem ever solved in geometric probability: Given a floor divided into vertical strips of the same width, what is the probability that a needle thrown onto the floor randomly will cross two strips? This entry formally defines the problem in the case where the needle's position is chosen uniformly at random in a single strip around the origin (which is equivalent to larger arrangements due to symmetry). It then provides proofs of the simple solution in the case where the needle's length is no greater than the width of the strips and the more complicated solution in the opposite case. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Buildings/document/root.tex b/thys/Buildings/document/root.tex --- a/thys/Buildings/document/root.tex +++ b/thys/Buildings/document/root.tex 
@@ -1,71 +1,72 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ \usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\refname}{Bibliography} \begin{document} \title{Chamber complexes, Coxeter systems, and buildings} \author{Jeremy Sylvestre \\ University of Alberta, Augustana Campus \\ \href{mailto:jeremy.sylvestre@ualberta.ca}{\url{jeremy.sylvestre@ualberta.ca}}} \maketitle \begin{abstract} We provide a basic formal framework for the theory of chamber complexes and Coxeter systems, and for buildings as thick chamber complexes endowed with a system of apartments. Along the way, we develop some of the general theory of abstract simplicial complexes and of groups (relying on the \textit{group{\_}add} class for the basics), including free groups and group presentations, and their universal properties. The main results verified are that the deletion condition is both necessary and sufficient for a group with a set of generators of order two to be a Coxeter system, and that the apartments in a (thick) building are all uniformly Coxeter. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \vspace*{32pt} \textit{Note:} A number of the proofs in this theory were modelled on or inspired by proofs in the books on buildings by Abramenko and Brown \cite{Abramenko+Brown:Buildings} and by Garrett \cite{Garrett:Buildings}. 
As well, some of the definitions, statments, and proofs appearing in the first two sections previously appeared in a submission to the \textit{Archive of Formal Proofs} by the author of the current submission \cite{Sylvestre-AFP15}. \vspace*{32pt} % generated text of all theories \input{session} \clearpage % optional bibliography \nocite{Johnson:GroupPres} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/BytecodeLogicJmlTypes/document/root.tex b/thys/BytecodeLogicJmlTypes/document/root.tex --- a/thys/BytecodeLogicJmlTypes/document/root.tex +++ b/thys/BytecodeLogicJmlTypes/document/root.tex 
@@ -1,63 +1,64 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A bytecode logic for JML and types\\ (Isabelle/HOL sources)} \author{Lennart Beringer and Martin Hofmann} \maketitle \begin{abstract} This document contains the Isabelle/HOL sources underlying our paper \emph{A bytecode logic for JML and types}~\cite{DBLP:conf/aplas/BeringerH06}, updated to Isabelle 2008. We present a program logic for a subset of sequential Java bytecode that is suitable for representing both, features found in high-level specification language JML as well as interpretations of high-level type systems. To this end, we introduce a fine-grained collection of assertions, including strong invariants, local annotations and VDM-reminiscent partial-correctness specifications. Thanks to a goal-oriented structure and interpretation of judgements, verification may proceed without recourse to an additional control flow analysis. The suitability for interpreting intensional type systems is illustrated by the proof-carrying-code style encoding of a type system for a first-order functional language which guarantees a constant upper bound on the number of objects allocated throughout an execution, be the execution terminating or non-terminating. Like the published paper, the formal development is restricted to a comparatively small subset of the JVML, lacking (among other features) exceptions, arrays, virtual methods, and static fields. This shortcoming has been overcome meanwhile, as our paper has formed the basis of the {\sc Mobius} base logic~\cite{MobiusDeliverable3.1}, a program logic for the full sequential fragment of the JVML. 
Indeed, the present formalisation formed the basis of a subsequent formalisation of the {\sc Mobius} base logic in the proof assistant Coq, which includes a proof of soundness with respect to the Bicolano operational semantics~\cite{Pichardie06}. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/C2KA_DistributedSystems/document/root.tex b/thys/C2KA_DistributedSystems/document/root.tex --- a/thys/C2KA_DistributedSystems/document/root.tex +++ b/thys/C2KA_DistributedSystems/document/root.tex 
@@ -1,195 +1,196 @@ % Document Class %------------------------------------------------------------------------------ \documentclass[11pt,a4paper]{article} %------------------------------------------------------------------------------ % Import Packages %------------------------------------------------------------------------------ +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} %------------------------------------------------------------------------------ % Set Styles %------------------------------------------------------------------------------ \urlstyle{rm} \isabellestyle{it} %------------------------------------------------------------------------------ \renewcommand{\isasymlless}{\isamath{\lessdot}} % Include Macros %------------------------------------------------------------------------------ % Agent Macros \newcommand{\Agent}[1]{\mathsf{#1}} \newcommand{\agent}[2]{\Agent{#1} \mapsto \bigA{#2}} % Algebra Macros \newcommand{\A}{{\mathcal{A}}} \newcommand{\semiring}[5]{\big(#1, #2, #3, #4, #5\big)} \newcommand{\Lsemimodule}[3]{\big(_{#1}#2, #3\big)} \newcommand{\Rsemimodule}[3]{\big(#2_{#1}, #3\big)} % Basic Math Macros \newcommand{\bigP}[1]{\big( #1 \big)} \newcommand{\bigA}[1]{\big\langle #1 \big\rangle} % C2KA Macros \newcommand{\CKAabbrv}{\textup{CKA}\@\xspace} \newcommand{\cka}{{\mathcal K}} \newcommand{\CKAset}{K} \newcommand{\CKAbasic}{\CKAset_{b}} \newcommand{\KAstar}[1]{{#1}^*} \newcommand{\CKApar}{*} \newcommand{\CKAseq}{\raise.3ex\hbox{\,\rm;\,}} \newcommand{\CKAiterSeqOp}{\text{\scriptsize \raise.3ex\hbox{\,\rm;\,}}} \newcommand{\CKAiterParOp}{\text{\scriptsize \raise-.75ex\hbox{\,*\,}}} \newcommand{\CKAiterSeq}[1]{{#1}^\CKAiterSeqOp} \newcommand{\CKAiterPar}[1]{{#1}^\CKAiterParOp} \newcommand{\CKAstructure}{\bigP{\CKAset, +, \CKApar, \CKAseq, \CKAiterPar{}, \CKAiterSeq{}, 0, 1}} \newcommand{\CKAle}{\le_{\cka}} 
\newcommand{\CKAsim}{\sim_{\cka}} \newcommand{\stim}{{\mathcal S}} \newcommand{\STIMset}{S} \newcommand{\STIMbasic}{\STIMset_{b}} \newcommand{\STIMplus}{\oplus} \newcommand{\STIMdot}{\odot} \newcommand{\Nstim}{\mathfrak{n}} \newcommand{\Dstim}{\mathfrak{d}} \newcommand{\STIMstructure}{\bigP{\STIMset, \STIMplus, \STIMdot, \Dstim, \Nstim}} \newcommand{\STIMle}{\le_{\stim}} \newcommand{\STIMsim}{\sim_{\stim}} \newcommand{\rightAct}[1]{right~$#1$-act\@\xspace} \newcommand{\leftAct}[1]{left~$#1$-act\@\xspace} \newcommand{\rightSemimodule}[1]{right~$#1$-semimodule\@\xspace} \newcommand{\leftSemimodule}[1]{left~$#1$-semimodule\@\xspace} \newcommand{\ract}[2]{{#1}_{#2}} \newcommand{\lact}[2]{_{#2}{#1}} \newcommand{\lSact}{\lact{\CKAset}{\stim}} \newcommand{\rKact}{\ract{\STIMset}{\cka}} \newcommand{\actOp}{\circ} \newcommand{\lAct}[2]{{#2} \actOp {#1}} \newcommand{\outOp}{\lambda} \newcommand{\lOut}[2]{\outOp(#2,#1)} \newcommand{\stab}[1]{\mathrm{Stab}(#1)} \newcommand{\fix}[2]{\mathrm{Fix}_{#1}(#2)} \newcommand{\orb}[1]{\mathrm{Orb}(#1)} \newcommand{\orbS}[1]{\mathrm{Orb_{S}}(#1)} \newcommand{\CCKA}{Communicating Concurrent Kleene Algebra\@\xspace} \newcommand{\CCKAabbrv}{\textup{C$^2$KA}\@\xspace} \newcommand{\CCKAstructure}{\bigP{\stim, \cka}} \newcommand{\ActSemimodule}{\Lsemimodule{\stim}{\CKAset}{+}} \newcommand{\OutSemimodule}{\Rsemimodule{\cka}{\STIMset}{\STIMplus}} \newcommand{\CKAorb}[1]{{\cka}\text{-}\orb{#1}} \newcommand{\STIMorb}[1]{{\stim}\text{-}\orb{#1}} \newcommand{\CKAstab}[1]{{\cka}\text{-}\stab{#1}} \newcommand{\STIMstab}[1]{{\stim}\text{-}\stab{#1}} \newcommand{\enc}{\lessdot} \newcommand{\CKAenc}{\enc_{\cka}} \newcommand{\CKAencompass}[2]{#1 \CKAenc #2} \newcommand{\STIMenc}{\enc_{\stim}} \newcommand{\STIMencompass}[2]{#1 \STIMenc #2} \newcommand{\ind}{\lhd} \newcommand{\induced}[2]{#2 \ind #1} \newcommand{\notInduced}[2]{\neg(\induced{#1}{#2})} % Logic Macros \newcommand{\Not}{\neg} \newcommand{\Ors}{\;\mathrel{\vee}\;} 
\newcommand{\nAnd}{\;\mathrel{\wedge}\;} \newcommand{\mImp}{\;\Longrightarrow\;} \newcommand{\mIff}{\;\Longleftrightarrow\;} \newcommand{\lnotation}[4]{ \def\third:{#3} \def\possiblyone:{} \def\possiblytwo:{~} \def\possiblythree:{ } \def\divide{\;#1\hspace*{-0pt}( #2\; \mid: \; #4 \, )} \def\nodivide{\;#1\hspace*{-0pt}( #2\;\mid\; #3\;:\;#4 \, )} \ifx\third\possiblyone\divide \else\ifx\third\possiblytwo\divide \else \ifx\third\possiblythree\divide \else \nodivide\fi\fi\fi} \newcommand{\biglnotation}[4]{ \def\third:{#3} \def\possiblyone:{} \def\possiblytwo:{~} \def\possiblythree:{ } \def\divide{\;#1\hspace*{-0pt}\big( #2\; \mid: \; #4 \, \big)} \def\nodivide{\;#1\hspace*{-0pt}\big( #2\;\mid\; #3\;:\;#4 \, \big)} \ifx\third\possiblyone\divide \else\ifx\third\possiblytwo\divide \else \ifx\third\possiblythree\divide \else \nodivide\fi\fi\fi} % PFC Macros \newcommand{\comm}[2]{\mathrel{{\to}_{#1}^{#2}}} \newcommand{\STIMcommD}[2]{#1 \comm{\stim}{} #2} \newcommand{\STIMcommN}[3]{#1 \comm{\stim}{#3} #2} \newcommand{\STIMcomm}[2]{\STIMcommN{#1}{#2}{+}} \newcommand{\notSTIMcomm}[2]{\Not(\STIMcomm{#1}{#2})} \newcommand{\notSTIMcommD}[2]{\Not(\STIMcommD{#1}{#2})} \newcommand{\env}{{\mathcal{E}}} \newcommand{\ENVcommD}[2]{#1 \comm{\env}{} #2} \newcommand{\ENVcommN}[3]{#1 \comm{\env}{#3} #2} \newcommand{\ENVcomm}[2]{\ENVcommN{#1}{#2}{+}} \newcommand{\notENVcomm}[2]{\Not(\ENVcomm{#1}{#2})} \newcommand{\notENVcommD}[2]{\Not(\ENVcommD{#1}{#2})} \newcommand{\pfcD}[2]{#1 \leadsto #2} \newcommand{\pfcN}[2]{#1 \leadsto^{n} #2} \newcommand{\pfc}[2]{#1 \leadsto^{+} #2} \newcommand{\notpfc}[2]{\Not(\pfc{#1}{#2})} \newcommand{\depOp}{\mathrm{R}} \newcommand{\depOpTC}{\depOp^{+}} \newcommand{\dep}[2]{#2 \,\depOp\, #1} \newcommand{\depTC}[2]{#2 \,\depOpTC\, #1} % Set Macros \newcommand{\STbot}{\emptyset} \newcommand{\STleq}{\subseteq} \newcommand{\STdiff}{\backslash} \newcommand{\set}[1]{\{#1\}} \newcommand{\sets}[2]{\{#1\; \mid \; #2\}} 
%------------------------------------------------------------------------------ %------------------------------------------------------------------------------ \begin{document} \sloppy % Title and Authorship \title{Communicating Concurrent Kleene Algebra for Distributed Systems Specification} \author{Maxime Buyse and Jason Jaskolka} \maketitle % Abstract \begin{abstract} \CCKA~(\CCKAabbrv) is a mathematical framework for capturing the communicating and concurrent behaviour of agents in distributed systems. It extends Hoare et al.'s\linebreak Concurrent Kleene Algebra (\CKAabbrv) with communication actions through the notions of stimuli and shared environments. \CCKAabbrv has applications in studying system-level properties of distributed systems such as safety, security, and reliability. In this work, we formalize results about \CCKAabbrv and its application for distributed systems specification. We first formalize the stimulus structure and behaviour structure (\CKAabbrv). Next, we combine them to formalize \CCKAabbrv and its properties. Then, we formalize notions and properties related to the topology of distributed systems and the potential for communication via stimuli and via shared environments of agents, all within the algebraic setting of~\CCKAabbrv. \end{abstract} % Table of Contents \tableofcontents % Paragraph Settings \parindent 0pt \parskip 1ex \section{Introduction} \label{sec:introduction} % Begin Section Most complex distributed systems participate in intensive communication and exchange with their environment, which often includes other systems. For example, many systems need input in terms of energy, resources, information, etc. As a result, the interactions between a system and its environment need to be carefully taken into account when modeling such systems. 
In a distributed system, agents can communicate via their shared environments in the form of shared-variable communication where they transfer information through a shared medium (e.g., variables, buffers, etc.) and through their local communication channels in the form of message-passing communication where they transfer information explicitly through the exchange of data structures. However, the agents in the system may also be influenced by external stimuli. From the perspective of behaviourism, a \emph{stimulus} constitutes the basis for behaviour. In this way, agent behaviour can, in some situations, be explained without the need to consider the internal states of an agent. A \emph{closed system} is one that does not receive any stimuli that affect its behaviour and that does not share any environment. A system that is not a closed system is called an \emph{open system}. When dealing with open systems, external stimuli are required to initiate agent behaviours. Such external stimuli result from systems outside the boundaries of the considered system and may impact the way in which the system agents behave. It is important to note that every stimulus \emph{invokes a response} from an agent. When the behaviour of an agent changes as a result of the response, we say that the stimulus \emph{influences} the behaviour of the agent. \emph{\CCKA}~(\CCKAabbrv)~\cite{Jaskolka2015ab,Jaskolka2014aa} is a mathematical framework for capturing the communicating and concurrent behaviour of agents in distributed systems. In this work, the term \emph{agent} is used to refer to any system, component, or process whose behaviour consists of discrete actions and each interaction, direct or indirect, of an agent with its neighbouring agents is called a \emph{communication} as in~\cite{Milner1989aa}. \CCKAabbrv extends the algebraic model of Concurrent Kleene Algebra~\cite{Hoare2011aa}, with communication actions through the notions of stimuli and shared environments. 
It offers an algebraic setting capable of capturing both the influence of stimuli on agent behaviour as well as the communication and concurrency of agents in a system and its environment at an abstract algebraic level, thereby allowing it to capture the dynamic behaviour of complex distributed systems. In this work, we follow Jaskolka's doctoral dissertation~\cite{Jaskolka2015ab} which provides a full treatment of \CCKAabbrv and its related notions and properties. Section~\ref{sec:stimulus_structure} and Section~\ref{sec:behaviour_structure} formalize the stimulus structure and behaviour structure, respectively. These structures comprise the two primary components of a \CCKAabbrv. Section~\ref{sec:ccka} then combines these notions to formalize \CCKAabbrv and its properties. Section~\ref{sec:topology} follows this by presenting a formalization of the notions of orbits, stabilisers, and fixed points to establish an understanding of the topology of a distributed system specified using \CCKAabbrv. Finally, Section~\ref{sec:communication} formalizes results regarding the potential for communication via stimuli and via shared environments of distributed system agents within the algebraic setting of \CCKAabbrv. % End Section % Include ROOT session \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %------------------------------------------------------------------------------ diff --git a/thys/CAVA_Automata/document/root.tex b/thys/CAVA_Automata/document/root.tex --- a/thys/CAVA_Automata/document/root.tex +++ b/thys/CAVA_Automata/document/root.tex 
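Review bot: the hard `\linebreak` after "Hoare et al.'s" in the abstract is brittle under exactly the change this hunk makes, since switching to T1 font encoding changes glyph metrics and hyphenation and can move the line end, leaving an underfull or badly stretched line where the forced break no longer falls at a line boundary. Suggest dropping `\linebreak` (the global `\sloppy` already relaxes justification) and letting TeX break the line; if a break is really needed, `\allowbreak` is the safe form.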
@@ -1,77 +1,77 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \begin{document} \title{The CAVA Automata Library} \author{Peter Lammich} \maketitle \begin{abstract} We report on the graph and automata library that is used in the fully verified LTL model checker CAVA. As most components of CAVA use some type of graphs or automata, a common automata library simplifies assembly of the components and reduces redundancy. The CAVA Automata Library provides a hierarchy of graph and automata classes, together with some standard algorithms. Its object oriented design allows for sharing of algorithms, theorems, and implementations between its classes, and also simplifies extensions of the library. Moreover, it is integrated into the Automatic Refinement Framework, supporting automatic refinement of the abstract automata types to efficient data structures. Note that the CAVA Automata Library is work in progress. Currently, it is very specifically tailored towards the requirements of the CAVA model checker. 
Nevertheless, the formalization techniques presented here allow an extension of the library to a wider scope. Moreover, they are not limited to graph libraries, but apply to class hierarchies in general. The CAVA Automata Library is described in the paper: Peter Lammich, The CAVA Automata Library, Isabelle Workshop 2014, to appear. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \clearpage % % optional bibliography % \bibliographystyle{abbrv} % \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/CAVA_LTL_Modelchecker/document/root.tex b/thys/CAVA_LTL_Modelchecker/document/root.tex --- a/thys/CAVA_LTL_Modelchecker/document/root.tex +++ b/thys/CAVA_LTL_Modelchecker/document/root.tex 
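Review bot: the removed line directly after `\usepackage{isabelle,isabellesym}` is shown as `- ` followed by `\usepackage{amssymb}`, and the hunk header `@@ -1,77 +1,77 @@` (one line added, one removed) is consistent with either a removed blank line or a removed `\usepackage{amssymb}`; please confirm it is the blank line, because the isabellesym mapping relies on amssymb for a number of Isabelle symbols and dropping it would surface as undefined control sequences only when the generated session text is included via `\input{session}`. Unrelated but in the same file: the abstract still cites "Peter Lammich, The CAVA Automata Library, Isabelle Workshop 2014, to appear" with the bibliography commented out, so the "to appear" could be updated while the preamble is being touched.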
@@ -1,76 +1,76 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \begin{document} \title{A Fully Verified Executable LTL Model Checker} \author{Javier Esparza, Peter Lammich, Ren\'{e} Neumann, Tobias Nipkow,\\Alexander Schimpf, Jan-Georg Smaus} \maketitle \begin{abstract} We present an LTL model checker whose code has been completely verified using the Isabelle theorem prover. The checker consists of over 4000 lines of ML code. The code is produced using the Isabelle Refinement Framework, which allows us to split its correctness proof into (1) the proof of an abstract version of the checker, consisting of a few hundred lines of ``formalized pseudocode'', and (2) a verified refinement step in which mathematical sets and other abstract structures are replaced by implementations of efficient structures like red-black trees and functional arrays. This leads to a checker that, while still slower than unverified checkers, can already be used as a trusted reference implementation against which advanced implementations can be tested. 
An early version of this model checker is described elsewhere~\cite{VeriLTLMC13}. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \clearpage % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/CCS/document/root.tex b/thys/CCS/document/root.tex --- a/thys/CCS/document/root.tex +++ b/thys/CCS/document/root.tex 
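Review bot: same question as for CAVA_Automata, which this preamble duplicates: the `- ` line before `\usepackage{amssymb}` should be the blank line, not the amssymb package, given that `@@ -1,76 +1,76 @@` shows one addition and one removal; please confirm, since the session text included through `\input{session}` may use amssymb glyphs. The T1 change itself is a clear improvement here: `Ren\'{e}` in the author list is typeset as a real accented glyph under T1 rather than a composed accent, which also makes the name searchable and copyable in the PDF.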
@@ -1,63 +1,63 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Calculus of Communicating Systems} \author{Jesper Bengtson} \maketitle \begin{abstract} We formalise a large portion of CCS as described in Milner's book 'Communication and Concurrency' using the nominal datatype package in Isabelle. Our results include many of the standard theorems of bisimulation equivalence and congruence, for both weak and strong versions. One main goal of this formalisation is to keep the machine-checked proofs as close to their pen-and-paper counterpart as possible. \end{abstract} \tableofcontents \section{Overview} These theories formalise the following results from Milner's book Communication and Concurrency. \begin{itemize} \item strong bisimilarity is a congruence \item strong bisimilarity respects the laws of structural congruence \item weak bisimilarity is preserved by all operators except sum \item weak congruence is a congruence \item all strongly bisimilar agents are also weakly congruent which in turn are weakly bisimilar. As a corollary, weak bisimilarity and weak congruence respect the laws of structural congruence. 
\end{itemize} The file naming convention is hopefully self explanatory, where the prefixes \emph{Strong} and \emph{Weak} denote that the file covers theories required to formalise properties of strong and weak bisimilarity respectively; if the file name contains \emph{Sim} the theories cover simulation, file names containing \emph{Bisim} cover bisimulation, and file names containing \emph{Cong} cover weak congruence; files with the suffix \emph{Pres} deal with theories that reason about preservation properties of operators such as a certain simulation or bisimulation being preserved by a certain operator; files with the suffix \emph{SC} reason about structural congruence. For a complete exposition of all theories, please consult Bengtson's Ph. D. thesis \cite{bengtson:thesis}. % include generated text of all theories \section{Formalisation} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/CISC-Kernel/document/root.tex b/thys/CISC-Kernel/document/root.tex --- a/thys/CISC-Kernel/document/root.tex +++ b/thys/CISC-Kernel/document/root.tex 
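Review bot: removing `\usepackage[utf8]{inputenc}` is only safe on a LaTeX kernel from 2018 or later, where UTF-8 is the default input encoding; on older distributions any non-ASCII byte in root.tex would be misread, so please confirm the build's TeX Live baseline (the visible root.tex is ASCII-only, so the file itself is fine either way). Two style points in the unchanged context: the abstract quotes the book title with straight single quotes, `'Communication and Concurrency'`, which should be LaTeX quotes ``\`\`...''``, and "Ph. D. thesis" should read "Ph.D. thesis".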
@@ -1,420 +1,421 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \usepackage{amssymb} \usepackage{euromils} \docnumber{D31.1} \doctitle{Formal Specification of a Generic Separation Kernel} \doctype{R} \docactivity{Activity~3} \docwp{WP~3.1} % due date \docdate{ \formatdate{30}{09}{2013} % {DD}{MM}{YYYY} } \docmonth{12} % responsible organisation \organisation{Open University of The Netherlands} % editor \doceditor{Freek Verbeek, Julien Schmaltz} % authors \docauthor{% Sergey Tverdyshev, Oto Havle, Holger Blasum (SYSGO AG)\\ Bruno Langenstein, Werner Stephan (Deutsches Forschungszentrum f\"{u}r k\"{u}nstliche Intelligenz / DFKI GmbH)\\ Abderrahmane Feliachi, Yakoub Nemouchi, Burkhart Wolff (Universit\'{e} Paris Sud)\\ Freek Verbeek, Julien Schmaltz (Open University of The Netherlands)} \doctag{PU} % revision \docversion{0.0} \docrevision{\svnrev} % abstract and keywords \docabstract{ We introduce a theory of intransitive non-interference for separation kernels with control. We show that it can be instantiated for a simple API consisting of IPC and events.} \dockeywords{separation kernel with control, formal model, instantiation, IPC, events, Isabelle/HOL} \executivesummary{ %We introduce a theory of intransitive non-interference for separation kernels with %control. We show that it can be instantiated for a simple API consisting of IPC and %events. %} % %\abstract{ Intransitive noninterference has been a widely studied topic in the last few decades. Several well-established methodologies apply interactive theorem proving to formulate a noninterference theorem over abstract academic models. In joint work with several industrial and academic partners throughout Europe, we are helping in the certification process of PikeOS, an industrial separation kernel developed at SYSGO. In this process, established theories could not be applied. 
We present a new generic model of separation kernels and a new theory of intransitive noninterference. The model is rich in detail, making it suitable for formal verification of realistic and industrial systems such as PikeOS. Using a refinement-based theorem proving approach, we ensure that proofs remain manageable. This document corresponds to the deliverable D31.1 of the EURO-MILS Project \url{http://www.euromils.eu}. } \usepackage{MnSymbol} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \euromilsmaketitlelists \clearpage \section{Introduction} %CONTEXT: separation kernels, verification of PikeOS, intransitive noninterference\\ Separation kernels are at the heart of many modern security-critical systems~\cite{rushby81}. With next generation technology in cars, aircrafts and medical devices becoming more and more interconnected, a platform that offers secure decomposition of embedded systems becomes crucial for safe and secure performance. PikeOS, a separation kernel developed at SYSGO, is an operating system providing such an environment~\cite{kaiser07,brygier09}. A consortium of several European partners from industry and academia works on the certification of PikeOS up to at least Common Criteria EAL5+, with "+" being applying formal methods compliant to EAL7. Our aim is to derive a precise model of PikeOS and a precise formulation of the PikeOS security policy.%, to be used for the Common Criteria evaluation of PikeOS. A crucial security property of separation kernels is \emph{intransitive} \emph{noninterference}. This property is typically required for systems with multiple independent levels of security (MILS) such as PikeOS. It ensures that a given security policy over different subjects of the system is obeyed. Such a security policy dictates which subjects may flow information to which other subjects. 
%MOTIVATION: Certification of PikeOS: Rushby/GWV/etc. not usable for realistic, industrial systems. Intransitive noninterference has been an active research field for the last three decades. Several papers have been published on defining intransitive noninterference and on unwinding methodologies that enable the proof of intransitive noninterference from local proof obligations. However, in the certification process of PikeOS these existing methodologies could not be directly applied. Generally, the methodologies are based on highly abstract generic models of computation. The gap between such an abstract model and the reality of PikeOS is large, making application of the methodologies tedious and cumbersome. %CONTRIBUTION: new model + new theory This paper presents a new generic model for separation kernels called CISK (for: Controlled Interruptible Separation Kernel). This model is richer in details and contains several facets present in many separation kernels, such as \emph{interrupts}, \emph{context} \emph{switches} between domains and a notion of \emph{control}. Regarding the latter, this concerns the fact that the kernel exercises control over the executions as performed by the domains. The kernel can, e.g., decide to skip actions of the domains, or abort them halfway. We prove that any instantiation of the model provides intransitive noninterference. The model and proofs have been formalized in Isabelle/HOL~\cite{nipkow12} which are included in the subsequent sections of this document. %\footnote{Source code is available at: removed for double blind review.}. %DOUBLEBLIND\\\url{www.cs.ru.nl/~freekver/EUROMILS/CSF14.zip}}. We have adopted Rushby's definition of intransitive noninterference~\cite{rushby92}. We first present an overview of our approach and then discuss the relation between our approach and existing methodologies in the next section. %Our definition improves on Rushby's ipurge-based (for: intransitive purge) definition in two ways. 
%First, we do not assume a static mapping of actions to domains, since for an OS kernel such a mapping does not necessarily exist~\cite{murray12}. %Secondly, we prove more directly that domains perform securely in presence of attackers. %Instead of removing actions, we replace the program code of an attacking domain by arbitrary other program code from the attack surface. % PAPER OVERVIEW %We first present the generic model and the security theorem that is proven for it in Section~\ref{sec:theorem}. %We then present our locale-based approach in Section~\ref{sec:proofs}. %Related work is presented in Section~\ref{sec:related}. %We conclude in Section~\ref{sec:conclusion}. \subsubsection*{Overview}\label{subsec:overview} Generally, there are two conflicting interests when using a generic model. On the one hand the model must be sufficiently abstract to ensure that theorems and proofs remain manageable. On the other hand, the model must be rich enough and must contain sufficient domain-knowledge to allow easy instantiation. Rushby's model, for example, is on one end of the spectrum: it is basically a Mealy machine, which is a highly abstract notion of computation, consisting only of state, inputs and outputs~\cite{rushby92}. The model and its proofs are manageable, but making a realistic instantiation is tedious and requires complicated proofs. %and quickly becomes infeasible. We aim at the other side of the spectrum by having a generic model that is rich in detail. As a result, instantiating the model with, e.g., a model of PikeOS can be done easily. To ensure maintainability of the theorems and proofs, we have applied a highly modularized theorem proving technique. % based on Isabelles' \emph{locales}. %Locales basically allowed us a separation of concerns, i.e., they allowed us to separate different facets of the model. %Starting with a highly generic and abstract model of a separation kernel, we define and prove security for this model. 
%Then, the model is enriched step-by-step. %As each step is an extension of the previous step, all the proofs can be automatically reused. %This methodology ensures manageable proofs. %The result of these locale-based proofs is a rich generic model that can be instantiated easily. Figure~\ref{fig:extensions} shows an overview. The initial module ``Kernel'' is close to a Mealy machine, but has several facets added, including interrupts, context switches and control. New modules are added in such a way that each new module basically inserts an adjective before ``Kernel''. The use of modules allows us to prove, e.g., a separation theorem in module ``Separation Kernel'' and subsequently to reuse this theorem later on when details on control or interrupts are added. \begin{figure}[htb] \centering \includegraphics[width=\linewidth]{locales.png} \caption{Overview of CISK modular structure} \label{fig:extensions} \end{figure} % TODO The second module adds a notion of separation, yielding a module of a Separation Kernel (SK). A security policy is added that dictates which domains may flow information to each other. Local proof obligations are added from which a global theorem of noninterference is proven. This global theorem is the \emph{unwinding} of the local proof obligations. %The addition of a control mechanism to the model means that the traditional %formulation of intransitive noninterference no longer applies, as will be %explained in Section~\ref{sec:related}. %We have reformulated noninterference to deal with control. In the third module calls to the kernel are no longer considered atomic, yielding an Interruptible Separation Kernel (ISK). In this model, one call to the kernel is represented by an \emph{action sequence}. Consider, for example, an IPC call (for: Inter Process Communication). From the point of view of the programmer this is one kernel call. 
From the point of view of the kernel it is an action sequence consisting of three stages IPC\_PREP, IPC\_WAIT, and IPC\_SEND. During the PREP stage, it is checked whether the IPC is allowed by the security policy. The WAIT stage is entered if a thread needs to wait for its communication partner. The SEND stage is data transmission. After each stage, an interrupt may occur that switches the current context. A consequence of allowing interruptible action sequences is that it is no longer the case that any execution, i.e., any combination of atomic kernel actions, is realistic. We formulate a definition of \emph{realistic execution} and weaken the proof obligations of the model to apply only to realistic executions. The final module provides an interpretation of control that allows atomic kernel actions to be aborted or delayed. Additional proof obligations are required to ensure that noninterference is still provided. This yields a Controlled Interruptible Separation Kernel (CISK). When sequences of kernel actions are aborted, error codes can be transmitted to other domains. Revisiting our IPC example, after the PREP stage the kernel can decide to abort the action. The IPC action sequence will not be continued and error codes may be sent out. At the WAIT stage, the kernel can delay the action sequence until the communication partner of the IPC call is ready to receive. % OLD In Section~\ref{sect:generic} we introduce a theory of intransitive non-interference for separation kernels with control, based on~\cite{Verbeek2013}. We show that it can be instantiated for a simple API consisting of IPC and events (Section~\ref{sect:instantiation}). The rest of {\em this} section gives some auxiliary theories used for Section~\ref{sect:generic}. \section{Preliminaries} % generated text of all theories \input{session} \section{Related Work} We consider various definitions of intransitive (I) nonin- terference (NI). This overview is by no means intended to be complete. 
We first prune the field by focusing on INI with as granularity the domains: if the security policy states the act ``$v \rightsquigarrow u$'', this means domain v is permitted to flow any information it has at its disposal to u. We do not consider language-based approaches to noninterference \cite{SKIPaper6}, which allow finer granularity mechanisms (i.e., flowing just a subset of the available information). Secondly, several formal verification efforts have been conducted concerning properties similar and related to INI such as no-exfiltration and no-infiltration \cite{SKIPaper7}. Heitmeyer et al. prove these properties for a separation kernel in a Common Criteria certification process \cite{Heitmeyer:2006:FSV:1180405.1180448} (which kernel and which EAL is not clear). Martin et al. proved separation properties over the MASK kernel \cite{Martin:2000:FCM:786768.786973} and Shapiro and Weber verified correctness of the EROS confinement mechanism \cite{Shapiro:2000:VEC:882494.884422}. Klein provides an excellent overview of OS's for which such properties have been verified \cite{SKIPaper11}. Thirdly, INI definitions can be built upon either state-based automata, trace-based models, or process algebraic models \cite{SKIPaper12}. We do not focus on the latter, as our approach is not based on process algebra. Transitive NI was first introduced by Goguen and Meseguer in 1982 \cite{SKIPaper13} and has been the topic of heavy research since. Goguen and Meseguer tried to extend their definition with an unless construct to allow such policies \cite{SKIPaper14}. This construct, however, did not capture the notion of INI \cite{SKIPaper15}. The first commonly accepted definition of INI is Rushby's purging-based definition IP-secure \cite{rushby92}. IP- security has been applied to, e.g., smartcards \cite{SKIPaper16} and OS kernel extensions \cite{SKIPaper17}. To the best of our knowledge, Rushby's definition has not been applied in a certification context. 
Rushby's definition has been subject to heavy scrutiny \cite{SKIPaper18}, \cite{VanDerMeyden:2007:IIN:2393847.2393869} and a vast array of modifications have been proposed. Roscoe and Goldsmith provide CSP-based definitions of NI for the transitive and the intransitive case, here dubbed as lazy and mixed independence. The latter one is more restrictive than Rushby's IP-security. Their critique on IP-secure, however, is not universally accepted \cite{SKIPaper19}. Greve at al. provided the GWV framework developed in ACL2 \cite{SKIPaper7}. Their definition is a non-inductive version of noninterference similar to Rushby's step consistency. GWV has been used on various industrial systems. The exact relation between GWV and (I)P-secure, i.e., whether they are of equal strength, is still open. The second property, Declassification, means whether the definition allows assignments in the form of $l := \texttt{declassify}(h)$ (where we use Sabelfelds \cite{SKIPaper6} notation for high and low variables). Information flows from $h$ to $l$, but only after it has been declassified. In general, NI is coarser than declassification. It allows where downgrading can occur, but now what may be downgraded \cite{SKIPaper15}. Mantel provides a definition of transitive NI where exceptions can be added to allow de-classification by adding intransitive exceptions to the security policy \cite{SKIPaper15}. To deal with concurrency, definitions of NI have been proposed for Non-Deterministic automata. Von Oheimb defined noninfluence for such systems. His definition can be regarded as a ``non-deterministic version'' of IP-secure. Engelhardt et al. defined nTA-secure, the non-deterministic version of TA-security. Finally, some notions of INI consider models that are in a sense richer than similar counterparts. Leslie extends Rushby's notion of IP-security for a model in which the security policy is Dynamic. Eggert et al. defined i-secure, an extension of IP-secure. 
Their model extends Rushby's model (Mealy machines) with Local security policies. Murray et al. extends Von Oheimb definition of noninfluence to apply to a model that does not assume a static mapping of actions to domains. This makes it applicable to OS's, as in such a setting such a mapping does not exist \cite{Murray_MBGK_12}. NI-OS has been applied to the seL4 separation kernel \cite{Murray_MBGK_12}, \cite{Klein:2009:SFV:1629575.1629596}. Most definitions have an associated methodology. Various methodologies are based on unwinding \cite{SKIPaper14}. This breaks down the proof of NI into smaller proof obligations (PO's). These PO's can be checked by some manual proof \cite{rushby92}, \cite{SKIPaper32}, model checking \cite{SKIPaper21} or dedicated algorithms \cite{SKIPaper20}. The methodology of Murray et al. is a combination of unwinding, automated deduction and manual proofs. Some definitions are undecidable and have no suitable unwinding. We are aiming to provide a methodology for INI based on a model that is richer in detail than Mealy machines. This places our contribution next to other works that aim to extend IP-security \cite{SKIPaper25}, \cite{SKIPaper31} in Figure 2. Similar to those approaches, we take IP-security as a starting point. We add kernel control mechanisms, interrupts and context switches. Ideally, we would simply prove IP-security over CISK. We argue that this is impossible and that a rephrasing is necessary. Our ultimate goal --- certification of PikeOS --- is very similar to the work done on seL4 \cite{Murray_MBGK_12}--\cite{SKIPaper30}. There are two reasons why their approach is not directly applicable to PikeOS. First, seL4 has been developed from scratch. A Haskell specification serves as the medium for the implementation as well as the system model for the kernel \cite{Elphinstone:2007:TPV:1361397.1361417}. C code is derived from a high level specification. PikeOS, in contrast, is an established industrial OS. 
Secondly, interrupts are mostly disabled in seL4. Klein et al. side-step dealing with the verification complexity of interrupts by using a mostly atomic API \cite{Klein:2009:SFV:1629575.1629596}. In contrast, we aim to fully address interrupts. With respect to attempts to formal operating system verifications, notable works are also the Verisoft I project \cite{DBLP:journals/jar/AlkassarHLSST09} where also a weak form of a separation property, namely fairness of execution was addressed \cite{DBLP:journals/jar/DaumDW09}. % Stolen text from Gerwin: \cite{Murray_MBGK_12}. % DO NOT INCLUDE DIRECTLY. %Recently, Barthe et al. [3] presented a formalisation of isolation for an idealised model of %a hypervisor, and its unwinding conditions. Like ours, their definition is based on von %Oheimb's noninfluence [21]. As in traditional formalisations of noninterference, in their %formulation actions are intrinsically linked to domains, and so it cannot reason about %information leaks through scheduling decisions. %INTEGRITY-178B is a real-time operating system for which an isolation proof has been %completed [15]. The isolation property proved is based on the GWVr2 information flow %property [9], which bears similarities to the unwinding conditions for noninterference. %Like ours, it is general enough to handle systems in which previous execution steps affect %which is the entity that executes next. Unlike ours, it is defined only for deterministic %systems. The exact relationship between GWVr2 and our conditions deserves further study. %Our formulation of information flow security is descendant from traditional ipurge-based %formulations of intransitive noninterference (starting with Haigh and Young's [10]). Van %der Meyden [19] argues that ipurge-based formulations of intransitive noninterference are %too weak for certain intransitive policies, and proposes a number of stronger definitions. 
%He shows that Rushby's unwinding conditions [16] are sufficient for some of these alternatives. %Given the similarity of our unwinding conditions to Rushby's, we wonder whether our existing %unwinding conditions may be sufficient to prove analogues of van der Meyden's definitions. %Others have presented noninterference conditions for systems with scheduling components. %One recent example is van der Meyden and Zhang [20], who consider systems that run in %lock-step with a scheduling component that controls which domain's actions are currently %enabled. Their security condition for the scheduler requires that the actions of the High %domain cannot affect scheduling decisions. Our formulation, in contrast, has the scheduler %update a component of the system state that determines the currently running domain. This %allows our scheduler security condition to require that scheduling decisions be unaffected %not only by domain actions, but also by domain state. %A range of proof calculi and verification procedures for confidentiality properties, and %other relational properties, have also been developed [1,2,4,5,18]. Unlike many of these, %ours aims not at generality but rather at scalability. The simplicity of our calculus has %enabled it to scale to the entire functional specification of the seL4 microkernel, whose %size is around 2,500 lines of Isabelle/HOL, and whose implementation that refines this %specification is around 8,500 lines of C. %[1] T. Amtoft and A. Banerjee. Information flow analysis in logical form. In SAS '04, volume 3148 of LNCS, pages 33--36. Springer-Verlag, 2004. %[2]T. Amtoft and A. Banerjee. Verification condition generation for conditional information flow. In FMSE '07, pages 2--11. ACM, 2007. %[3]G. Barthe, G. Betarte, J. Campo, and C. Luna. Formally verifying isolation and availability in an idealized model of virtualization. In M. Butler and W. Schulte, editors, 17th FM, volume 6664 of LNCS, pages 231--245. Springer-Verlag, 2011. %[4]N. 
Benton. Simple relational correctness proofs for static analyses and program transformations. In POPL 2004, pages 14--25. ACM, 2004. %[5]L. Beringer. Relational decomposition. In 2nd ITP, volume 6898 of LNCS, pages 39--54. Springer-Verlag, 2011. %[6]D. Cock, G. Klein, and T. Sewell. Secure microkernels, state monads and scalable refinement. In 21st TPHOLs, volume 5170 of LNCS, pages 167--182, Aug 2008. %[7]W.-P. de Roever and K. Engelhardt. Data Refinement: Model-Oriented Proof Methods and their Comparison. Cambridge University Press, 1998. %[8]J. Goguen and J. Meseguer. Security policies and security models. In IEEE Symp. Security & Privacy, pages 11--20, Oakland, California, USA, Apr 1982. IEEE. %[9]D. A. Greve. Information security modeling and analysis. In D. S. Hardin, editor, Design and Verification of Microprocessor Systems for High-Assurance Applications, pages 249--300. Springer-Verlag, 2010. %[10]J. T. Haigh and W. D. Young. Extending the noninterference version of MLS for SAT. Trans. Softw. Engin., 13:141--150, Feb 1987. %[11]G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal verification of an OS kernel. In 22nd SOSP, pages 207--220. ACM, 2009. %[12]G. Klein, T. Murray, P. Gammie, T. Sewell, and S. Winwood. Provable security: How feasible is it? In 13th HotOS, pages 28--32, Napa, CA, USA, May 2011. USENIX. %[13]D. Matichuk and T. Murray. Extensible specifications for automatic re-use of specifications and proofs. In 10th SEFM, Oct 2012. %[14]T. Nipkow, L. Paulson, and M. Wenzel. Isabelle/HOL --- A Proof Assistant for Higher-Order Logic, volume 2283 of LNCS. Springer-Verlag, 2002. %[15]R. J. Richards. Modeling and security analysis of a commercial real-time operating system kernel. In D. S. Hardin, editor, Design and Verification of Microprocessor Systems for High-Assurance Applications, pages 301--322. Springer-Verlag, 2010. %[16]J. 
Rushby. Noninterference, transitivity, and channel-control security policies. Technical Report CSL-92-02, SRI International, Dec 1992. %[17]T. Sewell, S. Winwood, P. Gammie, T. Murray, J. Andronick, and G. Klein. seL4 enforces integrity. In 2nd ITP, volume 6898 of LNCS, pages 325--340, Nijmegen, The Netherlands, Aug 2011. Springer-Verlag. %[18]T. Terauchi and A. Aiken. Secure information flow as a safety problem. In SAS '05, volume 3672 of LNCS, pages 352--367. Springer-Verlag, 2005. %[19]R. van der Meyden. What, indeed, is intransitive noninterference? In 12th ESORICS, volume 4734 of LNCS, pages 235--250. Springer-Verlag, 2007. %[20]R. van der Meyden and C. Zhang. Information flow in systems with schedulers. In 21st CSF, pages 301--312. IEEE, Jun 2008. %[21]D. von Oheimb. Information flow control revisited: Noninfluence = noninterference + nonleakage. In 9th ESORICS, volume 3193 of LNCS, pages 225--243, 2004. \section{Conclusion} We have introduced a generic theory of intransitive non-interference for separation kernels with control as a series of locales and extensible record definitions in order to a achieve a modular organization. Moreover, we have shown that it can be instantiated for a simplistic API consisting of IPC and events. In the ongoing EURO-MILS project, we will extend this generic theory in order make it sufficiently rich to be instantiated with a realistic functional model of PikeOS. \subsubsection{Acknowledgement.}This work corresponds to the formal deliverable D31.1 of the Euro-MILS project funded by the European Union's Programme \[FP7/2007-2013\] under grant agreement number ICT-318353. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/CRDT/document/root.tex b/thys/CRDT/document/root.tex --- a/thys/CRDT/document/root.tex +++ b/thys/CRDT/document/root.tex 
@@ -1,89 +1,90 @@ \documentclass[11pt]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[a4paper,portrait,margin=1in]{geometry} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amsmath} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A framework for establishing Strong Eventual Consistency for Conflict-free Replicated Data types} \author{Victor B.~F.~Gomes, Martin Kleppmann, Dominic P.~Mulligan,\\Alastair R. Beresford} \maketitle \begin{abstract} In this work, we focus on the correctness of Conflict-free Replicated Data Types (CRDTs), a class of algorithm that provides strong eventual consistency guarantees for replicated data. We develop a modular and reusable framework for verifying the correctness of CRDT algorithms. We avoid correctness issues that have dogged previous mechanised proofs in this area by including a network model in our formalisation, and proving that our theorems hold in all possible network behaviours. Our axiomatic network model is a standard abstraction that accurately reflects the behaviour of real-world computer networks. Moreover, we identify an abstract convergence theorem, a property of order relations, which provides a formal definition of strong eventual consistency. We then obtain the first machine-checked correctness theorems for three concrete CRDTs: the Replicated Growable Array, the Observed-Remove Set, and an Increment-Decrement Counter. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section {Introduction} \emph{Strong eventual consistency} (SEC) is a model that strikes a compromise between strong and eventual consistency~\cite{Shapiro:2011un}. Informally, it guarantees that whenever two nodes have received the same set of messages---possibly in a different order---their view of the shared state is identical, and any conflicting concurrent updates must be merged automatically. Large-scale deployments of SEC algorithms include datacentre-based applications using the Riak distributed database \cite{Brown:2014hs}, and collaborative editing applications such as Google Docs \cite{DayRichter:2010tt}. Unlike strong consistency models, it is possible to implement SEC in decentralised settings without any central server or leader, and it allows local execution at each node to proceed without waiting for communication with other nodes. However, algorithms for achieving decentralised SEC are currently poorly understood: several such algorithms, published in peer-reviewed venues, were subsequently shown to violate their supposed guarantees \cite{Imine:2003ks,Imine:2006kn,Oster:2005vi}. Informal reasoning has repeatedly produced plausible-looking but incorrect algorithms, and there have even been examples of mechanised formal proofs of SEC algorithm correctness later being shown to be flawed. These mechanised proofs failed because, in formalising the algorithm, they made false assumptions about the execution environment. In this work we use the Isabelle/HOL proof assistant~\cite{DBLP:conf/tphol/WenzelPN08} to create a framework for reliably reasoning about the correctness of a particular class of decentralised replication algorithms. We do this by formalising not only the replication algorithms, but also the network in which they execute, allowing us to prove that the algorithm's assumptions hold in all possible network behaviours. 
We model the network using the axioms of \emph{asynchronous unreliable causal broadcast}, a well-understood abstraction that is commonly implemented by network protocols, and which can run on almost any computer network, including large-scale networks that delay, reorder, or drop messages, and in which nodes may fail. We then use this framework to produce machine-checked proofs of correctness for three Conflict-Free Replicated Data Types (CRDTs), a class of replication algorithms that ensure strong eventual consistency \cite{Shapiro:2011wy,Shapiro:2011un}. To our knowledge, this is the first machine-checked verification of SEC algorithms that explicitly models the network and reasons about all possible network behaviours. The framework is modular and reusable, making it easy to formulate proofs for new algorithms. We provide the first mechanised proofs of the Replicated Growable Array, the operation-based Observed-Remove Set, and the operation-based counter CRDT. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/CSP_RefTK/document/root.tex b/thys/CSP_RefTK/document/root.tex --- a/thys/CSP_RefTK/document/root.tex +++ b/thys/CSP_RefTK/document/root.tex 
@@ -1,85 +1,86 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \graphicspath {{figures/}} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{latexsym} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage[greek,english]{babel} %option greek for \ %option english (default language) for \, \ %\usepackage[latin1]{inputenc} %for \, \, \, \, %\, \, \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The HOL-CSP Refinement Toolkit} \author{ Safouan Taha \and Burkhart Wolff \and Lina Ye } \maketitle \chapter*{Abstract} Recently, a modern version of Roscoes and Brookes \cite{brookes-roscoe85} Failure-Divergence Semantics for CSP has been formalized in Isabelle \cite{HOL-CSP-AFP}. We use this formal development called HOL-CSP2.0 to analyse a family of refinement notions, comprising classic and new ones. This analysis enables to derive a number of properties that allow to deepen the understanding of these notions, in particular with respect to specification decomposition principles for the case of infinite sets of events. The established relations between the refinement relations help to clarify some obscure points in the CSP literature, but also provide a weapon for shorter refinement proofs. Furthermore, we provide a framework for state-normalisation allowing to formally reason on parameterised process architectures. As a result, we have a modern environment for formal proofs of concurrent systems that allow for the combination of general infinite processes with locally finite ones in a logically safe way. 
We demonstrate these verification-techniques for classical, generalised examples: The CopyBuffer for arbitrary data and the Dijkstra's Dining Philosopher Problem of arbitrary size. If you consider to cite this work, please refer to \cite{HOL-CSP-iFM2020}. \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{adb-long,root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/CYK/document/root.tex b/thys/CYK/document/root.tex --- a/thys/CYK/document/root.tex +++ b/thys/CYK/document/root.tex @@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} %\usepackage[sorting=none]{biblatex} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A formalisation of the Cocke-Younger-Kasami algorithm} \author{Maksym Bortin} \maketitle \begin{abstract} The theory provides a formalisation of the Cocke-Younger-Kasami algorithm~\cite{Younger1967} (CYK for short), an approach to solving the word problem for context-free languages. CYK decides if a word is in the languages generated by a context-free grammar in Chomsky normal form. The formalized algorithm is executable. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/CakeML/document/root.tex b/thys/CakeML/document/root.tex --- a/thys/CakeML/document/root.tex +++ b/thys/CakeML/document/root.tex 
@@ -1,79 +1,80 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{CakeML} \author{Lars Hupel, Yu Zhang} \maketitle \begin{abstract} CakeML is a functional programming language with a proven-correct compiler and runtime system. This entry contains an unofficial version of the CakeML semantics that has been exported from the Lem specifications to Isabelle. Additionally, there are some hand-written theory files that adapt the exported code to Isabelle and port proofs from the HOL4 formalization, e.g.\ termination and equivalence proofs. \end{abstract} \tableofcontents \clearpage \section*{Contributors} The export script has been written by Lars Hupel. Hand-written theory files, including definitions and proofs, have been developed by Lars Hupel and Yu Zhang. Lem is a project by Peter Sewell et.al. 
Contributors can be found on its project page\footnote{\url{https://www.cl.cam.ac.uk/~pes20/lem/}} and on GitHub.\footnote{\url{https://github.com/rems-project/lem/graphs/contributors}} CakeML is a project with many developers and contributors that can be found on its project page\footnote{\url{https://cakeml.org/}} and on GitHub.\footnote{\url{https://github.com/CakeML/cakeml/graphs/contributors}} In particular, Fabian Immler and Johannes \AA{}man Pohjola have contributed Isabelle mappings for constants in the Lem specification of the CakeML semantics. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/CakeML_Codegen/document/root.tex b/thys/CakeML_Codegen/document/root.tex --- a/thys/CakeML_Codegen/document/root.tex +++ b/thys/CakeML_Codegen/document/root.tex @@ -1,46 +1,47 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle} \usepackage{isabellesym} \usepackage{amssymb} \usepackage{graphicx} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A Verified Code Generator from Isabelle/HOL to CakeML} \author{Lars Hupel} \maketitle \tableofcontents \clearpage \includegraphics[width=\textwidth,height=\textheight,keepaspectratio]{session_graph.pdf} \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: \ No newline at end of file 
diff --git a/thys/Call_Arity/document/root.tex b/thys/Call_Arity/document/root.tex --- a/thys/Call_Arity/document/root.tex +++ b/thys/Call_Arity/document/root.tex 
@@ -1,240 +1,239 @@ \documentclass[11pt,a4paper,parskip=half]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} \newcommand{\isasymnotsqsubseteq}{\isamath{\not\sqsubseteq}} \usepackage{amsmath} \usepackage{mathtools} \usepackage{graphicx} \usepackage{tikz} -\usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} \usepackage{mathpartir} \usepackage{calc} \usepackage{booktabs} \usepackage{longtable} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theorys in math-similar italics \urlstyle{rm} \isabellestyle{it} % Isabelle does not like *} in a text {* ... *} block % Concrete implemenation thanks to http://www.mrunix.de/forums/showpost.php?p=235085&postcount=5 \newenvironment{alignstar}{\csname align*\endcsname}{\csname endalign*\endcsname} \newenvironment{alignatstar}{\csname alignat*\endcsname}{\csname endalignat*\endcsname} % quench koma warnings \def\bf{\normalfont\bfseries} \def\it{\normalfont\itshape} \def\rm{\normalfont} \def\sc{\normalfont\scshape} % from http://tex.stackexchange.com/a/12931 \begingroup \catcode`\_=\active \gdef_#1{\ensuremath{\sb{\mathrm{#1}}}} \endgroup \mathcode`\_=\string"8000 \catcode`\_=12 \begin{document} \title{The Safety of Call Arity} \author{Joachim Breitner\\ Programming Paradigms Group\\ Karlsruhe Institute for Technology\\ \url{breitner@kit.edu}} \maketitle \begin{abstract} We formalize the Call Arity analysis \cite{tfp}, as implemented in GHC, and prove both functional correctness and, more interestingly, safety (i.e.\ the transformation does not increase allocation). A highlevel overview of the work can be found in \cite{call-arity-haskell15}. We use syntax and the denotational semantics from an earlier work \cite{breitner2013}, where we formalized Launchbury's natural semantics for lazy evaluation \cite{launchbury}. The functional correctness of Call Arity is proved with regard to that denotational semantics. 
The operational properties are shown with regard to a small-step semantics akin to Sestoft's mark 1 machine \cite{sestoft}, which we prove to be equivalent to Launchbury's semantics. We use Christian Urban's Nominal2 package \cite{nominal} to define our terms and make use of Brian Huffman's HOLCF package for the domain-theoretical aspects of the development \cite{holcf}. \end{abstract} \section*{Artifact correspondence table} \label{sec:table} The following table connects the definitions and theorems from \cite{call-arity-haskell15} with their corresponding Isabelle concept in this development. \newcommand{\seetheory}[1]{\hyperref[sec_#1]{#1}} \begin{center} \begin{longtable}[h]{lll} \textsf{Concept} & \textsf{corresponds to} & \textsf{in theory} \\ \midrule Syntax & \isacommand{nominal-datatype} \isa{expr} & Terms in \cite{breitner2013} \\ Stack & \isacommand{type-synonym} \isa{stack} & \seetheory{SestoftConf} \\ Configuration & \isacommand{type-synonym} \isa{conf} & \seetheory{SestoftConf} \\ Semantics ($\Rightarrow$) & \isacommand{inductive} \isa{step} & \seetheory{Sestoft} \\ Arity & \isacommand{typedef} \isa{Arity} & \seetheory{Arity} \\ Eta-expansion & \isacommand{lift-definition} \isa{Aeta-expand} & \seetheory{ArityEtaExpansion} \\ Lemma 1 & \isacommand{theorem} \isa{Aeta-expand-safe} & \seetheory{ArityEtaExpansionSafe} \\ $\mathcal A_\alpha(\Gamma, e)$ & \isacommand{locale} \isa{ArityAnalysisHeap} & \seetheory{ArityAnalysisSig} \\ $\mathsf T_\alpha(e)$ & \isacommand{sublocale} \isa{AbstractTransformBound} & \seetheory{ArityTransform} \\ $\mathcal A_\alpha(e)$ & \isacommand{locale} \isa{ArityAnalysis} & \seetheory{ArityAnalysisSig} \\ Definition 2 & \isacommand{locale} \isa{ArityAnalysisLetSafe} & \seetheory{ArityAnalysisSpec} \\ Definition 3 & \isacommand{locale} \isa{ArityAnalysisLetSafeNoCard} & \seetheory{ArityAnalysisSpec} \\ Definition 4 & \isacommand{inductive} \isa{a-consistent} & \seetheory{ArityConsistent} \\ Definition 5 & \isacommand{inductive} 
\isa{consistent} & \seetheory{ArityTransformSafe} \\ Lemma 2 & \isacommand{lemma} \isa{arity-transform-safe} & \seetheory{ArityTransformSafe} \\ % Concrete arity analysis & \isacommand{definition} \isa{Real-Aexp} & \seetheory{ArityAnalysisImpl} \\ $\operatorname{Card}$ & \isacommand{type-synonym} \isa{two} & \seetheory{Cardinality-Domain} \\ $\mathcal C_\alpha(\Gamma, e)$ & \isacommand{locale} \isa{CardinalityHeap} & \seetheory{CardinalityAnalysisSig} \\ $\mathcal C_{(\bar\alpha,\alpha,\dot\alpha)}((\Gamma, e, S))$ & \isacommand{locale} \isa{CardinalityPrognosis} & \seetheory{CardinalityAnalysisSig} \\ Definition 6 & \isacommand{locale} \isa{CardinalityPrognosisSafe} & \seetheory{CardinalityAnalysisSpec} \\ Definition 7 ($\Rightarrow_\#$) & \isacommand{inductive} \isa{gc-step} & \seetheory{SestoftGC} \\ Definition 8 & \isacommand{inductive} \isa{consistent} & \seetheory{CardArityTransformSafe} \\ Lemma 3 & \isacommand{lemma} \isa{card-arity-transform-safe} & \seetheory{CardArityTransformSafe} \\ Trace trees & \isacommand{typedef} \isa{'a ttree} & \seetheory{TTree} \\ Function $s$ & \isacommand{lift-definition} \isa{substitute} & \seetheory{TTree} \\ $\mathcal T_\alpha(e)$ & \isacommand{locale} \isa{TTreeAnalysis} & \seetheory{TTreeAnalysisSig} \\ $\mathcal T_\alpha(\Gamma,e)$ & \isacommand{locale} \isa{TTreeAnalysisCardinalityHeap} & \seetheory{TTreeAnalysisSpec} \\ Definition 9 & \isacommand{locale} \isa{TTreeAnalysisCardinalityHeap} & \seetheory{TTreeAnalysisSpec} \\ Lemma 4 & \isacommand{sublocale} \isa{CardinalityPrognosisSafe} & \seetheory{TTreeImplCardinalitySafe} \\ Co-Call graphs & \isacommand{typedef} \isa{CoCalls} & \seetheory{CoCallGraph} \\ Function $g$ & \isacommand{lift-definition} \isa{ccApprox} & \seetheory{CoCallGraph-TTree} \\ Function $t$ & \isacommand{lift-definition} \isa{ccTTree} & \seetheory{CoCallGraph-TTree} \\ $\mathcal G_\alpha(e)$ & \isacommand{locale} \isa{CoCallAnalysis} & \seetheory{CoCallAnalysisSig} \\ $\mathcal G_\alpha(\Gamma, e)$ 
& \isacommand{locale} \isa{CoCallAnalysisHeap} & \seetheory{CoCallAnalysisSig} \\ Definition 10 & \isacommand{locale} \isa{CoCallAritySafe} & \seetheory{CoCallAnalysisSpec} \\ Lemma 5 & \isacommand{sublocale} \isa{TTreeAnalysisCardinalityHeap} & \seetheory{CoCallImplTTreeSafe} \\ Call Arity & \isacommand{nominal-function} \isa{cCCexp} & \seetheory{CoCallAnalysisImpl} \\ Theorem 1 & \isacommand{lemma} \isa{end2end-closed} & \seetheory{CallArityEnd2EndSafe} \\ \end{longtable} \end{center} \bibliographystyle{amsalpha} \bibliography{\jobname} \tableofcontents \newcommand{\theory}[1]{\subsection{#1}\label{sec_#1}\input{#1.tex}} %\let\OldInput\input %\renewcommand{\input}[1]{{ % \subsection{#1} % \OldInput{#1} %}} %\OldInput{session.tex} \section{Various Utilities} \theory{ConstOn} \theory{Set-Cpo} \theory{Env-Set-Cpo} \theory{AList-Utils-HOLCF} \theory{List-Interleavings} \section{Small-step Semantics} \theory{SestoftConf} \theory{Sestoft} \theory{SestoftGC} \theory{BalancedTraces} \theory{SestoftCorrect} \section{Arity} \theory{Arity} \theory{AEnv} \theory{Arity-Nominal} \theory{ArityStack} \section{Eta-Expansion} \theory{EtaExpansion} \theory{EtaExpansionSafe} \theory{TransformTools} \theory{ArityEtaExpansion} \theory{ArityEtaExpansionSafe} \section{Arity Analysis} \theory{ArityAnalysisSig} \theory{ArityAnalysisAbinds} \theory{ArityAnalysisSpec} \theory{TrivialArityAnal} \theory{ArityAnalysisStack} \theory{ArityAnalysisFix} \theory{ArityAnalysisFixProps} \section{Arity Transformation} \theory{AbstractTransform} \theory{ArityTransform} \section{Arity Analysis Safety (without Cardinality)} \theory{ArityConsistent} \theory{ArityTransformSafe} \section{Cardinality Analysis} \theory{Cardinality-Domain} \theory{CardinalityAnalysisSig} \theory{CardinalityAnalysisSpec} \theory{NoCardinalityAnalysis} \theory{CardArityTransformSafe} \section{Trace Trees} \theory{TTree} \theory{TTree-HOLCF} \section{Trace Tree Cardinality Analysis} \theory{AnalBinds} \theory{TTreeAnalysisSig} 
\theory{Cardinality-Domain-Lists} \theory{TTreeAnalysisSpec} \theory{TTreeImplCardinality} \theory{TTreeImplCardinalitySafe} \section{Co-Call Graphs} \theory{CoCallGraph} \theory{CoCallGraph-Nominal} \section{Co-Call Cardinality Analysis} \theory{CoCallAnalysisSig} \theory{CoCallAnalysisBinds} \theory{CoCallAritySig} \theory{CoCallAnalysisSpec} \theory{CoCallFix} \theory{CoCallGraph-TTree} \theory{CoCallImplTTree} \theory{CoCallImplTTreeSafe} \section{CoCall Cardinality Implementation} \theory{CoCallAnalysisImpl} \theory{CoCallImplSafe} \section{End-to-end Saftey Results and Example} \theory{CallArityEnd2End} \theory{CallArityEnd2EndSafe} \section{Functional Correctness of the Arity Analysis} \theory{ArityAnalysisCorrDenotational} %%% Local Variables: %%% mode: l %%% TeX-master: "root" %%% End: \end{document} diff --git a/thys/Card_Equiv_Relations/document/root.tex b/thys/Card_Equiv_Relations/document/root.tex --- a/thys/Card_Equiv_Relations/document/root.tex +++ b/thys/Card_Equiv_Relations/document/root.tex 
@@ -1,80 +1,81 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Cardinality of Equivalence Relations} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry provides formulae for counting the number of equivalence relations and partial equivalence relations over a finite carrier set with given cardinality. To count the number of equivalence relations, we provide bijections between equivalence relations and set partitions~\cite{wiki:equiv-relation}, and then transfer the main results of the two AFP entries, Cardinality of Set Partitions~\cite{bulwahn-AFP15} and Spivey's Generalized Recurrence for Bell Numbers~\cite{bulwahn-AFP16}, to theorems on equivalence relations. To count the number of partial equivalence relations, we observe that counting partial equivalence relations over a set $A$ is equivalent to counting all equivalence relations over all subsets of the set $A$. From this observation and the results on equivalence relations, we show that the cardinality of partial equivalence relations over a finite set of cardinality $n$ is equal to the $n+1$-th Bell number~\cite{bell-numbers}. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Card_Multisets/document/root.tex b/thys/Card_Multisets/document/root.tex --- a/thys/Card_Multisets/document/root.tex +++ b/thys/Card_Multisets/document/root.tex 
@@ -1,57 +1,58 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Cardinality of Multisets} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry provides three lemmas to count the number of multisets of a given size and finite carrier set. The first lemma provides a cardinality formula assuming that the multiset's elements are chosen from the given carrier set. The latter two lemmas provide formulas assuming that the multiset's elements also cover the given carrier set, i.e., each element of the carrier set occurs in the multiset at least once. The proof of the first lemma uses the argument of the recurrence relation for counting multisets~\cite{wikipedia:Multiset}. The proof of the second lemma is straightforward, and the proof of the third lemma is easily obtained using the first cardinality lemma. A challenge for the formalization is the derivation of the required induction rule, which is a special combination of the induction rules for finite sets and natural numbers. The induction rule is derived by defining a suitable inductive predicate and transforming the predicate's induction rule. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Card_Number_Partitions/document/root.tex b/thys/Card_Number_Partitions/document/root.tex --- a/thys/Card_Number_Partitions/document/root.tex +++ b/thys/Card_Number_Partitions/document/root.tex 
@@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Cardinality of Number Partitions} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry provides a basic library for number partitions, defines the two-argument partition function through its recurrence relation and relates this partition function to the cardinality of number partitions. The main proof shows that the recursively-defined partition function with arguments $n$ and $k$ equals the cardinality of number partitions of $n$ with exactly $k$ parts. The combinatorial proof follows the proof sketch of Theorem~2.4.1 in Mazur's textbook ``Combinatorics: A Guided Tour''~\cite{mazur-2010}. This entry can serve as starting point for various more intrinsic properties about number partitions, the partition function and related recurrence relations. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Card_Partitions/document/root.tex b/thys/Card_Partitions/document/root.tex --- a/thys/Card_Partitions/document/root.tex +++ b/thys/Card_Partitions/document/root.tex 
@@ -1,50 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Cardinality of Set Partitions} \author{Lukas Bulwahn} \maketitle \begin{abstract} The theory's main theorem states that the cardinality of set partitions of size $k$ on a carrier set of size $n$ is expressed by Stirling numbers of the second kind. In Isabelle, Stirling numbers of the second kind are defined in the AFP entry `Discrete Summation'~\cite{Discrete_Summation-AFP} through their well-known recurrence relation. The main theorem relates them to the alternative definition as cardinality of set partitions. The proof follows the simple and short explanation in Richard P. Stanley's `Enumerative Combinatorics: Volume 1'~\cite{Stanley-2012} and Wikipedia~\cite{Wikipedia-Stirling-Numbers-2015}, and unravels the full details and implicit reasoning steps of these explanations. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Cartan_FP/document/root.tex b/thys/Cartan_FP/document/root.tex --- a/thys/Cartan_FP/document/root.tex +++ b/thys/Cartan_FP/document/root.tex 
@@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Cartan Fixed Point Theorems} \author{Lawrence C. Paulson} \maketitle \begin{abstract} The Cartan fixed point theorems concern the group of holomorphic automorphisms on a connected open set of $\mathbb{C}^n$. Ciolli et al.\ \cite{ciolli-cartan} have formalised the one-dimensional case of these theorems in HOL Light. This entry contains their proofs, ported to Isabelle/HOL\@. Thus it addresses the authors’ remark that ``it would be important to write a formal proof in a language that can be read by both humans and machines.'' \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Case_Labeling/document/root.tex b/thys/Case_Labeling/document/root.tex --- a/thys/Case_Labeling/document/root.tex +++ b/thys/Case_Labeling/document/root.tex 
@@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Generating Cases from Labeled Subgoals} \author{Lars Noschinski} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{abstract} Isabelle/Isar provides \emph{named cases} to structure proofs. This article contains an implementation of a proof method \texttt{casify}, which can be used to easily extend proof tools with support for named cases. Such a proof tool must produce labeled subgoals, which are then interpreted by \texttt{casify}. As examples, this work contains verification condition generators producing named cases for three languages: The Hoare language from \texttt{HOL/Library}, a monadic language for computations with failure (inspired by the AutoCorres tool), and a language of conditional expressions. These VCGs are demonstrated by a number of example programs. \end{abstract} % generated text of all theories \input{Case_Labeling} \section{Examples} \input{Monadic_Language} \input{Conditionals} \input{Labeled_Hoare} \input{Labeled_Hoare_Examples} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Catalan_Numbers/document/root.tex b/thys/Catalan_Numbers/document/root.tex --- a/thys/Catalan_Numbers/document/root.tex +++ b/thys/Catalan_Numbers/document/root.tex 
@@ -1,41 +1,42 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Catalan Numbers} \author{Manuel Eberl} \maketitle \begin{abstract} In this work, we define the Catalan numbers $C_n$ and prove several equivalent definitions (including some closed-form formulae). We also show one of their applications (counting the number of binary trees of size $n$), prove the asymptotic growth approximation $C_n \sim \frac{4^n}{\sqrt{\pi}n^{1.5}}$, and provide reasonably efficient executable code to compute them. The derivation of the closed-form formulae uses algebraic manipulations of the ordinary generating function of the Catalan numbers, and the asymptotic approximation is then done using generalised binomial coefficients and the Gamma function. Thanks to these highly non-elementary mathematical tools, the proofs are very short and simple. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \newpage \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Category/document/root.tex b/thys/Category/document/root.tex --- a/thys/Category/document/root.tex +++ b/thys/Category/document/root.tex 
@@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{{\bf Category Theory to Yoneda's Lemma}} \author{Greg O'Keefe} \maketitle This development proves Yoneda's lemma and aims to be readable by humans. It only defines what is needed for the lemma: categories, functors and natural transformations. Limits, adjunctions and other important concepts are not included. There is no explanation or discussion in this document. See \cite{fcat4cats} for this and a survey of category theory formalisations. \tableofcontents \vspace{1cm} \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{alpha} \bibliography{root} \end{document} diff --git a/thys/Category2/document/root.tex b/thys/Category2/document/root.tex --- a/thys/Category2/document/root.tex +++ b/thys/Category2/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \newcommand{\isasymemdash}{-} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Category Theory} \author{Alexander Katovsky} \maketitle \begin{abstract} This article presents a development of Category Theory in Isabelle. A Category is defined using records and locales in Isabelle/HOL. Functors and Natural Transformations are also defined. The main result that has been formalized is that the Yoneda functor is a full and faithful embedding. We also formalize the completeness of many sorted monadic equational logic. Extensive use is made of the HOLZF theory in both cases. For an informal description see~\cite{apk}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Category3/document/root.tex b/thys/Category3/document/root.tex --- a/thys/Category3/document/root.tex +++ b/thys/Category3/document/root.tex 
@@ -1,284 +1,285 @@ \documentclass[11pt,notitlepage,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,eufrak} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \input{xy} \xyoption{curve} \xyoption{arrow} \xyoption{matrix} \xyoption{2cell} \UseAllTwocells % Even though I stayed within the default boundary in the JEdit buffer, % some proof lines wrap around in the PDF document. To minimize this, % increase the text width a bit from the default. \addtolength\textwidth{60pt} \addtolength\oddsidemargin{-30pt} \addtolength\evensidemargin{-30pt} \begin{document} \title{Category Theory with Adjunctions and Limits} \author{Eugene W. Stark\\[\medskipamount] Department of Computer Science\\ Stony Brook University\\ Stony Brook, New York 11794 USA} \maketitle \begin{abstract} This article attempts to develop a usable framework for doing category theory in Isabelle/HOL. Our point of view, which to some extent differs from that of the previous AFP articles on the subject, is to try to explore how category theory can be done efficaciously within HOL, rather than trying to match exactly the way things are done using a traditional approach. To this end, we define the notion of category in an ``object-free'' style, in which a category is represented by a single partial composition operation on arrows. This way of defining categories provides some advantages in the context of HOL, including the ability to avoid the use of records and the possibility of defining functors and natural transformations simply as certain functions on arrows, rather than as composite objects. We define various constructions associated with the basic notions, including: dual category, product category, functor category, discrete category, free category, functor composition, and horizontal and vertical composite of natural transformations. 
A ``set category'' locale is defined that axiomatizes the notion ``category of all sets at a type and all functions between them,'' and a fairly extensive set of properties of set categories is derived from the locale assumptions. The notion of a set category is used to prove the Yoneda Lemma in a general setting of a category equipped with a ``hom embedding,'' which maps arrows of the category to the ``universe'' of the set category. We also give a treatment of adjunctions, defining adjunctions via left and right adjoint functors, natural bijections between hom-sets, and unit and counit natural transformations, and showing the equivalence of these definitions. We also develop the theory of limits, including representations of functors, diagrams and cones, and diagonal functors. We show that right adjoint functors preserve limits, and that limits can be constructed via products and equalizers. We characterize the conditions under which limits exist in a set category. We also examine the case of limits in a functor category, ultimately culminating in a proof that the Yoneda embedding preserves limits. Revisions made subsequent to the first version of this article added material on equivalence of categories, cartesian categories, categories with pullbacks, categories with finite limits, and cartesian closed categories. A construction was given of the category of hereditarily finite sets and functions between them, and it was shown that this category is cartesian closed. \end{abstract} \tableofcontents \chapter{Introduction} This article attempts to develop a usable framework for doing category theory in Isabelle/HOL. Perhaps the main issue that one faces in doing this is how best to represent what is essentially a theory of a partially defined operation (composition) in HOL, which is a theory of total functions. 
The fact that in HOL every function is total means that a value must be given for the composition of any pair of arrows of a category, even if those arrows are not really composable. Proofs must constantly concern themselves with whether or not a particular term does or does not denote an arrow, and whether particular pairs of arrows are or are not composable. This kind of issue crops up in the most basic situations, such as trying to use associativity of composition to prove that two arrows are equal. Without some sort of systematic way of dealing with this issue, it is hard to do proofs of interesting results, because one is constantly distracted from the main line of reasoning by the necessity of proving lemmas that show that various expressions denote well-defined arrows, that various pairs of arrows are composable, {\em etc.} In trying to develop category theory in this setting, one notices fairly soon that some of the problem can be solved by creating introduction rules that allow the proof assistant to automatically infer, say, that a given term denotes an arrow with a particular domain and codomain from similar properties of its proper subterms. This ``upward'' reasoning helps, but it goes only so far. Eventually one faces a situation in which it is desired to prove theorems whose hypotheses state that certain terms denote arrows with particular domains and codomains, but the proof requires similar lemmas about the proper subterms. Without some way of doing this ``downward'' reasoning, it becomes very tedious to establish the necessary lemmas. Another issue that one faces when trying to formulate category theory within HOL is the lack of the set-theoretic universe that is usually assumed in traditional developments. Since there is no ``type of all sets'' in HOL, one cannot construct ``the'' category {\bf Set} of {\em all} sets and functions between them. Instead, the best one can do is consider ``a'' category of all sets and functions at a particular type. 
Although the lack of set-theoretic universe would likely cause complications for some applications of category theory, there are many applications for which the lack of a universe is not really a hindrance. So one might well adopt a point of view that accepts {\em a priori} the lack of a universe and asks instead how much of traditional category theory could be done in such a setting. There have been two previous category theory submissions to the AFP. The first \cite{OKeefe-AFP05} is an exploratory work that develops just enough category theory to enable the statement and proof of a version of the Yoneda Lemma. The main features are: the use of records to define categories and functors, construction of a category of all subsets of a given set, where the arrows are domain set/codomain set/function triples, and the use of the category of all sets of elements of the arrow type of category $C$ as the target for the Yoneda functor for $C$. The second category theory submission to the AFP \cite{Katovsky-AFP10} is somewhat more extensive in its scope, and tries to match more closely a traditional development of category theory through the use of a set-theoretic universe obtained by an axiomatic extension of HOL. Categories, functors, and natural transformations are defined as multi-component records, similarly to \cite{OKeefe-AFP05}. ``The'' category of sets is defined, having as its object and arrow type the type ZF, which is the axiomatically defined set-theoretic universe. Included in \cite{Katovsky-AFP10} is a more extensive development of natural transformations, vertical composition, and functor categories than is to be found in \cite{OKeefe-AFP05}. However, as in \cite{OKeefe-AFP05}, the main purely category-theoretic result in \cite{Katovsky-AFP10} is the Yoneda Lemma. 
Beyond the use of ``extensional'' functions, which take on a particular default value outside of their domains of definition, neither \cite{OKeefe-AFP05} nor \cite{Katovsky-AFP10} explicitly describe a systematic approach to the problem of obtaining lemmas that establish when the various terms appearing in a proof denote well-defined arrows. The present development differs in a number of respects from that of \cite{OKeefe-AFP05} and \cite{Katovsky-AFP10}, both in style and scope. The main stylistic features of the present development are as follows: \begin{itemize} \item The notion of a category is defined in an ``object-free'' style, motivated by \cite{AHS}, Sec. 3.52-3.53, in which a category is represented by a single partial composition operation on arrows. This way of defining categories provides some advantages in the context of HOL, including the possibility of avoiding extensive use of composite objects constructed using records. (Katovsky seemed to have had some similar ideas, since he refers in \cite{Katovsky-CatThy10} to a theory ``PartialBinaryAlgebra'' that was also motivated by \cite{AHS}, although this theory did not ultimately become part of his AFP article.) \item Functors and natural transformation are defined simply to be certain functions on arrows, where locale predicates are used to express the conditions that must be satisfied. This makes it possible to define functors and natural transformations easily using lambda notation without records. \item Rules for reasoning about categories, functors, and natural transformations are defined so that all ``diagrammatic'' hypotheses reduce to conjunctions of assertions, each of which states that a given entity is an arrow, has a particular domain or codomain, or inhabits a particular ``hom-set''. 
A system of introduction and elimination rules is established which permits both ``upward'' reasoning, in which such diagrammatic assertions are established for larger terms using corresponding assertions about the proper subterms, as well as ``downward'' reasoning, in which diagrammatic assertions about proper subterms are inferred from such assertions about a larger term, to be carried out automatically. \item Constructions on categories, functors, and natural transformations are defined using locales in a formulaic fashion. As an example, the product category construction is defined using a locale that takes two categories (given by their partial composition operations) as parameters. The partial composition operation for the product category is given by a function ``$comp$'' defined in the locale. Lemmas proved within the locale include the fact that $comp$ indeed defines a category, as well as characterizations of the basic notions (domain, codomain, identities, composition) in terms of those of the parameter categories. For some constructions, such as the product category, it is possible and convenient to have a ``transparent'' arrow type, which permits reasoning about the construction without having to introduce an elaborate system of constructors, destructors, and associated rules. For other constructions, such as the functor category, it is more desirable to use an ``opaque'' arrow type that hides the concrete structure, and forces all reasoning to take place using a fixed set of rules. \item Rather than commit to a specific concrete construction of a category of sets and functions a ``set category'' locale is defined which axiomatizes the properties of the category of sets with elements at a particular type and functions between such. 
In keeping with the definitional approach, the axiomatization is shown consistent by exhibiting a particular interpretation for the locale, however care is taken to to ensure that any proofs making use of the interpretation depend only on the locale assumptions and not on the concrete details of the construction. The set category axioms are also shown to be categorical, in the sense that a bijection between the sets of terminal objects of two interpretations of the locale extends to an isomorphism of categories. This supports the idea that the locale axioms are an adequate characterization of the properties of a category of sets and functions and the details of a particular concrete construction can be kept hidden. \end{itemize} A brief synopsis of the formal mathematical content of the present development is as follows: \begin{itemize} \item Definitions are given for the notions: category, functor, and natural transformation. \item Several constructions on categories are given, including: free category, discrete category, dual category, product category, and functor category. \item Composite functor, horizontal and vertical composite of natural transformations are defined, and various properties proved. \item The notion of a ``set category'' is defined and a fairly extensive development of the consequences of the definition is carried out. \item Hom-functors and Yoneda functors are defined and the Yoneda Lemma is proved. \item Adjunctions are defined in several ways, including universal arrows, natural isomorphisms between hom-sets, and unit and counit natural transformations. The relationships between the definitions are established. \item The theory of limits is developed, including the notions of diagram, cone, limit cone, representable functors, products, and equalizers. It is proved that a category with products at a particular index type has limits of all diagrams at that type. The completeness properties of a set category are established. 
Limits in functor categories are explored, culminating in a proof that the Yoneda embedding preserves limits. \end{itemize} \medskip\par\noindent {\bf Revision Notes} The 2018 version of this development was a major revision of the original (2016) version. Although the overall organization and content remained essentially the same, the 2018 version revised the axioms used to define a category, and as a consequence many proofs required changes. The purpose of the revision was to obtain a more organized set of basic facts which, when annotated for use in automatic proof, would yield behavior more understandable than that of the original version. In particular, as I gained experience with the Isabelle simplifier, I was able to understand better how to avoid some of the vexing problems of looping simplifications that sometimes cropped up when using the original rules. The new version ``feels'' about as powerful as the original version, or perhaps slightly more so. However, the new version uses elimination rules in place of some things that were previously done by simplification rules, which means that from time to time it becomes necessary to provide guidance to the prover as to where the elimination rules should be invoked. Another difference between the 2018 version of this document and the original is the introduction of some notational syntax, which I intentionally avoided in the original. An important reason for not introducing syntax in the original version was that at the time I did not have much experience with the notational features of Isabelle, and I was afraid of introducing hard-to-remove syntax that would make the development more difficult to read and write, rather than easier. (I tended to find, for example, that the proliferation of special syntax introduced in \cite{Katovsky-AFP10} made the presentation seem less readily accessible than if the syntax had been omitted.) 
In the 2018 revision, I introduced syntax for composition of arrows in a category, and for the notion of ``an arrow inhabiting a hom-set.'' The notation for composition eases readability by reducing the number of required parentheses, and the notation for asserting that an arrow inhabits a particular hom-set gives these assertions a more familiar appearance; making it easier to understand them at a glance. This document was revised again in early 2020, prior to the release of Isabelle2020. That revision incorporated the generic ``concrete category'' construction originally introduced in \cite{Bicategory-AFP}, and using it systematically as a uniform replacement for various constructions that were previously done in an {\em ad hoc} manner. These include the construction of ``functor categories'' of categories of functors and natural transformations, ``set categories'' of sets and functions, and various kinds of free categories. The awkward ``abstracted category'' construction, which had no interesting mathematical content but was present in the original version as a solution to a modularity problem that I no longer deem to be a significant issue, has been removed. The cumbersome ``horizontal composite'' locale, which was unnecessary given that in this formalization horizontal composite is given simply by function composition, has been replaced by a single lemma that does the same job. Finally, a lemma in the original version that incorrectly advertised itself as being the ``interchange law'' for natural transformations, has been changed to be the correct general statement. The current version of this document incorporates further revisions, made later in 2020 after the release of Isabelle2020. The theory ``category with pullbacks'', originally introduced in \cite{Bicategory-AFP}, was moved here and improved somewhat. 
In addition, new theories were introduced to cover additional common situations of categories with certain kinds of limits: ``cartesian category'', which concerns categories with binary products and a terminal object, ``cartesian closed category'', which additionally have exponentials, and ``category with finite limits'', which is shown to be the same as ``category with pullbacks and terminal object''. To tie things together and to verify the consistency of the locales (\emph{e.g.}~``cartesian closed category'') for which concrete interpretations have not yet been given, we construct a category whose objects correspond to the hereditarily finite sets and whose arrows correspond to functions between such sets, and we show that this category is cartesian closed and has finite limits. To facilitate this development, we generalize the ``set category'' construction to cover some cases in which not every subset of the ``universe'' need determine an object. In particular, the generalized notion of ``set category'' covers the case in which only finite sets correspond to objects. This generalization permits us to treat the category of hereditarily finite sets as a ``set category'' and to apply some results previously shown about limits in such a category. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Cauchy/document/root.tex b/thys/Cauchy/document/root.tex --- a/thys/Cauchy/document/root.tex +++ b/thys/Cauchy/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper,oneside]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality} \author{Benjamin Porter} \maketitle \tableofcontents \parindent 0pt\parskip 0.5ex \chapter*{Abstract} This document presents the mechanised proofs of two popular theorems attributed to Augustin Louis Cauchy - Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality. % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Cayley_Hamilton/document/root.tex b/thys/Cayley_Hamilton/document/root.tex --- a/thys/Cayley_Hamilton/document/root.tex +++ b/thys/Cayley_Hamilton/document/root.tex 
@@ -1,93 +1,94 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Cayley-Hamilton theorem} \author{Stephan Adelsberger \and Stefan Hetzl \and Florian Pollak} \maketitle \begin{abstract} This document contains a proof of the Cayley-Hamilton theorem based on the development of matrices in HOL/Multivariate\_Analysis. \end{abstract} \tableofcontents \section{Introduction}\label{subsec:intro} The Cayley-Hamilton theorem states that every square matrix is a zero of its own characteristic polynomial, in symbols: $\chi_A(A) = 0$. It is a central theorem of linear algebra and plays an important role for matrix normal form theory. In this document we work with matrices over a commutative ring $R$ and give a direct algebraic proof of the theorem. The starting point of the proof is the following fundamental property of the adjugate matrix \begin{equation} \mathrm{adj}(B) \cdot B = B \cdot \mathrm{adj}(B) = \mathrm{det}(B) I_n\label{eq_fund_adj} \end{equation} where $I_n$ denotes the $n\times n$-identity matrix and $\mathrm{det}(B)$ the determinant of $B$. Recall that the characteristic polynomial is defined as $\chi_A(X) = \mathrm{det}(X I_n - A)$, i.e. as the determinant of a matrix whose entries are polynomials. Considering the adjugate of this matrix we obtain \begin{equation} (X I_n - A)\cdot\mathrm{adj}(X I_n - A) = \chi_A(X) I_n\label{eq_fund_adj_char_mat} \end{equation} directly from~(\ref{eq_fund_adj}). 
Now, $\mathrm{adj}(X I_n - A)$ being a matrix of polynomials of degree at most $n-1$ can be written as \begin{equation} \mathrm{adj}(X I_n - A) = \sum_{i=0}^{n-1} X^i B_i\ \mbox{for $B_i \in R^{n\times n}$}.\label{eq_basis_adj_mat} \end{equation} A straightforward calculation starting from~(\ref{eq_fund_adj_char_mat}) using~(\ref{eq_basis_adj_mat}) then shows that \begin{equation} \chi_A(X) I_n = X^n B_{n-1} + \sum_{i=1}^{n-1} X^i(B_{i-1} - A \cdot B_i) - A\cdot B_0.\label{eq_charpoly_simp} \end{equation} Now let $c_i$ be the coefficient of $X^i$ in $\chi_A(X)$. Then equating the coefficients in~(\ref{eq_charpoly_simp}) yields \begin{eqnarray*} B_{n-1} & = & I_n,\\ B_{i-1} - A \cdot B_i & = & c_i I_n\ \mbox{for $1\leq i \leq n-1$},\ \mbox{and}\\ -A \cdot B_0 & = & c_0 I_n. \end{eqnarray*} Multiplying the $i$-th equation with $A^i$ from the left gives \begin{eqnarray*} A^n \cdot B_{n-1} & = & A^n,\\ A^i \cdot B_{i-1} - A^{i+1} \cdot B_i & = & c_i A_i\ \mbox{for $1\leq i \leq n-1$},\ \mbox{and}\\ -A \cdot B_0 & = & c_0 I_n \end{eqnarray*} which shows that \[ \chi_A(A) I_n = A^n + c_{n-1} A^{n-1} + \cdots + c_1 A + c_0 I_n = 0 \] and hence $\chi_A(A) = 0$ which finishes this proof sketch. There are numerous other proofs of the Cayley-Hamilton theorem, in particular the one formalized in Coq by Sidi Ould Biha~\cite{Biha08Formalisation,Biha10Composants}. This proof also starts with the fundamental property of the adjugate matrix but instead of the above calculation relies on the existence of a ring isomorphism between $\mathcal{M}_n(R[X])$, the matrices of polynomials over $R$, and $(\mathcal{M}_n(R))[X]$, the polynomials whose coefficients are matrices over $R$. On the upside, this permits a briefer and more abstract argument (once the background theory contains all prerequisites) but on the downside one has to deal with the mathematically subtle evaluation of polynomials over the non-commutative({\bf !}) ring $\mathcal{M}_n(R)$. 
As described nicely in~\cite{Biha10Composants} this evaluation is no longer a ring homomorphism. However, its use in the proof of the Cayley-Hamilton theorem is sufficiently restricted so that one can work around this problem. Sections~\ref{sec.poly.ext},~\ref{sec.det.ext}, and~\ref{sec.mat} contain basic results about matrices and polynomials which are needed for the proof of the Cayley-Hamilton theorem in addition to the results which are available in the library. Section~\ref{sec.mat.poly} contains basic results about matrices of polynomials, including the definition of the characteristic polynomial and proofs of some of its basic properties. Finally, Section~\ref{sec.ch} contains the proof of the Cayley-Hamilton theorem as outlined above. % sane default for proof documents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Certification_Monads/document/root.tex b/thys/Certification_Monads/document/root.tex --- a/thys/Certification_Monads/document/root.tex +++ b/thys/Certification_Monads/document/root.tex 
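Review bot: the introduction in this hunk has a typo in the second displayed system of equations: after multiplying the $i$-th equation by $A^i$ from the left, the right-hand side should read `c_i A^i`, not `c_i A_i` (the surrounding terms `A^i \cdot B_{i-1}` and `A^{i+1} \cdot B_i` use superscripts, and the final sum `A^n + c_{n-1} A^{n-1} + \cdots + c_1 A + c_0 I_n` confirms it). Since this file is being edited anyway, suggest fixing `c_i A_i` to `c_i A^i`.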
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage[english]{babel} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Certification-Monads\thanks{This research is supported by FWF (Austrian Science Fund) projects J3202 and P22767.}} \author{Christian Sternagel and Ren\'e Thiemann} \maketitle \begin{abstract} This entry provides several monads intended for the development of stand-alone certifiers via code generation from Isabelle/HOL. More specifically, there are three flavors of error monads (the sum type, for the case where all monadic functions are total; an instance of the former, the so called check monad, yielding either success without any further information or an error message; as well as a variant of the sum type that accommodates partial functions by providing an explicit bottom element) and a parser monad built on top. All of this monads are heavily used in the IsaFoR/CeTA project which thus provides many examples of their usage. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Chandy_Lamport/document/root.tex b/thys/Chandy_Lamport/document/root.tex --- a/thys/Chandy_Lamport/document/root.tex +++ b/thys/Chandy_Lamport/document/root.tex 
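Review bot: `\usepackage[english]{babel}` is loaded after `\usepackage{pdfsetup}`, contradicting the comment `% this should be the last package used` directly above it; the new fontenc line is placed correctly before `isabelle`, so suggest moving the babel line up next to it (fontenc before babel is the recommended order). Also a small grammar fix in the abstract: `All of this monads are heavily used` should read `All of these monads are heavily used`.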
@@ -1,70 +1,71 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage{authblk} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \title{A formal proof of the Chandy--Lamport distributed snapshot algorithm} \author[1]{Ben Fiedler} \author[1]{Dmitriy Traytel} \affil[1]{ETH Z\"urich} \begin{document} \maketitle \begin{abstract} We provide a suitable distributed system model and implementation the Chandy--Lamport distributed snapshot algorithm~\cite{chandy}. Our main result is a formal termination and correctness proof of the Chandy--Lamport algorithm and its use in stable property detection. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Chord_Segments/document/root.tex b/thys/Chord_Segments/document/root.tex --- a/thys/Chord_Segments/document/root.tex +++ b/thys/Chord_Segments/document/root.tex 
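Review bot: the abstract is missing a word: `We provide a suitable distributed system model and implementation the Chandy--Lamport distributed snapshot algorithm` should read `... and implementation of the Chandy--Lamport ...`. Worth fixing in the same commit since the file is already being touched.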
@@ -1,177 +1,178 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{gensymb} \usepackage{textcomp} \usepackage{cite} \usepackage{tikz} \usetikzlibrary{shadings,intersections} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % notation and presentation style for geometric expressions \newcommand{\length}[1]{\overline{#1}} \begin{document} \title{Intersecting Chords Theorem} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry provides a geometric proof of the intersecting chords theorem. The theorem states that when two chords intersect each other inside a circle, the products of their segments are equal. After a short review of existing proofs in the literature~\cite{proofwiki:chord-theorem, knorr-1989, birkhoff-beatley-1959, harrison}, I decided to use a proof approach that employs reasoning about lengths of line segments, the orthogonality of two lines and Pythagoras Law. Hence, one can understand the formalized proof easily with the knowledge of a few general geometric facts that are commonly taught in high-school. This theorem is the 55th theorem of the Top 100 Theorems list. \end{abstract} \tableofcontents \section{Introduction} The intersecting chords theorem states: \begin{quote} When two chords intersect each other inside a circle, the products of their segments are equal. \end{quote} To prove this theorem in Isabelle, I reviewed existing formalizations in theorem provers and proofs in the literature~\cite{proofwiki:chord-theorem, knorr-1989, birkhoff-beatley-1959, harrison}. At the time of this AFP submission, the formalization of geometry in Isabelle is limited to only a few concepts and theorems. Hence, I selected to formalize the proof approach that fitted best to the already existing geometry formalizations. 
The proof in HOL Light~\cite{harrison} simply unfolds the involved geometric predicates and then proves the theorem using only algebraic computations on real numbers. By a quick and shallow inspection of the proof script without executing the proof script step by step in HOL Light, I could not understand the proof script well enough to re-write the proof in Isabelle. As running the script in HOL Light seemed too involved to me, I ignored HOL Light's proof approach and considered the other approaches in the literature. The first proof approach~\cite{proofwiki:chord-theorem} that I found in the literature employs similarity of triangles, the inscribed angle theorem, and basic reasoning with angles. The intersecting chords theorem only consists of two reasoning steps after stating the geometric observations about angles. However, the proof requires to formalize the concept of similarity of triangles, extend the existing formalization of angles, and prove the inscribed angle theorem. So, I abandoned this proof approach and considered the second proof approach. The second proof approach~\cite{proofwiki:chord-theorem} needs only basic geometric reasoning about lengths of line segments, the orthogonality of two lines and Pythagoras Law. More specifically, one must prove that the line that goes through the apex and the midpoint of the base in an isosceles triangle is orthogonal to the base. This is easily derived from the property of an isosceles triangle using the congruence properties of triangles, which is already formalized in AFP's Triangle entry~\cite{Triangle-AFP}. Furthermore, Pythagoras Law is a special case of the Law of Cosines, which is already formalized in AFP's Triangle entry. Ultimately, I decided to use this second proof approach, which I sketch in more detail in the next subsection. \subsection{Informal Proof Sketch} The proof of the intersecting chords theorem relies on the following observation which is depicted in Figure \ref{fig:chord-property}. 
\begin{figure} \begin{tikzpicture} \coordinate [label=above:$C$] (C) at (0,0); \coordinate [label=below:$S$] (S) at (-4,-3); \coordinate [label=below:$T$] (T) at (4,-3); \coordinate [label=below:$X$] (X) at (1,-3); \coordinate [label=below:$M$] (M) at (0,-3); \draw (S) -- (T); \draw (S) -- (C); \draw (T) -- (C); \draw (M) -- (C); \draw (X) -- (C); % draw an arc from S T with center C % and extend this arc by 10 degrees beyond S and T % to show a nicely clipped part of the relevant arc. \pgfmathparse{atan2(-3, -4) - 10}; \pgfmathsetmacro{\startangle}{\pgfmathresult)}; \pgfmathparse{atan2(-3, 4) + 10}; \pgfmathsetmacro{\endangle}{\pgfmathresult)}; \coordinate (S') at (\startangle : 5); \draw [dashed] (S') arc ( \startangle : \endangle : 5); \draw (0.2,-3) arc (0:90:0.2); \coordinate [label=right:\tiny{90\textdegree}] (C) at (0.15,-2.8); \end{tikzpicture} \caption{Key Lemma states $\length{SX} \cdot \length{XT} = \length{SC} ^ 2 - \length{XC} ^ 2$} \label{fig:chord-property} \end{figure} Instead of considering \emph{two} arbitrary chords intersecting, consider \emph{one} arbitrary chord with endpoints $S$ and $T$ on a circle with center $C$ and one arbitrary point $X$ on the chord $ST$. This point $X$ on the chord creates two line segments on this chord, the left part $SX$, and the right part $XT$. Without loss of generality, we can assume that $SX$ is longer that $XT$, as shown in Figure \ref{fig:chord-property}. The key lemma for the intersecting chords theorem provides a closed expression for the length of these two line segment using the distances of the chord endpoints and the point to the center $C$, i.e., the lemma states: \begin{quote} $\length{SX} \cdot \length{XT} = \length{SC} ^ 2 - \length{XC} ^ 2$. \end{quote} To prove this fact, we consider the midpoint $M$ of the chord $ST$. First, as $M$ is the midpoint, $\length{SM}$ and $\length{TM}$ are equal. 
Second, we observe that the lengths of the line segments $SX$ and $XT$ are: \begin{quote} $\length{SX} = \length{SM} + \length{MX}$ and $\length{XT} = \length{TM} - \length{MX} = \length{SM} - \length{MX}$. \end{quote} Third, the Pythagoras law for the triangles $SMC$ and $XMC$ states: \begin{quote} $\length{SM} ^ 2 + \length{MC} ^ 2 = \length{SC} ^ 2$ and $\length{XM} ^ 2 + \length{MC} ^ 2 = \length{XC} ^ 2$. \end{quote} Finally, the product can be expressed as: \begin{quote} $\length{SX} \cdot \length{XT} = (\length{SM} + \length{MX}) \cdot (\length{TM} - \length{MX}) = \length{SM} ^ 2 - \length{MX} ^ 2 = (\length{SC} ^ 2 - \length{MC} ^ 2) - (\length{XC} ^ 2 - \length{MC} ^ 2) = \length{SC} ^ 2 - \length{XC} ^ 2$. \end{quote} The intersecting chord theorem now follows directly from this lemma: as the distances $SC$ and $XC$ for two arbitrary chords intersecting at $X$ are equal, also the products of the chord segments are equal. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Circus/document/root.tex b/thys/Circus/document/root.tex --- a/thys/Circus/document/root.tex +++ b/thys/Circus/document/root.tex 
@@ -1,979 +1,980 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{graphicx} %\usepackage{isabelle,isabellesym} \usepackage{proof} %\usepackage{isabelle} %\usepackage[isasymonly]{hol-ocl-isar} \usepackage{hol-ocl-isar} \usepackage{amsmath} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % way no ... bu \usepackage[draft]{fixme} % urls in roman style, theory text in math-similar italics \urlstyle{rm} %\isabellestyle{it} \newcommand{\bgtt}{\bgroup\isabellestyle{default}\isabellestyle{tt}\isastyle% \renewcommand{\isadigit}[1]{##1}} \newcommand{\entt}{\egroup} %\renewenvironment{isatagML}{\bgtt}{\entt} %\isadroptag{ML} \newcommand{\isasymboxplus}{\isamath{\boxplus}} \newcommand{\isactrlcircusaction}{} \newcommand{\isactrlbegincircusschema}{} \newcommand{\isactrlendcircusschema}{} \newcommand{\ie}{\textit{i.e.}\ } \newcommand{\eg}{\textit{e.g.}\ } \newcommand{\wrt}{\textit{w.r.t.}\ } \usepackage{listings} \usepackage{lstisar-mbt} \usepackage{multicol} \usepackage[color]{circus} \begin{document} \title{Isabelle/Circus} \author{Abderrahmane Feliachi, Marie-Claude Gaudel, Makarius Wenzel \\ and Burkhart Wolff} \maketitle \begin{abstract} The Circus specification language combines elements for complex data and behavior specifications, using an integration of Z and CSP with a refinement calculus. Its semantics is based on Hoare and He's unifying theories of programming (UTP). Isabelle/Circus is a formalization of the UTP and the Circus language in Isabelle/HOL. It contains proof rules and tactic support that allows for proofs of refinement for Circus processes (involving both data and behavioral aspects). This environment supports a syntax for the semantic definitions which is close to textbook presentations of Circus. These theories are presented with details in \cite{fgw11rapport-lri}. This document is a technical appendix of this report. 
\end{abstract} \tableofcontents \begin{center} \includegraphics[width=\textwidth,height=\textheight,keepaspectratio]{session_graph} \end{center} \newpage \section{Introduction} Many systems involve both complex (sometimes infinite) data structures and interactions between concurrent processes. Refinement of abstract specifications of such systems into more concrete ones, requires an appropriate formalisation of refinement and appropriate proof support. There are several combinations of process-oriented modeling languages with data-oriented specification formalisms such as Z or B or CASL; examples are discussed in \cite{Butler99csp2b:a,Fischer:1998:CZP:647283.722938,Taguchi:1997:SCS:523981.852142,Roggenbach:2006}. In this paper, we consider \Circus\ \cite{WC02}, a language for refinement, that supports modeling of high-level specifications, designs, and concrete programs. It is representative of a class of languages that provide facilities to model data types, using a predicate-based notation, and patterns of interactions, without imposing architectural restrictions. It is this feature that makes it suitable for reasoning about both abstract and low-level designs. We present a ``shallow embedding'' of the \Circus\ semantics enabling state variables and channels in \Circus\ to have arbitrary HOL types. Therefore, the entire handling of typing can be completely shifted to the (efficiently implemented) Isabelle type-checker and is therefore implicit in proofs. This drastically simplifies definitions and proofs, and makes the reuse of standardized proof procedures possible. Compared to implementations based on a ``deep embedding'' such as \cite{ZC09} this significantly improves the usability of the resulting proof environment. Our representation brings particular technical challenges and contributions concerning some important notions about variables. 
The main challenge was to represent alphabets and bindings in a typed way that preserves the semantics and improves deduction. We provide a representation of bindings without an explicit management of alphabets. However, the representation of some core concepts in the unifying theories of programming (UTP) and \Circus\ constructs (variable scopes and renaming) became challenging. Thus, we propose a (stack-based) solution that allows the coding of state variables scoping with no need for renaming. This solution is even a contribution to the UTP theory that does not allow nested variable scoping. Some challenging and tricky definitions (e.g. channels and name sets) are explained in this paper. This paper is organized as follows. The next section gives an introduction to the basics of our work: Isabelle/HOL, UTP and \Circus\ with a short example of a \Circus\ process. In Section \ref{Section:CircusHOL}, we present our embedding of the basic concepts of \Circus\ (alphabet, variables ...). We introduce the representation of some \Circus\ actions and process, with an overview of the Isabelle/\Circus\ syntax. In Section \ref{Section:framework}, we show on an example, how Isabelle/\Circus\ can be used to write specifications. We give some details on what %the system is happening ``behind the scenes'' when the system parses each part of the specification. In the last part of this section, we show how to write proofs based on specifications, and give a refinement proof example. A more developed version of this paper can be found in \cite{fgw11rapport-lri}. \section{Background} \label{Section:background} \subsection{Isabelle, HOL and Isabelle/HOL} \label{IsaHOL} \subsubsection{isar} \cite{nipkow.ea:isabelle:2002} is a generic theorem prover implemented in SML. It is based on the so-called ``LCF-style architecture'', which makes it possible to extend a small trusted logical kernel by user-programmed procedures in a logically safe way. 
New object logics can be introduced to Isabelle by specifying their syntax and semantics, by deriving its inference rules from there and program specific tactic support for the object logic. Isabelle is based on a typed $\lambda$-calculus including a Haskell-style type-system with type-classes (e.g. in $\alpha::\text{order}$, the type-variable ranges over all types that posses a partial ordering.) \subsubsection{Higher-order logic (HOL)}~\cite{church:types:1940,andrews:introduction:2002} is a classical logic based on a simple type system. It provides the usual logical connectives like $\_ \land \_$, $\_ \implies\_$, $\lnot \_ $ as well as the object-logical quantifiers $\forall x\spot P\ x$ and $\exists x\spot P\ x$; in contrast to first-order logic, quantifiers may range over arbitrary types, including total functions $f :: \alpha \Rightarrow \beta$. HOL is centered around extensional equality $\_ = \_ :: \alpha \Rightarrow \alpha \Rightarrow \text{bool}$. HOL is more expressive than first-order logic, since, \eg, induction schemes can be expressed inside the logic. Being based on some polymorphically typed $\lambda$-calculus, HOL can be viewed as a combination of a programming language like SML or Haskell and a specification language providing powerful logical quantifiers ranging over elementary and function types. \subsubsection{Isabelle/HOL} is an instance of Isabelle with higher-order logic. It provides a rich collection of library theories like sets, pairs, relations, partial functions lists, multi-sets, orderings, and various arithmetic theories which only contain rules derived from conservative, \ie logically safe definitions. Setups for the automated proof procedures like \inlineisar{simp}, \inlineisar{auto}, and arithmetic types such as \inlineisar{int} are provided. 
\subsection{Advanced Specification Constructs in Isabelle/HOL} \label{Subsection:advconstructs} \subsubsection{Constant definitions.} In its easiest form, constant definitions are definitional logical axioms of the form $c \equiv E$ where c is a fresh constant symbol not occurring in $E$ which is closed (both wrt. variables and type variables). For example: \begin{isar} definition upd::(\\\)\\\\\(\\\) ("_(|_ := _|)") where "upd f x v \ \ z. if x=z then v else f z" \end{isar} The pragma \inlineisar+("_(| _ := _|)")+ for the Isabelle syntax engine introduces the notation \inlineisar+f(|x:=y|)+ for \inlineisar+upd f x y+. Moreover, some elaborate preprocessing allows for recursive definitions, provided that a termination ordering can be established. Such recursive definitions are thus internally reduced to definitional axioms. \subsubsection{Type definitions.} Types can be introduced in Isabelle/HOL in different ways. The most general way to safely introduce new types is using the \inlineisar+typedef+ construct. This allows introducing a type as a non-empty subset of an existing type. More precisely, the new type is specified to be isomorphic to this non-empty subset. For instance: \begin{isar} typedef mytype = "{x::nat. x < 10}" \end{isar} This definition requires that the set is non-empty: \inlineisar+\x. x\{x::nat. x<10}+, which is easy to prove in this case: \begin{isar} by (rule_tac x = 1 in exI, simp) \end{isar} where \inlineisar+rule_tac+ is a tactic that applies an introduction rule, and \inlineisar+exI+ corresponds to the introduction of the existential quantification. Similarly, the \inlineisar+datatype+ command allows the definition of inductive datatypes. It introduces a datatype using a list of \emph{constructors}. 
For instance, a logical compiler is invoked for the following introduction of the type \inlineisar+option+: \begin{isar} datatype \ option = None | Some \ \end{isar} which generates the underlying type definition and derives distinctness rules and induction principles. Besides the \emph{constructors} \inlineisar+None+ and \inlineisar+Some+, the following match-operator and his rules are also generated: $\HolCase\ap x\ap\HolOf~\HolNone \isasymRightarrow ...\ap \mid \HolSome{a} \isasymRightarrow ...$ \subsubsection{Extensible records.} Isabelle/HOL's support for \emph{extensible records} is of particular importance for our work. Record types are denoted, for example, by: \begin{isar} record T = a::T_1 b::T_2 \end{isar} which implicitly introduces the record constructor \inlineisar+(|a:=e_1,b:=e_2|)+ and the update of record r in field a, written as \inlineisar+r(|a:= x|)+. Extensible records are represented internally by cartesian products with an implicit free component $\delta$, i.e. in this case by a triple of the type \inlineisar+T_1 \ T_2 \ \+. The third component can be referenced by a \emph{special selector} \inlineisar+more+ available on extensible records. Thus, the record \inlineisar+T+ can be extended later on using the syntax: \begin{isar} record ET = T + c::T_3 \end{isar} The key point is that theorems can be established, once and for all, on \inlineisar+T+ types, even if future parts of the record are not yet known, and reused in the later definition and proofs over \inlineisar+ET+-values. Using this feature, we can model the effect of defining the alphabet of UTP processes incrementally while maintaining the full expressivity of HOL wrt. the types of \inlineisar+T_1+, \inlineisar+T_2+ and \inlineisar+T_3+. 
\subsection{\Circus\ and its UTP Foundation} \label{CircusUTP} \Circus\ is a formal specification language \cite{WC02} which integrates the notions of states and complex data types (in a Z-like style) and communicating parallel processes inspired from CSP. From Z, the language inherits the notion of a schema used to model sets of (ground) states as well as syntactic machinery to describe pre-states and post-states; from CSP, the language inherits the concept of \emph{communication events} and typed communication channels, the concepts of deterministic and non-deterministic choice (reflected by the process combinators $P~\square~P'$ and $P~\sqcap~P'$), the concept of concealment (hiding) $P \backslash A$ of events in $A$ occurring in in the evolution of process $P$. Due to the presence of state variables, the \Circus\ synchronous communication operator syntax is slightly different frome CSP: $P\ \llbracket\ n \ |\ c\ |\ n'\ \rrbracket P'$ means that $P$ and $P'$ communicate via the channels mentioned in $c$; moreover, $P$ may modify the variables mentioned in $n$ only, and $P'$ in $n'$ only, $n$ and $n'$ are disjoint name sets. Moreover, the language comes with a formal notion of refinement based on a denotational semantics. It follows the failure/divergence semantics \cite{Roscoe:1997:TPC:550448}, (but coined in terms of the UTP \cite{CircusDS}) providing a notion of execution trace \inlineisar+tr+, refusals \inlineisar+ref+, and divergences. %(see below)). It is expressed in terms of the UTP \cite{HJ98} which makes it amenable to other refinement-notions in UTP. 
%The semantics allows Figure \ref{figure:Fig} presents a simple \Circus\ specification, \inlineisar+FIG+, the fresh identifiers generator.\\ \vspace{-.8cm} \begin{figure}[h] \begin{zed} [ID] \end{zed} \vspace{-.8cm} \begin{circus} \circchannel\ req\\ \circchannel\ ret, out: ID \end{circus} \vspace{-.9cm} \begin{circus} \circprocess\ FIG ~~\circdef~~ \circbegin\ \end{circus} \vspace{-1.0cm} \begin{circusaction} \circstate\ S ~~==~~ [~ idS: \power~ID ~] \end{circusaction} \vspace{-1.0cm} \begin{circusaction} Init ~~\circdef~~ idS := \emptyset \end{circusaction}% \vspace{-1.2cm} \begin{multicols}{2} \begin{schema}{Out} \Delta S \\ v!: ID \where v! \notin idS \\ idS' = idS \cup \{ v! \} \end{schema}% \begin{schema}{Remove} \Delta S \\ x?: ID \where idS' = idS \setminus \{ x? \} \end{schema}% \end{multicols} \vspace{-.5cm} \begin{circusaction} \circspot\ Init \circseq\ \circvar\ v : ID \circspot\ \\ (\circmu\ X \circspot\ (req \then Out \circseq\ out!v \then \Skip\ \extchoice\ ret?x \then Remove)\circseq\ X) \end{circusaction} \vspace{-.9cm} \begin{circus} \circend\ \end{circus} \vspace{-1cm} \caption{\label{figure:Fig} The Fresh Identifiers Generator in (Textbook) \Circus\ } \vspace{-.55cm} \end{figure} \subsubsection{Predicates and Relations.} The UTP is a semantic framework based on an alphabetized relational calculus. An \emph{alphabetized predicate} is a pair ($alphabet$, $predicate$) where the free variables appearing in the predicate are all in the alphabet, e.g. $(\{x, y\}, x > y)$. As such, it is very similar to the concept of a \emph{schema} in Z. In the base theory Isabelle/UTP of this work, we represent alphabetized predicates by sets of (extensible) records, e.g. \inlineisar+{A. x A > y A}+. An \emph{alphabetized relation} is an alphabetized predicate where the alphabet is composed of input (undecorated) and output (dashed) variables. 
In this case the predicate describes a relation between input and output variables, for example $(\{x, x', y, y'\}, x' = x + y)$ which is a notation for: \inlineisar*{(A,A').x A' = x A + y A}*, which is a set of pairs, thus a relation. Standard predicate calculus operators are used to combine alphabetized predicates. The definition of these operators is very similar to the standard one, with some additional constraints on the alphabets. \subsubsection{Designs and processes.} \label{sec:design-and-processes} In UTP, in order to explicitly record the termination of a program, a subset of alphabetized relations is introduced. These relations are called $designs$ and their alphabet should contain the special boolean observational variable \inlineisar+ok+. % This variable It is used to record the start and termination of a program. A UTP design is defined as follows in Isabelle: \begin{isar} (P \ Q) \ \ (A,A'). (ok A \ P (A,A')) \ (ok A' \ Q (A,A')) \end{isar} Following the way of UTP to describe reactive processes, % we need to add more observational variables are needed to record the interaction %of these processes with the environment. Three observational variables are defined for this subset of relations: \inlineisar+wait+, \inlineisar+tr+ and \inlineisar+ref+. The boolean variable \inlineisar+wait+ records if the process is waiting for an interaction or has terminated. \inlineisar+tr+ records the list (trace) of interactions the process has performed so far. The variable \inlineisar+ref+ contains the set of interactions (events) the process may refuse to perform. These observational variables defines the basic alphabet of all reactive processes called ``\inlineisar+alpha_rp+''. Some healthiness conditions are defined over \inlineisar+wait+, \inlineisar+tr+ and \inlineisar+ref+ to ensure that a recative process satisfies some properties \cite{CW06} (see Table 2 in \cite{fgw11rapport-lri}). 
A CSP process is a UTP reactive process that satisfies two additional healthiness conditions% called $CSP1$ and $CSP2$ (all well-formedness conditions can be found in \cite{fgw11rapport-lri}). A process that satisfies these conditions is said to be CSP healthy. \section{Isabelle/\Circus } \label{Section:CircusHOL} \begin{figure}[h] \vspace{-0.6 cm} \begin{minipage}{5cm} $ \begin{array}{lcl} % ----------------------------------------------------------------% \mathsf{Process} & % \mathsf{::=} & \mathsf{\textbf{circusprocess}\ Tpar^*\ name\ \textbf{=}\ PParagraph^*\ \textbf{where}\ Action} \ \\ % \mathsf{PParagraph} & % \mathsf{::=} & \mathsf{AlphabetP }\ \mathsf{|}\ \mathsf{StateP }\ \mathsf{|}\ \mathsf{ ChannelP }\ \mathsf{|}\ \mathsf{ NamesetP }\ \mathsf{|}\ \mathsf{ ChansetP }\ \mathsf{|}\ \mathsf{ SchemaP }\ \\% & \mathsf{|}\ & \mathsf{ ActionP} \ \\ % \mathsf{AlphabetP} & % \mathsf{::=} & \mathsf{\textbf{alphabet}\ \textbf{[ }\ vardecl^+\ \textbf{] }} \ \\ % \mathsf{vardecl} & % \mathsf{::=} & \mathsf{name::type} \ \\ % \mathsf{StateP} & % \mathsf{::=} & \mathsf{\textbf{state}\ \textbf{[ }\ vardecl^+\ \textbf{] }} \ \\ % \mathsf{ChannelP} & % \mathsf{::=} & \mathsf{\textbf{channel}\ \textbf{[ }\ chandecl^+\ \textbf{] }} \ \\ % \mathsf{chandecl} & % \mathsf{::=} & \mathsf{name\ }\ \mathsf{|}\ \mathsf{\ name\ type} \ \\ % \mathsf{NamesetP} & % \mathsf{::=} & \mathsf{\textbf{nameset}\ name\ \textbf{=\ [ }\ name^+\ \textbf{] }} \ \\ % \mathsf{ChansetP} & % \mathsf{::=} & \mathsf{\textbf{chanset}\ name\ \textbf{=\ [ }\ name^+\ \textbf{] }} \ \\ % \mathsf{SchemaP} & % \mathsf{::=} & \mathsf{\textbf{schema}\ name\ \textbf{=\ }\ SchemaExpression} \ \\ % \mathsf{ActionP} & % \mathsf{::=} & \mathsf{\textbf{action}\ name\ \textbf{=\ }\ Action} \ \\ % \mathsf{Action} & % \mathsf{::=} & \mathsf{\textbf{Skip} }\ \mathsf{|}\ \mathsf{ \textbf{Stop} }\ \mathsf{|}\ \mathsf{ Action\ ; Action }\ \mathsf{|}\ \mathsf{ Action\ \square\ Action }\ \mathsf{|}\ \mathsf{ Action\ \sqcap\ 
Action} \ \\ % & \mathsf{|} & \mathsf{Action\ \backslash\ chansetN}\ \mathsf{|}\ \mathsf{var := expr}\ \mathsf{|}\ \mathsf{guard\ \&\ Action}\ \mathsf{|}\ \mathsf{comm\ \rightarrow\ Action} \\ % & \mathsf{|} & \mathsf{\textbf{Schema}\ name}\ \mathsf{|}\ \mathsf{ActionName}\ \mathsf{|}\ \mathsf{\mu\ var\ @\ Action}\ \mathsf{|}\ \mathsf{\textbf{var}\ var\ @\ Action }\ \\ % & \mathsf{|} & \mathsf{Action\ \llbracket\ namesetN\ |\ chansetN\ |\ namesetN\ \rrbracket\ Action}\ \\ % %----------------------------------------------------------------% \end{array} $ \caption{\label{figure:CircSynt} Isabelle/\Circus\ syntax} \end{minipage} \vspace{-0.4 cm} \end{figure} The Isabelle/\Circus\ environment %allows for allows a syntax of processes which is close to the textbook presentations of \Circus\ (see Fig. \ref{figure:CircSynt}). Similar to other specification constructs in Isabelle/HOL, this syntax is ``parsed away", \ie{} compiled into an internal representation of the denotational semantics of \Circus , which is a formalization in form of a shallow embedding of the (essentially untyped) paper-and-pencil definitions by Oliveira et al. \cite{CircusDS}, based on UTP. \Circus\ actions are defined as CSP healthy reactive processes. In the UTP representation of reactive processes we have given in a previous paper \cite{feliachi:uznifying-theories:2010}, %we mentioned that the process type is generic. It contains two type parameters that represent the channel type and the alphabet of the process. These parameters are very general, and they are instantiated for each specific process. This could be problematic when representing the \Circus\ semantics, since some definitions rely directly on variables and channels (e.g assignment and communication). In this section we present our solution to deal with this kind of problems, and our representation of the \Circus\ actions and processes. 
We now describe the foundation as well as the semantic definition of some process operators of \Circus . A distinguishing feature of \Circus\ processes are explicit state variables which do not exist in other process algebras like, e.g., CSP. These can be: \begin{itemize} \item \emph{global} state variables, \ie{} they are declared via alphabetized predicates in the \inlineisar+state+ section, or Z-like $\Delta$ operations on global states that generate alphabetized relations, or \item \emph{local} state variables, \ie{} they are result of the variable declaration statement $\mathsf{\textbf{var}\ var\ @\ Action }$. The scope of local variables is restricted to $\mathsf{Action}$. \end{itemize} On both kind of state variables, logical constraints may be expressed. \subsection{Alphabets and Variables} In order to define the set of variables of a specification, the \Circus\ semantics %language describes considers the alphabet of its components, be it on the level of alphabetized predicates, alphabetized relations or actions. We recall that these items are represented by sets of records or sets of pairs of records. %following the idea that The \emph{alphabet of a process} is defined by extending the basic reactive process alphabet (cf. Section \ref{sec:design-and-processes} ) by its %the corresponding variable names and types. For the example $FIG$, where the global state variable $idS$ is defined, this is reflected in Isabelle/Circus by the extension of the process alphabet by this variable, i.e. by the extension of the Isabelle/HOL record: \begin{isar} record \ alpha = \ alpha_rp + idS :: ID set \end{isar} This introduces the record type \inlineisar+alpha+ that contains the observational variables of a reactive process, plus the variable \inlineisar+idS+. Note that our \Circus\ semantic representation allows ``built-in'' bindings of alphabets in a typed way. Moreover, there is no restriction on the associated HOL type. 
However, the inconvenience of this representation is that variables cannot be introduced ``on the fly''; they must be known statically i.e. at type inference time. Another consequence is that a "syntactic" operation such as variable renaming has to be expressed as a "semantic" operation that maps one record type into another. \subsubsection{Updating and accessing global variables.}\label{sec:updating_global} Since the alphabets are represented by HOL records, i.e. a kind binding "$name \mapsto value$", we need a certain infrastructure to access data in them and to update them. The Isabelle representation as records gives us already two functions (for each record)``select'' and ``update''. The ``select'' function returns the value of a given variable name, and the ``update'' functions updates the value of this variable. Since we may have different HOL types for different variables, a unique definition for select and update cannot be provided. There is an instance of these functions for each variable in the record. The name of the variable is used to distinguish the different instances: for the select function the name is used directly and for the update function the name is used as a prefix e.g. for a variable named ``x" the names of the \emph{select} and \emph{update} functions are respectively \inlineisar+x+ of type \inlineisar+\+ and \inlineisar+x_update+. Since a variable is characterized essentially by these functions, we define a general type (synonym) called \inlineisar+var+ which represents a variable as a pair of its select and update function (in the underlying state \inlineisar+\+). \begin{isar} types (\, \) var = "(\ \ \) * ((\ \ \) \ \ \ \)" \end{isar} For a given alphabet (record) of type \inlineisar+\+, \inlineisar+(\, the type \) var+ represents the type of the variables whose value type is \inlineisar+\+. 
One can then extract the select and update functions from a given variable with the following functions: \begin{isar} definition select :: "(\, \) var \ \ \ \" where select f \ (fst f) definition update :: "(\, \) var \ \ \ \ \ \" where update f v \ (snd f) (\ _ . v) \end{isar} Finally, we introduce a function called \inlineisar+VAR+ to implement a syntactic translation of a variable name to an entity of type \inlineisar+var+. \begin{isar} syntax "_VAR" :: "id \ (\, \) var" ("VAR _") translations VAR x => (x, _update_ name x) \end{isar} Note that in this syntactic translation rule, \inlineisar+_update_ name x+ stands for the concatenation of the string \inlineisar+_update_+ with the content of the variable \inlineisar+x+; the resulting \inlineisar+_update_x+ in this example is mapped to the field-update function of the extensible record \inlineisar+x_update+ by a default mechanism. On this basis, the assignment notation can be written as usual: \begin{isar} syntax "_assign" :: "id \ (\ \ \) \ (\, \) action" ("_ `:=` _") translations "x `:=` E" => "CONST ASSIGN (VAR x) E" \end{isar} and mapped to the \emph{semantics} of the program variable \inlineisar+(x,x_update)+ together with the universal \inlineisar+ASSIGN+ operator defined later on, in Section \ref{sec:assignment_action}. \begin{comment} as follows: \begin{isar} definition ASSIGN::"(\, \) var \ (\ \ \) \ (\::ev_eq, \) action" where ASSIGN x e \ ... \end{isar} The details in this definition based on UTP and embedded into \Circus-Actions can be found in Section \ref{sec:assignment_action}. \end{comment} \subsubsection{Updating and accessing local variables.} In \Circus , local program variables can be introduced on the fly, and their scopes are explicitly defined, as can be seen in the %\inlineisar+Fig+ $FIG$ example. In textbook \Circus , nested scopes are handled by variable renaming which is not possible in our representation due to the implicit representation of variable names. 
We represent local program variables by global variables, %i.e. using the \inlineisar+var+ type defined above, where selection and update involve an explicit stack discipline. Each variable is mapped to a list of values, and not to one value only (as for state variables). Entering the scope of a variable % corresponds to is just adding a new value as the head of the corresponding values list. Leaving a variable scope %corresponds to is just removing the %first element head of the values list. The select and update functions correspond to selecting and updating the head of the list. This ensures dynamic scoping, as it is stated by the \Circus\ semantics. Note that this encoding scheme requires to make local variables lexically distinct from global variables; local variable instances are just distinguished from the global ones by the stack discipline. \subsection{Synchronization infrastructure: Name sets and channels.} \label{Section:NSandCS} \subsubsection{Name sets.} An important notion, used in the definition of parallel \Circus\ actions, is name sets as seen in Section \ref{CircusUTP}. A name set is a set of variable names, which is a subset of the alphabet. This notion cannot be directly expressed in our representation since variable names are not explicitly represented. %Its definition is a bit tricky and Thus its definition relies on the characterization of the variables in our representation. As for variables, name sets are defined by their functional characterization. They are used in the definition of the binding merge function $MSt$ below:\\ {\footnotesize $\forall v @ (v \in ns1 \Rightarrow v' = (1.v)) \land (v \in ns2 \Rightarrow v' = (2.v)) \land (v \notin ns1 \cup ns2 \Rightarrow v' = v)$}. The disjoint name sets $ns1$ and $ns2$ are used to determine which variable values (extracted from local bindings of the parallel components) are used to update the global binding of the process. 
%Therefore, A name set can be functionally defined as a binding update function, that copies values from a local binding to the global one. For example, a name set $NS$ that only contains the variable $x$ can be defined as follows in Isabelle/Circus: \begin{isar} definition NS lb gb \ x_update (x lb) gb \end{isar} \noindent where \inlineisar+lb+ and \inlineisar+gb+ stands for local and global bindings, \inlineisar+x+ and \inlineisar+x_update+ are the select and update functions of variable \inlineisar+x+. Then the merge function can be defined by composing the application of the name sets to the global binding. \subsubsection{Channels.} Reactive processes interact with the environment via synchronizations and communications. A synchronization is an interaction via a channel without any exchange of data. A communication is a synchronization with data exchange. In order to reason about communications in the same way, a datatype $channels$ is defined using the channels names as constructors. For instance, in: \begin{isar} datatype channels = chan1 | chan2 nat | chan3 bool \end{isar} \noindent we declare three channels: \inlineisar+chan1+ that synchronizes without data , \inlineisar+chan2+ that communicates natural values and \inlineisar+chan3+ that exchanges boolean values. This definition %allows us makes it possible to reason globally about communications since they have the same type. However, the channels may not have the same type: in the example above, the types of \inlineisar+chan1+, \inlineisar+chan2+ and \inlineisar+chan3+ are respectively \inlineisar+channels+, \inlineisar+nat \ channels+ and \inlineisar+bool \ channels+. In the definition of some \Circus\ operators, we need to compare two channels, and one can't compare for example \inlineisar+chan1+ with \inlineisar+chan2+ since they don't have the same type. A solution would be to compare %for example \inlineisar+chan1+ with (\inlineisar+chan2 v+). 
The types are equivalent in this case, but the problem remains because comparing (\inlineisar+chan2 0+) to (\inlineisar+chan2 1+) will state inequality just because the communicated values are not equal. We could define an inductive function over the datatype \inlineisar+channels+ to compare channels, but this is only possible when all the channels are known $a~priori$. Thus, %when we need to provide a general definition, we %only need to we add some constraint to the generic channels type: we require the \inlineisar+channels+ type to implement a function \inlineisar+chan_eq+ that tests the equality of two channels. Fortunately, Isabelle/HOL provides a %feature that allows construct for this kind of restriction: the type classes (sorts) mentioned in Section \ref{IsaHOL}. We define a type class (interface) \inlineisar+chan_eq+ that contains a signature of the \inlineisar+chan_eq+ function. \begin{isar} class chan_eq = fixes chan_eq :: "\ \ \ \ bool" begin end \end{isar} Concrete channels type %should must implement the interface (class) `` \inlineisar+chan_eq+'' that can be easily defined for this concrete type. Moreover, one can use this class to add some definition that depends on the channel equivalence function. For example, a trace equivalence function can be defined as follows: \begin{isar} fun tr_eq where tr_eq [] [] = True | tr_eq xs [] = False | tr_eq [] ys = False | tr_eq (x#xs) (y#ys) = if chan_eq x y then tr_eq xs ys else False \end{isar} It is applicable to traces of elements whose type belongs to the sort \inlineisar+chan_eq+. \subsection{Actions and Processes} \label{ActionsAndP} The \Circus\ actions type is defined as the set of all the CSP healthy reactive processes. The type \inlineisar+(\,\)relation_rp+ is the reactive process type where \inlineisar+\+ is of \inlineisar+channels+ type and \inlineisar+\+ is a record extensions of \inlineisar+action_rp+, \ie{} the global state variables. 
On this basis, we can encode the concept of a process for a family of possible state instances. We introduce below the vital type \inlineisar+action+: \begin{isar} typedef(Action) (\::chan_eq,\) action = {p::(\,\)relation_rp. is_CSP_process p} proof - {...} qed \end{isar} As mentioned before, a type-definition introduces a new type by stating a set. In our case it is the set of reactive processes that satisfy the healthiness-conditions for CSP-processes, isomorphic to the new type. Technically, this %specification construct introduces two constants definitions \inlineisar+Abs_Action+ and \inlineisar+Rep_Action+ respectively of type \inlineisar+(\,\) relation_rp \ (\,\) action+ and \inlineisar+(\,\)action \(\,\)relation_rp+ as well as the usual two axioms expressing the bijection \inlineisar+Abs_Action(Rep_Action(X))=X+ and \inlineisar+is_CSP_process p \ Rep_Action(Abs_Action(p))=p+ where \inlineisar+is_CSP_process+ captures the healthiness conditions. Every \Circus\ action is an abstraction of an alphabetized predicate. In \cite{fgw11rapport-lri}, we introduce the definitions of all the actions and operators using their denotational semantics. The environment contains, for each action, the proof that this predicate is CSP healthy. In this section, we present some of the important definitions, namely: basic actions, assignments, communications, hiding, and recursion. \subsubsection{Basic actions.} \inlineisar+Stop+ is defined as a reactive design, with a precondition \inlineisar+true+ and a postcondition stating that the system deadlocks and the traces are not evolving. \begin{isar} definition Stop \ Abs_Action (R (true \ \ (A, A'). tr A' = tr A \ wait A')) \end{isar} \inlineisar+Skip+ is defined as a reactive design, with a precondition $true$ and a postcondition stating that the system terminates and all the state variables are not changed. 
We represent this fact by stating that the \inlineisar+more+ field (seen in Section \ref{Subsection:advconstructs}) is not changed, since this field is mapped to all the state variables. Note that using the \inlineisar+more+-field is a tribute to our encoding of alphabets by extensible records and stands for all future extensions of the alphabet (e.g. state variables). \begin{isar} definition Skip \ Abs_Action (R (true \ \ (A, A'). tr A' = tr A \ \ wait A' \ more A = more A')) \end{isar} \subsubsection{The universal assignment action.}\label{sec:assignment_action} In Section \ref{sec:updating_global}, we described how global and local variables are represented by access- and updates functions introduced by fields in extensible records. In these terms, the "lifting" to the assignment action in \Circus\ processes is straightforward: \begin{isar} definition ASSIGN::"(\, \) var \ (\ \ \) \ (\::ev_eq, \) action" where ASSIGN x e \ Abs_Action (R (true \ Y)) where Y = \ (A, A'). tr A' = tr A \ \ wait A' \ more A' = (assign x (e (more A))) (more A) \end{isar} where \inlineisar+assign+ is the projection into the update operation of a semantic variable described in section \ref{sec:updating_global}. \subsubsection{Communications.} The definition of prefixed actions is based on the definition of a special relation \inlineisar+do_I+. In the \Circus\ denotational semantics \cite{CircusDS}, various forms of prefixing were defined. In our theory, we define one general form, and the other forms are defined as special cases. \begin{isar} definition do_I c x P \ X \ wait o fst \ Y where X = (\ (A, A'). tr A = tr A' \ ((c ` P) \ ref A') = {}) and Y = (\ (A, A'). hd ((tr A') - (tr A)) \ (c ` P) \ (c (select x (more A))) = (last (tr A'))) \end{isar} where \inlineisar+c+ is a channel constructor, \inlineisar+x+ is a variable (of \inlineisar+var+ type) and \inlineisar+P+ is a predicate. 
The \inlineisar+do_I+ relation gives the semantics of an interaction: if the system is ready to interact, the trace is unchanged and the waiting channel is not refused. After performing the interaction, the new event in the trace corresponds to this interaction. The semantics of the whole action is given by the following definition: \begin{isar} definition Prefix c x P S \ Abs_Action(R (true \ Y)) ; S where Y = do_I c x P \ (\ (A, A'). more A' = more A) \end{isar} where \inlineisar+c+ is a channel constructor, \inlineisar+x+ is a variable (of type var), \inlineisar+P+ is a predicate and \inlineisar+S+ is an action. This definition states that the prefixed action semantics is given by the interaction semantics (\inlineisar+do_I+) sequentially composed with the semantics of the continuation (action \inlineisar+S+). Different types of communication are considered: % below. \begin{itemize} \item Inputs: the communication is done over a variable. \item Constrained Inputs: the input variable value is constrained with a predicate. \item Outputs: the communications exchanges only one value. \item Synchronizations: only the channel name is considered (no data). \end{itemize} The semantics of these different forms of communications is based on the general definition above. \begin{isar} definition read c x P \ Prefix c x true P definition write1 c a P \ Prefix c (\s. a s, (\ x. \y. y)) true P definition write0 c P \ Prefix (\_.c) (\_._, (\ x. \y. y)) true P \end{isar} where \inlineisar+read+, \inlineisar+write1+ and \inlineisar+write0+ respectively correspond to inputs, outputs and synchronization. Constrained~ inputs correspond to the general definition. We configure the Isabelle syntax-engine such that it parses the usual communication primitives and gives the corresponding semantics: \begin{isar} translations c ? p \ P == CONST read c (VAR p) P c ? p : b \ P == CONST Prefix c (VAR p) b P c ! 
p \ P == CONST write1 c p P a \ P == CONST write0 (TYPE(_)) a P \end{isar} \subsubsection{Hiding.} The hiding operator is interesting because it depends on a channel set. This operator \inlineisar+P \ cs+ is used to encapsulate the events that are in the channel set \inlineisar+cs+. These events become no longer visible from the environment. The semantics of the hiding operator is given by the following reactive process: \begin{isar} definition Hide ::"[(\, \) action , \ set] \ (\, \) action" (infixl "\") where P \ cs \ Abs_Action( R(\ (A, A'). \ s. (Rep_Action P)(A, A'\tr :=s, ref := (ref A') \ cs\) \ (tr A' - tr A) = (tr_filter (s - tr A) cs))); Skip \end{isar} The definition uses a filtering function \inlineisar+tr_filter+ that removes from a trace the events whose channels belong to a given set. The definition of this function is based on the function \inlineisar+chan_eq+ we defined in the class \inlineisar+chan_eq+. This explains the presence of the constraint on the type of the action channels in the hiding definition, and in the definition of the filtering function below: \begin{isar} fun tr_filter::"a::chan_eq list \ a set \ a list" where tr_filter [] cs = [] | tr_filter (x#xs) cs = (if (\ chan-in_set x cs) then (x#(tr_filter xs cs)) else (tr_filter xs cs)) \end{isar} \noindent where the \inlineisar+chan-in_set+ function checks if a given channel belongs to a channel set using \inlineisar+chan_eq+ as equality function. \subsubsection{Recursion.} To represent the recursion operator ``$\mu$'' over actions, we use the universal least fix-point operator ``$lfp$'' defined in the HOL library for lattices and we follow again \cite{CircusDS}. The use of least fix-points in \cite{CircusDS} is the most substantial deviation from the standard CSP denotational semantics, which requires Scott-domains and complete partial orderings. 
The operator $lfp$ is inherited from the ``$Complete~Lattice~class$'' under some conditions, and all theorems defined over this operator can be reused. In order to reuse this operator, we have to show that the least-fixpoint over functionals that enrich pairs of failure - and divergence trace sets monotonely, produces an \inlineisar+action+ that satisfies the CSP healthiness conditions. This consistency proof for the recursion operator is the largest contained in the Isabelle/\Circus\ library. Therefore, we must prove that the \Circus\ actions type defines a complete lattice. This leads to prove that the actions type belongs to the HOL ``\emph{Complete Lattice class}''. Since type classes in HOL are hierarchic, the proof is in three steps: first, a proof that the \Circus\ actions type forms a lattice by instantiating the HOL ``$Lattice~class$''; second, a proof that actions type instantiates a subclass of lattices called ``$Bounded~Lattice~class$''; third, proof of the instantiation from the ``\emph{Complete Lattice class}''. %The details of these proofs are not given here. More on these proofs can be found in \cite{fgw11rapport-lri}. \subsubsection{\Circus\ Processes.} A \Circus\ process is defined in our environment as a local theory by introducing qualified names for all its components. This is very similar to the notion of $namespaces$ popular in programming languages. Defining a \Circus\ process locally makes it possible to encapsulate definitions of alphabet, channels, schema expressions and actions in the same namespace. It is important for the foundation of Isabelle/\Circus\ to avoid the ambiguity between local process entities definitions (e.g. \inlineisar+FIG.Out+ and \inlineisar+DFIG.Out+ in the example of Section \ref{Section:framework}). \section{Using Isabelle/\Circus\ }\label{Section:framework} We describe the front-end interface of Isabelle/\Circus . 
In order to support a maximum of common \Circus\ syntactic look-and-feel, we have programmed at the SML level of Isabelle a compiler that parses and (partially) pretty prints \Circus\ process given in the syntax presented in Figure \ref{figure:CircSynt}. \subsection{Writing specifications} A specification is a sequence of paragraphs. Each paragraph may be a declaration of alphabet, state, channels, name sets, channel sets, schema expressions or actions. The main action is introduced by the keyword \inlineisar+where+. Below, we illustrate how to use the environment to write a \Circus\ specification using the \inlineisar+FIG+ process example presented in Figure \ref{figure:Fig}. \begin{isar} circusprocess FIG = alphabet = [v::nat, x::nat] state = [idS::nat set] channel = [req, ret nat, out nat] schema Init = idS := {} schema Out = \ a. v' = a \ v' \ idS \ idS' = idS \ {v'} schema Remove = x \ idS \ idS' = idS - {x} where var v \ Schema Init; (\ X \ (req \ Schema Out; out!v \ Skip) \ (ret?x \ Schema Remove); X) \end{isar} Each line of the specification is translated into the corresponding semantic operator given in Section \ref{ActionsAndP}. We describe below the result of executing each command of \inlineisar+FIG+: \begin{itemize} \item the compiler introduces a scope of local components whose names are qualified by the process name (\inlineisar+FIG+ in the example). \item \inlineisar+alphabet+ generates a list of record fields to represent the binding. These fields map names to value lists. \item \inlineisar+state+ generates a list of record fields that corresponds to the state variables. The names are mapped to single values. 
This command, together with \inlineisar+alphabet+ command, generates a record that represents all the variables (for the \inlineisar+FIG+ example the command generates the record \inlineisar+FIG_alphabet+, that contains the fields \inlineisar+v+ and \inlineisar+x+ of type \inlineisar+nat list+ and the field \inlineisar+idS+ of type \inlineisar+nat set+). \item \inlineisar+channel+ introduces a datatype of typed communication channels (for the \inlineisar+FIG+ example the command generates the datatype \inlineisar+FIG_channels+ that contains the constructors \inlineisar+req+ without communicated value and \inlineisar+ret+ and \inlineisar+out+ that communicate natural values). \item \inlineisar+schema+ allows the definition of schema expressions represented as an alphabetized relation over the process variables (in the example the schema expressions \inlineisar+FIG.Init+, \inlineisar+FIG.Out+ and \inlineisar+FIG.Remove+ are generated). \item \inlineisar+action+ introduces definitions for \Circus\ actions in the process. These definitions are based on the denotational semantics of \Circus\ actions. The type parameters of the action type are instantiated with the locally defined channels and alphabet types. \item \inlineisar+where+ introduces the main action as in \inlineisar+action+ command (in the example the main action is \inlineisar+FIG.FIG+ of type \inlineisar+(FIG_channels, FIG_alphabet) action+). \end{itemize} \subsection{Relational and Functional Refinement in Circus} The main goal of Isabelle/\Circus\ is to provide a proof environment for \Circus\ processes. The ``shallow-embedding'' of \Circus\ and UTP in Isabelle/HOL offers the possibility to reuse proof procedures, infrastructure and theorem libraries already existing in Isabelle/HOL. Moreover, once a process specification is encoded and parsed in Isabelle/\Circus , proofs of, e. g., refinement properties can be developped using the ISAR language for structured proofs. 
To show in more details how to use Isabelle/\Circus , we provide a small example of action refinement proof. The refinement relation is defined as the universal reverse implication in the UTP. In \Circus , %the refinement relation it is defined as follows: \begin{isar} definition A1 \c A2 \ (Rep_Action A1) \utp (Rep_Action A2) \end{isar} where A1 and A2 are \Circus\ actions, \inlineisar+\c+ and \inlineisar+\utp+ stands respectively for refinement relation on \Circus\ actions and on UTP predicate. This definition assumes that the actions A1 and A2 share the same alphabet (binding) and the same channels. In general, refinement involves an important data evolution and growth. The data refinement is defined in \cite{SWC02,CSW03} by backwards and forwards simulations. In this paper, we %will restrict ourselves to a special case, the so-called \emph{functional} backwards simulation. This refers to the fact that the abstraction relation \inlineisar+R+ that relates concrete and abstract actions is just a function: \begin{isar} definition Simulation ("_ \_ _") where A1 \R A2 = \ a b.(Rep_Action A2)(a,b) \ (Rep_Action A1)(R a,R b) \end{isar} where \inlineisar+A1+ and \inlineisar+A2+ are \Circus\ actions and \inlineisar+R+ is a function mapping the corresponding \inlineisar+A1+ alphabet to the \inlineisar+A2+ alphabet. \subsection{Refinement Proofs} We can use the definition of simulation to transform the proof of refinement to a simple proof of implication by unfolding the operators in terms of their underlying relational semantics. The problem with this approach is that the size of proofs will grow exponentially with the size of the processes. To avoid this problem, some general refinement laws were defined in \cite{CSW03} to deal with the refinement of \Circus\ actions at operators level and not at UTP level. We introduced and proved a subset of theses laws in our environment (see Table \ref{table:laws}). 
\setlength{\tabcolsep}{9pt} \begin{footnotesize} \begin{center} \begin{table}[h] \vspace{-0.65 cm} \begin{tabular}[t]{| c c c |} \hline & & \\ \vspace{- 0.7 cm} & & \\ \infer[\mathrm{SeqI}] {P ; P' \preceq_S Q ; Q'}{P \preceq_S Q & \quad P' \preceq_S Q'} & \multicolumn{2}{c |}{\infer[\mathrm{GrdI}] {g_1 \& P \preceq_S g_2 \& Q}{P \preceq_S Q & \quad g_1 \simeq_S g_2}} \\ & & \\ \vspace{- 0.55 cm} & & \\ \infer[\mathrm{VarI}] {var~x \bullet P \preceq_S var~ y \bullet Q}{P \preceq_S Q & \quad x \sim_S y} & \multicolumn{2}{c |}{\infer[\mathrm{InpI}] {c?x \rightarrow P \preceq_S c?y \rightarrow Q}{P \preceq_S Q & \quad x \sim_S y}} \\ & & \\ \vspace{- 0.55 cm} & & \\ \infer[\mathrm{NdetI}] {P \sqcap P' \preceq_S Q \sqcap Q'}{P \preceq_S Q & \quad P' \preceq_S Q'} & \multicolumn{2}{c |}{\infer[\mathrm{OutI}] {c!x \rightarrow P \preceq_S c!y \rightarrow Q}{P \preceq_S Q & \quad x \sim_S y}} \\ & & \\ \vspace{- 0.55 cm} & & \\ \infer[\mathrm{MuI}] {\mu X \bullet P~X \preceq_S \mu Y \bullet Q~Y}{\infer*{P~X \preceq_S Q~Y}{[X \preceq_S Y]} & mono~P & mono~Q} & \multicolumn{2}{c |}{\infer[\mathrm{DetI}] {P \Box P' \preceq_S Q \Box Q'}{P \preceq_S Q & \quad P' \preceq_S Q'}} \\ & & \\ \vspace{- 0.55 cm} & & \\ \infer[\mathrm{SchI}] {schema~sc_1 \preceq_S schema~sc_2}{\infer*{Pre~sc_2~A}{[Pre~sc_1~(S~A)]} & \infer*{sc_1~(S~A, S~A')}{[Pre~sc_1~(S~A) & sc_2~(A, A')]}} & & \infer[\mathrm{SyncI}] {a \rightarrow P \preceq_S a \rightarrow Q}{P \preceq_S Q} \\ & & \\ \vspace{- 0.55 cm} & & \\ \multicolumn{2}{| c}{\infer[\mathrm{ParI}] {P \llbracket ns_1 | cs | ns_2 \rrbracket P' \preceq_S Q \llbracket ns'_1 | cs | ns'_2 \rrbracket Q'}{P \preceq_S Q & P' \preceq_S Q' & ns_1 \sim_S ns'_1 & ns_2 \sim_S ns'_2}} & \infer[\mathrm{SkipI}] {Skip \preceq_S Skip}{} \\ \hline \end{tabular} \vspace{0.3 cm} \caption{\label{table:laws} Proved refinement laws} \vspace{-0.9 cm} \end{table} \end{center} \end{footnotesize} In Table \ref{table:laws}, the relations ``$x \sim_S y$'' and ``$g_1 \simeq_S 
g_2$'' record the fact that the variable $x$ (repectively the guard $g_1$) is refined by the variable $y$ (repectively by the guard $g_2$) w.r.t the simulation function $S$. These laws can be used in complex refinement proofs to simplify them at the \Circus\ level. More rules can be defined and proved to deal with more complicated statements like combination of operators for example. Using these laws, and exploiting the advantages of a shallow embedding, the automated proof of refinement becomes surprisingly simple. Coming back to our example, let us consider the \inlineisar+DFIG+ specification below, where the management of the identifiers via the set \inlineisar+idS+ is refined into a set of removed identifiers \inlineisar+retidS+ and a number \inlineisar+max+, which is the rank of the last issued identifier. \begin{isar} circusprocess DFIG = alphabet = [w::nat, y::nat] state = [retidS::nat set, max::nat] schema Init = retidS' = {} \ max' = 0 schema Out = w' = max \ max' = max+1 \ retidS' = retidS - {max} schema Remove = y < max \ y \ retidS \ retidS' = retidS \ {y} \ max' = max where var w \ Schema Init; (\ X \ (req \ Schema Out; out!w \ Skip) \ (ret?y \ Schema Remove); X) \end{isar} We provide the proof of refinement of \inlineisar+FIG+ by \inlineisar+DFIG+ just instantiating the simulation function \inlineisar+R+ by the following abstraction function, that maps the underlying concrete states to abstract states: \begin{isar} definition Sim A = FIG_alphabet.make (w A) (y A) ({a. a < (max A) \ a \ (retidS A)}) \end{isar} where A is the alphabet of \inlineisar+DFIG+, and \inlineisar+FIG_alphabet.make+ yields an alphabet of type \inlineisar+FIG_Alphabet+ initializing the values of \inlineisar+v+, \inlineisar+x+ and \inlineisar+idS+ by their corresponding values from \inlineisar+DFIG_alphabet+: \inlineisar+w+, \inlineisar+y+ and \inlineisar+{a. a < max \ a \ retidS}+). 
To prove that \inlineisar+DFIG+ is a refinement of \inlineisar+FIG+ one must prove that the main action \inlineisar+DFIG.DFIG+ refines the main action \inlineisar+FIG.FIG+. The definition is then simplified, and the refinement laws are applied to simplify the proof goal. Thus, the full proof consists of a few lines in ISAR: \begin{isar} theorem "FIG.FIG \Sim DFIG.DFIG" apply (auto simp: DFIG.DFIG_def FIG.FIG_def mono_Seq intro!: VarI SeqI MuI DetI SyncI InpI OutI SkipI) apply (simp_all add: SimRemove SimOut SimInit Sim_def) done \end{isar} First, the definitions of \inlineisar+FIG.FIG+ and \inlineisar+DFIG.DFIG+ are simplified and the defined refinement laws are used by the \inlineisar+auto+ tactic as introduction rules. The second step replaces the definition of the simulation function and uses some proved lemmas to finish the proof. The three lemmas used in this proof: \inlineisar+SimInit+, \inlineisar+SimOut+ and \inlineisar+SimRemove+ give proofs of simulation for the schema \inlineisar+Init+, \inlineisar+Out+ and \inlineisar+Remove+. \section{Conclusions} We have shown for the language \Circus , which combines data-oriented modeling in the style of Z and behavioral modeling in the style of CSP, a semantics in form of a shallow embedding in Isabelle/HOL. In particular, by representing the somewhat non-standard concept of the \emph{alphabet} in UTP in form of extensible records in HOL, we achieved a fairly compact, typed presentation of the language. In contrast to previous work based on some deep embedding \cite{ZC09}, this shallow embedding allows arbitrary (higher-order) HOL-types for channels, events, and state-variables, such as, e.g., sets of relations etc. Besides, systematic renaming of local variables is avoided by compiling them essentially to global variables using a stack of variable instances. 
The necessary proofs for showing that the definitions are consistent --- \ie{} satisfy altogether \inlineisar+is_CSP_healthy+ --- have been done, together with a number of algebraic simplification laws on \Circus\ processes. Since the encoding effort can be hidden behind the scene by flexible extension mechanisms of the Isabelle, it is possible to have a compact notation for both specifications and proofs. Moreover, existing standard tactics of Isabelle such as \verb+auto+, \verb+simp+ and \verb+metis+ can be reused since our \Circus\ semantics is representationally close to HOL. Thus, we provide an environment that can cope with combined refinements concerning data and behavior. Finally, we demonstrate its power --- w.r.t. both expressivity and %the degree of achieved proof automation --- with a small, but prototypic example of a process-refinement. In the future, we intend to use Isabelle/\Circus\ for the generation of test-cases, on the basis of \cite{CavalGau:Acta:2011}, using the HOL-TestGen-environment \cite{brucker.ea:theorem-prover:2012}. \section{Acknowledgement} We warmly thank Markarius Wenzel for his valuable help with the Isabelle framework. Furthermore, we are greatly indebted to Ana Cavalcanti for her comments on the semantic foundation of this work. \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Clean/document/root.tex b/thys/Clean/document/root.tex --- a/thys/Clean/document/root.tex +++ b/thys/Clean/document/root.tex 
@@ -1,112 +1,110 @@ \documentclass[fontsize=11pt,paper=a4,open=right,twoside,abstract=true]{scrreprt} \usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} -\usepackage{lmodern} \usepackage[numbers, sort&compress, sectionbib]{natbib} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{ifthen} \usepackage{wrapfig} \usepackage{graphicx} \usepackage{xcolor} \usepackage{listings} \usepackage{lstisadof} \IfFileExists{railsetup.sty}{\usepackage{railsetup}}{} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % command \newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]} % from 'iman.sty' \newcommand{\indexdef}[3]% {\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}} % from 'isar.sty' \newcommand{\isactrlC}{{\bf C}} %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % fix for package declaration to be at the end \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % document \urlstyle{rm} \isabellestyle{it} \newcommand{\HOL}{HOL} \newcommand{\eg}{e.g.} \newcommand{\ie}{i.e.} \begin{document} \title{Clean - An Abstract Imperative Programming Language and its Theory} \author{% \href{https://www.lri.fr/~ftuong/}{Fr\'ed\'eric Tuong} \and \href{https://www.lri.fr/~wolff/}{Burkhart Wolff} \\ \and (with Contributions by \href{https://www.lri.fr/~keller/}{Chantal Keller})} \publishers{% \mbox{LRI, Univ. Paris-Sud, CNRS, Universit\'e Paris-Saclay} \\ b\^at. 650 Ada Lovelace, 91405 Orsay, France \texorpdfstring{\\}{} } \maketitle \begin{abstract} Clean is based on a simple, abstract execution model for an imperative target language. ``Abstract'' is understood as contrast to ``Concrete Semantics''; alternatively, the term ``shallow-style embedding'' could be used. 
It strives for a type-safe notation of program-variables, an incremental construction of the typed state-space, support of incremental verification, and open-world extensibility of new type definitions being intertwined with the program definitions. Clean is based on a ``no-frills'' state-exception monad with the usual definitions of \isa{bind} and \isa{unit} for the compositional glue of state-based computations. Clean offers conditionals and loops supporting C-like control-flow operators such as \isa{break} and \isa{return}. The state-space construction is based on the extensible record package. Direct recursion of procedures is supported. Clean's design strives for extreme simplicity. It is geared towards symbolic execution and proven correct verification tools. The underlying libraries of this package, however, deliberately restrict themselves to the most elementary infrastructure for these tasks. The package is intended to serve as demonstrator semantic backend for Isabelle/C~\cite{TuongWolff19}, or for the test-generation techniques described in~\cite{DBLP:conf/tap/Keller18}. \end{abstract} \newpage \tableofcontents \parindent 0pt\parskip 0.5ex %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % \input{session} \newpage \input{Clean.tex} \input{Quicksort_concept.tex} \input{SquareRoot_concept.tex} \newpage \chapter{Appendix : Used Monad Libraries} \input{MonadSE.tex} \input{Seq_MonadSE.tex} \input{Symbex_MonadSE.tex} \input{Clean_Symbex.tex} \input{Test_Clean.tex} \input{Hoare_MonadSE.tex} \input{Hoare_Clean.tex} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \bibliographystyle{abbrvnat} \bibliography{root} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/ClockSynchInst/document/root.tex b/thys/ClockSynchInst/document/root.tex --- a/thys/ClockSynchInst/document/root.tex +++ b/thys/ClockSynchInst/document/root.tex 
@@ -1,171 +1,172 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{verbatim} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Instances of Schneider's generalized protocol\\ of clock synchronization.} \author{Damian Barsotti} \maketitle \begin{abstract}\noindent Schneider \cite{schneider87understanding} generalizes a number of protocols for Byzantine fault-tolerant clock synchronization and presents a uniform proof for their correctness. In Schneider's schema, each processor maintains a local clock by periodically adjusting each value to one computed by a convergence function applied to the readings of all the clocks. Then, correctness of an algorithm, i.e. that the readings of two clocks at any time are within a fixed bound of each other, is based upon some conditions on the convergence function. To prove that a particular clock synchronization algorithm is correct it suffices to show that the convergence function used by the algorithm meets Schneider's conditions. Using the theorem prover Isabelle, we formalize the proofs that the convergence functions of two algorithms, namely, the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith \cite{lamport_cs} and the Fault-tolerant Midpoint algorithm of Lundelius-Lynch \cite{lynch_cs}, meet Schneider's conditions. Furthermore, we experiment on handling some parts of the proofs with fully automatic tools like ICS\cite{ics} and \mbox{CVC-lite}\cite{cvclite}. These theories are part of a joint work with Alwen Tiu and Leonor P. Nieto \cite{bars_leon_tiu}. In this work the correctness of Schneider schema was also verified using Isabelle (available at \url{http://isa-afp.org/entries/GenClock.shtml}). 
\end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \appendix \section{CVC-lite and ICS proofs} \subsection{Lemma abs\_distrib\_div} \label{sec:abs_distrib_mult} In the proof of the Fault-Tolerant Mid Point Algorithm we need to prove this simple lemma: \begin{isabellebody}% \isamarkuptrue% \isacommand{lemma}\ abs{\isacharunderscore}distrib{\isacharunderscore}div{\isacharcolon}\isanewline \ \ {\isachardoublequote}{\isadigit{0}}\ {\isacharless}\ {\isacharparenleft}c{\isacharcolon}{\isacharcolon}real{\isacharparenright}\ \ {\isasymLongrightarrow}\ {\isasymbar}a\ {\isacharslash}\ c\ {\isacharminus}\ b\ {\isacharslash}\ c{\isasymbar}\ {\isacharequal}\ {\isasymbar}a\ {\isacharminus}\ b{\isasymbar}\ {\isacharslash}\ c{\isachardoublequote}\isanewline \isamarkupfalse% \end{isabellebody}% It is not possible to prove this lemma in Isabelle using \emph{arith} nor \emph{auto} tactics. Even if we added lemmas to the default simpset of HOL. In the translation from Isabelle to ICS we need to change the division by a multiplication because this tools do not accept formulas with this arithmetic operator. Moreover, to translate the absolute value we define e constant for each application of that function. In ICS it is proved automatically. File \verb|abs_distrib_mult.ics|: \verbatiminput{abs_distrib_mult.ics} It was not possible to find the proof in CVC-lite because the formula is not linear. Two proofs where attempted. In the first one we use lambda abstraction to define the absolute value. The second one is the same translation that we do in ICS. 
File \verb|abs_distrib_mult.cvc|: \verbatiminput{abs_distrib_mult.cvc} File \verb|abs_distrib_mult2.cvc|: \verbatiminput{abs_distrib_mult2.cvc} \subsection{Bound for Precision Enhancement property} \label{sec:bound_prec_enh} In order to prove Precision Enhancement for Lynch's algorithm we need to prove that: \begin{isabellebody}% \ \ \ \ \ \isacommand{have}\ {\isachardoublequote}{\isasymbar}Max\ {\isacharparenleft}reduce\ f\ PR{\isacharparenright}\ {\isacharplus}\ Min\ {\isacharparenleft}reduce\ f\ PR{\isacharparenright}\ \ {\isacharplus}\ \isanewline \ \ \ \ \ \ \ \ \ \ \ \ {\isacharminus}\ Max\ {\isacharparenleft}reduce\ g\ PR{\isacharparenright}\ {\isacharplus}\ {\isacharminus}\ Min\ {\isacharparenleft}reduce\ g\ PR{\isacharparenright}{\isasymbar}\ {\isacharless}{\isacharequal}\ y\ {\isacharplus}\ {\isadigit{2}}\ {\isacharasterisk}\ x{\isachardoublequote} \end{isabellebody}% This is the result of the whole theorem where we multiply by two both sides of the inequality. In order to do the proof we need to translate also the lemmas \emph{uboundmax}, \emph{lboundmin}, \emph{same\_bound} (lemmas about the existence of some bounds), the axiom \emph{constants\_ax} and the assumptions of the theorem. We make five different translations. In each one we where increasing the amount of eliminated quantifiers. File \verb|bound_prec_enh4.cvc|: \verbatiminput{bound_prec_enh4.cvc} Note that we leave quantifiers in some assumptions. In the next file we also try to do the proof with all quantifiers, but CVC cannot find it. File \verb|bound_prec_enh.cvc|: \verbatiminput{bound_prec_enh.cvc} We also try to do the proof removing all quantifiers and the proof was successful. File \verb|bound_prec_enh7.cvc|: \verbatiminput{bound_prec_enh7.cvc} From this last file we make the translation also for ICS adding a constant for each application of the absolute value. In this case ICS do not find the proof. 
File \verb|bound_prec_enh.ics|: \verbatiminput{bound_prec_enh.ics} \subsection{Accuracy Preservation property} \label{sec:accur_pres} The proof of this property was successful in both tools. Even in CVC-lite the proof was find without the need of removing the quantifiers. File \verb|accur_pres.cvc|: \verbatiminput{accur_pres.cvc} File \verb|accur_pres.ics|: \verbatiminput{accur_pres.ics} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Closest_Pair_Points/document/root.tex b/thys/Closest_Pair_Points/document/root.tex --- a/thys/Closest_Pair_Points/document/root.tex +++ b/thys/Closest_Pair_Points/document/root.tex @@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Closest Pair of Points Algorithms} \author{Martin Rau and Tobias Nipkow} \maketitle \begin{abstract} This entry provides two related verified divide-and-conquer algorithms solving the fundamental \textit{Closest Pair of Points} problem in Computational Geometry. Functional correctness and the optimal running time of $\mathcal{O}(n \log n)$ are proved. Executable code is generated which is empirically competitive with handwritten reference implementations. \end{abstract} \tableofcontents \newpage % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/CofGroups/document/root.tex b/thys/CofGroups/document/root.tex --- a/thys/CofGroups/document/root.tex +++ b/thys/CofGroups/document/root.tex 
@@ -1,56 +1,57 @@ % Title: An Example of a Cofinitary Group in Isabelle/HOL % % Author: Bart.Kastermans at colorado.edu, 2009 % Maintainer: Bart.Kastermans at colorado.edu \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage {amsmath} \usepackage{amssymb} \def\polhk#1{\setbox0=\hbox{#1}{\ooalign{\hidewidth \lower1.5ex\hbox{`}\hidewidth\crcr\unhbox0}}} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \DeclareMathOperator{\Sym}{Sym} \newcommand {\N} {\ensuremath {\mathbb {N}}} \begin{document} \title{An Example of a Cofinitary Group in Isabelle/HOL} \author{Bart Kastermans} \maketitle \begin{abstract} We formalize the usual proof that the group generated by the function $k \mapsto k + 1$ on the integers gives rise to a cofinitary group. \end{abstract} \tableofcontents \vspace {.3cm} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Coinductive/document/root.tex b/thys/Coinductive/document/root.tex --- a/thys/Coinductive/document/root.tex +++ b/thys/Coinductive/document/root.tex 
@@ -1,51 +1,52 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{stmaryrd} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Coinductive} \author{Andreas Lochbihler \\ with contributions by Johannes H\"olzl} \maketitle \begin{abstract} This article collects formalisations of general-purpose coinductive data types and sets. Currently, it contains: \begin{itemize} \item coinductive natural numbers, \item coinductive lists, i.e. lazy lists or streams, and a library of operations on coinductive lists, \item coinductive terminated lists, i.e. lazy lists with the stop symbol containing data, \item coinductive streams, \item coinductive resumptions, and \item numerous examples which include a version of K\"onig's lemma and the Hamming stream. \end{itemize} The initial theory was contributed by Paulson and Wenzel. Extensions and other coinductive formalisations of general interest are welcome. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \pagebreak % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Coinductive_Languages/document/root.tex b/thys/Coinductive_Languages/document/root.tex --- a/thys/Coinductive_Languages/document/root.tex +++ b/thys/Coinductive_Languages/document/root.tex 
@@ -1,36 +1,36 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{A Codatatype of Formal Languages} \author{Dmitriy Traytel} \maketitle %\tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Collections/document/root.tex b/thys/Collections/document/root.tex --- a/thys/Collections/document/root.tex +++ b/thys/Collections/document/root.tex 
@@ -1,86 +1,87 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \newcommand{\isaheader}[1]{#1} \newcommand{\isachapter}[1]{\chapter{#1}} \newcommand{\isasection}[1]{\section{#1}} \renewcommand{\isamarkupchapter}[1]{\chapter{#1}} \renewcommand{\isamarkupsection}[1]{\subsection{#1}} \renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\paragraph{#1}} \makeatletter \newenvironment{abstract}{% \small \begin{center}% {\bfseries \abstractname\vspace{-.5em}\vspace{\z@}}% \end{center}% \quotation}{\endquotation} \makeatother \include{documentation} \begin{document} \title{Isabelle Collections Framework} \author{By Peter Lammich and Andreas Lochbihler} \maketitle \begin{abstract} This development provides an efficient, extensible, machine checked collections framework for use in Isabelle/HOL. The library adopts the concepts of interface, implementation and generic algorithm from object-oriented programming and implements them in Isabelle/HOL. 
The framework features the use of data refinement techniques to refine an abstract specification (using high-level concepts like sets) to a more concrete implementation (using collection datastructures, like red-black-trees). The code-generator of Isabelle/HOL can be used to generate efficient code in all supported target languages, i.e. Haskell, SML, and OCaml. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{intro} % generated text of all theories \input{session} \input{conclusion} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Collections/document/root_userguide.tex b/thys/Collections/document/root_userguide.tex --- a/thys/Collections/document/root_userguide.tex +++ b/thys/Collections/document/root_userguide.tex 
@@ -1,65 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \begin{document} \title{Isabelle Collections Framework Userguide} \author{By Peter Lammich} \maketitle \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % Some dirty hacking to get nesting of sections right \newcommand{\isaheader}[1]{#1} \newcommand{\isachapter}[1]{\chapter{#1}} \newcommand{\isasection}[1]{\section{#1}} \renewcommand{\isamarkupchapter}[1]{\chapter{#1}} \renewcommand{\isamarkupsection}[1]{\subsection{#1}} \renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\paragraph{#1}} % Just read the generated Userguide tex files \input{ICF_Userguide} \input{Refine_Monadic_Userguide} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Comparison_Sort_Lower_Bound/document/root.tex b/thys/Comparison_Sort_Lower_Bound/document/root.tex 
--- a/thys/Comparison_Sort_Lower_Bound/document/root.tex +++ b/thys/Comparison_Sort_Lower_Bound/document/root.tex @@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Comparison-based Sorting Algorithms} \author{Manuel Eberl} \maketitle \begin{abstract} This article contains a formal proof of the well-known fact that number of comparisons that a comparison-based sorting algorithm needs to perform to sort a list of length $n$ is at least $\log_2 (n!)$ in the worst case, i.\,e.\ $\Omega(n \log n)$. For this purpose, a shallow embedding for comparison-based sorting algorithms is defined: a sorting algorithm is a recursive datatype containing either a HOL function or a query of a comparison oracle with a continuation containing the remaining computation. This makes it possible to force the algorithm to use only comparisons and to track the number of comparisons made. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Compiling-Exceptions-Correctly/document/root.tex b/thys/Compiling-Exceptions-Correctly/document/root.tex --- a/thys/Compiling-Exceptions-Correctly/document/root.tex +++ b/thys/Compiling-Exceptions-Correctly/document/root.tex 
@@ -1,27 +1,28 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \begin{document} \title{Compiling Exceptions Correctly} \author{Tobias Nipkow} \maketitle \begin{abstract} An exception compilation scheme that dynamically creates and removes exception handler entries on the stack. A formalization of an article of the same name by Hutton and Wright \cite{HuttonW04}. \end{abstract} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Complete_Non_Orders/document/root.tex b/thys/Complete_Non_Orders/document/root.tex --- a/thys/Complete_Non_Orders/document/root.tex +++ b/thys/Complete_Non_Orders/document/root.tex 
@@ -1,195 +1,196 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath,stmaryrd} \usepackage{tikz} \usetikzlibrary{backgrounds} \usetikzlibrary{positioning} \usetikzlibrary{shapes} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\SLE{\sqsubseteq} \newcommand\Nat{\mathbb{N}} \makeatletter \def\tp@#1#2{\@ifnextchar[{\tp@@{#1}{#2}}{\tp@@@{#1}{#2}}} \def\tp@@#1#2[#3]#4{#3#1\def\mid{\mathrel{#3|}}#4#3#2} \def\tp@@@#1#2#3{\bgroup\left#1\def\mid{\;\middle|\;}#3\right#2\egroup} \def\pa{\tp@()} \def\tp{\tp@\langle\rangle} \def\set{\tp@\{\}} \makeatother \begin{document} \title{Complete Non-Orders and Fixed Points} \author{Akihisa Yamada and Jérémy Dubut} \maketitle \begin{abstract} We develop an Isabelle/HOL library of order-theoretic concepts, such as various completeness conditions and fixed-point theorems. We keep our formalization as general as possible: we reprove several well-known results about complete orders, often without any properties of ordering, thus complete non-orders. In particular, we generalize the Knaster--Tarski theorem so that we ensure the existence of a quasi-fixed point of monotone maps over complete non-orders, and show that the set of quasi-fixed points is complete under a mild condition---% attractivity---which is implied by either antisymmetry or transitivity. This result generalizes and strengthens a result by Stauti and Maaden. Finally, we recover Kleene's fixed-point theorem for omega-complete non-orders, again using attractivity to prove that Kleene's fixed points are least quasi-fixed points. \end{abstract} \tableofcontents \section{Introduction} The main driving force towards mechanizing mathematics using proof assistants has been the reliability they offer, exemplified prominently by~\cite{4color},~\cite{flyspeck},~\cite{sel4}, etc. 
In this work, we utilize another aspect of Isabelle/JEdit~\cite{isabelle/jedit} as engineering tools for developing mathematical theories. We formalize order-theoretic concepts and results, adhering to an \emph{as-general-as-possible} approach: most results concerning order-theoretic completeness and fixed-point theorems are proved without assuming the underlying relations to be orders (non-orders). In particular, we provide the following: \begin{itemize} \item A locale-based library for binary relations, as partly depicted in Figure~\ref{fig:non-orders}. \item Various completeness results that generalize known theorems in order theory: Actually most relationships and duality of completeness conditions are proved without \emph{any} properties of the underlying relations. \item Existence of fixed points: We show that a relation-preserving mapping $f : A \to A$ over a complete non-order $\tp{A,\SLE}$ admits a \emph{quasi-fixed point} $f(x) \sim x$, meaning $x \SLE f(x) \wedge f(x) \SLE x$. Clearly if $\SLE$ is antisymmetric then this implies the existence of fixed points $f(x) = x$. \item Completeness of the set of fixed points: We further show that if $\SLE$ satisfies a mild condition, which we call \emph{attractivity} and which is implied by either transitivity or antisymmetry, then the set of quasi-fixed points is complete. Furthermore, we also show that if $\SLE$ is antisymmetric, then the set of \emph{strict} fixed points $f(x) = x$ is complete. \item Kleene-style fixed-point theorems: For an $\omega$-complete non-order $\tp{A,\SLE}$ with a bottom element $\bot \in A$ (not necessarily unique) and for every $\omega$-continuous map $f : A \to A$, a supremum exists for the set $\set{ f^n(\bot) \mid n \in \Nat}$, and it is a quasi-fixed point. If $\SLE$ is attractive, then the quasi-fixed points obtained this way are precisely the least quasi-fixed points. 
\end{itemize} We remark that all these results would have required much more effort than we spent (if possible at all), if we were not with the smart assistance by Isabelle. Our workflow was often the following: first we formalize existing proofs, try relaxing assumptions, see where proof breaks, and at some point ask for a counterexample. \begin{figure} \small \centering \def\isa#1{\textsf{#1}} \def\t{-1.8} \def\a{3.6} \def\at{1.8} \def\s{-3.6} \def\st{-5.4} \begin{tikzpicture} \tikzstyle{every node}=[draw,ellipse] \tikzstyle{every edge}=[draw] \draw (0,0) node[fill] (rel) {} (\t,1) node (trans) {\isa{transitive}} (0,-2) node (refl) {\isa{reflexive}} (0,2) node (irr) {\isa{irreflexive}} (\s,0) node (sym) {\isa{symmetric}} (\a,0) node (anti) {\isa{antisymmetric}} (\at,1) node (near) {\isa{near\_order}} (\a,2) node (asym) {\isa{asymmetric}} (\a,-2) node (pso) {\isa{pseudo\_order}} (\at,-1) node (po) {\isa{partial\_order}} (\t,-1) node (qo) {\isa{quasi\_order}} (0,3) node (str) {\hspace{3em}\isa{strict\_order}\mbox{\hspace{3em}}} (\st,-1) node (equiv) {\isa{equivalence}} (\st,1) node (peq) {\hspace{-.8em}\isa{partial\_equivalence}\mbox{\hspace{-.8em}}} (\st,3) node (emp) {$\emptyset$} (\s,-2) node (tol) {\isa{tolerance}} (\s,2) node (ntol) {$\neg$\isa{tolerance}} ; \draw[->] (near) edge[color=blue] ([xshift=51,yshift=-7]str) (irr) edge[color=red] ([xshift=-46,yshift=-8]str) (trans) edge[color=blue] ([xshift=-51,yshift=-7]str) (asym) edge[color=red] ([xshift=55,yshift=-7]str) (trans) edge[color=green] (near) (anti) edge[color=red] (near) (irr) edge[color=green] (asym) (anti) edge[color=blue] (asym) (anti) edge[color=blue] (pso) (near) edge[color=blue] (po) (pso) edge[color=red] (po) (refl) edge[color=green] (pso) (trans) edge[color=blue] (qo) (refl) edge[color=red] (qo) (qo) edge[color=green] (po) (qo) edge[color=green] (equiv) (peq) edge[color=blue] (equiv) (trans) edge[color=green] (peq) (peq) edge[color=blue] (emp) (str) edge[color=green] (emp) (sym) 
edge[color=red] (peq) (sym) edge[color=blue] (tol) (sym) edge[color=blue] (ntol) (irr) edge[color=green] (ntol) (refl) edge[color=green] (tol) (ntol) edge[color=red] (emp) (tol) edge[color=red] (equiv) (rel) edge[color=red, line width=1.5pt] (trans) (rel) edge[color=blue, line width=1.5pt] (irr) (rel) edge[color=blue, line width=1.5pt] (refl) (rel) edge[color=green, line width=1.5pt] (sym) (rel) edge[color=green, line width=1.5pt] (anti) ; \end{tikzpicture} \caption{\label{fig:non-orders} Combinations of basic properties. The black dot around the center represents arbitrary binary relations, and the five outgoing arrows indicate atomic assumptions. We do not present the combination of \isa{reflexive} and \isa{irreflexive}, which is empty, and one of \isa{symmetric} and \isa{antisymmetric}, which is a subset of equality. Node ``$\neg$\isa{tolerance}'' indicates the negated relation is \isa{tolerance}, and ``$\emptyset$'' is the empty relation. } \end{figure} \paragraph*{Related Work} Many attempts have been made to generalize the notion of completeness for lattices, conducted in different directions: by relaxing the notion of order itself, removing transitivity (pseudo-orders \cite{trellis}); by relaxing the notion of lattice, considering minimal upper bounds instead of least upper bounds ($\chi$-posets \cite{LN83}); by relaxing the notion of completeness, requiring the existence of least upper bounds for restricted classes of subsets (e.g., directed complete and $\omega$-complete, see \cite{davey02} for a textbook). 
Considering those generalizations, it was natural to prove new versions of classical fixed-point theorems for maps preserving those structures, e.g., existence of least fixed points for monotone maps on (weak chain) complete pseudo-orders \cite{Bhatta05, SM13}, construction of least fixed points for $\omega$-continuous functions for $\omega$-complete lattices \cite{mashburn83}, (weak chain) completeness of the set of fixed points for monotone functions on (weak chain) complete pseudo-orders \cite{PG11}. Concerning Isabelle formalization, one can easily find several formalizations of complete partial orders or lattices in Isabelle's standard library. They are, however, defined on partial orders, either in form of classes or locales, and thus not directly reusable for non-orders. Nevertheless we tried to make our formalization compatible with the existing ones, and various correspondences are ensured. This work has been published in the conference paper \cite{YamadaD2019}. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Completeness/document/root.tex b/thys/Completeness/document/root.tex --- a/thys/Completeness/document/root.tex +++ b/thys/Completeness/document/root.tex @@ -1,22 +1,22 @@ \documentclass[11pt,a4paper]{article} -\usepackage{isabelle} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Completeness for FOL} \author{James Margetson, ported by Tom Ridge} \maketitle \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/Complex_Geometry/document/root.tex b/thys/Complex_Geometry/document/root.tex --- a/thys/Complex_Geometry/document/root.tex +++ b/thys/Complex_Geometry/document/root.tex 
@@ -1,73 +1,74 @@ \documentclass[8pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[margin=2cm]{geometry} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \usepackage{amsmath} \begin{document} \title{Complex Geometry} \author{Filip Mari\'c \and Danijela Simi\'c } \maketitle \begin{abstract} A formalization of geometry of complex numbers is presented. Fundamental objects that are investigated are the complex plane extended by a single infinite point, its objects (points, lines and circles), and groups of transformations that act on them (e.g., inversions and M\"obius transformations). Most objects are defined algebraically, but correspondence with classical geometric definitions is shown. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \clearpage \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Complx/document/root.tex b/thys/Complx/document/root.tex --- a/thys/Complx/document/root.tex +++ b/thys/Complx/document/root.tex 
@@ -1,56 +1,57 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[french,english]{babel} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{tt} \newcommand{\simpl}{\sloppy \textsc{Simpl}} \newcommand{\complx}{\sloppy \textsc{Complx}} \begin{document} \title{\complx: a Verification Framework for Concurrent Imperative Programs} \author{Sidney Amani, June Andronick, Maksym Bortin,\\ Corey Lewis, Christine Rizkallah, Joseph Tuong} \maketitle \begin{abstract} We propose a concurrency reasoning framework for imperative programs, based on the Owicki-Gries (OG) foundational shared-variable concurrency method. Our framework combines the approaches of Hoare-Parallel, a formalisation of OG in Isabelle/HOL for a simple while-language, and \simpl, a generic imperative language embedded in Isabelle/HOL, allowing formal reasoning on C programs. We define the \complx{} language, extending the syntax and semantics of \simpl{} with support for parallel composition and synchronisation. We additionally define an OG logic, which we prove sound w.r.t. the semantics, and a verification condition generator, both supporting involved low-level imperative constructs such as function calls and abrupt termination. We illustrate our framework on an example that features exceptions, guards and function calls. We aim to then target concurrent operating systems, such as the interruptible eChronos embedded operating system for which we already have a model-level OG proof using Hoare-Parallel. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/ComponentDependencies/document/root.tex b/thys/ComponentDependencies/document/root.tex --- a/thys/ComponentDependencies/document/root.tex 
+++ b/thys/ComponentDependencies/document/root.tex @@ -1,59 +1,59 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{mdwlist} \usepackage{amssymb} \usepackage{amsmath} \usepackage{bbding} % check marks \usepackage{pifont} % arrows \usepackage{stmaryrd} % arrows \usepackage{graphicx} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} %macros \newcommand{\idep}{\mathbb{I}^\mathcal{D}} \newcommand{\odep}{\mathbb{O}^\mathcal{D}} \newcommand{\instreams}{\mathbb{I}} \newcommand{\outstreams}{\mathbb{O}} \title{Formalisation and Analysis of Component Dependencies} \author{Maria Spichkova} \maketitle \begin{abstract} This set of theories presents a formalisation in Isabelle/HOL~\cite{npw} of data dependencies between components. The approach allows to analyse system structure oriented towards efficient checking of system: it aims at elaborating for a concrete system, which parts of the system (or system model) are necessary to check a given property. \end{abstract} \tableofcontents \newpage \input{intro} \parindent 0pt\parskip 0.5ex % generated text of all theories \newpage \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/ConcurrentGC/document/root.tex b/thys/ConcurrentGC/document/root.tex --- a/thys/ConcurrentGC/document/root.tex +++ b/thys/ConcurrentGC/document/root.tex 
@@ -1,86 +1,86 @@ \documentclass[11pt,a4paper]{article} \usepackage[a4paper,margin=1cm,footskip=.5cm]{geometry} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage{graphicx} \usepackage[authoryear,longnamesfirst,sort]{natbib} \bibpunct();A{}, % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\ttdefault}{cmtt} % CM rather than courier for \tt % for uniform font size \renewcommand{\isastyle}{\isastyleminor} % Abstract various things that might change. \newcommand{\ccode}[1]{\texttt{#1}} \newcommand{\isabelletype}[1]{\emph{#1}} \newcommand{\isabelleterm}[1]{\emph{#1}} % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{document} \title{Relaxing Safely: Verified On-the-Fly Garbage Collection for x86-TSO} \author{Peter Gammie, Tony Hosking and Kai Engelhardt} \maketitle \begin{abstract} We model an instance of Schism, a state-of-the-art real-time garbage collection scheme for weak memory, and show that it is safe on x86-TSO. \end{abstract} \tableofcontents \section{Introduction} \label{sec:introduction} We verify the memory safety of one of the Schism garbage collectors as developed by \citet{Pizlo+2010PLDI,Pizlo201xPhd} with respect to the x86-TSO model (a total store order memory model for modern multicore Intel x86 architectures) developed and validated by \citet{DBLP:journals/cacm/SewellSONM10}. Our development is inspired by the original work on the verification of concurrent mark/sweep collectors by \citet{DBLP:journals/cacm/DijkstraLMSS78}, and the more realistic models and proofs of \citet{DoligezGonthier:1994}. We leave a thorough survey of formal garbage collection verification to future work. 
We present our model of the garbage collector in \S\ref{sec:gc-model}, the predicates we use in our assertions in \S\ref{sec:proofs-basis}, the detailed invariants in \S\ref{sec:global-invariants} and \S\ref{sec:local-invariants}, and the high-level safety results in \S\ref{sec:top-level-correctness}. A concrete system state that satisfies our invariants is exhibited in \S\ref{sec:concrete-system-state}. The other sections contain the often gnarly proofs and lemmas starring in supporting roles. The modelling language CIMP used in this development is described in the AFP entry ConcurrentIMP \citep{ConcurrentIMP_AFP}. % generated text of all theories \input{session} \bibliographystyle{plainnat} \bibliography{root} \addcontentsline{toc}{section}{References} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/ConcurrentIMP/document/root.tex b/thys/ConcurrentIMP/document/root.tex --- a/thys/ConcurrentIMP/document/root.tex +++ b/thys/ConcurrentIMP/document/root.tex 
@@ -1,88 +1,88 @@ \documentclass[11pt,a4paper]{article} \usepackage[a4paper,margin=1cm,footskip=.5cm]{geometry} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{wasysym} \usepackage[english]{babel} % lifted composition. \newcommand{\isasymbigcirc}{\isamath{\circ}} % Bibliography \usepackage[authoryear,longnamesfirst,sort]{natbib} \bibpunct();A{}, % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\ttdefault}{cmtt} % CM rather than courier for \tt % for uniform font size \renewcommand{\isastyle}{\isastyleminor} % Abstract various things that might change. \newcommand{\ccode}[1]{\texttt{#1}} \newcommand{\isabelletype}[1]{\emph{#1}} \newcommand{\isabelleterm}[1]{\emph{#1}} \begin{document} \title{CIMP} \author{Peter Gammie} \maketitle \begin{abstract} CIMP extends the small imperative language IMP with control non-determinism and constructs for synchronous message passing. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section{Concluding remarks} Previously \citet{DBLP:conf/fase/NipkowN99,Prensa-PhD,Prensa-ESOP03}\footnote{The theories are in \texttt{\$ISABELLE/src/HOL/Hoare\_Parallel}.} have developed the classical Owicki/Gries and Rely-Guarantee paradigms for the verification of shared-variable concurrent programs in Isabelle/HOL. These have been used to show the correctness of a garbage collector \citep{PrenEsp00}. We instead use synchronous message passing, which is significantly less explored. \citet{DBLP:conf/mfcs/BoerRH99,DBLP:books/cu/RoeverBH2001} provide compositional systems for \emph{terminating} systems. 
We have instead adopted Lamport's paradigm of a single global invariant and local proof obligations as the systems we have in mind are tightly coupled and it is not obvious that the proofs would be easier on a decomposed system; see \citet[\S1.6.6]{DBLP:books/cu/RoeverBH2001} for a concurring opinion. Unlike the generic sequential program verification framework Simpl \citep{DBLP:conf/lpar/Schirmer04}, we do not support function calls, or a sophisticated account of state spaces. Moreover we do no meta-theory beyond showing the simple VCG is sound (\S\ref{sec:cimp-vcg}). \bibliographystyle{plainnat} \bibliography{root} \addcontentsline{toc}{section}{References} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Concurrent_Ref_Alg/document/root.tex b/thys/Concurrent_Ref_Alg/document/root.tex --- a/thys/Concurrent_Ref_Alg/document/root.tex +++ b/thys/Concurrent_Ref_Alg/document/root.tex 
@@ -1,172 +1,173 @@ \documentclass[12pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % additional symbol fonts \usepackage{stmaryrd} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} \usepackage{times} %\usepackage{a4med} \newcommand{\isasymiinter}{\isamath{\doublecap}} \newcommand{\isasymocirc}{\isamath{\circledcirc}} \newcommand{\isasymostar}{\isamath{\varoast}} \newcommand{\quotient}{\mathbin{//}} \newcommand{\Seq}{\mathbin{;}} \newcommand{\refsto}{\mathrel{\sqsubseteq}} \newcommand{\nondet}{\mathbin{\sqcap}} \newcommand{\Nondet}{\mathop{\bigsqcap}} \newcommand{\together}{\mathbin{\doublecap}} %\newcommand{\parallel}{\mathbin{||}} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Concurrent Refinement Algebra and Rely Quotients} \author{Julian Fell and Ian Hayes and Andrius Velykis} \maketitle \begin{abstract} The concurrent refinement algebra developed here is designed to provide a foundation for rely/guarantee reasoning about concurrent programs. The algebra builds on a complete lattice of commands by providing sequential composition, parallel composition and a novel weak conjunction operator. The weak conjunction operator coincides with the lattice supremum providing its arguments are non-aborting, but aborts if either of its arguments do. Weak conjunction provides an abstract version of a guarantee condition as a guarantee process. We distinguish between models that distribute sequential composition over non-deterministic choice from the left (referred to as being conjunctive in the refinement calculus literature) and those that don't. Least and greatest fixed points of monotone functions are provided to allow recursion and iteration operators to be added to the language. Additional iteration laws are available for conjunctive models. 
The rely quotient of processes $c$ and $i$ is the process that, if executed in parallel with $i$ implements $c$. It represents an abstract version of a rely condition generalised to a process. \end{abstract} \newpage \tableofcontents \parindent 0pt\parskip 0.5ex \newpage \section{Overview} The theories provided here were developed in order to provide support for rely/guarantee concurrency \cite{Jones81d,jon83a}. The theories provide a quite general concurrent refinement algebra that builds on a complete lattice of commands by adding sequential and parallel composition operators as well as recursion. A novel weak conjunction operator is also added as this allows one to build more general specifications. The theories are based on the paper by Hayes~\cite{AFfGRGRACP}, however there are some differences that have been introduced to correct and simplify the algebra and make it more widely applicable. See the appendix for a summary of the differences. The basis of the algebra is a complete lattice of commands (Section~\ref{S:lattice}). Sections~\ref{S:sequential}, \ref{S:parallel} and \ref{S:conjunction} develop laws for sequential composition, parallel composition and weak conjunction, respectively, based on the refinement lattice. Section~\ref{S:CRA} brings the above theories together. Section~\ref{S:galois} adds least and greatest fixed points and there associated laws, which allows finite, possibly infinite and strictly infinite iteration operators to be defined in Section~\ref{S:iteration} in terms of fixed points. The above theories do not assume that sequential composition is conjunctive. Section~\ref{S:conjunctive-sequential} adds this assumption and derives a further set of laws for sequential composition and iterations. Section~\ref{S:rely-quotient} builds on the general theory to provide a rely quotient operator that can be used to provide a general rely/guarantee framework for reasoning about concurrent programs. 
\input{session} \section{Conclusions} The theories presented here provide a quite abstract view of the rely/guarantee approach to concurrent program refinement. A trace semantics for this theory has been developed \cite{DaSMfaWSLwC}. The concurrent refinement algebra is general enough to also form the basis of a more concrete rely/guarantee approach based on a theory of atomic steps and synchronous parallel and weak conjunction operators \cite{FM2016atomicSteps}. \subparagraph*{Acknowledgements.} This research was supported by Australian Research Council Grant grant DP130102901 and EPSRC (UK) Taming Concurrency grant. This research has benefited from feedback from Robert Colvin, Chelsea Edmonds, Ned Hoy, Cliff Jones, Larissa Meinicke, and Kirsten Winter. %but the remaining errors are all courtesy of the authors. \appendix \section{Differences to earlier paper} This appendix summarises the differences between these Isabelle theories and the earlier paper \cite{AFfGRGRACP}. We list the changes to the axioms but not all the flow on effects to lemmas. \begin{enumerate} \item The earlier paper assumes $c \Seq (d_0 \nondet d_1) = (c \Seq d_0) \nondet (c \Seq d_1)$ but here we separate the case where this is only a refinement from left to right (Section~\ref{S:sequential}) from the equality case (Section~\ref{S:conjunctive-sequential}). \item\label{diff:distr-par} The earlier paper assumes $(\Nondet C) \parallel d = (\Nondet c \in C . c \parallel d)$ but in Section~\ref{S:parallel} we assume this only for non-empty $C$ and furthermore assume that parallel is abort strict, i.e. $\bot \parallel c = c$. \item The earlier paper assumes $c \together (\bigsqcup D) = (\bigsqcup d \in D . c \together d)$. In Section~\ref{S:conjunction} that assumption is not made because it does not hold for the model we have in mind \cite{DaSMfaWSLwC} but we do assume $c \together \bot = \bot$. 
\item In Section~\ref{S:CRA} we add the assumption $nil \refsto nil \parallel nil$ to locale sequential-parallel. \item In Section~\ref{S:CRA} we add the assumption $\top \refsto chaos \parallel \top$. \item In Section~\ref{S:CRA} we assume only $chaos \refsto chaos \parallel chaos$ whereas in the paper this is an equality (the reverse direction is straightforward to prove). \item In Section~\ref{S:CRA} axiom chaos-skip ($chaos \refsto skip$) has been dropped because it can be proven as a lemma using the parallel-interchange axiom. \item In Section~\ref{S:CRA} we add the assumption $chaos \refsto chaos \Seq chaos$. \item Section~\ref{S:conjunctive-sequential} assumes $D \neq \{\} \Rightarrow c \Seq \Nondet D = (\Nondet d \in D . c \Seq d)$. This distribution axiom is not considered in the earlier paper. \item Because here parallel does not distribute over an empty non-deterministic choice (see point \ref{diff:distr-par} above) in Section~\ref{S:rely-quotient} the theorem rely-quotient needs to assume the interference process $i$ is non-aborting (refines chaos). This also affects many lemmas in this section that depend on theorem rely-quotient. \end{enumerate} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Concurrent_Revisions/document/root.tex b/thys/Concurrent_Revisions/document/root.tex --- a/thys/Concurrent_Revisions/document/root.tex +++ b/thys/Concurrent_Revisions/document/root.tex 
@@ -1,38 +1,38 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Formalization of Concurrent Revisions} \author{Roy Overbeek} \maketitle \begin{abstract} \noindent Concurrent revisions is a concurrency control model developed by Microsoft Research \cite{burckhardt2010concurrent}. It has many interesting properties that distinguish it from other well-known models such as transactional memory. One of these properties is \emph{determinacy}: programs written within the model always produce the same outcome, independent of scheduling activity. The concurrent revisions model has an operational semantics, with an informal proof of determinacy \cite{burckhardt2011semantics}. This document contains an Isabelle/HOL formalization of this semantics and the proof of determinacy. It is part of my master's thesis \cite{overbeek2018formalizing}, which describes it in more detail.\footnote{My master's thesis was partially funded by ING, and I would especially like to thank my supervisors Jasmin Blanchette (VU Amsterdam), Robbert van Dalen (ING) and Wan Fokkink (VU Amsterdam) for their useful feedback on this work. } \end{abstract} \tableofcontents \pagebreak % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Consensus_Refined/document/root.tex b/thys/Consensus_Refined/document/root.tex --- a/thys/Consensus_Refined/document/root.tex +++ b/thys/Consensus_Refined/document/root.tex 
@@ -1,140 +1,140 @@ \documentclass[12pt]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle} \usepackage{isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage{amsmath} \usepackage{graphicx} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{document} \title{Consensus Refined} \begin{abstract} Algorithms for solving the consensus problem are fundamental to distributed computing. Despite their brevity, their ability to operate in concurrent, asynchronous and failure-prone environments comes at the cost of complex and subtle behaviors. Accordingly, understanding how they work and proving their correctness is a non-trivial endeavor where abstraction is immensely helpful. % Moreover, research on consensus has yielded a large number of algorithms, many of which appear to share common algorithmic ideas. A natural question is whether and how these similarities can be distilled and described in a precise, unified way. % In this work, we combine stepwise refinement and lockstep models to provide an abstract and unified view of a sizeable family of consensus algorithms. Our models provide insights into the design choices underlying the different algorithms, and classify them based on those choices. \end{abstract} \maketitle \tableofcontents \newpage \section{Introduction} \label{sec:introduction} \emph{Distributed consensus} is a fundamental problem in distributed computing: a fixed set of processes must \textit{agree} on a single value from a set of proposed ones. Algorithms that solve this problem provide building blocks for many higher-level tasks, such as distributed leases, group membership, atomic broadcast (also known as total-order broadcast or multi-consensus), and so forth. These in turn provide building blocks for yet higher-level tasks like system replication. 
In this work, however, our focus is on consensus algorithms ``proper'', rather than their applications. Namely, we consider consensus algorithms for the asynchronous message-passing setting with benign link and process failures. Although the setting we consider explicitly excludes malicious behavior, the interplay of concurrency, asynchrony, and failures can still drive the execution of any consensus algorithm in many different ways. This makes the understanding of both the algorithms and their correctness non-trivial. Furthermore, many consensus algorithms have been proposed in the literature. Many of these algorithms appear to share similar underlying algorithmic ideas, although their presentation, structure and details differ. A natural question is whether these similarities can be distilled and captured in a uniform and generic way. In the same vein, one may ask whether the algorithms can be classified by some natural criteria. This formalization, which accompanies our conference paper~\cite{maric_consensus_15}, is our contribution towards addressing these issues. Our primary tool in tackling them is \emph{abstraction}. We describe consensus algorithms using \emph{stepwise refinement}. In this method, an algorithm is derived through a sequence of models. The initial models in the sequence can describe the algorithms in arbitrarily abstract terms. In our abstractions, we remove message passing and describe the system using non-local steps that depend on the states of multiple processes. These abstractions allow us to focus on the main algorithmic ideas, without getting bogged down in details, thereby providing simplicity. We then gradually introduce details in successive, more concrete models that refine the abstract ones. In order to be implementable in a distributed setting, the final models must use strictly local steps, and communicate only by passing messages. 
The link between abstract and concrete models is precisely described and proved using \emph{refinement relations}. Furthermore, the same abstract model can be implemented by different algorithms. This results in a \emph{refinement tree} of models, where branching corresponds to different implementations. \begin{figure*}[t] \centering \includegraphics[scale=0.35]{ref-tree} \caption{The consensus family tree. Boxes contain models of concrete algorithms.} \label{fig:consensus-tree} \end{figure*} Figure~\ref{fig:consensus-tree} shows the resulting refinement tree for our development. It captures the relationships between the different consensus algorithms found at its leaves: OneThirdRule, $A_{T,E}$, Ben-Or's algorithm, UniformVoting, Paxos, Chandra-Toueg algorithm and a new algorithm that we present. The refinement tree provides a natural classification of these algorithms. The new algorithm answers a question raised in~\cite{charron-bost_heard-model:_2009}, asking whether there exists a leaderless consensus algorithm that requires no waiting to provide safety, while tolerating up to $\frac{N}{2}$ process failures. Our abstract (non-leaf) models are represented using unlabeled transition systems. For the models of the concrete algorithms, we adopt the Heard-Of model~\cite{charron-bost_heard-model:_2009}) and reuse its Isabelle formalization by Debrat and Merz~\cite{DBLP:journals/afp/DebratM12}. The Heard-Of model belongs to a class of models we refer to as \emph{lockstep}, and which are applicable to algorithms which operate in communication-closed rounds. For this class of algorithms, the asynchronous setting is replaced by what is an essentially a synchronous model weakened by message loss (dual to strengthening the asynchronous model by failure detectors). This provides the illusion that all the processes operate in lockstep. 
Yet our results translate to the asynchronous setting of the real world, thanks to the preservation result established in~\cite{chaouch-saad_reduction_2009} (and formalized in~\cite{DBLP:journals/afp/DebratM12}). \section{Preliminaries} \label{sec:introduction} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Constructive_Cryptography/document/root.tex b/thys/Constructive_Cryptography/document/root.tex --- a/thys/Constructive_Cryptography/document/root.tex +++ b/thys/Constructive_Cryptography/document/root.tex 
@@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} \usepackage{booktabs} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Constructive Cryptography in HOL} \author{Andreas Lochbihler and S. Reza Sefidgar} \maketitle \begin{abstract} Inspired by Abstract Cryptography~\cite{Maurer2011}, we extend CryptHOL~\cite{Basin2017, Lochbihler2017AFP}, a framework for formalizing game-based proofs, with an abstract model of Random Systems~\cite{Maurer2002} and provide proof rules about their composition and equality. This foundation facilitates the formalization of Constructive Cryptography~\cite{Maurer2011a} proofs, where the security of a cryptographic scheme is realized as a special form of construction in which a complex random system is built from simpler ones. This is a first step towards a fully-featured compositional framework, similar to Universal Composability framework~\cite{Canetti2001}, that supports formalization of simulation-based proofs~\cite{Goldwasser1989}. \end{abstract} \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Constructor_Funs/document/root.tex b/thys/Constructor_Funs/document/root.tex --- a/thys/Constructor_Funs/document/root.tex +++ b/thys/Constructor_Funs/document/root.tex 
@@ -1,25 +1,26 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Constructor Functions} \author{Lars Hupel} \maketitle \begin{abstract} Isabelle's code generator performs various adaptations for target languages. Among others, constructor applications have to be fully saturated. That means that for constructor calls occuring as arguments to higher-order functions, synthetic lambdas have to be inserted. This entry provides tooling to avoid this construction altogether by introducing constructor functions. \end{abstract} \parindent 0pt\parskip 0.5ex \input{session} \end{document} \ No newline at end of file diff --git a/thys/Containers/document/root.tex b/thys/Containers/document/root.tex --- a/thys/Containers/document/root.tex +++ b/thys/Containers/document/root.tex 
@@ -1,99 +1,100 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{booktabs} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \newcommand{\isaheader}[1]{\section{#1}} \makeatletter \newenvironment{abstract}{% \small \begin{center}% {\bfseries \abstractname\vspace{-.5em}\vspace{\z@}}% \end{center}% \quotation}{\endquotation} \makeatother \begin{document} \title{Light-Weight Containers} \author{Andreas Lochbihler} \maketitle \begin{abstract} This development provides a framework for container types like sets and maps such that generated code implements these containers with different (efficient) data structures. Thanks to type classes and refinement during code generation, this light-weight approach can seamlessly replace Isabelle's default setup for code generation. Heuristics automatically pick one of the available data structures depending on the type of elements to be stored, but users can also choose on their own. The extensible design permits to add more implementations at any time. 
To support arbitrary nesting of sets, we define a linear order on sets based on a linear order of the elements and provide efficient implementations. It even allows to compare complements with non-complements. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \chapter{Introduction} This development focuses on generating efficient code for container types like sets and maps. It falls into two parts: First, we define linear order on sets (Ch.~\ref{chapter:linear:order:set}) that is efficiently executable given a linear order on the elements. Second, we define an extensible framework LC (for light-weight containers) that supports multiple (efficient) implementations of container types (Ch.~\ref{chapter:light-weight:containers}) in generated code. Both parts heavily exploit type classes and the refinement features of the code generator \cite{HaftmannKrausKuncarNipkow2013ITP}. This way, we are able to implement the HOL types for sets and maps directly, as the name light-weight containers (LC) emphasises. In comparison with the Isabelle Collections Framework (ICF) \cite{LammichLochbihler2010ITP,Lammich2009AFP}, the style of refinement is the major difference. In the ICF, the container types are replaced with the types of the data structures inside the logic. Typically, the user has to define his operations that involve maps and sets a second time such that they work on the concrete data structures; then, she has to prove that both definitions agree. With LC, the refinement happens inside the code generator. Hence, the formalisation can stick with the types $'a\ set$ and $('a, 'b)\ mapping$ and there is no need to duplicate definitions or prove refinement. The drawback is that with LC, we can only implement operations that can be fully specified on the abstract container type. In particular, the internal representation of the implementations may not affect the result of the operations. 
For example, it is not possible to pick non-deterministically an element from a set or fold a set with a non-commutative operation, i.e., the result depends on the order of visiting the elements. For more documentation and introductory material refer to the userguide (Chapter~\ref{chapter:Userguide}) and the ITP-2013 paper \cite{Lochbihler2013ITP}. % generated text of all theories \input{session} %\input{conclusion} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/CoreC++/document/root.tex b/thys/CoreC++/document/root.tex --- a/thys/CoreC++/document/root.tex +++ b/thys/CoreC++/document/root.tex @@ -1,50 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{latexsym} \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{wasysym} \usepackage{graphicx} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \hyphenation{Isabelle} \begin{document} \title{An Operational Semantics and Type Safety Proof for Multiple Inheritance in C++ (CoreC++)} \author{Daniel Wasserrab\\ Fakult\"at f\"ur Mathematik und Informatik\\ Universit\"at Passau\\ \url{http://www.infosun.fmi.uni-passau.de/st/staff/wasserra/}\\ \includegraphics{corec++}} \date{\today} \maketitle \begin{abstract} We present an operational semantics and type safety proof for multiple inheritance in C++. The semantics models the behavior of method calls, field accesses, and two forms of casts. For explanations see~\cite{WasserrabNST-OOPSLA06}. \end{abstract} \tableofcontents \input{session} \clearpage \phantomsection \addcontentsline{toc}{section}{Bibliography} \bibliographystyle{plain} \bibliography{root} \end{document} diff --git a/thys/Core_DOM/document/root.tex b/thys/Core_DOM/document/root.tex --- a/thys/Core_DOM/document/root.tex 
+++ b/thys/Core_DOM/document/root.tex 
@@ -1,264 +1,265 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% Overrides the (rightfully issued) warnings by Koma Script that \rm %%% etc. should not be used (they are deprecated since more than a %%% decade) \DeclareOldFontCommand{\rm}{\normalfont\rmfamily}{\mathrm} \DeclareOldFontCommand{\sf}{\normalfont\sffamily}{\mathsf} \DeclareOldFontCommand{\tt}{\normalfont\ttfamily}{\mathtt} \DeclareOldFontCommand{\bf}{\normalfont\bfseries}{\mathbf} \DeclareOldFontCommand{\it}{\normalfont\itshape}{\mathit} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \usepackage[english]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{listings} \lstloadlanguages{HTML} \usepackage[]{mathtools} \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} \lstdefinestyle{html}{language=XML, basicstyle=\ttfamily, commentstyle=\itshape, keywordstyle=\color{blue}, ndkeywordstyle=\color{blue}, } \lstdefinestyle{displayhtml}{style=html, floatplacement={tbp}, captionpos=b, framexleftmargin=0pt, basicstyle=\ttfamily\scriptsize, backgroundcolor=\color{black!2}, frame=lines, } \lstnewenvironment{html}[1][]{\lstset{style=displayhtml, #1}}{} \def\inlinehtml{\lstinline[style=html, columns=fullflexible]} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{Core DOM\\\medskip \Large A Formal Model of the Document Object Model}% \author{Achim~D.~Brucker \and Michael~Herzberg}% \publishers{ Department of Computer 
Science\\ The University of Sheffield\\ Sheffield, UK\\ \texttt{\{\href{mailto:a.brucker@sheffield.ac.uk}{a.brucker}, \href{mailto:msherzberg1@sheffield.ac.uk}{msherzberg1}\}@sheffield.ac.uk} } \begin{document} \maketitle \begin{abstract} \begin{quote} In this AFP entry, we formalize the core of the Document Object Model (DOM). At its core, the DOM defines a tree-like data structure for representing documents in general and HTML documents in particular. It is the heart of any modern web browser. Formalizing the key concepts of the DOM is a prerequisite for the formal reasoning over client-side JavaScript programs and for the analysis of security concepts in modern web browsers. We present a formalization of the core DOM, with focus on the \emph{node-tree} and the operations defined on node-trees, in Isabelle/HOL\@. We use the formalization to verify the functional correctness of the most important functions defined in the DOM standard. Moreover, our formalization is \begin{inparaenum} \item \emph{extensible}, i.e., can be extended without the need of re-proving already proven properties and \item \emph{executable}, i.e., we can generate executable code from our specification. \end{inparaenum} \bigskip \noindent{\textbf{Keywords:}} Document Object Model, DOM, Formal Semantics, Isabelle/HOL \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} In a world in which more and more applications are offered as services on the internet, web browsers start to take on a similarly central role in our daily IT infrastructure as operating systems. Thus, web browsers should be developed as rigidly and formally as operating systems. 
While formal methods are a well-established technique in the development of operating systems (see, \eg,~\citet{klein:operating:2009} for an overview of formal verification of operating systems), there are few proposals for improving the development of web browsers using formal approaches~\cite{gardner.ea:dom:2008,raad.ea:dom:2016,jang.ea:establishing:2012,bohannon.ea:featherweight:2010}. As a first step towards a verified client-side web application stack, we model and formally verify the Document Object Model (DOM) in Isabelle/HOL\@. The DOM~\cite{whatwg:dom:2017,w3c:dom:2015} is \emph{the} central data structure of all modern web browsers. At its core, the Document Object Model (DOM), defines a tree-like data structure for representing documents in general and HTML documents in particular. Thus, the correctness of a DOM implementation is crucial for ensuring that a web browser displays web pages correctly. Moreover, the DOM is the core data structure underlying client-side JavaScript programs, \ie, client-side JavaScript programs are mostly programs that read, write, and update the DOM. In more detail, we formalize the core DOM as a shallow embedding~\cite{joyce.ea:higher:1994} in Isabelle/HOL\@. Our formalization is based on a typed data model for the \emph{node-tree}, \ie, a data structure for representing XML-like documents in a tree structure. Furthermore, we formalize a typed heap for storing (partial) node-trees together with the necessary consistency constraints. Finally, we formalize the operations (as described in the DOM standard~\cite{whatwg:dom:2017}) on this heap that allow manipulating node-trees. Our machine-checked formalization of the DOM node tree~\cite{whatwg:dom:2017} has the following desirable properties: \begin{itemize} \item It provides a \emph{consistency guarantee.} Since all definitions in our formal semantics are conservative and all rules are derived, the logical consistency of the DOM node-tree is reduced to the consistency of HOL. 
\item It serves as a \emph{technical basis for a proof system.} Based on the derived rules and specific setup of proof tactics over node-trees, our formalization provides a generic proof environment for the verification of programs manipulating node-trees. \item It is \emph{executable}, which allows to validate its compliance to the standard by evaluating the compliance test suite on the formal model and \item It is \emph{extensible} in the sense of~\cite{brucker.ea:extensible:2008-b,brucker:interactive:2007}, \ie, properties proven over the core DOM do not need to be re-proven for object-oriented extensions such as the HTML document model. \end{itemize} The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle.\footnote{For a brief overview of the work, we refer the reader to~\cite{brucker.ea:core-dom:2018}.} The structure follows the theory dependencies (see \autoref{fig:session-graph}): we start with introducing the technical preliminaries of our formalization (\autoref{cha:perliminaries}). Next, we introduce the concepts of pointers (\autoref{cha:pointers}) and classes (\autoref{cha:classes}), i.e., the core object-oriented datatypes of the DOM. On top of this data model, we define the functional behavior of the DOM classes, i.e., their methods (\autoref{cha:monads}). In \autoref{cha:dom}, we introduce the formalization of the functionality of the core DOM, i.e., the \emph{main entry point for users} that want to use this AFP entry. Finally, we formalize the relevant compliance test cases in \autoref{cha:tests}. 
\begin{figure} \centering \includegraphics[width=.8\textwidth]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} \clearpage \chapter{Preliminaries} \label{cha:perliminaries} In this chapter, we introduce the technical preliminaries of our formalization of the core DOM, namely a mechanism for hiding type variables and the heap error monad. \input{Hiding_Type_Variables} \input{Heap_Error_Monad} \chapter{References and Pointers} \label{cha:pointers} In this chapter, we introduce a generic type for object-oriented references and typed pointers for each class type defined in the DOM standard. \input{Ref} \input{ObjectPointer} \input{NodePointer} \input{ElementPointer} \input{CharacterDataPointer} \input{DocumentPointer} \input{ShadowRootPointer} \chapter{Classes} \label{cha:classes} In this chapter, we introduce the classes of our DOM model. The definition of the class types follows closely the one of the pointer types. Instead of datatypes, we use records for our classes. a generic type for object-oriented references and typed pointers for each class type defined in the DOM standard. \input{BaseClass} \input{ObjectClass} \input{NodeClass} \input{ElementClass} \input{CharacterDataClass} \input{DocumentClass} \chapter{Monadic Object Constructors and Accessors} \label{cha:monads} In this chapter, we introduce the moandic method definitions for the classes of our DOM formalization. Again the overall structure follows the same structure as for the class types and the pointer types. \input{BaseMonad} \input{ObjectMonad} \input{NodeMonad} \input{ElementMonad} \input{CharacterDataMonad} \input{DocumentMonad} \chapter{The Core DOM} \label{cha:dom} In this chapter, we introduce the formalization of the core DOM, i.e., the most important algorithms for querying or modifying the DOM, as defined in the standard. For more details, we refer the reader to \cite{brucker.ea:core-dom:2018}. 
\input{Core_DOM_Basic_Datatypes} \input{Core_DOM_Functions} \input{Core_DOM_Heap_WF} \input{Core_DOM} \chapter{Test Suite} \label{cha:tests} In this chapter, we present the formalized compliance test cases for the core DOM. As our formalization is executable, we can (symbolically) execute the test cases on top of our model. Executing these test cases successfully shows that our model is compliant to the official DOM standard. As future work, we plan to generate test cases from our formal model (e.g., using~\cite{brucker.ea:interactive:2005,brucker.ea:theorem-prover:2012}) to improve the quality of the official compliance test suite. For more details on the relation of test and proof in the context of web standards, we refer the reader to \cite{brucker.ea:standard-compliance-testing:2018}. \input{Core_DOM_BaseTest} \input{Document_adoptNode} \input{Document_getElementById} \input{Node_insertBefore} \input{Node_removeChild} \input{Core_DOM_Tests} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Core_SC_DOM/document/root.tex b/thys/Core_SC_DOM/document/root.tex --- a/thys/Core_SC_DOM/document/root.tex +++ b/thys/Core_SC_DOM/document/root.tex 
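Review bot: the intro paragraph of \chapter{Classes} in thys/Core_DOM/document/root.tex ends with a dangling fragment, `a generic type for object-oriented references and typed pointers for each class type defined in the DOM standard.`, copied from the pointers chapter intro; it is a sentence without a subject and should be deleted. In the same region, `moandic` in the \chapter{Monadic Object Constructors and Accessors} intro should read `monadic`, and `which allows to validate its compliance` in the itemize reads better as `which allows us to validate its compliance`. None of this is introduced by the fontenc change, but it is cheap to fix in the same pass over this file.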
@@ -1,268 +1,269 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} \usepackage[USenglish]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{listings} \lstloadlanguages{HTML} \usepackage[]{mathtools} \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} \lstdefinestyle{html}{language=XML, basicstyle=\ttfamily, commentstyle=\itshape, keywordstyle=\color{blue}, ndkeywordstyle=\color{blue}, } \lstdefinestyle{displayhtml}{style=html, floatplacement={tbp}, captionpos=b, framexleftmargin=0pt, basicstyle=\ttfamily\scriptsize, backgroundcolor=\color{black!2}, frame=lines, } \lstnewenvironment{html}[1][]{\lstset{style=displayhtml, #1}}{} \def\inlinehtml{\lstinline[style=html, columns=fullflexible]} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{Core SC DOM\\\medskip \Large A Formal Model of the Document Object Model for Safe Components}% \author{% \href{https://www.brucker.ch/}{Achim~D.~Brucker}\footnotemark[1] \and \href{https://www.michael-herzberg.de/}{Michael Herzberg}\footnotemark[2] } \publishers{ \footnotemark[1]~Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, } \texttt{a.brucker@exeter.ac.uk}\\[2em] % \footnotemark[2]~ Department of Computer Science, The University of Sheffield, Sheffield, UK\texorpdfstring{\\}{, } \texttt{msherzberg1@sheffield.ac.uk} } \begin{document} \maketitle \begin{abstract} \begin{quote} In this AFP entry, we formalize the core of the \emph{Safely Composable Document Object Model} (SC DOM). 
The SC DOM improve the standard DOM by strengthening the tree boundaries set by shadow roots: in the SC DOM, the shadow root is a sub-class of the document class (instead of a base class). This modifications also results in changes to some API methods (e.g., getOwnerDocument) to return the nearest shadow root rather than the document root. As a result, many API methods that, when called on a node inside a shadow tree, would previously ``break out'' and return or modify nodes that are possibly outside the shadow tree, now stay within its boundaries. This change in behavior makes programs that operate on shadow trees more predictable for the developer and allows them to make more assumptions about other code accessing the DOM. \bigskip \noindent{\textbf{Keywords:}} Document Object Model, DOM, SC DOM, Safely Composable DOM, Formal Semantics, Isabelle/HOL \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} In a world in which more and more applications are offered as services on the internet, web browsers start to take on a similarly central role in our daily IT infrastructure as operating systems. Thus, web browsers should be developed as rigidly and formally as operating systems. While formal methods are a well-established technique in the development of operating systems (see, \eg,~\citet{klein:operating:2009} for an overview of formal verification of operating systems), there are few proposals for improving the development of web browsers using formal approaches~\cite{gardner.ea:dom:2008,raad.ea:dom:2016,jang.ea:establishing:2012,bohannon.ea:featherweight:2010}. As a first step towards a verified client-side web application stack, we model and formally verify the Document Object Model (DOM) in Isabelle/HOL\@. The DOM~\cite{whatwg:dom:2017,w3c:dom:2015} is \emph{the} central data structure of all modern web browsers. 
At its core, the Document Object Model (DOM), defines a tree-like data structure for representing documents in general and HTML documents in particular. Thus, the correctness of a DOM implementation is crucial for ensuring that a web browser displays web pages correctly. Moreover, the DOM is the core data structure underlying client-side JavaScript programs, \ie, client-side JavaScript programs are mostly programs that read, write, and update the DOM. In more detail, we formalize the core core of the \emph{Safely Composable Document Object Model} (SC DOM) a shallow embedding~\cite{joyce.ea:higher:1994} in Isabelle/HOL\@. Our formalization is based on a typed data model for the \emph{node-tree}, \ie, a data structure for representing XML-like documents in a tree structure. Furthermore, we formalize a typed heap for storing (partial) node-trees together with the necessary consistency constraints. Finally, we formalize the operations (as described in the DOM standard~\cite{whatwg:dom:2017}) on this heap that allow manipulating node-trees. Our machine-checked formalization of the DOM node tree~\cite{whatwg:dom:2017} has the following desirable properties: \begin{itemize} \item It provides a \emph{consistency guarantee.} Since all definitions in our formal semantics are conservative and all rules are derived, the logical consistency of the DOM node-tree is reduced to the consistency of HOL. \item It serves as a \emph{technical basis for a proof system.} Based on the derived rules and specific setup of proof tactics over node-trees, our formalization provides a generic proof environment for the verification of programs manipulating node-trees. 
\item It is \emph{executable}, which allows to validate its compliance to the standard by evaluating the compliance test suite on the formal model and \item It is \emph{extensible} in the sense of~\cite{brucker.ea:extensible:2008-b,brucker:interactive:2007}, \ie, properties proven over the core DOM do not need to be re-proven for object-oriented extensions such as the HTML document model. \end{itemize} The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle.\footnote{For a brief overview of the work, we refer the reader to~\cite{brucker.ea:core-dom:2018,herzberg:web-components:2020}.} The structure follows the theory dependencies (see \autoref{fig:session-graph}): we start with introducing the technical preliminaries of our formalization (\autoref{cha:perliminaries}). Next, we introduce the concepts of pointers (\autoref{cha:pointers}) and classes (\autoref{cha:classes}), i.e., the core object-oriented datatypes of the DOM. On top of this data model, we define the functional behavior of the DOM classes, i.e., their methods (\autoref{cha:monads}). In \autoref{cha:dom}, we introduce the formalization of the functionality of the core DOM, i.e., the \emph{main entry point for users} that want to use this AFP entry. Finally, we formalize the relevant compliance test cases in \autoref{cha:tests}. \paragraph{Important Note:} This document describes the formalization of the \emph{Safely Composable Document Object Model} (SC DOM), which deviated in one important aspect from the official DOM standard: in the SC DOM, the shadow root is a sub-class of the document class (instead of a base class). This modification results in a stronger notion of web components that provide improved safety properties for the composition of web components. While the SC DOM still passes the compliance test suite as provided by the authors of the DOM standard, its data model is different. 
We refer readers interested in a formalisation of the standard compliant DOM to the AFP entry ``Core\_DOM''~\cite{brucker.ea:afp-core-dom:2018}. \begin{figure} \centering \includegraphics[width=.8\textwidth]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} \clearpage \chapter{Preliminaries} \label{cha:perliminaries} In this chapter, we introduce the technical preliminaries of our formalization of the core DOM, namely a mechanism for hiding type variables and the heap error monad. \input{Hiding_Type_Variables} \input{Heap_Error_Monad} \chapter{References and Pointers} \label{cha:pointers} In this chapter, we introduce a generic type for object-oriented references and typed pointers for each class type defined in the DOM standard. \input{Ref} \input{ObjectPointer} \input{NodePointer} \input{ElementPointer} brucker.ea:afp-core-dom:2018 \input{CharacterDataPointer} \input{DocumentPointer} \input{ShadowRootPointer} \chapter{Classes} \label{cha:classes} In this chapter, we introduce the classes of our DOM model. The definition of the class types follows closely the one of the pointer types. Instead of datatypes, we use records for our classes. a generic type for object-oriented references and typed pointers for each class type defined in the DOM standard. \input{BaseClass} \input{ObjectClass} \input{NodeClass} \input{ElementClass} \input{CharacterDataClass} \input{DocumentClass} \chapter{Monadic Object Constructors and Accessors} \label{cha:monads} In this chapter, we introduce the moandic method definitions for the classes of our DOM formalization. Again the overall structure follows the same structure as for the class types and the pointer types. 
\input{BaseMonad} \input{ObjectMonad} \input{NodeMonad} \input{ElementMonad} \input{CharacterDataMonad} \input{DocumentMonad} \chapter{The Core SC DOM} \label{cha:dom} In this chapter, we introduce the formalization of the core DOM, i.e., the most important algorithms for querying or modifying the DOM, as defined in the standard. For more details, we refer the reader to \cite{brucker.ea:core-dom:2018}. \input{Core_DOM_Basic_Datatypes} \input{Core_DOM_Functions} \input{Core_DOM_Heap_WF} \input{Core_DOM} \chapter{Test Suite} \label{cha:tests} In this chapter, we present the formalized compliance test cases for the core DOM. As our formalization is executable, we can (symbolically) execute the test cases on top of our model. Executing these test cases successfully shows that our model is compliant to the official DOM standard. As future work, we plan to generate test cases from our formal model (e.g., using~\cite{brucker.ea:interactive:2005,brucker.ea:theorem-prover:2012}) to improve the quality of the official compliance test suite. For more details on the relation of test and proof in the context of web standards, we refer the reader to \cite{brucker.ea:standard-compliance-testing:2018}. \input{Core_DOM_BaseTest} \input{Document_adoptNode} \input{Document_getElementById} \input{Node_insertBefore} \input{Node_removeChild} \input{Core_DOM_Tests} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Count_Complex_Roots/document/root.tex b/thys/Count_Complex_Roots/document/root.tex --- a/thys/Count_Complex_Roots/document/root.tex +++ b/thys/Count_Complex_Roots/document/root.tex 
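Review bot: the bare token `brucker.ea:afp-core-dom:2018` between `\input{ElementPointer}` and `\input{CharacterDataPointer}` in thys/Core_SC_DOM/document/root.tex is not a command, so LaTeX will typeset it as body text between the two theory inclusions; it looks like a cite key pasted outside `\cite{...}` (the same key is cited correctly in the Important Note paragraph) and should be removed. While touching this file: `we formalize the core core of the ... (SC DOM) a shallow embedding` should be `the core of the ... (SC DOM) as a shallow embedding`, and in the abstract `The SC DOM improve` / `This modifications also results` should be `improves` / `This modification also results`. The \chapter{Classes} intro also carries the same dangling fragment (`a generic type for object-oriented references ...`) as the Core_DOM file.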
@@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Count the Number of Complex Roots} \author{Wenda Li} \maketitle \begin{abstract} Based on evaluating Cauchy indices through remainder sequences \cite{eisermann2012fundamental} \cite[Chapter 11]{rahman2002analytic}, this entry provides an effective procedure to count the number of complex roots (with multiplicity) of a polynomial within a rectangle box or a half-plane. Potential applications of this entry include certified complex root isolation (of a polynomial) and testing the Routh-Hurwitz stability criterion (i.e., to check whether all the roots of some characteristic polynomial have negative real parts). \end{abstract} %\tableofcontents % include generated text of all theories \input{session} \section{Acknowledgements} The work was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178), funded by the European Research Council and led by Professor Lawrence Paulson at the University of Cambridge, UK. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/CryptHOL/document/root.tex b/thys/CryptHOL/document/root.tex --- a/thys/CryptHOL/document/root.tex +++ b/thys/CryptHOL/document/root.tex 
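Review bot: the added `\usepackage[T1]{fontenc}` in thys/Count_Complex_Roots/document/root.tex (and in every other hunk of this series) switches the default Computer Modern fonts to their T1-encoded EC variants; pdflatex only has Type 1 outlines for those when cm-super is installed and otherwise falls back to bitmap Type 3 fonts, which render poorly in the generated PDFs. Either state cm-super as a build requirement in the commit message or add `\usepackage{lmodern}` right after the fontenc line so a Type 1 font is always used.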
@@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} \usepackage{booktabs} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{CryptHOL} \author{Andreas Lochbihler} \maketitle \begin{abstract} CryptHOL provides a framework for formalising cryptographic arguments in Isabelle/HOL. It shallowly embeds a probabilistic functional programming language in higher order logic. The language features monadic sequencing, recursion, random sampling, failures and failure handling, and black-box access to oracles. Oracles are probabilistic functions which maintain hidden state between different invocations. All operators are defined in the new semantic domain of generative probabilistic values, a codatatype. We derive proof rules for the operators and establish a connection with the theory of relational parametricity. Thus, the resuting proofs are trustworthy and comprehensible, and the framework is extensible and widely applicable. The framework is used in the accompanying AFP entry ``Game-based Cryptography in HOL''. There, we show-case our framework by formalizing different game-based proofs from the literature. This formalisation continues the work described in the author's ESOP 2016 paper \cite{Lochbihler2016ESOP}. \end{abstract} A tutorial in the AFP entry \emph{Game-based cryptography} explains how CryptHOL can be used to formalize game-based cryptography proofs. \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
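Review bot: typo in the abstract of thys/CryptHOL/document/root.tex, `the resuting proofs` should be `the resulting proofs`; `show-case` is also usually written `showcase`. Both are unrelated to the fontenc change but trivial to fix while this file is being edited.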
diff --git a/thys/CryptoBasedCompositionalProperties/document/root.tex b/thys/CryptoBasedCompositionalProperties/document/root.tex --- a/thys/CryptoBasedCompositionalProperties/document/root.tex +++ b/thys/CryptoBasedCompositionalProperties/document/root.tex @@ -1,30 +1,31 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \isabellestyle{it} \begin{document} \title{Compositional properties of crypto-based components} \author{Maria Spichkova} \maketitle \begin{abstract} This paper presents an Isabelle/HOL~\cite{npw} set of theories which allows to specify crypto-based components and to verify their composition properties wrt.\ cryptographic aspects. We introduce a formalisation of the security property of data secrecy, the corresponding definitions and proofs. A part of these definitions is based on \cite{sj_TB08}.\\ Please note that here we import the Isabelle/HOL theory ListExtras.thy, presented in \cite{FocusStreamsCaseStudies-AFP}. \end{abstract} \tableofcontents \newpage \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/DFS_Framework/document/root.tex b/thys/DFS_Framework/document/root.tex --- a/thys/DFS_Framework/document/root.tex +++ b/thys/DFS_Framework/document/root.tex 
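Review bot: the abstract of thys/CryptoBasedCompositionalProperties/document/root.tex separates the `Please note that here we import ...` remark from the preceding sentence with a forced line break `\\`; a blank line (paragraph break) is the idiomatic way to do this inside the abstract environment and avoids an underfull-hbox warning. Also `allows to specify crypto-based components` should be `allows one to specify crypto-based components`. Style only; the fontenc addition itself is fine.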
@@ -1,90 +1,91 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A Framework for Verifying Depth-First Search Algorithms} \author{Peter Lammich and Ren\'{e} Neumann} \maketitle \begin{abstract} This entry presents a framework for the modular verification of DFS-based algorithms, which is described in our [CPP-2015] paper. It provides a generic DFS algorithm framework, that can be parameterized with user-defined actions on certain events (e.g. discovery of new node). It comes with an extensible library of invariants, which can be used to derive invariants of a specific parameterization. Using refinement techniques, efficient implementations of the algorithms can easily be derived. Here, the framework comes with templates for a recursive and a tail-recursive implementation, and also with several templates for implementing the data structures required by the DFS algorithm. Finally, this entry contains a set of re-usable DFS-based algorithms, which illustrate the application of the framework. \vfill {\footnotesize \begin{description} \item[{[{CPP-2015}]}] Peter Lammich, Ren\'{e} Neumann: A Framework for Verifying Depth-First Search Algorithms. 
CPP 2015: 137-146 \end{description} } \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/DOM_Components/document/root.tex b/thys/DOM_Components/document/root.tex --- a/thys/DOM_Components/document/root.tex +++ b/thys/DOM_Components/document/root.tex 
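Review bot: in thys/DFS_Framework/document/root.tex the lines `%\bibliographystyle{abbrv}` / `%\bibliography{root}` remain commented out while the abstract carries a hand-formatted `[CPP-2015]` reference in a description list. If this entry has a root.bib, citing the paper with `\cite` and uncommenting those two lines would bring the file in line with the other root.tex files in this series; if not, the manual reference is acceptable but the dead commented lines could be dropped. Not introduced by this change.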
@@ -1,238 +1,239 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} \usepackage[USenglish]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{listings} \lstloadlanguages{HTML} \usepackage[]{mathtools} \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} \lstdefinestyle{html}{language=XML, basicstyle=\ttfamily, commentstyle=\itshape, keywordstyle=\color{blue}, ndkeywordstyle=\color{blue}, } \lstdefinestyle{displayhtml}{style=html, floatplacement={tbp}, captionpos=b, framexleftmargin=0pt, basicstyle=\ttfamily\scriptsize, backgroundcolor=\color{black!2}, frame=lines, } \lstnewenvironment{html}[1][]{\lstset{style=displayhtml, #1}}{} \def\inlinehtml{\lstinline[style=html, columns=fullflexible]} \newsavebox{\fstlst} \newsavebox{\sndlst} \usepackage[caption=false]{subfig} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{A Formalization of Web Components} \author{Achim~D.~Brucker \and Michael~Herzberg}% \publishers{ \footnotemark[1]~Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, } \texttt{a.brucker@exeter.ac.uk}\\[2em] % \footnotemark[2]~ Department of Computer Science, The University of Sheffield, Sheffield, UK\texorpdfstring{\\}{, } \texttt{msherzberg1@sheffield.ac.uk} } \begin{document} \maketitle \begin{abstract} \begin{quote} While the DOM with shadow trees provide the technical basis for defining web components, the DOM standard neither defines the concept of web components nor specifies the safety properties that web components 
should guarantee. Consequently, the standard also does not discuss how or even if the methods for modifying the DOM respect component boundaries. In AFP entry, we present a formally verified model of web components and define safety properties which ensure that different web components can only interact with each other using well-defined interfaces. Moreover, our verification of the application programming interface (API) of the DOM revealed numerous invariants that implementations of the DOM API need to preserve to ensure the integrity of components. \bigskip \noindent{\textbf{Keywords:} Web Components, DOM} \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} The trend towards ever more complex client-side web applications is unstoppable. Compared to traditional software development, client-side web development lacks a well-established component model which allows easily and safely reusing implementations. The Document Object Model (DOM) essentially defines a tree-like data structure (the \emph{node tree}) for representing documents in general and HTML documents in particular. \emph{Shadow trees} are a recent addition to the DOM standard~\cite{whatwg:dom:2019} to enable web developers to partition the node tree into ``sub-trees.'' The vision of shadow trees is to enable web developers to provide a library of re-usable and customizable widgets. For example, let us consider a multi-tab view called \emph{Fancy Tab}, which is a simplified version of~\cite{bidelman:self-contained:2017}. \begin{figure}[b] \begin{lrbox}{\fstlst}% \begin{minipage}{.34\linewidth} \centering \includegraphics[width=\linewidth]{fancytabs-normal} \end{minipage} \end{lrbox} \begin{lrbox}{\sndlst}% \begin{minipage}{.63\linewidth} \begin{html}[basicstyle=\ttfamily\scriptsize]
content panel 1
  • News Item 1
  • News Item 2
  • News Item 3
content panel 3
\end{html} \end{minipage} \end{lrbox} \subfloat[\label{fig:running-example-user} User view ]{\usebox{\fstlst}}% \hfill% \subfloat[\label{fig:running-example-consumer} Consumer view ]{\usebox{\sndlst}} \caption{A simple example: a fancy tab component.}\label{fig:running-example} \end{figure} The left-hand side of \autoref{fig:running-example} shows the rendered output of the widget in use while the right-hand side shows the HTML source code snippet. It provides a custom HTML tag \inlinehtml{} using an HTML template that developers can use to include the widget. Its children will be rendered inside the widget, more precisely, inside its \emph{slots} (elements of type \inlinehtml{slot}). It has a slot called ``title'' and a default slot, which receives all children that do not specify a ``slot'' attribute. It is important to understand that slotting does \emph{not change} the structure of the DOM (\ie, the underlying pointer graph): instead, slotting is implemented using special element attributes such as ``slot,'' which control the final rendering. The DOM standard specifies methods that inspect the effect of these attributes such as \texttt{assigned\_slot}, but the majority of DOM methods do not consider the semantics of these attributes and therefore do not traverse into shadow trees. This provides an important boundary for client-side code. For example, a JavaScript program coming from the widget developer that changes the style attributes of the ``Previous Tab'' and ``Next Tab'' buttons in the lower corners of the widget will not affect buttons belonging to other parts coming from outside, \ie, the application of the widget consumer. Similarly, a JavaScript program that changes the styles of buttons outside of Fancy Tab, such as the navigation buttons, will not have any effect on them, even in the case of duplicate identifiers. 
Sadly, the DOM standard neither defines the concept of web components nor specifies the safety properties that they should guarantee, not even informally. Consequently, the standard also does not discuss how or even if the methods for modifying the node tree respect component boundaries. Thus, shadow roots are only the very first step in defining a safe web component model. Earlier~\cite{brucker.ea:core-dom:2018,brucker.ea:afp-core-dom:2018}, we presented a formalization of the ``flat'' DOM (called Core DOM) without any support for shadow trees or components. We then extended this formalisation with support for shadow trees and slots~\cite{brucker.ea:afp-shadow-dom:2020}. In this AFP entries, we use the basis provided by our earlier work for defining a \emph{formally verified model of web components} in general and, in particular, the notion of \emph{weak} and \emph{strong component safety}. For all methods that query, modify, or transform the DOM, we formally analyze their level of component safety. In more detail, the contribution of this AFP entry is four-fold: \begin{enumerate} \item We provide a formal model of web components and their safety guarantees to web developers, enabling a compositional development of web applications, \item for each method, we formally verify that it is either weakly or strongly component safe, or we provide a proof showing that it is not component safe, \item we fill the gaps in the standard by explicitly formalizing invariants that are left out in the standard. These invariants are required to ensure that methods in the standard preserve a valid node tree. Finally, \item we present a formal model of the DOM with shadow roots including the methods for querying, modifying, and transforming DOM instances with shadow roots. 
\end{enumerate} Overall, our work gives web developers the guarantee that their code will respect the component boundaries as long as they abstain from or are careful when using certain DOM methods such as \texttt{appendChild} or \texttt{ownerDocument}. The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle (we refer readers interested in a more high-level presentation of the work to \cite{herzberg:web-components:2020, brucker.ea:web-components:2019}. The structure follows the theory dependencies (see \autoref{fig:session-graph}). \begin{figure} \centering \includegraphics[width=.8\textwidth]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} \clearpage \chapter{Web Components} \label{cha:components} \input{Core_DOM_Components.tex} \input{Shadow_DOM_Components.tex} \chapter{Example} \label{cha:example} \input{fancy_tabs.tex} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/DPT-SAT-Solver/document/root.tex b/thys/DPT-SAT-Solver/document/root.tex --- a/thys/DPT-SAT-Solver/document/root.tex +++ b/thys/DPT-SAT-Solver/document/root.tex 
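Review bot: unbalanced parenthesis in the last paragraph of the Introduction of thys/DOM_Components/document/root.tex: `(we refer readers interested in a more high-level presentation of the work to \cite{herzberg:web-components:2020, brucker.ea:web-components:2019}.` opens a parenthesis that is never closed; add `)` before the period. Also `In AFP entry, we present` in the abstract should be `In this AFP entry, we present`, and `In this AFP entries, we use` should be `In this AFP entry, we use`. The keyword line `\noindent{\textbf{Keywords:} Web Components, DOM}` places the brace differently from the sibling Core_SC_DOM file (`\noindent{\textbf{Keywords:}} ...`); either works, but the two should match.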
@@ -1,44 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{a4wide} \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{tt} \begin{document} \title{A Fast SAT Solver for Isabelle in Standard ML} \author{Armin Heller} \maketitle \begin{abstract} This contribution contains a fast SAT solver for Isabelle written in Standard ML. By loading the theory \isa{DPT\_SAT\_Solver}, the SAT solver installs itself (under the name ``dptsat'') and certain Isabelle tools like Refute will start using it automatically. This is a port of the DPT (Decision Procedure Toolkit) SAT Solver written in OCaml. Theory \isa{DPT\_SAT\_Tests} tests the solver on a few hundred problems. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/DataRefinementIBP/document/root.tex b/thys/DataRefinementIBP/document/root.tex --- a/thys/DataRefinementIBP/document/root.tex +++ b/thys/DataRefinementIBP/document/root.tex 
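Review bot: this is the only hunk in the series that also removes a line, `-\usepackage[utf8]{inputenc}` in thys/DPT-SAT-Solver/document/root.tex. That is behaviour-preserving only on LaTeX kernels from April 2018 onward, where UTF-8 is the default input encoding; the other root.tex files here never loaded inputenc, so the removal is consistent, and nothing in the visible lines is non-ASCII, but the commit message should state the minimum TeX release the AFP build assumes so the drop is not mistaken for an accident.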
@@ -1,78 +1,79 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Semantics and Data Refinement of Invariant Based Programs} \author{Viorel Preoteasa and Ralph-Johan Back} \maketitle \begin{abstract} The invariant based programming is a technique of constructing correct programs by first identifying the basic situations (pre- and post-conditions and invariants) that can occur during the execution of the program, and then defining the transitions and proving that they preserve the invariants. Data refinement is a technique of building correct programs working on concrete datatypes as refinements of more abstract programs. In the theories presented here we formalize the predicate transformer semantics for invariant based programs and their data refinement. \end{abstract} \tableofcontents \section{Introduction} Invariant based programming \cite{Back80:invariants,Back83:invariants,aBack08,back:preoteasa:2008} is an approach to construct correct programs where we start by identifying all basic situations (pre- and post-conditions, and loop invariants) that could arise during the execution of the algorithm. These situations are determined and described before any code is written. After that, we identify the transitions between the situations, which together determine the flow of control in the program. The transitions are verified at the same time as they are constructed. The correctness of the program is thus established as part of the construction process. These theories present the predicate transformer sematics for invariant based programs and their data refinement. The complete treatment of the sematics of invariant based programs was presented in \cite{back:preoteasa:2008}. 
There we introduced big and small step semantics, predicate transformer semantics, and we proved complete and correct Hoare rules for invariand based programs. These results were also formalized in the PVS theorem prover. In \cite{preoteasa:back:2009} we have studied data refinement of invariant based programs, and we outlined the steps for proving the Deutsch-Schorr-Waite marking algorithm using data refinement of invariant based programs. These theories represent a mechanical formalization of the data refinement results from \cite{preoteasa:back:2009} and some of the results from \cite{back:preoteasa:2008}. In another formalization we will show how the theory presented here can be used in the complete verification of the marking algorithm. \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Datatype_Order_Generator/document/root.tex b/thys/Datatype_Order_Generator/document/root.tex --- a/thys/Datatype_Order_Generator/document/root.tex +++ b/thys/Datatype_Order_Generator/document/root.tex 
@@ -1,67 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage{railsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Deriving class instances for datatypes.\footnote{Supported by FWF (Austrian Science Fund) project P22767-N13.}} \author{Ren\'e Thiemann} \maketitle \begin{abstract} We provide a framework for registering automatic methods to derive class instances of datatypes, as it is possible using Haskell's ``deriving Ord, Show, \ldots'' feature. We further implemented such automatic methods to derive (linear) orders or hash-functions which are required in the Isabelle Collection Framework \cite{rbt} and the Container Framework \cite{containers}. Moreover, for the tactic of Huffman and Krauss to show that a datatype is countable, we implemented a wrapper so that this tactic becomes accessible in our framework. Our formalization was performed as part of the \isafor/\ceta{} project% \footnote{\url{http://cl-informatik.uibk.ac.at/software/ceta}} \cite{CeTA}. With our new tactic we could completely remove tedious proofs for linear orders of two datatypes. \end{abstract} \tableofcontents \section{Important Information} The described generators are outdated as they are based on the old datatype package. Generators for the new datatypes are available in the AFP entry ``Deriving''. % include generated text of all theories \input{session} \section{Acknowledgements} We thank \begin{itemize} \item Lukas Bulwahn and Brian Huffman for the discussion on a generic derive command and the pointer to the tactic for countability. \item Alexander Krauss for pointing me to the recursors of the datatype package. \item Peter Lammich for the inspiration of developing a hash-function generator. 
\item Andreas Lochbihler for the inspiration of developing generators for the container framework. \item Christian Urban for his cookbook about the ML-level of Isabelle. \item Stefan Berghofer, Cezary Kaliszyk, and Tobias Nipkow for their explanations on several Isabelle related questions. \end{itemize} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Decl_Sem_Fun_PL/document/root.tex b/thys/Decl_Sem_Fun_PL/document/root.tex --- a/thys/Decl_Sem_Fun_PL/document/root.tex +++ b/thys/Decl_Sem_Fun_PL/document/root.tex 
@@ -1,87 +1,87 @@ - \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{fullpage} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Declarative Semantics for Functional Languages} \author{Jeremy G. Siek} \maketitle \begin{abstract} We present a semantics for an applied call-by-value lambda-calculus that is compositional, extensional, and elementary. We present four different views of the semantics: 1) as a relational (big-step) semantics that is not operational but instead declarative, 2) as a denotational semantics that does not use domain theory, 3) as a non-deterministic interpreter, and 4) as a variant of the intersection type systems of the Torino group. We prove that the semantics is correct by showing that it is sound and complete with respect to operational semantics on programs and that is sound with respect to contextual equivalence. We have not yet investigated whether it is fully abstract. We demonstrate that this approach to semantics is useful with three case studies. First, we use the semantics to prove correctness of a compiler optimization that inlines function application. Second, we adapt the semantics to the polymorphic lambda-calculus extended with general recursion and prove semantic type soundness. Third, we adapt the semantics to the call-by-value lambda-calculus with mutable references. 
The paper that accompanies these Isabelle theories is available on arXiv at the following URL: \\ \url{https://arxiv.org/abs/1707.03762} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \pagebreak % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Decreasing-Diagrams-II/document/root.tex b/thys/Decreasing-Diagrams-II/document/root.tex --- a/thys/Decreasing-Diagrams-II/document/root.tex +++ b/thys/Decreasing-Diagrams-II/document/root.tex 
@@ -1,50 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Decreasing-Diagrams-II} \author{By Bertram Felgenhauer} \maketitle \begin{abstract} This theory formalizes a commutation version of decreasing diagrams for Church-Rosser modulo. The proof follows Felgenhauer and van Oostrom (RTA 2013). The theory also provides important specializations, in particular van Oostrom's conversion version (TCS 2008) of decreasing diagrams. \end{abstract} We follow the development described in~\cite{FvO13}: Conversions are mapped to Greek strings, and we prove that whenever a local peak (or cliff) is replaced by a joining sequence from a locally decreasing diagram, then the corresponding Greek strings become smaller in a specially crafted well-founded order on Greek strings. Once there are no more local peaks or cliffs are left, the result is a valley that establishes the Church-Rosser modulo property. As special cases we provide non-commutation versions and the conversion version of decreasing diagrams by van Oostrom~\cite{vO08a}. We also formalize extended decreasingness~\cite{HM10}. \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Decreasing-Diagrams/document/root.tex b/thys/Decreasing-Diagrams/document/root.tex --- a/thys/Decreasing-Diagrams/document/root.tex +++ b/thys/Decreasing-Diagrams/document/root.tex 
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{latexsym} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Decreasing-Diagrams} \author{Harald Zankl} \maketitle \begin{abstract} This theory contains a formalization of decreasing diagrams showing that any locally decreasing abstract rewrite system is confluent. We consider the valley (van Oostrom, TCS 1994) and the conversion version (van Oostrom, RTA 2008) and closely follow the original proofs. As an application we prove Newman's lemma. \end{abstract} A description of this formalization is available in~\cite{Z13}. \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Deep_Learning/document/root.tex b/thys/Deep_Learning/document/root.tex --- a/thys/Deep_Learning/document/root.tex +++ b/thys/Deep_Learning/document/root.tex 
@@ -1,33 +1,34 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{latexsym} \usepackage{isabelle,isabellesym} \newcommand{\qt}[1]{`#1'} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Expressiveness of Deep Learning} \author{Alexander Bentkamp} \maketitle \begin{abstract} Deep learning has had a profound impact on computer science in recent years, with applications to search engines, image recognition and language processing, bioinformatics, and more. Recently, Cohen et al.\ \cite{cohen2015} provided theoretical evidence for the superiority of deep learning over shallow learning. For my master's thesis \cite{bentkamp2016}, I formalized their mathematical proof using Isabelle/HOL. This formalization simplifies and generalizes the original proof, while working around the limitations of the Isabelle type system. To support the formalization, I developed reusable libraries of formalized mathematics, including results about the matrix rank, the Lebesgue measure, and multivariate polynomials, as well as a library for tensor analysis. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Delta_System_Lemma/document/header-delta-system.tex b/thys/Delta_System_Lemma/document/header-delta-system.tex --- a/thys/Delta_System_Lemma/document/header-delta-system.tex +++ b/thys/Delta_System_Lemma/document/header-delta-system.tex 
@@ -1,295 +1,294 @@ -\usepackage[utf8]{inputenc} \usepackage{amsmath} \usepackage{amsfonts} \usepackage{bbm} % Para el \bb{1} \usepackage{multidef} \usepackage{verbatim} \usepackage{stmaryrd} %% para \llbracket % \usepackage{hyperref} \usepackage{xcolor} \usepackage{framed} %% %% \usepackage[bottom=2cm, top=2cm, left=2cm, right=2cm]{geometry} %% \usepackage{titling} %% \setlength{\droptitle}{-10ex} %% \renewcommand{\o}{\vee} \renewcommand{\O}{\bigvee} \newcommand{\y}{\wedge} \newcommand{\Y}{\bigwedge} \newcommand{\limp}{\longrightarrow} \newcommand{\lsii}{\longleftrightarrow} %% %\newcommand{\DeclareMathOperator}[2]{\newcommand{#1}{\mathop{\mathrm{#2}}}} \DeclareMathOperator{\cf}{cf} \DeclareMathOperator{\dom}{domain} \DeclareMathOperator{\im}{img} \DeclareMathOperator{\Fn}{Fn} \DeclareMathOperator{\rk}{rk} \DeclareMathOperator{\mos}{mos} \DeclareMathOperator{\trcl}{trcl} \DeclareMathOperator{\Con}{Con} \DeclareMathOperator{\Club}{Club} \newcommand{\modelo}[1]{\mathbf{#1}} \newcommand{\axiomas}[1]{\mathit{#1}} \newcommand{\clase}[1]{\mathsf{#1}} \newcommand{\poset}[1]{\mathbb{#1}} \newcommand{\operador}[1]{\mathbf{#1}} %% \newcommand{\Lim}{\clase{Lim}} %% \newcommand{\Reg}{\clase{Reg}} %% \newcommand{\Card}{\clase{Card}} %% \newcommand{\On}{\clase{On}} %% \newcommand{\WF}{\clase{WF}} %% \newcommand{\HF}{\clase{HF}} %% \newcommand{\HC}{\clase{HC}} %% %% El siguiente comando reemplaza todos los anteriores: %% \multidef{\clase{#1}}{Card,HC,HF,Lim,On->Ord,Reg,WF,Ord} \newcommand{\ON}{\On} %% En lugar de usar todo el paquete bbm: \DeclareMathAlphabet{\mathbbm}{U}{bbm}{m}{n} \newcommand{\1}{\mathbbm{1}} \newcommand{\PP}{\mathbbm{P}} %% %% \newcommand{\calD}{\mathcal{D}} %% \newcommand{\calS}{\mathcal{S}} %% \newcommand{\calU}{\mathcal{U}} %% \newcommand{\calB}{\mathcal{B}} %% \newcommand{\calL}{\mathcal{L}} %% \newcommand{\calF}{\mathcal{F}} %% \newcommand{\calT}{\mathcal{T}} %% \newcommand{\calW}{\mathcal{W}} %% \newcommand{\calA}{\mathcal{A}} %% %% El siguiente comando 
reemplaza todos los anteriores: %% \multidef[prefix=cal]{\mathcal{#1}}{A-Z} %% %% \newcommand{\A}{\modelo{A}} %% \newcommand{\BB}{\modelo{B}} %% \newcommand{\ZZ}{\modelo{Z}} %% \newcommand{\PP}{\modelo{P}} %% \newcommand{\QQ}{\modelo{Q}} %% \newcommand{\RR}{\modelo{R}} %% %% El siguiente comando reemplaza todos los anteriores: %% \multidef{\modelo{#1}}{A,BB->B,CC->C,NN->N,QQ->Q,RR->R,ZZ->Z} \multidef[prefix=p]{\mathbb{#1}}{A-Z} %% \newcommand{\B}{\modelo{B}} %% \newcommand{\C}{\modelo{C}} %% \newcommand{\F}{\modelo{F}} %% \newcommand{\D}{\modelo{D}} \newcommand{\Th}{\mb{Th}} \newcommand{\Mod}{\mb{Mod}} \newcommand{\Se}{\operador{S^\prec}} \newcommand{\Pu}{\operador{P_u}} \renewcommand{\Pr}{\operador{P_R}} \renewcommand{\H}{\operador{H}} \renewcommand{\S}{\operador{S}} \newcommand{\I}{\operador{I}} \newcommand{\E}{\operador{E}} \newcommand{\se}{\preccurlyeq} \newcommand{\ee}{\succ} \newcommand{\id}{\approx} \newcommand{\subm}{\subseteq} \newcommand{\ext}{\supseteq} \newcommand{\iso}{\cong} %% \renewcommand{\emptyset}{\varnothing} \newcommand{\rel}{\mathcal{R}} \newcommand{\Pow}{\mathop{\mathcal{P}}} \renewcommand{\P}{\Pow} \newcommand{\BP}{\mathrm{BP}} \newcommand{\func}{\rightarrow} \newcommand{\ord}{\mathrm{Ord}} \newcommand{\R}{\mathbb{R}} \newcommand{\N}{\mathbb{N}} \newcommand{\Z}{\mathbb{Z}} \renewcommand{\I}{\mathbb{I}} \newcommand{\Q}{\mathbb{Q}} \newcommand{\B}{\mathbf{B}} \newcommand{\lb}{\langle} \newcommand{\rb}{\rangle} \newcommand{\impl}{\rightarrow} \newcommand{\ent}{\Rightarrow} \newcommand{\tne}{\Leftarrow} \newcommand{\sii}{\Leftrightarrow} \renewcommand{\phi}{\varphi} \newcommand{\phis}{{\varphi^*}} \renewcommand{\th}{\theta} \newcommand{\Lda}{\Lambda} \newcommand{\La}{\Lambda} \newcommand{\lda}{\lambda} \newcommand{\ka}{\kappa} \newcommand{\del}{\delta} \newcommand{\de}{\delta} \newcommand{\ze}{\zeta} %\newcommand{\ }{\ } \newcommand{\la}{\lambda} \newcommand{\al}{\alpha} \newcommand{\be}{\beta} \newcommand{\ga}{\gamma} \newcommand{\Ga}{\Gamma} 
\newcommand{\ep}{\varepsilon} \newcommand{\De}{\Delta} \newcommand{\defi}{\mathrel{\mathop:}=} \newcommand{\forces}{\Vdash} %\newcommand{\ap}{\mathbin{\wideparen{\ }}} \newcommand{\Tree}{{\mathrm{Tr}_\N}} \newcommand{\PTree}{{\mathrm{PTr}_\N}} \newcommand{\NWO}{\mathit{NWO}} \newcommand{\Suc}{{\N^{<\N}}}% \newcommand{\init}{\mathsf{i}} \newcommand{\ap}{\mathord{^\smallfrown}} \newcommand{\Cantor}{\mathcal{C}} %\newcommand{\C}{\Cantor} \newcommand{\Baire}{\mathcal{N}} \newcommand{\sig}{\ensuremath{\sigma}} \newcommand{\fsig}{\ensuremath{F_\sigma}} \newcommand{\gdel}{\ensuremath{G_\delta}} \newcommand{\Sig}{\ensuremath{\boldsymbol{\Sigma}}} \newcommand{\bPi}{\ensuremath{\boldsymbol{\Pi}}} \newcommand{\Del}{\ensuremath{\boldsymbol\Delta}} %\renewcommand{\F}{\operador{F}} \newcommand{\ths}{{\theta^*}} \newcommand{\om}{\ensuremath{\omega}} %\renewcommand{\c}{\complement} \newcommand{\comp}{\mathsf{c}} \newcommand{\co}[1]{\left(#1\right)^\comp} \newcommand{\len}[1]{\left|#1\right|} \DeclareMathOperator{\tlim}{\overline{\mathrm{TLim}}} \newcommand{\card}[1]{{\left|#1\right|}} \newcommand{\bigcard}[1]{{\bigl|#1\bigr|}} % % Cardinality % \newcommand{\lec}{\leqslant_c} \newcommand{\gec}{\geqslant_c} \newcommand{\lc}{<_c} \newcommand{\gc}{>_c} \newcommand{\eqc}{=_c} \newcommand{\biy}{\approx} \newcommand*{\ale}[1]{\aleph_{#1}} % \newcommand{\Zerm}{\axiomas{Z}} \newcommand{\ZC}{\axiomas{ZC}} \newcommand{\AC}{\axiomas{AC}} \newcommand{\DC}{\axiomas{DC}} \newcommand{\MA}{\axiomas{MA}} \newcommand{\CH}{\axiomas{CH}} \newcommand{\ZFC}{\axiomas{ZFC}} \newcommand{\ZF}{\axiomas{ZF}} \newcommand{\Inf}{\axiomas{Inf}} % % Cardinal characteristics % \newcommand{\cont}{\mathfrak{c}} \newcommand{\spl}{\mathfrak{s}} \newcommand{\bound}{\mathfrak{b}} \newcommand{\mad}{\mathfrak{a}} \newcommand{\tower}{\mathfrak{t}} % \renewcommand{\hom}[2]{{}^{#1}\hskip-0.116ex{#2}} \newcommand{\pred}[1][{}]{\mathop{\mathrm{pred}_{#1}}} %% Postfix operator with supressable space: %% 
\newcommand*{\iseg}{\relax\ifnum\lastnodetype>0 \mskip\medmuskip\fi{\downarrow}} % \newcommand*{\iseg}{{\downarrow}} \newcommand{\rr}{\mathrel{R}} \newcommand{\restr}{\upharpoonright} %\newcommand{\type}{\mathtt{}} \newcommand{\app}{\mathop{\mathrm{Aprox}}} \newcommand{\hess}{\triangleleft} \newcommand{\bx}{\bar{x}} \newcommand{\by}{\bar{y}} \newcommand{\bz}{\bar{z}} \newcommand{\union}{\mathop{\textstyle\bigcup}} \newcommand{\sm}{\setminus} \newcommand{\sbq}{\subseteq} \newcommand{\nsbq}{\subseteq} \newcommand{\mty}{\emptyset} \newcommand{\dimg}{\text{\textup{``}}} % direct image \newcommand{\quine}[1]{\ulcorner{\!#1\!}\urcorner} %\newcommand{\ntrm}[1]{\textsl{\textbf{#1}}} \newcommand{\Null}{\calN\!\mathit{ull}} \DeclareMathOperator{\club}{Club} \DeclareMathOperator{\otp}{otp} \DeclareMathOperator{\val}{\mathit{val}} \DeclareMathOperator{\chk}{\mathit{check}} \DeclareMathOperator{\edrel}{\mathit{edrel}} \DeclareMathOperator{\eclose}{\mathit{eclose}} \DeclareMathOperator{\Memrel}{\mathit{Memrel}} \renewcommand{\PP}{\mathbb{P}} \renewcommand{\app}{\mathrm{App}} \newcommand{\formula}{\isatt{formula}} \newcommand{\tyi}{\isatt{i}} \newcommand{\tyo}{\isatt{o}} \newcommand{\forceisa}{\mathop{\mathtt{forces}}} \newcommand{\equ}{\mathbf{e}} \newcommand{\bel}{\mathbf{b}} \newcommand{\atr}{\mathit{atr}} \newcommand{\concat}{\mathbin{@}} \newcommand{\dB}[1]{\mathbf{#1}} \newcommand{\ed}{\mathrel{\isatt{ed}}} \newcommand{\frecR}{\mathrel{\isatt{frecR}}} \newcommand{\forceseq}{\mathop{\isatt{forces{\isacharunderscore}eq}}} \newcommand{\forcesmem}{\mathop{\isatt{forces{\isacharunderscore}mem}}} \newcommand{\forcesat}{\mathop{\isatt{forces{\isacharunderscore}at}}} \newcommand{\pleq}{\preceq} %%%%%%%%%%%%%%%%%%%%%%%%% % Variant aleph, beth, etc % From http://tex.stackexchange.com/q/170476/69595 \makeatletter \@ifpackageloaded{txfonts}\@tempswafalse\@tempswatrue \if@tempswa \DeclareFontFamily{U}{txsymbols}{} \DeclareFontFamily{U}{txAMSb}{} 
\DeclareSymbolFont{txsymbols}{OMS}{txsy}{m}{n} \SetSymbolFont{txsymbols}{bold}{OMS}{txsy}{bx}{n} \DeclareFontSubstitution{OMS}{txsy}{m}{n} \DeclareSymbolFont{txAMSb}{U}{txsyb}{m}{n} \SetSymbolFont{txAMSb}{bold}{U}{txsyb}{bx}{n} \DeclareFontSubstitution{U}{txsyb}{m}{n} \DeclareMathSymbol{\aleph}{\mathord}{txsymbols}{64} \DeclareMathSymbol{\beth}{\mathord}{txAMSb}{105} \DeclareMathSymbol{\gimel}{\mathord}{txAMSb}{106} \DeclareMathSymbol{\daleth}{\mathord}{txAMSb}{107} \fi \makeatother %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% Theorem Environments %% % \newtheorem{theorem}{Theorem} % \newtheorem{lemma}[theorem]{Lemma} % \newtheorem{prop}[theorem]{Proposition} % \newtheorem{corollary}[theorem]{Corollary} % \newtheorem{claim}{Claim} % \newtheorem*{claim*}{Claim} % \theoremstyle{definition} % \newtheorem{definition}[theorem]{Definition} % \newtheorem{remark}[theorem]{Remark} % \newtheorem{example}[theorem]{Example} % \theoremstyle{remark} % \newtheorem*{remark*}{Remark} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% \newenvironment{inducc}{\begin{list}{}{\itemindent=2.5em \labelwidth=4em}}{\end{list}} %% \newcommand{\caso}[1]{\item[\fbox{#1}]} \newenvironment{proofofclaim}{\begin{proof}[Proof of Claim]}{\end{proof}} diff --git a/thys/Delta_System_Lemma/document/root.tex b/thys/Delta_System_Lemma/document/root.tex --- a/thys/Delta_System_Lemma/document/root.tex +++ b/thys/Delta_System_Lemma/document/root.tex 
@@ -1,119 +1,120 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[numbers]{natbib} \usepackage{relsize} \DeclareRobustCommand{\isactrlbsub}{\emph\bgroup\math{}\sb\bgroup\mbox\bgroup\isaspacing\itshape\smaller} \DeclareRobustCommand{\isactrlesub}{\egroup\egroup\endmath\egroup} \DeclareRobustCommand{\isactrlbsup}{\emph\bgroup\math{}\sp\bgroup\mbox\bgroup\isaspacing\itshape\smaller} \DeclareRobustCommand{\isactrlesup}{\egroup\egroup\endmath\egroup} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \input{header-delta-system} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{tt} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isacharunderscorekeyword}{\mbox{\_}} \renewcommand{\isacharunderscore}{\mbox{\_}} \renewcommand{\isasymtturnstile}{\isamath{\Vdash}} \renewcommand{\isacharminus}{-} \begin{document} \title{Cofinality and the Delta System Lemma} \author{ Pedro S\'anchez Terraf\thanks{Universidad Nacional de C\'ordoba. Facultad de Matem\'atica, Astronom\'{\i}a, F\'{\i}sica y Computaci\'on.} \thanks{% Centro de Investigaci\'on y Estudios de Matem\'atica (CIEM-FaMAF), Conicet. C\'ordoba. Argentina. Supported by Secyt-UNC project 33620180100465CB.} } \maketitle \begin{abstract} We formalize the basic results on cofinality of linearly ordered sets and ordinals and \v{S}anin's Lemma for uncountable families of finite sets. We work in the set theory framework of Isabelle/ZF, using the Axiom of Choice as needed. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} The session we present gathers very basic results built on the set theory formalization of Isabelle/ZF \cite{DBLP:journals/jar/PaulsonG96}. In a sense, some of the material formalized here corresponds to a natural continuation of that work. This is even clearer after perusing Section~\ref{sec:zf-lib}, where notions like cardinal exponentiation are first defined, together with various lemmas that do not depend on the Axiom of Choice ($\AC$); the same holds for the basic theory of cofinality of ordinals, which is developed in Section~\ref{sec:cofinality}. In Section~\ref{sec:cardinal-lib}, (un)countability is defined and several results proved, now using $\AC$ freely; the latter is also needed to prove König's Theorem on cofinality of cardinal exponentiation. The simplest infinitary version of the Delta System Lemma (DSL, also known as the ``Sunflower Lemma'') due to \v{S}anin is proved in Section~\ref{sec:dsl}, and it is applied to prove that Cohen posets satisfy the \emph{countable chain condition}. A greater part of this development was motivated by an ongoing joint project on the formalization of the ctm approach to forcing~\cite{2020arXiv200109715G} by Gunther, Pagano, Steinberg, and the author. Indeed, most of the results presented here are required for the development of forcing. As it turns out, the material as formalized presently will not be part of the forcing formalization, since for that goal we need relativized versions of both the concepts and the proofs. A cross-linked HTML version of the development can be found at \url{https://cs.famaf.unc.edu.ar/~pedro/Delta_System_Lemma/html}. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{root} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Density_Compiler/document/root.tex b/thys/Density_Compiler/document/root.tex --- a/thys/Density_Compiler/document/root.tex +++ b/thys/Density_Compiler/document/root.tex @@ -1,53 +1,54 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} \usepackage{stmaryrd} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Verified Compiler for\\ Probability Density Functions} \author{Manuel Eberl, Johannes H\"olzl and Tobias Nipkow} \maketitle \begin{abstract}% % Bhat \emph{et al.}\ \cite{bhat13pdf} developed an inductive compiler that computes density functions for probability spaces described by programs in a probabilistic functional language. In this work, we implement such a compiler for a modified version of this language within the theorem prover Isabelle and give a formal proof of its soundness w.r.t.\ the semantics of the source and target language. Together with Isabelle's code generation for inductive predicates, this yields a fully verified, executable density compiler. The proof is done in two steps: First, an abstract compiler working with abstract functions modelled directly in the theorem prover's logic is defined and proved sound. Then, this compiler is refined to a concrete version that returns a target-language expression. A detailed presentation of this work can be found in the first author's master's thesis~\cite{eberl}. % \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Dependent_SIFUM_Refinement/document/root.tex b/thys/Dependent_SIFUM_Refinement/document/root.tex --- a/thys/Dependent_SIFUM_Refinement/document/root.tex +++ b/thys/Dependent_SIFUM_Refinement/document/root.tex 
@@ -1,71 +1,71 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} % Input encoding \usepackage[american]{babel} % Language \usepackage[defblank]{paralist} % for compact lists \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} \usepackage{stmaryrd} \usepackage{verbatim} \usepackage{dot2texi} \usepackage{pdfpages} \newtheorem{definition}{Definition}[section] \newtheorem{theorem}{Theorem}[section] \newtheorem{lemma}{Lemma}[section] \newcommand{\definitionautorefname}{Definition} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} %========= DRAFT ONLY =============== \makeatletter \newcommand\CO[1]{% \@tempdima=\linewidth% \advance\@tempdima by -2\fboxsep% \advance\@tempdima by -2\fboxrule% \leavevmode\par\noindent% \fbox{\parbox{\the\@tempdima}{\small\sf #1}}% \smallskip\par} \newcommand\NOTE[2][Note]{% \leavevmode\marginpar{\raggedright\hangindent=1ex\small\textbf{#1: }#2}} \newcommand\OLD[1]{% \slshape[\textbf{old: }\ignorespaces #1\unskip]} %======= END DRAFT ONLY ============= \title{Compositional Security-Preserving Refinement for Concurrent Imperative Programs} \author{Toby Murray, Robert Sison, Edward Pierzchalski and Christine Rizkallah} \begin{document} \maketitle % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{abstract} The paper ``Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference'' by Murray et. al. \cite{Murray_SPR_16} presents a compositional theory of refinement for a value-dependent noninterference property, defined in \cite{Murray_15}, for concurrent programs. This development formalises that refinement theory, and demonstrates its application on some small examples. The formalisation is contained in the theory \texttt{CompositionalRefinement.thy}. 
Examples are also present in the formalisation in the \texttt{Examples/} directory. \end{abstract} \tableofcontents \input{CompositionalRefinement.tex} \bibliography{root} \bibliographystyle{alpha} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Dependent_SIFUM_Type_Systems/document/root.tex b/thys/Dependent_SIFUM_Type_Systems/document/root.tex --- a/thys/Dependent_SIFUM_Type_Systems/document/root.tex +++ b/thys/Dependent_SIFUM_Type_Systems/document/root.tex 
@@ -1,96 +1,96 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} % Input encoding \usepackage[american]{babel} % Language \usepackage[defblank]{paralist} % for compact lists \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} \usepackage{stmaryrd} \usepackage{verbatim} \usepackage{dot2texi} \usepackage{pdfpages} \newtheorem{definition}{Definition}[section] \newtheorem{theorem}{Theorem}[section] \newtheorem{lemma}{Lemma}[section] \newcommand{\definitionautorefname}{Definition} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} %========= DRAFT ONLY =============== \makeatletter \newcommand\CO[1]{% \@tempdima=\linewidth% \advance\@tempdima by -2\fboxsep% \advance\@tempdima by -2\fboxrule% \leavevmode\par\noindent% \fbox{\parbox{\the\@tempdima}{\small\sf #1}}% \smallskip\par} \newcommand\NOTE[2][Note]{% \leavevmode\marginpar{\raggedright\hangindent=1ex\small\textbf{#1: }#2}} \newcommand\OLD[1]{% \slshape[\textbf{old: }\ignorespaces #1\unskip]} %======= END DRAFT ONLY ============= \title{A Dependent Security Type System for Concurrent Imperative Programs} \author{Toby Murray, Robert Sison, Edward Pierzchalski and Christine Rizkallah} \begin{document} \maketitle % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{abstract} The paper ``Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference'' by Murray et. al. \cite{Murray_SPR_16} presents a dependent security type system for compositionally verifying a value-dependent noninterference property, defined in \cite{Murray_15}, for concurrent programs. This development formalises that security definition, the type system and its soundness proof, and demonstrates its application on some small examples. 
It was derived from the \texttt{SIFUM\_Type\_Systems} AFP entry~\cite{Grewe_MS_14}, by Sylvia Grewe, Heiko Mantel and Daniel Schoepe and which itself formalises the work in~\cite{Mantel_SS_11}, and whose structure it inherits. The formalization includes the following parts: \begin{compactitem} \item Notion of Dependent SIFUM-security and preliminary concepts:\\ \texttt{Preliminaries.thy}, \texttt{Security.thy} \item Compositionality proof: \texttt{Compositionality.thy} \item Example language: \texttt{Language.thy} \item Type system for ensuring Dependent SIFUM-security and soundness proof: \\ \texttt{TypeSystem.thy} \item Type system for ensuring sound use of modes and soundness proof: \texttt{LocallySoundUseOfModes.thy} \end{compactitem} Examples are also present in the formalisation in the \texttt{Examples/} directory. \end{abstract} \tableofcontents \input{Preliminaries.tex} \input{Security.tex} \input{Compositionality.tex} \input{Language.tex} \input{TypeSystem.tex} \input{LocallySoundModeUse.tex} \bibliography{root} \bibliographystyle{alpha} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Depth-First-Search/document/root.tex b/thys/Depth-First-Search/document/root.tex --- a/thys/Depth-First-Search/document/root.tex +++ b/thys/Depth-First-Search/document/root.tex 
@@ -1,34 +1,34 @@ - \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Depth-First Search} \author{Toshiaki Nishihara \and Yasuhiko Minamide} \maketitle \begin{abstract} Depth-first search of a graph is formalized with \texttt{function}. It is shown that it visits all of the reachable nodes from a given list of nodes. Executable ML code of depth-first search is obtained with code generation feature of Isabelle/HOL. The formalization contains two implementations of depth-first search: one by stack and one by nested recursion. They are shown to be equivalent. The termination condition of the version with nested-recursion is shown by the method of inductive invariants. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/Derangements/document/root.tex b/thys/Derangements/document/root.tex --- a/thys/Derangements/document/root.tex +++ b/thys/Derangements/document/root.tex 
@@ -1,45 +1,46 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{url} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Derangements} \author{Lukas Bulwahn} \maketitle \begin{abstract} The Derangements Formula describes the number of fixpoint-free permutations as closed-form formula. This theorem is the 88th theorem of the Top 100 Theorems list. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \nocite{Harrison,wikipedia:derangement,wikipedia:fixpunktfreie-permutation,wikipedia:rencontres-numbers} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Deriving/document/root.tex b/thys/Deriving/document/root.tex --- a/thys/Deriving/document/root.tex +++ b/thys/Deriving/document/root.tex 
@@ -1,65 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage{railsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Deriving class instances for datatypes.\footnote{Supported by FWF (Austrian Science Fund) projects P27502 and Y757.}} \author{Christian Sternagel and Ren\'e Thiemann} \maketitle \begin{abstract} We provide a framework for registering automatic methods to derive class instances of datatypes, as it is possible using Haskell's ``deriving Ord, Show, \ldots'' feature. We further implemented such automatic methods to derive comparators, linear orders, parametrizable equality functions, and hash-functions which are required in the Isabelle Collection Framework \cite{rbt} and the Container Framework \cite{containers}. Moreover, for the tactic of Blanchette to show that a datatype is countable, we implemented a wrapper so that this tactic becomes accessible in our framework. All of the generators are based on the infrastructure that is provided by the BNF-based datatype package. Our formalization was performed as part of the \isafor/\ceta{} project% \footnote{\url{http://cl-informatik.uibk.ac.at/software/ceta}} \cite{CeTA}. With our new tactics we could remove several tedious proofs for (conditional) linear orders, and conditional equality operators within \isafor{} and the Container Framework. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \section{Acknowledgements} We thank \begin{itemize} \item Lukas Bulwahn and Brian Huffman for the discussion on a generic derive command. \item Jasmin Blanchette for providing the tactic for countability for BNF-based datatypes. 
\item Jasmin Blanchette and Dmitriy Traytel for adjusting the Isabelle/ML interface of the BNF-based datatypes. \item Alexander Krauss for telling us to avoid the function package for this task. \item Peter Lammich for the inspiration of developing a hash-function generator. \item Andreas Lochbihler for the inspiration of developing generators for the container framework. \item Christian Urban for his cookbook on Isabelle/ML. \item Stefan Berghofer, Florian Haftmann, Cezary Kaliszyk, Tobias Nipkow, and Makarius Wenzel for their explanations on several Isabelle related questions. \end{itemize} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Descartes_Sign_Rule/document/root.tex b/thys/Descartes_Sign_Rule/document/root.tex --- a/thys/Descartes_Sign_Rule/document/root.tex +++ b/thys/Descartes_Sign_Rule/document/root.tex @@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Descartes' Rule of Signs} \author{Manuel Eberl} \maketitle \begin{abstract} In this work, we formally proved Descartes Rule of Signs, which relates the number of positive real roots of a polynomial with the number of sign changes in its coefficient list. Our proof follows the simple inductive proof given by Arthan~\cite{arthan}, which was also used by John Harrison in his HOL Light formalisation. We proved most of the lemmas for arbitrary linearly-ordered integrity domains (e.g. integers, rationals, reals); the main result, however, requires the intermediate value theorem and was therefore only proven for real polynomials. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Dict_Construction/document/root.tex b/thys/Dict_Construction/document/root.tex --- a/thys/Dict_Construction/document/root.tex +++ b/thys/Dict_Construction/document/root.tex @@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Dictionary Construction} \author{Lars Hupel} \maketitle \parindent 0pt\parskip 0.5ex \begin{abstract} Isabelle's code generator natively supports type classes. For targets that do not have language support for classes and instances, it performs the well-known \emph{dictionary translation}, as described by Haftmann and Nipkow~\cite{haftmann2010codegeneration}. This translation happens outside the logic, i.e., there is no guarantee that it is correct, besides the pen-and-paper proof. This work implements a certified dictionary translation that produces new class-free constants and derives equality theorems. \end{abstract} \tableofcontents \input{session} \bibliographystyle{plain} \bibliography{root} \end{document} \ No newline at end of file diff --git a/thys/Differential_Dynamic_Logic/document/root.tex b/thys/Differential_Dynamic_Logic/document/root.tex --- a/thys/Differential_Dynamic_Logic/document/root.tex +++ b/thys/Differential_Dynamic_Logic/document/root.tex 
@@ -1,84 +1,85 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Differential-Dynamic-Logic} \author{Brandon Bohrer} \maketitle \begin{abstract} We formalize differential dynamic logic, a logic for proving properties of hybrid systems. The proof calculus in this formalization is based on the uniform substitution principle. We show it is sound with respect to our denotational semantics, which provides increased confidence in the correctness of the KeYmaera X theorem prover based on this calculus. As an application, we include a proof term checker embedded in Isabelle/HOL with several example proofs. Published in \cite{BohrerCPP17} \end{abstract} We present a formalization of a uniform substitution calculus for differential dynamic logic (dL). In this calculus, the soundness of dL proofs is reduced to the soundness of a finite number of axioms, standard propositional rules and a central \textit{uniform substitution} rule for combining axioms. We present a formal definition for the denotational semantics of dL and prove the uniform substitution calculus sound by showing that all inference rules are sound with respect to the denotational semantics, and all axioms valid (true in every state and interpretation). This work is published in \cite{BohrerCPP17} along with a Coq formalization. 
It is based on prior non-mechanized proofs~\cite{DBLP:journals/jar/Platzer16,DBLP:conf/cade/Platzer15}. \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Differential_Game_Logic/document/root.tex b/thys/Differential_Game_Logic/document/root.tex --- a/thys/Differential_Game_Logic/document/root.tex +++ b/thys/Differential_Game_Logic/document/root.tex 
@@ -1,73 +1,74 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Differential-Game-Logic} \author{Andr\'e Platzer} \maketitle \begin{abstract} This formalization provides differential game logic (\textsf{dGL}), a logic for proving properties of hybrid game. In addition to the syntax and semantics, it formalizes a uniform substitution calculus for \textsf{dGL}. Church's uniform substitutions substitute a term or formula for a function or predicate symbol everywhere. The uniform substitutions for \textsf{dGL} also substitute hybrid games for a game symbol everywhere. We prove soundness of one-pass uniform substitutions and the axioms of differential game logic with respect to their denotational semantics. One-pass uniform substitutions are faster by postponing soundness-critical admissibility checks with a linear pass homomorphic application and regain soundness by a variable condition at the replacements. The formalization is based on prior non-mechanized soundness proofs for \textsf{dGL} \cite{DBLP:journals/tocl/Platzer15,DBLP:conf/cade/Platzer18,DBLP:conf/cade/Platzer19,DBLP:journals/tocl/Platzer15,DBLP:journals/corr/Platzer18:usubst}. This AFP entry formalizes the mathematical proofs \cite{DBLP:conf/cade/Platzer19,DBLP:journals/corr/abs-1902-07230} till Theorem 19. 
\end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex This formalization provides \emph{Differential Game Logic} \textsf{dGL} \cite{DBLP:journals/corr/abs-1902-07230,DBLP:conf/cade/Platzer19} till Theorem 19, including the corresponding results from \cite{DBLP:conf/cade/Platzer18} till Lemma 13. Differential Game Logic originates from \cite{DBLP:journals/tocl/Platzer15}.\\[1em] % generated text of all theories \input{session} \paragraph{Acknowledgment.} I very much appreciate all the kind advice of the entire Isabelle Group at TU Munich and Fabian Immler and Brandon Bohrer for how to best formalize the mathematical proofs in Isabelle/HOL. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Dijkstra_Shortest_Path/document/root.tex b/thys/Dijkstra_Shortest_Path/document/root.tex --- a/thys/Dijkstra_Shortest_Path/document/root.tex +++ b/thys/Dijkstra_Shortest_Path/document/root.tex 
@@ -1,54 +1,55 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \begin{document} \title{Dijkstra's Algorithm} %\title{A Efficiently Computable Formalisation of %Dijkstra's Algorithm} \author{Benedikt Nordhoff \and Peter Lammich} \maketitle \begin{abstract} We implement and prove correct Dijkstra's algorithm for the single source shortest path problem, conceived in 1956 by E. Dijkstra. The algorithm is implemented using the data refinement framework for monadic, nondeterministic programs. An efficient implementation is derived using data structures from the Isabelle Collection Framework. \end{abstract} \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Diophantine_Eqns_Lin_Hom/document/root.tex b/thys/Diophantine_Eqns_Lin_Hom/document/root.tex --- a/thys/Diophantine_Eqns_Lin_Hom/document/root.tex +++ b/thys/Diophantine_Eqns_Lin_Hom/document/root.tex 
@@ -1,50 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Diophantine Equations\thanks{% This work is supported by the Austrian Science Fund (FWF): project P27502.}} \author{% Florian Meßner \and Julian Parsert \and Jonas Schöpf \and Christian Sternagel} \maketitle \begin{abstract} In this entry we formalize Huet's~\cite{Huet1978} bounds for minimal solutions of homogenous linear Diophantine equations (HLDEs). Based on these bounds, we further provide a certified algorithm for computing the set of all minimal solutions of a given HLDE. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Dirichlet_L/document/root.tex b/thys/Dirichlet_L/document/root.tex --- a/thys/Dirichlet_L/document/root.tex +++ b/thys/Dirichlet_L/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Dirichlet $L$-functions and Dirichlet's Theorem} \author{Manuel Eberl} \maketitle \begin{abstract} This article provides a formalisation of Dirichlet characters and Dirichlet $L$-functions including proofs of their basic properties -- most notably their analyticity, their areas of convergence, and their non-vanishing for $\mathfrak{R}(s)\geq 1$. All of this is built in a very high-level style using Dirichlet series. The proof of the non-vanishing follows a very short and elegant proof by Newman~\cite{newman1998analytic}, which we attempt to reproduce faithfully in a similar level of abstraction in Isabelle. This also leads to a relatively short proof of Dirichlet's Theorem, which states that, if $h$ and $n$ are coprime, there are infinitely many primes $p$ with $p \equiv h \pmod{n}$. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Dirichlet_Series/document/root.tex b/thys/Dirichlet_Series/document/root.tex --- a/thys/Dirichlet_Series/document/root.tex +++ b/thys/Dirichlet_Series/document/root.tex 
@@ -1,47 +1,48 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Dirichlet Series} \author{Manuel Eberl} \maketitle \begin{abstract} This entry is a formalisation of much of Chapters 2, 3, and 11 of Apostol's ``Introduction to Analytic Number Theory''~\cite{apostol}. This includes: \begin{itemize} \item Definitions and basic properties for several number-theoretic functions (Euler's $\varphi$, M\"{o}bius $\mu$, Liouville's $\lambda$, the divisor function $\sigma$, von Mangoldt's $\Lambda$) \item Executable code for most of these functions, the most efficient implementations using the factoring algorithm by Thiemann\ \emph{et al.} \item Dirichlet products and formal Dirichlet series \item Analytic results connecting convergent formal Dirichlet series to complex functions \item Euler product expansions \item Asymptotic estimates of number-theoretic functions including the density of squarefree integers and the average number of divisors of a natural number \end{itemize} These results are useful as a basis for developing more number-theoretic results, such as the Prime Number Theorem. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/DiscretePricing/document/root.tex b/thys/DiscretePricing/document/root.tex --- a/thys/DiscretePricing/document/root.tex +++ b/thys/DiscretePricing/document/root.tex 
@@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Pricing in discrete financial models} \author{Mnacho Echenim} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Discrete_Summation/document/root.tex b/thys/Discrete_Summation/document/root.tex --- a/thys/Discrete_Summation/document/root.tex +++ b/thys/Discrete_Summation/document/root.tex @@ -1,28 +1,29 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Discrete Summation} \author{Florian Haftmann \\ with contributions by Amine Chaieb} \maketitle \begin{abstract} These theories introduce basic concepts and proofs about discrete summation: shifts, formal summation, falling factorials and stirling numbers. As proof of concept, a simple summation conversion is provided. \end{abstract} % include generated text of all theories \input{session} \end{document} 
diff --git a/thys/DiskPaxos/document/root.tex b/thys/DiskPaxos/document/root.tex --- a/thys/DiskPaxos/document/root.tex +++ b/thys/DiskPaxos/document/root.tex @@ -1,52 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{tla}\notla \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{graphicx} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Proving the Correctness of Disk Paxos in Isabelle/HOL} \author{Mauro Jaskelioff\and Stephan Merz} \maketitle \begin{abstract} Disk Paxos~\cite{Gafni00disk} is an algorithm for building arbitrary fault-tolerant distributed systems. The specification of Disk Paxos has been proved correct informally and tested using the TLC model checker, but up to now, it has never been fully formally verified. In this work we have formally verified its correctness using the Isabelle theorem prover and the HOL logic system~\cite{Nipkow-Paulson-Wenzel:2002}, showing that Isabelle is a practical tool for verifying properties of TLA$^{+}$ specifications. \end{abstract} \tableofcontents %%% The body of the paper \input{body} %\newpage \appendix \section{TLA$^{+}$ correctness specification} \label{ap:correctness} \tla \input{tlaspec} \notla \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \end{document} diff --git a/thys/DynamicArchitectures/document/root.tex b/thys/DynamicArchitectures/document/root.tex --- a/thys/DynamicArchitectures/document/root.tex +++ b/thys/DynamicArchitectures/document/root.tex 
@@ -1,83 +1,84 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{wasysym}%Needed for next (circle) \usepackage{fullpage} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Dynamic Architectures% %\thanks{The final publication is available at the Archive of Formal Proofs via \url{http://isa-afp.org/entries/DynamicArchitectures.shtml}.}% } \author{Diego Marmsoler} \maketitle \begin{abstract} %Context The architecture of a system describes the system's overall organization into components and connections between those components. With the emergence of mobile computing, dynamic architectures have become increasingly important. In such architectures, components may appear or disappear, and connections may change over time. %Problem In the following we mechanize a theory of dynamic architectures and verify the soundness of a corresponding calculus. %Approach Therefore, we first formalize the notion of configuration traces~\cite{Marmsoler2016} as a model for dynamic architectures. Then, the behavior of single components is formalized in terms of behavior traces and an operator is introduced and studied to extract the behavior of a single component out of a given configuration trace. Then, behavior trace assertions are introduced as a temporal specification technique to specify behavior of components. 
Reasoning about component behavior in a dynamic context is formalized in terms of a calculus for dynamic architectures~\cite{Marmsoler2017c}. Finally, the soundness of the calculus is verified by introducing an alternative interpretation for behavior trace assertions over configuration traces and proving the rules of the calculus. Since projection may lead to finite as well as infinite behavior traces, they are formalized in terms of coinductive lists. Thus, our theory is based on Lochbihler's~\cite{Lochbihler2010} formalization of coinductive lists. %Implications The theory may be applied to verify properties for dynamic architectures. \end{abstract} \newpage \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Dynamic_Tables/document/root.tex b/thys/Dynamic_Tables/document/root.tex --- a/thys/Dynamic_Tables/document/root.tex +++ b/thys/Dynamic_Tables/document/root.tex @@ -1,31 +1,32 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Dynamic Tables} \author{Tobias Nipkow} \maketitle \begin{abstract} This article formalizes the amortized analysis of dynamic tables parameterized with their minimal and maximal load factors and the expansion and contraction factors. A full description is found in a companion paper \cite{Nipkow-Tables}. \end{abstract} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/E_Transcendental/document/root.tex b/thys/E_Transcendental/document/root.tex --- a/thys/E_Transcendental/document/root.tex 
+++ b/thys/E_Transcendental/document/root.tex @@ -1,65 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb, amsmath} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Transcendence of $e$} \author{Manuel Eberl} \maketitle \begin{abstract} This work contains a formalisation of the proof that Euler's number $e$ is transcendental. The proof follows the standard approach of assuming that $e$ is algebraic and then using a specific integer polynomial to derive two inconsistent bounds, leading to a contradiction. This approach can be found in many different sources; this formalisation mostly follows a PlanetMath article~\cite{planetmath} by Roger Lipsett. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \begingroup \raggedright \bibliography{root} \endgroup \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Echelon_Form/document/root.tex b/thys/Echelon_Form/document/root.tex --- a/thys/Echelon_Form/document/root.tex +++ b/thys/Echelon_Form/document/root.tex 
@@ -1,45 +1,46 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Echelon Form} \author{By Jose Divas\'on and Jes\'us Aransay\thanks{This research has been funded by the research grant FPI-UR-12 of the Universidad de La Rioja and by the project MTM2014-54151-P from Ministerio de Econom\'ia y Competitividad (Gobierno de Espa\~na).}} \maketitle \begin{abstract} In this work we present the formalization of an algorithm to compute the Echelon Form of a matrix. We have proved its existence over Bezout domains and we have made it executable over Euclidean domains, such as $\mathbb{Z}$ and $\mathbb{K}[x]$. This allows us to compute determinants, inverses and characteristic polynomials of matrices. The work is based on the \emph{HOL-Multivariate Analysis} library, and on both the Gauss-Jordan and Cayley-Hamilton AFP entries. As a by-product, some algebraic structures have been implemented (principal ideal domains, Bezout domains\dots). The algorithm has been refined to immutable arrays and code can be generated to functional languages as well. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/EdmondsKarp_Maxflow/document/root.tex b/thys/EdmondsKarp_Maxflow/document/root.tex --- a/thys/EdmondsKarp_Maxflow/document/root.tex +++ b/thys/EdmondsKarp_Maxflow/document/root.tex 
@@ -1,202 +1,203 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} %\newcommand{\isaheader}[1]{\section{#1}} \newcommand{\DefineSnippet}[2]{#2} \begin{document} \title{Formalizing the Edmonds-Karp Algorithm} \author{Peter Lammich and S.~Reza Sefidgar} \maketitle \begin{abstract} We present a formalization of the Edmonds-Karp algorithm for computing the maximum flow in a network. Our formal proof closely follows a standard textbook proof, and is accessible even without being an expert in Isabelle/HOL--- the interactive theorem prover used for the formalization. We use stepwise refinement to refine a generic formulation of the Ford-Fulkerson method to Edmonds-Karp algorithm, and formally prove its complexity bound of $O(VE^2)$. Further refinement yields a verified implementation, whose execution time compares well to an unverified reference implementation in Java. This entry is based on our ITP-2016 paper with the same title. 
\end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} Computing the maximum flow of a network is an important problem in graph theory. Many other problems, like maximum-bipartite-matching, edge-disjoint-paths, circulation-demand, as well as various scheduling and resource allocating problems can be reduced to it. The Ford-Fulkerson method~\cite{FF56} describes a class of algorithms to solve the maximum flow problem. An important instance is the Edmonds-Karp algorithm~\cite{EK72}, which was one of the first algorithms to solve the maximum flow problem in polynomial time for the general case of networks with real valued capacities. In our paper~\cite{LaSe16}, we present a formal verification of the Edmonds-Karp algorithm and its polynomial complexity bound. The formalization is conducted entirely in the Isabelle/HOL proof assistant~\cite{NPW02}. This entry contains the complete formalization. Stepwise refinement techniques~\cite{Wirth71,Back78,BaWr98} allow us to elegantly structure our verification into an abstract proof of the Ford-Fulkerson method, its instantiation to the Edmonds-Karp algorithm, and finally an efficient implementation. The abstract parts of our verification closely follow the textbook presentation of Cormen et al.~\cite{CLRS09}. We have used the Isar~\cite{Wenzel99} proof language to develop human-readable proofs that are accessible even to non-Isabelle experts. While there exists another formalization of the Ford-Fulkerson method in Mizar~\cite{Lee05}, we are, to the best of our knowledge, the first that verify a polynomial maximum flow algorithm, prove the polynomial complexity bound, or provide a verified executable implementation. Moreover, this entry is a case study on elegantly formalizing algorithms. 
% generated text of all theories \input{session} \section{Conclusion}\label{sec:concl} We have presented a verification of the Edmonds-Karp algorithm, using a stepwise refinement approach. Starting with a proof of the Ford-Fulkerson theorem, we have verified the generic Ford-Fulkerson method, specialized it to the Edmonds-Karp algorithm, and proved the upper bound $O(VE)$ for the number of outer loop iterations. We then conducted several refinement steps to derive an efficiently executable implementation of the algorithm, including a verified breadth first search algorithm to obtain shortest augmenting paths. Finally, we added a verified algorithm to check whether the input is a valid network, and generated executable code in SML. The runtime of our verified implementation compares well to that of an unverified reference implementation in Java. Our formalization has combined several techniques to achieve an elegant and accessible formalization: Using the Isar proof language~\cite{Wenzel99}, we were able to provide a completely rigorous but still accessible proof of the Ford-Fulkerson theorem. The Isabelle Refinement Framework~\cite{LaTu12,La12} and the Sepref tool~\cite{La15,La16} allowed us to present the Ford-Fulkerson method on a level of abstraction that closely resembles pseudocode presentations found in textbooks, and then formally link this presentation to an efficient implementation. Moreover, modularity of refinement allowed us to develop the breadth first search algorithm independently, and later link it to the main algorithm. The BFS algorithm can be reused as building block for other algorithms. The data structures are re-usable, too: although we had to implement the array representation of (capacity) matrices for this project, it will be added to the growing library of verified imperative data structures supported by the Sepref tool, such that it can be re-used for future formalizations. 
During this project, we have learned some lessons on verified algorithm development: \begin{itemize} \item It is important to keep the levels of abstraction strictly separated. For example, when implementing the capacity function with arrays, one needs to show that it is only applied to valid nodes. However, proving that, e.g., augmenting paths only contain valid nodes is hard at this low level. Instead, one can protect the application of the capacity function by an assertion--- already on a high abstraction level where it can be easily discharged. On refinement, this assertion is passed down, and ultimately available for the implementation. Optimally, one wraps the function together with an assertion of its precondition into a new constant, which is then refined independently. \item Profiling has helped a lot in identifying candidates for optimization. For example, based on profiling data, we decided to delay a possible deforestation optimization on augmenting paths, and to first refine the algorithm to operate on residual graphs directly. \item ``Efficiency bugs'' are as easy to introduce as for unverified software. For example, out of convenience, we implemented the successor list computation by \emph{filter}. Profiling then indicated a hot-spot on this function. As the order of successors does not matter, we invested a bit more work to make the computation tail recursive and gained a significant speed-up. Moreover, we realized only lately that we had accidentally implemented and verified matrices with column major ordering, which have a poor cache locality for our algorithm. Changing the order resulted in another significant speed-up. \end{itemize} We conclude with some statistics: The formalization consists of roughly 8000 lines of proof text, where the graph theory up to the Ford-Fulkerson algorithm requires 3000 lines. 
The abstract Edmonds-Karp algorithm and its complexity analysis contribute 800 lines, and its implementation (including BFS) another 1700 lines. The remaining lines are contributed by the network checker and some auxiliary theories. The development of the theories required roughly 3 man month, a significant amount of this time going into a first, purely functional version of the implementation, which was later dropped in favor of the faster imperative version. \subsection{Related Work}\label{sec:related_work} We are only aware of one other formalization of the Ford-Fulkerson method conducted in Mizar~\cite{MaRu05} by Lee. Unfortunately, there seems to be no publication on this formalization except~\cite{Lee05}, which provides a Mizar proof script without any additional comments except that it ``defines and proves correctness of Ford/Fulkerson's Maximum Network-Flow algorithm at the level of graph manipulations''. Moreover, in Lee et al.~\cite{LeRu07}, which is about graph representation in Mizar, the formalization is shortly mentioned, and it is clarified that it does not provide any implementation or data structure formalization. As far as we understood the Mizar proof script, it formalizes an algorithm roughly equivalent to our abstract version of the Ford-Fulkerson method. Termination is only proved for integer valued capacities. Apart from our own work~\cite{La14,NoLa12}, there are several other verifications of graph algorithms and their implementations, using different techniques and proof assistants. Noschinski~\cite{Nosch15} verifies a checker for (non-)planarity certificates using a bottom-up approach. Starting at a C implementation, the AutoCorres tool~\cite{Greenaway15,GAK12} generates a monadic representation of the program in Isabelle. Further abstractions are applied to hide low-level details like pointer manipulations and fixed size integers. Finally, a verification condition generator is used to prove the abstracted program correct. 
Note that their approach takes the opposite direction than ours: While they start at a concrete version of the algorithm and use abstraction steps to eliminate implementation details, we start at an abstract version, and use concretization steps to introduce implementation details. Chargu\'eraud~\cite{char11} also uses a bottom-up approach to verify imperative programs written in a subset of OCaml, amongst them a version of Dijkstra's algorithm: A verification condition generator generates a \emph{characteristic formula}, which reflects the semantics of the program in the logic of the Coq proof assistant~\cite{BeCa10}. \subsection{Future Work} Future work includes the optimization of our implementation, and the formalization of more advanced maximum flow algorithms, like Dinic's algorithm~\cite{Di06} or push-relabel algorithms~\cite{GoTa88}. We expect both formalizing the abstract theory and developing efficient implementations to be challenging but realistic tasks. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Efficient-Mergesort/document/root.tex b/thys/Efficient-Mergesort/document/root.tex --- a/thys/Efficient-Mergesort/document/root.tex +++ b/thys/Efficient-Mergesort/document/root.tex 
@@ -1,33 +1,34 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Efficient Mergesort} \author{Christian Sternagel} \maketitle \begin{abstract} We provide a formalization of the mergesort algorithm as used in GHC's Data.List module, proving correctness and stability. Furthermore, experimental data suggests that generated (Haskell-)code for this algorithm is much faster than for previous algorithms available in the Isabelle distribution. \end{abstract} \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} % optional bibliography \addcontentsline{toc}{section}{Bibliography} %\nocite{*} \bibliographystyle{plain} \bibliography{root} \end{document} diff --git a/thys/Elliptic_Curves_Group_Law/document/root.tex b/thys/Elliptic_Curves_Group_Law/document/root.tex --- a/thys/Elliptic_Curves_Group_Law/document/root.tex +++ b/thys/Elliptic_Curves_Group_Law/document/root.tex 
@@ -1,73 +1,74 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Group Law for Elliptic Curves} \author{Stefan Berghofer} \maketitle \begin{abstract} We prove the group law for elliptic curves in Weierstrass form over fields of characteristic greater than 2. In addition to affine coordinates, we also formalize projective coordinates, which allow for more efficient computations. By specializing the abstract formalization to prime fields, we can apply the curve operations to parameters used in standard security protocols. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} Elliptic curves play an important role in cryptography, since they allow to achieve a security level that is comparable to that of RSA, while requiring a smaller key size and less computation time. The primitive operation on elliptic curves is \emph{point addition}. To ensure the proper functioning of cryptographic algorithms based on elliptic curves, such as Diffie-Hellman key exchange (ECDH) or digital signatures (ECDSA), it is important that the points on the curve form a group with respect to point addition. Our formalization of elliptic curves is based on earlier work by Laurent Th{\'e}ry in Coq \cite{Coq-Elliptic}. Like its Coq counterpart, the Isabelle formalization uses decision procedures for rings and fields based on reflection, which are executed using Isabelle's code generator for efficiency reasons. 
The decision procedure for rings is due to Gr{\'e}goire and Mahboubi \cite{Mahboubi-Gregoire-TPHOLs2005} and was ported from Coq to Isabelle by Bernhard Haeupler. The formalization exists in two flavours: one based on axiomatic type classes, and another one based on locales. While the axiomatic type class version is more concise, the locale version is more suitable for working with concrete rings or fields like prime fields. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Encodability_Process_Calculi/document/root.tex b/thys/Encodability_Process_Calculi/document/root.tex --- a/thys/Encodability_Process_Calculi/document/root.tex +++ b/thys/Encodability_Process_Calculi/document/root.tex 
@@ -1,65 +1,65 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amssymb} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \usepackage[left=2cm, right=2cm, top=2cm, bottom=2cm]{geometry} \begin{document} \title{Analysing and Comparing Encodability Criteria for Process Calculi (Technical Report)} \author{ \begin{tabular}{c} Kirstin Peters\thanks{Supported by funding of the Excellence Initiative by the German Federal and State Governments (Institutional Strategy, measure `support the best').}\\ \begin{small} TU Dresden, Germany \end{small} \end{tabular} \and \begin{tabular}{c} Rob van Glabbeek\\ \begin{small} NICTA\thanks{NICTA is funded by the Australian Government through the Department of Communications and the Australian Research Council through the ICT Centre of Excellence Program.}, Sydney, Australia \end{small}\\ \begin{small} Computer Science and Engineering, UNSW, Sydney, Australia \end{small} \end{tabular} } \date{August 05, 2015} \maketitle \begin{abstract} Encodings or the proof of their absence are the main way to compare process calculi. To analyse the quality of encodings and to rule out trivial or meaningless encodings, they are augmented with quality criteria. There exists a bunch of different criteria and different variants of criteria in order to reason in different settings. This leads to incomparable results. Moreover it is not always clear whether the criteria used to obtain a result in a particular setting do indeed fit to this setting. We show how to formally reason about and compare encodability criteria by mapping them on requirements on a relation between source and target terms that is induced by the encoding function. 
In particular we analyse the common criteria \emph{full abstraction}, \emph{operational correspondence}, \emph{divergence reflection}, \emph{success sensitiveness}, and \emph{respect of barbs}; e.g.\ we analyse the exact nature of the simulation relation (coupled simulation versus bisimulation) that is induced by different variants of operational correspondence. This way we reduce the problem of analysing or comparing encodability criteria to the better understood problem of comparing relations on processes. \end{abstract} \noindent In the following we present the Isabelle implementation of the underlying theory as well as all proofs of the results presented in the paper \emph{Analysing and Comparing Encodability Criteria} as submitted to EXPRESS/SOS'15. \newpage \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Epistemic_Logic/document/root.tex b/thys/Epistemic_Logic/document/root.tex --- a/thys/Epistemic_Logic/document/root.tex +++ b/thys/Epistemic_Logic/document/root.tex 
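Review bot: `\usepackage[left=2cm, right=2cm, top=2cm, bottom=2cm]{geometry}` in this Encodability_Process_Calculi hunk is still loaded after `\usepackage{pdfsetup}`, which the other root.tex files in this series mark with `% this should be the last package used`; since the preamble is being touched here anyway (blank line removed, fontenc added), consider moving the geometry line above pdfsetup so the file follows the same convention as the rest of the archive. The header `-1,65 +1,65` matches the one-line removal plus one-line addition.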
@@ -1,46 +1,46 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Epistemic Logic} \author{Asta Halkjær From} \maketitle \begin{abstract} This work is a formalization of epistemic logic with countably many agents. It includes proofs of soundness and completeness for the axiom system K. The completeness proof is based on the textbook ``Reasoning About Knowledge'' by Fagin, Halpern, Moses and Vardi (MIT Press 1995)~\cite{fagin1995}. \end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Ergodic_Theory/document/root.tex b/thys/Ergodic_Theory/document/root.tex --- a/thys/Ergodic_Theory/document/root.tex +++ b/thys/Ergodic_Theory/document/root.tex 
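Review bot: dropping `\usepackage[utf8]{inputenc}` in this Epistemic_Logic root.tex hunk relies on the UTF-8 input default that the LaTeX kernel has only had since its 2018 release; the line `\author{Asta Halkjær From}` in the same hunk contains a non-ASCII `æ`, so on an older TeX installation the build will fail or silently mangle the author's name. Either keep the inputenc line next to the new fontenc line (they are independent: one declares the input encoding, the other the output font encoding) or state in the commit message that the AFP build now requires a 2018-or-later LaTeX kernel.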
@@ -1,55 +1,56 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathtools} \usepackage{amssymb} \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \DeclarePairedDelimiter{\norm}{\lVert}{\rVert} \begin{document} \title{Ergodic theory in Isabelle} \author{Sebastien Gouezel} \date{} \maketitle \begin{abstract} Ergodic theory is the branch of mathematics that studies the behaviour of measure preserving transformations, in finite or infinite measure. It interacts both with probability theory (mainly through measure theory) and with geometry as a lot of interesting examples are from geometric origin. We implement the first definitions and theorems of ergodic theory, including notably Poincar\'e recurrence theorem for finite measure preserving systems (together with the notion of conservativity in general), induced maps, Kac's theorem, Birkhoff theorem (arguably the most important theorem in ergodic theory), and variations around it such as conservativity of the corresponding skew product, or Atkinson lemma, and Kingman theorem. Using this material, we formalize completely the proof of the main theorems of~\cite{gouezel_karlsson} and~\cite{gouezel_normalizing_sequences}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{amsalpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Error_Function/document/root.tex b/thys/Error_Function/document/root.tex --- a/thys/Error_Function/document/root.tex +++ b/thys/Error_Function/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Error Function} \author{Manuel Eberl} \maketitle \begin{abstract} This entry provides the definitions and basic properties of the complex and real error function $\text{erf}$ and the complementary error function $\text{erfc}$. Additionally, it gives their full asymptotic expansions. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Euler_MacLaurin/document/root.tex b/thys/Euler_MacLaurin/document/root.tex --- a/thys/Euler_MacLaurin/document/root.tex +++ b/thys/Euler_MacLaurin/document/root.tex 
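Review bot: the `-\usepackage{amsfonts, amsmath, amssymb}` / `+\usepackage{amsfonts,amsmath,amssymb}` pair in this Error_Function hunk (and the identical edit in the Euler_MacLaurin hunk) is a pure whitespace change unrelated to the fontenc addition the rest of the series makes, and on a skim it reads as if a package were swapped. Either drop the whitespace normalisation or mention it in the commit message so reviewers know the package list is unchanged.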
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Euler--MacLaurin summation formula} \author{Manuel Eberl} \maketitle \begin{abstract} The Euler--MacLaurin formula relates the value of a discrete sum $\sum_{i=a}^b f(i)$ to that of the integral $\int_a^b f(x)\,\text{d}x$ in terms of the derivatives of $f$ at $a$ and $b$ and a remainder term. Since the remainder term is often very small as $b$ grows, this can be used to compute asymptotic expansions for sums. This entry contains a proof of this formula for functions from the reals to an arbitrary Banach space. Two variants of the formula are given: the standard textbook version and a variant outlined in \emph{Concrete Mathematics}~\cite{GKP_CM} that is more useful for deriving asymptotic estimates. As example applications, we use that formula to derive the full asymptotic expansion of the harmonic numbers and the sum of inverse squares. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Euler_Partition/document/root.tex b/thys/Euler_Partition/document/root.tex --- a/thys/Euler_Partition/document/root.tex +++ b/thys/Euler_Partition/document/root.tex 
@@ -1,46 +1,47 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Euler's Partition Theorem} \author{Lukas Bulwahn} \maketitle \begin{abstract} Euler's Partition Theorem states that the number of partitions with only distinct parts is equal to the number of partitions with only odd parts. The combinatorial proof follows John Harrison's pre-existing HOL Light formalization~\cite{Harrison}. To understand the rough idea of the proof, I read the lecture notes of the MIT course 18.312 on Algebraic Combinatorics~\cite{Musiker-2009} by Gregg Musiker. This theorem is the 45th theorem of the Top 100 Theorems list. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Example-Submission/document/root.tex b/thys/Example-Submission/document/root.tex --- a/thys/Example-Submission/document/root.tex +++ b/thys/Example-Submission/document/root.tex @@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Submission Example} \author{Gerwin Klein} \maketitle \begin{abstract} This is an example submission to the Archive of Formal Proofs. It shows submission requirements and explains the structure of a simple typical submission. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
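Review bot: Example-Submission is the template that new AFP entries copy, so the bare `+\usepackage[T1]{fontenc}` line added to it should carry a short comment stating why it is there, in the style of the existing `% this should be the last package used` comment in the same hunk; without that cue, submitters cannot tell whether the line is required or may be removed.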
diff --git a/thys/Extended_Finite_State_Machine_Inference/document/root.tex b/thys/Extended_Finite_State_Machine_Inference/document/root.tex --- a/thys/Extended_Finite_State_Machine_Inference/document/root.tex +++ b/thys/Extended_Finite_State_Machine_Inference/document/root.tex 
@@ -1,106 +1,107 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright]{scrreprt} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{hyperref} \usepackage{rotating} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \newcommand{\orcidID}[1]{} % temp. hack \newcommand{\repeatisanl}[1] {\ifnum#1=0\else\isanewline\repeatisanl{\numexpr#1-1}\fi} \newcommand{\snip}[4]{\repeatisanl#2#4\repeatisanl#3} \title{Inference of Extended Finite State Machines}% \author{% \begin{minipage}{.8\textwidth} \centering Michael~Foster\footnotemark[1]\orcidID{0000-0001-8233-9873}% \qquad\qquad% Achim~D.~Brucker\footnotemark[2]\orcidID{0000-0002-6355-1200}% \\% Ramsay~G.~Taylor\footnotemark[1]\orcidID{0000-0002-4036-7590}% \qquad\qquad% John~Derrick\footnotemark[1]\orcidID{0000-0002-6631-8914}% \end{minipage} } \publishers{% \footnotemark[1]~Department of Computer Science, The University of Sheffield, Sheffield, UK\texorpdfstring{\\}{, }% \texttt{\{% \href{mailto:jmafoster1@sheffield.ac.uk}{jmafoster1},% \href{mailto:r.g.taylor@sheffield.ac.uk}{r.g.taylor},% \href{mailto:j.derrick@sheffield.ac.uk}{j.derrick}% \}@sheffield.ac.uk}\\[2em]% \footnotemark[2]~% Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, }% \href{mailto:a.brucker@exeter.ac.uk}{\texttt{a.brucker@exeter.ac.uk}}% } \begin{document} \maketitle \begin{abstract} In this AFP entry, we provide a formal implementation of a state-merging technique to infer extended finite state machines (EFSMs), complete with output and 
update functions, from black-box traces. In particular, we define the \emph{subsumption in context} relation as a means of determining whether one transition is able to account for the behaviour of another. Building on this, we define the \emph{direct subsumption} relation, which lifts the \emph{subsumption in context} relation to EFSM level such that we can use it to determine whether it is safe to merge a given pair of transitions. Key proofs include the conditions necessary for subsumption to occur and the that subsumption and direct subsumption are preorder relations. We also provide a number of different \emph{heuristics} which can be used to abstract away concrete values into \emph{registers} so that more states and transitions can be merged and provide proofs of the various conditions which must hold for these abstractions to subsume their ungeneralised counterparts. A Code Generator setup to create executable Scala code is also defined. \begin{quote} \bigskip \noindent{\textbf{Keywords:} EFSMs, Model inference, Reverse engineering } \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction}\label{chap:intro} This AFP entry provides a formal implementation of a state-merging technique to infer EFSMs from black-box traces and is an accompaniment to work published in \cite{foster2018} and \cite{foster2019}. The inference technique builds off classical FSM inference techniques which work by first building a Prefix Tree Acceptor from traces of the underlying system, and then iteratively merging states which share behaviour to form a smaller model. Most notably, we formalise the definitions of \emph{subsumption in context} and \emph{direct subsumption.} When merging EFSM transitions, one must \emph{account for} the behaviour of the other. 
The \emph{subsumption in context} relation from \cite{foster2018} formalises the intuition that, in certain contexts, a transition $t_2$ reproduces the behaviour of, and updates the data state in a manner consistent with, another transition $t_1$, meaning that $t_2$ can be used in place of $t_1$ with no observable difference in behaviour. This relation requires us to supply a context in which to test subsumption, but there is a problem when we try to apply this to inference: Which context should we use? The \emph{directly subsumes} relation presented in \cite{foster2019} incorporates subsumption into a relation which can be used to determine if it is safe to merge a pair of transitions in an EFSM. It is this which allows us to take the subsumption relation from \cite{foster2018} and use it in the inference process. The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle. Overall, the structure of this document follows the theory dependencies (see \autoref{fig:session-graph}). \begin{sidewaysfigure} \centering \resizebox{\textheight}{!}{\includegraphics[height=\textheight]{session_graph}} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{sidewaysfigure} \nocite{foster.ea:efsm:2018} \clearpage \input{session} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} \endinput %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Extended_Finite_State_Machines/document/root.tex b/thys/Extended_Finite_State_Machines/document/root.tex --- a/thys/Extended_Finite_State_Machines/document/root.tex +++ b/thys/Extended_Finite_State_Machines/document/root.tex 
@@ -1,146 +1,147 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright]{scrreprt} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{hyperref} \usepackage{enumitem} % Mess about with itemize, enumerate, description styles \newcommand\mydescriptionlabel[1]{\hspace{\leftmargini}\textbf{#1}} \newenvironment{where}{% \let\descriptionlabel\mydescriptionlabel \description[itemsep=0em, font=\normalfont] }{% \enddescription } \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \newcommand{\orcidID}[1]{} % temp. hack \newcommand{\repeatisanl}[1] {\ifnum#1=0\else\isanewline\repeatisanl{\numexpr#1-1}\fi} \newcommand{\snip}[4]{\repeatisanl#2#4\repeatisanl#3} \newcommand{\DefineSnippet}[2]{% \expandafter\newcommand\csname snippet--#1\endcsname{% \begin{quote} \begin{isabelle} #2 \end{isabelle} \end{quote}}} \newcommand{\Snippet}[1]{% \ifcsname snippet--#1\endcsname{\csname snippet--#1\endcsname}% \else+++++++ERROR: Snippet ``#1 not defined''+++++++ \fi} \title{A Formal Model of Extended Finite State Machines}% \author{% \begin{minipage}{.8\textwidth} \centering Michael~Foster\footnotemark[1]\orcidID{0000-0001-8233-9873}% \qquad\qquad% Achim~D.~Brucker\footnotemark[2]\orcidID{0000-0002-6355-1200}% \\% Ramsay~G.~Taylor\footnotemark[1]\orcidID{0000-0002-4036-7590}% \qquad\qquad% John~Derrick\footnotemark[1]\orcidID{0000-0002-6631-8914}% \end{minipage} } \publishers{% \footnotemark[1]~Department of Computer Science, The University of Sheffield, Sheffield, UK\texorpdfstring{\\}{, }% \texttt{\{% 
\href{mailto:jmafoster1@sheffield.ac.uk}{jmafoster1},% \href{mailto:r.g.taylor@sheffield.ac.uk}{r.g.taylor},% \href{mailto:j.derrick@sheffield.ac.uk}{j.derrick}% \}@sheffield.ac.uk}\\[2em]% \footnotemark[2]~% Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, }% \href{mailto:a.brucker@exeter.ac.uk}{\texttt{a.brucker@exeter.ac.uk}}% } \begin{document} \maketitle \begin{abstract} In this AFP entry, we provide a formalisation of extended finite state machines (EFSMs) where models are represented as finite sets of transitions between states. EFSMs execute traces to produce observable outputs. We also define various simulation and equality metrics for EFSMs in terms of traces and prove their strengths in relation to each other. Another key contribution is a framework of function definitions such that LTL properties can be phrased over EFSMs. Finally, we provide a simple example case study in the form of a drinks machine. \begin{quote} \bigskip \noindent{\textbf{Keywords:} Extended Finite State Machines, Automata, Linear Temporal Logic} \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} This AFP entry formalises extended finite state machines (EFSMs) as defined in \cite{foster2018}. Here, models maintain both a \emph{control flow state} and a \emph{data state}, which takes the form of a set of \emph{registers} to which values may be assigned. Transitions may take additional input parameters, and may impose guard conditions on the values of both inputs and registers. Additionally, transitions may produce observable outputs and update the data state by evaluating arithmetic functions over inputs and registers. As defined in \cite{foster2018}, an EFSM is a tuple, $(S, s_0, T)$ where \begin{where} \item [$S$] is a finite non-empty set of states. \item [$s_0 \in S$]is the initial state. 
\item [$T$] is the transition matrix $T:(S \times S) \to \mathcal{P}(L \times \mathbb{N} \times G \times F \times U)$ with rows representing origin states and columns representing destination states. \end{where} In $T$ \begin{where} \item [$L$] is a finite set of transition labels \item [$\mathbb{N}$] gives the transition \emph{arity} (the number of input parameters), which may be zero. \item [$G$] is a finite set of Boolean guard functions $G:(I \times R) \to \mathbb{B}$. \item [$F$] is a finite set of \emph{output functions} $F:(I \times R) \to O$. \item [$U$] is a finite set of \emph{update functions} $U:(I \times R) \to R$. \end{where} In $G$, $F$, and $U$ \begin{where} \item [$I$] is a list $[i_0, i_1, \ldots, i_{m-1}]$ of values representing the inputs of a transition, which is empty if the arity is zero. \item [$R$] is a mapping from variables $[r_0, r_1, \ldots]$, representing each register of the machine, to their values. \item [$O$] is a list $[o_0, o_1, \ldots, o_{n-1}]$ of values, which may be empty, representing the outputs of a transition. \end{where} EFSM transitions have five components: label, arity, guards, outputs, and updates. Transition labels are strings, and the arities natural numbers. Guards have a defined type of \emph{guard expression} (\texttt{gexp}) and the outputs and updates are defined using \emph{arithmetic expressions} (\texttt{aexp}). Outputs are simply a list of expressions to be evaluated. Updates are a list of pairs with the first element being the index of the register to be updated, and the second element being an arithmetic expression to be evaluated. \begin{figure} \centering \includegraphics[height=\textheight]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle. 
Overall, the structure of this document follows the theory dependencies (see \autoref{fig:session-graph}): \nocite{foster2018} \clearpage % \chapter{Theories} \input{session} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} \endinput %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/FFT/document/root.tex b/thys/FFT/document/root.tex --- a/thys/FFT/document/root.tex +++ b/thys/FFT/document/root.tex @@ -1,35 +1,36 @@ \documentclass[12pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[british]{babel} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in typewriter \urlstyle{rm} \isabellestyle{tt} \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \addtolength{\voffset}{-1cm} \begin{document} \title{Fast Fourier Transformation } \author{Clemens Ballarin} \maketitle \tableofcontents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/FLP/document/root.tex b/thys/FLP/document/root.tex --- a/thys/FLP/document/root.tex +++ b/thys/FLP/document/root.tex 
@@ -1,53 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{csquotes} \usepackage{amsmath} \usepackage{isabelle,isabellesym} \usepackage{color} \usepackage{custom-macros} \usepackage[top=3cm,bottom=4.5cm]{geometry} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in isabelle-similar-similar type-writer \urlstyle{rm} \isabellestyle{tt} \title{A constructive proof for FLP} \author{Benjamin Bisping \and Paul-David Brodmann \and Tim Jungnickel \and Christina Rickmann \and Henning Seidler \and Anke St\"uber \and Arno Wilhelm-Weidner \and Kirstin Peters \and Uwe Nestmann} % \date{\today} \begin{document} \maketitle \begin{abstract} The impossibility of distributed consensus with one faulty process is a result with important consequences for real world distributed systems e.g., commits in replicated databases. Since proofs are not immune to faults and even plausible proofs with a profound formalism can conclude wrong results, we validate the fundamental result named FLP after Fischer, Lynch and Paterson by using the interactive theorem prover Isabelle/HOL. We present a formalization of distributed systems and the aforementioned consensus problem. Our proof is based on Hagen Völzer's paper \emph{A constructive proof for FLP}. In addition to the enhanced confidence in the validity of Völzer's proof, we contribute the missing gaps to show the correctness in Isabelle/HOL. We clarify the proof details and even prove fairness of the infinite execution that contradicts consensus. Our Isabelle formalization can also be reused for further proofs of properties of distributed systems. 
\end{abstract} In the following we present the Isabelle implementation of the underlying theory as well as all proofs of the results presented in the paper \emph{Mechanical Verification of a Constructive Proof for FLP} as submitted to the Proceedings of the \textit{seventh conference on Interactive Theorem Proving}, ITP 2016, LNCS. \newpage \tableofcontents \newpage % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/FOL-Fitting/document/root.tex b/thys/FOL-Fitting/document/root.tex --- a/thys/FOL-Fitting/document/root.tex +++ b/thys/FOL-Fitting/document/root.tex @@ -1,44 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{graphicx} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \isadroptag{theory} \newcommand{\isasymnotturnstile}{\isamath{\not\vdash}} \newcommand{\isasymnotTurnstile}{\isamath{\not\models}} \newcommand{\secref}[1]{\S\ref{#1}} \newcommand{\figref}[1]{Figure \ref{#1}} \begin{document} \title{Meta-theory of first-order predicate logic} \author{Stefan Berghofer} \maketitle \begin{abstract} We present a formalization of parts of Melvin Fitting's book ``First-Order Logic and Automated Theorem Proving'' \cite{Fitting}. The formalization covers the syntax of first-order logic, its semantics, the model existence theorem, a natural deduction proof calculus together with a proof of correctness and completeness, as well as the L\"owenheim-Skolem theorem. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/FOL_Harrison/document/root.tex b/thys/FOL_Harrison/document/root.tex --- a/thys/FOL_Harrison/document/root.tex +++ b/thys/FOL_Harrison/document/root.tex 
@@ -1,80 +1,81 @@ \documentclass[a4paper]{article} +\usepackage[T1]{fontenc} \title{First-Order Logic According to Harrison} \author{Alexander Birch Jensen, Anders Schlichtkrull \&\\ J{\o}rgen Villadsen, DTU Compute, Denmark} \date{\isadate\today} \usepackage[left=15mm,right=15mm,top=20mm,bottom=27mm]{geometry} \usepackage{datetime,isabelle,isabellesym,parskip} \newdateformat{isadate}{\THEDAY\ \monthname[\THEMONTH] \THEYEAR} \usepackage{pdfsetup} \isabellestyle{tt} \urlstyle{rm} %\renewcommand{\isachardoublequote}{} %\renewcommand{\isachardoublequoteopen}{} %\renewcommand{\isachardoublequoteclose}{} \renewcommand{\isamarkupchapter}[1]{\clearpage\isamarkupsection{#1}\medskip} \renewcommand{\isamarkupsection}[1]{\medskip\section*{#1}\addcontentsline{toc}{section}{#1}\medskip} \renewcommand{\isamarkupsubsection}[1]{\medskip\subsection*{#1}\medskip} \renewcommand{\isamarkupsubsubsection}[1]{\medskip\subsubsection*{#1}\medskip} \renewcommand{\isabeginpar}{\par\ifisamarkup\relax\else\bigskip\fi} \renewcommand{\isaendpar}{\par\bigskip} \begin{document} \makeatletter \parbox[t]{\textwidth}{\centering\Huge\bfseries\@title}\par\kern5mm \parbox[t]{\textwidth}{\centering\Large\bfseries\@author}\par\kern3mm \parbox[t]{\textwidth}{\centering\bfseries\@date}\par\kern8mm \makeatother \begin{abstract}\normalsize\noindent We present a certified declarative first-order prover with equality based on John Harrison's Handbook of Practical Logic and Automated Reasoning, Cambridge University Press, 2009. ML code reflection is used such that the entire prover can be executed within Isabelle as a very simple interactive proof assistant. As examples we consider Pelletier's problems 1-46. \end{abstract} \tableofcontents \isamarkupsection{Preample} Preliminary formalizations are described here: \begin{trivlist} \item Alexander Birch Jensen: \emph{Development and Verification of a Proof Assistant.} Master's Thesis, Technical University of Denmark, 2016. 
\url{http://findit.dtu.dk/en/catalog/2345011633} \item Alexander Birch Jensen, Anders Schlichtkrull \&\ J{\o}rgen Villadsen: \emph{Verification of an LCF-Style First-Order Prover with Equality.} Isabelle Workshop 2016. \url{https://github.com/logic-tools/sml-handbook} \end{trivlist} \clearpage \input{session} \clearpage \isamarkupsection{Acknowledgements} The SML code is based on the OCaml code accompanying John Harrison's Handbook of Practical Logic and Automated Reasoning, Cambridge University Press, 2009 Thanks to Jasmin Blanchette, Asta Halkj{\ae}r From, John Bruntse Larsen, Andrei Popescu and Tom Ridge for discussions. \end{document} diff --git a/thys/FOL_Seq_Calc1/document/root.tex b/thys/FOL_Seq_Calc1/document/root.tex --- a/thys/FOL_Seq_Calc1/document/root.tex +++ b/thys/FOL_Seq_Calc1/document/root.tex @@ -1,47 +1,47 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \title{A Sequent Calculus for First-Order Logic} \author{Asta Halkjær From} \begin{document} \maketitle \begin{abstract} This work formalizes soundness and completeness of a one-sided sequent calculus for first-order logic. The completeness is shown via a translation from a complete semantic tableau calculus, the proof of which is based on the First-Order Logic According to Fitting theory. The calculi and proof techniques are taken from Ben-Ari's Mathematical Logic for Computer Science~\cite{BenAri2012}. \end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Factored_Transition_System_Bounding/document/root.tex b/thys/Factored_Transition_System_Bounding/document/root.tex --- a/thys/Factored_Transition_System_Bounding/document/root.tex +++ b/thys/Factored_Transition_System_Bounding/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Upper Bounding Diameters of State Spaces of Factored Transition Systems} \author{Friedrich Kurz and Mohammad Abdulaziz} \maketitle \begin{abstract} A {\em completeness threshold} is required to guarantee the completeness of planning as satisfiability, and bounded model checking of safety properties. One valid completeness threshold is the {\em diameter} of the underlying transition system. The diameter is the maximum element in the set of lengths of all shortest paths between pairs of states. The diameter is not calculated exactly in our setting, where the transition system is succinctly described using a (propositionally) factored representation. Rather, an upper bound on the diameter is calculated compositionally, by bounding the diameters of small abstract subsystems, and then composing those. We port a HOL4 formalisation of a compositional algorithm for computing a relatively tight upper bound on the system diameter. This compositional algorithm exploits acyclicity in the state space to achieve compositionality, and it was introduced by Abdulaziz et. al~\cite{icaps2017} (in particular Algorithm~1). The formalisation that we port is described as a part of another paper by Abdulaziz et. al~\cite{abdulaziz2018formally}, in particular in section~6. As a part of this porting we developed a libray about transition systems, which shall be of use in future related mechanisation efforts. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Falling_Factorial_Sum/document/root.tex b/thys/Falling_Factorial_Sum/document/root.tex 
--- a/thys/Falling_Factorial_Sum/document/root.tex +++ b/thys/Falling_Factorial_Sum/document/root.tex 
@@ -1,98 +1,99 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Falling Factorial of a Sum} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry shows that the falling factorial of a sum can be computed with an expression using binomial coefficients and the falling factorial of its summands. The entry provides three different proofs: a combinatorial proof, an induction proof and an algebraic proof using the Vandermonde identity. The three formalizations try to follow their informal presentations from a Mathematics Stack Exchange page~\cite{mse-1, mse-2, mse-3, mse-4} as close as possible. The induction and algebraic formalization end up to be very close to their informal presentation, whereas the combinatorial proof first requires the introduction of list interleavings, and significant more detail than its informal presentation. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section{Note on Copyright Licensing} The initial material of the informal proof for this formalisation is provided on Mathematics Stack Exchange under the Creative Commons Attribution-ShareAlike 3.0 Unported license (CC BY-SA 3.0; \url{https://creativecommons.org/licenses/by-sa/3.0/}), which is pointed out on the the Mathematics Stack Exchange terms of use at~\url{https://stackexchange.com/legal/terms-of-service}. The two main proofs, the induction and the algebraic proof in this AFP entry are (even textually) very close to the initial material from Mathematics Stack Exchange. In case the two Isabelle proofs are judged to build upon the main proofs from Mathematics Stack Exchange, the CC BY-SA 3.0 license requires that these proofs must be available under the same license, and hence, these proofs are consequently licensed under CC BY-SA 3.0. In case the two Isabelle proofs are not judged to build upon the material from Mathematics Stack Exchange, I as an author provide them under the 3-Clause BSD License~(\url{https://opensource.org/licenses/BSD-3-Clause}) to allow their seemless integration into the Isabelle repository at any point in time. All other content that does not build upon the material from Mathematics Stack Exchange is licensed under the 3-clause BSD License, and can be copied, moved or integrated in other work licensed under the 3-clause BSD License without further consideration of the different obligations of the existing copyright licensing. \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Farkas/document/root.tex b/thys/Farkas/document/root.tex --- a/thys/Farkas/document/root.tex +++ b/thys/Farkas/document/root.tex 
@@ -1,96 +1,96 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Farkas' Lemma and Motzkin's Transposition Theorem\footnote{ Supported by FWF (Austrian Science Fund) project Y757. The authors are listed in alphabetical order regardless of individual contributions or seniority.} } \author{Ralph Bottesch \and Max W.\ Haslbeck \and Ren\'e Thiemann} \maketitle \begin{abstract} We formalize a proof of Motzkin's transposition theorem and Farkas' lemma in Isabelle/HOL. Our proof is based on the formalization of the simplex algorithm which, given a set of linear constraints, either returns a satisfying assignment to the problem or detects unsatisfiability. % the unsat core is not relevant for this paper By reusing facts about the simplex algorithm we show that a set of linear constraints is unsatisfiable if and only if there is a linear combination of the constraints which evaluates to a trivially unsatisfiable inequality. % Farkas' lemma states that a set of linear constraints is either satisfiable or % there exists a linear combination of the constraints which evaluates to an % unsatisfiable inequality $0 \leq c$ where $c$ is negative. % % Our proof is based on the formalization of the simplex algorithm which, given a % set of linear constraints, either returns a assignment to the % problem or returns a subset of the constraints which are unsatisfiable. \end{abstract} \tableofcontents \section{Introduction} This formalization augments the existing formalization of the simplex algorithm \cite{simplex-afp,SpasicMaric,Thiemann18}. 
Given a system of linear constraints, the simplex implementation in \cite{simplex-afp} produces either a satisfying assignment or a subset of the given constraints that is itself unsatisfiable. Here we prove some variants of Farkas' Lemma. In essence, it states that if a set of constraints is unsatisfiable, then there is a linear combination of these constraints that evaluates to an unsatisfiable inequality of the form $0 \leq c$, for some negative $c$. Our proof of Farkas' Lemma \cite[Cor.~7.1e]{LinearProgramming} relies on the formalized simplex algorithm: Under the assumption that the algorithm has detected unsatisfiability, we show that there exist coefficients for the above-mentioned linear combination of the input constraints. Since the formalized algorithm follows the structure of the simplex-algorithm by Dutertre and de Moura \cite{simplex-rad}, it first goes through a number of preprocessing phases, before starting the simplex procedure in earnest. These are relevant for proving Farkas' Lemma. We distinguish four \emph{layers} of the algorithm; at each layer, it operates on data that is a refinement of the data available at the previous layer. \begin{itemize} \item \emph{Layer 1.} \emph{Data}: the input -- a set of linear constraints with rational coefficients. These can be equalities or strict/non-strict inequalities. \emph{Preprocessing}: Each equality is split into two non-strict inequalities, strict inequalities are replaced by non-strict inequalities involving $\delta$-rationals. \item \emph{Layer 2.} \emph{Data}: a set of linear constraints that are non-strict inequalities with $\delta$-rationals. \emph{Preprocessing}: Linear constraints are simplified so that each constraint involves a single variable, by introducing so-called slack variables where necessary. The equations defining the slack variables are collected in a \emph{tableau}. The constraints are normalized so that they are of the form $y\leq c$ or $y\geq c$ (these are called \emph{atoms}). 
\item \emph{Layer 3.} \emph{Data}: A tableau and a set of atoms. Here the algorithm initializes the simplex algorithm. \item \emph{Layer 4.} \emph{Data}: A tableau, a set of atoms and an assignment of the variables. The simplex procedure is run. \end{itemize} At the point in the execution where the simplex algorithm detects unsatisfiability, we can directly obtain coefficients for the desired linear combination. However, these coefficients must then be propagated backwards through the different layers, where the constraints themselves have been modified, in order to obtain coefficients for a linear combination of \emph{input} constraints. These propagation steps make up a large part of the formalized proof, since we must show, at each of the layers 1--3, that the existence of coefficients at the layer below translates into the existence of such coefficients for the current layer. This means, in particular, that we formulate and prove a version of Farkas' Lemma for each of the four layers, in terms of the data available at the respective level. The theorem we obtain at Layer 1 is actually a more general version of Farkas' lemma, in the sense that it allows for strict as well as non-strict inequalities, known as Motzkin's Transposition Theorem \cite[Cor.~7.1k]{LinearProgramming} or the Kuhn--Fourier Theorem~\cite[Thm.~1.1.9]{StoerWitzgall}. Since the implementation of the simplex algorithm in \cite{simplex-afp}, which our work relies on, is restricted to systems of constraints over the rationals, this formalization is also subject to the same restriction. \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Featherweight_OCL/document/root.tex b/thys/Featherweight_OCL/document/root.tex --- a/thys/Featherweight_OCL/document/root.tex +++ b/thys/Featherweight_OCL/document/root.tex 
@@ -1,283 +1,281 @@ \documentclass[fontsize=10pt,DIV12,paper=a4,open=right,twoside,abstract=true]{scrreprt} \usepackage{fixltx2e} \usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} -\usepackage{lmodern} \usepackage{textcomp} \usepackage[english]{babel} \usepackage{isabelle} \isatagannexa \usepackage{omg} \usepackage{draftwatermark} \SetWatermarkAngle{55} \SetWatermarkLightness{.9} \SetWatermarkFontSize{3cm} \SetWatermarkScale{1.4} \SetWatermarkText{\textbf{\textsf{Draft Proposal}}} \endisatagannexa \usepackage[nocolortable, noaclist,isasymonly,nocolor]{hol-ocl-isar} \renewcommand{\lfloor}{\isasymHolOclLiftLeft} \renewcommand{\rfloor}{\isasymHolOclLiftRight} \renewcommand{\lceil}{\isasymHolOclDropLeft} \renewcommand{\rceil}{\isasymHolOclDropRight} \renewcommand{\oclkeywordstyle}{\bfseries} \renewcommand{\javakeywordstyle}{\bfseries} \renewcommand{\smlkeywordstyle}{\bfseries} \renewcommand{\holoclthykeywordstyle}{} \usepackage{lstisar} \usepackage{railsetup} \usepackage[]{mathtools} \usepackage{% multirow, paralist, booktabs, % " " " threeparttable, longtable, % Mehrseitige Tabellen } \usepackage{graphicx} \usepackage[numbers, sort&compress, sectionbib]{natbib} \usepackage{chapterbib} \usepackage[caption=false]{subfig} \usepackage{tabu} \usepackage{prooftree} %\usepackage[draft]{fixme} \usepackage[pdfpagelabels, pageanchor=false, bookmarksnumbered, plainpages=false]{hyperref} \graphicspath{{data/},{figures/}} \makeatletter \renewcommand*\l@section{\bprot@dottedtocline{1}{1.5em}{2.8em}} \renewcommand*\l@subsection{\bprot@dottedtocline{2}{3.8em}{3.7em}} \renewcommand*\l@subsubsection{\bprot@dottedtocline{3}{7.0em}{5em}} \renewcommand*\l@paragraph{\bprot@dottedtocline{4}{10em}{6.2em}} %\renewcommand*\l@paragraph{\bprot@dottedtocline{4}{10em}{5.5em}} \renewcommand*\l@subparagraph{\bprot@dottedtocline{5}{12em}{7.7em}} %\renewcommand*\l@subparagraph{\bprot@dottedtocline{5}{12em}{6.5em}} \makeatother %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%%% Overall the (rightfully issued) warning by Koma Script that \rm %%% etc. should not be used (they are deprecated since more than a %%% decade) \DeclareOldFontCommand{\rm}{\normalfont\rmfamily}{\mathrm} \DeclareOldFontCommand{\sf}{\normalfont\sffamily}{\mathsf} \DeclareOldFontCommand{\tt}{\normalfont\ttfamily}{\mathtt} \DeclareOldFontCommand{\bf}{\normalfont\bfseries}{\mathbf} \DeclareOldFontCommand{\it}{\normalfont\itshape}{\mathit} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \setcounter{tocdepth}{3} % printed TOC not too detailed \hypersetup{bookmarksdepth=3} % more detailed digital TOC (aka bookmarks) \sloppy \allowdisplaybreaks[4] \raggedbottom \newcommand{\HOL}{HOL\xspace} \newcommand{\OCL}{OCL\xspace} \newcommand{\UML}{UML\xspace} \newcommand{\HOLOCL}{HOL-OCL\xspace} \newcommand{\FOCL}{Featherweight OCL\xspace} \renewcommand{\HolTrue}{\mathrm{true}} \renewcommand{\HolFalse}{\mathrm{false}} \newcommand{\ptmi}[1]{\using{\mi{#1}}} \newcommand{\Lemma}[1]{{\color{BrickRed}% \mathbf{\operatorname{lemma}}}~\text{#1:}\quad} \newcommand{\done}{{\color{OliveGreen}\operatorname{done}}} \newcommand{\apply}[1]{{\holoclthykeywordstyle% \operatorname{apply}}(\text{#1})} \newcommand{\fun} {{\holoclthykeywordstyle\operatorname{fun}}} \newcommand{\isardef} {{\holoclthykeywordstyle\operatorname{definition}}} \newcommand{\where} {{\holoclthykeywordstyle\operatorname{where}}} \newcommand{\datatype} {{\holoclthykeywordstyle\operatorname{datatype}}} \newcommand{\types} {{\holoclthykeywordstyle\operatorname{types}}} \newcommand{\pglabel}[1]{\text{#1}} \renewcommand{\isasymOclUndefined}{\ensuremath{\mathtt{invalid}}} \newcommand{\isasymOclNull}{\ensuremath{\mathtt{null}}} \newcommand{\isasymOclInvalid}{\isasymOclUndefined} \DeclareMathOperator{\inv}{inv} \newcommand{\Null}[1]{{\ensuremath{\mathtt{null}_\text{{#1}}}}} \newcommand{\testgen}{HOL-TestGen\xspace} \newcommand{\HolOption}{\mathrm{option}} \newcommand{\ran}{\mathrm{ran}} 
\newcommand{\dom}{\mathrm{dom}} \newcommand{\typedef}{\mathrm{typedef}} \newcommand{\typesynonym}{\mathrm{type\_synonym}} \newcommand{\mi}[1]{\,\text{#1}} \newcommand{\state}[1]{\ifthenelse{\equal{}{#1}}% {\operatorname{state}}% {\operatorname{\mathit{state}}(#1)}% } \newcommand{\mocl}[1]{\text{\inlineocl|#1|}} \DeclareMathOperator{\TCnull}{null} \DeclareMathOperator{\HolNull}{null} \DeclareMathOperator{\HolBot}{bot} \newcommand{\isaAA}{\mathfrak{A}} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newenvironment{isamarkuplazy_text}{\par \isacommand{lazy{\isacharunderscore}text}\isamarkupfalse\isacartoucheopen\isastyletext\begin{isapar}}{\end{isapar}\isacartoucheclose} \renewcommand{\isasymguillemotleft}{\isatext{\textquotedblleft}} \renewcommand{\isasymguillemotright}{\isatext{\textquotedblright}} \begin{document} \renewcommand{\subsubsectionautorefname}{Section} \renewcommand{\subsectionautorefname}{Section} \renewcommand{\sectionautorefname}{Section} \renewcommand{\chapterautorefname}{Chapter} \newcommand{\subtableautorefname}{\tableautorefname} \newcommand{\subfigureautorefname}{\figureautorefname} \isatagannexa \renewcommand\thepart{\Alph{part}} \renewcommand\partname{Annex} \endisatagannexa \newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]} % from 'iman.sty' \newcommand{\indexdef}[3]% {\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}} % from 'isar.sty' \isatagafp \title{Featherweight OCL} \subtitle{A Proposal for a Machine-Checked Formal Semantics for OCL 2.5 %\\ %\includegraphics[scale=.5]{figures/logo_focl} } \endisatagafp \isatagannexa \title{A Formal Machine-Checked Semantics for OCL 2.5} \subtitle{A Proposal for the "Annex A" of the OCL Standard} \endisatagannexa \author{% \href{http://www.brucker.ch/}{Achim D. 
Brucker}\footnotemark[1] \and \href{https://www.lri.fr/~tuong/}{Fr\'ed\'eric Tuong}\footnotemark[2]~\footnotemark[3] \and \href{https://www.lri.fr/~wolff/}{Burkhart Wolff}\footnotemark[2]~\footnotemark[3]} \publishers{% \footnotemark[1]~SAP SE\\ Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany \texorpdfstring{\\}{} \href{mailto:"Achim D. Brucker" }{achim.brucker@sap.com}\\[2em] % \footnotemark[2]~LRI, Univ. Paris-Sud, CNRS, CentraleSup\'elec, Universit\'e Paris-Saclay \\ b\^at. 650 Ada Lovelace, 91405 Orsay, France \texorpdfstring{\\}{} \href{mailto:"Frederic Tuong" }{frederic.tuong@lri.fr} \hspace{4.5em} \href{mailto:"Burkhart Wolff" }{burkhart.wolff@lri.fr} \\[2em] % \footnotemark[3]~IRT SystemX\\ 8 av.~de la Vauve, 91120 Palaiseau, France \texorpdfstring{\\}{} \href{mailto:"Frederic Tuong" }{frederic.tuong@irt-systemx.fr} \quad \href{mailto:"Burkhart Wolff" }{burkhart.wolff@irt-systemx.fr} } \maketitle \isatagannexa \cleardoublepage \endisatagannexa \isatagafp \begin{abstract} The Unified Modeling Language (UML) is one of the few modeling languages that is widely used in industry. While UML is mostly known as diagrammatic modeling language (\eg, visualizing class models), it is complemented by a textual language, called Object Constraint Language (OCL). OCL is a textual annotation language, originally based on a three-valued logic, that turns UML into a formal language. Unfortunately the semantics of this specification language, captured in the ``Annex A'' of the OCL standard, leads to different interpretations of corner cases. Many of these corner cases had been subject to formal analysis since more than ten years. The situation complicated with the arrival of version 2.3 of the OCL standard. OCL was aligned with the latest version of UML: this led to the extension of the three-valued logic by a second exception element, called \inlineocl{null}. 
While the first exception element \inlineocl{invalid} has a strict semantics, \inlineocl{null} has a non strict interpretation. The combination of these semantic features lead to remarkable confusion for implementors of OCL compilers and interpreters. In this paper, we provide a formalization of the core of OCL in HOL\@. It provides denotational definitions, a logical calculus and operational rules that allow for the execution of OCL expressions by a mixture of term rewriting and code compilation. Moreover, we describe a coding-scheme for UML class models that were annotated by code-invariants and code contracts. An implementation of this coding-scheme has been undertaken: it consists of a kind of compiler that takes a UML class model and translates it into a family of definitions and derived theorems over them capturing the properties of constructors and selectors, tests and casts resulting from the class model. However, this compiler is \emph{not} included in this document. Our formalization reveals several inconsistencies and contradictions in the current version of the OCL standard. They reflect a challenge to define and implement OCL tools in a uniform manner. Overall, this document is intended to provide the basis for a machine-checked text ``Annex A'' of the OCL standard targeting at tool implementors. 
\end{abstract} \tableofcontents \endisatagafp \part{Formal Semantics of OCL} \input{introduction} %\clearpage \isatagafp \input{session} \endisatagafp \isatagannexa \input{UML_Types.tex} \input{UML_Logic.tex} \input{UML_PropertyProfiles.tex} \input{UML_Boolean.tex} \input{UML_Void.tex} \input{UML_Integer.tex} \input{UML_Real.tex} \input{UML_String.tex} \input{UML_Pair.tex} \input{UML_Bag.tex} \input{UML_Set.tex} \input{UML_Sequence.tex} \input{UML_Library.tex} \input{UML_State.tex} \input{UML_Contracts.tex} %\input{UML_Tools.tex} %\input{UML_Main.tex} % \input{Design_UML.tex} % \input{Design_OCL.tex} \input{Analysis_UML.tex} \input{Analysis_OCL.tex} \part{Bibliography} \endisatagannexa \isatagafp \input{conclusion} %no conclusion for standard document \endisatagafp \bibliographystyle{abbrvnat} \bibliography{root} \isatagafp \appendix \part{Appendix} \endisatagafp \input{FOCL_Syntax} \isatagannexa \part{Table of Contents} \clearpage {\small \tableofcontents } \endisatagannexa \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: % LocalWords: implementors denotational OCL UML diff --git a/thys/Fermat3_4/document/root.tex b/thys/Fermat3_4/document/root.tex --- a/thys/Fermat3_4/document/root.tex +++ b/thys/Fermat3_4/document/root.tex 
@@ -1,93 +1,93 @@ \documentclass[11pt,a4paper,twoside]{article} - +\usepackage[T1]{fontenc} \addtolength{\textwidth}{1cm} \addtolength{\textheight}{1cm} \addtolength{\hoffset}{-.5cm} \addtolength{\voffset}{-.5cm} \addtolength{\oddsidemargin}{24pt} \addtolength{\evensidemargin}{-24pt} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \usepackage{amssymb} \usepackage{fancyhdr} \pagestyle{fancyplain} \renewcommand{\headrulewidth}{1.6pt} \renewcommand{\sectionmark}[1]{\markboth{\thesection\ #1}{\thesection\ #1}} \renewcommand{\subsectionmark}[1]{\markright{\thesubsection\ #1}} \lhead[\thepage] {\fancyplain{}{\rightmark}} \chead{} \rhead[\fancyplain{}{\leftmark}] {\thepage} \cfoot{} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Exponents 3 and 4 of Fermat's Last Theorem \\ and the Parametrisation of Pythagorean Triples} \author{Roelof Oosterhuis\\University of Groningen} \maketitle \begin{abstract} This document gives a formal proof of the cases $n=3$ and $n=4$ (and all their multiples) of Fermat's Last Theorem: if $n>2$ then for all integers $x,y,z$: \[ x^n + y^n = z^n \Longrightarrow xyz=0.\] Both proofs only use facts about the integers and are developed along the lines of the standard proofs (see, for example, sections 1 and 2 of the book by Edwards~\cite{Edwards}). First, the framework of `infinite descent' is being formalised and in both proofs there is a central role for the lemma \[ coprime a b ~\land~ ab=c^n \Longrightarrow \exists ~k: |a| =k^n. \] Furthermore, the proof of the case $n=4$ uses a parametrisation of the Pythagorean triples. The proof of the case $n=3$ contains a study of the quadratic form $x^2 + 3y^2$. This study is completed with a result on which prime numbers can be written as $x^2+3y^2$. 
The case $n=4$ of FLT, in contrast to the case $n=3$, has already been formalised (in the proof assistant Coq) \cite{DelahayeM}. The parametrisation of the Pythagorean Triples can be found as number 23 on the list of `top 100 mathematical theorems' \cite{Wiedijk100}. This research is part of an M.Sc.~thesis under supervision of Jaap Top and Wim H.~Hesselink (RU Groningen). The author wants to thank Clemens Ballarin (TU M\"unchen) and Freek Wiedijk (RU Nijmegen) for their support. For more information see \cite{Oosterhuis-MSc}. \end{abstract} \thispagestyle{empty} \clearpage \markboth{Contents}{Contents} \tableofcontents \markboth{Contents}{Contents} %\vspace{1cm} %\begin{figure}[hb] %\centering %\includegraphics[scale=0.5]{FLT34.pdf} %\caption{The depence on existing files in the Isabelle library.} %\end{figure} \clearpage % generated text of all theories \input{session} % optional bibliography \bibliographystyle{alpha} \bibliography{root} \end{document} diff --git a/thys/FileRefinement/document/root.tex b/thys/FileRefinement/document/root.tex --- a/thys/FileRefinement/document/root.tex +++ b/thys/FileRefinement/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Data refinement of representation of a file} \author{Karen Zee and Viktor Kuncak} \maketitle \begin{abstract} This document illustrates the verification of basic file operations (file creation, file read and file write) in Isabelle theorem prover \cite{LNCS2283}. We describe a file at two levels of abstraction: an abstract file represented as a resizable array, and a concrete file represented using data blocks. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{introduction} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/FinFun/document/root.tex b/thys/FinFun/document/root.tex --- a/thys/FinFun/document/root.tex +++ b/thys/FinFun/document/root.tex @@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\isaheader}[1]{\section{#1}} \begin{document} \title{Finfuns} \author{Andreas Lochbihler} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Finger-Trees/document/root.tex b/thys/Finger-Trees/document/root.tex --- a/thys/Finger-Trees/document/root.tex +++ b/thys/Finger-Trees/document/root.tex 
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{FingerTrees} \author{Benedikt Nordhoff \and Stefan K\"orner \and Peter Lammich} %\institute{ % Institut f\"ur Informatik, % Westf\"alische Wilhelms-Universit\"at M\"unster, Germany \\ % \email{\{b\_nord01,s\_koer03,peter.lammich\}@uni-muenster.de} %} \maketitle \begin{abstract} We implement and prove correct 2-3 finger trees. Finger trees are a general purpose data structure, that can be used to efficiently implement other data structures, such as priority queues. Intuitively, a finger tree is an annotated sequence, where the annotations are elements of a monoid. Apart from operations to access the ends of the sequence, the main operation is to split the sequence at the point where a {\em monotone predicate} over the sum of the left part of the sequence becomes true for the first time. The implementation follows the paper of Hinze and Paterson\cite{HiPa06}. The code generator can be used to get efficient, verified code. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section{Related work} Finger trees were originally introduced by Hinze and Paterson\cite{HiPa06}, who give an implementation in Haskell. Our implementation closely follows this original implementation. There is also a machine-checked formalization of 2-3 finger trees in Coq \cite{So07}. Like ours, it closely follows the original paper of Hinze and Paterson. 
The main difference is that the Coq-formalization encodes the invariants directly into the datatype for finger trees, while we first define the bigger algebraic datatype {\em FingerTreeStruc} along with the predicate {\em ft-invar} that checks the invariant. This bigger type and the {\em ft-invar}-predicate is then wrapped into the datatype {\em FingerTree}, that, however, exposes no algebraic structure any more. Our approach greatly simplifies matters in the context of Isabelle/HOL, as it can be realized with Isabelle's datatype-package. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Finite-Map-Extras/document/root.tex b/thys/Finite-Map-Extras/document/root.tex --- a/thys/Finite-Map-Extras/document/root.tex +++ b/thys/Finite-Map-Extras/document/root.tex @@ -1,32 +1,31 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{latexsym} \usepackage{amssymb} \usepackage{pdfsetup} \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} %\urlstyle{rm} \isabellestyle{it} \begin{document} \title{Finite Map Extras} \author{Javier D\'iaz\\\url{}} \maketitle \begin{abstract} This includes useful syntactic sugar, new operators and functions and their associated lemmas for finite maps which currently are not present in the standard \texttt{Finite\_Map} theory. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/Finite_Automata_HF/document/root.tex b/thys/Finite_Automata_HF/document/root.tex --- a/thys/Finite_Automata_HF/document/root.tex +++ b/thys/Finite_Automata_HF/document/root.tex 
@@ -1,41 +1,42 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage[only,bigsqcap]{stmaryrd} % for \ \usepackage{isabelle,isabellesym,amsfonts,amsmath,graphicx} \date{} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{tt} \begin{document} \title{Finite Automata using the Hereditarily Finite Sets} \author{Prof.\ Lawrence C Paulson\\ Computer Laboratory, University of Cambridge} \maketitle % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{abstract} Finite Automata, both deterministic and non-deterministic, for regular languages. The Myhill-Nerode Theorem. Closure under intersection, concatenation, etc. Regular expressions define regular languages. Closure under reversal; the powerset construction mapping NFAs to DFAs. Left and right languages; minimal DFAs. Brzozowski's minimization algorithm. Uniqueness up to isomorphism of minimal DFAs. \end{abstract} % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/First_Order_Terms/document/root.tex b/thys/First_Order_Terms/document/root.tex --- a/thys/First_Order_Terms/document/root.tex +++ b/thys/First_Order_Terms/document/root.tex 
@@ -1,67 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{First-Order Terms\footnote{Supported by FWF (Austrian Science Fund) projects Y757 and P27502}} \author{Christian Sternagel \and Ren\'e Thiemann} \maketitle \begin{abstract} We formalize basic results on first-order terms, including a first-order unification algorithm, as well as well-foundedness of the subsumption order. This entry is part of the \emph{Isabelle Formalization of Rewriting} \isafor~\cite{isafor}, where first-order terms are omni-present: the unification algorithm is used to certify several confluence and termination techniques, like critical-pair computation and dependency graph approximations; and the subsumption order is a crucial ingredient for completion. \end{abstract} \tableofcontents \section{Introduction} We define first-order terms, substitutions, the subsumption order, and a unification algorithm. In all these definitions type-parameters are used to specify variables and function symbols, but there is no explicit signature. The unification algorithm has been formalized following a textbook on term rewriting~\cite{AllThat}. The complete \isafor\ library is available at: \begin{quote} \url{http://cl-informatik.uibk.ac.at/isafor/} \end{quote} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/First_Welfare_Theorem/document/root.tex b/thys/First_Welfare_Theorem/document/root.tex --- a/thys/First_Welfare_Theorem/document/root.tex +++ b/thys/First_Welfare_Theorem/document/root.tex @@ -1,33 +1,34 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{First Welfare Theorem \thanks{% This work is supported by the Austrian Science Fund (FWF) project P26201 and the European Research Council (ERC) grant no 714034 \emph{SMART}.}} \author{Julian Parsert \and Cezary Kaliszyk} \maketitle \begin{abstract} \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \section{Related work} \cite{tadelis2013game} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Fishburn_Impossibility/document/root.tex b/thys/Fishburn_Impossibility/document/root.tex --- a/thys/Fishburn_Impossibility/document/root.tex +++ b/thys/Fishburn_Impossibility/document/root.tex 
@@ -1,61 +1,62 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Incompatibility of Fishburn-Strategyproofness and Pareto-Efficiency} \author{Felix Brandt, Manuel Eberl, Christian Saile, Christian Stricker} \maketitle \begin{abstract} This formalisation contains the proof that there is no anonymous Social Choice Function for at least three agents and alternatives that satisfies both Pareto-Efficiency and Fishburn-Strategyproofness. It was derived from a proof of Brandt\ \textit{et~al.}~\cite{BSS17a}, which relies on an unverified translation of a fixed finite instance of the original problem to SAT. This Isabelle proof contains a machine-checked version of both the statement for exactly three agents and alternatives and the lifting to the general case. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \newpage \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Fisher_Yates/document/root.tex b/thys/Fisher_Yates/document/root.tex --- a/thys/Fisher_Yates/document/root.tex +++ b/thys/Fisher_Yates/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Fisher--Yates shuffle} \author{Manuel Eberl} \maketitle \begin{abstract} This work defines and proves the correctness of the Fisher--Yates shuffle~\cite{fisheryates,taocp,wikipedia} for shuffling -- i.\,e.\ producing a random permutation -- of a list. The algorithm proceeds by traversing the list and in each step swapping the current element with a random element from the remaining list. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \newpage \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Flow_Networks/document/root.tex b/thys/Flow_Networks/document/root.tex --- a/thys/Flow_Networks/document/root.tex +++ b/thys/Flow_Networks/document/root.tex 
@@ -1,82 +1,83 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} %\newcommand{\isaheader}[1]{\section{#1}} \newcommand{\DefineSnippet}[2]{#2} \begin{document} \title{Flow Networks and the Min-Cut-Max-Flow Theorem} \author{Peter Lammich and S.~Reza Sefidgar} \maketitle \begin{abstract} We present a formalization of flow networks and the Min-Cut-Max-Flow theorem. Our formal proof closely follows a standard textbook proof, and is accessible even without being an expert in Isabelle/HOL--- the interactive theorem prover used for the formalization. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} Computing the maximum flow of a network is an important problem in graph theory. Many other problems, like maximum-bipartite-matching, edge-disjoint-paths, circulation-demand, as well as various scheduling and resource allocating problems can be reduced to it. The Ford-Fulkerson method~\cite{FF56} describes a class of algorithms to solve the maximum flow problem. 
It is based on a corollary of the Min-Cut-Max-Flow theorem~\cite{FF56,EFS56}, which states that a flow is maximal iff there exists no augmenting path. In this chapter, we present a formalization of flow networks and prove the Min-Cut-Max-Flow theorem, closely following the textbook presentation of Cormen et al.~\cite{CLRS09}. We have used the Isar~\cite{Wenzel99} proof language to develop human-readable proofs that are accessible even to non-Isabelle experts. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Floyd_Warshall/document/root.tex b/thys/Floyd_Warshall/document/root.tex --- a/thys/Floyd_Warshall/document/root.tex +++ b/thys/Floyd_Warshall/document/root.tex 
@@ -1,69 +1,69 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{xspace} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isamarkupchapter}[1]{\section{#1}} \renewcommand{\isamarkupsection}[1]{\subsection{#1}} \renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\paragraph{#1}} \newcommand{\fw}{Floyd-Warshall algorithm\xspace} \begin{document} \title{The Floyd-Warshall Algorithm for Shortest Paths} \author{Simon Wimmer and Peter Lammich} \maketitle \begin{abstract} The \fw \cite{floyd, roy, warshall} is a classic dynamic programming algorithm to compute the length of all shortest paths between any two vertices in a graph (i.e. to solve the all-pairs shortest path problem, or \textit{APSP} for short). Given a representation of the graph as a matrix of weights $M$, it computes another matrix $M'$ which represents a graph with the same path lengths and contains the length of the shortest path between any two vertices $i$ and $j$. This is only possible if the graph does not contain any negative cycles. However, in this case the \fw will detect the situation by calculating a negative diagonal entry. This entry includes a formalization of the algorithm and of these key properties. The algorithm is refined to an efficient imperative version using the Imperative Refinement Framework. 
\end{abstract} \setcounter{tocdepth}{2} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Flyspeck-Tame/document/root.tex b/thys/Flyspeck-Tame/document/root.tex --- a/thys/Flyspeck-Tame/document/root.tex +++ b/thys/Flyspeck-Tame/document/root.tex @@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Tame Plane Graphs} \author{Gertrud Bauer and Tobias Nipkow} \date{\today} \maketitle \begin{abstract} These theories present the verified enumeration of \emph{tame} plane graphs as defined by Thomas C. Hales in his revised proof of the Kepler Conjecture. Compared with his original proof, the notion of tameness has become simpler, there are many more tame graphs, but much of the earlier verification \cite{NipkowBS-IJCAR06} carries over. For more details see \url{http://code.google.com/p/flyspeck/} and the forthcoming book ``Dense Sphere Packings: A Blueprint for Formal Proofs'' by Hales. \end{abstract} \setcounter{tocdepth}{2} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \clearpage \phantomsection \addcontentsline{toc}{section}{Bibliography} \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/FocusStreamsCaseStudies/document/root.tex b/thys/FocusStreamsCaseStudies/document/root.tex --- a/thys/FocusStreamsCaseStudies/document/root.tex +++ b/thys/FocusStreamsCaseStudies/document/root.tex 
@@ -1,55 +1,56 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mdwlist} \usepackage{focus} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \input{macros} \title{Stream processing components:\\ Isabelle/HOL formalisation and case studies} \author{Maria Spichkova} \maketitle \begin{abstract} This set of theories presents an Isabelle/HOL formalisation of stream processing components introduced in \Focus, a framework for formal specification and development of interactive systems. This is an extended and updated version of the formalisation, which was elaborated within the methodology ``\Focus on Isabelle'' \cite{spichkova}. In addition, we also applied the formalisation on three case studies that cover different application areas: process control (Steam Boiler System), data transmission (FlexRay communication protocol), memory and processing components (Automotive-Gateway System). \end{abstract} \tableofcontents \newpage \input{intro} \parindent 0pt\parskip 0.5ex % generated text of all theories \newpage \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{biblio2} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Forcing/document/root.tex b/thys/Forcing/document/root.tex --- a/thys/Forcing/document/root.tex +++ b/thys/Forcing/document/root.tex 
@@ -1,110 +1,111 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[numbers]{natbib} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isacharunderscorekeyword}{\mbox{\_}} \renewcommand{\isacharunderscore}{\mbox{\_}} \renewcommand{\isasymtturnstile}{\isamath{\Vdash}} \renewcommand{\isacharminus}{-} \newcommand{\axiomas}[1]{\mathit{#1}} \newcommand{\ZFC}{\axiomas{ZFC}} \begin{document} \title{Formalization of Forcing in Isabelle/ZF} \author{Emmanuel Gunther\thanks{Universidad Nacional de C\'ordoba. Facultad de Matem\'atica, Astronom\'{\i}a, F\'{\i}sica y Computaci\'on.} \and Miguel Pagano\footnotemark[1] \and Pedro S\'anchez Terraf\footnotemark[1] \thanks{Centro de Investigaci\'on y Estudios de Matem\'atica (CIEM-FaMAF), Conicet. C\'ordoba. Argentina. Supported by Secyt-UNC project 33620180100465CB.} } \maketitle \begin{abstract} We formalize the theory of forcing in the set theory framework of Isabelle/ZF. Under the assumption of the existence of a countable transitive model of $\ZFC$, we construct a proper generic extension and show that the latter also satisfies $\ZFC$. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} We formalize the theory of forcing. We work on top of the Isabelle/ZF framework developed by \citet{DBLP:journals/jar/PaulsonG96}. 
Our mechanization is described in more detail in our papers \cite{2018arXiv180705174G} (LSFA 2018), \cite{2019arXiv190103313G}, and \cite{2020arXiv200109715G} (IJCAR 2020). \subsection*{Release notes} \label{sec:release-notes} We have improved several aspects of our development before submitting it to the AFP: \begin{enumerate} \item Our session \isatt{Forcing} depends on the new release of \isatt{ZF-Constructible}. \item We streamlined the commands for synthesizing renames and formulas. \item The command that synthesizes formulas produces the lemmas for them (the synthesized term is a formula and the equivalence between the satisfaction of the synthesized term and the relativized term). \item Consistently use of structured proofs using Isar (except for one coming from a schematic goal command). \end{enumerate} A cross-linked HTML version of the development can be found at \url{https://cs.famaf.unc.edu.ar/~pedro/forcing/}. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{root} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Formal_Puiseux_Series/document/root.tex b/thys/Formal_Puiseux_Series/document/root.tex --- a/thys/Formal_Puiseux_Series/document/root.tex +++ b/thys/Formal_Puiseux_Series/document/root.tex 
@@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} \usepackage{pgfplots} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Formal Puiseux Series} \author{Manuel Eberl} \maketitle \begin{abstract} Formal Puiseux series are generalisations of formal power series and formal Laurent series that also allow for fractional exponents. They have the following general form: \[\sum_{i=N}^\infty a_{i/d} X^{i/d}\] where $N$ is an integer and $d$ is a positive integer. This entry defines these series including their basic algebraic properties. Furthermore, it proves the Newton--Puiseux Theorem, namely that the Puiseux series over an algebraically closed field of characteristic 0 are also algebraically closed. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \nocite{corless96} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Formal_SSA/document/root.tex b/thys/Formal_SSA/document/root.tex --- a/thys/Formal_SSA/document/root.tex +++ b/thys/Formal_SSA/document/root.tex 
@@ -1,64 +1,63 @@ \documentclass[11pt,a4paper]{article} - \usepackage[T1]{fontenc} \usepackage{quotmark} \usepackage{amsmath} \usepackage{tikz} \usetikzlibrary{positioning,calc,arrows} \usepackage{isabelle,isabellesym} \usepackage{amssymb} %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Verified Construction of Static Single Assignment Form} \author{Sebastian Ullrich\and Denis Lohner} \maketitle \newcommand\pf{$\phi$~function} \begin{abstract} We define a functional variant of the static single assignment (SSA) form construction algorithm described by Braun et~al. \cite{braun13cc}, which combines simplicity and efficiency. The definition is based on a general, abstract control flow graph representation using Isabelle locales. We prove that the algorithm's output is semantically equivalent to the input according to a small-step semantics, and that it is in minimal SSA form for the common special case of reducible inputs. We then show the satisfiability of the locale assumptions by giving instantiations for a simple While language. Furthermore, we use a generic instantiation based on typedefs in order to extract ML code and replace the unverified SSA construction algorithm of the CompCertSSA project~\cite{barthe14} with it. \end{abstract} \tableofcontents % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Formula_Derivatives/document/root.tex b/thys/Formula_Derivatives/document/root.tex --- a/thys/Formula_Derivatives/document/root.tex 
+++ b/thys/Formula_Derivatives/document/root.tex @@ -1,55 +1,55 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Derivatives of Logical Formulas} \author{Dmitriy Traytel} \maketitle \begin{abstract} We formalize new decision procedures for WS1S, M2L(Str), and Presburger Arithmetics. Formulas of these logics denote regular languages. Unlike traditional decision procedures, we do \emph{not} translate formulas into automata (nor into regular expressions), at least not explicitly. Instead we devise notions of derivatives (inspired by Brzozowski derivatives for regular expressions) that operate on formulas directly and compute a syntactic bisimulation using these derivatives. The treatment of Boolean connectives and quantifiers is uniform for all mentioned logics and is abstracted into a locale. This locale is then instantiated by different atomic formulas and their derivatives (which may differ even for the same logic under different encodings of interpretations as formal words). The WS1S instance is described in the draft paper \emph{A Coalgebraic Decision Procedure for WS1S} \footnote{\url{http://www21.in.tum.de/~traytel/papers/ws1s_derivatives/index.html}} by the author. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Fourier/document/root.tex b/thys/Fourier/document/root.tex --- a/thys/Fourier/document/root.tex +++ b/thys/Fourier/document/root.tex 
@@ -1,47 +1,48 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathtools,url} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \bibliographystyle{plain} \begin{document} \title{Fourier Series} \author{Lawrence C Paulson} \date{} \maketitle \begin{abstract} This development formalises the square integrable functions over the reals and the basics of Fourier series. It culminates with a proof that every well-behaved periodic function can be approximated by a Fourier series. The material is ported from HOL Light.\footnote{\url{https://github.com/jrh13/hol-light/blob/master/100/fourier.ml}} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section{Acknowledgements} The author was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council. % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Free-Boolean-Algebra/document/root.tex b/thys/Free-Boolean-Algebra/document/root.tex --- a/thys/Free-Boolean-Algebra/document/root.tex +++ b/thys/Free-Boolean-Algebra/document/root.tex 
@@ -1,31 +1,32 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Free Boolean Algebra} \author{Brian Huffman} \maketitle \begin{abstract} This theory defines a type constructor representing the free Boolean algebra over a set of generators. Values of type $(\alpha)\mathit{formula}$ represent propositional formulas with uninterpreted variables from type $\alpha$, ordered by implication. In addition to all the standard Boolean algebra operations, the library also provides a function for building homomorphisms to any other Boolean algebra type. \end{abstract} % include generated text of all theories \input{session} \end{document} diff --git a/thys/Free-Groups/document/root.tex b/thys/Free-Groups/document/root.tex --- a/thys/Free-Groups/document/root.tex +++ b/thys/Free-Groups/document/root.tex 
@@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Free Groups} \author{Joachim Breitner} \maketitle \begin{abstract} Free Groups are, in a sense, the most generic kind of group. They are defined over a set of generators with no additional relations in between them. They play an important role in the definition of group presentations and in other fields. This theory provides the definition of Free Group as the set of fully canceled words in the generators. The universal property is proven, as well as some isomorphisms results about Free Groups. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \end{document} diff --git a/thys/FunWithFunctions/document/root.tex b/thys/FunWithFunctions/document/root.tex --- a/thys/FunWithFunctions/document/root.tex +++ b/thys/FunWithFunctions/document/root.tex 
@@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Fun With Functions} \author{Tobias Nipkow} \maketitle \begin{abstract} This is a collection of cute puzzles of the form ``Show that if a function satisfies the following constraints, it must be \dots'' Please add further examples to this collection! \end{abstract} Apart from the one about factorial, they all come from the delightful booklet by Terence Tao~\cite{Tao2006} but go back to Math Olympiads and similar events. Please add further examples of this kind, either directly or by sending them to me. Let us make this a growing body of \emph{fun}! \input{session} \bibliographystyle{plain} \bibliography{root} \end{document} diff --git a/thys/FunWithTilings/document/root.tex b/thys/FunWithTilings/document/root.tex --- a/thys/FunWithTilings/document/root.tex +++ b/thys/FunWithTilings/document/root.tex @@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Fun With Tilings} \author{Tobias Nipkow and Lawrence Paulson} \maketitle \begin{abstract} Tilings are defined inductively. It is shown that one form of mutilated chess board cannot be tiled with dominoes, while another one can be tiled with L-shaped tiles. \end{abstract} Sections 1 and 2 are by Paulson and described elsewhere~\cite{Paulson}. Section~3 is by Nipkow and formalizes a well-known argument from the literature~\cite{Velleman}. Please add further fun examples of this kind! \input{session} \bibliographystyle{plain} \bibliography{root} \end{document} 
diff --git a/thys/Functional-Automata/document/root.tex b/thys/Functional-Automata/document/root.tex --- a/thys/Functional-Automata/document/root.tex +++ b/thys/Functional-Automata/document/root.tex 
@@ -1,54 +1,53 @@ - - \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \begin{document} \title{Functional Automata} \author{Tobias Nipkow} \maketitle \begin{abstract} This theory defines deterministic and nondeterministic automata in a functional representation: the transition function/relation and the finality predicate are just functions. Hence the state space may be infinite. It is shown how to convert regular expressions into such automata. A scanner (generator) is implemented with the help of functional automata: the scanner chops the input up into longest recognized substrings. Finally we also show how to convert a certain subclass of functional automata (essentially the finite deterministic ones) into regular sets. \end{abstract} \section{Overview} The theories are structured as follows: \begin{itemize} \item Automata: \texttt{AutoProj}, \texttt{NA}, \texttt{NAe}, \texttt{DA}, \texttt{Automata} \item Conversion of regular expressions into automata:\\ \texttt{RegExp2NA}, \texttt{RegExp2NAe}, \texttt{AutoRegExp}. \item Scanning: \texttt{MaxPrefix}, \texttt{MaxChop}, \texttt{AutoMaxChop}. \end{itemize} For a full description see \cite{Nipkow-TPHOLs98}. In contrast to that paper, the latest version of the theories provides a fully executable scanner generator. The non-executable bits (transitive closure) have been eliminated by going from regular expressions directly to nondeterministic automata, thus bypassing epsilon-moves. Not described in the paper is the conversion of certain functional automata (essentially the finite deterministic ones) into regular sets contained in \texttt{RegSet\_of\_nat\_DA}. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Functional_Ordered_Resolution_Prover/document/root.tex b/thys/Functional_Ordered_Resolution_Prover/document/root.tex 
--- a/thys/Functional_Ordered_Resolution_Prover/document/root.tex +++ b/thys/Functional_Ordered_Resolution_Prover/document/root.tex 
@@ -1,83 +1,84 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{amssymb} \usepackage[left=2.25cm,right=2.25cm,top=2.25cm,bottom=2.75cm]{geometry} \usepackage{graphicx} \usepackage{isabelle} \usepackage{isabellesym} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{pdfsetup} \urlstyle{tt} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isacharunderscore}{\_} \begin{document} \title{A Verified Functional Implementation of \\ Bachmair and Ganzinger's Ordered Resolution Prover} \author{Anders Schlichtkrull, Jasmin Christian Blanchette, and Dmitriy Traytel} \maketitle \begin{abstract} \noindent This Isabelle/HOL formalization refines the abstract ordered resolution prover presented in Section~4.3 of Bachmair and Ganzinger's ``Resolution Theorem Proving'' chapter in the \emph{Handbook of Automated Reasoning}. The result is a functional implementation of a first-order prover. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt \parskip 0.5ex \section{Introduction} Bachmair and Ganzinger's ``Resolution Theorem Proving'' chapter %\cite{bachmair-ganzinger-2001} in the \emph{Handbook of Automated Reasoning} is the standard reference on the topic. It defines a general framework for propositional and first-order resolution-based theorem proving. Resolution forms the basis for superposition, the calculus implemented in many popular automatic theorem provers. \medskip This Isabelle/HOL formalization starts from an existing formalization of Bachmair and Ganzinger's chapter, up to and including Section 4.3. It refines the abstract ordered resolution prover presented in Section~4.3 to obtain an executable, functional implementation of a first-order prover. Figure~\ref{fig:thys} shows the corresponding Isabelle theory structure. 
\medskip We refer to the following conference paper for details: \begin{quote} Anders Schlichtkrull, Jasmin Christian Blanchette, Dmitriy Traytel: \\ A verified prover based on ordered resolution. \\ CPP 2019: 152-165 \\ \url{http://matryoshka.gforge.inria.fr/pubs/fun_rp_paper.pdf} \end{quote} \begin{figure} \begin{center} \includegraphics[width=0.75\textwidth,keepaspectratio]{session_graph} \end{center} \caption{Theory dependency graph} \label{fig:thys} \end{figure} % generated text of all theories \input{session} % optional bibliography % \bibliographystyle{abbrv} % \bibliography{bib} \end{document} diff --git a/thys/Furstenberg_Topology/document/root.tex b/thys/Furstenberg_Topology/document/root.tex --- a/thys/Furstenberg_Topology/document/root.tex +++ b/thys/Furstenberg_Topology/document/root.tex 
@@ -1,41 +1,42 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts, amsmath, amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Furstenberg's Topology And\\ His Proof of the Infinitude of Primes} \author{Manuel Eberl} \maketitle \begin{abstract} This article gives a formal version of Furstenberg's topological proof of the infinitude of primes. He defines a topology on the integers based on arithmetic progressions (or, equivalently, residue classes). Using some fairly obvious properties of this topology, the infinitude of primes is then easily obtained. Apart from this, this topology is also fairly `nice' in general: it is second countable, metrizable, and perfect. All of these (well-known) facts are formally proven, including an explicit metric for the topology given by Zulfeqarr. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/GPU_Kernel_PL/document/root.tex b/thys/GPU_Kernel_PL/document/root.tex --- a/thys/GPU_Kernel_PL/document/root.tex +++ b/thys/GPU_Kernel_PL/document/root.tex 
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Syntax and semantics of a \\ GPU kernel programming language} \author{John Wickerson} \maketitle \begin{abstract} This document accompanies the article \emph{The Design and Implementation of a Verification Technique for GPU Kernels} by Adam Betts, Nathan Chong, Alastair F. Donaldson, Jeroen Ketema, Shaz Qadeer, Paul Thomson and John Wickerson~\cite{gpuverify}. It formalises all of the definitions provided in Sections~3 and~4 of the article. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Gabow_SCC/document/root.tex b/thys/Gabow_SCC/document/root.tex --- a/thys/Gabow_SCC/document/root.tex +++ b/thys/Gabow_SCC/document/root.tex 
@@ -1,76 +1,76 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \renewcommand{\isamarkupchapter}[1]{\chapter{#1}} \renewcommand{\isamarkupsection}[1]{\subsection{#1}} \renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\paragraph{#1}} \begin{document} \title{Verified Efficient Implementation of Gabow's Strongly Connected Components Algorithm} \author{Peter Lammich} \maketitle \begin{abstract} We present an Isabelle/HOL formalization of Gabow's algorithm for finding the strongly connected components of a directed graph. Using data refinement techniques, we extract efficient code that performs comparable to a reference implementation in Java. Our style of formalization allows for re-using large parts of the proofs when defining variants of the algorithm. We demonstrate this by verifying an algorithm for the emptiness check of generalized B\"uchi automata, re-using most of the existing proofs. 
\end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{intro} % generated text of all theories \input{session} \input{conclusion} \clearpage % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Game_Based_Crypto/document/root.tex b/thys/Game_Based_Crypto/document/root.tex --- a/thys/Game_Based_Crypto/document/root.tex +++ b/thys/Game_Based_Crypto/document/root.tex 
@@ -1,83 +1,84 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} \usepackage{booktabs} \usepackage{authblk} \usepackage[inline]{enumitem} \usepackage{amsthm} \usepackage{mathptmx} \usepackage{tikz} \usetikzlibrary{% arrows,% arrows.meta,% calc,% chains,% patterns,% decorations.pathreplacing,% fit,% intersections,% positioning,% shapes.multipart,% svg.path,% } % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\CryptHOL}{CryptHOL} % \theoremstyle{definition} \newtheorem*{definition}{Definition} \begin{document} \title{Game-based cryptography in HOL} \author{Andreas Lochbihler and S. Reza Sefidgar and Bhargav Bhatt} \maketitle \begin{abstract} In this AFP entry, we show how to specify game-based cryptograph\-ic security notions and formally prove secure several cryptographic constructions from the literature using the CryptHOL framework. Among others, we formalise the notions of a random oracle, a pseudo-random function, an unpredictable function, and of encryption schemes that are indistinguishable under chosen plaintext and/or ciphertext attacks. We prove the random-permutation/random-function switching lemma, security of the Elgamal and hashed Elgamal public-key encryption scheme and correctness and security of several constructions with pseu\-do-random functions. Our proofs follow the game-hopping style advocated by Shoup \cite{Shoup2004IACR} and Bellare and Rogaway \cite{BellareRogaway2006EUROCRYPT}, from which most of the examples have been taken. We generalise some of their results such that they can be reused in other proofs. 
Thanks to CryptHOL's integration with Isabelle's parametricity infrastructure, many simple hops are easily justified using the theory of representation independence. \end{abstract} \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Gauss-Jordan-Elim-Fun/document/root.tex b/thys/Gauss-Jordan-Elim-Fun/document/root.tex --- a/thys/Gauss-Jordan-Elim-Fun/document/root.tex +++ b/thys/Gauss-Jordan-Elim-Fun/document/root.tex @@ -1,26 +1,27 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Gauss-Jordan Elimination\\ for Matrices Represented as Functions} \author{Tobias Nipkow} \maketitle \begin{abstract} This theory provides a compact formulation of Gauss-Jordan elimination for matrices represented as functions. Its distinctive feature is succinctness. It is not meant for large computations. \end{abstract} \input{session} \end{document} diff --git a/thys/Gauss_Jordan/document/root.tex b/thys/Gauss_Jordan/document/root.tex --- a/thys/Gauss_Jordan/document/root.tex +++ b/thys/Gauss_Jordan/document/root.tex 
@@ -1,63 +1,64 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Gauss-Jordan algorithm and its applications} \author{By Jose Divas\'on and Jes\'us Aransay\thanks{This research has been funded by the research grant FPIUR12 of the Universidad de La Rioja.}} \maketitle \begin{abstract} In this contribution, we present a formalization of the well-known Gauss-Jordan algorithm. It states that any matrix over a field can be transformed by means of elementary row operations to a matrix in reduced row echelon form. The formalization is based on the Rank Nullity Theorem entry of the AFP and on the HOL-Multivariate-Analysis session of Isabelle, where matrices are represented as functions over finite types. We have set up properly the code generator to make this representation executable. In order to improve the performance, a refinement to immutable arrays has been carried out. We have formalized some of the applications of the Gauss-Jordan algorithm. Thanks to this development, the following facts can be computed over matrices whose elements belong to a field: \begin{itemize} \item Ranks \item Determinants \item Inverses \item Bases and dimensions of the null space, left null space, column space and row space of a matrix \item Solutions of systems of linear equations (considering any case, including systems with one solution, multiple solutions and with no solution) \end{itemize} Code can be exported to both SML and Haskell. In addition, we have introduced some serializations (for instance, from \emph{bit} in Isabelle to booleans in SML and Haskell, and from \emph{rat} in Isabelle to the corresponding one in Haskell), that speed up the performance. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Gauss_Sums/document/root.tex b/thys/Gauss_Sums/document/root.tex --- a/thys/Gauss_Sums/document/root.tex +++ b/thys/Gauss_Sums/document/root.tex @@ -1,45 +1,46 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Gauss Sums and the P\'olya--Vinogradov Inequality} \author{Rodrigo Raya and Manuel Eberl} \maketitle \begin{abstract} This article provides a full formalisation of Chapter 8 of Apostol's \emph{Introduction to Analytic Number Theory}~\cite{apostol1976analytic}. Subjects that are covered are: \begin{itemize} \item periodic arithmetic functions and their finite Fourier series \item (generalised) Ramanujan sums \item Gauss sums and separable characters \item induced moduli and primitive characters \item the P\'olya--Vinogradov inequality \end{itemize} \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Gaussian_Integers/document/root.tex b/thys/Gaussian_Integers/document/root.tex --- a/thys/Gaussian_Integers/document/root.tex +++ b/thys/Gaussian_Integers/document/root.tex 
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Gaussian Integers} \author{Manuel Eberl} \maketitle \begin{abstract} The Gaussian integers are the subring $\mathbb{Z}[i]$ of the complex numbers, i.\,e.\ the ring of all complex numbers with integral real and imaginary part. This article provides a definition of this ring as well as proofs of various basic properties, such as that they form a Euclidean ring and a full classification of their primes. An executable (albeit not very efficient) factorisation algorithm is also provided. Lastly, this Gaussian integer formalisation is used in two short applications: \begin{enumerate} \item The characterisation of all positive integers that can be written as sums of two squares \item Euclid's formula for primitive Pythagorean triples \end{enumerate} While elementary proofs for both of these are already available in the AFP, the theory of Gaussian integers provides more concise proofs and a more high-level view. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/GenClock/document/root.tex b/thys/GenClock/document/root.tex --- a/thys/GenClock/document/root.tex +++ b/thys/GenClock/document/root.tex 
@@ -1,95 +1,96 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{fullpage} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Formalization of a Generalized Protocol for Clock Synchronization in Isabelle/HOL} \author{Alwen Tiu \\ LORIA - \url{http://qsl.loria.fr}} \maketitle \begin{abstract} We formalize the generalized Byzantine fault-tolerant clock synchronization protocol of Schneider. This protocol abstracts from particular algorithms or implementations for clock synchronization. This abstraction includes several assumptions on the behaviors of physical clocks and on general properties of concrete algorithms/implementations. Based on these assumptions the correctness of the protocol is proved by Schneider. His proof was later verified by Shankar using the theorem prover EHDM (precursor to PVS). Our formalization in Isabelle/HOL is based on Shankar's formalization. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \section{Introduction} In certain distributed systems, e.g., real-time process-control systems, the existence of a reliable global time source is critical in ensuring the correct functioning of the systems. This reliable global time source can be implemented using several physical clocks distributed on different nodes in the distributed system. Since physical clocks are by nature constantly drifting away from the ``real time'' and different clocks can have different drift rates, in such a scheme, it is important that these clocks are regularly adjusted so that they are closely synchronized within a certain application-specific safe bound. 
The design and verification of clock synchronization protocols are often complicated by the additional requirement that the protocols should work correctly under certain types of errors, e.g., failure of some clocks, error in communication network or corrupted messages, etc. There has been a number of fault-tolerant clock synchronization algorithms studied in the literature, e.g., the {\em Interactive Convergence Algorithm} ({ICA}) by Lamport and Melliar-Smith~\cite{Lamport}, the Lundelius-Lynch algorithm \cite{Lundelius}, etc., each with its own degree of fault tolerance. One important property that must be satisfied by a clock synchronization algorithm is the agreement property, i.e., at any time $t$, the difference of the clock readings of any two non-faulty processes must be bounded by a constant (which is fixed according to the domain of applications). At the core of these algorithms is the convergence function that calculates the adjustment to a clock of a process, based on the clock readings of all other processes. Schneider~\cite{Schneider87} gives an abstract characterization of a wide range of clock synchronization algorithms (based on the convergence functions used) and proves the agreement property in this abstract framework. Schneider's proof was later verified by Shankar \cite{Shankar92} in the theorem prover EHDM (precursor to PVS), where eleven axioms about clocks are explicitly stated. We formalize Schneider's proof in Isabelle/HOL, making use of Shankar's formulation of the clock axioms. The particular formulation of axioms on clock conditions and the statements of the main theorems here are essentially those of Shankar's \cite{Shankar92}, with some minor changes in syntax. For the full description of the protocol, the general structure of the proof and the meaning of the constants and function symbols used in this formalization, we refer readers to \cite{Shankar92}. 
\paragraph{Acknowledgment} I would like to thank Stephan Merz and Pascal Fontaine for useful tips on using Isabelle and particularly the Isar proof language. \section{Isar proof scripts} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/General-Triangle/document/root.tex b/thys/General-Triangle/document/root.tex --- a/thys/General-Triangle/document/root.tex +++ b/thys/General-Triangle/document/root.tex @@ -1,54 +1,55 @@ \documentclass[11pt,a4paper,notitlepage]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \usepackage{tikz} \usetikzlibrary{calc} \title{The General Triangle Is Unique} \author{Joachim Breitner} \date{April 1, 2011} \begin{document} \titlehead{ \begin{center} \begin{tikzpicture} \draw (0,0) node (a) {} -- (6,0) node (b) {} -- (intersection cs: first line ={(a) -- (45:1cm)}, second line ={(b) -- ($(b) + (120:1cm)$) }) node (c) {} -- cycle; \draw (a) +(8mm,0) arc (0:45:8mm); \draw (b) +(-8mm,0) arc (180:120:8mm); \draw ($(c) + (225:8mm)$) arc (225:300:8mm); \node at ($(a) + (20:5mm)$) {$a$}; \node at ($(b) + (150:5mm)$) {$b$}; \node at ($(c) + (265:5mm)$) {$c$}; \end{tikzpicture} \end{center} } \maketitle \begin{abstract} Some acute-angled triangles are special, e.g.\ right-angled or isosceles triangles. Some are not of this kind, but, without measuring angles, look as if they are. In that sense, there is exactly one general triangle. This well-known fact\cite{Tergan} is proven here formally. \end{abstract} %\tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Generalized_Counting_Sort/document/root.tex b/thys/Generalized_Counting_Sort/document/root.tex 
--- a/thys/Generalized_Counting_Sort/document/root.tex +++ b/thys/Generalized_Counting_Sort/document/root.tex 
@@ -1,77 +1,78 @@ \documentclass[11pt,a4paper,fleqn]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts} \usepackage{amsmath} \usepackage{cancel} \renewcommand{\isastyletxt}{\isastyletext} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{An Efficient Generalization of Counting Sort\\for Large, possibly Infinite Key Ranges} \author{Pasquale Noce\\Software Engineer at HID Global, Italy\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at hidglobal dot com} \maketitle \begin{abstract} Counting sort is a well-known algorithm that sorts objects of any kind mapped to integer keys, or else to keys in one-to-one correspondence with some subset of the integers (e.g. alphabet letters). However, it is suitable for direct use, viz. not just as a subroutine of another sorting algorithm (e.g. radix sort), only if the key range is not significantly larger than the number of the objects to be sorted. This paper describes a tail-recursive generalization of counting sort making use of a bounded number of counters, suitable for direct use in case of a large, or even infinite key range of any kind, subject to the only constraint of being a subset of an arbitrary linear order. 
After performing a pen-and-paper analysis of how such algorithm has to be designed to maximize its efficiency, this paper formalizes the resulting generalized counting sort (GCsort) algorithm and then formally proves its correctness properties, namely that (a) the counters' number is maximized never exceeding the fixed upper bound, (b) objects are conserved, (c) objects get sorted, and (d) the algorithm is stable. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Generic_Deriving/document/root.tex b/thys/Generic_Deriving/document/root.tex --- a/thys/Generic_Deriving/document/root.tex +++ b/thys/Generic_Deriving/document/root.tex 
@@ -1,44 +1,44 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isamarkupchapter}[1]{\section{#1}} \renewcommand{\isamarkupsection}[1]{\subsection{#1}} \renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\paragraph{#1}} \begin{document} \title{Deriving generic class instances for datatypes} \author{Jonas Rädle and Lars Hupel} \maketitle \begin{abstract} We provide a framework for automatically deriving instances for generic type classes. Our approach is inspired by Haskell's \textit{generic-deriving} package \cite{magalhaes2010generic} and Scala's \textit{shapeless} library \cite{shapeless2018}. In addition to generating the code for type class functions, we also attempt to automatically prove type class laws for these instances. As of now, however, some manual proofs are still required for recursive datatypes. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Generic_Join/document/root.tex b/thys/Generic_Join/document/root.tex --- a/thys/Generic_Join/document/root.tex +++ b/thys/Generic_Join/document/root.tex 
@@ -1,47 +1,47 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{Formalization of Multiway-Join Algorithms} \author{Thibault Dardinier} \maketitle \begin{abstract} Worst-case optimal multiway-join algorithms are recent seminal achievement of the database community. These algorithms compute the natural join of multiple relational databases and improve in the worst case over traditional query plan optimizations of nested binary joins. In 2014, Ngo, R\'e, and Rudra \cite{Ngo:2014:SSB:2590989.2590991} gave a unified presentation of different multi-way join algorithms. We formalized and proved correct their "Generic Join" algorithm and extended it to support negative joins. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/GewirthPGCProof/document/root.tex b/thys/GewirthPGCProof/document/root.tex --- a/thys/GewirthPGCProof/document/root.tex +++ b/thys/GewirthPGCProof/document/root.tex 
@@ -1,77 +1,78 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{authblk} \usepackage{a4wide} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Formalisation and Evaluation of Alan Gewirth's \\ Proof for the Principle of Generic Consistency\\ in Isabelle/HOL\thanks{Benzm\"uller received support from the Volkswagen Foundation (Project CRAP: Consistent Rational Argumentation in Politics).}} \author[1]{David Fuenmayor} \author[1,2]{Christoph Benzm\"uller} \affil[1]{Freie Universit\"at Berlin, Germany} \affil[2]{University of Luxembourg, Luxembourg} \maketitle \begin{abstract} An ambitious ethical theory ---Alan Gewirth's "Principle of Generic Consistency"--- is encoded and analysed in Isabelle/HOL. Gewirth's theory has stirred much attention in philosophy and ethics and has been proposed as a potential means to bound the impact of artificial general intelligence. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Girth_Chromatic/document/root.tex b/thys/Girth_Chromatic/document/root.tex --- a/thys/Girth_Chromatic/document/root.tex +++ b/thys/Girth_Chromatic/document/root.tex 
@@ -1,47 +1,48 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{amsmath} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Probabilistic Proof of the Girth-Chromatic Number Theorem} \author{Lars Noschinski} \maketitle \begin{abstract} This works presents a formalization of the Girth-Chromatic number theorem in graph theory, stating that graphs with arbitrarily large girth and chromatic number exist. The proof uses the theory of Random Graphs to prove the existence with probabilistic arguments and is based on \cite{diestel2010graph}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories %\input{session} \input{Girth_Chromatic_Misc} \input{Ugraphs} \input{Girth_Chromatic} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/GoedelGod/document/root.tex b/thys/GoedelGod/document/root.tex --- a/thys/GoedelGod/document/root.tex +++ b/thys/GoedelGod/document/root.tex 
@@ -1,172 +1,173 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,amsmath,amssymb,a4wide} \usepackage{graphicx,xcolor} \newcommand{\imp}{\rightarrow} \newcommand{\biimp}{\leftrightarrow} \newcommand{\all}{\forall} \newcommand{\ex}{\exists} \newcommand{\seq}{\vdash} \newcommand{\nec}{\Box} % necessarily \newcommand{\pos}{\Diamond} % possibly \newcommand{\ess}[2]{#1 \ \mathit{ess.} \ #2} \newcommand{\NE}{\mathit{NE}} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{G\"odel's God in Isabelle/HOL} \author{Christoph Benzm\"uller and Bruno Woltzenlogel Paleo} %\date{November 1, 2013} \maketitle %\noindent\colorbox{gray}{\includegraphics[width=.99\textwidth]{$HOME/GoedelGod/Talks/FU-Berlin/ScottsScriptGrab}} %$ \begin{figure}[h] \noindent\fcolorbox{gray}{white}{ \begin{minipage}{.96\textwidth}\small \begin{itemize} \item[A1] Either a property or its negation is positive, but not both: \hfill $\all \phi [P(\neg \phi) \biimp \neg P(\phi)]$ \\[-1.5em] \item[A2] A property necessarily implied \\ by a positive property is positive: \phantom{b} \hfill $\all \phi \all \psi [(P(\phi) \wedge \nec \all x [\phi(x) \imp \psi(x)]) \imp P(\psi)]$ \\[-1.5em] \item[T1] Positive properties are possibly exemplified: \hfill $\all \phi [P(\phi) \imp \pos \ex x \phi(x)]$ \\[-1.5em] \item[D1] A \emph{God-like} being possesses all positive properties: \hfill $G(x) \biimp \forall \phi [P(\phi) \to \phi(x)]$ \\[-1.5em] \item[A3] The property of being God-like is positive: \hfill $P(G)$ \\[-1.5em] \item[C\phantom{1}] Possibly, God exists: \hfill $\pos \ex x G(x)$ \\[-1.5em] \item[A4] Positive properties are necessarily positive: \hfill $\all \phi [P(\phi) \to \Box \; P(\phi)]$ \\[-1.5em] \item[D2] An \emph{essence} of an individual is a property possessed by it \\ and necessarily implying any of its properties: \\ 
\phantom{b} \hfill $\ess{\phi}{x} \biimp \phi(x) \wedge \all \psi (\psi(x) \imp \nec \all y (\phi(y) \imp \psi(y)))$ \\[-1.5em] \item[T2] Being God-like is an essence of any God-like being: \hfill $\all x [G(x) \imp \ess{G}{x}]$ \\[-1.5em] \item[D3] \emph{Necessary existence} of an individual is \\ the necessary exemplification of all its essences: \phantom{b} \hfill $\NE(x) \biimp \all \phi [\ess{\phi}{x} \imp \nec \ex y \phi(y)]$ \\[-1.5em] \item[A5] Necessary existence is a positive property: \hfill $P(\NE)$ \\[-1.5em] \item[T3] Necessarily, God exists: \hfill $\nec \ex x G(x)$ \end{itemize} \end{minipage} } \caption{Scott's version of G\"odel's ontological argument \cite{ScottNotes}.} \end{figure} \vskip1em %\tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \paragraph{Acknowledgments:} Nik Sultana, Jasmin Blanchette and Larry Paulson provided very important help on issues related to consistency checking in Isabelle. Jasmin Blanchette instructed us on producing Isabelle sessions and he showed us some useful tricks in Isabelle. %\small \begin{thebibliography}{10} \bibitem{B9} C.~Benzm{\"u}ller and L.C. Paulson. \newblock Exploring properties of normal multimodal logics in simple type theory with {LEO-II}. \newblock In {\em {Festschrift in Honor of {Peter B. Andrews} on His 70th Birthday}}, pp. 386--406. College Publications. \bibitem{J23} C.~Benzm{\"u}ller and L.C. Paulson. \newblock Quantified multimodal logics in simple type theory. \newblock {\em Logica Universalis (Special Issue on Multimodal Logics)}, 7(1):7--20, 2013. \bibitem{LEO-II} C.~Benzm{\"u}ller, F.~Theiss, L.~Paulson, and A.~Fietzke. \newblock {LEO-II} - a cooperative automatic theorem prover for higher-order logic. \newblock In {\em Proc. of IJCAR 2008}, volume 5195 of {\em LNAI}, pp. 162--170. Springer, 2008. \bibitem{Coq} Y.~Bertot and P.~Casteran. \newblock {\em {Interactive Theorem Proving and Program Development}}. 
\newblock Springer, 2004. \bibitem{Sledgehammer} J.C. Blanchette, S.~B\"ohme, and L.C. Paulson. \newblock Extending {Sledgehammer} with {SMT} solvers. \newblock {\em Journal of Automated Reasoning}, 51(1):109--128, 2013. \bibitem{Nitpick} J.C. Blanchette and T.~Nipkow. \newblock Nitpick: A counterexample generator for higher-order logic based on a relational model finder. \newblock In {\em Proc. of ITP 2010}, LNCS 6172, pp. 131--146. Springer, 2010. \bibitem{Satallax} C.E. Brown. \newblock Satallax: An automated higher-order prover. \newblock In {\em Proc. of IJCAR 2012}, LNAI 7364, pp. 111 -- 117. Springer, 2012. \bibitem{GoedelNotes} K.~G\"odel. \newblock {\em Appendix A. Notes in Kurt G\"odel's Hand}, pp. 144--145. \newblock In \cite{sobel2004logic}, 2004. \bibitem{Metis} J.~Hurd. \newblock First-order proof tactics in higher-order logic theorem provers. \newblock In {\em Design and Application of Strategies/Tactics in Higher Order Logics, NASA Tech. Rep. NASA/CP-2003-212448}, 2003. \bibitem{Isabelle} T.~Nipkow, L.C. Paulson, and M.~Wenzel. \newblock {\em {Isabelle/HOL: A Proof Assistant for Higher-Order Logic}}. \newblock LNCS 2283. Springer, 2002. \bibitem{rushby} J.~Rushby. \newblock The Ontological Argument in PVS. \newblock {\em CAV Workshop ``Fun With Formal Methods'}, St. Petersburg, Russia, 13th of July 2013. \bibitem{ScottNotes} D.~Scott. \newblock {\em Appendix B. Notes in Dana Scott's Hand}, pp. 145--146. \newblock In \cite{sobel2004logic}, 2004. \bibitem{sobel2004logic} J.H. Sobel. \newblock {\em Logic and Theism: Arguments for and Against Beliefs in God}. \newblock Cambridge University Press, 2004. \bibitem{J22} G.~Sutcliffe and C.~Benzm{\"u}ller. \newblock Automated reasoning in higher-order logic using the {TPTP THF} infrastructure. \newblock {\em Journal of Formalized Reasoning}, 3(1):1--27, 2010. \end{thebibliography} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
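Review bot: in the `\bibitem{rushby}` context line of this hunk, the workshop title opens with a double backtick but closes with a single `'` (``Fun With Formal Methods'), so the closing quote renders as a stray apostrophe; it should be `''`. The mismatch is not introduced by this change, but since the preamble is being edited anyway it is a cheap fix to include.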
diff --git a/thys/Goedel_HFSet_Semantic/document/root.tex b/thys/Goedel_HFSet_Semantic/document/root.tex --- a/thys/Goedel_HFSet_Semantic/document/root.tex +++ b/thys/Goedel_HFSet_Semantic/document/root.tex @@ -1,46 +1,46 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{From Abstract to Concrete G\"odel's Incompleteness Theorems---Part I} \author{Andrei Popescu \and Dmitriy Traytel} \maketitle \begin{abstract} We validate an abstract formulation of G\"odel's First and Second Incompleteness Theorems from a \href{https://www.isa-afp.org/entries/Goedel_Incompleteness.html}{separate AFP entry} by instantiating them to the case of \emph{finite sound extensions of the Hereditarily Finite (HF) Set theory}, i.e., FOL theories extending the HF Set theory with a finite set of axioms that are sound in the standard model. The concrete results had been previously formalised in an \href{https://www.isa-afp.org/entries/Incompleteness.html}{AFP entry by Larry Paulson}; our instantiation reuses the infrastructure developed in that entry. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Goedel_HFSet_Semanticless/document/root.tex b/thys/Goedel_HFSet_Semanticless/document/root.tex --- a/thys/Goedel_HFSet_Semanticless/document/root.tex +++ b/thys/Goedel_HFSet_Semanticless/document/root.tex 
@@ -1,52 +1,52 @@ \documentclass[10pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{From Abstract to Concrete G\"odel's Incompleteness Theorems---Part II} \author{Andrei Popescu \and Dmitriy Traytel} \maketitle \begin{abstract} We validate an abstract formulation of G\"odel’s Second Incompleteness Theorem from a \href{https://www.isa-afp.org/entries/Goedel_Incompleteness.html}{separate AFP entry} by instantiating it to the case of \emph{finite consistent extensions of the Hereditarily Finite (HF) Set theory}, i.e., consistent FOL theories extending the HF Set theory with a finite set of axioms. The instantiation draws heavily on infrastructure previously developed by Larry Paulson in his \href{https://www.isa-afp.org/entries/Incompleteness.html}{direct formalisation of the concrete result}. It strengthens Paulson’s formalization of G\"odel's Second from that entry by \emph{not} assuming soundness, and in fact not relying on any notion of model or semantic interpretation. The strengthening was obtained by first replacing some of Paulson’s semantic arguments with proofs within his HF calculus, and then plugging in some of Paulson's (modified) lemmas to instantiate our soundness-free G\"odel's Second locale. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Goedel_Incompleteness/document/root.tex b/thys/Goedel_Incompleteness/document/root.tex --- a/thys/Goedel_Incompleteness/document/root.tex +++ b/thys/Goedel_Incompleteness/document/root.tex 
@@ -1,53 +1,53 @@ \documentclass[10pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{An Abstract Formalization of G\"odel's Incompleteness Theorems} \author{Andrei Popescu \and Dmitriy Traytel} \maketitle \begin{abstract} We present an abstract formalization of G\"odel's incompleteness theorems. We analyze sufficient conditions for the theorems' applicability to a partially specified logic. Our abstract perspective enables a comparison between alternative approaches from the literature. These include Rosser's variation of the first theorem, Jeroslow's variation of the second theorem, and the Swierczkowski–Paulson semantics-based approach. This AFP entry is the main entry point to the results described in our CADE-27 paper~\cite{DBLP:conf/cade/0001T19}. \looseness=-1 As part of our abstract formalization's validation, we instantiate our locales twice in the separate AFP entries \href{https://www.isa-afp.org/entries/Goedel_HFSet_Semantic.html}{Goedel\_HFSet\_Semantic} and \href{https://www.isa-afp.org/entries/Goedel_HFSet_Semanticless.html}{Goedel\_HFSet\_Semanticless}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Goodstein_Lambda/document/root.tex b/thys/Goodstein_Lambda/document/root.tex --- a/thys/Goodstein_Lambda/document/root.tex +++ b/thys/Goodstein_Lambda/document/root.tex 
@@ -1,177 +1,178 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \newcommand{\doi}[1]{doi:\href{https://dx.doi.org/#1}{#1}} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amsmath} %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Implementing the Goodstein Function in $\lambda$-Calculus} \author{Bertram Felgenhauer} \maketitle \begin{abstract} In this formalization, we develop an implementation of the Goodstein function $\mathcal{G}$ in plain $\lambda$-calculus, linked to a concise, self-contained specification. The implementation works on a Church-encoded representation of countable ordinals. The initial conversion to hereditary base $2$ is not covered, but the material is sufficient to compute the particular value $\mathcal{G}(16)$, and easily extends to other fixed arguments. \end{abstract} \tableofcontents \section{Introduction} Given a number $n$ and a base $b$, we can write $n$ in \emph{hereditary base $b$}, which results from writing $n$ in base $b$, and then each exponent in hereditary base $b$ again. For example, $7$ in hereditary base $3$ is $3^1 \cdot 2 + 1$. Given the hereditary base $b$ representation of $n$, we can reinterpret it in base $b+1$ by replacing all occurrences of $b$ by $b+1$. The Goodstein sequence starting at $n$ in base $2$ is obtained by iteratively taking a number in hereditary base $b$, reinterpreting it in base $b+1$, and subtracting $1$. 
The next step is the same with $b$ incremented by $1$, and so on. So starting for example at $4$, we compute \begin{align*} 4 = 2^{2^1} &\:\to\: 3^{3^1} - 1 = 26\\ 26 = 3^2 \cdot 2 + 3^1 \cdot 2 + 2 &\:\to\: 4^2 \cdot 2 + 4^1 \cdot 2 + 1 \cdot 2 - 1 = 41\\ 41 = 4^2 \cdot 2 + 4^1 \cdot 2 + 1 &\:\to\: 5^2 \cdot 2 + 5^1 \cdot 2 + 1 - 1 = 60 \end{align*} and so on. We stop when we reach $0$. Goodstein's theorem states that this process always terminates~\cite{G44}. This result is independent of Peano Arithmetic, and is intimately connected to countable ordinals and the slow growing hierarchy (e.g., the Hardy function)~\cite{C83}. The length of the resulting sequence is the Goodstein function, denoted by $\mathcal G(n)$. For example, $\mathcal G(3) = 6$. For this formalization, we are interested in implementing the Goodstein function in $\lambda$-calculus. More concretely, we want to define the value $\mathcal G(16)$ (which is huge; for example, it exceeds Graham's number), in order to bound its Kolmogorov complexity. Our concrete measure of Kolmogorov complexity is the program length in the Binary Lambda Calculus~\cite{BLC,T08}. It turns out that we can define $\mathcal G(16)$ as follows, giving a complexity bound of 195 bits. \begin{align*} \mathit{exp\omega} &= (\lambda z\:s\:l.\:n\:s\:(\lambda x\:z.\:l\:(\lambda n.\:n\:x\:z))\: (\lambda f\:z.\:l\:(\lambda n.\:f\:n\:z))\:z)\\ \mathit{goodstein} &= (\lambda n\:c.\:n\\ &\phantom{{}=(}(\lambda x.\:x)\\ &\phantom{{}=(}(\lambda n\:m.\:n\:(\lambda f\:x.\:m\:f\:(f\:x)))\\ &\phantom{{}=(}(\lambda f\:m.\:f\:(\lambda f\:x.\:m\:f\:(f\:(f\:x)))\:m)\\ &\phantom{{}=(}c) \\ \mathcal G_{16} &= (\lambda e.\:\mathit{goodstein}\: (e\:(e\:(e\:(e\:(\lambda z\:s\:l.\:z)))))\:(\lambda x.\:x))\: \mathit{exp\omega} \end{align*} We rely on a shallow embedding of the $\lambda$-calculus throughout the formalization, so it turns out that we cannot quite prove this claim in Isabelle/HOL; the expression for $\mathcal G_{16}$ cannot be typed. 
However, we can prove that the building blocks $\mathit{exp\omega}$ and $\mathit{goodstein}$ work correctly in the sense that \begin{itemize} \item $\mathit{exp\omega}^4\:(\lambda z\:s\:l.\:z)$ is the hereditary base $2$ representation of $16$; and \item $\mathit{goodstein}\:c\:n$ computes the length of a Goodstein sequence given that the hereditary base $c+1$ representation of the $c$-th value in the sequence is equal to $n$. \end{itemize} The remaining steps are easily verified by a human. \paragraph{Contributions.} Our main contributions are a concise specification of the Goodstein function, another proof of Goodstein's theorem, and establishing the connection to $\lambda$-calculus as already outlined. \paragraph{Related work.} There is already a formalization of Goodstein's theorem in the AFP entry on nested multisets~\cite{NMO}, which comes with a formalization of ordinal arithmetic. Our focus is different, since our goal is to obtain an implementation of the Goodstein function in $\lambda$-calculus. Most notably, the intermediate type $\mathit{Ord}$ that we use to represent ordinal numbers has far more structure than the ordinals themselves. In particular it can represent arbitrary trees; if we were to compute $\omega + 1$, $1 + \omega$ and $\omega$ on this type, we would get three different results. However, we will use the operations such that $1 + \omega$ is never computed, keeping the connection to countable ordinals intact. Proving this is a large, albeit hidden, part of our formalization. \paragraph{Acknowledgement.} John Tromp raised the question of a concise $\lambda$-calculus term computing $\mathcal{G}(16)$. He also provided feedback on a draft version of this document. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/GraphMarkingIBP/document/root.tex b/thys/GraphMarkingIBP/document/root.tex --- a/thys/GraphMarkingIBP/document/root.tex +++ b/thys/GraphMarkingIBP/document/root.tex 
@@ -1,116 +1,117 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Verification of the Deutsch-Schorr-Waite Graph Marking Algorithm using Data Refinement} \author{Viorel Preoteasa and Ralph-Johan Back} \maketitle \begin{abstract} The verification of the Deutsch-Schorr-Waite graph marking algorithm is used as a benchmark in many formalizations of pointer programs. The main purpose of this mechanization is to show how data refinement of invariant based programs can be used in verifying practical algorithms. The verification starts with an abstract algorithm working on a graph given by a relation {\em next} on nodes. Gradually the abstract program is refined into Deutsch-Schorr-Waite graph marking algorithm where only one bit per graph node of additional memory is used for marking. \end{abstract} \tableofcontents \section{Introduction} The verification of the Deutsch-Schorr-Waite (DSW) \cite{schorr:waite:1967,knuth:1997} graph marking algorithm is used as a benchmark in many formalizations of pointer programs \cite{mehta:nipkow:2003,Abrial:2003}. The main purpose of this mechanization is to show how data refinement \cite{preoteasa:back:2009} of invariant based programs \cite{Back80:invariants,Back83:invariants,aBack08,back:preoteasa:2008} can be used in verifying practical algorithms. The DSW algorithm marks all nodes in a graph that are reachable from a {\em root} node. The marking is achieved using only one extra bit of memory for every node. The graph is given by two pointer functions, {\em left} and {\em right}, which for any given node return its left and right successors, respectively. 
While marking, the left and right functions are altered to represent a stack that describes the path from the root to the current node in the graph. On completion the original graph structure is restored. We construct the DSW algorithm by a sequence of three successive data refinement steps. One step in these refinements is a generalization of the DSW algorithm to an algorithm which marks a graph given by a family of pointer functions instead of left and right only. Invariant based programming is an approach to construct correct programs where we start by identifying all basic situations (pre- and post-conditions, and loop invariants) that could arise during the execution of the algorithm. These situations are determined and described before any code is written. After that, we identify the transitions between the situations, which together determine the flow of control in the program. The transitions are verified at the same time as they are constructed. The correctness of the program is thus established as part of the construction process. Data refinement \cite{hoare:1972,back-1980,back:vonwright:2000,deroever:1999} is a technique of building correct programs working on concrete data structures as refinements of more abstract programs working on abstract data structures. The correctness of the final program follows from the correctness of the abstract program and from the correctness of the data refinement. Both the semantics and the data refinement of invariant based programs were formalized in \cite{preoteasa:back:afp:2010}, and this verification is based on them. We use a simple model of pointers where addresses (pointers, nodes) are the elements of a set and pointer fields are global pointer functions from addresses to addresses. Pointer updates ($x.\mathit{left} := y$) are done by modifying the global pointer function $\mathit{left} := \mathit{left}(x := y)$. 
Because of the nature of the marking algorithm where no allocation and disposal of memory are needed we do not treat these operations. A number of Isabelle techniques are used here. The class mechanism is used for extending the complete lattice theories as well as for introducing well founded and transitive relations. The polimorphism is used for the state of the computation. In \cite{preoteasa:back:afp:2010} the state of computation was introduced as a type variable, or even more generaly, state predicates were introduced as elements of a complete (boolean) lattice. Here the state of the computation is instantiated with various tuples ranging from the abstract data in the first algorithm to the concrete data in the final refinement. The locale mechanism of Isabelle is used to introduce the specification variables and their invariants. These specification variables are used for example to prove that the main variables are restored to their initial values when the algorithm terminates. The locale extension and partial instantiation mechanisms turn out to be also very useful in the data refinements of DSW. We start with a locale which fixes the abstract graph as a relation {\em next} on nodes. This locale is first partially interpreted into a locale which replaces {\em next} by a union of a family of pointer functions. In the final refinement step the locale of the pointer functions is interpreted into a locale with only two pointer functions, {\em left} and {\em right}. \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Graph_Saturation/document/root.tex b/thys/Graph_Saturation/document/root.tex --- a/thys/Graph_Saturation/document/root.tex +++ b/thys/Graph_Saturation/document/root.tex 
@@ -1,47 +1,48 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} %\isabellestyle{it} \begin{document} \title{Graph Saturation} \author{Sebastiaan J. C. Joosten} \maketitle \begin{abstract} This is an Isabelle/HOL formalisation of graph saturation, closely following a paper by the author on graph saturation~\cite{Joosten18}. Nine out of ten lemmas of the original paper are proven in this formalisation. The formalisation additionally includes two theorems that show the main premise of the paper: that consistency and entailment are decided through graph saturation. This formalisation does not give executable code, and it did not implement any of the optimisations suggested in the paper. \end{abstract} \tableofcontents \section{Introduction} Although the formalisation follows a paper by the author on graph saturation~\cite{Joosten18}, it is foremost a formalisation. This document highlights the differences, where applicable. Nevertheless, the reader is advised to start by reading~\cite{Joosten18}. A copy might be available on \url{http://sjcjoosten.nl/4-publications/joosten18/}. The first publication of this graph saturation algorithm is in \cite{Joosten17a}. While that paper contains a somewhat more category-theoretical view, it also has fewer proofs and less rigor. Graph Saturation was originally developed to potentially benefit the Ampersand compiler~\cite{Michels11}. % include generated text of all theories \input{session} \paragraph*{acknowledgements} We thank Gerwin Klein for making an example submission in the AFP~\cite{Klein04}, which was of great help in making this submission. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Graph_Theory/document/root.tex b/thys/Graph_Theory/document/root.tex --- a/thys/Graph_Theory/document/root.tex 
+++ b/thys/Graph_Theory/document/root.tex @@ -1,52 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage{amssymb} \usepackage{wasysym} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Graph Theory} \author{By Lars Noschinski} \maketitle \begin{abstract} This development provides a formalization of directed graphs, supporting (labelled) multi-edges and infinite graphs. A polymorphic edge type allows edges to be treated as pairs of vertices, if multi-edges are not required. Formalized properties are i.a. walks (and related concepts), connectedness and subgraphs and basic properties of isomorphisms. This formalization is used to prove characterizations of Euler Trails, Shortest Paths and Kuratowski subgraphs. Definitions and nomenclature are based on \cite{bangjensen2009digraphs}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Green/document/root.tex b/thys/Green/document/root.tex --- a/thys/Green/document/root.tex +++ b/thys/Green/document/root.tex 
@@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{An Isabelle/HOL formalisation of Green's Theorem} \author{Mohammad Abdulaziz and Lawrence C.\ Paulson} \maketitle \begin{abstract} We formalise a statement of Green’s theorem—the first formalisation to our knowledge—in Isabelle/HOL. The theorem statement that we formalise is enough for most applications, especially in physics and engineering. Our formalisation is made possible by a novel proof that avoids the ubiquitous line integral cancellation argument. This eliminates the need to formalise orientations and region boundaries explicitly with respect to the outwards-pointing normal vector. Instead we appeal to a homological argument about equivalences between paths. \end{abstract} % \tableofcontents \section{Acknowledgements} Paulson was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council at the University of Cambridge, UK. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Groebner_Bases/document/root.tex b/thys/Groebner_Bases/document/root.tex --- a/thys/Groebner_Bases/document/root.tex +++ b/thys/Groebner_Bases/document/root.tex 
@@ -1,132 +1,133 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,latexsym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Gr\"obner Bases Theory} \author{Fabian Immler and Alexander Maletzky\thanks{Supported by the Austrian Science Fund (FWF): grant no. W1214-N15 (project DK1) and grant no. P 29498-N31}} \maketitle \begin{abstract} This formalization is concerned with the theory of Gr\"obner bases in (commutative) multivariate polynomial rings over fields, originally developed by Buchberger in his 1965 PhD thesis. Apart from the statement and proof of the main theorem of the theory, the formalization also implements algorithms for actually computing Gr\"obner bases, thus allowing to effectively decide ideal membership in finitely generated polynomial ideals. Furthermore, all functions can be executed on a concrete representation of multivariate polynomials as association lists. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \newpage \section{Introduction} The theory of Gr\"obner bases, invented by Buchberger in~\cite{Buchberger1965,Buchberger1970}, is ubiquitous in many areas of computer algebra and beyond, as it allows to effectively solve a multitude of interesting, non-trivial problems of polynomial ideal theory. 
Since its invention in the mid-sixties, the theory has already seen a whole range of extensions and generalizations, some of which are present in this formalization: \begin{itemize} \item Following~\cite{Kreuzer2000}, the theory is formulated for vector-polynomials instead of ordinary scalar polynomials, thus allowing to compute Gr\"obner bases of syzygy modules. \item Besides Buchberger's original algorithm, the formalization also features Faug\`ere's $F_4$ algorithm~\cite{Faugere1999} for computing Gr\"obner bases. \item All algorithms for computing Gr\"obner bases incorporate criteria to avoid useless pairs; see~\cite{Buchberger1979} for details. \item Reduced Gr\"obner bases have been formalized and can be computed by a formally verified algorithm, too. \end{itemize} For further information about Gr\"obner bases theory the interested reader may consult the introductory paper~\cite{Buchberger1998a} or literally any book on commutative/computer algebra, e.\,g.~\cite{Adams1994,Kreuzer2000}. \subsection{Related Work} The theory of Gr\"obner bases has already been formalized in a couple of other proof assistants, listed below in alphabetical order: \begin{itemize} \item ACL2~\cite{Medina-Bulo2010}, \item Coq~\cite{Thery2001,Jorge2009}, \item Mizar~\cite{Schwarzweller2006}, and \item Theorema~\cite{Buchberger2003,Maletzky2016b}. \end{itemize} Please note that this formalization must not be confused with the \textit{algebra} proof method based on Gr\"obner bases~\cite{Chaieb2007}, which is a completely independent piece of work: our results could in principle be used to formally prove the correctness and, to some extent, completeness of said proof method. \subsection{Future Work} This formalization can be extended in several ways: \begin{itemize} \item One could formalize signature-based algorithms for computing Gr\"obner bases, as for instance Faug\`ere's $F_5$ algorithm~\cite{Faugere2002}. Such algorithms are typically more efficient than Buchberger's algorithm. 
\item One could establish the connection to \emph{elimination theory}, exploiting the well-known \emph{elimination property} of Gr\"obner bases w.\,r.\,t. certain term-orders (e.\,g. the purely lexicographic one). This would enable the effective simplification (and even solution, in some sense) of systems of algebraic equations. \item One could generalize the theory further to cover also \emph{non-commutative} Gr\"obner bases~\cite{Mora1994}. \end{itemize} % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Groebner_Macaulay/document/root.tex b/thys/Groebner_Macaulay/document/root.tex --- a/thys/Groebner_Macaulay/document/root.tex +++ b/thys/Groebner_Macaulay/document/root.tex 
@@ -1,80 +1,81 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,latexsym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Gr\"obner Bases, Macaulay Matrices\\and Dub\'e's Degree Bounds} \author{Alexander Maletzky\thanks{Funded by the Austrian Science Fund (FWF): grant no. P 29498-N31}} \maketitle \begin{abstract} This entry formalizes the connection between Gr\"obner bases and Macaulay matrices (sometimes also referred to as `generalized Sylvester matrices'). In particular, it contains a method for computing Gr\"obner bases, which proceeds by first constructing some Macaulay matrix of the initial set of polynomials, then row-reducing this matrix, and finally converting the result back into a set of polynomials. The output is shown to be a Gr\"obner basis if the Macaulay matrix constructed in the first step is sufficiently large. In order to obtain concrete upper bounds on the size of the matrix (and hence turn the method into an effectively executable algorithm), Dub\'e's degree bounds on Gr\"obner bases are utilized; consequently, they are also part of the formalization. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \newpage \section{Introduction} The formalization consists of two main parts: \begin{itemize} \item The connection between Gr\"obner bases and Macaulay matrices (or `generalized Sylvester matrices'), due to Wiesinger-Widi~\cite{Wiesinger-Widi2015}. In particular, this includes a method for computing Gr\"obner bases via Macaulay matrices. \item Dub\'e's upper bounds on the degrees of Gr\"obner bases~\cite{Dube1990}. These bounds are not only of theoretical interest, but are also necessary to turn the above-mentioned method for computing Gr\"obner bases into an actual algorithm. \end{itemize} For more information about this formalization, see the accompanying papers~\cite{Maletzky2019} (Dub\'e's bound) and~\cite{Maletzky2019b} (Macaulay matrices). \subsection{Future Work} This formalization could be extended by formalizing improved degree bounds for special input. For instance, Wiesinger-Widi in~\cite{Wiesinger-Widi2015} obtains much smaller bounds if the initial set of polynomials only consists of two binomials. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Gromov_Hyperbolicity/document/root.tex b/thys/Gromov_Hyperbolicity/document/root.tex --- a/thys/Gromov_Hyperbolicity/document/root.tex +++ b/thys/Gromov_Hyperbolicity/document/root.tex 
@@ -1,61 +1,62 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathtools} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \DeclarePairedDelimiter{\norm}{\lVert}{\rVert} \begin{document} \title{Gromov hyperbolic spaces in Isabelle} \author{Sebastien Gouezel} \date{} \maketitle \begin{abstract} A geodesic metric space is Gromov hyperbolic if all its geodesic triangles are thin, i.e., every side is contained in a fixed thickening of the two other sides. While this definition looks innocuous, it has proved extremely important and versatile in modern geometry since its introduction by Gromov. We formalize the basic classical properties of Gromov hyperbolic spaces, notably the Morse lemma asserting that quasigeodesics are close to geodesics, the invariance of hyperbolicity under quasi-isometries, we define and study the Gromov boundary and its associated distance, and prove that a quasi-isometry between Gromov hyperbolic spaces extends to a homeomorphism of the boundaries. We also classify the isometries of hyperbolic spaces into elliptic, parabolic and loxodromic ones, both in terms of translation length and of fixed points at infinity. We also prove a less classical theorem, by Bonk and Schramm, asserting that a Gromov hyperbolic space embeds isometrically in a geodesic Gromov-hyperbolic space. As the original proof uses a transfinite sequence of Cauchy completions, this is an interesting formalization exercise. Along the way, we introduce basic material on isometries, quasi-isometries, geodesic spaces, the Hausdorff distance, the Cauchy completion of a metric space, and the exponential on extended real numbers. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{amsalpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Group-Ring-Module/document/root.tex b/thys/Group-Ring-Module/document/root.tex --- a/thys/Group-Ring-Module/document/root.tex +++ b/thys/Group-Ring-Module/document/root.tex @@ -1,35 +1,35 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Group Ring Module} \author{Hidetsune Kobayashi, L. Chen, H. Murao} \maketitle \begin{abstract} The theory of groups, rings and modules is developed to a great depth. Group theory results include Zassenhaus's theorem and the Jordan-Hoelder theorem. The ring theory development includes ideals, quotient rings and the Chinese remainder theorem. The module development includes the Nakayama lemma, exact sequences and Tensor products. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \end{document} diff --git a/thys/HOL-CSP/document/root.tex b/thys/HOL-CSP/document/root.tex --- a/thys/HOL-CSP/document/root.tex +++ b/thys/HOL-CSP/document/root.tex 
@@ -1,63 +1,64 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \graphicspath {{figures/}} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{latexsym} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage[greek,english]{babel} %option greek for \ %option english (default language) for \, \ %\usepackage[utf8]{inputenc} %for \, \, \, \, %\, \, \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{HOL-CSP Version 2.0} \author{ Safouan Taha \and Burkhart Wolff \and Lina Ye } \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{adb-long,root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/HOLCF-Prelude/document/root.tex b/thys/HOLCF-Prelude/document/root.tex --- a/thys/HOLCF-Prelude/document/root.tex +++ b/thys/HOLCF-Prelude/document/root.tex 
@@ -1,84 +1,85 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{xspace} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage[greek,english]{babel} %option greek for \ %option english (default language) for \, \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \newcommand\hlint{\texttt{HLint}\xspace} \begin{document} \title{Isabelle/HOLCF-Prelude} \author{% Joachim Breitner\thanks{Supported by the Deutsche Telekom Stiftung.}, Brian Huffman, Neil Mitchell, and Christian Sternagel\thanks{Supported by the Austrian Science Fund (FWF): J3202.}} \maketitle \begin{abstract} The Isabelle/HOLCF-Prelude is a formalization of a large part of Haskell's standard prelude \cite{haskell-prelude} in Isabelle/HOLCF. We use it to \begin{itemize} \item prove the correctness of the Eratosthenes' Sieve, in its self-referential implementation commonly used to showcase Haskell's laziness, \item prove correctness of GHC's ``fold/build'' rule and related rewrite rules, and \item certify a number of hints suggested by \hlint. \end{itemize} The work was presented at HART 2013~\cite{hart2013}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section*{Acknowledgments} We thank Lars Hupel for his help with the final AFP submission. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/HRB-Slicing/document/root.tex b/thys/HRB-Slicing/document/root.tex --- a/thys/HRB-Slicing/document/root.tex +++ b/thys/HRB-Slicing/document/root.tex 
@@ -1,79 +1,79 @@ \documentclass[11pt,a4paper,notitlepage]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{amssymb} \usepackage{textcomp} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{wasysym} \usepackage{graphicx} \usepackage{url} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\setisabellecontext}[1]{\markright{#1}} \begin{document} \title{Backing up Slicing: Verifying the interprocedural two-phase Horwitz-Reps-Binkley Slicer} \author{Daniel Wasserrab} \maketitle \begin{abstract} Slicing is a widely-used technique with applications in e.g. compiler technology and software security. Thus verification of algorithms in these areas is often based on the correctness of slicing, which should ideally be proven independent of concrete programming languages and with the help of well-known verifying techniques such as proof assistants. After verifying static intraprocedural and dynamic slicing \cite{Wasserrab:08}, we focus now on the sophisticated interprocedural two-phase Horwitz-Reps-Binkley slicer \cite{HorwitzRB:88}, including summary edges which were added in \cite{RepsHSR:94}. Again, abstracting from concrete syntax we base our work on a graph representation of the program fulfilling certain structural and well-formedness properties. The framework is instantiated with a simple While language with procedures, showing its validity. \end{abstract} \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \begin{thebibliography}{10} \bibitem{HorwitzRB:88} Susan Horwitz and Thomas Reps and David Binkley. \newblock Interprocedural Slicing Using Dependence Graphs. \newblock {\em ACM Transactions on Programming Languages and Systems}, 12(1):26--60, 1990. \bibitem{RepsHSR:94} Thomas Reps and Susan Horwitz and Mooly Sagiv and Genevieve Rosay. 
\newblock Speeding up slicing. \newblock In {\em Proc. of FSE'94}, pages 11--20. ACM, 1994 \bibitem{Wasserrab:08} \newblock Daniel Wasserrab. \newblock Towards certified slicing. \newblock In G. Klein, T. Nipkow, and L. Paulson, editors, {\em Archive of Formal Proofs}. \newblock \url{http://isa-afp.org/entries/Slicing.shtml}, September 2008. \newblock Formal proof development. \end{thebibliography} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Heard_Of/document/root.tex b/thys/Heard_Of/document/root.tex --- a/thys/Heard_Of/document/root.tex +++ b/thys/Heard_Of/document/root.tex 
@@ -1,198 +1,199 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\nat}{\mathbb{N}} \newcommand{\ute}{\ensuremath{\mathcal{U}_{T,E,\alpha}}} \newcommand{\ate}{\ensuremath{\mathcal{A}_{T,E,\alpha}}} \newcommand{\eigbyz}{\textit{EIGByz}\ensuremath{_f}} % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{document} \title{ Verifying Fault-Tolerant Distributed Algorithms In The Heard-Of Model\thanks{% Bernadette Charron-Bost introduced us to the Heard-Of model and accompanied this work by suggesting algorithms to study, providing or simplifying hand proofs, and giving most valuable feedback on our formalizations. Mouna Chaouch-Saad contributed an initial draft formalization of the reduction theorem. } } \author{ Henri Debrat\textsuperscript{1} and Stephan Merz\textsuperscript{2}\\ \mbox{}\textsuperscript{1} Universit\'e de Lorraine \& LORIA\\ \mbox{}\textsuperscript{2} Inria Nancy Grand-Est \& LORIA\\ Villers-l\`es-Nancy, France } \maketitle Distributed computing is inherently based on replication, promising increased tolerance to failures of individual computing nodes or communication channels. Realizing this promise, however, involves quite subtle algorithmic mechanisms, and requires precise statements about the kinds and numbers of faults that an algorithm tolerates (such as process crashes, communication faults or corrupted values). The landmark theorem due to Fischer, Lynch, and Paterson shows that it is impossible to achieve Consensus among $N$ asynchronously communicating nodes in the presence of even a single permanent failure. Existing solutions must rely on assumptions of ``partial synchrony''. 
Indeed, there have been numerous misunderstandings on what exactly a given algorithm is supposed to realize in what kinds of environments. Moreover, the abundance of subtly different computational models complicates comparisons between different algorithms. Charron-Bost and Schiper introduced the Heard-Of model for representing algorithms and failure assumptions in a uniform framework, simplifying comparisons between algorithms. In this contribution, we represent the Heard-Of model in Isabelle/HOL. We define two semantics of runs of algorithms with different unit of atomicity and relate these through a \emph{reduction theorem} that allows us to verify algorithms in the coarse-grained semantics (where proofs are easier) and infer their correctness for the fine-grained one (which corresponds to actual executions). We instantiate the framework by verifying six Consensus algorithms that differ in the underlying algorithmic mechanisms and the kinds of faults they tolerate. \tableofcontents \section{Introduction} We are interested in the verification of fault-tolerant distributed algorithms. The archetypical problem in this area is the \emph{Consensus} problem that requires a set of distributed nodes to achieve agreement on a common value in the presence of faults. Such algorithms are notoriously hard to design and to get right. This is particularly true in the presence of asynchronous communication: the landmark theorem by Fischer, Lynch, and Paterson~\cite{FLP85} shows that there is no algorithm solving the Consensus problem for asynchronous systems in the presence of even a single, permanent fault. Existing solutions therefore rely on assumptions of ``partial synchrony''~\cite{dwork:consensus}. Different computational models, and different concepts for specifying the kinds and numbers of faults such algorithms must tolerate, have been introduced in the literature on distributed computing. 
This abundance of subtly different notions makes it very difficult to compare different algorithms, and has sometimes even led to misunderstandings and misinterpretations of what an algorithm claims to achieve. The general lack of rigorous, let alone formal, correctness proofs for this class of algorithms makes it even harder to understand the field. In this contribution, we formalize in Isabelle/HOL the \emph{Heard-Of} (HO) model, originally introduced by Charron-Bost and Schiper~\cite{charron:heardof}. This model can represent algorithms that operate in communication-closed rounds, which is true of virtually all known fault-tolerant distributed algorithms. Assumptions on failures tolerated by an algorithm are expressed by \emph{communication predicates} that impose bounds on the set of messages that are not received during executions. Charron-Bost and Schiper show how the known failure hypotheses from the literature can be represented in this format. The Heard-Of model therefore makes an interesting target for formalizing different algorithms, and for proving their correctness, in a uniform way. In particular, different assumptions can be compared, and the suitability of an algorithm for a particular situation can be evaluated. The HO model has subsequently been extended~\cite{biely:tolerating} to encompass algorithms designed to tolerate value (also known as malicious or Byzantine) faults. In the present work, we propose a generic framework in Isabelle/HOL that encompasses the different variants of HO algorithms, including resilience to benign or value faults, as well as coordinated and non-coordinated algorithms. A fundamental design decision when modeling distributed algorithm is to determine the unit of atomicity. 
We formally relate in Isabelle two definitions of runs: we first define ``coarse-grained'' executions, in which entire rounds are executed atomically, and then define ``fine-grained'' executions that correspond to conventional interleaving representations of asynchronous networks. We formally prove that every fine-grained execution corresponds to a certain coarse-grained execution, such that every process observes the same sequence of local states in the two executions, up to stuttering. As a corollary, a large class of correctness properties, including Consensus, can be transferred from coarse-grained to fine-grained executions. We then apply our framework for verifying six different distributed Consensus algorithms w.r.t. their respective communication predicates. The first three algorithms, \emph{One-Third Rule}, \emph{UniformVoting}, and \emph{LastVoting}, tolerate benign failures. The three remaining algorithms, \ute{}, \ate{}, and \eigbyz{}, are designed to tolerate value failures, and solve a weaker variant of the Consensus problem. A preliminary report on the formalization of the \emph{LastVoting} algorithm in the HO model appeared in~\cite{charron:formal}. The paper~\cite{saad:reduction} contains a paper-and-pencil proof of the reduction theorem relating coarse-grained and fine-grained executions, and~\cite{charron:formal-malicious} reports on the formal verification of the \ute{}, \ate{}, and \eigbyz{} algorithms. \bigskip % generated text of all theories \input{session} \section{Conclusion} In this contribution we have formalized the Heard-Of model in the proof assistant Isabelle/HOL. We have established a formal framework, in which fault-tolerant distributed algorithms can be represented, and that caters for different variants (benign or malicious faults, coordinated and uncoordinated algorithms). 
We have formally proved a reduction theorem that relates fine-grained (asynchronous) interleaving executions and coarse-grained executions, in which an entire round constitutes the unit of atomicity. As a corollary, many correctness properties, including Consensus, can be transferred from the coarse-grained to the fine-grained representation. We have applied this framework to give formal proofs in Isabelle/HOL for six different Consensus algorithms known from the literature. Thanks to the reduction theorem, it is enough to verify the algorithms over coarse-grained runs, and this keeps the effort manageable. For example, our \emph{LastVoting} algorithm is similar to the DiskPaxos algorithm verified in~\cite{jaskelioff:diskpaxos}, but our proof here is an order of magnitude shorter, although we prove safety and liveness properties, whereas only safety was considered in~\cite{jaskelioff:diskpaxos}. We also emphasize that the uniform characterization of fault assumptions via communication predicates in the HO model lets us consider the effects of transient failures, contrary to standard models that consider only permanent failures. For example, our correctness proof for the \eigbyz{} algorithm establishes a stronger result than that claimed by the designers of the algorithm. The uniform presentation also paves the way towards comparing assumptions of different algorithms. The encoding of the HO model as Isabelle/HOL theories is quite straightforward, and we find our Isar proofs quite readable, although they necessarily contain the full details that are often glossed over in textbook presentations. We believe that our framework allows algorithm designers to study different fault-tolerant distributed algorithms, their assumptions, and their proofs, in a clear, rigorous and uniform way. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Hello_World/document/root.tex b/thys/Hello_World/document/root.tex --- a/thys/Hello_World/document/root.tex +++ b/thys/Hello_World/document/root.tex @@ -1,48 +1,49 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{marvosym} % world symbol \newcommand{\isactrlurl}[0]{\Mundus} \usepackage{verbatim} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Hello World} \author{Cornelius Diekmann, Lars Hupel} \maketitle \begin{abstract} In this article, we present a formalization of the well-known ``Hello, World!'' code, including a formal framework for reasoning about IO. Our model is inspired by the handling of IO in Haskell. We start by formalizing the \isactrlurl{} and embrace the IO monad afterwards. Then we present a sample \verb~main :: IO ()~, followed by its proof of correctness. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/HereditarilyFinite/document/root.tex b/thys/HereditarilyFinite/document/root.tex --- a/thys/HereditarilyFinite/document/root.tex +++ b/thys/HereditarilyFinite/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} % for \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Hereditarily Finite Sets} \author{Lawrence C. Paulson} \maketitle \begin{abstract} The theory of hereditarily finite sets is formalised, following the development of {\'S}wierczkowski \cite{swierczkowski-finite}. An HF set is a finite collection of other HF sets; they enjoy an induction principle and satisfy all the axioms of ZF set theory apart from the axiom of infinity, which is negated. All constructions that are possible in ZF set theory (Cartesian products, disjoint sums, natural numbers, functions) without using infinite sets are possible here. The definition of addition for the HF sets follows Kirby \cite{kirby-addition}. This development forms the foundation for the Isabelle proof of G\"odel's incompleteness theorems, which has been formalised separately. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Hermite/document/root.tex b/thys/Hermite/document/root.tex --- a/thys/Hermite/document/root.tex +++ b/thys/Hermite/document/root.tex 
@@ -1,41 +1,42 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Hermite Normal Form} \author{By Jose Divas\'on and Jes\'us Aransay\thanks{This research has been funded by the research grant FPI-UR-12 of the Universidad de La Rioja and by the project MTM2014-54151-P from Ministerio de Econom\'ia y Competitividad (Gobierno de Espa\~na).}} \maketitle \begin{abstract} The Hermite Normal Form is a canonical matrix analogue of Reduced Echelon Form, but involving matrices over more general rings. In this work we formalise an algorithm to compute the Hermite Normal Form of a matrix by means of elementary row operations, taking advantage of the Echelon Form AFP entry. We have proven the correctness of such an algorithm and refined it to immutable arrays. Furthermore, we have also formalised the uniqueness of the Hermite Normal Form of a matrix. Code can be exported and some examples of execution involving $\mathbb{Z}$-matrices and $\mathbb{K}[x]$-matrices are presented as well. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Hidden_Markov_Models/document/root.tex b/thys/Hidden_Markov_Models/document/root.tex --- a/thys/Hidden_Markov_Models/document/root.tex +++ b/thys/Hidden_Markov_Models/document/root.tex 
@@ -1,61 +1,61 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage[margin=2cm]{geometry} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} \usepackage[english]{babel} \usepackage{stmaryrd} \usepackage{eufrak} \usepackage{wasysym} \usepackage{tikz} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Hidden Markov Models} \author{Simon Wimmer} \maketitle \begin{abstract} This entry contains a formalization of hidden Markov models \cite{Markov13} based on Johannes Hölzl's formalization of discrete time Markov chains \cite{hoelzl2017mdp}. The basic definitions are provided and the correctness of two main (dynamic programming) algorithms for hidden Markov models is proved: the forward algorithm for computing the likelihood of an observed sequence, and the Viterbi algorithm for decoding the most probable hidden state sequence. The Viterbi algorithm is made executable including memoization. Hidden markov models have various applications in natural language processing. For an introduction see Jurafsky and Martin \cite{Jurafsky}. \end{abstract} \tableofcontents \pagebreak % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Higher_Order_Terms/document/root.tex b/thys/Higher_Order_Terms/document/root.tex --- a/thys/Higher_Order_Terms/document/root.tex +++ b/thys/Higher_Order_Terms/document/root.tex 
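Review bot: removing `-\usepackage[utf8]{inputenc}` while the abstract still types "Johannes Hölzl's" with a literal non-ASCII character makes this file depend on the LaTeX kernel's UTF-8 input default (April 2018 and later); on an older kernel the character no longer has a declared input encoding and the build breaks or mis-renders. Either keep the inputenc line alongside the new `+\usepackage[T1]{fontenc}` (harmless on new kernels) or write the name as `H\"olzl`, the escaped form the other files in this patch already use for accented names. While here, the context line "Hidden markov models have various applications" should capitalise "Markov".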
@@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle} \usepackage{isabellesym} \usepackage{amssymb} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{An Algebra for Higher-Order Terms} \author{Lars Hupel} \maketitle \begin{abstract} In this formalization, I introduce a higher-order term algebra, generalizing the notions of free variables, matching, and substitution. The need arose from the work on a verified compiler from Isabelle to CakeML \cite{hupel2018compiler}. Terms can be thought of as consisting of a \emph{generic} (free variables, constants, application) and a \emph{specific} part. As example applications, this entry provides instantiations for de-Bruijn terms, terms with named variables, and Blanchette's $\lambda$-free higher-order terms \cite{blanchette2016lambda}. Furthermore, I implement translation functions between de-Bruijn terms and named terms and prove their correctness. \end{abstract} \tableofcontents \clearpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} \ No newline at end of file diff --git a/thys/Hoare_Time/document/root.tex b/thys/Hoare_Time/document/root.tex --- a/thys/Hoare_Time/document/root.tex +++ b/thys/Hoare_Time/document/root.tex 
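Review bot: the file still ends without a trailing newline (`\ No newline at end of file` survives right after `\end{document}`); since this commit already touches the file, add the final newline now so that the next edit to the end of the file does not show up as a spurious change to the `\end{document}` line. The placement of `+\usepackage[T1]{fontenc}` itself is consistent with the other files (directly after `\documentclass`, before the isabelle packages).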
@@ -1,52 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \renewcommand{\isacharunderscore}{\_} \renewcommand{\isacharunderscorekeyword}{\_} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \newcommand{\chapter}[1]{\section{#1}} \begin{document} \title{Hoare Logics for Time Bounds} \author{Maximilian P. L. Haslbeck\and Tobias Nipkow% \thanks{Supported by DFG GRK 1480 (PUMA) and Koselleck Grant NI 491/16-1} } \maketitle \begin{abstract} We study three different Hoare logics for reasoning about time bounds of imperative programs and formalize them in Isabelle/HOL: a classical Hoare like logic due to Nielson, a logic with potentials due to Carbonneaux \emph{et al.} and a \emph{separation logic} following work by Atkey, Chagu\'erand and Pottier. These logics are formally shown to be sound and complete. Verification condition generators are developed and are shown sound and complete too. We also consider variants of the systems where we abstract from multiplicative constants in the running time bounds, thus supporting a big-O style of reasoning. Finally we compare the expressive power of the three systems. An informal description is found in an accompanying report \cite{HaslbeckN-TACAS18}. \end{abstract} \setcounter{tocdepth}{2} \tableofcontents \newpage % generated text of all theories \input{session} \bibliographystyle{alpha} \bibliography{root} \end{document} diff --git a/thys/Hood_Melville_Queue/document/root.tex b/thys/Hood_Melville_Queue/document/root.tex --- a/thys/Hood_Melville_Queue/document/root.tex +++ b/thys/Hood_Melville_Queue/document/root.tex 
@@ -1,30 +1,31 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Hood-Melville Queue} \author{Alejandro G\'omez-Londo\~no} \maketitle \begin{abstract} This is a verified implementation of a constant time queue. The original design is due to Hood and Melville \cite{ipl/HoodM81}. This formalization follows the presentation by Okasaki \cite{Okasaki}. \end{abstract} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/HotelKeyCards/document/root.tex b/thys/HotelKeyCards/document/root.tex --- a/thys/HotelKeyCards/document/root.tex +++ b/thys/HotelKeyCards/document/root.tex 
@@ -1,46 +1,47 @@ \documentclass[a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\isasymcdot}{\isamath{\,\cdot\,}} \pagestyle{plain} \newtheorem{theorem}{Theorem} \newtheorem{lemma}{Lemma} \newtheorem{corollary}{Corollary} \begin{document} \title{Verifying a Hotel Key Card System\thanks{Appeared in proceedings of ICTAC 2006 \cite{Nipkow-ICTAC06}}} \author{Tobias Nipkow\\ Institut f\"ur Informatik, TU M\"unchen} \maketitle \begin{abstract} Two models of an electronic hotel key card system are contrasted: a state based and a trace based one. Both are defined, verified, and proved equivalent in the theorem prover Isabelle/HOL. It is shown that if a guest follows a certain safety policy regarding her key cards, she can be sure that nobody but her can enter her room. \end{abstract} \input{intro} \input{session} \input{conclu} \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Hybrid_Logic/document/root.tex b/thys/Hybrid_Logic/document/root.tex --- a/thys/Hybrid_Logic/document/root.tex +++ b/thys/Hybrid_Logic/document/root.tex 
@@ -1,99 +1,99 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Formalizing a Seligman-Style Tableau System for Hybrid Logic} \author{Asta Halkjær From} \maketitle \begin{abstract} This work is a formalization of soundness and completeness proofs for a Seligman-style tableau system for hybrid logic. The completeness result is obtained via a synthetic approach using maximally consistent sets of tableau blocks. The formalization differs from previous work~\cite{jlog17, aiml16} in a few ways. First, to avoid the need to backtrack in the construction of a tableau, the formalized system has no unnamed initial segment, and therefore no Name rule. Second, I show that the full Bridge rule is admissible in the system. Third, I start from rules restricted to only extend the branch with new formulas, including only witnessing diamonds that are not already witnessed, and show that the unrestricted rules are admissible. Similarly, I start from simpler versions of the @-rules and show that these are sufficient. The GoTo rule is restricted using a notion of potential such that each application consumes potential and potential is earned through applications of the remaining rules. I show that if a branch can be closed then it can be closed starting from a single unit. 
Finally, Nom is restricted by a fixed set of allowed nominals. The resulting system should be terminating. \end{abstract} \section*{Preamble} The formalization was part of the author's MSc thesis in Computer Science and Engineering at the Technical University of Denmark (DTU). \paragraph{Supervisors:} \begin{itemize} \item Jørgen Villadsen \item Alexander Birch Jensen (co-supervisor) \item Patrick Blackburn (Roskilde University, external supervisor) \end{itemize} \newpage \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \addcontentsline{toc}{section}{References} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Hybrid_Multi_Lane_Spatial_Logic/document/root.tex b/thys/Hybrid_Multi_Lane_Spatial_Logic/document/root.tex --- a/thys/Hybrid_Multi_Lane_Spatial_Logic/document/root.tex +++ b/thys/Hybrid_Multi_Lane_Spatial_Logic/document/root.tex 
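Review bot: `-\usepackage[utf8]{inputenc}` is dropped, but the author name "Asta Halkjær From" and the supervisor entry "Jørgen Villadsen" are typed with literal non-ASCII characters, so this file now only builds correctly on a UTF-8-by-default kernel (LaTeX 2018-04 or later). If the AFP build must also work on older TeX Live installations, keep the inputenc line next to the new `+\usepackage[T1]{fontenc}`, or spell the names as `Halkj{\ae}r` and `J{\o}rgen`, which is encoding-independent.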
@@ -1,106 +1,107 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Hybrid Multi-Lane Spatial Logic} \author{Sven Linker} \maketitle \begin{abstract} We present a semantic embedding of a spatio-temporal multi-modal logic, specifically defined to reason about motorway traffic, into Isabelle/HOL. The semantic model is an abstraction of a motorway, emphasising local spatial properties, and parameterised by the types of sensors deployed in the vehicles. We use the logic to define controller constraints to ensure safety, i.e., the absence of collisions on the motorway. After proving safety with a restrictive definition of sensors, we relax these assumptions and show how to amend the controller constraints to still guarantee safety. Published in iFM 2017 \cite{Linker2017}. \end{abstract} Formal verification of autonomous vehicles on motorways is a challenging problem, due to the complex interactions between dynamical behaviours and controller choices of the vehicles. To overcome the complexities of proving safety properties, we proposed to separate the dynamical behaviour from the concrete changes in space \cite{Hilscher2011}. To that end, we defined \emph{Multi-Lane Spatial Logic} (MLSL), which was used to express guards and invariants of controller automata defining a protocol for safe lane-change manoeuvres. 
Under the assumption that all vehicles adhere to this protocol, we proved that collisions were avoided. Subsequently, we presented an extension of MLSL to reason about changes in space over time, a system of natural deduction, and formally proved a safety theorem \cite{Linker2015a,Linker2015b}. This proof was carried out manually and dependent on strong assumptions about the vehicles' sensors. We define a semantic embedding of a further extension of MLSL, inspired by Hybrid Logic \cite{Brauner2010}. Subsequently, we show how the safety theorem can be proved within this embedding. Finally, we alter this formal embedding by relaxing the assumptions on the sensors. We show that the previously proven safety theorem does \emph{not} ensure safety in this case, and how the controller constraints can be strengthened to guarantee safety. \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Hybrid_Systems_VCs/document/root.tex b/thys/Hybrid_Systems_VCs/document/root.tex --- a/thys/Hybrid_Systems_VCs/document/root.tex +++ b/thys/Hybrid_Systems_VCs/document/root.tex 
@@ -1,76 +1,77 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Verification Components for Hybrid Systems} \author{Jonathan Juli\'an Huerta y Munive} \maketitle \begin{abstract} These components formalise a semantic framework for the deductive verification of hybrid systems. They support reasoning about continuous evolutions of hybrid programs in the style of differential dynamic logic. Vector fields or flows model these evolutions, and their verification is done with invariants for the former or orbits for the latter. Laws of modal Kleene algebra or categorical predicate transformers implement the verification condition generation. Examples show the approach at work. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introductory Remarks} These theories implement verification components for hybrid programs in the style of differential dynamic logic~\cite{Platzer10}, an approach for deductive verification of hybrid systems. Following~\cite{afp:vericomp}, we use modal Kleene algebra, which subsumes the propositional part of dynamic logic, to automatically derive verification conditions for the program flow. Alternatively we also use categorical predicate transformers as formalised in~\cite{afp:transem}. 
These conditions are entirely about the dynamics that describe the continuous evolution of the hybrid system. The dynamics are formalised with flows and vector fields for systems of ordinary differential equations (ODEs) as in~\cite{ImmlerH12a}. The components support reasoning with vector fields by annotating differential invariants or by providing the solution of the system of ODEs; otherwise, the flow is enough for verification of the continuous evolution. We formalise several rules for derivatives that, when supplied to Isabelle's \isa{auto} method, enhance the automation of the process of discharging proof obligations. In all versions of our verification components we also derive domain specific rules of differential dynamic logic and prove a correctness specification of three hybrid systems using each of our procedures for reasoning with continuous evolutions. In addition to these implementations, for ease of use, we also present a stand alone light-weight variant of the verification components with predicate transformers that does not depend on other AFP entries. Background information on differential dynamic logic and some of its variants can be found in~\cite{Platzer10,BohrerRVVP17}, the general shallow embedding approach for building verification components with Isabelle can be found in~\cite{ArmstrongGS16}. For more details on modal Kleene algebra see~\cite{DesharnaisS11}; a paper with a detailed overview of the verification components in this entry and the mathematical concepts employed to build them will be available soon on ArXiv. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/HyperCTL/document/root.tex b/thys/HyperCTL/document/root.tex --- a/thys/HyperCTL/document/root.tex +++ b/thys/HyperCTL/document/root.tex 
@@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \addtolength{\paperwidth}{4cm} \addtolength{\textwidth}{4cm} %\addtolength{\leftmargin}{-3cm} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A shallow embedding of HyperCTL$^*$} \author{Markus N. Rabe \and Peter Lammich \and Andrei Popescu} \date{} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{intro} % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/IEEE_Floating_Point/document/root.tex b/thys/IEEE_Floating_Point/document/root.tex --- a/thys/IEEE_Floating_Point/document/root.tex +++ b/thys/IEEE_Floating_Point/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \parindent 0pt\parskip 0.5ex \begin{document} \title{A Formal Model of IEEE Floating Point Arithmetic} \author{Lei Yu} \maketitle \begin{abstract} This development provides a formal model of IEEE-754 floating-point arithmetic. This formalization, including formal specification of the standard and proofs of important properties of floating-point arithmetic, forms the foundation for verifying programs with floating-point computation. There is also a code generation setup for floats so that we can execute programs using this formalization in functional programming languages. The definitions of the IEEE standard in Isabelle is ported from HOL Light \cite{harrison1997floating}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/IMAP-CRDT/document/root.tex b/thys/IMAP-CRDT/document/root.tex --- a/thys/IMAP-CRDT/document/root.tex +++ b/thys/IMAP-CRDT/document/root.tex 
@@ -1,235 +1,233 @@ -\documentclass[11pt,a4paper, DIV=11]{article} - -\usepackage[utf8]{inputenc} +\documentclass[11pt,a4paper,DIV=11]{article} \usepackage[T1]{fontenc} \usepackage{fullpage} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath,amsfonts} \renewcommand{\bf}{\normalfont\bfseries} \renewcommand{\rm}{\normalfont\rmfamily} \renewcommand{\it}{\normalfont\itshape} \usepackage{pdfsetup} \hypersetup{ pdfinfo={ Title={The IMAP CmRDT}, Subject={}, Keywords={IMAP, Isabelle, CRDT}, Author={Tim Jungnickel, Lennart Oldenburg, Matthias Loibl}, Creator={} }, bookmarksopen=true, bookmarksnumbered, bookmarksopenlevel=2, bookmarksdepth=3 } % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\isastyle}{\isastyleminor} \usepackage{algorithm} % for CRDT translation \usepackage[noend]{algpseudocode} % for CRDT translation \usepackage{amssymb} % for correct math symbols \newcommand{\create}{\textit{create}} \newcommand{\delete}{\textit{delete}} \newcommand{\store}{\textit{store}} \newcommand{\append}{\textit{append}} \newcommand{\expunge}{\textit{expunge}} \newcommand{\session}{\textit{session}} \title{The IMAP CmRDT} \author{Tim Jungnickel, Lennart Oldenburg, Matthias Loibl} \date{\today} \begin{document} \maketitle \begin{abstract} We provide our Isabelle/HOL formalization of a Conflict-free Replicated Data Type for Internet Message Access Protocol commands. To this end, we show that Strong Eventual Consistency (SEC) is guaranteed by proving the commutativity of concurrent operations. We base our formalization on the recently proposed "framework for establishing Strong Eventual Consistency for Conflict-free Replicated Datatypes" (AFP.CRDT) by Gomes et al{.} Hence, we provide an additional example of how the recently proposed framework can be used to design and prove CRDTs. 
\end{abstract} \tableofcontents %\newpage \section{Preface} A Conflict-free Replicated Data Type (CRDT) \cite{shapiro_crdt} ensures convergence of replicas without requiring a central coordination server or even a distributed coordination system based on consensus or locking. Despite the fact that Shapiro et al{.} provide a comprehensive collection of definitions for the most useful data types such as registers, sets, and lists \cite{shapiro_report}, we observe that the use of CRDTs in standard IT services is rather uncommon. Therefore, we use the Internet Message Access Protocol (IMAP)---the de-facto standard protocol to retrieve and manipulate mail messages on an email server---as an example to show the feasibility of using CRDTs for replicating state of a standard IT service to achieve planetary scale. Designing a \emph{correct} CRDT is a challenging task. A CmRDT, the operation-based variant of a CRDT, requires all operations to commute. To this end, Gomes et al{.} recently published a CmRDT verification framework \cite{gomes_crdtafp} in Isabelle/HOL. In our most recent work \cite{pluto}, we presented \emph{pluto}, our research prototype of a planetary-scale IMAP service. To achieve the claimed planet-scale, we designed a CmRDT that provides multi-leader replication of mailboxes without the need of synchronous operations. In order to ensure the correctness of our proposed IMAP CmRDT, we implemented it in the verification framework proposed by Gomes et al{.} In this work, we present our Isabelle/HOL proof of the necessary properties and show that our CmRDT indeed guarantees Strong Eventual Consistency (SEC). We contribute not only the certainty that our CmRDT design is correct, but also provide one more example of how the verification framework can be used to prove the correctness of a CRDT. \subsection{The IMAP CmRDT} In the rest of this work, we show how we modeled our IMAP CmRDT in Isabelle/HOL. 
We start by presenting the original IMAP CmRDT, followed by the implementation details of the Isabelle/HOL formalization. The presentation of our CmRDT in Spec.~\ref{spec:imap} is based on the syntax introduced in \cite{shapiro_report}. We highly recommend reading the foundational work by Shapiro et al{.} prior to following our proof documentation. In essence, the IMAP CmRDT represents the state of a mailbox, containing folders (of type $\mathcal{N}$) and messages (of type $\mathcal{M}$). Moreover, we introduce metadata in form of tags (of type $\texttt{ID}$). All modeling details and a more detailed description of the CmRDT are provided in the original paper \cite{pluto}. \begin{algorithm}[t] \floatname{algorithm}{Specification} \caption{The IMAP CmRDT} \label{spec:imap} \algsetblock{payload}{}{1}{0.5cm} \algsetblock{update}{}{2}{0.5cm} \algsetblockdefx{atsourceone}{}{1}{0.5cm}[1][]{\textbf{atSource} #1}{} \algsetblockdefx{atsourcetwo}{}{2}{0.5cm}[1][]{\textbf{atSource} #1}{} \algsetblockdefx{downstreamone}{}{1}{0.5cm}[1][]{\textbf{downstream} #1}{} \begin{algorithmic}[1] \payload \ map $u: \mathcal{N} \rightarrow \mathcal{P}(\texttt{ID}) \times \mathcal{P}(\mathcal{M})$ \Comment{$\{\text{foldername}\ f \mapsto (\{\text{tag}\ t\}, \{\text{msg}\ m\}), \dots \}$} \State initial $\left(\lambda x . 
(\varnothing, \varnothing)\right)$ \vspace{0.3em} \update \ \create\ $(\text{foldername}\ f)$ \atsourceone{} \State let $\alpha = \textit{unique}()$ \downstreamone{$(f, \alpha)$} \State $u(f) \mapsto (u(f)_1 \cup \{\alpha\}, u(f)_2)$ \vspace{0.3em} \update \ \delete\ $(\text{foldername}\ f)$ \atsourcetwo{$(f)$} \State let $R_1 = u(f)_1$ \State let $R_2 = u(f)_2$ \downstreamone{$(f, R_1, R_2)$} \State $u(f) \mapsto (u(f)_1 \setminus R_1, u(f)_2 \setminus R_2)$ \update \ \append\ $(\text{foldername}\ f, \text{message}\ m)$ \atsourceone{$(m)$} \State \textbf{pre} $m$ is globally unique \downstreamone{$(f, m)$} \State $u(f) \mapsto (u(f)_1, u(f)_2 \cup \{m\})$ \vspace{0.3em} \update \ \expunge\ $(\text{foldername}\ f, \text{message}\ m)$ \atsourcetwo{$(f, m)$} \State \textbf{pre} $m \in u(f)_2$ \State let $\alpha = \textit{unique}()$ \downstreamone{$(f, m, \alpha)$} \State $u(f) \mapsto (u(f)_1 \cup \{\alpha\}, u(f)_2 \setminus \{m\})$ \vspace{0.3em} \update \ \store\ $(\text{foldername}\ f, \text{message}\ m_\text{old}, \text{message}\ m_\text{new})$ \atsourcetwo{$(f, m_\textit{old}, m_\textit{new})$} \State \textbf{pre} $m_\text{old} \in u(f)_2$ \State \textbf{pre} $m_\text{new}$ is globally unique \downstreamone{$(f, m_\text{old}, m_\text{new})$} \State $u(f) \mapsto (u(f)_1, (u(f)_2 \setminus \{m_\text{old}\}) \cup \{m_\text{new}\})$ \end{algorithmic} \end{algorithm} The only notable difference between the presented specification and our Isabelle/HOL formalization is, that we no longer distinguish between sets $\texttt{ID}$ and $\mathcal{M}$ and that the generated tags of \create\ and \expunge\ are handled explicitly. This makes the formalization slightly easier, because less type variables are introduced. The concrete definition can be found in the \textit{IMAP-CRDT Definitions} section of the \texttt{IMAP-def.thy} file. \subsection{Proof Guide} \textit{Hint:} In our proof, we build on top of the definitions given by Gomes et al{.} in \cite{gomes_crdtisabelle}. 
We strongly recommend to read their paper first before following our proof. In fact, in our formalization we reuse the \textit{locales} of the proposed framework and therefore this work cannot be compiled without the reference to \cite{gomes_crdtafp}. Operation-based CRDTs require all concurrent operations to commute in order to ensure convergence. Therefore, we begin our verification by proving the commutativity of every combination of possible concurrent operations. Initially, we used \textit{nitpick} to identify corner cases in our implementation. We prove the commutativity in Section 3 of the \texttt{IMAP-proof-commute.thy} file. The \textit{critical conditions} to satisfy in order to commute, can be summarized as follows: \begin{itemize} \item The tags of a \create\ and \expunge\ operation or the messages of an \append\ and \store\ operation are never in the removed-set of a concurrent \delete\ operation. \item The message of an \append\ operation is never the message that is deleted by a concurrent \store\ or \expunge\ operation. \item The message inserted by a \store\ operation is never the message that is deleted by a concurrent \store\ or \expunge\ operation. \end{itemize} The identified conditions obviously hold in regular traces of our system, because an item that has been inserted by one operation cannot be deleted by a concurrent operation. It simply cannot be present at the time of the initiation of the concurrent operation. Next, we show that the identified conditions actually hold for all concurrent operations. Because all tags and all inserted messages are globally unique, it can easily be shown that all conditions are satisfied. In Isabelle/HOL, showing this fact takes some effort. Fortunately, we were able to reuse parts of the Isabelle/HOL implementation of the OR-Set proof in \cite{gomes_crdtafp}. The Isabelle/HOL proofs for the \textit{critical conditions} are encapsulated in the \texttt{IMAP-proof-independent.thy} file. 
With the introduced lemmas, we prove the final theorem that states that convergence is guaranteed. Due to all operations being commutative in case the \textit{critical conditions} are satisfied and the \textit{critical conditions} indeed are holding for all concurrent updates, all concurrent operations commute. The Isabelle/HOL proof is contained in the \texttt{IMAP-proof.thy} file. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/IMO2019/document/root.tex b/thys/IMO2019/document/root.tex --- a/thys/IMO2019/document/root.tex +++ b/thys/IMO2019/document/root.tex @@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{International Mathematical Olympiad 2019} \author{Manuel Eberl} \maketitle \begin{abstract} This entry contains formalisations of the answers to three of the six problem of the International Mathematical Olympiad 2019, namely Q1, Q4, and Q5. The reason why these problems were chosen is that they are particularly amenable to formalisation: they can be solved with minimal use of libraries. The remaining three concern geometry and graph theory, which, in the author's opinion, are more difficult to formalise resp.\ require a more complex library. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \nocite{imo2019} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
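Review bot: the rewritten `+\documentclass[11pt,a4paper,DIV=11]{article}` keeps `DIV=11`, which is a KOMA-Script (typearea) option that the standard `article` class does not understand; LaTeX only reports it as an unused global option, and the page layout of this document is actually set by `\usepackage{fullpage}` further down. Drop `DIV=11` while this line is being rewritten rather than just normalising its whitespace. Also visible in the context of this hunk: `\usepackage{amssymb}` is loaded twice (once after `isabellesym`, once with the comment `% for correct math symbols`); the second load is redundant.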
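Review bot: in `+\usepackage{amsfonts,amsmath,amssymb}` the `amsfonts` entry is redundant, because `amssymb` loads `amsfonts` itself; since the line is being rewritten anyway, reduce it to `\usepackage{amsmath,amssymb}`. In the abstract context of the same hunk, "three of the six problem of the International Mathematical Olympiad 2019" should read "three of the six problems".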
diff --git a/thys/IMP2/document/root.tex b/thys/IMP2/document/root.tex --- a/thys/IMP2/document/root.tex +++ b/thys/IMP2/document/root.tex 
@@ -1,85 +1,86 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \newcommand{\isactrlimp}{{\bf imp}} \newcommand{\isactrlhtriple}{{\bf htriple}} %\newcommand{\isactrlhtriple_partial}{{\bf htriple\_partial}} \begin{document} \title{IMP2 --- Simple Program Verification in Isabelle/HOL} \author{Peter Lammich \and Simon Wimmer} \maketitle \abstract{ IMP2 is a simple imperative language together with Isabelle tooling to create a program verification environment in Isabelle/HOL. The tools include a C-like syntax, a verification condition generator, and Isabelle commands for the specification of programs. The framework is modular, i.e., it allows easy reuse of already proved programs within larger programs. This entry comes with a quickstart guide and a large collection of examples, spanning basic algorithms with simple proofs to more advanced algorithms and proof techniques like data refinement. Some highlights from the examples are: Bisection Square Root, Extended Euclid, Exponentiation by Squaring, Binary Search, Insertion Sort, Quicksort, Depth First Search. The abstract syntax and semantics are very simple and well-documented. They are suitable to be used in a course, as extension to the IMP language which comes with the Isabelle distribution. 
While this entry is limited to a simple imperative language, the ideas could be extended to more sophisticated languages. } \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/IMP2_Binary_Heap/document/root.tex b/thys/IMP2_Binary_Heap/document/root.tex --- a/thys/IMP2_Binary_Heap/document/root.tex +++ b/thys/IMP2_Binary_Heap/document/root.tex 
@@ -1,61 +1,62 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{IMP2 Binary Heap} \author{Simon Griebel} \date{\today} \maketitle \begin{abstract} In this submission array-based binary minimum heaps are formalized. The correctness of the following heap operations is proven: \mbox{insert}, get-min, delete-min and make-heap. These are then used to verify an in-place heapsort. The formalization is based on IMP2, an imperative program verification framework implemented in Isabelle/HOL. The verified heap functions are iterative versions of the partly recursive functions found in ``Algorithms and Data Structures – The Basic Toolbox'' by K. Mehlhorn and P. Sanders and ``Introduction to Algorithms'' by T. H. Cormen, C. E. Leiserson, R. L. Rivest and C. Stein. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \newpage % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/IP_Addresses/document/root.tex b/thys/IP_Addresses/document/root.tex --- a/thys/IP_Addresses/document/root.tex +++ b/thys/IP_Addresses/document/root.tex 
@@ -1,60 +1,61 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{IP Addresses} \author{Cornelius Diekmann, Julius Michaelis, Lars Hupel} \maketitle \begin{abstract} This entry contains a definition of IP addresses and a library to work with them. Generic IP addresses are modeled as machine words of arbitrary length. Derived from this generic definition, IPv4 addresses are 32bit machine words, IPv6 addresses are 128bit words. Additionally, IPv4 addresses can be represented in dot-decimal notation and IPv6 addresses in (compressed) colon-separated notation. We support toString functions and parsers for both notations. Sets of IP addresses can be represented with a netmask (e.g. 192.168.0.0/255.255.0.0) or in CIDR notation (e.g. 192.168.0.0/16). To provide executable code for set operations on IP address ranges, the library includes a datatype to work on arbitrary intervals of machine words. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Imperative_Insertion_Sort/document/root.tex b/thys/Imperative_Insertion_Sort/document/root.tex --- a/thys/Imperative_Insertion_Sort/document/root.tex +++ b/thys/Imperative_Insertion_Sort/document/root.tex 
@@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage[english]{babel} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Imperative Insertion Sort} \author{Christian Sternagel} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Impossible_Geometry/document/root.tex b/thys/Impossible_Geometry/document/root.tex --- a/thys/Impossible_Geometry/document/root.tex +++ b/thys/Impossible_Geometry/document/root.tex 
@@ -1,51 +1,52 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\isasymsqrt}{\isamath{\sqrt{}}} \begin{document} \title{Proving the Impossibility of Trisecting an Angle and Doubling the Cube} \author{Ralph Romanos and Lawrence Paulson} \maketitle \begin{abstract} Squaring the circle, doubling the cube and trisecting an angle, using a compass and straightedge alone, are classic unsolved problems first posed by the ancient Greeks. All three problems were proved to be impossible in the 19th century. The following document presents the proof of the impossibility of solving the latter two problems using Isabelle/HOL, following a proof by Carrega~\cite{Car81}. The proof uses elementary methods: no Galois theory or field extensions. The set of points constructible using a compass and straightedge is defined inductively. Radical expressions, which involve only square roots and arithmetic of rational numbers, are defined, and we find that all constructive points have radical coordinates. Finally, doubling the cube and trisecting certain angles requires solving certain cubic equations that can be proved to have no rational roots. The Isabelle proofs require a great many detailed calculations. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Incompleteness/document/root.tex b/thys/Incompleteness/document/root.tex --- a/thys/Incompleteness/document/root.tex +++ b/thys/Incompleteness/document/root.tex 
@@ -1,33 +1,34 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} % for \ \usepackage[ngerman]{babel} % for guillemots % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{G\"odel's Incompleteness Theorems} \author{Lawrence C. Paulson} \maketitle \begin{abstract} G\"odel's two incompleteness theorems \cite{goedel-I} are formalised, following a careful presentation by {\'S}wierczkowski \cite{swierczkowski-finite}, in the theory of hereditarily finite sets. This represents the first ever machine-assisted proof of the second incompleteness theorem. Compared with traditional formalisations using Peano arithmetic \cite{boolos-provability}, coding is simpler, with no need to formalise the notion of multiplication (let alone that of a prime number) in the formalised calculus upon which the theorem is based. However, other technical problems had to be solved in order to complete the argument. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Incredible_Proof_Machine/document/root.tex b/thys/Incredible_Proof_Machine/document/root.tex --- a/thys/Incredible_Proof_Machine/document/root.tex +++ b/thys/Incredible_Proof_Machine/document/root.tex 
@@ -1,153 +1,152 @@ \documentclass[11pt,DIV16,a4paper,parskip=half]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} % From src/HOL/HOLCF/document/root \newcommand{\isasymnotsqsubseteq}{\isamath{\not\sqsubseteq}} \usepackage{amsmath} \usepackage{amsfonts} \usepackage{mathtools} -\usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} \usepackage{calc} \usepackage{floatpag} \floatpagestyle{empty} % this should be the last package used \usepackage{pdfsetup} % silence the KOMA script warnings \def\bf{\normalfont\bfseries} \def\it{\normalfont\itshape} \def\rm{\normalfont\rmfamily} % urls in roman style, theorys in math-similar italics \urlstyle{rm} \isabellestyle{it} % Isabelle does not like *} in a text {* ... *} block % Concrete implemenation thanks to http://www.mrunix.de/forums/showpost.php?p=235085&postcount=5 \newenvironment{alignstar}{\csname align*\endcsname}{\csname endalign*\endcsname} \newenvironment{alignatstar}{\csname alignat*\endcsname}{\csname endalignat*\endcsname} % Entering \ in Isabelle/jEdit has unwanted consequences \catcode`\|=0 % % Unfortunately, _ are the norm for Isabelle file names \catcode`\_=12 \begin{document} \title{The meta theory of the\\ Incredible Proof Machine} \author{Joachim Breitner \and Denis Lohner} \maketitle \begin{abstract} \noindent The Incredible Proof Machine is an interactive visual theorem prover which represents proofs as port graphs. We model this proof representation in Isabelle, and prove that it is just as powerful as natural deduction. \end{abstract} \tableofcontents \section{Introduction} The Incredible Proof Machine (\url{http://incredible.pm}) is an educational tool that allows the user to prove theorems just by dragging proof blocks (corresponding to proof rules) onto a canvas, and connecting them correctly. 
In the ITP 2016 paper \cite{incredible} the first author formally describes the shape of these graphs, as port graphs, and gives the necessary conditions for when we consider such a graph a valid proof graph. The present Isabelle formalization implements these definitions in Isabelle, and furthermore proves that such proof graphs are just as powerful as natural deduction. All this happens with regard to an abstract set of formulas (theory \isa{Abstract_Formula}) and an abstract set of logic rules (theory \isa{Abstract_Rules}) and can thus be instantiated with various logics. This formalization covers the following aspects: \begin{itemize} \item We formalize the definition of port graphs, proof graphs and the conditions for such a proof graph to be a valid graph (theory \isa{Incredible_Deduction}). \item We provide a formal description of natural deduction (theory \isa{Natural_Deduction}), which connects to the existing theories in the AFP entry “Abstract Completeness” \cite{Abstract_Completeness-AFP}. \item For every proof graph, we construct a corresponding natural deduction derivation tree (theory \isa{Incredible_Correctness}). \item Conversely, if we have a natural deduction derivation tree, we can construct a proof graph thereof (theory \isa{Incredible_Completeness}). This is the much harder direction, mostly because the freshness side condition for locally fixed constants (such as in the introduction rule for the universal quantifier) is a local check in natural deduction, but a global check in proofs graphs, and thus some elaborate renaming has to occur (\isa{globalize} in \isa{Incredible_Trees}). \item To explain our abstract locales, and ensure that the assumptions are consistent, we provide example instantiations for them. \end{itemize} It does not cover the unification procedure and expects that a suitable instantiation is already given. 
It also does not cover the creation and use of custom blocks, which abstract over proofs and thus correspond to lemmas in Isabelle. \subsection*{Acknowledgements} We would like to thank Andreas Lochbihler for helpful comments. \bibliographystyle{amsalpha} \bibliography{root} \clearpage \newcommand{\theory}[1]{\subsection{#1}\label{sec\string_#1}\input{#1.tex}} \section{Auxiliary theories} \label{ch\string_aux} \theory{Entailment} \theory{Indexed\string_FSet} \theory{Rose\string_Tree} \clearpage \section{Abstract formulas, rules and tasks} \theory{Abstract\string_Formula} \theory{Abstract\string_Rules} \clearpage \section{Incredible Proof Graphs} \theory{Incredible\string_Signatures} \theory{Incredible\string_Deduction} \theory{Abstract\string_Rules\string_To\string_Incredible} \clearpage \section{Natural Deduction} \theory{Natural\string_Deduction} \clearpage \section{Correctness} \theory{Incredible\string_Correctness} \clearpage \section{Completeness} \theory{Incredible\string_Trees} \theory{Build\string_Incredible\string_Tree} \theory{Incredible\string_Completeness} \clearpage \section{Instantiations} To ensure that our locale assumption are fulfillable, we instantiate them with small examples. \theory{Propositional\string_Formulas} \theory{Incredible\string_Propositional} \theory{Incredible\string_Propositional\string_Tasks} \theory{Predicate\string_Formulas} \theory{Incredible\string_Predicate} \theory{Incredible\string_Predicate\string_Tasks} \end{document} diff --git a/thys/Inductive_Confidentiality/document/root.tex b/thys/Inductive_Confidentiality/document/root.tex --- a/thys/Inductive_Confidentiality/document/root.tex +++ b/thys/Inductive_Confidentiality/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Inductive Study of Confidentiality} \author{Giampaolo Bella\\ Dipartimento di Matematica e Informatica, Universit\`a di Catania, Italy} \maketitle \begin{abstract} This document contains the full theory files accompanying article ``Inductive Study of Confidentiality --- for Everyone'' \cite{confeveryone}. They aim at an illustrative and didactic presentation of the Inductive Method of protocol analysis, focusing on the treatment of one of the main goals of security protocols: confidentiality against a threat model. The treatment of confidentiality, which in fact forms a key aspect of all protocol analysis tools, has been found cryptic by many learners of the Inductive Method, hence the motivation for this work. The theory files in this document guide the reader step by step towards design and proof of significant confidentiality theorems. These are developed against two threat models, the standard Dolev-Yao and a more audacious one, the General Attacker, which turns out to be particularly useful also for teaching purposes. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Inductive_Inference/document/root.tex b/thys/Inductive_Inference/document/root.tex --- a/thys/Inductive_Inference/document/root.tex +++ b/thys/Inductive_Inference/document/root.tex 
@@ -1,71 +1,70 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} - \usepackage[top=3cm,bottom=3cm]{geometry} \usepackage{amssymb} % for \mathbb % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Some classical results in inductive inference of recursive functions} \author{Frank J. Balbach} \maketitle \begin{abstract} This entry formalizes some classical concepts and results from inductive inference of recursive functions. In the basic setting a partial recursive function (``strategy'') must identify (``learn'') all functions from a set (``class'') of recursive functions. To that end the strategy receives more and more values $f(0), f(1), f(2), \ldots$ of some function $f$ from the given class and in turn outputs descriptions of partial recursive functions, for example, Gödel numbers. The strategy is considered successful if the sequence of outputs (``hypotheses'') converges to a description of $f$. A class of functions learnable in this sense is called ``learnable in the limit''. The set of all these classes is denoted by LIM. Other types of inference considered are finite learning (FIN), behaviorally correct learning in the limit (BC), and some variants of LIM with restrictions on the hypotheses: total learning (TOTAL), consistent learning (CONS), and class-preserving learning (CP). The main results formalized are the proper inclusions $\mathrm{FIN} \subset \mathrm{CP} \subset \mathrm{TOTAL} \subset \mathrm{CONS} \subset \mathrm{LIM} \subset \mathrm{BC} \subset 2^{\mathcal{R}}$, where $\mathcal{R}$ is the set of all total recursive functions. 
Further results show that for all these inference types except CONS, strategies can be assumed to be total recursive functions; that all inference types but CP are closed under the subset relation between classes; and that no inference type is closed under the union of classes. The above is based on a formalization of recursive functions heavily inspired by the \emph{Universal Turing Machine} entry by Xu~et~al.~\cite{Universal_Turing_Machine-AFP}, but different in that it models partial functions with codomain \emph{nat option}. The formalization contains a construction of a universal partial recursive function, without resorting to Turing machines, introduces decidability and recursive enumerability, and proves some standard results: existence of a Kleene normal form, the $s$-$m$-$n$ theorem, Rice's theorem, and assorted fixed-point theorems (recursion theorems) by Kleene, Rogers, and Smullyan. \end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/InfPathElimination/document/root.tex b/thys/InfPathElimination/document/root.tex --- a/thys/InfPathElimination/document/root.tex +++ b/thys/InfPathElimination/document/root.tex 
@@ -1,129 +1,129 @@ -%\documentclass[11pt,a4paper]{article} -\documentclass[11pt, USenglish]{article} +\documentclass[11pt,USenglish]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{hyphenat} \usepackage{authblk} \usepackage[final]{graphicx} \usepackage{url} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{\huge Infeasible Paths Elimination by Symbolic Execution Techniques:\\ \large Proof of Correctness and Preservation of Paths} \author{% %\href{https://www.lri.fr/~aissat/}{ Romain Aissat %} and %\href{https://www.lri.fr/~fv/}{ Fr\'ed\'eric Voisin %} and %\href{https://www.lri.fr/~wolff/}{ Burkhart Wolff %} } \affil{% LRI, Univ Paris-Sud, CNRS, CentraleSup\'elec,\\Universit\'e Paris-Saclay, France\\ \href{mailto:"Romain Aissat"}{aissat@lri.fr}, \href{mailto:"Burkhart Wolff"}{wolff@lri.fr} } \maketitle \begin{abstract} TRACER~\cite{DBLP:conf/cav/JaffarMNS12} is a tool for verifying safety properties of sequential C programs. TRACER attempts at building a finite symbolic execution graph which over\hyp{}approximates the set of all concrete reachable states and the set of feasible paths. We present an abstract framework for TRACER and similar CEGAR\hyp{}like systems~\cite{DBLP:journals/sttt/BeyerHJM07,DBLP:conf/tacas/ClarkeKSY05,DBLP:conf/cav/IvancicYGGSA05,DBLP:conf/pldi/GrebenshchikovLPR12,McMillan2006}. 
The framework provides 1) a graph\hyp{}transformation based method for reducing the feasible paths in control\hyp{}flow graphs, 2) a model for symbolic execution, subsumption, predicate abstraction and invariant generation. In this framework we formally prove two key properties: correct construction of the symbolic states and preservation of feasible paths. The framework focuses on core operations, leaving to concrete prototypes to ``fit in'' heuristics for combining them. The accompanying paper (published in ITP 2016) can be found at \url{https://www.lri.fr/~wolff/papers/conf/2016-itp-InfPathsNSE.pdf}, also appeared in\cite{AissatVW2016}. \bigskip \noindent{\textbf{Keywords: TRACER, CEGAR, Symbolic Executions, Feasible Paths, Control-Flow Graphs, Graph Transformation}} \end{abstract} \newpage \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{intro} \newpage % generated text of all theories \input{session} \newpage \input{summary} %\newpage % optional bibliography %\bibliographystyle{abbrv} \bibliographystyle{IEEEtran} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/InformationFlowSlicing/document/root.tex b/thys/InformationFlowSlicing/document/root.tex --- a/thys/InformationFlowSlicing/document/root.tex +++ b/thys/InformationFlowSlicing/document/root.tex 
@@ -1,71 +1,71 @@ \documentclass[11pt,a4paper,notitlepage]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{amssymb} \usepackage{textcomp} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{wasysym} \usepackage{graphicx} \usepackage{url} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Slicing Guarantees Information Flow Noninterference} \author{Daniel Wasserrab} \maketitle \begin{abstract} In this contribution, we show how correctness proofs for intra- \cite{Wasserrab:08} and interprocedural slicing \cite{Wasserrab:09} can be used to prove that slicing is able to guarantee information flow noninterference. Moreover, we also illustrate how to lift the control flow graphs of the respective frameworks such that they fulfil the additional assumptions needed in the noninterference proofs. A detailed description of the intraprocedural proof and its interplay with the slicing framework can be found in \cite{WasserrabLS:09}. \end{abstract} \section{Introduction} Information Flow Control (IFC) encompasses algorithms which determines if a given program leaks secret information to public entities. The major group are so called IFC type systems, where well-typed means that the respective program is secure. Several IFC type systems have been verified in proof assistants, e.g.\ see \cite{BartheN:04,BarthePR:07,Kammueller:08,BeringerH:08,SneltingW:08}. However, type systems have some drawbacks which can lead to false alarms. To overcome this problem, an IFC approach basing on slicing has been developed \cite{HammerS:09}, which can significantly reduce the amount of false alarms. This contribution presents the first machine-checked proof that slicing is able to guarantee IFC noninterference. 
It bases on previously published machine-checked correctness proofs for slicing \cite{Wasserrab:08,Wasserrab:09}. Details for the intraprocedural case can be found in \cite{WasserrabLS:09}. %\parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/InformationFlowSlicing_Inter/document/root.tex b/thys/InformationFlowSlicing_Inter/document/root.tex --- a/thys/InformationFlowSlicing_Inter/document/root.tex +++ b/thys/InformationFlowSlicing_Inter/document/root.tex 
@@ -1,71 +1,71 @@ \documentclass[11pt,a4paper,notitlepage]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{amssymb} \usepackage{textcomp} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{wasysym} \usepackage{graphicx} \usepackage{url} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Slicing Guarantees Information Flow Noninterference} \author{Daniel Wasserrab} \maketitle \begin{abstract} In this contribution, we show how correctness proofs for intra- \cite{Wasserrab:08} and interprocedural slicing \cite{Wasserrab:09} can be used to prove that slicing is able to guarantee information flow noninterference. Moreover, we also illustrate how to lift the control flow graphs of the respective frameworks such that they fulfil the additional assumptions needed in the noninterference proofs. A detailed description of the intraprocedural proof and its interplay with the slicing framework can be found in \cite{WasserrabLS:09}. \end{abstract} \section{Introduction} Information Flow Control (IFC) encompasses algorithms which determines if a given program leaks secret information to public entities. The major group are so called IFC type systems, where well-typed means that the respective program is secure. Several IFC type systems have been verified in proof assistants, e.g.\ see \cite{BartheN:04,BarthePR:07,Kammueller:08,BeringerH:08,SneltingW:08}. However, type systems have some drawbacks which can lead to false alarms. To overcome this problem, an IFC approach basing on slicing has been developed \cite{HammerS:09}, which can significantly reduce the amount of false alarms. This contribution presents the first machine-checked proof that slicing is able to guarantee IFC noninterference. 
It bases on previously published machine-checked correctness proofs for slicing \cite{Wasserrab:08,Wasserrab:09}. Details for the intraprocedural case can be found in \cite{WasserrabLS:09}. %\parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Integration/document/root.tex b/thys/Integration/document/root.tex --- a/thys/Integration/document/root.tex +++ b/thys/Integration/document/root.tex 
@@ -1,77 +1,77 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{latexsym} \usepackage{amsmath} \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} \usepackage{eufrak} \usepackage{textcomp} %\usepackage{apalike} %\usepackage{times} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % proper setup for best-style documents \urlstyle{rm} \isabellestyle{it} \hyphenation{Isabelle} \date{15th May 2003} \parindent 0pt\parskip 0.5ex \begin{document} \title{Formalizing Integration Theory, with an Application to Probabilistic Algorithms} \author{Stefan Richter\\ LuFG Theoretische Informatik\\ RWTH Aachen\\ Ahornstraße 55\\ 52056 Aachen\\ FRG\\ \url{richter@informatik.rwth-aachen.de}} \date{\today} \maketitle \pagestyle{headings} \tableofcontents % include generated text of all theories % \input{session} \newpage \pagestyle{headings} \input{intro} \input{Sigma_Algebra} \input{MonConv} \input{Measure} \newpage \input{RealRandVar} \chapter{Integration} \label{cha:integration} The chapter at hand assumes a central position in the present paper. The Lebesgue integral is defined and its characteristics are shown in \ref{sec:stepwise-approach}. To illustrate the problems arising in doing so, we first look at implementation alternatives that did not work out. \input{Failure} \input{Integral} \input{outro} \begin{flushleft} \bibliographystyle{plain} \bibliography{root} \end{flushleft} \end{document} diff --git a/thys/Interpreter_Optimizations/document/root.tex b/thys/Interpreter_Optimizations/document/root.tex --- a/thys/Interpreter_Optimizations/document/root.tex +++ b/thys/Interpreter_Optimizations/document/root.tex 
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ \usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Interpreter\_Optimizations} \author{Martin Desharnais} \maketitle \begin{abstract} \noindent This Isabelle/HOL formalization builds on the \verb|VeriComp| entry of the \emph{Archive of Formal Proofs} to provide the following contributions: \begin{itemize} \item an operational semantics for a realistic virtual machine (Std) for dynamically typed programming languages; \item the formalization of an inline caching optimization (Inca), a proof of bisimulation with (Std), and a compilation function; \item the formalization of an unboxing optimization (Ubx), a proof of bisimulation with (Inca), and a simple compilation function. \end{itemize} This formalization was described in \cite{desharnais-2021}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Interval_Arithmetic_Word32/document/root.tex b/thys/Interval_Arithmetic_Word32/document/root.tex --- a/thys/Interval_Arithmetic_Word32/document/root.tex +++ b/thys/Interval_Arithmetic_Word32/document/root.tex 
@@ -1,76 +1,77 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Interval Arithmetic on 32-bit Words} \author{Brandon Bohrer} \maketitle \begin{abstract} This article implements conservative interval arithmetic computations, then uses this interval arithmetic to implement a simple programming language where all terms have 32-bit signed word values, with explicit infinities for terms outside the representable bounds. Our target use case is interpreters for languages that must have a well-understood low-level behavior. We include a formalization of bounded-length strings which are used for the identifiers of our language. Bounded-length identifiers are useful in some applications, for example the Differential\_Dynamic\_Logic \cite{Differential_Dynamic_Logic-AFP} article, where a Euclidean space indexed by identifiers demands that identifiers are finitely many. \end{abstract} \newpage \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Iptables_Semantics/document/root.tex b/thys/Iptables_Semantics/document/root.tex --- a/thys/Iptables_Semantics/document/root.tex 
+++ b/thys/Iptables_Semantics/document/root.tex 
@@ -1,68 +1,69 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %semantic rules printing \usepackage{mathpartir} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Iptables-Semantics} \author{Cornelius Diekmann, Lars Hupel} \maketitle \begin{abstract} We present a big step semantics of the filtering behavior of the Linux/netfilter iptables firewall. We provide algorithms to simplify complex iptables rulests to a simple firewall model (c.f.\ AFP entry Simple\_Firewall) and to verify spoofing protection of a ruleset. Internally, we embed our semantics into ternary logic, ultimately supporting every iptables match condition by abstracting over unknowns. Using this AFP entry and all entries it depends on, we created an easy-to-use, stand-alone haskell tool called \emph{fffuu} (\url{http://iptables.isabelle.systems}). The tool does not require any input ---except for the \texttt{iptables-save} dump of the analyzed firewall--- and presents interesting results about the user's ruleset. Real-Word firewall errors have been uncovered, as well as the correctness of rulesets has been proven with the help of our tool. For a detailed description, see \cite{diekmann2015fm,diekmann2015cnsm,diekmann2016networking,diekmann2015congress}. \end{abstract} \paragraph*{Acknowledgements} This entry would not have been possible without the help of Julius Michaelis, Max Haslbeck, Stephan-A.\ Posselt, Lars Noschinski, Manuel Eberl, Gerwin Klein, the Isabelle group Munich, and Georg Carle. 
\bigskip \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Irrational_Series_Erdos_Straus/document/root.tex b/thys/Irrational_Series_Erdos_Straus/document/root.tex --- a/thys/Irrational_Series_Erdos_Straus/document/root.tex +++ b/thys/Irrational_Series_Erdos_Straus/document/root.tex @@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Irrationality Criteria for Series by Erd\H{o}s and Straus} \author{Angeliki Koutsoukou-Argyraki and Wenda Li} \maketitle \begin{abstract} We formalise certain irrationality criteria for infinite series of the form: \[ \sum_n\frac{b_n}{\prod_{i \leq n} a_i} \] where $b_n$, $a_i$ are integers. The result is due to P. Erd\H{o}s and E.G. Straus \cite{erdHos1974irrationality}, and in particular we formalise Theorem 2.1, Corollary 2.10 and Theorem 3.1. The latter is an application of Theorem 2.1 involving the prime numbers. \end{abstract} \tableofcontents \input{session} \nocite{apostol1976analytic} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Irrationality_J_Hancl/document/root.tex b/thys/Irrationality_J_Hancl/document/root.tex --- a/thys/Irrationality_J_Hancl/document/root.tex +++ b/thys/Irrationality_J_Hancl/document/root.tex 
@@ -1,84 +1,83 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} \usepackage{xspace} -\usepackage[utf8]{inputenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newtheorem{theorem}{Theorem}%[section] \newtheorem{corollary}{Corollary}%[section] \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \begin{document} \title{Irrational Rapidly Convergent Series} \author{Angeliki Koutsoukou-Argyraki and Wenda Li} \maketitle \begin{abstract} We formalize with Isabelle/HOL a proof of a theorem by J. Han\v cl asserting the irrationality of the sum of a series consisting of rational numbers, built up by sequences that fulfill certain properties. Even though the criterion is a number theoretic result, the proof makes use only of analytical arguments. We also formalize a corollary of the theorem for a specific series fulfilling the assumptions of the theorem. \end{abstract} \tableofcontents \section{Main Theorem and Sketch of the Proof} We formalize the proof of the following theorem by J. Han\v cl (Theorem 3 in \cite{hancl}) : \begin{theorem}(Theorem 3 in \cite{hancl}) Let $A \in \mathbb{R}$ with $A>1$. Let $\{d_n \}^{\infty}_{n=1} \in \mathbb{R}$ with $d_n >1$ for all $n \in \mathbb{N}$. Let $\{a_n \}^{\infty}_{n=1} \in \mathbb{Z}^+$, $\{b_n \}^{\infty}_{n=1} \in \mathbb{Z}^+$ such that : $$(1)~\lim_{n \rightarrow \infty} a_n^{\frac{1}{2^n}} = A , $$ for all sufficiently large $n \in \mathbb{N}$ : $$(2)~\frac{A}{ a_n^{\frac{1}{2^n}} } > \prod^{\infty}_{j=n} d_j$$ and $$(3)~\lim_{n \rightarrow \infty}\frac{d_n^{2^n}}{b_n} =\infty. $$ Then the series $\alpha = \sum^{\infty}_{n=1} \frac{b_n}{a_n}$ is an irrational number. 
\end{theorem} The first step is to show that the series $ \sum^{\infty}_{n=1} \frac{b_n}{a_n}$ converges to some $\alpha \in \mathbb{R}$. To show that $\alpha \in \mathbb{R} \setminus \mathbb{Q}$ we argue by proof by contradiction (to this end several auxiliary lemmas are firstly shown). In particular, assuming that $\alpha \in \mathbb{Q}$, i.e. that there exist $p, q \in \mathbb{Z}^+$ such that $\alpha = \frac{p}{q}$, we show that a quantity $\mathcal{A}(n) \geq 1$ for all $n \in \mathbb{N}$. At the same time, we find $n \in \mathbb{N}$ for which $\mathcal{A}(n) < 1$, yielding a contradiction from which we deduce the irrationality of the sum of the series. \\ \\ For the proof see \cite{hancl}. We note that the proof involves only elementary Analysis (criteria for convergence/divergence for sequences and series and several inequalities) and not any arithmetical/number theoretic arguments. Obviously for the formal proof we had to make many intermediate arguments explicit. Proofs of length of roughly 2 A4 pages in the original paper by J. Han\v cl were formalized in almost 1100 lines of code. \section{Corollary} We moreover formalize the following corollary that asserts the irrationality of the sum of an instance of a series that fulfills the assumptions of the theorem : \begin{corollary} (Corollary 2 in \cite{hancl}) Let $A \in \mathbb{R}$ with $A>1$. Let $\{a_n \}^{\infty}_{n=1} \in \mathbb{Z}^+$, $\{b_n \}^{\infty}_{n=1} \in \mathbb{Z}^+$ such that : $$\lim_{n \rightarrow \infty} a_n^{\frac{1}{2^n}} = A $$ and for all sufficiently large $n \in \mathbb{N}$ (in particular: for $n \geq 6$) $$a_n^{\frac{1}{2^n}} (1+ 4 (2/3)^n) \leq A $$ and $$b_n \leq 2^{(4/3)^{n-1}} .$$ Then the series $\sum^{\infty}_{n=1} \frac{b_n}{a_n}$ is an irrational number. \end{corollary} The above corollary is an immediate consequence of the theorem by setting $d_n = 1 + (2/3)^n$. For the formalized proof of the corollary one more auxiliary lemma was required. 
\input{session} \section{Acknowledgements} A. K.-A. and W.L. were supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council and led by Professor Lawrence Paulson at the University of Cambridge, UK. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Isabelle_C/C11-FrontEnd/document/root.tex b/thys/Isabelle_C/C11-FrontEnd/document/root.tex --- a/thys/Isabelle_C/C11-FrontEnd/document/root.tex +++ b/thys/Isabelle_C/C11-FrontEnd/document/root.tex 
@@ -1,139 +1,137 @@ %% Copyright (c) 2019 University of Exeter %% 2018-2019 University of Paris-Saclay %% 2018-2019 The University of Sheffield %% %% License: %% This program can be redistributed and/or modified under the terms %% of the LaTeX Project Public License Distributed from CTAN %% archives in directory macros/latex/base/lppl.txt; either %% version 1.3c of the License, or (at your option) any later version. %% OR %% The 2-clause BSD-style license. %% %% SPDX-License-Identifier: LPPL-1.3c+ OR BSD-2-Clause %% 2019/09/21 Unreleased/Isabelle2019 %% Warning: Do Not Edit! %% ===================== %% This is the root file for the Isabelle/DOF using the scrreprt class. %% %% All customization and/or additional packages should be added to the file %% preamble.tex. \RequirePackage{ifvtex} \documentclass[fontsize=11pt,paper=a4,open=right,twoside,abstract=true]{scrreprt} \usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} -\usepackage{lmodern} \usepackage{textcomp} \bibliographystyle{abbrvnat} \usepackage[english]{babel} \RequirePackage[caption]{subfig} \usepackage{isabelle} \usepackage{isabellesym} \usepackage{ifthen} \usepackage{railsetup} \input{ontologies} \input{preamble.tex} \usepackage{amsmath} \usepackage{amssymb} \usepackage[numbers, sort&compress, sectionbib]{natbib} \usepackage{graphicx} \usepackage{hyperref} \setcounter{tocdepth}{2} \hypersetup{% bookmarksdepth=3 ,pdfpagelabels ,pageanchor=true ,bookmarksnumbered ,plainpages=false } % more detailed digital TOC (aka bookmarks) \sloppy \allowdisplaybreaks[4] \urlstyle{rm} \isabellestyle{it} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% Overrides the (rightfully issued) warning by Koma Script that \rm %%% etc. 
should not be used (they are deprecated since more than a %%% decade) \DeclareOldFontCommand{\rm}{\normalfont\rmfamily}{\mathrm} \DeclareOldFontCommand{\sf}{\normalfont\sffamily}{\mathsf} \DeclareOldFontCommand{\tt}{\normalfont\ttfamily}{\mathtt} \DeclareOldFontCommand{\bf}{\normalfont\bfseries}{\mathbf} \DeclareOldFontCommand{\it}{\normalfont\itshape}{\mathit} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \newenvironment{frontmatter}{}{} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % command \newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]} % from 'iman.sty' \newcommand{\indexdef}[3]% {\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}} % from 'isar.sty' \newcommand{\isactrlurl}{$\oplus$} \newcommand{\isactrlC}{{\isacommand C}} % \renewcommand{\chapterautorefname}{Chapter} \renewcommand{\sectionautorefname}{Section} \renewcommand{\subsectionautorefname}{Section} \renewcommand{\subsubsectionautorefname}{Section} \newcommand{\subtableautorefname}{\tableautorefname} \newcommand{\subfigureautorefname}{\figureautorefname} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{document} \title{Isabelle/C} \begin{frontmatter} \vspace{-2cm} \publishers{% \mbox{LRI, CNRS, CentraleSup\'elec, Universit\'e Paris-Saclay} \\ b\^at. 
650 Ada Lovelace, 91405 Orsay, France \texorpdfstring{\\}{} \href{mailto:"Frederic Tuong" }{frederic.tuong@lri.fr} \hspace{4.5em} \href{mailto:"Burkhart Wolff" }{burkhart.wolff@lri.fr} \vspace{3cm} \begin{center} \textbf{In case that you consider citing Isabelle/C, \\ please refer to \cite{Tuong-IsabelleC:2019}.} \end{center} } \maketitle \tableofcontents \end{frontmatter} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \chapter{A Conceptual Description of the Isabelle/C Package} \input{paper.tex} \input{C_Ast.tex} \input{C_Lexer_Language.tex} \input{C_Environment.tex} \input{C_Parser_Language.tex} \input{C_Lexer_Annotation.tex} \input{C_Parser_Annotation.tex} \input{C_Eval.tex} \input{C_Command.tex} \input{C_Document.tex} \input{C_Main.tex} % \input{C0.tex} % not included by default \input{C1.tex} \input{C2.tex} \input{C_paper.tex} \input{C_Appendices.tex} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Isabelle_Marries_Dirac/document/root.tex b/thys/Isabelle_Marries_Dirac/document/root.tex --- a/thys/Isabelle_Marries_Dirac/document/root.tex +++ b/thys/Isabelle_Marries_Dirac/document/root.tex 
@@ -1,67 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage{amsmath} %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Isabelle Marries Dirac: a Library for Quantum Computation and Quantum Information} \author{Anthony Bordg, Hanna Lachnitt and Yijun He} \maketitle \tableofcontents \begin{abstract} This work is an effort to formalise some quantum algorithms and results in quantum information theory. Formal methods being critical for the safety and security of algorithms and protocols, we foresee their widespread use for quantum computing in the future. We have developed a large library for quantum computing in Isabelle based on a matrix representation for quantum circuits, successfully formalising the no-cloning theorem, quantum teleportation, Deutsch's algorithm, the Deutsch-Jozsa algorithm and the quantum Prisoner's Dilemma. \end{abstract} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Isabelle_Meta_Model/document/root.tex b/thys/Isabelle_Meta_Model/document/root.tex --- a/thys/Isabelle_Meta_Model/document/root.tex +++ b/thys/Isabelle_Meta_Model/document/root.tex 
@@ -1,220 +1,218 @@ \documentclass[fontsize=11pt,paper=a4,open=right,twoside,abstract=true]{scrreprt} \usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} -\usepackage{lmodern} \usepackage{textcomp} \usepackage[english]{babel} %\usepackage[draft]{fixme} \usepackage{graphicx} \usepackage[numbers, sort&compress, sectionbib]{natbib} \usepackage{amssymb} \usepackage{versions} \usepackage{isabelle,isabellesym} \usepackage{units} %\usepackage{eurosym} \IfFileExists{railsetup.sty}{\usepackage{railsetup}}{} \usepackage{titletoc} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % short vs. long version %%%% Short Version: \includeversion{short} \excludeversion{extended} %%%% Extended Version: %\excludeversion{short} %\includeversion{extended} %%%% Misc.: \newenvironment{shortspace}[1]{}{} %\processifversion{short}{\vspace{#1}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % command \graphicspath{{data/},{figures/}} %% \newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]} % from 'iman.sty' \newcommand{\indexdef}[3]% {\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}} % from 'isar.sty' %% \newcommand\inputif[1]{\IfFileExists{./#1}{\input{#1}}{}} \newcommand\chapterif[2]{\IfFileExists{./#1}{\chapter{#2}}{}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % fix for package declaration to be at the end \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % document \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Meta-Model for the Isabelle API} \author{% \href{https://www.lri.fr/~tuong/}{Fr\'ed\'eric Tuong} \and \href{https://www.lri.fr/~wolff/}{Burkhart Wolff}} \publishers{% \mbox{LRI, Univ. Paris-Sud, CNRS, CentraleSup\'elec, Universit\'e Paris-Saclay} \\ b\^at. 
650 Ada Lovelace, 91405 Orsay, France \texorpdfstring{\\}{} \href{mailto:"Frederic Tuong" }{frederic.tuong@lri.fr} \hspace{4.5em} \href{mailto:"Burkhart Wolff" }{burkhart.wolff@lri.fr} \\[2em] % IRT SystemX\\ 8 av.~de la Vauve, 91120 Palaiseau, France \texorpdfstring{\\}{} \href{mailto:"Frederic Tuong" }{frederic.tuong@irt-systemx.fr} \quad \href{mailto:"Burkhart Wolff" }{burkhart.wolff@irt-systemx.fr} } \maketitle \begin{abstract} We represent a theory \emph{of} (a fragment of) Isabelle/HOL \emph{in} Isabelle/HOL. The purpose of this exercise is to write packages for domain-specific specifications such as class models, B-machines, \dots, and generally speaking, any domain-specific languages whose abstract syntax can be defined by a HOL ``datatype''. On this basis, the Isabelle code-generator can then be used to generate code for global context transformations as well as tactic code. Consequently the package is geared towards parsing, printing and code-generation to the Isabelle API. It is at the moment not sufficiently rich for doing meta theory on Isabelle itself. Extensions in this direction are possible though. Moreover, the chosen fragment is fairly rudimentary. However it should be easily adapted to one's needs if a package is written on top of it. The supported API contains types, terms, transformation of global context like definitions and data-type declarations as well as infrastructure for Isar-setups. This theory is drawn from the Featherweight OCL\cite{brucker.ea:featherweight:2014} project where it is used to construct a package for object-oriented data-type theories generated from UML class diagrams. The Featherweight OCL, for example, allows for both the direct execution of compiled tactic code by the Isabelle API as well as the generation of \verb|.thy|-files for debugging purposes. 
Gained experience from this project shows that the compiled code is sufficiently efficient for practical purposes while being based on a formal \emph{model} on which properties of the package can be proven such as termination of certain transformations, correctness, etc. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %\input{session} \part{A Meta-Model for the Isabelle API} \chapter{Initialization} \inputif{Init.tex} \inputif{Init_rbt.tex} \chapter{Defining Meta-Models} \inputif{Meta_Pure.tex} \inputif{Meta_SML.tex} \inputif{Meta_Isabelle.tex} \inputif{Meta_Toy.tex} % toy \inputif{Meta_Toy_extended.tex} % toy \inputif{Meta_META.tex} %\chapter{Toy Libraries Static} % chapter already declared in this following first file: \inputif{Toy_Library_Static.tex} % toy %\chapter{Translating Meta-Models} % chapter already declared in this following first file: \inputif{Core_init.tex} \inputif{Floor1_enum.tex} \inputif{Floor1_infra.tex} \inputif{Floor1_astype.tex} \inputif{Floor1_istypeof.tex} \inputif{Floor1_iskindof.tex} \inputif{Floor1_allinst.tex} \inputif{Floor1_access.tex} \inputif{Floor1_examp.tex} \inputif{Floor2_examp.tex} \inputif{Floor1_ctxt.tex} \inputif{Floor2_ctxt.tex} \inputif{Core.tex} \chapter{Parsing Meta-Models} \inputif{Parser_init.tex} \inputif{Parser_Pure.tex} \inputif{Parser_Toy.tex} % toy \inputif{Parser_Toy_extended.tex} % toy \inputif{Parser_META.tex} \chapter{Printing Meta-Models} \inputif{Printer_init.tex} \inputif{Printer_Pure.tex} \inputif{Printer_SML.tex} \inputif{Printer_Isabelle.tex} \inputif{Printer_Toy.tex} % toy \inputif{Printer_Toy_extended.tex} % toy \inputif{Printer_META.tex} \inputif{Printer.tex} \chapter{Main} \inputif{Generator_static.tex} \inputif{Generator_dynamic_sequential.tex} \part{A Toy Example} \inputif{Toy_Library.tex} % toy \inputif{Design_deep.tex} % toy \inputif{Design_shallow.tex} % toy %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \bibliographystyle{abbrvnat} \bibliography{root} 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \appendix \part{Appendix} \chapter{Grammars of Commands} \inputif{Rail.tex} \chapter{Content of the Directory isabelle\_home} \section{Extensions for Cartouches} \begin{itemize} \item \verb|./src/HOL/ex/Isabelle_Cartouche_Examples.thy| \hfill \emph{Main0}: \hspace{3em} \\ Some functions have been generalized for supporting cartouches. \end{itemize} \section{Other Changes} \begin{itemize} \item \verb|./src/Tools/Code/Isabelle_code_runtime.thy| \hfill \emph{Main1}: \hspace{3em} \\ The option $open$ was introduced in this file for the definition of $code\_reflect'$. \item \verb|./src/Tools/Code/Isabelle_code_target.thy| \hfill \emph{Main1}: \hspace{3em} \\ Some signatures was removed for exposing the main structure, we have also defined at the end the implementation of $lazy\_code\_printing$, $apply\_code\_printing$ and $apply\_code\_printing\_reflect$. \item \verb|./src/Pure/Isar/Isabelle_typedecl.thy| \hfill \emph{Main2}: \hspace{3em} \\ Short modification of the argument lifting a $binding$ to a $binding$~$option$ with some signatures removed. \end{itemize} \chapter{Content of One Generated File (as example)} \inputif{Design_generated_generated.tex} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Jacobson_Basic_Algebra/document/root.tex b/thys/Jacobson_Basic_Algebra/document/root.tex --- a/thys/Jacobson_Basic_Algebra/document/root.tex +++ b/thys/Jacobson_Basic_Algebra/document/root.tex 
@@ -1,70 +1,69 @@ \documentclass{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} \usepackage{amsmath} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} \isadroptag{theory} \isafoldtag{proof} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A Case Study in Basic Algebra} \author{Clemens Ballarin} \date{} \maketitle \begin{abstract} The focus of this case study is re-use in abstract algebra. It contains locale-based formalisations of selected parts of set, group and ring theory from Jacobson's \emph{Basic Algebra} leading to the respective fundamental homomorphism theorems. The study is not intended as a library base for abstract algebra. It rather explores an approach towards abstract algebra in Isabelle. \end{abstract} % sane default for proof documents \parindent 0pt\parskip 0.5ex % for proof reading \pagestyle{plain} % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Jinja/document/root.tex b/thys/Jinja/document/root.tex --- a/thys/Jinja/document/root.tex +++ b/thys/Jinja/document/root.tex 
@@ -1,61 +1,61 @@ -%\documentclass[11pt,a4paper]{article} \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage{graphicx,latexsym,isabelle,isabellesym,pdfsetup} % proper setup for best-style documents \urlstyle{rm} \isabellestyle{it} \pagestyle{myheadings} %make a bit more space \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \addtolength{\voffset}{-1cm} \addtolength{\textheight}{2cm} \renewcommand{\setisabellecontext}[1]{\markright{Theory~#1}} \newcommand{\secref}[1]{Section~\ref{#1}} \newcommand{\secrefs}[1]{Sections~\ref{#1}} \newcommand{\charef}[1]{Chapter~\ref{#1}} \newcommand{\charefs}[1]{Chapters~\ref{#1}} %remove clutter from the toc \setcounter{secnumdepth}{2} \setcounter{tocdepth}{1} \begin{document} \title{A Machine-Checked Model for a Java-like Language,\\ Virtual Machine and Compiler} \author{Gerwin Klein \and Tobias Nipkow} \maketitle \tableofcontents \input{introduction.tex} \section{Theory Dependencies} Figure \ref{theory-deps} shows the dependencies between the Isabelle theories in the following sections. \begin{figure}[h!t] \begin{center} \includegraphics[width=\textwidth]{session_graph} \end{center} \caption{Theory Dependency Graph\label{theory-deps}} \end{figure} \newpage \input{session} \newpage \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/JinjaDCI/document/root.tex b/thys/JinjaDCI/document/root.tex --- a/thys/JinjaDCI/document/root.tex +++ b/thys/JinjaDCI/document/root.tex 
@@ -1,74 +1,74 @@ -%\documentclass[11pt,a4paper]{article} \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage{graphicx,latexsym,isabelle,isabellesym,amssymb,pdfsetup} % proper setup for best-style documents \urlstyle{rm} \isabellestyle{it} \pagestyle{myheadings} %make a bit more space \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \addtolength{\voffset}{-1cm} \addtolength{\textheight}{2cm} \renewcommand{\setisabellecontext}[1]{\markright{Theory~#1}} \newcommand{\secref}[1]{Section~\ref{#1}} \newcommand{\secrefs}[1]{Sections~\ref{#1}} \newcommand{\charef}[1]{Chapter~\ref{#1}} \newcommand{\charefs}[1]{Chapters~\ref{#1}} %remove clutter from the toc \setcounter{secnumdepth}{2} \setcounter{tocdepth}{1} \begin{document} \title{JinjaDCI: a Java semantics with dynamic class initialization} \author{Susannah Mansky} \maketitle %\begin{abstract} %((FIXME: add abstract)) %\end{abstract} \begin{trivlist} \item \textbf{Abstract.} This work is an extension of the Jinja semantics for Java and the JVM by Klein and Nipkow to include static fields and methods and dynamic class initialization. In Java, class initialization methods are run dynamically, called when classes are first used. Such calls are handled by the running of an initialization procedure, which interrupts execution and determines which initialization methods must be run before execution continues. This interrupting is modeled here in a couple of ways. In the Java semantics, evaluation is performed via expressions that are manipulated through evaluation until a final value is reached. In JinjaDCI, we have added two types of initialization expressions whose evaluations produce the steps of the initialization procedure. These expressions can occur during evaluation and store the calling expression away to continue being evaluated once the procedure is complete. 
In the JVM semantics, since programs are static sequences of instructions, the initialization procedure is run instead by the execution function. This function performs steps of the procedure rather than calling instructions when the initialization procedure has been called. This extension includes the necessary updates to all major proofs from the original Jinja, including type safety and correctness of compilation from the Java semantics to the JVM semantics. This work is partially described in \cite{mansky2019dynamic}. \end{trivlist} \tableofcontents %\section{Theory Dependencies} %Figure \ref{theory-deps} shows the dependencies between %the Isabelle theories in the following sections. %\begin{figure}[h!t] %\begin{center} % \includegraphics[width=\textwidth]{session_graph} %\end{center} %\caption{Theory Dependency Graph\label{theory-deps}} %\end{figure} \clearpage \input{session} %\newpage %\nocite{*} \bibliographystyle{abbrv} %\bibliographystyle{plain} \bibliography{root} \end{document} diff --git a/thys/JinjaThreads/document/root.tex b/thys/JinjaThreads/document/root.tex --- a/thys/JinjaThreads/document/root.tex +++ b/thys/JinjaThreads/document/root.tex 
@@ -1,65 +1,65 @@ -%\documentclass[11pt,a4paper]{article} \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage{graphicx,latexsym,isabelle,isabellesym,pdfsetup} % proper setup for best-style documents \urlstyle{rm} \isabellestyle{it} \pagestyle{myheadings} %make a bit more space \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \addtolength{\voffset}{-1cm} \addtolength{\textheight}{2cm} \newcommand{\secref}[1]{Section~\ref{#1}} \newcommand{\secrefs}[1]{Sections~\ref{#1}} \newcommand{\charef}[1]{Chapter~\ref{#1}} \newcommand{\charefs}[1]{Chapters~\ref{#1}} %remove clutter from the toc \setcounter{secnumdepth}{2} \setcounter{tocdepth}{1} \begin{document} \title{Jinja with Threads} \author{Andreas Lochbihler} \maketitle \begin{trivlist} \item \textbf{Abstract.} We extend the Jinja source code semantics by Klein and Nipkow with Java-style arrays and threads. Concurrency is captured in a generic framework semantics for adding concurrency through interleaving to a sequential semantics, which features dynamic thread creation, inter-thread communication via shared memory, lock synchronisation and joins. Also, threads can suspend themselves and be notified by others. We instantiate the framework with the adapted versions of both Jinja source and byte code and show type safety for the multithreaded case. Equally, the compiler from source to byte code is extended, for which we prove weak bisimilarity between the source code small step semantics and the defensive Jinja virtual machine. On top of this, we formalise the JMM and show the DRF guarantee and consistency. For description of the different parts, see \cite{Lochbihler2008FOOL,Lochbihler2010ESOP,LochbihlerBulwahn2011ITP,Lochbihler2012ESOP}. \end{trivlist} \tableofcontents %\section{Theory Dependencies} %Figure \ref{theory-deps} shows the dependencies between %the Isabelle theories in the following sections. 
%\begin{figure}[h!t] %\begin{center} % \includegraphics[height=\textheight]{session_graph} %\end{center} %\caption{Theory Dependency Graph\label{theory-deps}} %\end{figure} \clearpage \input{session} \bibliographystyle{plain} \bibliography{root} \end{document} diff --git a/thys/JiveDataStoreModel/document/root.tex b/thys/JiveDataStoreModel/document/root.tex --- a/thys/JiveDataStoreModel/document/root.tex +++ b/thys/JiveDataStoreModel/document/root.tex 
@@ -1,260 +1,261 @@ \documentclass[11pt,a4paper,twoside]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} %% Seitenformat: \setlength{\oddsidemargin}{0cm} % li. Randabstand auf re. Seiten \setlength{\textwidth}{16cm} % Breite des Textes \setlength{\evensidemargin}{0cm} % li. Randabstand auf li. Seiten \setlength{\topmargin}{-0.75cm} % Abst. Oberkante Blatt - Oberk. Header \setlength{\headheight}{30pt} % H\hookrightarrow e des Headers \setlength{\headsep}{0pt} % Abst. Header - Text \setlength{\topskip}{1cm} % Oberkante Text - Grundlinie 1. Z. \setlength{\textheight}{23.5cm} % H\hookrightarrow e des Textes %%\setlength{\footheight}{0cm} % H\hookrightarrow e des Footers \setlength{\footskip}{0cm} % Abst. Unterk. Text - Unterk. Footer \usepackage{graphicx} \usepackage{xspace} \usepackage{fancyvrb} \usepackage{fancyhdr} \usepackage{prooftree} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % Einstellungen f"ur den Seitenstil (fancyhdr) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \pagestyle{fancyplain} %% Setzen von Dicke und Breite der Linie unter der Kopfzeile. \renewcommand{\headrulewidth}{1.6pt} \newfont{\kopffont}{cmr10} % zum Justieren des Fonts \renewcommand{\sectionmark}[1]{\markboth{\kopffont\thesection\ #1}{}} \renewcommand{\subsectionmark}[1]{\markright{\kopffont\thesubsection\ #1}} %% Setzen der Kopflayouts ("`~\\"' erzeugt zus"atzlichen vertikalen Abstand). 
\lhead[\kopffont\thepage]% erscheint links auf % geraden Seiten {\fancyplain{}{\rightmark}} % erscheint links auf % ungeraden Seiten \chead{} % erscheint zentriert auf beiden Seiten \rhead[\fancyplain{}{\leftmark}]% erscheint rechts auf % geraden Seiten {\kopffont\thepage}% erscheint rechts auf % ungeraden Seiten \cfoot{} % im Fu"s soll nichts stehen %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \usepackage{my_logic} \renewcommand{\jive}{\textsc{Jive}\xspace} \newcommand{\isabelleP}{\textsc{Isabelle}\xspace} \newcommand{\isabelleH}{\textsc{Isabelle/HOL}\xspace} \newcommand{\javake}{\textsc{Java-KE}\xspace} \begin{document} % to be added for the TechReport \title{%{\normalsize Interner Bericht xxx/05}\\ %{\normalsize Technische Universit\"at Kaiserslautern}\\[1cm] Jive Data and Store Model\\[1cm] ~} \author{ Norbert Schirmer\\TU M\"unchen\\schirmer@informatik.tu-muenchen.de \and Nicole Rauch\\TU Kaiserslautern\\rauch@informatik.uni-kl.de} \date{} \maketitle \begin{abstract} % This Internal Report This document presents the formalization of an object-oriented data and store model in \isabelleH. This model is being used in the \textbf{J}ava \textbf{I}nteractive \textbf{V}erification \textbf{E}nvironment, \jive. \end{abstract} \thispagestyle{empty} \cleardoublepage \markboth{\kopffont Contents}{\kopffont Contents} \tableofcontents \markboth{\kopffont Contents}{\kopffont Contents} \parindent 0pt\parskip 0.5ex \cleardoublepage \section{Introduction} \jive \cite{Meyer.Poetzsch-Heffter00architecture,Jive} is a verification system that is being developed at the University of Kai\-sers\-lautern and at the ETH Z\"urich. It is an interactive special-purpose theorem prover for the verification of object-oriented programs on the basis of a partial-correctness Hoare-style programming logic. 
\jive operates on \javake \cite{Poetzsch-Heffter.Gaillourdet.EA05hoare}, a desugared subset of sequential Java which contains all important features of object-oriented languages (subtyping, exceptions, static and dynamic method invocation, etc.). \jive is written in Java and currently has a size of about 40,000 lines of code. \jive is able to operate on completely unannotated programs, allowing the user to dynamically add specifications. It is also possible to preliminarily annotate programs with invariants, pre- and postconditions using the specification language JML \cite{Leavens.BakerEA99jml}. In practice, a mixture of both techniques is employed, in which the user extends and refines the pre-annotated specifications during the verification process. The program to be verified, together with the specifications, is translated to Hoare sequents. Program and pre-annotated specifications are translated during startup, while the dynamically added specifications are translated whenever they are entered by the user. Hoare sequents have the shape $\Sequent{A}{\bP}{\mathtt{pp}}{\bQ}$ and express that for all states $S$ that fulfill $\bP$, if the execution of the program part $\mathtt{pp}$ terminates, the state that is reached when $pp$ has been evaluated in $S$ must fulfill $\bQ$. The so-called assumptions $\cl{A}$ are used to prove recursive methods. \jive's logic contains so-called Hoare rules and axioms. The rules consist of one or more Hoare sequents that represent the assumptions of the rule, and a Hoare sequent which is the conclusion of the rule. Axioms consist of only one Hoare sequent; they do not have assumptions. Therefore, axioms represent the known facts of the Hoare logic. To prove a program specification, the user directly works on the program source code. Proofs can be performed in backward direction and in forward direction. In backward direction, an initial open proof goal is reduced to new, smaller open subgoals by applying a rule. 
This process is repeated for the smaller subgoals until eventually each open subgoal can be closed by the application of an axiom. If all open subgoals are proven by axioms, the initial goal is proven as well. In forward direction, the axioms can be used to establish known facts about the statements of a given program. The rules are then used to produce new facts from these already known facts. This way, facts can be constructed for parts of the program. A large number of the rules and axioms of the Hoare logic is related to the structure of the program part that is currently being examined. Besides these, the logic also contains rules that manipulate the pre- or postcondition of the examined subgoal without affecting the current program part selection. A prominent member of this kind of rules is the rule of consequence\footnote{In \jive, the rule of consequence is part of a larger rule which serves several purposes at once. Since we want to focus on the rule of consequence, we left out the parts that are irrelevant in this context.}: \[ \begin{prooftree} \bPP \Rightarrow \bP \qquad \Sequent{A}{\bP}{\mathtt{pp}}{\bQ} \qquad \bQ \Rightarrow \bQQ \justifies \Sequent{A}{\bPP}{\mathtt{pp}}{\bQQ} \end{prooftree} \] It plays a special role in the Hoare logic because it additionally requires implications between stronger and weaker conditions to be proven. If a \jive proof contains an application of the rule of consequence, the implication is attached to the proof tree node that documents this rule application; these attachments are called lemmas. \jive sends these lemmas to an associated general purpose theorem prover where the user is required to prove them. Currently, \jive supports \isabelleH as associated prover. It is required that all lemmas that are attached to any node of a proof tree are proven before the initial goal of the proof tree is accepted as being proven. In order to prove these logical predicates, \isabelleH needs a data and store model of \javake. 
This model acts as an interface between \jive and \isabelleH. The first paper-and-pencil formalization of the data and store model was given in Arnd Poetzsch-Heffter's habilitation thesis \cite[Sect. 3.1.2]{Poetzsch-Heffter97specification}. The first machine-supported formalization was performed in PVS by Peter M\"uller, by translating the axioms given in \cite{Poetzsch-Heffter97specification} to axioms in PVS. The formalization presented in this report extends the PVS formalization. The axioms have been replaced by conservative extensions and proven lemmas, thus there is no longer any possibility to accidentally introduce unsoundness. Some changes were made to the PVS theories during the conversion. Some were caused due to the differences in the tools \isabelleH and PVS, but some are more conceptional. Here is a list of the major changes. \begin{itemize} \item In PVS, function arguments were sometimes restricted to subtypes. In \isabelleH, unintended usage of functions is left unspecified. \item In PVS, the program-independent theories were parameterized by the datatypes that were generated for the program to be verified. In \isabelleH, we just build on the generated theories. This makes the whole setting easier. The drawback is that we have to run the theories for each program we want to verify. But the proof scripts are designed in a way that they will work if the basic program-dependent theories are generated in the proper way. Since we can create an image of a proof session before starting actual verification we do not run into time problems either. \item The subtype relation is based on the direct subtype relation between classes and interfaces. We prove that subtyping forms a partial order. In the PVS version subtyping was expressed by axioms that described the subtype relation for the types appearing in the Java program to be verified. \end{itemize} Besides these changes we also added new concepts to the model. We can now deal with static fields and arrays. 
This way, the model supports programming languages that are much richer than \javake to allow for future extensions of \jive. Please note that although the typographic conventions in Isabelle suggest that constructors start with a capital letter while types do not, we kept the capitalization as it was before (which means that types start with a capital letter while constructors usually do not) to keep the naming more uniform across the various \jive-related publications. The theories presented in this report require the use of \isabelleP 2005. The proofs of lemmas are skipped in the presentation to keep it compact. The full proofs can be found in the original \isabelleP theories. % theories can download them \cite{}. \clearpage \section{Theory Dependencies} \begin{center} \includegraphics[height=12cm]{session_graph} %\includegraphics[height=15cm]{session_graph_edited} \end{center} The theories ``TypeIds'', ``DirectSubtypes'', ``Attributes'' and ``UnivSpec'' are program-dependent and are generated by the Jive tool. The program-dependent theories presented in this report are just examples and act as placeholders. The theories are stored in four different directories: \begin{tabbing} XXXXXX\= \kill Isabelle:\\ \>JavaType.thy \\ \>Subtype.thy \\ \>Value.thy \\ \>JML.thy \\ Isabelle\_Store: \\ \>AttributesIndep.thy \\ \>Location.thy \\ \>Store.thy \\ \>StoreProperties.thy \\ Isa\_$\langle$Prog$\rangle$: \\ \>TypeIds.thy \\ \>DirectSubtypes.thy \\ \>UnivSpec.thy \\ Isa\_$\langle$Prog$\rangle$\_Store: \\ \>Attributes.thy \end{tabbing} In this naming convention, the suffix ``\_Store'' denotes those theories that depend on the actual realization of the Store. They have been separated in order to allow for easy exchanging of the Store realization. The midfix ``$\langle$Prog$\rangle$'' denotes the name of the program for which the program-dependent theories have been generated. This way, different program-dependent theories can reside side-by-side without conflicts. 
These four directories have to be added to the ML path before loading UnivSpec. This can be done in a setup theory with the following command (here applied to a program called \texttt{Counter}): \begin{verbatim} ML {* add_path "/Isabelle"; add_path "/Isabelle_Store"; add_path "/Isa_Counter"; add_path "/Isa_Counter_Store"; *} \end{verbatim} This way, one can select the program-dependent theories for the program that currently is to be proven. \section{The Example Program} \label{example-program} The program-dependent theories are generated for the following example program: \VerbatimInput[fontsize=\small]{Counter.java} % include generated text of all theories \input{session} \bibliographystyle{alpha} \markboth{\kopffont References}{\kopffont References} \bibliography{root} \end{document} diff --git a/thys/Jordan_Hoelder/document/root.tex b/thys/Jordan_Hoelder/document/root.tex --- a/thys/Jordan_Hoelder/document/root.tex +++ b/thys/Jordan_Hoelder/document/root.tex 
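Review bot: the header font in the Jive root.tex hunk, `\newfont{\kopffont}{cmr10}`, hard-wires an OT1-encoded font, so the `\usepackage[T1]{fontenc}` line this hunk adds does not reach the running heads set through `\markboth{\kopffont ...}`, `\sectionmark` and `\subsectionmark`; accented section titles such as those with umlauts will be built from OT1 accent composites in the header while the body uses T1 glyphs. Prefer a declaration that follows the current encoding, e.g. `\newcommand{\kopffont}{\fontfamily{cmr}\fontsize{10}{12}\selectfont}`. Separately, `\usepackage{my_logic}` is loaded after `\usepackage{pdfsetup}` even though the preamble says `% this should be the last package used`; either move it above pdfsetup or drop the comment so the file does not contradict itself.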
@@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} %\usepackage{biblatex} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Jordan-H\"older Theorem} \author{Jakob von Raumer} \maketitle \begin{abstract} This submission contains theories that lead to a formalization of the proof of the Jordan-H\"older theorem about composition series of finite groups. The theories formalize the notions of isomorphism classes of groups, simple groups, normal series, composition series, maximal normal subgroups. Furthermore, they provide proofs of the second isomorphism theorem for groups, the characterization theorem for maximal normal subgroups as well as many useful lemmas about normal subgroups and factor groups. The formalization is based on the work work in my first AFP submission \cite{snd-sylow} while the proof of the Jordan-H\"older theorem itself is inspired by course notes of Stuart Rankin \cite{rankin}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliography{root} \bibliographystyle{alpha} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Jordan_Normal_Form/document/root.tex b/thys/Jordan_Normal_Form/document/root.tex --- a/thys/Jordan_Normal_Form/document/root.tex +++ b/thys/Jordan_Normal_Form/document/root.tex 
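Review bot: the abstract in the Jordan_Hoelder root.tex hunk has a doubled word, `based on the work work in my first AFP submission`; drop the repeated `work`. Since this commit already touches the file's preamble, the fix fits naturally in the same change.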
@@ -1,133 +1,134 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Matrices, Jordan Normal Forms, and Spectral Radius Theory\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Ren\'e Thiemann and Akihisa Yamada} \maketitle \begin{abstract} Matrix interpretations are useful as measure functions in termination proving. In order to use these interpretations also for complexity analysis, the growth rate of matrix powers has to examined. Here, we formalized an important result of spectral radius theory, namely that the growth rate is polynomially bounded if and only if the spectral radius of a matrix is at most one. To formally prove this result we first studied the growth rates of matrices in Jordan normal form, and prove the result that every complex matrix has a Jordan normal form by means of two algorithms: we first convert matrices into similar ones via Schur decomposition, and then apply a second algorithm which converts an upper-triangular matrix into Jordan normal form. We further showed uniqueness of Jordan normal forms which then gives rise to a modular algorithm to compute individual blocks of a Jordan normal form. The whole development is based on a new abstract type for matrices, which is also executable by a suitable setup of the code generator. It completely subsumes our former AFP-entry on executable matrices \cite{Matrix-AFP}, and its main advantage is its close connection to the HMA-representation which allowed us to easily adapt existing proofs on determinants. All the results have been applied to improve \ceta\ \cite{CeTA,CeTAcomplexity}, our certifier to validate termination and complexity proof certificates. 
\end{abstract} \tableofcontents \section{Introduction} The spectral radius of a square, complex valued matrix $A$ is defined as the largest norm of some eigenvalue $c$ with eigenvector $v$. It is a central notion to estimate how the values in $A^n$ for increasing $n$. If the spectral radius is larger than $1$, clearly the values grow exponentially, since then $A^n \cdot v = c^n \cdot v$ becomes exponentially large. The other results, namely that the values in $A^n$ are bounded by a constant, if the spectral radius is smaller than $1$, and that there is a polynomial bound if the spectral radius is exactly $1$ are only immediate for matrices which have an eigenbasis, a precondition which is not satisfied by every matrix. However, these results are derivable via Jordan normal forms (JNFs): If $J$ is a JNF of $A$, then the growth rates of $A^n$ and $J^n$ are related by a constant as $A$ and $J$ are similar matrices. And for the values in $J^n$ there is a closed formula which gives the desired complexity bounds. To be more precise, the values in $J^n$ are bounded by ${\cal O}(|c|^n \cdot n^{k-1})$ where $k$ is the size of the largest block of an eigenvalue $c$ which has maximal norm w.r.t.\ the set of all eigenvalues. And since every complex matrix has a JNF, we can derive the polynomial (resp.\ constant bounds), if the spectral radius is 1 (resp.\ smaller than 1). These results are already applied in current complexity tools, and the motivation of this development was to extend our certifier \ceta\ to be able to validate corresponding complexity proofs. To this end, we formalized the following main results: \begin{itemize} \item an algorithm to compute the characteristic polynomial, since the eigenvalues are exactly the roots of this polynomial; \item the complexity bounds for JNFs; and \item an algorithm which computes JNFs for every matrix, provided that the list of eigenvalues is given. 
With the help of the fundamental theorem of algebra this shows that every complex matrix has a JNF. \end{itemize} Since \ceta\ is generated from Isabelle/HOL via code-generation, all the algorithms and results need to be available at code-generation time. Especially there is no possibility to create types on the fly which are chosen to fit the matrix dimensions of the input. To this end, we cannot use the matrix-representation of HOL multivariate analysis (HMA). Instead, we provide a new matrix library which is based on HOL-algebra with its explicit carriers. In contrast to our earlier development \cite{Matrix-AFP}, we do not immediately formalize everything as lists of lists, but use a more mathematical notion as triples of the form (dimension, dimension, characteristic-function). This makes reasoning very similar to HMA, and a suitable implementation type can be chosen afterwards: we provide one via immutable arrays (we use IArray's from the HOL library), but one can also think of an implementation for sparse matrices, etc. Even the infinite carrier itself is executable where we rely upon Lochbihler's container framework \cite{Containers-AFP} to have different set representations at the same time. As a consequence of not using HMA, we could not directly reuse existing algorithms which have been formalized for this representation. For instance, we formalized our own version of Gauss-Jordan elimination which is not very different to the one of Divas\'on and Aransay in \cite{Gauss_Jordan-AFP}: both define row-echelon form and apply elementary row transformations. Whereas Gauss-Jordan elimination has been developed from scratch as a case-study to see how suitable our matrix representation is, in other cases we often just copied and adjusted existing proofs from HMA. For instance, most of the library for determinants has been copied from the Isabelle distribution and adapted to our matrix representation. 
As a result of our formalization, \ceta\ is now able to check polynomial bounds for matrix interpretations \cite{MatrixJAR}. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/KAD/document/root.tex b/thys/KAD/document/root.tex --- a/thys/KAD/document/root.tex +++ b/thys/KAD/document/root.tex 
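Review bot: two sentences in the Jordan_Normal_Form root.tex hunk are missing a verb. The abstract reads `the growth rate of matrix powers has to examined` (should be `has to be examined`), and the introduction reads `It is a central notion to estimate how the values in $A^n$ for increasing $n$.` (e.g. `how the values in $A^n$ grow for increasing $n$`). A smaller point in the same region: `not very different to the one of Divas\'on and Aransay` should be `different from the one`.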
@@ -1,115 +1,116 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,amssymb} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Kleene Algebras with Domain} \author{Victor B. F. Gomes, Walter Guttmann, Peter H{\"o}fner, \\Georg Struth and Tjark Weber} \maketitle \begin{abstract} Kleene algebras with domain are Kleene algebras endowed with an operation that maps each element of the algebra to its domain of definition (or its complement) in abstract fashion. They form a simple algebraic basis for Hoare logics, dynamic logics or predicate transformer semantics. We formalise a modular hierarchy of algebras with domain and antidomain (domain complement) operations in Isabelle/HOL that ranges from domain and antidomain semigroups to modal Kleene algebras and divergence Kleene algebras. We link these algebras with models of binary relations and program traces. We include some examples from modal logics, termination and program analysis. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introductory Remarks} These theory files are intended as a reference formalisation for variants of Kleene algebras with domain. The algebraic hierarchy is developed in a modular way from domain and antidomain semigroups to modal Kleene algebras in which forward and backward box and diamond operators interact via conjugations and Galois connections. 
Throughout the development we have aimed at readable proofs so that these theories can be seen as a machine-checked introduction to reasoning in this setting. Apart from that, the Isabelle code is only sparsely annotated, and we refer to a series of articles for further information. Our formalisation follows the approaches of Desharnais, Jipsen and Struth to domain semigroups~\cite{DesharnaisJipsenStruth} and Desharnais and Struth to families of domain semirings and Kleene algebras with domain~\cite{DesharnaisStruthSCP,DesharnaisStruthAMAST}. The link with modal Kleene algebras, Hoare logics and predicate transformers has been elaborated by M{\"o}ller and Struth~\cite{MoellerStruth}; a notion of divergence has been added by Desharnais, M{\"o}ller and Struth~\cite{DesharnaisMoellerStruthLMCS}. A previous stage of this formalisation has been documented in a companion article~\cite{guttmannstruthweber11algmeth}. The target model of these axiomatisations are binary relations, where the domain operation represents the set of those elements that are related to some other element. There is a vast amount of literature on axiomatising the domain of functions, especially in semigroup theory. The deterministic nature of functions, however, leads to different axiom sets. An integration of these approaches is left for future work. Our Isabelle/HOL formalisation itself is based on a formalisation of variants of Kleene algebras~\cite{ka}. An adaptation of Kleene algebras with domain to the setting of concurrent dynamic algebra~\cite{FurusawaStruth} can also be found in the Archive of Formal Proofs~\cite{multirelations}. A formalisation of the original two-sorted approach to Kleene algebra with domain~\cite{desharnaismoellerstruth06kad} is left for future work as well. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
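Review bot: `\usepackage{isabelle,isabellesym,amssymb}` at the top of the KAD root.tex hunk already loads amssymb, so the commented-out `%\usepackage{amssymb}` block and its symbol list immediately below are dead text and can be removed rather than carried along with the new fontenc line. In the introductory remarks, `The target model of these axiomatisations are binary relations` mixes singular and plural; use `The target models of these axiomatisations are binary relations`.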
diff --git a/thys/KAT_and_DRA/document/root.tex b/thys/KAT_and_DRA/document/root.tex --- a/thys/KAT_and_DRA/document/root.tex +++ b/thys/KAT_and_DRA/document/root.tex @@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Kleene Algebra with Tests and Demonic Refinement Algebras} \author{Alasdair Armstrong \and Victor B. F. Gomes \and Georg Struth} \maketitle \begin{abstract} We formalise Kleene algebra with tests (KAT) and demonic refinement algebra (DRA) with tests in Isabelle/HOL. KAT is relevant for program verification and correctness proofs in the partial correctness setting. DRA targets similar applications in the context of total correctness. Our formalisation contains the two most important models of these algebras: binary relations in the case of KAT and predicate transformers in the case of DRA. In addition, we derive the inference rules for Hoare logic in KAT and its relational model. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/KBPs/document/root.tex b/thys/KBPs/document/root.tex --- a/thys/KBPs/document/root.tex +++ b/thys/KBPs/document/root.tex 
@@ -1,327 +1,327 @@ \documentclass{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{url} \usepackage{graphicx} \usepackage{wrapfig} \usepackage{placeins} \usepackage{amssymb} \usepackage[english]{babel} \usepackage{booktabs} \newcommand{\titl}{Verified Synthesis of Knowledge-Based Programs in Finite Synchronous Environments} \newcommand{\stitl}{Knowledge-Based Programs} \newcommand{\atitl}{\titl: \stitl} \usepackage{color} \definecolor{lcol}{rgb}{0,0,0} %% \usepackage[a4paper,bookmarks=false, %% colorlinks=true,linkcolor=lcol,citecolor=lcol, %% filecolor=lcol,pagecolor=lcol,urlcolor=lcol, %% pdfauthor={Peter Gammie}, %% pdftitle={\atitl}, %% plainpages=false]{hyperref} \newcommand{\isafun}[1]{{\sf #1}} \renewcommand{\isastyletxt}{\isastyletext} \renewcommand{\isadigit}[1]{\ensuremath{#1}} \renewcommand{\isacharprime}{\ensuremath{\mathit{\mskip2mu'\mskip-2mu}}} %\renewcommand{\isanewline}{\mbox{}\\} \renewcommand{\isachardoublequote}{} \newcommand{\isahex}[1]{#1} \renewcommand{\isacharminus}{\mbox{--}} %\newcommand{\isavskip}{\vskip 1ex plus 0.5ex minus 0.2ex} %\newenvironment{isaparskip}{\parskip 0ex plus 0.1ex minus 0ex}{} \renewenvironment{isabelle}{\begin{isabellebody}}{\end{isabellebody}} \newenvironment{isatab}[1] {\isavskip\small \begin{tabular}{#1}} {\end{tabular}\isavskip} \newenvironment{isactab}[1] {\begin{center}\small \begin{tabular}{#1}} {\end{tabular}\end{center}} \newcommand{\Defs}[1]{\begin{isatab}{ll@{}}#1\end{isatab}} \newcommand{\ColDefs}[1]{\begin{isatab}{l@{~~$\equiv$~~}l@{}}#1\end{isatab}} %\newcommand{\pb}[1]{\parbox{0.95\columnwidth}{#1}} %\newcommand{\Def}[1]{\pb{#1}} \newcommand{\code}[1]{{% \small% \renewcommand{\isacharequal}{=}% \renewcommand{\isacharsemicolon}{;}% \renewcommand{\isacharcomma}{,}% \renewcommand{\isacharparenleft}{(}% \renewcommand{\isacharparenright}{)}% \renewcommand{\isacharunderscore}{\_}% \renewcommand{\isacharbang}{!}% \renewcommand{\isacharampersand}{\&}% 
\renewcommand{\isacharslash}{/}% \renewcommand{\isacharasterisk}{*{}}% \renewcommand{\isacharcolon}{:}% \renewcommand{\isacharbar}{|}% \renewcommand{\isacharminus}{-}% \renewcommand{\isacharplus}{+}% \renewcommand{\isasymlbrace}{\{}% \renewcommand{\isasymlbrace}{\}}% \renewcommand{\isachargreater}{>}% \renewcommand{\isacharless}{<}% \upshape\texttt{#1}}} \newcommand{\secref}[1]{Sect.~\ref{#1}} \newcommand{\Secref}[1]{Sect.~\ref{#1}} \newcommand{\figref}[1]{Fig.~\ref{#1}} \newcommand{\Figref}[1]{Fig.~\ref{#1}} \newcommand{\tblref}[1]{Table~\ref{#1}} \newcommand{\Tblref}[1]{Table~\ref{#1}} \newcommand{\thmref}[1]{theorem~\ref{#1}} \newcommand{\Thmref}[1]{Theorem~\ref{#1}} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Sane default for proof documents \parindent 0pt \parskip 0.5ex % Bibliography \usepackage{natbib} \bibpunct();A{}, \begin{document} \newcommand{\gcalt}{\mathbin{[]}} \title{\titl}% \author{Peter Gammie} \maketitle \begin{abstract} Knowledge-based programs (KBPs) are a formalism for directly relating an agent's knowledge and behaviour. Here we present a general scheme for compiling KBPs to executable automata with a proof of correctness in Isabelle/HOL. We develop the algorithm top-down, using Isabelle's locale mechanism to structure these proofs, and show that two classic examples can be synthesised using Isabelle's code generator. \end{abstract} \tableofcontents \section{Introduction} \label{sec:introduction} \label{sec:kbps-robot-intro} Imagine a robot stranded at zero on a discrete number line, hoping to reach and remain in the goal region $\{2,3,4\}$. The environment helpfully pushes the robot to the right, zero or one steps per unit time, and the robot can sense the current position with an error of plus or minus one. If the only action the robot can take is to halt at its current position, what program should it execute? 
%\begin{figure}[ht] \setlength{\unitlength}{0.1\textwidth} \begin{center} \begin{picture}(7.5,1.5) \put(0,0){\includegraphics[width=7.5\unitlength]{Robot}} \newcounter{Xordinate} \multiput(0,0)(1,0){7}{% \makebox(1,0.5){$\arabic{Xordinate}$% \stepcounter{Xordinate}}} \put(2.8,0.6){\makebox(2,0.5){goal}} \end{picture} \end{center} %\end{figure} An intuitive way to specify the robot's behaviour is with this \emph{knowledge-based program} (KBP), using the syntax of Dijkstra's guarded commands: \begin{center} \begin{tabular}{lll} $\mathbf{do}$\\ & $\gcalt$ $\mathbf{K}_{\mbox{robot}}$ goal & $\rightarrow$ Halt\\ & $\gcalt$ $\lnot\mathbf{K}_{\mbox{robot}}$ goal & $\rightarrow$ Nothing\\ $\mathbf{od}$\\ \end{tabular} \end{center} Here ``$\mathbf{K}_{\mbox{robot}}$ goal'' intuitively denotes ``the robot knows it is in the goal region'' \cite[Example~7.2.2]{FHMV:1995}. We will make this precise in \S\ref{sec:kbps-theory-kbps-semantics}, but for now note that what the robot knows depends on the rest of the scenario, which in general may involve other agents also running KBPs. In a sense a KBP is a very literal rendition of a venerable artificial intelligence trope, that what an agent does should depend on its knowledge, and what an agent knows depends on what it does. It has been argued elsewhere \cite{DBLP:conf/lpar/BickfordCHP04,EvdMM2000:FOSSACS,FHMV:1995} that this is a useful level of abstraction at which to reason about distributed systems, and some kinds of multi-agent systems \cite{Shoham:2008}. The cost is that these specifications are not directly executable, and it may take significant effort to find a concrete program that has the required behaviour. The robot does have a simple implementation however: it should halt iff the sensor reads at least 3. That this is correct can be shown by an epistemic model checker such as MCK \cite{DBLP:conf/cav/GammieM04} or pencil-and-paper refinement \cite{EvdMM2000:FOSSACS}. 
In contrast the goal of this work is to algorithmically discover such implementations, which is a step towards making the work of van der Meyden \cite{Ron:1996} practical. The contributions of this work are as follows: \S\ref{sec:kbps-logic-of-knowledge} develops enough of the theory of KBPs in Isabelle/HOL \cite{Nipkow-Paulson-Wenzel:2002} to support a formal proof of the possibility of their implementation by finite-state automata (\S\ref{sec:kbps-automata-synthesis}). The later sections extend this development with a full top-down derivation of an original algorithm that constructs these implementations (\S\ref{sec:kbps-alg}) and two instances of it (\S\ref{sec:kbps-spr-single-agent} and \S\ref{sec:kbps-broadcast-envs}), culminating in the mechanical synthesis of two standard examples from the literature: the aforementioned robot (\S\ref{sec:robot}) and the muddy children (\S\ref{sec:mc}). We make judicious use of parametric polymorphism and Isabelle's locale mechanism \cite{DBLP:conf/mkm/Ballarin06} to establish and instantiate this theory in a top-down style. Isabelle's code generator \cite{Haftmann-Nipkow:2010:code} allows the algorithm developed here to be directly executed on the two examples, showing that the theory is both sound and usable. The complete development, available from the Archive of Formal Proofs \cite{Gammie:2011}, includes the full formal details of all claims made in this paper. In the following we adopt the Isabelle convention of using an apostrophe to prefix fixed but unknown types, such as \isa{{\isacharprime}a}, and postfix type constructors as in \isa{{\isacharprime}a\ \isafun{list}}. Other non-standard syntax will be explained as it arises. % We don't use "session.tex" as it includes all the dependencies. 
\input{Kripke} \input{KBPs} \input{KBPsAuto} \input{DFS} \input{MapOps} \input{KBPsAlg} \input{Views} \input{ClockView} \input{SPRView} \input{SPRViewSingle} \input{SPRViewDet} \input{SPRViewNonDet} \input{SPRViewNonDetIndInit} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \section{Examples} \label{sec:kbps-theory-examples} We demonstrate the theory by using Isabelle's code generator to run it on two standard examples: the Robot from \S\ref{sec:kbps-robot-intro}, and the classic muddy children puzzle. \input{Robot} \input{MuddyChildren} \section{Perspective and related work} \label{sec:perspective} \label{sec:kbps-alg-reduction} The most challenging and time-consuming aspect of mechanising this theory was making definitions suitable for the code generator. For example, we could have used a locale to model the interface to the maps in \S\ref{sec:kbps-alg}, but as as the code generator presently does not cope with functions arising from locale interpretation, we are forced to say things at least twice if we try to use both features, as we implicitly did in \S\ref{sec:kbps-alg}. Whether it is more convenient or even necessary to use a record and predicate or a locale presently requires experimentation and guidance from experienced users. As reflected by the traffic on the Isabelle mailing list, a common stumbling block when using the code generator is the treatment of sets. The existing libraries are insufficiently general: Florian Haftmann's \emph{Cset} theory\footnote{The theory \emph{Cset} accompanies the Isabelle/HOL distribution.} does not readily support a choice operator, such as the one we used in \S\ref{def:choice}. Even the heroics of the Isabelle Collections Framework \cite{DBLP:conf/itp/LammichL10} are insufficient as there equality on keys is structural (i.e., HOL equality), forcing us to either use a canonical representation (such as ordered distinct lists) or redo the relevant proofs with reified operations (equality, orderings, etc.). 
Neither of these is satisfying from the perspective of reuse. Working with suitably general theories, e.g., using data refinement, is difficult as the simplifier is significantly less helpful for reasoning under abstract quotients, such as those in \S\ref{sec:kbps-alg}; what could typically be shown by equational rewriting now involves reasoning about existentials. For this reason we have only allowed some types to be refined; the representations of observations and system states are constant throughout our development, which may preclude some optimisations. The recent work of Kaliszyk and Urban \cite{Quotients:2011} addresses these issues for concrete quotients, but not for the abstract ones that arise in this kind of top-down development. As for the use of knowledge in formally reasoning about systems, this and similar semantics are under increasing scrutiny due to their relation to security properties. Despite the explosion in number of epistemic model checkers \cite{vanEijck:DEMO:2005,DBLP:conf/cav/GammieM04,DBLP:journals/fuin/KacprzakNNPPSWZ08,DBLP:conf/cav/LomuscioQR09}, finding implementations of knowledge-based programs remains a substantially manual affair \cite{Ron:2010}. A refinement framework has also been developed \cite{DBLP:conf/lpar/BickfordCHP04,EvdMM2000:FOSSACS}. The theory presented here supports a more efficient implementation using symbolic techniques, ala MCK; recasting the operations of the \isafun{SimEnvironment} locale into boolean decision diagrams is straightforward. It is readily generalised to other synchronous views, as alluded to in \S\ref{sec:kbps-spr-single-agent}, and adding a common knowledge modality, useful for talking about consensus \cite[Chapter~6]{FHMV:1995}, is routine. We hope that such an implementation will lead to more exploration of the KBP formalism. \section{Acknowledgements} Thanks to Kai Engelhardt for general discussions and for his autonomous robot graphic. 
Florian Haftmann provided much advice on using Isabelle/HOL's code generator and Andreas Lochbihler illuminated the darker corners of the locale mechanism. The implementation of Hopcroft's algorithm is due to Gerwin Klein. I am grateful to David Greenaway, Gerwin Klein, Toby Murray and Bernie Pope for their helpful comments. This work was completed while I was employed by the L4.verified project at NICTA. NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the IT Centre of Excellence program. \bibliographystyle{plainnat} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/KD_Tree/document/root.tex b/thys/KD_Tree/document/root.tex --- a/thys/KD_Tree/document/root.tex +++ b/thys/KD_Tree/document/root.tex 
@@ -1,67 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage{alltt} %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Multidimensional Binary Search Trees} \author{Martin Rau} \maketitle \begin{abstract} This entry provides a formalization of multidimensional binary trees, also known as $k$-d trees. It includes a balanced build algorithm as well as the nearest neighbor algorithm and the range search algorithm. It is based on the papers "Multidimensional binary search trees used for associative searching"~\cite{DBLP:journals/cacm/Bentley75} and "An Algorithm for Finding Best Matches in Logarithmic Expected Time"~\cite{DBLP:journals/toms/FriedmanBF77}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Key_Agreement_Strong_Adversaries/document/root.tex b/thys/Key_Agreement_Strong_Adversaries/document/root.tex --- a/thys/Key_Agreement_Strong_Adversaries/document/root.tex +++ b/thys/Key_Agreement_Strong_Adversaries/document/root.tex 
@@ -1,56 +1,57 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % Project: Refining Authenticated Key Agreement with Strong Adversaries % % Module: document/root.tex (Isabelle/HOL 2016-1) % ID: $Id: root.tex 132885 2016-12-23 18:41:32Z csprenge $ % Author: Christoph Sprenger, ETH Zurich % % root file for generation of PDF document % % Copyright (c) 2015-2016 Christoph Sprenger % Licence: LGPL % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % additional packages \usepackage{graphicx} % to display session graph \usepackage{a4wide} % have each section start on a fresh page \renewcommand{\isamarkupsection}[1]{\newpage\section{#1}} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Refining Authenticated Key Agreement with Strong Adversaries} \author{Joseph Lallemand, Christoph Sprenger, and David Basin} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % display the theory dependency graph \include{session_graph} % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} diff --git a/thys/Kleene_Algebra/document/root.tex b/thys/Kleene_Algebra/document/root.tex --- a/thys/Kleene_Algebra/document/root.tex +++ b/thys/Kleene_Algebra/document/root.tex 
@@ -1,81 +1,82 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Kleene Algebra} \author{Alasdair Armstrong, Victor B. F. Gomes, Georg Struth and Tjark Weber} \maketitle \begin{abstract} Variants of Dioids and Kleene algebras are formalised together with their most important models in Isabelle/HOL. The Kleene algebras presented include process algebras based on bisimulation equivalence (near Kleene algebras), simulation equivalence (pre-Kleene algebras) and language equivalence (Kleene algebras), as well as algebras with ambiguous finite or infinite iteration (Conway algebras), possibly infinite iteration (demonic refinement algebras), infinite iteration (omega algebras) and residuated variants (action algebras). Models implemented include binary relations, (regular) languages, sets of paths and traces, power series and matrices. Finally, min-plus and max-plus algebras as well as generalised Hoare logics for Kleene algebras and demonic refinement algebras are provided for applications. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introductory Remarks} These theory files are intended as a reference formalisation of variants of Kleene algebras and as a basis for other variants, such as Kleene algebras with tests~\cite{kat} and modal Kleene algebras~\cite{kad}, which are useful for program correctness and verification. To that end we have aimed at making proof accessible to readers at textbook granularity instead of fully automating them. In that sense, these files can be considered a machine-checked introduction to reasoning in Kleene algebra. Beyond that, the theories are only sparsely commented. 
Additional information on the hierarchy of Kleene algebras and its formalisation in Isabelle/HOL can be found in a tutorial paper~\cite{fosterstruthweber11tutorial} or an overview article~\cite{guttmannstruthweber11tarskikleene}. While these papers focus on the automation of algebraic reasoning, the present formalisation presents readable proofs whenever these are interesting and instructive. Expansions of the hierarchy to modal Kleene algebras, Kleene algebras with tests and Hoare logics as well as infinitary and higher-order Kleene algebras~\cite{guttmannstruthweber11algmeth,armstrongstruth12hoka}, and an alternative hierarchy of regular algebras and Kleene algebras~\cite{fosterstruth12regalg}---orthogonal to the present one---have also been implemented in the Archive of Formal Proofs~\cite{regalg,kad,kat,rel}. % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Knot_Theory/document/root.tex b/thys/Knot_Theory/document/root.tex --- a/thys/Knot_Theory/document/root.tex +++ b/thys/Knot_Theory/document/root.tex 
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Knot Theory} \author{T. V. H. Prathamesh} \maketitle \begin{abstract} This work contains a formalization of some topics in knot theory. The concepts that were formalized include definitions of tangles, links, framed links and link/tangle equivalence. The formalization is based on a formulation of links in terms of tangles. We further construct and prove the invariance of the Bracket polynomial. Bracket polynomial is an invariant of framed links closely linked to the Jones polynomial. This is perhaps the first attempt to formalize any aspect of knot theory in an interactive proof assistant. For further reference, one can refer to the paper "Formalising Knot Theory in Isabelle/HOL" in Interactive Theorem Proving, 6th International Conference, ITP 2015, Nanjing, China, August 24-27, 2015, Proceedings. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Knuth_Bendix_Order/document/root.tex b/thys/Knuth_Bendix_Order/document/root.tex --- a/thys/Knuth_Bendix_Order/document/root.tex +++ b/thys/Knuth_Bendix_Order/document/root.tex 
@@ -1,62 +1,62 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{Isa\kern-0.15exF\kern-0.15exo\kern-0.15exR}} \newcommand\ceta{\textsf{C\kern-0.15exe\kern-0.45exT\kern-0.45exA}} \begin{document} \title{A Formalization of Knuth--Bendix Orders\footnote{Supported by FWF (Austrian Science Fund) projects P27502 and Y757.}} \author{Christian Sternagel and Ren\'e Thiemann} \maketitle \begin{abstract} We define a generalized version of Knuth--Bendix orders, including subterm coefficient functions. For these orders we formalize several properties such as strong normalization, the subterm property, closure properties under substitutions and contexts, as well as ground totality. \end{abstract} \tableofcontents \section{Introduction} In their seminal paper \cite{KB70}, Knuth and Bendix introduced two important concepts: a procedure that allows us to solve certain instances of the word problem -- (Knuth--Bendix) completion -- as well as a specific order on terms that is useful to orient equations in the aforementioned procedure -- the Knuth--Bendix order (or KBO, for short). This AFP-entry is about the formalization of KBO. Note that there are several variants of KBO~\cite{KB70,DKM90,LW07,ZHM09,S89}, e.g., incorporating quasi-precedences, infinite signatures, subterm coefficient functions, and generalized weight functions. In fact, not for all of these variants well-foundedness has been proven. We give the first well-foundedness proof for a variant of KBO that combines infinite signatures, quasi-precedences, and subterm coefficient functions. Our proof is direct, i.e., it does not depend on Kruskal's tree theorem. 
This formalization is used in the \isafor/\ceta project~\cite{TS09b} for certifying untrusted termination and confluence proofs. For more details we refer to our RTA paper \cite{paper}. \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Knuth_Morris_Pratt/document/root.tex b/thys/Knuth_Morris_Pratt/document/root.tex --- a/thys/Knuth_Morris_Pratt/document/root.tex +++ b/thys/Knuth_Morris_Pratt/document/root.tex 
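Review bot: in the Knuth_Bendix_Order root.tex hunk, the `-` line that deletes the blank line after `\usepackage{isabelle,isabellesym}` is an unrelated whitespace change; every other file in this patch keeps its blank line, which is why this hunk header reads `@@ -1,62 +1,62 @@` instead of growing by one line like the others. Suggest dropping that deletion so the commit stays a pure `\usepackage[T1]{fontenc}` addition, or mentioning the whitespace cleanup in the commit message if it is intended.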
@@ -1,70 +1,71 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{wasysym} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The string search algorithm by Knuth, Morris and Pratt} \author{Fabian Hellauer and Peter Lammich} \maketitle \begin{abstract} The Knuth-Morris-Pratt algorithm\cite{KMP77} is often used to show that the problem of finding a string $s$ in a text $t$ can be solved deterministically in $O(|s| + |t|)$ time. We use the Isabelle Refinement Framework\cite{Refine_Monadic-AFP} to formulate and verify the algorithm. Via refinement, we apply some optimisations and finally use the \textit{Sepref} tool\cite{Refine_Imperative_HOL-AFP} to obtain executable code in \textit{Imperative/HOL}. \end{abstract} \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Koenigsberg_Friendship/document/root.tex b/thys/Koenigsberg_Friendship/document/root.tex --- a/thys/Koenigsberg_Friendship/document/root.tex +++ b/thys/Koenigsberg_Friendship/document/root.tex 
@@ -1,30 +1,31 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\koni}{\textrm{K\"{o}nigsberg}\ } \begin{document} \title{The \koni Bridge Problem and the Friendship Theorem} \author{Wenda Li} \maketitle \begin{abstract} This development provides a formalization of undirected graphs and simple graphs, which are based on Benedikt Nordhoff and Peter Lammich's simple formalization of labelled directed graphs \cite{website:isabelle_archive_shortest_path} in the archive. Then, with our formalization of graphs, we have shown both necessary and sufficient conditions for Eulerian trails and circuits \cite{koni_proof_lecture_notes} as well as the fact that the \koni Bridge problem does not have a solution. In addition, we have also shown the Friendship Theorem in simple graphs\cite{friend_combitorial,mertzios2008friendship}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Kruskal/document/root.tex b/thys/Kruskal/document/root.tex --- a/thys/Kruskal/document/root.tex +++ b/thys/Kruskal/document/root.tex 
@@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Kruskal's Algorithm for Minimum Spanning Forest} \author{Maximilian P.L. Haslbeck, Peter Lammich, Julian Biendarra} \maketitle \begin{abstract} This Isabelle/HOL formalization defines a greedy algorithm for finding a minimum weight basis on a weighted matroid and proves its correctness. This algorithm is an abstract version of Kruskal's algorithm. We interpret the abstract algorithm for the cycle matroid (i.e. forests in a graph) and refine it to imperative executable code using an efficient union-find data structure. Our formalization can be instantiated for different graph representations. We provide instantiations for undirected graphs and symmetric directed graphs. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \end{document} \ No newline at end of file diff --git a/thys/Kuratowski_Closure_Complement/document/root.tex b/thys/Kuratowski_Closure_Complement/document/root.tex --- a/thys/Kuratowski_Closure_Complement/document/root.tex +++ b/thys/Kuratowski_Closure_Complement/document/root.tex 
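Review bot: the Kruskal root.tex hunk leaves the `\ No newline at end of file` marker in place; since the file is being edited anyway, add the missing final newline after `\end{document}` so the marker disappears and later diffs of this file stay clean.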
@@ -1,52 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[a4paper,margin=1cm,footskip=.5cm]{geometry} \usepackage{isabelle,isabellesym} \usepackage{tikz} -\usepackage[utf8]{inputenc} - % Bibliography \usepackage[authoryear,sort]{natbib} \bibpunct();A{}, % Allow pdflatex to do some fancier spacing. \usepackage{microtype} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isacharunderscore}{\_} \begin{document} % sane default for proof documents \parindent 0pt\parskip 0.5ex \title{The Kuratowski Closure-Complement Theorem} \author{Peter Gammie and Gianpaolo Gioiosa} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{plainnat} \bibliography{root} \addcontentsline{toc}{section}{References} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LLL_Basis_Reduction/document/root.tex b/thys/LLL_Basis_Reduction/document/root.tex --- a/thys/LLL_Basis_Reduction/document/root.tex +++ b/thys/LLL_Basis_Reduction/document/root.tex 
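Review bot: in the Kuratowski_Closure_Complement root.tex hunk, removing `\usepackage[utf8]{inputenc}` (and the blank line after it) makes the file depend on the LaTeX kernel's default UTF-8 input encoding, which only exists from the 2018-04 release onward; the other files in this patch are purely additive, so this should either be called out in the commit message or the line kept, as it is harmless on current kernels. Loading the new `\usepackage[T1]{fontenc}` before `geometry`, `isabelle` and `microtype` is fine.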
@@ -1,146 +1,147 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \newcommand\GFpp[1]{\ensuremath{\text{GF}(#1)}} \newcommand\GFp{\GFpp{p}} \newcommand\ring[1][p^k]{\ensuremath{\ints/{#1}\ints}\xspace} \newcommand\tint{\isa{int}} \newcommand\tlist{\isa{list}} \newcommand\tpoly{\isa{poly}} \newcommand\tto{\Rightarrow} \newcommand\sqfree{\isa{square\_free}\xspace} \newcommand\norm[1]{|\!|#1|\!|} \newcommand\sqnorm[1]{\norm{#1}^2} \newcommand\lemma{\isakeyword{lemma}\xspace} \newcommand\assumes{\isakeyword{assumes}\xspace} \newcommand\idegree{\isa{degree}} \newcommand\iand{\isakeyword{and}\xspace} \newcommand\shows{\isakeyword{shows}} \newcommand\bz{\isa{berlekamp\_zassenhaus\_factorization}\xspace} \newcommand\fs{\mathit{fs}} \newcommand\listprod{\isa{prod\_list}} \newcommand\set{\isa{set}} \newcommand\irred{\isa{irreducible}} \newcommand\rTH[1]{Theorem~\ref{#1}} \newcommand\base[1]{(#1_0,\ldots,#1_{n-1})} \newcommand\Base[2][m]{{#2}_0,\ldots,{#2}_{#1-1}} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \newtheorem{theorem}{Theorem} \begin{document} \title{A verified LLL algorithm\footnote{Supported by FWF (Austrian Science Fund) project Y757. 
Jose Divas\'on is partially funded by the Spanish project MTM2017-88804-P.}} \author{Ralph Bottesch \and Jose Divas\'on \and Maximilian Haslbeck \and Sebastiaan Joosten \and Ren\'e Thiemann \and Akihisa Yamada} \maketitle \begin{abstract} The Lenstra\textendash{}Lenstra\textendash{}Lov\'asz basis reduction algorithm, also known as LLL algorithm, is an algorithm to find a basis with short, nearly orthogonal vectors of an integer lattice. Thereby, it can also be seen as an approximation to solve the shortest vector problem (SVP), which is an NP-hard problem, where the approximation quality solely depends on the dimension of the lattice, but not the lattice itself. The algorithm also possesses many applications in diverse fields of computer science, from cryptanalysis to number theory, but it is specially well-known since it was used to implement the first polynomial-time algorithm to factor polynomials. In this work we present the first mechanized soundness proof of the LLL algorithm to compute short vectors in lattices. The formalization follows a textbook by von~zur~Gathen and Gerhard~\cite{MCA}. \end{abstract} \tableofcontents \section{Introduction} The LLL basis reduction algorithm by Lenstra, Lenstra and Lov\'asz~\cite{LLL} is a remarkable algorithm with numerous applications in diverse fields. For instance, it can be used for finding the minimal polynomial of an algebraic number given to a good enough approximation, for finding integer relations, for integer programming and even for breaking knapsack based cryptographic protocols. Its most famous application is a polynomial-time algorithm to factor integer polynomials. Moreover, the LLL algorithm is used as part of the best known polynomial factorization algorithm that is used in today's computer algebra systems. In this work we implement it in Isabelle/HOL and fully formalize the correctness of the implementation. 
The algorithm is parametric by some $\alpha > \frac43$, and given $\isa{fs}$ a list of $m$-linearly independent vectors $\Base {\isa{fs}} \in \ints^n$, it computes a short vector whose norm is at most $\alpha^{\frac{m-1}2}$ larger than the norm of any nonzero vector in the lattice generated by the vectors of the list $\isa{fs}$. The soundness theorem follows. \begin{theorem}[Soundness of LLL algorithm] \label{thm:LLL} \begin{align*} &\lemma\ short\_vector:\\ &\assumes\ \alpha \geq 4 / 3\\ &\iand\ lin\_indpt\_list\ (RAT\ fs)\\ &\iand\ short\_vector\ \alpha\ fs = v\\ &\iand\ length\ fs = m\\ &\iand\ m \neq 0\\ &\shows\ v \in lattice\_of\ fs - \{0_v\;\isa n\}\\ &\iand\ h \in lattice\_of\ fs - \{0_v\;\isa n\} \longrightarrow \sqnorm{\isa v} \leq \alpha^{\isa m-1} \cdot \sqnorm{\isa{h}} \end{align*} \end{theorem} To this end, we have performed the following tasks: \begin{itemize} \item We firstly have to improve some AFP entries, as well as generalize several concepts from the standard library. \item We have to develop a library about norms of vectors and their properties. \item We formalize the Gram--Schmidt orthogonalization procedure, which is a crucial sub-routine of the LLL algorithm. Indeed, we already formalized this procedure in Isabelle as a function \isa{gram\_schmidt} when proving the existence of Jordan normal forms \cite{ThiemannY16}. Unfortunately, lemma \isa{gram\_schmidt} does not suffice for verifying the LLL algorithm and we have had to extend such a formalization. \item We prove the termination of the algorithm and its soundness. \item We prove polynomial runtime complexity by showing that there is a polynomial bound on the required number of arithmetic operations. Moreover, we formally prove that the representation size of the numbers that occur during the executation stays polynomial. \end{itemize} To our knowledge, this is the first formalization of the LLL algorithm in any theorem prover. 
% sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LLL_Factorization/document/root.tex b/thys/LLL_Factorization/document/root.tex --- a/thys/LLL_Factorization/document/root.tex +++ b/thys/LLL_Factorization/document/root.tex 
@@ -1,222 +1,223 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\lc[1]{\mathsf{lc}(#1)} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \newcommand\GFpp[1]{\ensuremath{\text{GF}(#1)}} \newcommand\GFp{\GFpp{p}} \newcommand\ring[1][p^k]{\ensuremath{\ints/{#1}\ints}\xspace} \newcommand\tint{\isa{int}} \newcommand\tlist{\isa{list}} \newcommand\tpoly{\isa{poly}} \newcommand\tto{\Rightarrow} \newcommand\sqfree{\isa{square\_free}\xspace} \newcommand\norm[1]{|\!|#1|\!|} \newcommand\sqnorm[1]{\norm{#1}^2} \newcommand\lemma{\isakeyword{lemma}\xspace} \newcommand\assumes{\isakeyword{assumes}\xspace} \newcommand\idegree{\isa{degree}} \newcommand\iand{\isakeyword{and}\xspace} \newcommand\shows{\isakeyword{shows}} \newcommand\bz{\isa{berlekamp\_zassenhaus\_factorization}\xspace} \newcommand\fs{\mathit{fs}} \newcommand\listprod{\isa{prod\_list}} \newcommand\set{\isa{set}} \newcommand\irred{\isa{irreducible}} \newcommand\rTH[1]{Theorem~\ref{#1}} \newcommand\base[1]{(#1_0,\ldots,#1_{n-1})} \newcommand\Base[2][m]{{#2}_0,\ldots,{#2}_{#1-1}} \newcommand\degree[1]{\mathit{degree}(#1)} \newtheorem{theorem}{Theorem} \newtheorem{lemmas}{Lemma} \newtheorem{example}{Example} \renewcommand\gcd{\mathit{gcd}} \newcommand\rsub[1]{(\ref{#1})} \newcommand\rLE[1]{Lemma~\ref{#1}} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A verified factorization algorithm for integer polynomials with polynomial complexity\footnote{Supported by FWF (Austrian Science Fund) project Y757. 
Jose Divas\'on is partially funded by the Spanish project MTM2017-88804-P.}} \author{Jose Divas\'on \and Sebastiaan Joosten \and Ren\'e Thiemann \and Akihisa Yamada} \maketitle \begin{abstract} Short vectors in lattices and factors of integer polynomials are related. Each factor of an integer polynomial belongs to a certain lattice. When factoring polynomials, the condition that we are looking for an irreducible polynomial means that we must look for a \emph{small} element in a lattice, which can be done by a basis reduction algorithm. In this development we formalize this connection and thereby one main application of the LLL basis reduction algorithm: an algorithm to factor square-free integer polynomials which runs in polynomial time. The work is based on our previous Berlekamp--Zassenhaus development, where the exponential reconstruction phase has been replaced by the polynomial-time basis reduction algorithm. Thanks to this formalization we found a serious flaw in a textbook. \end{abstract} \tableofcontents \section{Introduction} In order to factor an integer polynomial $f$, we may assume a \emph{modular} factorization of $f$ into several monic factors $u_i$: $f \equiv \lc f \cdot \prod_i u_i$ modulo $m$ where $m = p^l$ is some prime power for user-specified $l$. In Isabelle, we just reuse our verified modular factorization algorithm~\cite{BZ_CPP17} to obtain the modular factorization of $f$. We briefly explain how to compute non-trivial integer factors of $f$. The key is the following lemma~\cite[Lemma~16.20]{MCA}. \begin{lemmas}[{\cite[Lemma~16.20]{MCA}}] \label{lemma_16.20} Let $f,g,u$ be non-constant integer polynomials. Let $u$ be monic. If $u$ divides $f$ modulo $m$, $u$ divides $g$ modulo $m$, and $\norm f^{\degree g} \cdot \norm g^{\degree f} < m$, then $h = \gcd(f,g)$ is non-constant. \end{lemmas} Let $f$ be a polynomial of degree $n$. Let $u$ be any degree-$d$ factor of $f$ modulo~$m$. 
Now assume that $f$ is reducible, so $f = f_1 \cdot f_2$ where w.l.o.g., we assume that $u$ divides $f_1$ modulo $m$ and that $0 < \degree{f_1} < n$. Let us further assume that a lattice $L_{u,k}$ encodes the set of all polynomials of degree below $d+k$ (as vectors of length $d+k$) which are divisible by $u$ modulo~$m$. Fix $k = n - d$. Then clearly, $f_1 \in L_{u,k}$. In order to instantiate \rLE{lemma_16.20}, it now suffices to take $g$ as the polynomial corresponding to any short vector in $L_{u,k}$: $u$ will divide $g$ modulo $m$ by definition of $L_{u,k}$ and moreover $\degree g < n$. The short vector requirement will provide an upper bound to satisfy the assumption $\norm f^{\degree g} \cdot \norm g^{\degree f} < m$. \begin{align} \label{g_ineq} & \norm g \leq 2^{(n - 1)/2} \cdot \norm{f_1} \leq 2^{(n - 1)/2} \cdot 2^{n-1} \norm f = 2^{3(n-1)/2} \norm f \\ \label{full_ineq} \norm f^{\degree g} \cdot & \norm g^{\degree f} \leq \norm f^{n-1} \cdot (2^{3(n - 1)/2} \norm f)^{n} = \norm f^{2n-1} \cdot 2^{3n(n - 1)/2} \end{align} Here, the first inequality in \rsub{g_ineq} is the short vector approximation ($f_1 \in L_{u,k}$). The second inequality in \rsub{g_ineq} is Mignotte's factor bound ($f_1$ is a factor of $f$). Finally, \rsub{g_ineq} is used as an approximation of $\norm g$ in \rsub{full_ineq}. Hence, if $l$ is chosen large enough so that $m = p^l > \norm f^{2n-1} \cdot 2^{3n(n - 1)/2}$ then all preconditions of \rLE{lemma_16.20} are satisfied, and $h = \gcd(f,g)$ will be a non-constant factor of $f$. Since the degree of $h$ will be strictly less than $n$, $h$ is also a proper factor of $f$, i.e., in particular $h \notin \{1,f\}$. The textbook~\cite{MCA} also describes the general idea of the factorization algorithm based on the previous lemma in prose, and then presents an algorithm in pseudo-code which slightly extends the idea by directly splitting off \emph{irreducible} factors~\cite[Algorithm~16.22]{MCA}. 
We initially implemented and tried to verify this pseudo-code algorithm (see files \texttt{Factorization\_Algorithm\_16\_22.thy} and \texttt{Modern\_Computer\_Algebra\_Problem.thy}). After some work, we had only one remaining goal to prove: the content of the polynomial $g$ corresponding to the short vector is not divisible by the chosen prime $p$. However, we were unable to figure out how to discharge this goal and then also started to search for inputs where the algorithm delivers wrong results. After a while we realized that Algorithm~16.22 indeed has a serious flaw as demonstrated in the upcoming example. \begin{example} Consider the square-free and content-free polynomial $f = (1+x) \cdot (1 + x + x^3)$. Then according to Algorithm 16.22 we determine \begin{itemize} \item the prime $p = 2$ \item the exponent $l = 61$ \\ (our new formalized algorithm uses a tighter bound which results in $l = 41$) \item the leading coefficient $b = 1$ \item the value $B = 96$ \item the factorization mod $p$ via $h_1 = 1 + x$, $h_2 = 1 + x + x^3$ \item the factorization mod $p^l$ via $g_1 = 1 + x$, $g_2 = 1 + x + x^3$ \item $f^* = f$, $T = \{1,2\}$, $G = \emptyset$. \item we enter the loop and in the first iteration choose \item $u = 1 + x + x^3$, $d = 3$, $j = 4$ \item we consider the lattice generated by $(1,1,0,1)$, $(p^l,0,0,0)$, $(0,p^l,0,0)$, $(0,0,p^l,0)$. \item now we obtain a short vector in the lattice: $g^* = (2,2,0,2)$. \\ Note that $g^*$ has not really been computed by Algorithm 16.10, but it satisfies the soundness criterion, i.e., it is a sufficiently short vector in the lattice. To see this, note that a shortest vector in the lattice is $(1,1,0,1)$. \[ \norm{g^*} = 2 \cdot \sqrt 3 \leq 2 \cdot \sqrt 2 \cdot \sqrt 3 = 2^{(j-1)/2} \cdot \norm{(1,1,0,1)} \] So $g^*$ has the required precision that was assumed by the short-vector calculation. \item the problem at this point is that $p$ divides the content of $g^*$. 
Consequently, every polynomial divides $g^*$ mod $p$. Thus in step 9 we compute $S = T$, $h = 1$, enter the then-branch and update $T = \emptyset$, $G = G \cup \{1 + x + x^3\}$, $f^* = 1$, $b = 1$. \item Then in step 10 we update $G = \{1 + x + x^3, 1\}$ and finally return that the factorization of $f$ is $(1 + x + x^3) \cdot 1$. \end{itemize} \end{example} More details about the bug and some other wrong results presented in the book are shown in the file \texttt{Modern\_Computer\_Algebra\_Problem.thy}. Once we realized the problem, we derived another algorithm based on Lemma~\ref{lemma_16.20}, which also runs in polynomial-time, and prove its soundness in Isabelle/HOL. The corresponding Isabelle statement is as follows: \begin{theorem}[LLL Factorization Algorithm] \label{thm:LLL_factorization} \begin{align*} & \assumes\ \sqfree\ (f :: \tint\ \tpoly) \\ & \iand\ \idegree\ f \neq 0 \\ & \iand\ \isa{LLL\_factorization}\ f = gs \\ & \shows\ f = \listprod\ gs\ \\ & \iand\ \forall g_i \in \set\ gs.\ \irred\ g_i \end{align*} \end{theorem} Finally, we also have been able to fix Algorithm~16.22 and provide a formal correctness proof of the the slightly modified version. It can be seen as an implementation of the pseudo-code factorization algorithm given by Lenstra, Lenstra, and Lov{\'a}sz \cite{LLL}. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LOFT/document/root.tex b/thys/LOFT/document/root.tex --- a/thys/LOFT/document/root.tex +++ b/thys/LOFT/document/root.tex 
@@ -1,122 +1,122 @@ \documentclass[a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ -\usepackage[utf8]{inputenc} \usepackage{makeidx} \usepackage{graphicx} \usepackage{tabularx} \usepackage{amssymb} \usepackage{amsmath} \usepackage{color} \usepackage{booktabs} \newcommand{\todo}[1]{\textcolor{red}{TODO: #1}} \usepackage{pifont} \usepackage{tikz} \usetikzlibrary{calc} \usepackage{moeptikz} \usepackage{flushend} \usepackage{stmaryrd} \usepackage{mathtools} \hyphenation{swit-ches} \usepackage{alphabeta} \usepackage{url} \usepackage{tikz} \usetikzlibrary{calc,positioning} \widowpenalty100000 \clubpenalty100000 \usepackage{pbox} \usepackage{subcaption} \usepackage{framed} \usepackage{listings} \lstset{breaklines=true,numbers=left,numberstyle=\tiny\color{gray},basicstyle=\footnotesize\ttfamily} \usepackage{pgfplots} \columnsep 2pc % Space between columns \textwidth 42pc % Width of text line. \oddsidemargin 4.5pc \evensidemargin 4.5pc \advance\oddsidemargin by -1.11in % Correct for LaTeX gratuitousness \advance\evensidemargin by -1.11in % Correct for LaTeX gratuitousness \marginparwidth 0pt % Margin pars are not allowed. 
\marginparsep 11pt % Horizontal space between outer margin and \emergencystretch=10cm % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \usepackage[english]{babel} % for \frqq (whatever that actually is) \begin{document} \title{LOFT — Verified Migration of Linux Firewalls to SDN} \author{Julius Michaelis and Cornelius Diekmann} \maketitle \begin{abstract} We present LOFT — \emph{L}inux firewall \emph{O}pen\emph{F}low \emph{T}ranslator, a system that transforms the main routing table and \texttt{FORWARD} chain of iptables of a Linux-based firewall into a set of static OpenFlow rules. Our implementation is verified against a model of a simplified Linux-based router and we can directly show how much of the original functionality is preserved. \end{abstract} \vspace{1em} Please note that this document is organized in two distinct parts. The first part contains the necessary definitions, helper lemmas and proofs in all their technicality as made in the theory code. The second part reiterates the most important definitions and proofs in a manner that is more suitable for human readers and enriches them with detailed explanations in natural language. Any interested reader should start from there. Many of the considerations that have led to the definitions made here have been explained in \cite{michaelis2016middlebox}. \tableofcontents \newpage \part{Code} % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{session} \input{chap3} \bibliographystyle{abbrv} \bibliography{root} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LTL/document/root.tex b/thys/LTL/document/root.tex --- a/thys/LTL/document/root.tex +++ b/thys/LTL/document/root.tex 
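Review bot: dropping `\usepackage[utf8]{inputenc}` in this hunk leaves the literal em-dash characters in `\title{LOFT — Verified Migration of Linux Firewalls to SDN}` and in `We present LOFT — \emph{L}inux firewall ...` dependent on the kernel's UTF-8 default (LaTeX 2018-04-01 or newer); if the build toolchain is pinned to a recent TeX Live that is fine, otherwise write them as `---`. Unrelated but visible in the same context: `\usepackage{tikz}` and `\usetikzlibrary{calc}` are each loaded twice, and the second copies could be removed.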
@@ -1,48 +1,44 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} - \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} -\usepackage[T1]{fontenc} - % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Linear Temporal Logic} \author{Salomon Sickert} \maketitle \begin{abstract} This theory provides a formalisation of linear temporal logic (LTL) and unifies previous formalisations within the AFP. This entry establishes syntax and semantics for this logic and decouples it from existing entries, yielding a common environment for theories reasoning about LTL. Furthermore a parser written in SML and an executable simplifier are provided. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LTL_Master_Theorem/document/root.tex b/thys/LTL_Master_Theorem/document/root.tex --- a/thys/LTL_Master_Theorem/document/root.tex +++ b/thys/LTL_Master_Theorem/document/root.tex 
@@ -1,55 +1,51 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} - \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} -\usepackage[T1]{fontenc} - % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A Compositional and Unified Translation of LTL into $\omega$-Automata} \author{Benedikt Seidl and Salomon Sickert} \maketitle \begin{abstract} We present a formalisation of the unified translation approach of linear temporal logic (LTL) into $\omega$-automata from \cite{DBLP:conf/lics/EsparzaKS18}. This approach decomposes LTL formulas into ``simple'' languages and allows a clear separation of concerns: first, we formalise the purely logical result yielding this decomposition; second, we instantiate this generic theory to obtain a construction for deterministic (state-based) Rabin automata (DRA). We extract from this particular instantiation an executable tool translating LTL to DRAs. To the best of our knowledge this is the first verified translation from LTL to DRAs that is proven to be double exponential in the worst case which asymptotically matches the known lower bound. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LTL_Normal_Form/document/root.tex b/thys/LTL_Normal_Form/document/root.tex --- a/thys/LTL_Normal_Form/document/root.tex +++ b/thys/LTL_Normal_Form/document/root.tex 
@@ -1,110 +1,106 @@ \RequirePackage{luatex85} \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} - \usepackage{mathtools,amsthm,amssymb} \usepackage{isabelle,isabellesym} -\usepackage[T1]{fontenc} - % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} % LTL Operators \newcommand{\true}{{\ensuremath{\mathbf{t\hspace{-0.5pt}t}}}} \newcommand{\false}{{\ensuremath{\mathbf{ff}}}} \newcommand{\F}{{\ensuremath{\mathbf{F}}}} \newcommand{\GG}{{\ensuremath{\mathbf{G}}}} \newcommand{\X}{{\ensuremath{\mathbf{X}}}} \newcommand{\UU}{{\ensuremath{\mathbf{U}}}} \newcommand{\W}{{\ensuremath{\mathbf{W}}}} \newcommand{\M}{{\ensuremath{\mathbf{M}}}} \newcommand{\R}{{\ensuremath{\mathbf{R}}}} % LTL Subformulas \newcommand{\subf}{\textit{sf}\,} \newcommand{\sfmu}{{\ensuremath{\mathbb{\mu}}}} \newcommand{\sfnu}{{\ensuremath{\mathbb{\nu}}}} \newcommand{\setmu}{\ensuremath{M}} \newcommand{\setnu}{\ensuremath{N}} \newcommand{\setF}{\ensuremath{\mathcal{F}}} \newcommand{\setG}{\ensuremath{\mathcal{G}}} \newcommand{\setFG}{\ensuremath{\mathcal{F\hspace{-0.1em}G}}} \newcommand{\setGF}{\ensuremath{\mathcal{G\hspace{-0.1em}F}\!}} % LTL Functions \newcommand{\evalnu}[2]{{#1[#2]^\Pi_1}} \newcommand{\evalmu}[2]{{#1[#2]^\Sigma_1}} \newcommand{\flatten}[2]{{#1[#2]^\Sigma_2}} \newcommand{\flattentwo}[2]{{#1[#2]^\Pi_2}} \newtheorem{theorem}{Theorem} \newtheorem{definition}[theorem]{Definition} \newtheorem{lemma}[theorem]{Lemma} \newtheorem{corollary}[theorem]{Corollary} \newtheorem{proposition}[theorem]{Proposition} \newtheorem{example}[theorem]{Example} \newtheorem{remark}[theorem]{Remark} \begin{document} \title{An Efficient Normalisation Procedure for Linear Temporal Logic: Isabelle/HOL Formalisation} \author{Salomon Sickert} \maketitle \begin{abstract} In the mid 
80s, Lichtenstein, Pnueli, and Zuck proved a classical theorem stating that every formula of Past LTL (the extension of LTL with past operators) is equivalent to a formula of the form $\bigwedge_{i=1}^n \GG\F \varphi_i \vee \F\GG \psi_i $, where $\varphi_i$ and $\psi_i$ contain only past operators \cite{DBLP:conf/lop/LichtensteinPZ85,XXXX:phd/Zuck86}. Some years later, Chang, Manna, and Pnueli built on this result to derive a similar normal form for LTL \cite{DBLP:conf/icalp/ChangMP92}. Both normalisation procedures have a non-elementary worst-case blow-up, and follow an involved path from formulas to counter-free automata to star-free regular expressions and back to formulas. We improve on both points. We present an executable formalisation of a direct and purely syntactic normalisation procedure for LTL yielding a normal form, comparable to the one by Chang, Manna, and Pnueli, that has only a single exponential blow-up. \end{abstract} \tableofcontents \section{Overview} This document contains the formalisation of the central results appearing in \cite[Sections 4-6]{XXXX:conf/lics/SickertE20}. We refer the interested reader to \cite{XXXX:conf/lics/SickertE20} or to the extended version \cite{DBLP:journals/corr/abs-2005-00472} for an introduction to the topic, related work, intuitive explanations of the proofs, and an application of the normalisation procedure, namely, a translation from LTL to deterministic automata. The central result of this document is the following theorem: \begin{theorem} Let $\varphi$ be an LTL formula and let $\Delta_2$, $\Sigma_1$, $\Sigma_2$, and $\Pi_1$ be the classes of LTL formulas from Definition \ref{def:future_hierarchy}. 
Then $\varphi$ is equivalent to the following formula from the class $\Delta_2$: \[ \bigvee_{\substack{\setmu \subseteq \sfmu(\varphi)\\\setnu \subseteq \sfnu(\varphi)}} \left( \flatten{\varphi}{\setmu} \wedge \bigwedge_{\psi \in \setmu} \GG\F(\evalmu{\psi}{\setnu}) \wedge \bigwedge_{\psi \in \setnu} \F\GG(\evalnu{\psi}{\setmu}) \right) \] \noindent where $\flatten{\psi}{\setmu}$, $\evalmu{\psi}{\setnu}$, and $\evalnu{\psi}{\setmu}$ are functions mapping $\psi$ to a formula from $\Sigma_2$, $\Sigma_1$, and $\Pi_1$, respectively. \end{theorem} \begin{definition}[Adapted from \cite{DBLP:conf/mfcs/CernaP03}] \label{def:future_hierarchy} We define the following classes of LTL formulas: \begin{itemize} \item The class $\Sigma_0 = \Pi_0 = \Delta_0$ is the least set containing all atomic propositions and their negations, and is closed under the application of conjunction and disjunction. \item The class $\Sigma_{i+1}$ is the least set containing $\Pi_i$ and is closed under the application of conjunction, disjunction, and the $\X$, $\UU$, and $\M$ operators. \item The class $\Pi_{i+1}$ is the least set containing $\Sigma_i$ and is closed under the application of conjunction, disjunction, and the $\X$, $\R$, and $\W$ operators. \item The class $\Delta_{i+1}$ is the least set containing $\Sigma_{i+1}$ and $\Pi_{i+1}$ and is closed under the application of conjunction and disjunction. \end{itemize} \end{definition} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{plainurl} \bibliography{root} \end{document} diff --git a/thys/LTL_to_DRA/document/root.tex b/thys/LTL_to_DRA/document/root.tex --- a/thys/LTL_to_DRA/document/root.tex +++ b/thys/LTL_to_DRA/document/root.tex 
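Review bot: this file starts with `\RequirePackage{luatex85}`, so it is built with LuaLaTeX, where `inputenc` was already a no-op; removing it is correct, and loading `\usepackage[T1]{fontenc}` first keeps the 8-bit font setup consistent with the other entries instead of switching to fontspec. Two things in the unchanged context deserve a follow-up: the citation keys `XXXX:phd/Zuck86` and `XXXX:conf/lics/SickertE20` read like placeholder keys, and `\cite[Sections 4-6]{...}` should use an en-dash (`4--6`).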
@@ -1,50 +1,46 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} - \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} -\usepackage[T1]{fontenc} - % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Converting Linear Temporal Logic to Deterministic (Generalized) Rabin Automata} \author{Salomon Sickert} \maketitle \begin{abstract} Recently a new method directly translating linear temporal logic (LTL) formulas to deterministic (generalized) Rabin automata was described in \cite{DBLP:journals/fmsd/EsparzaKS16}. Compared to the existing approaches of constructing a non-deterministic Buechi-automaton in the first step and then applying a determinization procedure (e.g. some variant of Safra's construction) in a second step, this new approach preservers a relation between the formula and the states of the resulting automaton. While the old approach produced a monolithic structure, the new method is compositional. Furthermore it was shown in some cases the resulting automata were much smaller than the automata generated by existing approaches. In order to guarantee the correctness of the construction this entry contains a complete formalisation and verification of the translation. Furthermore from this basis executable code is generated. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LTL_to_GBA/document/root.tex b/thys/LTL_to_GBA/document/root.tex --- a/thys/LTL_to_GBA/document/root.tex +++ b/thys/LTL_to_GBA/document/root.tex 
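Review bot: the change itself is fine; in the unchanged abstract, "preservers a relation" should read "preserves", "Buechi-automaton" could be typeset as `B\"uchi` as the LTL_to_GBA entry does, and "it was shown in some cases the resulting automata" is missing "that".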
@@ -1,53 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Converting Linear-Time Temporal Logic to Generalized B\"uchi Automata} \author{Alexander Schimpf and Peter Lammich} \maketitle \begin{abstract} We formalize linear-time temporal logic (LTL) and the algorithm by Gerth et al.\ to convert LTL formulas to generalized B\"uchi automata. We also formalize some syntactic rewrite rules that can be applied to optimize the LTL formula before conversion. Moreover, we integrate the Stuttering Equivalence AFP-Entry by Stefan Merz, adapting the lemma that next-free LTL formula cannot distinguish between stuttering equivalent runs to our setting. We use the Isabelle Refinement and Collection framework, as well as the Autoref tool, to obtain a refined version of our algorithm, from which efficiently executable code can be extracted. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{intro} % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Lam-ml-Normalization/document/root.tex b/thys/Lam-ml-Normalization/document/root.tex --- a/thys/Lam-ml-Normalization/document/root.tex +++ b/thys/Lam-ml-Normalization/document/root.tex 
@@ -1,116 +1,117 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} %my own packages \usepackage{amsmath,amsthm} \usepackage{mathpartir} \usepackage{xspace} \usepackage{multicol} \usepackage[margin=1.2in]{geometry} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} %Nominal Logic \DeclareMathOperator{\finite}{finite} \DeclareMathOperator{\infinite}{infinite} \DeclareMathOperator{\supp}{supp} \DeclareMathOperator{\supports}{~supports~} \newcommand{\fresh}{~\sharp~} \newcommand{\A}{\mathbb A} \newcommand{\N}{\mathbb N} %Lam_ml notation \newcommand{\T}{T\,} \newcommand{\cto}[1]{~\mathsf{to}\ #1 \ \mathsf{in}~} \newcommand{\+}{+\!\!\!\!+} \newcommand{\SN}{\ensuremath{\mathit{SN}}} \newcommand{\red}[1]{\mathit{RED}_{#1}} \newcommand{\sred}[1]{\mathit{SRED}_{#1}} \newcommand{\imp}{\Longrightarrow} \newcommand{\Imp}{\quad \imp \quad} \newcommand{\Land}{\quad \land \quad} %HOL-Nominal notation \newcommand{\pt}{{\textsf{pt}}\ } \newcommand{\fs}{{\textsf{fs}}\ } %typesetting for theoremstyle \newlength{\rulewidth} \newcommand{\twpage}[1]{\begin{minipage}{\textwidth}#1\end{minipage}} \newcommand{\rwpage}[1]{\begin{minipage}{\rulewidth}#1\end{minipage}} %%%%%%%%%%%%%%%%%%%%%% %Theorems %%%%%%%%%%%%%%%%%%%%%% \theoremstyle{plain} \newtheorem{theorem}{Theorem}[section] \newtheorem{corollary}[theorem]{Corollary} \newtheorem{lemma}[theorem]{Lemma} \newtheorem{proposition}[theorem]{Proposition} \theoremstyle{definition} \newtheorem{definition}[theorem]{Definition} \newtheorem{property}[theorem]{Property} \newtheorem{observation}[theorem]{Observation} \newtheorem{example}[theorem]{Example} \newtheorem{counterexample}[theorem]{Counterexample} \theoremstyle{remark} \newtheorem*{notation}{Notation} \newtheorem*{note}{Note} \newtheorem*{proof-attempt}{Proof Attempt} \title{Strong 
Normalization of Moggis's Computational Metalanguage} \author{Christian Doczkal \\ \small{Saarland University}} \begin{document} \maketitle \abstract{ % alpha/binding issues Handling variable binding is one of the main difficulties in formal proofs. % In this context, Moggi's computational metalanguage serves as an interesting case study. It features monadic types and a commuting conversion rule that rearranges the binding structure. % Lindley and Stark have given an elegant proof of strong normalization for this calculus. The key construction in their proof is a notion of relational $\top\top$-lifting, using stacks of elimination contexts to obtain a Girard-Tait style logical relation. I give a formalization of their proof in Isabelle/HOL-Nominal with a particular emphasis on the treatment of bound variables. } \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section*{Acknowledgments} I thank Christian Urban, the Nominal Methods group, and the members of the Isabelle mailing list for their helpful answers to my questions. % optional bibliography \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LambdaAuth/document/root.tex b/thys/LambdaAuth/document/root.tex --- a/thys/LambdaAuth/document/root.tex +++ b/thys/LambdaAuth/document/root.tex 
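Review bot: the title in this context block reads `Moggis's Computational Metalanguage` while the abstract says `Moggi's`; the title is the one to correct, since pdfsetup also copies it into the PDF metadata. The placement of `\usepackage[T1]{fontenc}` ahead of `geometry` and `mathpartir` is fine.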
@@ -1,49 +1,49 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{Formalization of Generic Authenticated Data Structures} \author{Matthias Brun \and Dmitriy Traytel} \maketitle \begin{abstract} Authenticated data structures are a technique for outsourcing data storage and maintenance to an untrusted server. The server is required to produce an efficiently checkable and cryptographically secure proof that it carried out precisely the requested computation. Miller et al.~\cite{adsg} introduced $\lambda\bullet$ (pronounced \emph{lambda auth})---a functional programming language with a built-in primitive authentication construct, which supports a wide range of user-specified authenticated data structures while guaranteeing certain correctness and security properties for all well-typed programs. % We formalize $\lambda\bullet$ and prove its correctness and security properties. With Isabelle's help, we uncover and repair several mistakes in the informal proofs and lemma statements. Our findings are summarized in a paper draft~\cite{gadsf}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/LambdaMu/document/root.tex b/thys/LambdaMu/document/root.tex --- a/thys/LambdaMu/document/root.tex +++ b/thys/LambdaMu/document/root.tex 
@@ -1,73 +1,74 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{textcomp} \usepackage{amsmath,amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The $\lambda\mu$-calculus} \author{Cristina Matache \and Victor B.~F.~Gomes \and Dominic P.~Mulligan} \maketitle \tableofcontents \abstract{ The propositions-as-types correspondence is ordinarily presented as linking the metatheory of typed $\lambda$-calculi and the proof theory of intuitionistic logic. Griffin~\cite{DBLP:conf/popl/Griffin90} observed that this correspondence could be extended to classical logic through the use of control operators. This observation set off a flurry of further research, leading to the development of Parigot’s $\lambda\mu$-calculus~\cite{DBLP:conf/lpar/Parigot92}. In this work, we formalise $\lambda\mu$-calculus in Isabelle/HOL and prove several metatheoretical properties such as type preservation and progress. } % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Lambert_W/document/root.tex b/thys/Lambert_W/document/root.tex --- a/thys/Lambert_W/document/root.tex +++ b/thys/Lambert_W/document/root.tex 
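Review bot: `Parigot’s` in the abstract uses a literal U+2019 apostrophe. This file never loaded `inputenc`, so it already relied on the UTF-8 kernel default; with T1 fontenc now loaded first it renders as a right quote, but replacing it with the ASCII `'` used elsewhere in these preambles would remove the dependency altogether.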
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} \usepackage{pgfplots} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Lambert $W$ Function on the Reals} \author{Manuel Eberl} \maketitle \begin{abstract} The Lambert $W$ function is a multi-valued function defined as the inverse function of $x \mapsto x e^x$. Besides numerous applications in combinatorics, physics, and engineering, it also frequently occurs when solving equations containing both $e^x$ and $x$, or both $x$ and $\log x$. This article provides a definition of the two real-valued branches $W_0(x)$ and $W_{-1}(x)$ and proves various properties such as basic identities and inequalities, monotonicity, differentiability, asymptotic expansions, and the MacLaurin series of $W_0(x)$ at $x = 0$. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \nocite{corless96} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Landau_Symbols/document/root.tex b/thys/Landau_Symbols/document/root.tex --- a/thys/Landau_Symbols/document/root.tex +++ b/thys/Landau_Symbols/document/root.tex 
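Review bot: the rewrite of `\usepackage{amsfonts, amsmath, amssymb}` to `\usepackage{amsfonts,amsmath,amssymb}` is purely cosmetic (LaTeX accepts both spellings) and unrelated to the fontenc change; either drop it to keep the diff minimal or mention it in the commit message.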
@@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Landau Symbols} \author{Manuel Eberl} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Laplace_Transform/document/root.tex b/thys/Laplace_Transform/document/root.tex --- a/thys/Laplace_Transform/document/root.tex +++ b/thys/Laplace_Transform/document/root.tex 
@@ -1,66 +1,67 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amsmath} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Laplace Transform} \author{Fabian Immler} \maketitle \begin{abstract} This entry formalizes the Laplace transform and concrete Laplace transforms for arithmetic functions, frequency shift, integration and (higher) differentiation in the time domain. It proves Lerch's lemma and uniqueness of the Laplace transform for continuous functions. In order to formalize the foundational assumptions, this entry contains a formalization of piecewise continuous functions and functions of exponential order. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Latin_Square/document/root.tex b/thys/Latin_Square/document/root.tex --- a/thys/Latin_Square/document/root.tex +++ b/thys/Latin_Square/document/root.tex 
@@ -1,34 +1,35 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Latin Square} \author{Alexander Bentkamp} \maketitle \begin{abstract} A theory about Latin Squares following \cite{aigner}. A Latin Square is a $n \times n$ table filled with integers from 1 to n where each number appears exactly once in each row and each column. A Latin Rectangle is a partially filled $n \times n$ table with $r$ filled rows and $n-r$ empty rows, such that each number appears at most once in each row and each column. The main result of this theory is that any Latin Rectangle can be completed to a Latin Square. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/LatticeProperties/document/root.tex b/thys/LatticeProperties/document/root.tex --- a/thys/LatticeProperties/document/root.tex +++ b/thys/LatticeProperties/document/root.tex 
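Review bot: the abstract in the unchanged context says "a $n \times n$ table", which should be "an $n \times n$ table"; in "integers from 1 to n" the second n is left in text mode while the table size is in math mode.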
@@ -1,67 +1,67 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Lattice Properties} \author{Viorel Preoteasa} \maketitle \begin{abstract} This formalization introduces and collects some algebraic structures based on lattices and complete lattices for use in other developments. The structures introduced are modular, and lattice ordered groups. In addition to the results proved for the new lattices, this formalization also introduces theorems about latices and complete lattices in general. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \section{Overview} Section 2 introduces well founded and transitive relations. Section 3 introduces some properties about fixpoints of monotonic application which maps monotonic functions to monotonic functions. The most important property is that such a monotonic application has the least fixpoint monotonic. Section 4 introduces conjunctive, disjunctive, universally conjunctive, and universally disjunctive functions. In section 5 some simplification lemmas for alttices are proved. Section 6 introduces modular lattices and proves some properties about them and about distributive lattices. The main result of this section is that a lattice is distributive if and only if it satisfies $$\forall x \; y \; z: x \sqcap z = y \sqcap z \land x \sqcup z = y \sqcup z \longrightarrow x = y$$ Section 7 introduces lattice ordered groups and some of their properties. The most important is that they are distributive lattices, and this property is proved using the results from Section 5. 
% generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Launchbury/document/root.tex b/thys/Launchbury/document/root.tex --- a/thys/Launchbury/document/root.tex +++ b/thys/Launchbury/document/root.tex 
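Review bot: the overview in this hunk's context has the typos "latices" and "alttices" (both "lattices") and writes "well founded" without the hyphen; they lie outside the changed lines, so a separate commit would be cleaner if this diff is meant to stay encoding-only.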
@@ -1,238 +1,237 @@ \documentclass[11pt,a4paper,parskip=half]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} % From src/HOL/HOLCF/document/root \newcommand{\isasymnotsqsubseteq}{\isamath{\not\sqsubseteq}} \usepackage{amsmath} \usepackage{amsfonts} \usepackage{mathtools} \usepackage{graphicx} \usepackage{tikz} -\usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} \usepackage{mathpartir} \usepackage{calc} \usepackage{floatpag} \floatpagestyle{empty} % this should be the last package used \usepackage{pdfsetup} % silence the KOMA script warnings \def\bf{\normalfont\bfseries} \def\it{\normalfont\itshape} \def\sc{\normalfont\scshape} \def\rm{\normalfont\rmfamily} % urls in roman style, theorys in math-similar italics \urlstyle{rm} \isabellestyle{it} % Isabelle does not like *} in a text {* ... *} block % Concrete implemenation thanks to http://www.mrunix.de/forums/showpost.php?p=235085&postcount=5 \newenvironment{alignstar}{\csname align*\endcsname}{\csname endalign*\endcsname} \newenvironment{alignatstar}{\csname alignat*\endcsname}{\csname endalignat*\endcsname} % Entering \ in Isabelle/jEdit has unwanted consequences \catcode`\|=0 % \begin{document} \title{The Correctness of Launchbury's Natural Semantics for Lazy Evaluation} \author{Joachim Breitner\\ Programming Paradigms Group\\ Karlsruhe Institute for Technology\\ \url{breitner@kit.edu}} \maketitle \begin{abstract} In his seminal paper ``Natural Semantics for Lazy Evaluation'' \cite{launchbury}, John Launchbury proves his semantics correct with respect to a denotational semantics, and outlines an adequacy proof. We have formalized both semantics and machine-checked the correctness proof, clarifying some details. Furthermore, we provide a new and more direct adequacy proof that does not require intermediate operational semantics. 
\end{abstract} \tableofcontents \section{Introduction} The Natural Semantics for Lazy Evaluation \cite{launchbury} created by John Launchbury in 1992 is often taken as the base for formal treatments of call-by-need evaluation, either to prove properties of lazy evaluation or as a base to describe extensions of the language or the implementation of the language. Therefore, assurance about the correctness and adequacy of the semantics is important in this field of research. Launchbury himself supports his semantics by defining a standard denotational semantics to prove both correctness and adequacy. Although his proofs are already on the more rigorous side for pen-and-paper proofs, they have not yet been verified by transforming them to machine-checked proofs. The present work fills this gap by formalizing both semantics in the proof assistant Isabelle and proving both correctness and adequacy. Our correctness formal proof is very close to the original proof. This is possible if the operator $\sqcup$ is understood as a right-sided update. If we were to understand $\sqcup$ as the least upper bound, then Theorem 2 in \cite{launchbury}, which is the generalization of the correctness statement used for Launchbury's inductive proof, is wrong. The main correctness result still holds, but needs a different proof; this is discussed in greater detail in \cite{breitner2013}. Launchbury outlines an adequacy proof via an intermediate operational semantics and resourced denotational semantics. The alternative operational semantics uses indirection instead of substitution for applications, does not update variable results and does not perform blackholing during evaluation of a variable. The equivalence of these two operational semantics is hard and tricky to prove. We found a direct proof for the adequacy of the original operational semantics and the (slightly modified) resourced denotational semantics. 
This is, as far as we know, the first complete and rigorous proof of adequacy of Launchbury's semantics. In this development we extend Launchbury’s syntax and semantics with boolean values and an if-then-else construct, in order to base a subsequent work \cite{callarita-afp} on this. This extension does not affect the validity of the proven theorems, and the extra cases can simply be ignored if one is interested in the plain semantics. The next introductory section does exactly that. Unfortunately, such meta-level arguments are not easily implemented inside a theorem prover. Our contributions are: \begin{itemize} \item We define the natural and denotational semantics given by Launchbury in the theorem prover Isabelle. \item We demonstrate how to use both the Nominal package (to handle name binding) \cite{nominal} and the HOLCF \cite{holcf} package (for the domain-theoretic aspects) in the same development. \item We verify Launchbury's proof of correctness. \item We provide a new and more direct proof of adequacy. \item In order to do so, we formalize parts of \cite{functionspaces}, fixing a mistake in the proof. \end{itemize} %\input{map.tex} \input{EverythingAdequacy.tex} \begin{figure} \begin{center} \IfFileExists{session_graph.pdf}{ \includegraphics[width=\textwidth]{session_graph} }{Here, \texttt{session\_graph.pdf} would be shown.} \end{center} \caption{Theory Dependency Graph\label{theory-deps}} \end{figure} \subsection{Theory overview} The following chapters contain the complete Isabelle theories, with one section per theory. Their interdependencies are visualized in Figure \ref{theory-deps}. Chapter \ref{ch_aux} contains auxiliary theories, not necessarily tied to Launchbury's semantics. The base theories are kept independent of Nominal and HOLCF where possible, the lemmas combining them are in theories of their own, creatively named by appending \isa{-Nominal} resp.\ \isa{-HOLCF}. 
You will find these theories: \begin{itemize} \item A definition for lifting a relation point-wise (\isa{Pointwise}). \item A collection of definition related to associative lists (\isa{AList-Utils}, \isa{AList-Utils-Nominal}). \item A characterization of monotonous functions $\mathbb N \to \mathbb N$ (\isa{Mono-Nat-Fun}). \item General utility functions extending Nominal (\isa{Nominal-Utils}). \item General utility functions extending HOLCF (\isa{HOLCF-Utils}). \item Binary meets in the context of HOLCF (\isa{HOLCF-Meet}). \item A theory combining notions from HOLCF and Nominal, e.g.\ continuity of permutation (\isa{Nominal-HOLCF}). \item A theory for working with pcpo-valued functions as semantic environments (\isa{Env}, \isa{Env-Nominal}, \isa{Env-HOLCF}). \item A function \isa{evalHeap} that converts between associative lists and functions. (\isa{EvalHeap}) \end{itemize} Chapter \ref{ch_natsem} defines the syntax and Launchbury's natural semantics. Chapter \ref{ch_dendom} sets the stage for the denotational semantics by defining a locale \isa{semantic-domain} for denotational domains, and an instantiation for the standard domain. Chapter \ref{ch_den} defines the denotational semantics. It also introduces the locale \isa{has-ESem} which abstracts over the value semantics when defining the semantics of heaps. Chapter \ref{ch_resden} defines the resourced denotational semantics. Chapter \ref{ch_correctness} proves the correctness of Launchbury's semantics with regard to both denotational semantics. We need the correctness with regard to the resourced semantics in the adequacy proof. Chapter \ref{ch_equiv} proves the two denotational semantics related, which is used in Chapter \ref{ch_adequacy}, where finally the adequacy is proved. 
%\subsection{Reusable components} % %Parts of this theory are independent of the actual semantics and may be of use to other users of Isabelle: % %TODO \subsection{Acknowledgements} I'd like to thank Lidia Sánchez-Gil, Mercedes Hidalgo-Herrero and Yolanda Ortega-Mallén for inviting me to Madrid to discuss our respective approaches.\\ This work was supported by the Deutsche Telekom Stiftung. \clearpage \newcommand{\theory}[1]{\subsection{#1}\label{sec_#1}\input{#1.tex}} \section{Auxiliary theories} \label{ch_aux} \theory{Pointwise} \theory{AList-Utils} \theory{Mono-Nat-Fun} \theory{Nominal-Utils} \theory{AList-Utils-Nominal} \theory{HOLCF-Utils} \theory{HOLCF-Meet} \theory{Nominal-HOLCF} \theory{Env} \theory{Env-Nominal} \theory{Env-HOLCF} \theory{EvalHeap} \clearpage \section{Launchbury's natural semantics} \label{ch_natsem} \theory{Vars} \theory{Terms} \theory{Substitution} \theory{Launchbury} \section{Denotational domain} \label{ch_dendom} \theory{Value} \theory{Value-Nominal} \clearpage \section{Denotational semantics} \label{ch_den} \theory{Iterative} \theory{HasESem} \theory{HeapSemantics} \theory{AbstractDenotational} \theory{Abstract-Denotational-Props} \theory{Denotational} \clearpage \section{Resourced denotational domain} \label{ch_resden} \theory{C} \theory{C-Meet} \theory{C-restr} \theory{CValue} \theory{CValue-Nominal} \theory{ResourcedDenotational} \clearpage \section{Correctness of the natural semantics} \label{ch_correctness} \theory{CorrectnessOriginal} \theory{CorrectnessResourced} \clearpage \section{Equivalence of the denotational semantics} \label{ch_equiv} \theory{ValueSimilarity} \theory{Denotational-Related} \clearpage \section{Adequacy} \label{ch_adequacy} \theory{ResourcedAdequacy} \theory{Adequacy} %\clearpage %\section{Conclusion} % %TODO \clearpage \bibliographystyle{amsalpha} \bibliography{root} \end{document} diff --git a/thys/Laws_of_Large_Numbers/document/root.tex b/thys/Laws_of_Large_Numbers/document/root.tex 
--- a/thys/Laws_of_Large_Numbers/document/root.tex +++ b/thys/Laws_of_Large_Numbers/document/root.tex 
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathtools} \usepackage{amssymb} \usepackage{stmaryrd} \usepackage[numbers]{natbib} % this should be the last package used \usepackage{pdfsetup} \usepackage{doi} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \DeclarePairedDelimiter{\norm}{\lVert}{\rVert} \begin{document} \nocite{Simonnet1996} \nocite{krengel} \title{The Laws of Large Numbers} \author{Manuel Eberl} \date{} \maketitle \begin{abstract} The Law of Large Numbers states that, informally, if one performs a random experiment $X$ many times and takes the average of the results, that average will be very close to the expected value $E[X]$. More formally, let $(X_i)_{i\in\mathbb{N}}$ be a sequence of independently identically distributed random variables whose expected value $E[X_1]$ exists. Denote the running average of $X_1, \ldots, X_n$ for $\overline{X}_n$. Then: \begin{itemize} \item The Weak Law of Large Numbers states that $\overline{X}_{\!n} \longrightarrow E[X_1]$ in probability for $n\to\infty$, i.e. $\mathcal{P}(|\overline{X}_{\!n} - E[X_1]| > \varepsilon) \longrightarrow 0$ for $n\to\infty$ for any $\varepsilon > 0$. \item The Strong Law of Large Numbers states that $\overline{X}_{\!n} \longrightarrow E[X_1]$ almost surely for $n\to\infty$, i.e. $\mathcal{P}(\overline{X}_{\!n} \longrightarrow E[X_1]) = 1$. \end{itemize} In this entry, I formally prove the strong law and from it the weak law. The approach used for the proof of the strong law is a particularly quick and slick one based on ergodic theory, which was formalised by Gou\"ezel in another AFP entry. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \vspace{2em} \textbf{Acknowledgements.} I thank Sébastien Gouëzel for providing advice and context about the law of large numbers and ergodic theory. I do not actually know any ergodic theory and without him, I would probably have shied away from formalising this. % optional bibliography {\raggedright \bibliographystyle{plainnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Lazy-Lists-II/document/root.tex b/thys/Lazy-Lists-II/document/root.tex --- a/thys/Lazy-Lists-II/document/root.tex +++ b/thys/Lazy-Lists-II/document/root.tex @@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{a4wide} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{eufrak} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{tt} \parindent0mm \begin{document} \title{More on Lazy Lists} \author{Stefan Friedrich} \maketitle \begin{abstract} This theory contains some useful extensions to the LList theory by Larry Paulson, including finite, infinite, and positive llists over an alphabet, as well as the new constants take and drop and the prefix order of llists. Finally, the notions of safety and liveness in the sense of \cite{alpern85:_defin_liven} are defined. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Lazy_Case/document/root.tex b/thys/Lazy_Case/document/root.tex --- a/thys/Lazy_Case/document/root.tex +++ b/thys/Lazy_Case/document/root.tex 
@@ -1,33 +1,34 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Lazifying case constants} \author{Lars Hupel} \maketitle \begin{abstract} Isabelle's code generator performs various adaptations for target languages. Among others, case statements are printed as match expressions. Internally, this is a sophisticated procedure, because in HOL, case statements are represented as nested calls to the case combinators as generated by the datatype package. Furthermore, the procedure relies on laziness of match expressions in the target language, i.e., that branches guarded by patterns that fail to match are not evaluated. Similarly, \texttt{if-then-else} is printed to the corresponding construct in the target language. This entry provides tooling to replace these special cases in the code generator by ignoring these target language features, instead printing case expressions and \texttt{if-then-else} as functions. \end{abstract} \parindent 0pt\parskip 0.5ex \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} \ No newline at end of file diff --git a/thys/Lehmer/document/root.tex b/thys/Lehmer/document/root.tex --- a/thys/Lehmer/document/root.tex +++ b/thys/Lehmer/document/root.tex 
@@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Formalisation of Lehmer's Primality Criterion} \author{By Simon Wimmer and Lars Noschinski} \maketitle \begin{abstract} In 1927, Lehmer presented criterions for primality, based on the converse of Fermat's litte theorem~\cite{lehmer1927fermat_converse}. This work formalizes the second criterion from Lehmer's paper, a necessary and sufficient condition for primality. As a side product we formalize some properties of Euler's $\varphi$-function, the notion of the order of an element of a group, and the cyclicity of the multiplicative group of a finite field. \end{abstract} \tableofcontents \section{Introduction} Section \ref{sec:simp-rules} provides some technical lemmas about polynomials. Section \ref{sec:euler-phi} to \ref{sec:number-roots} formalize some basic number-theoretic and algebraic properties: Euler's $\varphi$-function, the order of an element of a group and an upper bound of the number of roots of a polynomial. Section \ref{sec:mult-group} combines these results to prove that the multiplicative group of a finite field is cyclic. Based on that, Section \ref{sec:lehmer} formalizes an extended version of Lehmer's Theorem, which gives us necessary and sufficient conditions to decide whether a number is prime. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End\dots diff --git a/thys/Lifting_Definition_Option/document/root.tex b/thys/Lifting_Definition_Option/document/root.tex --- a/thys/Lifting_Definition_Option/document/root.tex 
+++ b/thys/Lifting_Definition_Option/document/root.tex 
@@ -1,103 +1,104 @@ % Title: Lifting Definition Option % Author: René Thiemann % Maintainer: René Thiemann % License: LGPL % %Copyright 2014 René Thiemann % %This file is part of IsaFoR/CeTA. % %IsaFoR/CeTA is free software: you can redistribute it and/or modify it under the %terms of the GNU Lesser General Public License as published by the Free Software %Foundation, either version 3 of the License, or (at your option) any later %version. % %IsaFoR/CeTA is distributed in the hope that it will be useful, but WITHOUT ANY %WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A %PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. % %You should have received a copy of the GNU Lesser General Public License along %with IsaFoR/CeTA. If not, see . % \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isakwd[1]{\textsf{\isa{#1}}} \newcommand\isasimpmp{\isa{simplify-emp-main}} \newcommand\parfun{\isakwd{partial-function}} \newcommand\vect[1]{\overrightarrow{#1}} \newcommand\fs{\isa{fs}} \newcommand\xs{\isa{xs}} \newcommand\xst{\isa{xs}_t} \newcommand\inT{\isa{in}} \newcommand\cprod[1]{({#1})} \newcommand\outT{\isa{out}} \newcommand\monad{\isa{monad}} \newcommand\tto\Rightarrow \newcommand\ar{\isa{ar}} \newcommand\inj{\isa{inj}} \newcommand\proj{\isa{proj}} \newcommand\mapM{\isa{map-monad}} \newcommand\curry{\isa{curry}} \newcommand\case{\isakwd{case}} \newcommand\of{\isakwd{of}} \newcommand\ldo{\isacommand{lift{\isacharunderscore}definition{\isacharunderscore}option}} \newcommand\ld{\isacommand{lift{\isacharunderscore}definition}} \newcommand\ys{y\isactrlsub {\isadigit{1}}\,\ldots\,y\isactrlsub n} \newcommand\isafor{\textsf{Isa\kern-0.2exF\kern-0.2exo\kern-0.2exR}\xspace} 
\newcommand\ceta{\textsf{C\kern-0.2exe\kern-0.5exT\kern-0.5exA}\xspace} \begin{document} \title{Lifting Definition Option\thanks{This research is supported by FWF (Austrian Science Fund) project Y 757.}} \author{Ren\'e Thiemann} \maketitle \begin{abstract} We implemented a command, \ldo, which can be used to easily generate elements of a restricted type \isa{{\isacharbraceleft}x\ {\isacharcolon}{\isacharcolon}\ {\isacharprime}a{\isachardot}\ P\ x{\isacharbraceright}}, provided the definition is of the form \isa{\isasymlambda\ \ys{\isachardot}\ if\ check\ \ys\ then\ Some\ {\isacharparenleft}generate\ \ys\ {\isacharcolon}{\isacharcolon}\ {\isacharprime}a{\isacharparenright}\ else\ None} and \isa{check\ \ys\ {\isasymLongrightarrow}\ P\ {\isacharparenleft}generate\ \ys{\isacharparenright}} can be proven. In principle, such a definition is also directly possible using one invocation of \ld. However, then this definition will not be suitable for code-generation. To this end, we automated a more complex construction of Joachim Breitner which is amenable for code-generation, and where the test \isa{check\ \ys} will only be performed once. In the automation, one auxiliary type is created, and Isabelle's lifting- and transfer-package is invoked several times. \end{abstract} \textbf{This entry is outdated as in the meantime the lifting- and transfer-package has the desired functionality in an even more general way. Therefore, only the examples are kept.} \tableofcontents \medskip \input{session} \subsection*{Acknowledgements} We thank Andreas Lochbihler for pointing us to Joachim's solution, and we thank Makarius Wenzel for explaining us, how we can go back from states to local theories within Isabelle/ML. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/LightweightJava/document/root.tex b/thys/LightweightJava/document/root.tex --- a/thys/LightweightJava/document/root.tex +++ b/thys/LightweightJava/document/root.tex 
@@ -1,134 +1,135 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{listings,url} %\DeclareUrlCommand\myURL{\def\UrlFont{\rmfamily}} \urlstyle{rm} \lstset{language=java,showstringspaces=false, mathescape=true, morekeywords={member,export,replicating,module,own,as,with}, flexiblecolumns=false, basicstyle=\footnotesize\ttfamily, stringstyle=\itshape, tabsize=2, escapechar=£, frame=lines} \newcommand{\ie}{i.e.~} \newcommand{\eg}{e.g.~} %%\usepackage{isabelle,isabellesym} %%\usepackage{pdfsetup} %%\isabellestyle{it} \begin{document} \title{Lightweight Java} \author{Rok Strni\v sa \and Matthew Parkinson} \maketitle \begin{abstract} Lightweight Java (LJ) is an imperative fragment of Java~\cite{java}. It is intended to be as simple as possible while still retaining the feel of Java. LJ includes fields, methods, single inheritance, dynamic method dispatch, and method overriding. It does not include support for local variables, field hiding, interfaces, inner classes, or generics. The accompanying Isabelle script proves the type soundness of the Ott-generated LJ definition. \end{abstract} \section{Description} When designing or reasoning about a language feature or a language analysis, researchers try to limit the underlying language to avoid dealing with unnecessary details. For example, object-oriented generics were formalised on top of Featherweight Java (FJ)~\cite{fj}, a substantially simplified model of the Java programming language~\cite{java}. Many researchers have used FJ as their base language. However, FJ is not always suitable, since it is purely functional --- it does not model state; there are only expressions, which are evaluated completely locally. Therefore, FJ is a poor choice for language analyses or language features that rely on state, \eg separation logic~\cite{sl} or mixins~\cite{mixins}. In this chapter, we present Lightweight Java (LJ), a minimal {\em imperative} core of Java. 
We chose a minimal set of features that still gives a Java-like feel to the language, \ie fields, methods, single inheritance, dynamic method dispatch, and method overriding. We did not include type casts, local variables, field hiding, interfaces, method overloading, or any of the more advanced language features mainly due to their apparent orthogonality to the Java Module System~\cite{jsr277}, a research topic at the time; however, we later realised that, by including type casts and static data, we could formally verify properties regarding class cast exceptions (or their lack of) and module state independence --- this extension remains future work. LJ's semantics uses a program heap, and a variable state, but does not model a frame stack --- method calls are effectively flattened as they are executed, which simplifies the semantics. In spite of this, LJ is a proper subset of Java, \ie every LJ program is a valid Java program, while its observable semantics exactly corresponds to Java's semantics. LJ is largely a simplification of Middleweight Java (MJ)~\cite{mj-matt}. In addition to the above, MJ models a stack, type casts, and supports expressions (not just statements). LJ is defined rigorously. It is designed in Ott~\cite{ott}, a tool for writing definitions of programming languages and calculi. From LJ's Ott code, the tool also generates the language definition in Isabelle/HOL~\cite{isabelle}, a tool for writing computer-verified maths. Based on this definition, we mechanically prove type soundness in Isabelle/HOL, which gives us high confidence in the correctness of the results. Initially, we designed LJ as a base language for modelling the Java Module System, Lightweight Java Module System (LJAM)~\cite{ljam}, and its improvement, Improved Java Module System (iJAM)~\cite{iJAM} --- in both, we achieved a high level of reuse in both the definitions and proof scripts. 
Through this process, LJ has been abstracted to the point where we think it can be used for experimenting with other language features. In fact, LJ has already been used by others to formalise ``features'' in Lightweight Feature Java~\cite{lfj}. \section{Example program} Here are two Lightweight Java class definitions, which show the use of class fields, class methods, class inheritance, method overriding, subtyping, and dynamic method dispatch. \begin{lstlisting} class A { // class definition A f; // class field A m(B var) { this.f = var; return var; } // subtyping } class B extends A { // class inheritance A m(B var) { this.f = var; return this; } // overriding } // A a, result; B b; a = new B(); // subtyping b = new B(); result = a.m(b); // dynamic method dispatch (calls B::m) \end{lstlisting} \lstset{language=caml,morekeywords={match,with,then}} Due to method overriding, the method call on the last line calls {\tt B}'s method {\tt m}. Therefore, when the execution stops, both {\tt result} and {\tt a} point to the same heap location. \section{Extending the language} The easiest way to extend the language is to modify its Ott source files. To prove progress and well-formedness preservation of the extension, you can either: \begin{itemize} \item modify the existing Isabelle scripts; or, \item prove that any valid program of the extended language can be reduced to a program in LJ. \end{itemize} \section{More information} More information about Lightweight Java's operational semantics, type system, type checking, and a detailed walkthrough of the proof of type soundness can be found here: \begin{center} \url{http://rok.strnisa.com/lj/} \end{center} % include generated text of all theories % \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/LightweightJava/ott-src/lj.tex b/thys/LightweightJava/ott-src/lj.tex --- a/thys/LightweightJava/ott-src/lj.tex +++ b/thys/LightweightJava/ott-src/lj.tex 
@@ -1,11 +1,12 @@ % Since LJ defines some context dependent TeX homs, we provide this TeX file, % which avoids printing of these homs in inappropriate contexts. \documentclass[a4paper,10pt]{article} +\usepackage[T1]{fontenc} \usepackage{geometry,amsmath,amssymb,supertabular,color} \include{lj_included} \renewcommand{\ottformula}{} % do not print the list of formulas \begin{document} \ottmetavars\\ \ottgrammar\\ \ottdefnss \end{document} diff --git a/thys/LinearQuantifierElim/document/root.tex b/thys/LinearQuantifierElim/document/root.tex --- a/thys/LinearQuantifierElim/document/root.tex +++ b/thys/LinearQuantifierElim/document/root.tex 
@@ -1,45 +1,46 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Quantifier Elimination for Linear Arithmetic} \author{Tobias Nipkow} \maketitle \begin{abstract} This article formalizes quantifier elimination procedures for dense linear orders, linear real arithmetic and Presburger arithmetic. In each case both a DNF-based non-elementary algorithm and one or more (doubly) exponential NNF-based algorithms are formalized, including the well-known algorithms by Ferrante and Rackoff and by Cooper. The NNF-based algorithms for dense linear orders are new but based on Ferrante and Rackoff and on an algorithm by Loos and Weispfenning which simulates infinitesimals. All algorithms are directly executable. In particular, they yield reflective quantifier elimination procedures for HOL itself. The formalization makes heavy use of locales and is therefore highly modular. \end{abstract} \noindent For an exposition of the DNF-based procedures see~\cite{Nipkow-MOD2007}, for the NNF-based procedures see~\cite{Nipkow-IJCAR08}. \tableofcontents % generated text of all theories \input{session} \bibliographystyle{plain} \bibliography{root} \end{document} diff --git a/thys/Linear_Inequalities/document/root.tex b/thys/Linear_Inequalities/document/root.tex --- a/thys/Linear_Inequalities/document/root.tex +++ b/thys/Linear_Inequalities/document/root.tex 
@@ -1,107 +1,107 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} \usepackage{authblk} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newtheorem{theorem}{Theorem} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Linear Inequalities\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author[1]{Ralph Bottesch} \author[2]{Alban Reynaud} \author[1]{Ren\'e Thiemann} \affil[1]{University of Innsbruck} \affil[2]{ENS Lyon} \maketitle \begin{abstract} We formalize results about linear inqualities, mainly from Schrijver's book \cite{schrijver1998theory}. The main results are the proof of the fundamental theorem on linear inequalities, Farkas' lemma, Carath\'eodory's theorem, the Farkas-Minkowsky-Weyl theorem, the decomposition theorem of polyhedra, and Meyer's result that the integer hull of a polyhedron is a polyhedron itself. Several theorems include bounds on the appearing numbers, and in particular we provide an a-priori bound on mixed-integer solutions of linear inequalities. \end{abstract} \tableofcontents \section{Introduction} The motivation for this formalization is the aim of developing a verified theory solver for linear integer arithmetic. Such a solver can be a combination of a simplex-implementation within a branch-and-bound approach, that might also utilize Gomory cuts \cite[Section 4 of the extended version]{incremental_simplex}. However, the branch-and-bound algorithm does not terminate in general, since the search space in infinite. 
To solve this latter problem, one can use results of Papadimitriou: he showed that whenever a set of linear inequalities has an integer solution, then it also has a small solution, where the bound on such a solution can be computed easily from the input \cite{Papad}. In this entry, we therefore formalize several results on linear inequalities which are required to obtain the desired bound, by following the proofs of Schrijver's textbook~\cite[Sections 7 and 16]{schrijver1998theory}. We start with basic definitions and results on cones, convex hulls, and polyhedra. Next, we verify the fundamental theorem of linear inequalities, which in our formalization shows the equivalence of four statements to describe a cone. From this theorem, one easily derives Farkas' Lemma and Carath\'eodory's theorem. Moreover we verify the Farkas-Minkowsky-Weyl theorem, that a convex cone is polyhedral if and only if it is finitely generated, and use this result to obtain the decomposition theorem for polyhedra, i.e., that a polyhedron can always be decomposed into a polytope and a finitely generated cone. For most of the previously mentioned results, we include bounds, so that in particular we have a quantitative version of the decomposition theorem, which provides bounds on the vectors that construct the polytope and the cone, and where these bounds are computed directly from the input polyhedron that should be decomposed. We further prove the decomposition theorem also for the integer hull of a polyhedron, using the same bounds, which gives rise to small integer solutions for linear inequalities. We finally formalize a direct proof for the more general case of mixed integer solutions, where we also permit both strict and non-strict linear inequalities. \begin{theorem} \label{thm} Consider $A_1 \in \ints^{m_1 \times n}, b_1 \in \ints^{m_1}, A_2 \in \ints^{m_2 \times n}, b_2 \in \ints^{m_2}$. 
Let $\beta$ be a bound on $A_1,b_1,A_2,b_2$, i.e., $\beta \geq |z|$ for all numbers $z$ that occur within $A_1,b_1,A_2,b_2$. Let $n = n_1+n_2$. Then if $x \in \ints^{n_1} \times \reals^{n_2} \subseteq \reals^n$ is a mixed integer solution of the linear inequalities, i.e., $A_1x \leq b_1$ and $A_2x < b_2$, then there also exists a mixed integer solution $y \in \ints^{n_1} \times \reals^{n_2}$ where $|y_i| \leq (n+1)! \cdot \beta^n$ for each entry $y_i$ of $y$. \end{theorem} The verified bound in Theorem~\ref{thm} in particular implies that integer-satisfiability of linear-inqualities with integer coefficients is in NP. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Linear_Programming/document/root.tex b/thys/Linear_Programming/document/root.tex --- a/thys/Linear_Programming/document/root.tex +++ b/thys/Linear_Programming/document/root.tex 
@@ -1,82 +1,83 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Linear-Programming} \author{Julian Parsert} \maketitle \begin{abstract} We use the previous formalization of the general simplex algorithm to formulate an algorithm for solving linear programs. We encode the linear programs using only linear constraints. Solving these constraints also solves the original linear program. This algorithm is proven to be sound by applying the weak duality theorem which is also part of this formalization~\cite{schrijver1998theory}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Related work} Our work is based on a formalization of the general simplex algorithm described in~\cite{SimplexAFP,Spasic:FormIncrSimplex}. However, the general simplex algorithm lacks the ability to optimize a function. Boulmé and Maréchal~\cite{Sylvain:CoqTacForEqualityLinArith} describe a formalization and implementation of Coq tactics for linear integer programming and linear arithmetic over rationals. More closely related is the formalization by Allamigeon et al.~\cite{Allamigeon:FormCvxPolyhedraSimplex} which formalizes the simplex method and related results. 
As part of Flyspeck project Obua and Nipkow~\cite{Obua2009} created a verification mechanism for linear programs using the HOL computing library and external solvers. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Linear_Recurrences/document/root.tex b/thys/Linear_Recurrences/document/root.tex --- a/thys/Linear_Recurrences/document/root.tex +++ b/thys/Linear_Recurrences/document/root.tex @@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Verified Solver for Linear Recurrences} \author{Manuel Eberl} \maketitle \begin{abstract} Linear recurrences with constant coefficients are an interesting class of recurrence equations that can be solved explicitly. The most famous example are certainly the Fibonacci numbers with the equation $f(n) = f(n-1) + f(n-2)$ and the quite non-obvious closed form \[\frac{1}{\sqrt 5} (\varphi^n - (-\varphi)^{-n})\] where $\varphi$ is the golden ratio. In this work, I build on existing tools in Isabelle -- such as formal power series and polynomial factorisation algorithms -- to develop a theory of these recurrences and derive a fully executable solver for them that can be exported to programming languages like Haskell. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Liouville_Numbers/document/root.tex b/thys/Liouville_Numbers/document/root.tex 
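Review bot: the `+\usepackage[T1]{fontenc}` line in the Linear_Programming hunk changes the output encoding but not the font family, so Computer Modern is replaced by the EC fonts, which end up as Type 3 bitmaps in the PDF unless the cm-super package is present on the build machine (or `pdfsetup` already loads `lmodern`, which this patch does not show). If the AFP build image lacks cm-super, add `\usepackage{lmodern}` directly after the fontenc line, or record the assumption in the commit message. Placement is otherwise right: first in the preamble, before `isabelle,isabellesym`, with `pdfsetup` still last.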
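Review bot: in the Linear_Recurrences hunk the pair `-\usepackage{amsfonts, amsmath, amssymb}` / `+\usepackage{amsfonts,amsmath,amssymb}` is a whitespace-only change unrelated to the T1 fontenc addition; both forms load the same three packages, so it is harmless, but it inflates a mechanical patch that touches every entry. Either drop it or name the normalisation in the commit message. The `@@ -1,42 +1,43 @@` counts (two added, one removed) are consistent with the three changed lines.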
--- a/thys/Liouville_Numbers/document/root.tex +++ b/thys/Liouville_Numbers/document/root.tex @@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Liouville Numbers} \author{Manuel Eberl} \maketitle \begin{abstract} In this work, we define the concept of Liouville numbers as well as the standard construction to obtain Liouville numbers and we prove their most important properties: irrationality and transcendence. This is historically interesting since Liouville numbers constructed in the standard way where the first numbers that were proven to be transcendental. The proof is very elementary and requires only standard arithmetic and the Mean Value Theorem for polynomials and the boundedness of polynomials on compact intervals. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/List-Index/document/root.tex b/thys/List-Index/document/root.tex --- a/thys/List-Index/document/root.tex +++ b/thys/List-Index/document/root.tex @@ -1,25 +1,26 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{List Index} \author{Tobias Nipkow} \maketitle \begin{abstract} This theory provides functions for finding the index of an element in a list, by predicate and by value. \end{abstract} % include generated text of all theories \input{session} \end{document} diff --git a/thys/List-Infinite/document/root.tex b/thys/List-Infinite/document/root.tex --- a/thys/List-Infinite/document/root.tex 
+++ b/thys/List-Infinite/document/root.tex @@ -1,43 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{graphicx} \usepackage{isabelle,isabellesym} \usepackage{amssymb} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} %\usepackage{masmath} % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \pagestyle{myheadings} \begin{document} \title{Infinite Lists} \author{David Trachtenherz} \maketitle \begin{abstract} We introduce a theory of infinite lists in HOL formalized as functions over naturals (folder ListInf, theories ListInf and ListInf\_Prefix). It also provides additional results for finite lists (theory ListInf/List2), natural numbers (folder CommonArith, esp. division/modulo, naturals with infinity), sets (folder CommonSet, esp. cutting/truncating sets, traversing sets of naturals). \end{abstract} \tableofcontents \begin{center} \includegraphics[scale=0.5]{session_graph} \end{center} \clearpage \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/List_Interleaving/document/root.tex b/thys/List_Interleaving/document/root.tex --- a/thys/List_Interleaving/document/root.tex +++ b/thys/List_Interleaving/document/root.tex 
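Review bot: replacing `-\usepackage[utf8]{inputenc}` with `+\usepackage[T1]{fontenc}` is only equivalent on LaTeX releases from 2018-04 onward, where UTF-8 became the default input encoding; on an older TeX Live the source is read as Latin-1 and any non-ASCII byte in the generated session text is mis-set rather than rejected. State the minimum TeX Live version the AFP build relies on, or keep `inputenc` in the entries that loaded it explicitly. The balanced `@@ -1,43 +1,43 @@` header matches one added and one removed line. Pre-existing but visible in the same hunk: the commented-out `%\usepackage{masmath}` is a typo for `amsmath`.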
@@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Reasoning about Lists via List Interleaving} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems - Gep S.p.A.\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjowiggins-it dot com} \maketitle \begin{abstract} Among the various mathematical tools introduced in his outstanding work on Communicating Sequential Processes, Hoare has defined "interleaves" as the predicate satisfied by any three lists such that the first list may be split into sublists alternately extracted from the other two ones, whatever is the criterion for extracting an item from either one list or the other in each step. This paper enriches Hoare's definition by identifying such criterion with the truth value of a predicate taking as inputs the head and the tail of the first list. This enhanced "interleaves" predicate turns out to permit the proof of equalities between lists without the need of an induction. Some rules that allow to infer "interleaves" statements without induction, particularly applying to the addition or removal of a prefix to the input lists, are also proven. Finally, a stronger version of the predicate, named "Interleaves", is shown to fulfil further rules applying to the addition or removal of a suffix to the input lists. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/List_Inversions/document/root.tex b/thys/List_Inversions/document/root.tex --- a/thys/List_Inversions/document/root.tex 
+++ b/thys/List_Inversions/document/root.tex @@ -1,65 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Inversions of a List} \author{Manuel Eberl} \maketitle \nocite{clrs_solutions} \begin{abstract} This entry defines the set of \emph{inversions} of a list, i.\,e.\ the pairs of indices that violate sortedness. It also proves the correctness of the well-known $O(n \log n)$ divide-and-conquer algorithm to compute the number of inversions. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/List_Update/document/root.tex b/thys/List_Update/document/root.tex --- a/thys/List_Update/document/root.tex +++ b/thys/List_Update/document/root.tex 
@@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \renewcommand{\isacharunderscore}{\_} \renewcommand{\isacharunderscorekeyword}{\_} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \newcommand{\chapter}[1]{\section{#1}} \begin{document} \title{Analysis of List Update Algorithms} \author{Maximilian P.L. Haslbeck and Tobias Nipkow} \maketitle \begin{abstract} These theories formalize the quantitative analysis of a number of classical algorithms for the list update problem: 2-competitiveness of move-to-front, the lower bound of 2 for the competitive- ness of deterministic list update algorithms and 1.6-competitiveness of the randomized COMB algorithm, the best randomized list update algorithm known to date. An informal description is found in an accompanying report \cite{HaslbeckN}. The material is based on the first two chapters of the book by Borodin and El-Yaniv \cite{BorodinE}. \end{abstract} \setcounter{tocdepth}{2} \tableofcontents \newpage % generated text of all theories \input{session} \bibliographystyle{alpha} \bibliography{root} \end{document} diff --git a/thys/LocalLexing/document/root.tex b/thys/LocalLexing/document/root.tex --- a/thys/LocalLexing/document/root.tex +++ b/thys/LocalLexing/document/root.tex 
@@ -1,37 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{graphicx} \usepackage{isabelle,isabellesym} \usepackage{amssymb} -\usepackage[utf8]{inputenc} \usepackage{url} % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \pagestyle{myheadings} \begin{document} \title{Local Lexing} \author{Steven Obua} \maketitle \begin{abstract} This formalisation accompanies the paper Local Lexing\footnote{\url{https://arxiv.org/abs/1702.03277}}, which introduces a novel parsing concept of the same name. The paper also gives a high-level algorithm for local lexing as an extension of Earley's algorithm. This formalisation proves the algorithm to be correct with respect to its local lexing semantics. As a special case, this formalisation thus also contains a proof of the correctness of Earley's algorithm. The paper contains a short outline of how this formalisation is organised. \end{abstract} \tableofcontents \begin{center} \includegraphics[scale=0.5]{session_graph} \end{center} \clearpage \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/Localization_Ring/document/root.tex b/thys/Localization_Ring/document/root.tex --- a/thys/Localization_Ring/document/root.tex +++ b/thys/Localization_Ring/document/root.tex 
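Review bot: the LocalLexing hunk makes the same swap of `-\usepackage[utf8]{inputenc}` for `+\usepackage[T1]{fontenc}`, which assumes the UTF-8 default of LaTeX 2018-04 or later; the visible abstract is plain ASCII, so this entry builds either way, but the assumption should be recorded once for the whole patch rather than left implicit. The `@@ -1,37 +1,37 @@` counts are consistent with the one-for-one replacement.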
@@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Localization of a Commutative Ring} \author{Anthony Bordg} \maketitle \begin{abstract} We formalize the localization~\cite[II, \S4]{SL-Alg} of a commutative ring $R$ with respect to a multiplicative subset (i.e. a submonoid of $R$ seen as a multiplicative monoid). \\ This localization is itself a commutative ring and we build the natural homomorphism of rings from $R$ to its localization. \end{abstract} \tableofcontents \input{session} \section{Acknowledgements} The author was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council and led by Professor Lawrence Paulson at the University of Cambridge, UK. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Locally-Nameless-Sigma/document/root.tex b/thys/Locally-Nameless-Sigma/document/root.tex --- a/thys/Locally-Nameless-Sigma/document/root.tex +++ b/thys/Locally-Nameless-Sigma/document/root.tex 
@@ -1,74 +1,75 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Locally Nameless Sigma Calculus} \author{Ludovic Henrio and Florian Kamm\"uller and Bianca Lutz and Henry Sudhof} \maketitle \begin{abstract} We present a Theory of Objects based on the original functional $\varsigma$-calculus by Abadi and Cardelli \cite{AC96a} but with an additional parameter to methods. We prove confluence of the operational semantics following the outline of Nipkow's proof of confluence for the $\lambda$-calculus reusing his general \texttt{Commutation.thy} \cite{nip:01} a generic diamond lemma reduction. We furthermore formalize a simple type system for our $\varsigma$-calculus including a proof of type safety. The entire development uses the concept of Locally Nameless representation for binders \cite{ACPPW:POPL08}. We reuse an earlier proof of confluence \cite{HK:FMOODS07} for a simpler $\varsigma$-calculus based on de Bruijn indices and lists to represent objects. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{entcs} \begin{thebibliography}{10} \bibitem{AC96a} M. Abadi and L. Cardelli. \newblock {``A Theory of Objects''}. \newblock Springer, New York, 1996. \bibitem{ACPPW:POPL08} B. Aydemir, A, Charguéraud, B.~C. Pierce, R. Pollack, and S. Weirich. \newblock Engineering formal metatheory. \newblock {\em Princ. of Programming Languages, POPL'08}, ACM, 2008. \bibitem{HK:FMOODS07} L. Henrio and F. Kammüller. \newblock A mechanized model of the theory of objects. \newblock {\em Formal Methods for Open Object-Based Distributed Systems,}. LNCS \textbf{4468} Springer, 2007. \bibitem{nip:01} Tobias Nipkow. 
\newblock{More Church Rosser Proofs.} \newblock{\em Journal of Automated Reasoning}. \newblock{\textbf{26}:51--66, 2001.} \end{thebibliography} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Lowe_Ontological_Argument/document/root.tex b/thys/Lowe_Ontological_Argument/document/root.tex --- a/thys/Lowe_Ontological_Argument/document/root.tex +++ b/thys/Lowe_Ontological_Argument/document/root.tex 
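Review bot: the Locally-Nameless-Sigma `thebibliography` carries raw non-ASCII characters (`Charguéraud`, `Kammüller`) while the author line escapes the same name as `Kamm\"uller`; with no `inputenc` loaded, those bytes are interpreted correctly only under the UTF-8 default of LaTeX 2018-04 or later, and with T1 fontenc they are then set as single accented glyphs, which is the intended benefit of the change. For portability and consistency, normalise the two bibitems to `Chargu\'eraud` and `Kamm\"uller`, or confirm the UTF-8 floor in the commit message. Pre-existing but worth a follow-up: `\bibliographystyle{entcs}` is dead code next to a hand-written `thebibliography` with no `\bibliography` call.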
@@ -1,75 +1,76 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{authblk} %\usepackage{a4wide} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Computer-assisted Reconstruction and Assessment\\ of E. J. Lowe's Modal Ontological Argument} \author[1]{David Fuenmayor} \author[2,1]{Christoph Benzm\"uller} \affil[1]{Freie Universit\"at Berlin, Germany} \affil[2]{University of Luxembourg, Luxembourg} \maketitle \begin{abstract} Computers may help us to understand --not just verify-- philosophical arguments. By utilizing modern proof assistants in an iterative interpretive process, we can reconstruct and assess an argument by fully formal means. Through the mechanization of a variant of St. Anselm's ontological argument by E. J. Lowe, which is a paradigmatic example of a natural-language argument with strong ties to metaphysics and religion, we offer an ideal showcase for our computer-assisted interpretive method. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Lower_Semicontinuous/document/root.tex b/thys/Lower_Semicontinuous/document/root.tex --- a/thys/Lower_Semicontinuous/document/root.tex 
+++ b/thys/Lower_Semicontinuous/document/root.tex @@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Lower Semicontinuous Functions} \author{By Bogdan Grechuk} \maketitle \begin{abstract} We define the notions of lower and upper semicontinuity for functions from a metric space to the extended real line. We prove that a function is both lower and upper semicontinuous if and only if it is continuous. We also give several equivalent characterizations of lower semicontinuity. In particular, we prove that a function is lower semicontinuous if and only if its epigraph is a closed set. Also, we introduce the notion of the lower semicontinuous hull of an arbitrary function and prove its basic properties. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} diff --git a/thys/Lp/document/root.tex b/thys/Lp/document/root.tex --- a/thys/Lp/document/root.tex +++ b/thys/Lp/document/root.tex 
@@ -1,52 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathtools} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \DeclarePairedDelimiter{\norm}{\lVert}{\rVert} \bibliographystyle{plain} \begin{document} \title{$L^p$ spaces in Isabelle} \author{Sebastien Gouezel} \date{} \maketitle \begin{abstract} $L^p$ is the space of functions whose $p$-th power is integrable. It is one of the most fundamental Banach spaces that is used in analysis and probability. We develop a framework for function spaces, and then implement the $L^p$ spaces in this framework using the existing integration theory in Isabelle/HOL. Our development contains most fundamental properties of $L^p$ spaces, notably the H\"older and Minkowski inequalities, completeness of $L^p$, duality, stability under almost sure convergence, multiplication of functions in $L^p$ and $L^q$, stability under conditional expectation. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Lucas_Theorem/document/root.tex b/thys/Lucas_Theorem/document/root.tex --- a/thys/Lucas_Theorem/document/root.tex +++ b/thys/Lucas_Theorem/document/root.tex 
@@ -1,66 +1,67 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Lucas's Theorem} \author{Chelsea Edmonds} \maketitle \begin{abstract} This work presents a formalisation of a generating function proof for Lucas's theorem. We first outline extensions to the existing Formal Power Series (FPS) library, including an equivalence relation for coefficients modulo $n$, an alternate binomial theorem statement, and a formalised proof of the Freshman's dream (mod $p$) lemma. The second part of the work presents the formal proof of Lucas's Theorem. Working backwards, the formalisation first proves a well known corollary of the theorem which is easier to formalise and then applies induction to prove the original theorem statement. The proof of the corollary aims to provide a good example of a formalised generating function equivalence proof using the FPS library. The final theorem statement is intended to be integrated into the formalised proof of Hilbert's 10th Problem \cite{bayerDPRMTheoremIsabelle2019}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/MFMC_Countable/document/root.tex b/thys/MFMC_Countable/document/root.tex --- a/thys/MFMC_Countable/document/root.tex +++ b/thys/MFMC_Countable/document/root.tex @@ -1,55 +1,56 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amssymb} \usepackage{stmaryrd} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A formal proof of the max-flow min-cut theorem for countable networks} \author{Andreas Lochbihler} \maketitle \begin{abstract} This article formalises a proof of the maximum-flow minimal-cut theorem for networks with countably many edges. A network is a directed graph with non-negative real-valued edge labels and two dedicated vertices, the source and the sink. A flow in a network assigns non-negative real numbers to the edges such that for all vertices except for the source and the sink, the sum of values on incoming edges equals the sum of values on outgoing edges. A cut is a subset of the vertices which contains the source, but not the sink. Our theorem states that in every network, there is a flow and a cut such that the flow saturates all the edges going out of the cut and is zero on all the incoming edges. The proof is based on the paper ``The Max-Flow Min-Cut theorem for countable networks'' by Aharoni et al.\ \cite{AharoniBergerGeorgakopoulusPerlsteinSpruessel2011JCT}. Additionally, we prove a characterisation of the lifting operation for relations on discrete probability distributions, which leads to a concise proof of its distributivity over relation composition. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/MFODL_Monitor_Optimized/document/root.tex b/thys/MFODL_Monitor_Optimized/document/root.tex --- a/thys/MFODL_Monitor_Optimized/document/root.tex +++ b/thys/MFODL_Monitor_Optimized/document/root.tex 
@@ -1,58 +1,58 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{Formalization of an Optimized Monitoring Algorithm for\\ Metric First-Order Dynamic Logic with Aggregations} \author{Thibault Dardinier \and Lukas Heimes \and Martin Raszyk \and Joshua Schneider \and Dmitriy Traytel} \maketitle \begin{abstract} A monitor is a runtime verification tool that solves the following problem: Given a stream of time-stamped events and a policy formulated in a specification language, decide whether the policy is satisfied at every point in the stream. We verify the correctness of an executable monitor for specifications given as formulas in metric first-order dynamic logic (MFODL), which combines the features of metric first-order temporal logic (MFOTL)~\cite{BasinKMZ-JACM15} and metric dynamic logic~\cite{BasinKT-RV17}. Thus, MFODL supports real-time constraints, first-order parameters, and regular expressions. Additionally, the monitor supports aggregation operations such as count and sum. This formalization, which is described in a paper at IJCAR 2020~\cite{BasinDHKRST2020IJCAR}, significantly extends \href{https://www.isa-afp.org/entries/MFOTL_Monitor.html}{previous work on a verified monitor} for MFOTL~\cite{SchneiderBKT2019RV}. Apart from the addition of regular expressions and aggregations, we implemented \href{https://www.isa-afp.org/entries/Generic_Join.html}{multi-way joins} and a specialized sliding window algorithm to further optimize the monitor. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/MFOTL_Monitor/document/root.tex b/thys/MFOTL_Monitor/document/root.tex --- a/thys/MFOTL_Monitor/document/root.tex +++ b/thys/MFOTL_Monitor/document/root.tex 
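Review bot: the single `-` line in the MFODL_Monitor_Optimized hunk appears to delete only the blank line between `\usepackage{isabelle,isabellesym}` and `\usepackage{a4wide}`, an unrelated whitespace edit bundled with the fontenc addition; that is why the header reads `@@ -1,58 +1,58 @@` rather than growing by one. Harmless, but either leave it out of a mechanical encoding patch or say so in the commit message. The fontenc line itself is correctly placed ahead of `a4wide` and `babel`.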
@@ -1,52 +1,52 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{Formalization of a Monitoring Algorithm for\\ Metric First-Order Temporal Logic} \author{Joshua Schneider \and Dmitriy Traytel} \maketitle \begin{abstract} A monitor is a runtime verification tool that solves the following problem: Given a stream of time-stamped events and a policy formulated in a specification language, decide whether the policy is satisfied at every point in the stream. We verify the correctness of an executable monitor for specifications given as formulas in metric first-order temporal logic (MFOTL)~\cite{BasinKMZ-JACM15}, an expressive extension of linear temporal logic with real-time constraints and first-order quantification. The verified monitor implements a simplified variant of the algorithm used in the efficient MonPoly monitoring tool~\cite{monpoly}. The formalization is presented in a RV 2019 paper~\cite{SchneiderBKT-RV19}, which also compares the output of the verified monitor to that of other monitoring tools on randomly generated inputs. This case study revealed several errors in the optimized but unverified tools. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/MSO_Regex_Equivalence/document/root.tex b/thys/MSO_Regex_Equivalence/document/root.tex --- a/thys/MSO_Regex_Equivalence/document/root.tex +++ b/thys/MSO_Regex_Equivalence/document/root.tex 
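Review bot: the MFOTL_Monitor hunk removes the same blank line after `\usepackage{isabelle,isabellesym}` as the optimized-monitor entry (hence the balanced `@@ -1,52 +1,52 @@`), again a whitespace tidy-up unrelated to the T1 change. Apply this consistently across the entries that have the extra blank line, or drop it everywhere, so the patch stays purely about the encoding.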
@@ -1,59 +1,59 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage[english]{babel} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions} \author{Dmitriy Traytel and Tobias Nipkow} \maketitle \begin{abstract} Monadic second-order logic on finite words (MSO) is a decidable yet expressive logic into which many decision problems can be encoded. Since MSO formulas correspond to regular languages, equivalence of MSO formulas can be reduced to the equivalence of some regular structures (e.g.\ automata). We verify an executable decision procedure for MSO formulas that is not based on automata but on regular expressions. Decision procedures for regular expression equivalence have been formalized before (e.g.\ in Isabelle/HOL~\cite{KraussN-AFP}), usually based on Brzozowski derivatives. Yet, for a straightforward embedding of MSO formulas into regular expressions an extension of regular expressions with a projection operation is required. We prove total correctness and completeness of an equivalence checker for regular expressions extended in that way. We also define a language-preserving translation of formulas into regular expressions with respect to two different semantics of MSO. The formalization is described in the ICFP 2013 functional pearl~\cite{TraytelN-ICFP13}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Markov_Models/document/root.tex b/thys/Markov_Models/document/root.tex --- a/thys/Markov_Models/document/root.tex 
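Review bot: in the MSO_Regex_Equivalence hunk the deleted line is again only the blank line between `\usepackage{isabelle,isabellesym}` and `\usepackage[english]{babel}`, which keeps `@@ -1,59 +1,59 @@` balanced against the fontenc addition. One point in favour of the placement: `fontenc` now precedes `babel`, which is the recommended order when a T1 encoding is selected, so no reordering is needed here.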
+++ b/thys/Markov_Models/document/root.tex 
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage[english]{babel} \usepackage{stmaryrd} \usepackage{eufrak} \usepackage{wasysym} \usepackage{tikz} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Markov Models} \author{Johannes H\"olzl and Tobias Nipkow} \maketitle \begin{abstract} This is a formalization of various Markov models in Isabelle/HOL. It builds on Isabelle's probability theory. The available models are currently discrete-time and continuous-time Markov chains as well as Markov decision processes. As application of these models we formalize probabilistic model checking of pCTL formulas, analysis of IPv4 address allocation in ZeroConf and an analysis of the anonymity of the Crowds protocol. \end{abstract} \tableofcontents \section{Introduction} This is a formalization of probabilistic models in Isabelle/HOL. It builds on Isabelle's probability theory (HOL-Probability). It provides formalizations for the following models: \begin{itemize} \item Discrete-time Markov processes with measurable state spaces~\cite{hoelzl2017markovprocesses} \item Markov decision processes on discrete spaces~\cite{hoelzl2017mdp} \item Continuous-time Markov chains on discrete spaces~\cite{hoelzl2017markovprocesses} \end{itemize} As application of these models we formalize \begin{itemize} \item a probabilistic model checking of pCTL formulas~\cite{hoelzl2012verifyingpctl}, \item an analysis of IPv4 address allocation in ZeroConf~\cite{hoelzl2012casestudies}, \item an analysis of the anonymity of the Crowds protocol~\cite{hoelzl2012casestudies}, \item the reachability analysis on finite-state MDPs~\cite{hoelzl2017mdp}, and \item expected running-time semantics for pGCL~\cite{hoelzl2016exprun}. 
\end{itemize} The formalization of rewarded DTMCs and pCTL model checking is discussed in detail in our paper. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Marriage/document/root.tex b/thys/Marriage/document/root.tex --- a/thys/Marriage/document/root.tex +++ b/thys/Marriage/document/root.tex @@ -1,28 +1,29 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Hall's Marriage Theorem} \author{Dongchen Jiang and Tobias Nipkow} \maketitle \begin{abstract} A proof of Hall's Marriage Theorem due to Halmos and Vaughan~\cite{HalmosV}. \end{abstract} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Mason_Stothers/document/root.tex b/thys/Mason_Stothers/document/root.tex --- a/thys/Mason_Stothers/document/root.tex +++ b/thys/Mason_Stothers/document/root.tex 
@@ -1,69 +1,70 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Mason--Stothers theorem} \author{Manuel Eberl} \maketitle \begin{abstract} This article provides a formalisation of Snyder's simple and elegant proof of the Mason--Stothers theorem~\cite{snyder2000,lemmermeyer05}, which is the polynomial analogue of the famous $abc$ Conjecture for integers. Remarkably, Snyder found this very elegant proof when he was still a high-school student. In short, the statement of the theorem is that three non-zero coprime polynomials $A$, $B$, $C$ over a field which sum to $0$ and do not all have vanishing derivatives fulfil $\textrm{max}\{\textrm{deg}(A),\textrm{deg}(B),\textrm{deg}(C)\} < \textrm{deg}(\textrm{rad}(ABC))$ where $\textrm{rad}(P)$ denotes the \emph{radical} of $P$, i.\,e.\ the product of all unique irreducible factors of $P$. This theorem also implies a kind of polynomial analogue of Fermat's Last Theorem for polynomials: except for trivial cases, $A ^ n + B ^ n + C ^ n = 0$ implies $n \leq 2$ for coprime polynomials $A$, $B$, $C$ over a field. 
\end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \newpage \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Matrices_for_ODEs/document/root.tex b/thys/Matrices_for_ODEs/document/root.tex --- a/thys/Matrices_for_ODEs/document/root.tex +++ b/thys/Matrices_for_ODEs/document/root.tex 
@@ -1,76 +1,77 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isasymlonglonglongrightarrow}{$\longrightarrow$} \begin{document} \title{Matrices for ODEs} \author{Jonathan Juli\'an Huerta y Munive} \maketitle \begin{abstract} Our theories formalise various matrix properties that serve to establish existence, uniqueness and characterisation of the solution to affine systems of ordinary differential equations (ODEs). In particular, we formalise the operator and maximum norm of matrices. Then we use them to prove that square matrices form a Banach space, and in this setting, we show an instance of Picard-Lindel\"of's theorem for affine systems of ODEs. Finally, we apply this formalisation by verifying three simple hybrid programs. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introductory Remarks} Affine systems of ordinary differential equations (ODEs) are those whose associated vector fields are linear transformations. That is, if there is a matrix-valued function $A:\mathbb{R}\to M_{n\times n}(\mathbb{R})$ and vector function $B:\mathbb{R}\to\mathbb{R}^n$ such that the system of ODEs $x'\, t=f\, (t,x\, t)$ can be rewritten as $x'\, t=A\cdot (x\, t)+B\, t$, then the system is affine. 
Similarly, the associated linear system of ODEs is $x'\, t=A\cdot (x\, t)$ for matrix-vector multiplication $\cdot$. Our theories formalise affine (hence linear) systems of ordinary differential equations. For this purpose, we extend the ODE libraries of~\cite{ImmlerH12a} and linear algebra in HOL-Analysis. We add to them various results about invertibility of matrices, their diagonalisation, their operator and maximum norms, and properties relating them with vectors. We also define a new type of square matrices and prove that this is a Banach space. Then we obtain results about derivatives of matrix-vector multiplication and use them to prove Picard-Lindel\"of's theorem as formalised in~\cite{afp:hybrid}. The Banach space instance allows us to characterise the general solution to affine systems of ODEs in terms of the matrix-exponential. Finally, we use the components of~\cite{afp:hybrid} to do three simple verification examples in the style of differential dynamic logic~\cite{Platzer10} as showcased in~\cite{ArmstrongGS16,FosterMS19,MuniveS19}. The paper~\cite{Munive20} has a detailed overview of the various contributions that this formalisation adds to the verification components. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Matrix/document/root.tex b/thys/Matrix/document/root.tex --- a/thys/Matrix/document/root.tex +++ b/thys/Matrix/document/root.tex 
@@ -1,50 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Executable Matrix Operations on Matrices of Arbitrary Dimensions} \author{Christian Sternagel and Ren\'e Thiemann} \maketitle \begin{abstract} We provide the operations of matrix addition, multiplication, transposition, and matrix comparisons as executable functions over ordered semirings. Moreover, it is proven that strongly normalizing (monotone) orders can be lifted to strongly normalizing (monotone) orders over matrices. We further show that the standard semirings over the naturals, integers, and rationals, as well as the arctic semirings satisfy the axioms that are required by our matrix theory. Our formalization was performed as part of the \isafor/\ceta-system \cite{CeTA}\footnote{\url{http://cl-informatik.uibk.ac.at/software/ceta}} which contains several termination techniques. The provided theories have been essential to formalize matrix-interpretations \cite{MatrixJAR} and arctic interpretations \cite{Arctic}. A short description of this formalization can be found in \cite{WST10}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Matrix_Tensor/document/root.tex b/thys/Matrix_Tensor/document/root.tex --- a/thys/Matrix_Tensor/document/root.tex +++ b/thys/Matrix_Tensor/document/root.tex 
@@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Tensor Product of Matrices} \author{T.V.H. Prathamesh} \maketitle \begin{abstract} In this work, the Kronecker tensor product of matrices and the proofs of some of its properties are formalized. Properties which have been formalized include associativity of the tensor product and the mixed-product property. This formalization of tensor product of matrices relies on the formalization of matrices by Christian Sternagel and Rene Thiemann under the title `Executable Matrix Operations on Matrices of Arbitrary Dimensions'. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Matroids/document/root.tex b/thys/Matroids/document/root.tex --- a/thys/Matroids/document/root.tex +++ b/thys/Matroids/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Matroids} \author{Jonas Keinholz} \maketitle \begin{abstract} This article defines combinatorial structures known as \emph{Independence Systems} and \emph{Matroids} and provides basic concepts and theorems related to them. These structures play an important role in combinatorial optimisation, e.\,g.\ greedy algorithms such as Kruskal's algorithm. The development is based on Oxley's `What is a Matroid?'~\cite{oxley}. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \nocite{oxley} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Max-Card-Matching/document/root.tex b/thys/Max-Card-Matching/document/root.tex --- a/thys/Max-Card-Matching/document/root.tex +++ b/thys/Max-Card-Matching/document/root.tex 
@@ -1,105 +1,106 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath,amsthm} % this should be the last package used \usepackage{pdfsetup} \theoremstyle{definition} \newtheorem{theorem}{Theorem} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\OSC}{\mathit{OSC}} \newcommand{\abs}[1]{\left\lvert #1 \right\rvert} \begin{document} \title{Maximum Cardinality Matching} \author{Christine Rizkallah} \maketitle \begin{abstract} A \emph{matching} in a graph $G$ is a subset $M$ of the edges of $G$ such that no two share an endpoint. A matching has maximum cardinality if its cardinality is at least as large as that of any other matching. An \emph{odd-set cover} $\OSC$ of a graph $G$ is a labeling of the nodes of $G$ with integers such that every edge of $G$ is either incident to a node labeled 1 or connects two nodes labeled with the same number $i \ge 2$. \begin{theorem}[Edmonds~\cite{Edmonds:matching}] \label{thm-edm} Let $M$ be a matching in a graph $G$ and let $OSC$ be an odd-set cover of $G$. For any $i \ge 0$, let $n_i$ be the number of nodes labeled $i$. If $$\abs{M} = n_1 + \sum_{i\ge 2}\lfloor n_i/2 \rfloor$$ then $M$ is a maximum cardinality matching. \end{theorem} We provide an Isabelle proof of Edmonds theorem. For an explanation of the proof see \cite{VerificationofCertifyingComputations}. %\begin{proof} Let $N$ be any matching in $G$. %For $i \ge 2$, let $N_i$ be the edges in $N$ that connect two nodes labeled $i$ %and let $N_1$ be the remaining edges in $N$. Then, by the definition of odd-set %cover, every edge in $N_1$ is incident to a vertex labeled 1. Since edges in a %matching do not share endpoints, we have %\[\abs{N_1} \le n_1\;\;\text{and}\;\;\abs{N_i} \le \lfloor n_i/2 \rfloor \;\;\text{for %$i \ge 2$.}\] %Thus $\abs{N} \le n_1 + \sum_{i\ge 2} \lfloor n_i / 2 \rfloor = %\abs{M}$. 
%\qed %\end{proof} %In the following we present an Isabelle/HOL proof of Theorem \ref{thm-edm}. %The Isabelle/HOL proof follows the scheme of the informal proof and is split %into two main parts. % %For $i \ge 2$, let $M_i$ be the edges in $M$ that connect two nodes labeled $i$ %and let $M_1$ be the remaining edges in $M$. We use the definition of odd-set %cover to prove that $M \subseteq \bigcup_{i\ge1} M_i$ and thus $\abs{M} \le \sum_{i}\abs{M_i}$. %Let $V_i$ be the nodes labeled $i$ and let $n_i = \abs{V_i}$. %We formally prove: $\abs{M_1} \le n_1$ and $\abs{M_i} \le \lfloor n_i/2 %\rfloor$. % %\newcommand{\pinV}{\mathit{endpoint}_{V_1}} % %In order to prove $\abs{M_1} \le n_1$, we exhibit an injective function from $M_1$ %to $V_1$. We first prove, using the definition of odd-set cover, that every %edge $e \in M_1$ has at least one endpoint in $V_1$. This gives rise to a function %$\pinV: M_1 \mapsto V_1$. We then use the fact that edges in %a matching do not share endpoints, i.e., are disjoint when interpreted as %sets, to conclude that $\pinV$ is injective. This establishes $\abs{M_1} \le %\abs{V_i}$. % %For $i\ge2$ the proof of the inequality $\abs{M_i} \le \lfloor n_i/2 \rfloor$ is similar, %but more involved. $M_i$ is a set of edges. %If we represent edges as sets (each has cardinality equals two), then $M_i$ is a collection of sets. %We define the set of vertices $V^\prime_i$ to be $\bigcup M_i$ and use the definition of odd-set cover to %prove $V^\prime_i \subseteq V_i$. %Then, we use the fact that the edges in a matching are pairwise disjoint to % prove $\abs{V^\prime_i} = 2 * \abs{M_i}$. %Note also that $\abs{V^\prime_i}$ must be even since $\abs{M_i}$ is a natural %number. Thus we can prove that $\abs{M_i} \le \lfloor\abs{V^\prime_i}/2\rfloor$ and hence %$\abs{M_i} \le \lfloor\abs{V^\prime_i} / 2\rfloor \le \lfloor \abs{V_i}/2 \rfloor %= \lfloor n_i/2 \rfloor$. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Median_Of_Medians_Selection/document/root.tex b/thys/Median_Of_Medians_Selection/document/root.tex --- a/thys/Median_Of_Medians_Selection/document/root.tex +++ b/thys/Median_Of_Medians_Selection/document/root.tex @@ -1,63 +1,64 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Median-Of-Medians Selection Algorithm} \author{Manuel Eberl} \maketitle \begin{abstract} This entry provides an executable functional implementation of the Median-of-Medians algorithm~\cite{clrs2009} for selecting the $k$-th smallest element of an unsorted list deterministically in linear time. The size bounds for the recursive call that lead to the linear upper bound on the run-time of the algorithm are also proven. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Menger/document/root.tex b/thys/Menger/document/root.tex --- a/thys/Menger/document/root.tex +++ b/thys/Menger/document/root.tex 
@@ -1,136 +1,135 @@ \documentclass[11pt,a4paper,DIV=11]{scrartcl} -\usepackage[utf8]{inputenc} \usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amsfonts} \usepackage[standard]{ntheorem} \renewcommand{\bf}{\normalfont\bfseries} \renewcommand{\rm}{\normalfont\rmfamily} \renewcommand{\it}{\normalfont\itshape} \usepackage{pdfsetup} \hypersetup{ pdfinfo={ Title={Menger's Theorem}, Subject={}, Keywords={Formal Proof, Graph Theory, Menger's Theorem}, Author={Christoph Dittmann}, Creator={} }, bookmarksopen=true, bookmarksnumbered, bookmarksopenlevel=2, bookmarksdepth=3 } % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Menger's Theorem} \author{Christoph Dittmann\\isabelle@christoph-d.de} \date{\today} \maketitle \begin{abstract} We present a formalization of Menger's Theorem for directed and undirected graphs in Isabelle/HOL. This well-known result shows that if two non-adjacent distinct vertices $u,v$ in a directed graph have no separator smaller than $n$, then there exist $n$ internally vertex-disjoint paths from $u$ to $v$. The version for undirected graphs follows immediately because undirected graphs are a special case of directed graphs. \end{abstract} \tableofcontents \newpage \section{Introduction} Given two non-adjacent distinct vertices $u, v$ in a finite directed graph, a \emph{$u$-$v$-separator} is a set of vertices $S$ with $u \notin S, v \notin S$ such that every $u$-$v$-path visits a vertex of $S$. Two $u$-$v$-paths are \emph{internally vertex-disjoint} if their intersection is exactly $\{u,v\}$. A famous classical result of graph theory relates the size of a minimum separator to the maximal number of internally vertex-disjoint paths. \begin{theorem}[Menger \cite{Menger1927}]\label{thm:menger} Let $u,v$ be two non-adjacent distinct vertices. 
Then the size of a minimum $u$-$v$-separator equals the maximal number of pairwise internally vertex-disjoint $u$-$v$-paths. \end{theorem} This theorem has many proofs, but as far as the author is aware, there was no formalized proof. We follow a proof given by William McCuaig, who calls it ``A simple proof of Menger's theorem''~\cite{DBLP:journals/jgt/McCuaig84}. His proof is roughly one page in length. Our formalization is significantly longer than that because we had to fill in a lot of details. Most of the work goes into showing the following theorem, which proves one direction of Theorem~\ref{thm:menger}. \begin{theorem} Let $u,v$ be two non-adjacent distinct vertices. If every $u$-$v$-separator has size at least $n$, then there exists $n$ pairwise internally vertex-disjoint $u$-$v$-paths. \end{theorem} Compared to this, the other direction of Theorem~\ref{thm:menger} is easy because the existence of $n$ internally vertex-disjoint paths implies that every separator needs to cut at least these paths, so every separator needs to have size at least $n$. \section{Relation to Min-Cut Max-Flow} Another famous result of graph theory is the Min-Cut Max-Flow Theorem, stating that the size of a minimum $u$-$v$-cut equals the value of a maximum $u$-$v$-flow. There exists a formalization of a very general version of this theorem for countable graphs in the Archive of Formal Proofs, written by Andreas Lochbihler~\cite{MFMC_Countable-AFP}. Technically, our version of Menger's Theorem should follow from Lochbihler's very general result. However, the author was of the opinion that a fresh formalization of Menger's Theorem was warranted given the complexity of the Min-Cut Max-Flow formalization. Our formalization is about a sixth of the size of the Min-Cut Max-Flow formalization (not counting comments). It may also be easier to grasp by readers who are unfamiliar with the intricacies of countable networks. 
Let us also note that the Min-Cut Max-Flow Theorem considers \emph{edge cuts} whereas Menger's Theorem works with \emph{vertex cuts}. This is a minor difference because one can be reduced to the other, but it makes Menger's Theorem not a trivial corollary of the Min-Cut Max-Flow formalization. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \clearpage \phantomsection \addcontentsline{toc}{section}{Bibliography} \bibliographystyle{alphaurl} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Mersenne_Primes/document/root.tex b/thys/Mersenne_Primes/document/root.tex --- a/thys/Mersenne_Primes/document/root.tex +++ b/thys/Mersenne_Primes/document/root.tex @@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Mersenne primes and the Lucas--Lehmer test} \author{Manuel Eberl} \maketitle \begin{abstract} This article provides formal proofs of basic properties of Mersenne numbers, i.\,e.\ numbers of the form $2^n - 1$, and especially of Mersenne primes. In particular, an efficient, verified, and executable version of the Lucas--Lehmer test is developed. This test decides primality for Mersenne numbers in time polynomial in $n$. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/MiniML/document/root.tex b/thys/MiniML/document/root.tex --- a/thys/MiniML/document/root.tex +++ b/thys/MiniML/document/root.tex 
@@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \begin{document} \title{MiniML} \author{Wolfgang Naraschewski and Tobias Nipkow} \maketitle \begin{abstract} This theory defines the type inference rules and the type inference algorithm \emph{W} for MiniML (simply-typed lambda terms with \texttt{let}) due to Milner. It proves the soundness and completeness of \emph{W} w.r.t. the rules. A report describing the theory is found in \cite{Naraschewski-Nipkow-TYPES96} and \cite{NaraschewskiN-JAR}. \end{abstract} % \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Minkowskis_Theorem/document/root.tex b/thys/Minkowskis_Theorem/document/root.tex --- a/thys/Minkowskis_Theorem/document/root.tex +++ b/thys/Minkowskis_Theorem/document/root.tex 
@@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Minkowski's Theorem} \author{Manuel Eberl} \maketitle \begin{abstract} Minkowski's theorem relates a subset of $\mathbb{R}^n$, the Lebesgue measure, and the integer lattice $\mathbb{Z}^n$: It states that any convex subset of $\mathbb{R}^n$ with volume greater than $2^n$ contains at least one lattice point from $\mathbb{Z}^n\setminus\{0\}$, i.\,e. a non-zero point with integer coefficients. A related theorem which directly implies this is Blichfeldt's theorem, which states that any subset of $\mathbb{R}^n$ with a volume greater than 1 contains two different points whose difference vector has integer components. The entry contains a proof of both theorems. \end{abstract} \nocite{dummit} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Minsky_Machines/document/root.tex b/thys/Minsky_Machines/document/root.tex --- a/thys/Minsky_Machines/document/root.tex +++ b/thys/Minsky_Machines/document/root.tex 
@@ -1,81 +1,81 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{amstext} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \newcommand{\from}{\leftarrow} \newcommand{\isaname}[1]{\textit{#1}} \begin{document} \title{Minsky Machines% \thanks{This work was supported by FWF (Austrian Science Fund) project P30301.}} \author{Bertram Felgenhauer} \maketitle \begin{abstract} We formalize undecidablity results for Minsky machines. To this end, we also formalize recursive inseparability. We start by proving that Minsky machines can compute arbitrary primitive recursive and recursive functions. We then show that there is a deterministic Minsky machine with one argument (modeled by assigning the argument to register $0$ in the initial configuration) and final states $0$ and $1$ such that the set of inputs that are accepted in state $0$ is recursively inseparable from the set of inputs that are accepted in state $1$. As a corollary, the set of Minsky configurations that reach state $0$ but not state $1$ is recursively inseparable from the set of Minsky configurations that reach state $1$ but not state $0$. In particular both these sets are undecidable. We do \emph{not} prove that recursive functions can simulate Minsky machines. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Modal_Logics_for_NTS/document/root.tex b/thys/Modal_Logics_for_NTS/document/root.tex --- a/thys/Modal_Logics_for_NTS/document/root.tex +++ b/thys/Modal_Logics_for_NTS/document/root.tex @@ -1,71 +1,72 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} % for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Modal Logics for Nominal Transition Systems} \author{Tjark Weber et al.} \maketitle \begin{abstract} These Isabelle theories formalize a modal logic for nominal transition systems, as presented in the paper \emph{Modal Logics for Nominal Transition Systems} by Joachim Parrow, Johannes Borgstr{\"o}m, Lars-Henrik Eriksson, Ram{\=u}nas Gutkovas, and Tjark Weber~\cite{DBLP:conf/concur/ParrowBEGW15}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \cleardoublepage % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Modular_Assembly_Kit_Security/document/root.tex b/thys/Modular_Assembly_Kit_Security/document/root.tex --- a/thys/Modular_Assembly_Kit_Security/document/root.tex +++ b/thys/Modular_Assembly_Kit_Security/document/root.tex 
@@ -1,141 +1,142 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{csquotes} \usepackage[a4paper, total={6in, 8in}]{geometry} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \date{} \begin{document} \title{An Isabelle/HOL Formalization of the Modular Assembly Kit for Security Properties} \author{Oliver Bra\v{c}evac, Richard Gay, Sylvia Grewe,\\ Heiko Mantel, Henning Sudbrock, Markus Tasch} \maketitle \begin{abstract} The \enquote{Modular Assembly Kit for Security Properties} (MAKS) is a framework for both the definition and verification of possibilistic information-flow security properties at the specification-level. MAKS supports the uniform representation of a wide range of possibilistic information-flow properties and provides support for the verification of such properties via unwinding results and compositionality results. We provide a formalization of this framework in Isabelle/HOL. \end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories %\input{session} \section{Introduction} This is a formalization of the Modular Assembly Kit for Security Properties (MAKS) {\cite{inp:Mantel2000a,phd:Mantel2003}} in its version from {\cite{phd:Mantel2003}}. We provide a more detailed explanation on how key concepts of MAKS are formalized in Isabelle/HOL in {\cite{tr:GreweMantelTaschGaySudbrock2018a}}. \section{Basic Definitions} In the following, we define the notion of prefixes and the notion of projection. 
These definitions are preliminaries for the remaining parts of the Isabelle/HOL formalization of MAKS.\\ \input{Prefix.tex} \input{Projection.tex} \section{System Specification} \subsection{Event Systems} We define the system model of event systems as well as the parallel composition operator for event systems provided as part of MAKS in {\cite{phd:Mantel2003}}.\\ \input{EventSystems.tex} \subsection{State-Event Systems} We define the system model of state-event systems as well as the translation from state-event systems to event systems provided as part of MAKS in {\cite{phd:Mantel2003}}. State-event systems are the basis for the unwinding theorems that we prove later in this entry.\\ \input{StateEventSystems.tex} \section{Security Specification} \subsection{Views \& Flow Policies} We define views, flow policies and how views can be derived from a given flow policy.\\ \input{Views.tex} \input{FlowPolicies.tex} \subsection{Basic Security Predicates} We define all 14 basic security predicates provided as part of MAKS in {\cite{phd:Mantel2003}}.\\ \input{BasicSecurityPredicates.tex} \subsection{Information-Flow Properties} We define the notion of information-flow properties from {\cite{phd:Mantel2003}}.\\ \input{InformationFlowProperties.tex} \subsection{Property Library} We define the representations of several possibilistic information-flow properties from the literature that are provided as part of MAKS in {\cite{phd:Mantel2003}}.\\ \input{PropertyLibrary.tex} \section{Verification} \subsection{Basic Definitions} We define when an event system and a state-event system are secure given an information-flow property.\\ \input{SecureSystems.tex} \subsection{Taxonomy Results} We prove the taxonomy results from {\cite{phd:Mantel2003}}.\\ \input{BSPTaxonomy.tex} \subsection{Unwinding} We define the unwinding conditions provided in {\cite{phd:Mantel2003}} and prove the unwinding theorems from {\cite{phd:Mantel2003}} that use these unwinding conditions.\\ 
\subsubsection{Unwinding Conditions} \input{UnwindingConditions.tex} \subsubsection{Auxiliary Results} \input{AuxiliaryLemmas.tex} \subsubsection{Unwinding Theorems} \input{UnwindingResults.tex} \subsection{Compositionality} We prove the compositionality results from {\cite{phd:Mantel2003}}. \subsubsection{Auxiliary Definitions \& Results} \input{CompositionBase.tex} \input{CompositionSupport.tex} \subsubsection{Generalized Zipping Lemma} \input{GeneralizedZippingLemma.tex} \subsubsection{Compositionality Results} \input{CompositionalityResults.tex} \section*{Acknowledgments} This work was partially funded by the DFG (German Research Foundation) under the projects FM-SecEng (MA 3326/1-2, MA 3326/1-3) and RSCP (MA 3326/4-3). % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Monad_Memo_DP/document/root.tex b/thys/Monad_Memo_DP/document/root.tex --- a/thys/Monad_Memo_DP/document/root.tex +++ b/thys/Monad_Memo_DP/document/root.tex 
@@ -1,67 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \pagestyle{plain} % turn on page numbers \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{amssymb} \usepackage{mathpartir} %\usepackage{tikz} %\usepackage{pgfplots} \usepackage[hidelinks]{hyperref} % no right margin in quote: \renewenvironment{quote} {\list{}{}% \item\relax} {\endlist} \newcommand{\noquotes}[1]{{\renewcommand{\isachardoublequote}{}\renewcommand{\isachardoublequoteopen}{}\renewcommand{\isachardoublequoteclose}{}#1}} \isabellestyle{it} \renewcommand{\isacharunderscore}{\_} \renewcommand{\isacharunderscorekeyword}{\_} \renewcommand{\isadigit}[1]{{\rm #1}} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \newcommand{\eqnum}{\refstepcounter{equation}\hfill(\theequation)} \hyphenation{Isa-belle} \begin{document} \title{Monadification, Memoization\\ and Dynamic Programming} \author{Simon Wimmer \and Shuwei Hu \and Tobias Nipkow} \date{Technical University of Munich\\[\baselineskip] \today} \maketitle \begin{abstract} We present a lightweight framework for the automatic verified (functional or imperative) memoization of recursive functions. Our tool can turn a pure Isabelle/HOL function definition into a monadified version in a state monad or the Imperative HOL heap monad, and prove a correspondence theorem. We provide a variety of memory implementations for the two types of monads. A number of simple techniques allow us to achieve bottom-up computation and space-efficient memoization. The framework's utility is demonstrated on a number of representative dynamic programming problems. A detailed description of our work can be found in the accompanying paper \cite{DP-ITP-2018}. \end{abstract} \tableofcontents \pagebreak % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{session.tex} %\bibliographystyle{splncs03} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
diff --git a/thys/Monad_Normalisation/document/root.tex b/thys/Monad_Normalisation/document/root.tex --- a/thys/Monad_Normalisation/document/root.tex +++ b/thys/Monad_Normalisation/document/root.tex @@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} \usepackage{booktabs} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Monad Normalisation} \author{Joshua Schneider and Manuel Eberl and Andreas Lochbihler} \maketitle \begin{abstract} The usual monad laws can directly be used as rewrite rules for Isabelle's simplifier to normalise monadic HOL terms and decide equivalences. In a commutative monad, however, the commutativity law is a higher-order permutative rewrite rule that makes the simplifier loop. This AFP entry implements a simproc that normalises monadic expressions in commutative monads using ordered rewriting. The simproc can also permute computations across control operators like \textit{if} and \textit{case}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/MonoBoolTranAlgebra/document/root.tex b/thys/MonoBoolTranAlgebra/document/root.tex --- a/thys/MonoBoolTranAlgebra/document/root.tex +++ b/thys/MonoBoolTranAlgebra/document/root.tex 
@@ -1,100 +1,101 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Algebra of Monotonic Boolean Transformers} \author{Viorel Preoteasa} \maketitle \begin{abstract} Algebras of imperative programming languages have been successful in reasoning about programs. In general an algebra of programs is an algebraic structure with programs as elements and with program compositions (sequential composition, choice, skip) as algebra operations. Various versions of these algebras were introduced to model partial correctness, total correctness, refinement, demonic choice, and other aspects. We formalize here an algebra which can be used to model total correctness, refinement, demonic and angelic choice. The basic model of this algebra are monotonic Boolean transformers (monotonic functions from a Boolean algebra to itself). \end{abstract} \tableofcontents \section{Introduction} Abstract algebra is a useful tool in mathematics. Rather than working with specific models like natural numbers and algebra of truth values, one could reason in a more abstract setting and obtain results which are more general and applicable in different models. Algebras of logics are very important tools in studying various aspects of logical systems. Algebras of programming theories have also a significant contribution to the simplification of reasoning about programs. Programs are elements of an algebra and program compositions and program constants (sequential composition, choice, iteration, skip, fail) are the operations of the algebra. These operations satisfy a number of relations which are used for reasoning about programs. 
Kleene algebra with tests (KAT) \cite{kozen:1997} is an extension of Kleene algebra and it is suitable for reasoning about programs in a partial correctness framework. Various versions of Kleene algebras have been introduced, ranging from Kleene algebra with domain \cite{desharnais:moller:struth:2006} and concurrent Kleene algebra \cite{hoare:moller:struth:wehrman:2009} to an algebra for separation logic \cite{dang:hofner:moller:2011}. Refinement Calculus \cite{back-1978,back-1980,back-wright-98,morgan-90} is a calculus based on (monotonic) predicate transformers suitable for program development in a total correctness framework. Within this calculus various aspects of imperative programming languages can be formalized. These include total correctness, partial correctness, demonic choice, and angelic choice. Demonic refinement algebra (DRA) was introduced in \cite{vonwright:2002,vonwright:2004} as a variation of KAT to allow also reasoning about total correctness. The intended model of DRA is the set of conjunctive predicate transformers and this algebra cannot represent angelic choice. General refinement algebra (GRA) was also introduced in \cite{vonwright:2004}, but few results were proved and they were mostly related to iteration. Although the intended model for GRA is the set of monotonic predicate transformers, GRA does not include the angelic choice operator. GRA has been further extended in \cite{solin:vonwright:2009} with enabledness and termination operators, and it was extended for probabilistic programs in \cite{meinicke:solin:2010}. This formalization is based on \cite{preoteasa:2011c} where a different extension of GRA is introduced. In \cite{preoteasa:2011c} GRA is extended with a dual operator \cite{guerreiro:82,back:vonwright:1989,back:vonwright:1990,back-wright-98}. The intended model for this algebra is the set of monotonic Boolean transformers (monotonic functions from a Boolean algebra to itself). This formalization is structured as follows. 
Section 2 introduces the monotonic Boolean transformers that are the basic model of the algebra. Section 3 introduces the monotonic Boolean transformers algebra and some of its properties. Section 4 introduces the Boolean algebra of assertions. In section 5 we introduce standard program statements and we prove their Hoare total correctness rules. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/MonoidalCategory/document/root.tex b/thys/MonoidalCategory/document/root.tex --- a/thys/MonoidalCategory/document/root.tex +++ b/thys/MonoidalCategory/document/root.tex 
@@ -1,204 +1,205 @@ \documentclass[11pt,notitlepage,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,eufrak} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % XYPic package, for drawing commutative diagrams. \input{xy} \xyoption{curve} \xyoption{arrow} \xyoption{matrix} %\xyoption{2cell} %\UseAllTwocells % Even though I stayed within the default boundary in the JEdit buffer, % some proof lines wrap around in the PDF document. To minimize this, % increase the text width a bit from the default. \addtolength\textwidth{60pt} \addtolength\oddsidemargin{-30pt} \addtolength\evensidemargin{-30pt} \begin{document} \title{Monoidal Categories} \author{Eugene W. Stark\\[\medskipamount] Department of Computer Science\\ Stony Brook University\\ Stony Brook, New York 11794 USA} \maketitle \begin{abstract} Building on the formalization of basic category theory set out in the author's previous AFP article \cite{Category3-AFP}, the present article formalizes some basic aspects of the theory of monoidal categories. Among the notions defined here are monoidal category, monoidal functor, and equivalence of monoidal categories. The main theorems formalized are MacLane's coherence theorem and the constructions of the free monoidal category and free strict monoidal category generated by a given category. The coherence theorem is proved syntactically, using a structurally recursive approach to reduction of terms that might have some novel aspects. We also give proofs of some results given by Etingof {\em et al} \cite{Etingof15}, which may prove useful in a formal setting. In particular, we show that the left and right unitors need not be taken as given data in the definition of monoidal category, nor does the definition of monoidal functor need to take as given a specific isomorphism expressing the preservation of the unit object. 
Our definitions of monoidal category and monoidal functor are stated so as to take advantage of the economy afforded by these facts. Revisions made subsequent to the first version of this article added material on cartesian monoidal categories; showing that the underlying category of a cartesian monoidal category is a cartesian category, and that every cartesian category extends to a cartesian monoidal category. \end{abstract} \tableofcontents \chapter{Introduction} A {\em monoidal category} is a category $C$ equipped with a binary ``tensor product'' functor $\otimes: C \times C \rightarrow C$, which is associative up to a given natural isomorphism, and an object ${\cal I}$ that behaves up to isomorphism like a unit for $\otimes$. The associativity and unit isomorphisms are assumed to satisfy certain axioms known as {\em coherence conditions}. Monoidal categories were introduced by B\'{e}nabou \cite{Benabou63} and MacLane \cite{MacLane63}. MacLane showed that the axioms for a monoidal category imply that all diagrams in a large class are commutative. This result, known as MacLane's Coherence Theorem, is the first important result in the theory of monoidal categories. Monoidal categories are important partly because of their ubiquity. The category of sets and functions is monoidal; more generally any category with binary products and a terminal object becomes a monoidal category if we take the categorical product as $\otimes$ and the terminal object as ${\cal I}$. The category of vector spaces over a field, with linear maps as morphisms, not only admits monoidal structure with respect to the categorical product, but also with respect to the usual tensor product of vector spaces. Monoidal categories serve as the starting point for enriched category theory in that they provide a setting in which ordinary categories, having ``homs in the category of sets,'' can be generalized to ``categories having homs in a monoidal category ${\cal V}$''. 
In addition, the theory of monoidal categories can be regarded as a stepping stone to the theory of bicategories, as monoidal categories are the same thing as one-object bicategories. Building on the formalization of basic category theory set out in the author's previous AFP article \cite{Category3-AFP}, the present article formalizes some basic aspects of the theory of monoidal categories. In Chapter \ref{monoidal-category-chap}, we give a definition of the notion of monoidal category and develop consequences of the axioms. We then give a proof of MacLane's coherence theorem. The proof is syntactic: we define a language of terms built from arrows of a given category $C$ using constructors that correspond to formal composition and tensor product as well as to the associativity and unit isomorphisms and their formal inverses, we then define a mapping that interprets terms of the language in an arbitrary monoidal category $D$ via a valuation functor $V: C \rightarrow D$, and finally we syntactically characterize a class of equations between terms that hold in any such interpretation. Among these equations are all those that relate formally parallel ``canonical'' terms, where a term is canonical if the only arrows of $C$ that are used in its construction are identities. Thus, all formally parallel canonical terms have identical interpretations in any monoidal category, which is the content of MacLane's coherence theorem. In Chapter \ref{monoidal-functor-chap}, we define the notion of a {\em monoidal functor} between monoidal categories. A monoidal functor from a monoidal category $C$ to a monoidal category $D$ is a functor $F: C \rightarrow D$, equipped with additional data that express that the monoidal structure is preserved by $F$ up to natural isomorphism. A monoidal functor is {\em strict} if it preserves the monoidal structure ``on the nose'' ({\em i.e.}~the natural isomorphism is an identity). 
We also define the notion of an {\em equivalence of monoidal categories}, which is a monoidal functor $F: C \rightarrow D$ that is part of an ordinary equivalence of categories between $C$ and $D$. In Chapter \ref{fmc-chap}, we use the language of terms defined in Chapter \ref{monoidal-category-chap} to give a syntactic construction of the free monoidal category ${\cal F}C$ generated by a category $C$. The arrows ${\cal F}C$ are defined to be certain equivalence classes of terms, where composition and tensor product, as well as the associativity and unit isomorphisms, are determined by the syntactic operations. After proving that the construction does in fact yield a monoidal category, we establish its freeness: every functor from $C$ to a monoidal category $D$ extends uniquely to a strict monoidal functor from ${\cal F}C$ to $D$. We then consider the subcategory ${\cal F}_S C$ of ${\cal F}C$ whose arrows are equivalence classes of terms that we call ``diagonal.'' Diagonal terms amount to lists of arrows of $C$, composition in ${\cal F}_S C$ is given by elementwise composition of compatible lists of arrows, and tensor product in ${\cal F}_S C$ is given by concatenation of lists. We show that the subcategory ${\cal F}_S C$ is monoidally equivalent to the category ${\cal F} C$ and in addition that ${\cal F}_S C$ is the free strict monoidal category generated by ${\cal C}$. The formalizations of the notions of monoidal category and monoidal functor that we give here are not quite the traditional ones. The traditional definition of monoidal category assumes as given not only an ``associator'' natural isomorphism, which expresses the associativity of the tensor product, but also left and right ``unitor'' isomorphisms, which correspond to unit laws. 
However, as pointed out in \cite{Etingof15}, it is not necessary to take the unitors as given, because they are uniquely determined by the other structure and the condition that left and right tensoring with the unit object are endo-equivalences. This leads to a definition of monoidal category that requires fewer data to be given and fewer conditions to be verified in applications. As this is likely to be especially important in a formal setting, we adopt this more economical definition and go to the trouble to obtain the unitors as defined notions. A similar situation occurs with the definition of monoidal functor. The traditional definition requires two natural isomorphisms to be given: one that expresses the preservation of tensor product and another that expresses the preservation of the unit object. Once again, as indicated in \cite{Etingof15}, it is logically unnecessary to take the latter isomorphism as given, since there is a canonical definition of it in terms of the other structure. We adopt the more economical definition of monoidal functor and prove that the traditionally assumed structure can be derived from it. Finally, the proof of the coherence theorem given here potentially has some novel aspects. A typical syntactic proof of this theorem, such as that described in \cite{MacLane71}, involves the identification, for each term constructed as a formal tensor product of the unit object ${\cal I}$ and ``primitive objects'' ({\em i.e.}~the elements of a given set of generators), of a ``reduction'' isomorphism obtained by composing ``basic reductions'' in which occurrences of ${\cal I}$ are eliminated using components of the left and right unitors and ``parentheses are moved to one end'' using components of the associator. The construction of these reductions is performed, as in \cite{MacLane71}, using an approach that can be thought of as the application of an iterative strategy for normalizing a term. 
My thoughts were initially along these lines, and I did succeed in producing a formal proof of the coherence theorem in this way. However, proving the termination of the reduction strategy was complicated by the necessity of using of a ``rank function'' on terms, and the lemmas required for the remainder of the proof had to be proved by induction on rank, which was messy. At some point, I realized that it ought to be possible to define reductions in a structurally recursive way, which would permit the lemmas in the rest of the proof to be proved by structural induction, rather than induction on rank. It took some time to find the right definitions, but in the end this approach worked out more simply, and is what is presented here. \medskip\par\noindent {\bf Revision Notes} The original version of this document dates from May, 2017. The current version of this document incorporates revisions made in mid-2020 after the release of Isabelle2020. Aside from various minor improvements, the main change was the addition of a new theory, concerning cartesian monoidal categories, which coordinates with material on cartesian categories that was simultaneously added to \cite{Category3-AFP}. The new theory defines ``cartesian monoidal category'' as an extension of ``monoidal category'' obtained by adding additional functors, natural transformations, and coherence conditions. The main results proved are that the underlying category of a cartesian monoidal category is a cartesian category, and that every cartesian category extends to a cartesian monoidal category. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Monomorphic_Monad/document/root.tex b/thys/Monomorphic_Monad/document/root.tex --- a/thys/Monomorphic_Monad/document/root.tex +++ b/thys/Monomorphic_Monad/document/root.tex 
@@ -1,74 +1,75 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amsmath} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage{wasysym} %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Effect Polymorphism in Higher-Order Logic} \author{Andreas Lochbihler} \maketitle \begin{abstract} The notion of a \emph{monad} cannot be expressed within higher-order logic (HOL) due to type system restrictions. We show that if a monad is used with values of only one type, this notion \emph{can} be formalised in HOL. Based on this idea, we develop a library of effect specifications and implementations of monads and monad transformers. Hence, we can abstract over the concrete monad in HOL definitions and thus use the same definition for different (combinations of) effects. We illustrate the usefulness of effect polymorphism with a monadic interpreter for a simple language. \end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/MuchAdoAboutTwo/document/root.tex b/thys/MuchAdoAboutTwo/document/root.tex --- a/thys/MuchAdoAboutTwo/document/root.tex +++ b/thys/MuchAdoAboutTwo/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Much Ado about Two} \author{By Sascha B\"ohme} \maketitle \begin{abstract} This article is an Isabelle formalisation of a paper with the same. In a similar way as Knuth's 0-1-principle for sorting algorithms, that paper develops a ``0-1-2-principle'' for parallel prefix computations. \end{abstract} \tableofcontents %\parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Multi_Party_Computation/document/root.tex b/thys/Multi_Party_Computation/document/root.tex --- a/thys/Multi_Party_Computation/document/root.tex +++ b/thys/Multi_Party_Computation/document/root.tex 
@@ -1,48 +1,49 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} \usepackage{booktabs} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Multi-Party Computation} \author{David Aspinall and David Butler} \maketitle \begin{abstract} We use CryptHOL~\cite{Basin2017, Lochbihler2017AFP} to consider Multi-Party Computation (MPC) protocols. MPC was first considered in \cite{Yao_MPC} and recent advances in efficiency and an increased demand mean it is now deployed in the real world. Security is considered using the real/ideal world paradigm. We first define security in the semi-honest security setting where parties are assumed not to deviate from the protocol transcript. In this setting we prove multiple Oblivious Transfer (OT) protocols secure and then show security for the gates of the GMW protocol \cite{DBLP:conf/stoc/GoldreichMW87}. We then define malicious security, this is a stronger notion of security where parties are assumed to be fully corrupted by an adversary. In this setting we again consider OT. \end{abstract} \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Multirelations/document/root.tex b/thys/Multirelations/document/root.tex --- a/thys/Multirelations/document/root.tex +++ b/thys/Multirelations/document/root.tex 
@@ -1,83 +1,84 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Binary Multirelations} \author{Hitoshi Furusawa and Georg Struth} \maketitle \begin{abstract} Binary multirelations associate elements of a set with its subsets; hence they are binary relations of type $A\times 2^A$. Applications include alternating automata, models and logics for games, program semantics with dual demonic and angelic nondeterministic choices and concurrent dynamic logics. This proof document supports an arXiv article that formalises the basic algebra of multirelations and proposes axiom systems for them, ranging from weak bi-monoids to weak bi-quantales. \end{abstract} \tableofcontents \section{Introduction} This proof document contains the formal proofs for an article on \emph{Taming Multirelations}~\cite{FurusawaS15a}. Individual cross-references to statements in~\cite{FurusawaS15a} have been added to this document so that both can be read in parallel. The first part of this document contains algebraic axiom systems and equational proofs. Some of these proofs are presented in a human-readable style to indicate the kind of algebraic reasoning involved. The second part contains set-theoretic reasoning with concrete multirelations. Its main purpose is to justify the algebraic development and to prepare the soundness proofs of the algebraic axiomatisations with respect to the concrete multirelational model. Set-theoretic reasoning with multirelations tends to be very tedious and showing detailed proofs has not been the aim. The algebras of multirelations proposed are based on Peleg's multirelational semantics for concurrent dynamic logic~\cite{Peleg87}. 
The most basic axiom systems consider multirelations under the operations of sequential and concurrent composition with two corresponding units. These are enriched by lattice operations and various fixpoints. A main source of complexity is the set-theoretic definition of sequential composition of multirelations, which is based on higher-order logic. Its use often requires the Axiom of Choice. In addition, sequential composition is not associative. Part of this formalisation is also relevant to a previous approach to concurrent dynamic algebra by Furusawa and Struth~\cite{FurusawaS15b}. More material on variants of multirelations, game algebras and concurrent dynamic algebras will be added in the future. The authors are indebted to Alasdair Armstrong and Victor Gomes for help with some tricky Isabelle proofs. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Myhill-Nerode/document/root.tex b/thys/Myhill-Nerode/document/root.tex --- a/thys/Myhill-Nerode/document/root.tex +++ b/thys/Myhill-Nerode/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Myhill-Nerode Theorem\\ Based on Regular Expressions} \author{Chunhan Wu, Xingyuan Zhang and Christian Urban} \maketitle \begin{abstract} There are many proofs of the Myhill-Nerode theorem using automata. In this library we give a proof entirely based on regular expressions, since regularity of languages can be conveniently defined using regular expressions (it is more painful in HOL to define regularity in terms of automata). We prove the first direction of the Myhill-Nerode theorem by solving equational systems that involve regular expressions. For the second direction we give two proofs: one using tagging-functions and another using partial derivatives. We also establish various closure properties of regular languages.\footnote{Most details of the theories are described in the paper \cite{WuZhangUrban11}.} \end{abstract} \tableofcontents \bigskip % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Name_Carrying_Type_Inference/document/root.tex b/thys/Name_Carrying_Type_Inference/document/root.tex --- a/thys/Name_Carrying_Type_Inference/document/root.tex +++ b/thys/Name_Carrying_Type_Inference/document/root.tex 
@@ -1,65 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Verified Metatheory and Type Inference for a Name-Carrying Simply-Typed \(\lambda\)-Calculus} \author{Michael Rawson} \maketitle \begin{abstract} I formalise a Church-style simply-typed \(\lambda\)-calculus, extended with pairs, a unit value, and projection functions, and show some metatheory of the calculus, such as the subject reduction property. Particular attention is paid to the treatment of names in the calculus. A nominal style of binding is used, but I use a manual approach over Nominal Isabelle in order to extract an executable type inference algorithm. More information can be found in my \href{http://www.openthesis.org/documents/Verified-Metatheory-Type-Inference-Simply-603182.html}{undergraduate dissertation}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Nash_Williams/document/root.tex b/thys/Nash_Williams/document/root.tex --- a/thys/Nash_Williams/document/root.tex +++ b/thys/Nash_Williams/document/root.tex 
@@ -1,33 +1,34 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} % for guillemots % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Nash-Williams Theorem} \author{Lawrence C. Paulson} \maketitle \begin{abstract} In 1965, Nash-Williams~\cite{nash-williams-quasi} discovered a generalisation of the infinite form of Ramsey's theorem. Where the latter concerns infinite sets of $n$-element sets for some fixed~$n$, the Nash-Williams theorem concerns infinite sets of finite sets (or lists) subject to a ``no initial segment'' condition. The present formalisation follows Todor\v{c}evi{\'c} \cite{todorcevic-ramsey}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \section{Acknowledgements} The author was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council. Todor\v{c}evi{\'c} provided help with the proofs by email. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Nat-Interval-Logic/document/root.tex b/thys/Nat-Interval-Logic/document/root.tex --- a/thys/Nat-Interval-Logic/document/root.tex +++ b/thys/Nat-Interval-Logic/document/root.tex 
@@ -1,63 +1,63 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{graphicx} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{wasysym} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} %\usepackage{masmath} % this should be the last package used \usepackage{pdfsetup} \newcommand{\isasymNoMsg}{\ensuremath\varepsilon} %\newcommand{\isasymMsg}{\texttt{Msg}} %\newcommand{\isasymMsg}{\isatext{\rm\sffamily{}Msg}} \newcommand{\isasymMsg}{\textsf{Msg}} % \newcommand{\isasymB}{\textsf{B}} % \newcommand{\isasymR}{\textsf{R}} % \newcommand{\isasymS}{\textsf{S}} % \newcommand{\isasymU}{\textsf{U}} % \newcommand{\isasymW}{\textsf{W}} \newcommand{\backslashlessgreater}[1]{\ensuremath{\backslash\!\!<}#1\ensuremath{>}} \newcommand{\isasymHTMLNoMsg}{\backslashlessgreater{HTMLNoMsg}} \newcommand{\isasymHTMLMsg}{\backslashlessgreater{HTMLMsg}} \urlstyle{rm} \isabellestyle{it} \pagestyle{myheadings} \begin{document} \title{Interval Temporal Logic on Natural Numbers} \author{David Trachtenherz} \maketitle \begin{abstract} We introduce a theory of temporal logic operators using sets of natural numbers as time domain, formalized in a shallow embedding manner. The theory comprises special natural intervals (theory IL\_Interval: open and closed intervals, continuous and modulo intervals, interval traversing results), operators for shifting intervals to left/right on the number axis as well as expanding/contracting intervals by constant factors (theory IL\_IntervalOperators.thy), and ultimately definitions and results for unary and binary temporal operators on arbitrary natural sets (theory IL\_TemporalOperators). \end{abstract} \tableofcontents \begin{center} \includegraphics[scale=0.5]{session_graph} \end{center} \clearpage \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/Native_Word/document/root.tex b/thys/Native_Word/document/root.tex --- a/thys/Native_Word/document/root.tex 
+++ b/thys/Native_Word/document/root.tex 
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{booktabs} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \makeatletter \newenvironment{abstract}{% \small \begin{center}% {\bfseries \abstractname\vspace{-.5em}\vspace{\z@}}% \end{center}% \quotation}{\endquotation} \makeatother \begin{document} \title{Native Words} \author{Andreas Lochbihler} \maketitle \begin{abstract} This entry makes machine words and machine arithmetic available for code generation from Isabelle/HOL. It provides a common abstraction that hides the differences between the different target languages. The code generator maps these operations to the APIs of the target languages. Apart from that, we extend the available bit operations on types int and integer, and map them to the operations in the target languages. 
\end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Nested_Multisets_Ordinals/document/root.tex b/thys/Nested_Multisets_Ordinals/document/root.tex --- a/thys/Nested_Multisets_Ordinals/document/root.tex +++ b/thys/Nested_Multisets_Ordinals/document/root.tex 
@@ -1,77 +1,76 @@ \documentclass[10pt,a4paper]{article} -\usepackage[utf8]{inputenc} \usepackage[T1]{fontenc} \usepackage{amssymb} \usepackage[left=2.25cm,right=2.25cm,top=2.25cm,bottom=2.75cm]{geometry} \usepackage{graphicx} \usepackage{isabelle} \usepackage{isabellesym} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{pdfsetup} \urlstyle{tt} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isacharunderscore}{\_} \begin{document} \title{Formalization of Nested Multisets, Hereditary Multisets, and Syntactic Ordinals} \author{Jasmin Christian Blanchette, Mathias Fleury, and Dmitriy Traytel} \maketitle \begin{abstract} \noindent This Isabelle/HOL formalization introduces a nested multiset datatype and defines Dershowitz and Manna's nested multiset order. The order is proved well founded and linear. By removing one constructor, we transform the nested multisets into hereditary multisets. These are isomorphic to the syntactic ordinals---the ordinals can be recursively expressed in Cantor normal form. Addition, subtraction, multiplication, and linear orders are provided on this type. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt \parskip 0.5ex \section{Introduction} This Isabelle/HOL formalization introduces a nested multiset datatype and defines Dershowitz and Manna's nested multiset order. The order is proved well founded and linear. By removing one constructor, we transform the nested multisets into hereditary multisets. These are isomorphic to the syntactic ordinals---the ordinals can be recursively expressed in Cantor normal form. Addition, subtraction, multiplication, and linear orders are provided on this type. In addition, signed (or hybrid) multisets are provided (i.e., multisets with possibly negative multiplicities), as well as signed hereditary multisets and signed ordinals (e.g., $\omega^2 - 2\omega + 1$). 
We refer to the following conference paper for details: \begin{quote} Jasmin Christian Blanchette, Mathias Fleury, Dmitriy Traytel: \\ Nested Multisets, Hereditary Multisets, and Syntactic Ordinals in Isabelle/HOL. \\ FSCD 2017: 11:1-11:18 \\ \url{https://hal.inria.fr/hal-01599176/document} \end{quote} % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} %\bibliographystyle{abbrv} %\bibliography{bib} \end{document} diff --git a/thys/Network_Security_Policy_Verification/document/root.tex b/thys/Network_Security_Policy_Verification/document/root.tex --- a/thys/Network_Security_Policy_Verification/document/root.tex +++ b/thys/Network_Security_Policy_Verification/document/root.tex 
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} %make a bit more space \addtolength{\hoffset}{-1,5cm} \addtolength{\textwidth}{3cm} \addtolength{\voffset}{-1cm} \addtolength{\textheight}{2cm} % needed for complete lattice \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Network Security Policy Verification} \author{Cornelius Diekmann} \maketitle \begin{trivlist} \item \textbf{Abstract.} We present a unified theory for verifying network security policies. A security policy is represented as directed graph. To check high-level security goals, security invariants over the policy are expressed. We cover monotonic security invariants, i.e.\ prohibiting more does not harm security. We provide the following contributions for the security invariant theory. (\emph{i}) Secure auto-completion of scenario-specific knowledge, which eases usability. (\emph{ii}) Security violations can be repaired by tightening the policy iff the security invariants hold for the deny-all policy. (\emph{iii}) An algorithm to compute a security policy. (\emph{iv}) A formalization of stateful connection semantics in network security mechanisms. (\emph{v}) An algorithm to compute a secure stateful implementation of a policy. (\emph{vi}) An executable implementation of all the theory. (\emph{vii}) Examples, ranging from an aircraft cabin data network to the analysis of a large real-world firewall. For a detailed description, see \cite{diekmann2015mansdnnfv,diekmann2014forte,diekmann2014esss}. \end{trivlist} \medskip \begin{trivlist} \item \textbf{Acknowledgements.} This entry contains contributions by Lars Hupel and would not have made it into the AFP without him. I want to thank the Isabelle group Munich for always providing valuable help. 
I would like to express my deep gratitude to my supervisor, Georg Carle, for supporting this topic and facilitating further research possibilities in this field. \end{trivlist} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \newpage % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Neumann_Morgenstern_Utility/document/root.tex b/thys/Neumann_Morgenstern_Utility/document/root.tex --- a/thys/Neumann_Morgenstern_Utility/document/root.tex +++ b/thys/Neumann_Morgenstern_Utility/document/root.tex 
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Von Neumann Morgenstern Utility Theorem \thanks{% This work is supported by the Austrian Science Fund (FWF) project P26201 and the European Research Council (ERC) grant no 714034 \emph{SMART}.}} \author{Julian Parsert \and Cezary Kaliszyk} \maketitle \begin{abstract} Utility functions form an essential part of game theory and economics. In order to guarantee the existence of utility functions most of the time sufficient properties are assumed in an axiomatic manner. One famous and very common set of such assumptions is that of expected utility theory. Here, the rationality, continuity, and independence of preferences is assumed. The von-Neumann-Morgenstern Utility theorem shows that these assumptions are necessary and sufficient for an expected utility function to exists. This theorem was proven by Neumann and Morgenstern in ``Theory of Games and Economic Behavior'' which is regarded as one of the most influential works in game theory. We formalize these results in Isabelle/HOL. The formalization includes formal definitions of the underlying concepts including continuity and independence of preferences. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \section{Related work} Formalizations in Social choice theory has been formalized by Wiedijk~\cite{Wiedijk2009}, Nipkow~\cite{DBLP:journals/afp/Nipkow08b}, and Gammie~\cite{SenSocialChoice:AFP,StableMatching:AFP}. Vestergaard~\cite{DBLP:journals/ipl/Vestergaard06}, Le Roux, Martin-Dorel, and Soloviev~\cite{DBLP:conf/tphol/Roux09,DBLP:journals/corr/abs-1709-02096} provide formalizations of results in game theory. A library for algorithmic game theory in Coq is described in\cite{JFR7235}. 
Related work in economics includes the verification of financial systems~\cite{passmoreInf}, binomial pricing models~\cite{DBLP:conf/cade/EchenimP17}, and VCG-Auctions~\cite{kerber2013developing}. In microeconomics we discussed a formalization of two economic models and the First Welfare Theorem~\cite{Parsert:2018:FMF:3176245.3167100}. To our knowledge the only work that uses expected utility theory is that of Eberl~\cite{Randomised:Social:ChoiceAFP}. Since we focus on the underlying theory of expected utility, we found that there is only little overlap. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/No_FTL_observers/document/root.tex b/thys/No_FTL_observers/document/root.tex --- a/thys/No_FTL_observers/document/root.tex +++ b/thys/No_FTL_observers/document/root.tex 
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{No Faster-Than-Light Observers} \author{Mike Stannett} \maketitle \begin{abstract} We provide a formal proof within First Order Relativity Theory that no observer can travel faster than the speed of light. Originally reported by Stannett and N\'emeti \cite{SN}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Nominal2/document/root.tex b/thys/Nominal2/document/root.tex --- a/thys/Nominal2/document/root.tex +++ b/thys/Nominal2/document/root.tex 
@@ -1,41 +1,42 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Nominal 2} \author{Christian Urban, Stefan Berghofer, and Cezary Kaliszyk} \maketitle \begin{abstract} Dealing with binders, renaming of bound variables, capture-avoiding substitution, etc., is very often a major problem in formal proofs, especially in proofs by structural and rule induction. Nominal Isabelle is designed to make such proofs easy to formalise: it provides an infrastructure for declaring nominal datatypes (that is alpha-equivalence classes) and for defining functions over them by structural recursion. It also provides induction principles that have Barendregt’s variable convention already built in. This entry can be used as a more advanced replacement for HOL/Nominal in the Isabelle distribution. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Noninterference_CSP/document/root.tex b/thys/Noninterference_CSP/document/root.tex --- a/thys/Noninterference_CSP/document/root.tex +++ b/thys/Noninterference_CSP/document/root.tex 
@@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Noninterference Security in\\Communicating Sequential Processes} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems - Gep S.p.A.\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjowiggins-it dot com} \maketitle \begin{abstract} An extension of classical noninterference security for deterministic state machines, as introduced by Goguen and Meseguer and elegantly formalized by Rushby, to nondeterministic systems should satisfy two fundamental requirements: it should be based on a mathematically precise theory of nondeterminism, and should be equivalent to (or at least not weaker than) the classical notion in the degenerate deterministic case. This paper proposes a definition of noninterference security applying to Hoare's Communicating Sequential Processes (CSP) in the general case of a possibly intransitive noninterference policy, and proves the equivalence of this security property to classical noninterference security for processes representing deterministic state machines. Furthermore, McCullough's generalized noninterference security is shown to be weaker than both the proposed notion of CSP noninterference security for a generic process, and classical noninterference security for processes representing deterministic state machines. This renders CSP noninterference security preferable as an extension of classical noninterference security to nondeterministic systems. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
diff --git a/thys/Noninterference_Concurrent_Composition/document/root.tex b/thys/Noninterference_Concurrent_Composition/document/root.tex --- a/thys/Noninterference_Concurrent_Composition/document/root.tex +++ b/thys/Noninterference_Concurrent_Composition/document/root.tex 
@@ -1,73 +1,74 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Conservation of CSP Noninterference Security\\under Concurrent Composition} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems, Italy\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjosystems dot com} \maketitle \begin{abstract} In his outstanding work on Communicating Sequential Processes, Hoare has defined two fundamental binary operations allowing to compose the input processes into another, typically more complex, process: sequential composition and concurrent composition. Particularly, the output of the latter operation is a process in which any event not shared by both operands can occur whenever the operand that admits the event can engage in it, whereas any event shared by both operands can occur just in case both can engage in it. This paper formalizes Hoare's definition of concurrent composition and proves, in the general case of a possibly intransitive policy, that CSP noninterference security is conserved under this operation. 
This result, along with the previous analogous one concerning sequential composition, enables the construction of more and more complex processes enforcing noninterference security by composing, sequentially or concurrently, simpler secure processes, whose security can in turn be proven using either the definition of security, or unwinding theorems. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Noninterference_Generic_Unwinding/document/root.tex b/thys/Noninterference_Generic_Unwinding/document/root.tex --- a/thys/Noninterference_Generic_Unwinding/document/root.tex +++ b/thys/Noninterference_Generic_Unwinding/document/root.tex 
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Generic Unwinding Theorem\\for CSP Noninterference Security} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems - Gep S.p.A.\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjowiggins-it dot com} \maketitle \begin{abstract} The classical definition of noninterference security for a deterministic state machine with outputs requires to consider the outputs produced by machine actions after any trace, i.e. any indefinitely long sequence of actions, of the machine. In order to render the verification of the security of such a machine more straightforward, there is a need of some sufficient condition for security such that just individual actions, rather than unbounded sequences of actions, have to be considered. By extending previous results applying to transitive noninterference policies, Rushby has proven an unwinding theorem that provides a sufficient condition of this kind in the general case of a possibly intransitive policy. This condition has to be satisfied by a generic function mapping security domains into equivalence relations over machine states. An analogous problem arises for CSP noninterference security, whose definition requires to consider any possible future, i.e. any indefinitely long sequence of subsequent events and any indefinitely large set of refused events associated to that sequence, for each process trace. This paper provides a sufficient condition for CSP noninterference security, which indeed requires to just consider individual accepted and refused events and applies to the general case of a possibly intransitive policy. 
This condition follows Rushby's one for classical noninterference security, and has to be satisfied by a generic function mapping security domains into equivalence relations over process traces; hence its name, Generic Unwinding Theorem. Variants of this theorem applying to deterministic processes and trace set processes are also proven. Finally, the sufficient condition for security expressed by the theorem is shown not to be a necessary condition as well, viz. there exists a secure process such that no domain-relation map satisfying the condition exists. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Noninterference_Inductive_Unwinding/document/root.tex b/thys/Noninterference_Inductive_Unwinding/document/root.tex --- a/thys/Noninterference_Inductive_Unwinding/document/root.tex +++ b/thys/Noninterference_Inductive_Unwinding/document/root.tex 
@@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Inductive Unwinding Theorem\\for CSP Noninterference Security} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems - Gep S.p.A.\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjowiggins-it dot com} \maketitle \begin{abstract} The necessary and sufficient condition for CSP noninterference security stated by the Ipurge Unwinding Theorem is expressed in terms of a pair of event lists varying over the set of process traces. This does not render it suitable for the subsequent application of rule induction in the case of a process defined inductively, since rule induction may rather be applied to a single variable ranging over an inductively defined set. Starting from the Ipurge Unwinding Theorem, this paper derives a necessary and sufficient condition for CSP noninterference security that involves a single event list varying over the set of process traces, and is thus suitable for rule induction; hence its name, Inductive Unwinding Theorem. Similarly to the Ipurge Unwinding Theorem, the new theorem only requires to consider individual accepted and refused events for each process trace, and applies to the general case of a possibly intransitive noninterference policy. Specific variants of this theorem are additionally proven for deterministic processes and trace set processes. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} 
diff --git a/thys/Noninterference_Ipurge_Unwinding/document/root.tex b/thys/Noninterference_Ipurge_Unwinding/document/root.tex --- a/thys/Noninterference_Ipurge_Unwinding/document/root.tex +++ b/thys/Noninterference_Ipurge_Unwinding/document/root.tex 
@@ -1,63 +1,64 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Ipurge Unwinding Theorem\\for CSP Noninterference Security} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems - Gep S.p.A.\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjowiggins-it dot com} \maketitle \begin{abstract} The definition of noninterference security for Communicating Sequential Processes requires to consider any possible future, i.e. any indefinitely long sequence of subsequent events and any indefinitely large set of refused events associated to that sequence, for each process trace. In order to render the verification of the security of a process more straightforward, there is a need of some sufficient condition for security such that just individual accepted and refused events, rather than unbounded sequences and sets of events, have to be considered. Of course, if such a sufficient condition were necessary as well, it would be even more valuable, since it would permit to prove not only that a process is secure by verifying that the condition holds, but also that a process is not secure by verifying that the condition fails to hold. This paper provides a necessary and sufficient condition for CSP noninterference security, which indeed requires to just consider individual accepted and refused events and applies to the general case of a possibly intransitive policy. This condition follows Rushby's output consistency for deterministic state machines with outputs, and has to be satisfied by a specific function mapping security domains into equivalence relations over process traces. 
The definition of this function makes use of an intransitive purge function following Rushby's one; hence the name given to the condition, Ipurge Unwinding Theorem. Furthermore, in accordance with Hoare's formal definition of deterministic processes, it is shown that a process is deterministic just in case it is a trace set process, i.e. it may be identified by means of a trace set alone, matching the set of its traces, in place of a failures-divergences pair. Then, variants of the Ipurge Unwinding Theorem are proven for deterministic processes and trace set processes. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Noninterference_Sequential_Composition/document/root.tex b/thys/Noninterference_Sequential_Composition/document/root.tex --- a/thys/Noninterference_Sequential_Composition/document/root.tex +++ b/thys/Noninterference_Sequential_Composition/document/root.tex 
@@ -1,71 +1,72 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Conservation of CSP Noninterference Security\\under Sequential Composition} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems, Italy\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjosystems dot com} \maketitle \begin{abstract} In his outstanding work on Communicating Sequential Processes, Hoare has defined two fundamental binary operations allowing to compose the input processes into another, typically more complex, process: sequential composition and concurrent composition. Particularly, the output of the former operation is a process that initially behaves like the first operand, and then like the second operand once the execution of the first one has terminated successfully, as long as it does. This paper formalizes Hoare's definition of sequential composition and proves, in the general case of a possibly intransitive policy, that CSP noninterference security is conserved under this operation, provided that successful termination cannot be affected by confidential events and cannot occur as an alternative to other events in the traces of the first operand. Both of these assumptions are shown, by means of counterexamples, to be necessary for the theorem to hold. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/NormByEval/document/root.tex b/thys/NormByEval/document/root.tex --- a/thys/NormByEval/document/root.tex +++ b/thys/NormByEval/document/root.tex @@ -1,34 +1,35 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Normalization by Evaluation} \author{Klaus Aehlig and Tobias Nipkow} \maketitle \begin{abstract} This article formalizes normalization by evaluation as implemented in Isabelle. Lambda calculus plus term rewriting is compiled into a functional program with pattern matching. It is proved that the result of a successful evaluation is a) correct, i.e.\ equivalent to the input, and b) in normal form. \end{abstract} An earlier version of this theory is described in a paper by Aehlig \emph{et al.}~\cite{AehligHN-TPHOLs08}. The normal form proof is not in that paper. \input{session} \bibliographystyle{plain} \bibliography{root} \end{document} diff --git a/thys/Nullstellensatz/document/root.tex b/thys/Nullstellensatz/document/root.tex --- a/thys/Nullstellensatz/document/root.tex +++ b/thys/Nullstellensatz/document/root.tex 
@@ -1,68 +1,69 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,latexsym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Hilbert's Nullstellensatz} \author{Alexander Maletzky\thanks{Funded by the Austrian Science Fund (FWF): grant no. P 29498-N31}} \maketitle \begin{abstract} This entry formalizes Hilbert's Nullstellensatz, an important theorem in algebraic geometry that can be viewed as the generalization of the Fundamental Theorem of Algebra to multivariate polynomials: If a set of (multivariate) polynomials over an algebraically closed field has no common zero, then the ideal it generates is the entire polynomial ring. The formalization proves several equivalent versions of this celebrated theorem: the weak Nullstellensatz, the strong Nullstellensatz (connecting algebraic varieties and radical ideals), and the field-theoretic Nullstellensatz. The formalization follows Chapter~4.1. of \emph{Ideals, Varieties, and Algorithms} by Cox, Little and O'Shea. % https://link.springer.com/book/10.1007/978-0-387-35651-8 \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \newpage % generated text of all theories \input{session} % optional bibliography \nocite{CLO} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Octonions/document/root.tex b/thys/Octonions/document/root.tex --- a/thys/Octonions/document/root.tex +++ b/thys/Octonions/document/root.tex @@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Octonions} \author{Angeliki Koutsoukou-Argyraki} \maketitle \begin{abstract} We develop the basic theory of Octonions, including various identities and properties of the octonions and of the octonionic product, a description of 7D isometries and representations of orthogonal transformations. To this end we first develop the theory of the vector cross product in 7 dimensions. The development of the theory of Octonions is inspired by that of the theory of Quaternions by Lawrence Paulson. However, we do not work within the type class \textit{real\_algebra\_1} because the octonionic product is not associative. \end{abstract} \newpage \tableofcontents \newpage \noindent\textbf{Acknowledgements.}\ A.K.-A. was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council and led by Professor Lawrence Paulson at the University of Cambridge, UK. Many thanks to Manuel Eberl, Wenda Li and Lawrence Paulson for their suggestions and improvements. % include generated text of all theories \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/OpSets/document/root.tex b/thys/OpSets/document/root.tex --- a/thys/OpSets/document/root.tex +++ b/thys/OpSets/document/root.tex 
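Review bot: the `-\usepackage{amsfonts, amsmath, amssymb}` / `+\usepackage{amsfonts,amsmath,amssymb}` pair in the Octonions hunk is a whitespace-only edit that has nothing to do with the font-encoding change the rest of the patch makes; either drop it from this patch or say in the commit message that package lists were also normalised, so that a reader diffing the series does not look for a semantic difference. The `+\usepackage[T1]{fontenc}` line itself is placed before `isabelle,isabellesym` exactly as in the sibling files, which is the consistent spot.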
@@ -1,86 +1,85 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[a4paper]{geometry} - -\usepackage[utf8]{inputenc} \usepackage[english]{babel} \usepackage{csquotes} \usepackage{authblk} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{OpSets: Sequential Specifications for Replicated Datatypes\\Proof Document} \author[1]{Martin Kleppmann} \author[1]{Victor B.\ F.\ Gomes} \author[2]{Dominic P.\ Mulligan} \author[1]{Alastair R.\ Beresford} \date{} \affil[1]{Department of Computer Science and Technology, University of Cambridge, UK} \affil[2]{Security Research Group, Arm Research, Cambridge, UK} \maketitle \abstract{We introduce OpSets, an executable framework for specifying and reasoning about the semantics of replicated datatypes that provide eventual consistency in a distributed system, and for mechanically verifying algorithms that implement these datatypes. Our approach is simple but expressive, allowing us to succinctly specify a variety of abstract datatypes, including maps, sets, lists, text, graphs, trees, and registers. Our datatypes are also composable, enabling the construction of complex data structures. 
To demonstrate the utility of OpSets for analysing replication algorithms, we highlight an important correctness property for collaborative text editing that has traditionally been overlooked; algorithms that do not satisfy this property can exhibit awkward interleaving of text. We use OpSets to specify this correctness property and prove that although one existing replication algorithm satisfies this property, several other published algorithms do not.} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Open_Induction/document/root.tex b/thys/Open_Induction/document/root.tex --- a/thys/Open_Induction/document/root.tex +++ b/thys/Open_Induction/document/root.tex @@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Open Induction} \author{Mizuhito Ogawa \and Christian Sternagel\thanks{% The research was partly funded by the Austrian Science Fund (FWF): J3202.}} \maketitle \begin{abstract} A proof of the open induction schema based on \cite{Raoult1988}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Optics/document/root.tex b/thys/Optics/document/root.tex --- a/thys/Optics/document/root.tex +++ b/thys/Optics/document/root.tex 
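Review bot: in the OpSets hunk the removal of `\usepackage[utf8]{inputenc}` (together with the preceding blank line, which is why the header goes from 86 to 85 lines) silently relies on LaTeX treating the input as UTF-8 by default, which it only does from the April 2018 LaTeX release onwards; none of the visible context contains non-ASCII text, so the risk here is low, but the build environment's TeX Live version should be confirmed once for the whole series rather than per file. The new `\usepackage[T1]{fontenc}` line comes before `babel` and `csquotes`, which is the correct order for those packages.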
@@ -1,107 +1,108 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{fullpage} \usepackage[usenames,dvipsnames]{color} \usepackage{graphicx} \usepackage{document} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage[greek,english]{babel} %option greek for \ %option english (default language) for \, \ \usepackage[only,bigsqcap]{stmaryrd} %for \ \usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} % Lens operations \newcommand{\view}{\mathit{V}} \newcommand{\src}{\mathit{S}} \newcommand{\lsbs}{{L}} \newcommand{\lput}{\textit{\textsf{put}}} \newcommand{\lget}{\textit{\textsf{get}}} \newcommand{\lcreate}{\mathit{create}} \newcommand{\lto}{\Longrightarrow} \newcommand{\lsubseteq}{\preceq} \newcommand{\lsupseteq}{\mathop{\supseteq_\lsbs}} \newcommand{\lequiv}{\approx} \newcommand{\lcomp}{;_\lsbs} \newcommand{\lplus}{+_\lsbs} \newcommand{\lquot}{\mathop{/\!_\lsbs}} \newcommand{\lindep}{\mathop{\,\bowtie\,}} \newcommand{\lone}{\mathbf{1}} \newcommand{\lzero}{\mathbf{0}} \newcommand{\lfst}{\textit{\textsf{\textbf{fst}}}} \newcommand{\lsnd}{\textit{\textsf{\textbf{snd}}}} \setcounter{topnumber}{1} \setcounter{bottomnumber}{1} \setcounter{totalnumber}{1} \begin{document} \title{Optics in Isabelle/HOL} \author{Simon Foster and Frank Zeyda \\[.5ex] University of York, UK \\[2ex] \texttt{\small $\{$simon.foster,frank.zeyda$\}$@york.ac.uk}} \maketitle \begin{abstract} Lenses provide an abstract interface for manipulating data types through spatially-separated views. 
They are defined abstractly in terms of two functions, $\lget$, the return a value from the source type, and $\lput$ that updates the value. We mechanise the underlying theory of lenses, in terms of an algebraic hierarchy of lenses, including well-behaved and very well-behaved lenses, each lens class being characterised by a set of lens laws. We also mechanise a lens algebra in Isabelle that enables their composition and comparison, so as to allow construction of complex lenses. This is accompanied by a large library of algebraic laws. Moreover we also show how the lens classes can be applied by instantiating them with a number of Isabelle data types. This theory development is based on our recent papers~\cite{Foster16a,Foster2020-IsabelleUTP}, which show how lenses can be used to unify heterogeneous representations of state-spaces in formalised programs. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \vspace{4ex} % Acknowledgments \noindent\textbf{Acknowledgements}. This work is partly supported by EU H2020 project \emph{INTO-CPS}, grant agreement 644047. \url{http://into-cps.au.dk/}. We would also like to thank Prof. Burkhart Wolff and Dr. Achim Brucker for their generous and helpful comments on our work, and particurlarly their invaluable advice on Isabelle mechanisation and ML coding. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Optimal_BST/document/root.tex b/thys/Optimal_BST/document/root.tex --- a/thys/Optimal_BST/document/root.tex +++ b/thys/Optimal_BST/document/root.tex 
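Review bot: since the Optics file is being touched anyway, two pre-existing typos in the surrounding context are worth fixing in the same patch: in the abstract, "$\lget$, the return a value from the source type" should read "$\lget$, which returns a value from the source type", and in the acknowledgements "particurlarly" should be "particularly". Separately, this preamble loads `\usepackage[greek,english]{babel}` after the new `\usepackage[T1]{fontenc}`; a quick look at the babel warnings in the build log after this change would confirm that the Greek option is still happy with T1 as the only declared encoding.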
@@ -1,68 +1,69 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\isacharunderscore}{\_} \renewcommand{\isacharunderscorekeyword}{\_} \renewcommand{\isadigit}[1]{{\rm #1}} \begin{document} \title{Optimal Binary Search Trees} \author{Tobias Nipkow and D\'aniel Somogyi\\ Technical University Munich} \maketitle \begin{abstract} This article formalizes recursive algorithms for the construction of optimal binary search trees given fixed access frequencies. We follow Knuth~\cite{Knuth71}, Yao~\cite{Yao80} and Mehlhorn~\cite{Mehlhorn84}. The algorithms are memoized with the help of an AFP entry for memoization~\cite{Monad_Memo_DP-AFP}, thus yielding dynamic programming algorithms. \end{abstract} \tableofcontents \section{Introduction} These theories formalize algorithms for the construction of optimal binary search trees from fixed access frequencies for a fixed list of items. The work is based on the original article by Knuth~\cite{Knuth71} and the textbook by Mehlhorn \cite[Part III, Chapter 4]{Mehlhorn84}. Initially the algorithms are expressed as naive recursive functions and have exponential complexity. Nevertheless we already refer to them as the cubic (Section~\ref{sec:cubic}) and the quadratic algorithm (Section~\ref{sec:quadratic}), their running times of their fully memoized dynamic programming versions. In Section~\ref{sec:memo} the algorithms are memoized with the help of an existing framework \cite{Monad_Memo_DP-AFP}. \subsection{Data Representation} Instead of labeling our BSTs with (ascending) keys $x_i < \dots < x_j$ we label them with the indices of the actual keys, some interval of integers. Functions taking two integer arguments $i$ and $j$ construct or analyze trees such that $\textit{inorder}\ t = [i..j]$. 
The access frequencies are given by two tables (functions) $a$ and $b$: \begin{description} \item[$a\, k$] ($i \le k \le j+1$) is the frequency of (failing) searches with a key in the interval $(x_{k-1},x_k)$. \item[$b\, k$] ($i \le k \le j$) is the frequency of (successful) searches with key $x_k$. \end{description} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Orbit_Stabiliser/document/root.tex b/thys/Orbit_Stabiliser/document/root.tex --- a/thys/Orbit_Stabiliser/document/root.tex +++ b/thys/Orbit_Stabiliser/document/root.tex 
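Review bot: the Optimal_BST hunk is fine as a font-encoding change, but the introduction in its context has a grammatical slip that could be corrected in the same pass: "Nevertheless we already refer to them as the cubic ... and the quadratic algorithm ..., their running times of their fully memoized dynamic programming versions" should read "..., after the running times of their fully memoized dynamic programming versions". The `\renewcommand{\isacharunderscore}{\_}` lines above it are unaffected by T1 and need no change.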
@@ -1,66 +1,66 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{xspace} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{url} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isamarkupchapter}[1]{\section{#1}} \renewcommand{\isamarkupsection}[1]{\subsection{#1}} \renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\paragraph{#1}} \begin{document} \title{Orbit-Stabiliser Theorem with Application to Rotational Symmetries} \author{Jonas Rädle} \maketitle \begin{abstract} The Orbit-Stabiliser theorem is a simple result in the algebra of groups that factors the order of a group into the sizes of its orbits and stabilisers. We formalize the notion of a group action and the related concepts of orbits and stabilisers. This allows us to prove the orbit-stabiliser theorem. In the second part of this work, we formalize the tetrahedral group and use the orbit-stabiliser theorem to prove that there are twelve (orientation-preserving) rotations of the tetrahedron. \end{abstract} \setcounter{tocdepth}{2} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Order_Lattice_Props/document/root.tex b/thys/Order_Lattice_Props/document/root.tex --- a/thys/Order_Lattice_Props/document/root.tex +++ b/thys/Order_Lattice_Props/document/root.tex 
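Review bot: in the Orbit_Stabiliser hunk `\usepackage[utf8]{inputenc}` is replaced by `\usepackage[T1]{fontenc}`, but the author line `\author{Jonas Rädle}` in the same file contains a non-ASCII character, so this file is one where the removal is not a no-op: it works only because current LaTeX (April 2018 and later) assumes UTF-8 input by default, and on an older TeX Live the "ä" would come out as mojibake in the title block. Please confirm the AFP build's TeX Live version in the commit message, or keep the `inputenc` line in this file if older toolchains must remain supported.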
@@ -1,174 +1,175 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Properties of Orderings and Lattices} \author{Georg Struth} \maketitle \begin{abstract} These components add further fundamental order and lattice-theoretic concepts and properties to Isabelle's libraries. They follow by and large the introductory sections of the \emph{Compendium of Continuous Lattices}, covering directed and filtered sets, down-closed and up-closed sets, ideals and filters, Galois connections, closure and co-closure operators. Some emphasis is on duality and morphisms between structures---as in the Compendium. To this end, three ad-hoc approaches to duality are compared. \end{abstract} \tableofcontents \section{Introductory Remarks} Basic order- and lattice-theoretic concepts are well covered in Isabelle's libraries, and widely used. More advanced components are spread out over various sites (e.g.~\cite{Wenzel,Preoteasa11a,Preoteasa11b,ArmstrongS12,GomesS15,Ballarin}). This formalisation takes the initial steps towards a modern structural approach to orderings and lattices, as for instance in denotational semantics of programs, algebraic logic or pointfree topology. 
Building on the components for orderings and lattices in Isabelle's main libraries, it follows the classical textbook \emph{A Compendium of Continuous Lattices}~\cite{GierzHKLMS80} and, to a lesser extent, Johnstone's monograph on \emph{Stone Spaces}~\cite{Johnstone82}. By integrating material from other sources and extending it, a formalisation of undergraduate-level textbook material on orderings and lattices might eventually emerge. In the textbooks mentioned, concepts such as dualities, isomorphisms between structures and relationships between categories are emphasised. These are essential to modern mathematics beyond orderings and lattices; their formalisation with interactive theorem provers is therefore of wider interest. Nevertheless such notions seem rather underexplored with Isabelle, and I am not aware of a standard way of modelling and using them. The present setting is perhaps the simplest one in which their formalisation can be studied. These components use Isabelle's axiomatic approach without carrier sets. This is certainly a limitation, but it can be taken quite far. Yet well known facts such as Tarski's theorem---the set of fixpoints of an isotone endofunction on a complete lattice forms a complete lattice---seem hard to formalise with it (at least without using recent experimental extensions~\cite{Kuncar016}). Firstly, leaner versions of complete lattices are introduced: Sup-lattices (and their dual Inf-lattices), in which only Sups (or Infs) are axiomatised, whereas the remaining operators, which are axiomatised in the standard Isabelle class for complete lattices, are defined explicitly. This not only reduces of proof obligations in instantiation or interpretation proofs, it also helps in constructions where only suprema are represented faithfully (e.g. using morphisms that preserve sups, but not infs, or vice versa). 
At the moment, Sup-lattices remain rather loosely integrated into Isabelle's lattice hierarchy; a tighter one seems rather delicate. Order and lattice duality is modelled, rather ad hoc, within a type class that can be added to those for orderings and lattices. Duality thus becomes a functor that reverses the order and maps Sups to Infs and vice versa, as expected. It also maps order-preserving functions to order-preserving functions, Sup-preserving to Inf-preserving ones and vice versa. This simple approach has not yet been optimised for automatic generation of dual statements (which seems hard to achieve anyway). It works quite well on simple examples. The class-based approach to duality is contrasted by an implicit, locale-based one (which is quite standard in Isabelle), and Wenzel's data-type-based one~\cite{Wenzel}. Wenzel's approach generates many properties of the duality functor automatically from Isabelle's data type package. However, duality is not involutive, and this limits the dualisation of theorems quite severely. The local-based approach dualises theorems within the context of a type class or locale highly automatically. But, unlike the present approach, it is limited to such contexts. Yet another approach to duality has been taken in HOL-Algebra~\cite{Ballarin}, but it is essentially based on set theory and therefore beyond the reach of simple axiomatic type classes. The components presented also cover fundamental concepts such as directed and filtered sets, down-closed and up-closed sets, ideals and filters, notions of sup-closure and inf-closure, sup-preservation and inf-preservation, properties of adjunctions (or Galois connections) between orderings and (complete) lattices, fusion theorems for least and greatest fixpoints, and basic properties of closure and co-closure (kernel) operations, following the Compendium (most of these concepts come as dual pairs!). 
As in this monograph, emphasis lies on categorical aspects, but no formal category theory is used. In addition, some simple representation theorems have been formalised, including Stone's theorem for atomic boolean algebras (objects only). The non-atomic case seems possible, but is left for future work. Dealing with opposite maps properly, which is essential for dualities, remains an issue. Finally, in Isabelle's main libraries, complete distributive lattices and complete boolean algebras are currently based on a very strong distributivity law, which makes these structures \emph{completely distributive} and is basically an Axiom of Choice. While powerset algebras satisfy this law, other applications, for instance in topology require different axiomatisations. Complete boolean algebras, in particular, are usually defined as complete lattices which are also boolean algebras. Hence only a finite distributivity law holds. Weaker distributivity laws are also essential for axiomatising complete Heyting algebras (aka frames or locales), which are relevant for point-free topology~\cite{Johnstone82}. Many questions remain, in particular on tighter integrations of duality and reasoning up to isomorphism with Isabelle and beyond. In its present form, duality is often not picked up in the proofs of more complex statements. Some statements from the Compendium and Johnstone's book had to be ignored due to the absence of carrier sets in Isabelle's standard components for orderings and lattices. Whether Kuncar and Popescu's new types-to-sets translation~\cite{Kuncar016} provides a satisfactory solution remains to be seen. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
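Review bot: the Order_Lattice_Props hunk only adds the `fontenc` line and loads `stmaryrd` with the `bigsqcap` option as before, which is fine; two pre-existing typos in the introductory remarks in its context could be fixed while the file is open: "This not only reduces of proof obligations in instantiation or interpretation proofs" should read "This not only reduces the number of proof obligations ...", and "The local-based approach dualises theorems" should read "The locale-based approach ...", matching the "locale-based" wording used two sentences earlier.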
diff --git a/thys/Ordered_Resolution_Prover/document/root.tex b/thys/Ordered_Resolution_Prover/document/root.tex --- a/thys/Ordered_Resolution_Prover/document/root.tex +++ b/thys/Ordered_Resolution_Prover/document/root.tex 
@@ -1,98 +1,99 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{amssymb} \usepackage[left=2.25cm,right=2.25cm,top=2.25cm,bottom=2.75cm]{geometry} \usepackage{graphicx} \usepackage{isabelle} \usepackage{isabellesym} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{pdfsetup} \urlstyle{tt} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isacharunderscore}{\_} \begin{document} \title{Formalization of Bachmair and Ganzinger's \\ Ordered Resolution Prover} \author{Anders Schlichtkrull, Jasmin Christian Blanchette, Dmitriy Traytel, and Uwe Waldmann} \maketitle \begin{abstract} \noindent This Isabelle/HOL formalization covers Sections 2 to 4 of Bachmair and Ganzinger's ``Resolution Theorem Proving'' chapter in the \emph{Handbook of Automated Reasoning}. This includes soundness and completeness of unordered and ordered variants of ground resolution with and without literal selection, the standard redundancy criterion, a general framework for refutational theorem proving, and soundness and completeness of an abstract first-order prover. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt \parskip 0.5ex \section{Introduction} Bachmair and Ganzinger's ``Resolution Theorem Proving'' chapter %\cite{bachmair-ganzinger-2001} in the \emph{Handbook of Automated Reasoning} is the standard reference on the topic. It defines a general framework for propositional and first-order resolution-based theorem proving. Resolution forms the basis for superposition, the calculus implemented in many popular automatic theorem provers. \medskip This Isabelle/HOL formalization covers Sections 2.1, 2.2, 2.4, 2.5, 3, 4.1, 4.2, and 4.3 of Bachmair and Ganzinger's chapter. Section 2 focuses on preliminaries. Section 3 introduces unordered and ordered variants of ground resolution with and without literal selection and proves them refutationally complete. 
Section 4.1 presents a framework for theorem provers based on refutation and saturation. Section 4.2 generalizes the refutational completeness argument and introduces the standard redundancy criterion, which can be used in conjunction with ordered resolution. Finally, Section 4.3 lifts the result to a first-order prover, specified as a calculus. Figure~\ref{fig:thys} shows the corresponding Isabelle theory structure. \medskip We refer to the following publications for details: \begin{quote} Anders Schlichtkrull, Jasmin Christian Blanchette, Dmitriy Traytel, Uwe Waldmann: \\ Formalizing Bachmair and Ganzinger's Ordered Resolution Prover. \\ IJCAR 2018: 89-107 \\ \url{http://matryoshka.gforge.inria.fr/pubs/rp_paper.pdf} \medskip Anders Schlichtkrull, Jasmin Blanchette, Dmitriy Traytel, Uwe Waldmann: \\ Formalizing Bachmair and Ganzinger's Ordered Resolution Prover. \\ Journal of Automated Reasoning \\ \url{http://matryoshka.gforge.inria.fr/pubs/rp_article.pdf} \end{quote} \begin{figure} \begin{center} \includegraphics[width=0.75\textwidth,keepaspectratio]{session_graph} \end{center} \caption{Theory dependency graph} \label{fig:thys} \end{figure} % generated text of all theories \input{session} % optional bibliography % \bibliographystyle{abbrv} % \bibliography{bib} \end{document} diff --git a/thys/Ordinal/document/root.tex b/thys/Ordinal/document/root.tex --- a/thys/Ordinal/document/root.tex +++ b/thys/Ordinal/document/root.tex 
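Review bot: in the Ordered_Resolution_Prover hunk the new `\usepackage[T1]{fontenc}` is inserted before `amssymb` and `geometry` rather than directly before `\usepackage{isabelle}` as in every other file in this series; it is harmless either way, but placing it next to the `isabelle` packages would keep the files uniform and make future mechanical edits easier. The publication list inside the `quote` environment and the commented-out `\bibliographystyle` / `\bibliography` lines are unchanged and unaffected by the encoding switch.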
@@ -1,45 +1,46 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{graphicx} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Countable Ordinals} \author{Brian Huffman} \maketitle \begin{abstract} This development defines a well-ordered type of countable ordinals. It includes notions of continuous and normal functions, recursively defined functions over ordinals, least fixed-points, and derivatives. Much of ordinal arithmetic is formalized, including exponentials and logarithms. The development concludes with formalizations of Cantor Normal Form and Veblen hierarchies over normal functions. \end{abstract} \tableofcontents %\begin{center} % \includegraphics[scale=0.7]{session_graph} %\end{center} \newpage \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Ordinal_Partitions/document/root.tex b/thys/Ordinal_Partitions/document/root.tex --- a/thys/Ordinal_Partitions/document/root.tex +++ b/thys/Ordinal_Partitions/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Partition Theorem for the Ordinal $\omega^\omega$} \author{Lawrence C. Paulson} \maketitle \begin{abstract} The theory of partition relations concerns generalisations of Ramsey's theorem. For any ordinal $\alpha$, write $\alpha \to (\alpha, m)^2$ if for each function~$f$ from unordered pairs of elements of~$\alpha$ into $\{0,1\}$, either there is a subset $X\subseteq \alpha$ order-isomorphic to $\alpha$ such that $f\{x,y\}=0$ for all $\{x,y\}\subseteq X$, or there is an $m$ element set $Y\subseteq \alpha$ such that $f\{x,y\}=1$ for all $\{x,y\}\subseteq Y$. (In both cases, with $\{x,y\}$ we require $x\not=y$.) In particular, the infinite Ramsey theorem can be written in this notation as $\omega \to (\omega, \omega)^2$, or if we restrict~$m$ to the positive integers as above, then $\omega \to (\omega, m)^2$ for all~$m$ \cite{larson-short-proof}. This entry formalises Larson's proof of $\omega^\omega \to (\omega^\omega, m)^2$ along with a similar proof of a result due to Specker: $\omega^2 \to (\omega^2, m)^2$. Also proved is a necessary result by Erd{\H o}s and Milner~\cite{erdos-theorem-partition,erdos-theorem-partition-corr}: $\omega^{1+\alpha\cdot n} \to (\omega^{1+\alpha}, 2^n)^2$. These examples demonstrate the use of Isabelle/HOL to formalise advanced results that combine ZF set theory with basic concepts like lists and natural numbers. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \section{Acknowledgements} The author was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council. 
Many thanks to Mirna D\v{z}amonja (who suggested the project) and Angeliki Koutsoukou-Argyraki for assistance at tricky moments. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Ordinals_and_Cardinals/document/root.tex b/thys/Ordinals_and_Cardinals/document/root.tex --- a/thys/Ordinals_and_Cardinals/document/root.tex +++ b/thys/Ordinals_and_Cardinals/document/root.tex @@ -1,29 +1,30 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \bibliographystyle{plain} \begin{document} \title{Ordinals and cardinals in HOL} \author{Andrei Popescu} \maketitle % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Ordinary_Differential_Equations/document/root.tex b/thys/Ordinary_Differential_Equations/document/root.tex --- a/thys/Ordinary_Differential_Equations/document/root.tex +++ b/thys/Ordinary_Differential_Equations/document/root.tex 
@@ -1,154 +1,154 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\etal}{\emph{et al.}} \newcommand{\keyword}[1]{\ensuremath{\textsf{\textbf{#1}}}} \newcommand{\Klemma}{\keyword{lemma}} \newcommand{\Ktheorem}{\keyword{theorem}} \newcommand{\Kif}{\keyword{if}} \newcommand{\Klet}{\keyword{let}} \newcommand{\Kleft}{\boldsymbol \leftarrow} \newcommand{\Kdo}{\keyword{do}} \newcommand{\Kin}{\keyword{in}} \newcommand{\Kthen}{\keyword{then}} \newcommand{\Kelse}{\keyword{else}} \newcommand{\identifier}[1]{\textsl{\textsf{#1}}} \newcommand{\Iaexp}{\identifier{aexp}} \newcommand{\IAffine}{\identifier{Affine}} \newcommand{\IAffines}{\identifier{Affines}} \newcommand{\Iaffineofivl}{\identifier{affine-of-ivl}} \newcommand{\IAdd}{\identifier{Add}} \newcommand{\Iaddaffine}{\identifier{add-affine}} \newcommand{\IAddE}{\identifier{AddE}} \newcommand{\IBasis}{\identifier{Basis}} \newcommand{\Ibinop}{\identifier{binop}} \newcommand{\Ibox}{\identifier{box}} \newcommand{\Icenter}{\identifier{center}} \newcommand{\Icoeff}{\identifier{coeff}} \newcommand{\Icoeffs}{\identifier{coeffs}} \newcommand{\Iapprox}{\identifier{approx}} \newcommand{\ID}{\identifier{D}} \newcommand{\Ideg}{\identifier{deg}} \newcommand{\Idim}{\identifier{dim}} \newcommand{\Idivl}{\identifier{div}^-} \newcommand{\Idivr}{\identifier{div}^+} \newcommand{\Ieexp}{\identifier{eexp}} \newcommand{\IElem}{\identifier{elem}} \newcommand{\Ieulerseries}{\identifier{euler-series}} \newcommand{\Ieulerstep}{\identifier{euler-step}} \newcommand{\Ifalse}{\identifier{False}} \newcommand{\Ifilter}{\identifier{filter}} \newcommand{\Ifold}{\identifier{fold}} \newcommand{\Ifor}{\identifier{for}} 
\newcommand{\Ifst}{\identifier{fst}} \newcommand{\IFloat}{\identifier{Float}} \newcommand{\Iindices}{\identifier{indices}} \newcommand{\IInverse}{\identifier{Inverse}} \newcommand{\Iinverseaffine}{\identifier{inverse-affine}} \newcommand{\Iivp}{\identifier{ivp}} \newcommand{\Ilen}{\identifier{len}} \newcommand{\Imap}{\identifier{map}} \newcommand{\Imerge}{\identifier{merge}} \newcommand{\IMinus}{\identifier{Minus}} \newcommand{\Iminusaffine}{\identifier{minus-affine}} \newcommand{\IMult}{\identifier{Mult}} \newcommand{\Imultaffine}{\identifier{mult-affine}} \newcommand{\INone}{\identifier{None}} \newcommand{\INum}{\identifier{Num}} \newcommand{\Irad}{\identifier{rad}} \newcommand{\Iradup}{\identifier{rad}^+} \newcommand{\Iround}{\identifier{round}} \newcommand{\IScale}{\identifier{Scale}} \newcommand{\Iscaleaffine}{\identifier{scale-affine}} \newcommand{\Isol}{\identifier{sol}} \newcommand{\ISome}{\identifier{Some}} \newcommand{\Isplit}{\identifier{split}} \newcommand{\Isummarize}{\identifier{summarize}} \newcommand{\To}{\Rightarrow} \newcommand{\Itrue}{\identifier{True}} \newcommand{\Itruncatedown}{\identifier{trunc}^-} \newcommand{\Itruncateup}{\identifier{trunc}^+} \newcommand{\Iroundbinop}{\identifier{round-binop}} \newcommand{\UNIV}[1]{\mathcal{U}_{#1}} \newcommand{\Iunzip}{\identifier{unzip}} \newcommand{\IVar}{\identifier{Var}} \newcommand{\Izip}{\identifier{zip}} \newcommand{\Tset}[1]{#1\,\identifier{set}} \newcommand{\Tlist}[1]{#1\,\identifier{list}} \newcommand{\Taffine}[1]{#1\,\identifier{affine}} \newcommand{\Toption}[1]{#1\,\identifier{option}} \newcommand{\Tbcontfun}[2]{#1\To_{\identifier{bc}}#2} \newcommand{\Tfinmap}[2]{#1\rightharpoondown_{\identifier{f}}#2} \newcommand{\Tfilter}[1]{#1\,\identifier{filter}} \newcommand{\Bool}{\ensuremath{\mathbb{B}}} \newcommand{\Real}{\ensuremath{\mathbb{R}}} \newcommand{\Float}{\ensuremath{\mathbb{F}}} \newcommand{\Eucl}[1]{\ensuremath{\mathbb{R}^{#1}}} \newcommand{\Complex}{\ensuremath{\mathbb{C}}} 
\newcommand{\Nat}{\ensuremath{\mathbb{N}}} \newcommand{\Integer}{\ensuremath{\mathbb{Z}}} \newcommand{\ToDO}[1]{{\color{red}\textbf{TODO:} #1}} \newcommand{\Todo}[1]{{\color{red}[#1]}} \newcommand{\limseq}{\xrightarrow{\hspace*{2em}}} \newcommand{\interpret}[1]{\ensuremath{[\![#1]\!]}} \title{Ordinary Differential Equations} \author{Fabian Immler} \begin{document} \maketitle \begin{abstract} Session \texttt{Ordinary-Differential-Equations} formalizes ordinary differential equations (ODEs) and initial value problems. This work comprises proofs for local and global existence of unique solutions (Picard-Lindelöf theorem). Moreover, it contains a formalization of the (continuous or even differentiable) dependency of the flow on initial conditions as the \emph{flow} of ODEs. Not in the generated document are the following sessions: \begin{itemize} \item \texttt{HOL-ODE-Numerics}: Rigorous numerical algorithms for computing enclosures of solutions based on Runge-Kutta methods and affine arithmetic. Reachability analysis with splitting and reduction at hyperplanes. \item \texttt{HOL-ODE-Examples}: Applications of the numerical algorithms to concrete systems of ODEs (e.g., van der Pol and Lorenz attractor). \end{itemize} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/PAC_Checker/document/root.tex b/thys/PAC_Checker/document/root.tex --- a/thys/PAC_Checker/document/root.tex +++ b/thys/PAC_Checker/document/root.tex 
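Review bot: the `\usepackage[T1]{fontenc}` line added at the top of the Ordinary_Differential_Equations root.tex (and, identically, in every other hunk of this series) switches the Computer Modern text fonts from the OT1 CM set to the T1 EC set; unless the TeX installation has cm-super installed, or the document loads `lmodern` after fontenc, pdfTeX embeds those EC fonts as bitmapped Type 3 fonts, which render poorly on screen. Either add `\usepackage{lmodern}` directly after the new fontenc line, or record cm-super as a dependency of the AFP document build so the change does not silently degrade the generated PDFs.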
@@ -1,109 +1,106 @@ %Some LaTeX checking: no bad pratices %\RequirePackage[l2tabu, orthodox]{nag} %\RequirePackage[all,error]{onlyamsmath} \RequirePackage{fixltx2e} \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed % lualatex %\usepackage{spelling} \usepackage{fullpage} \usepackage{graphicx} \usepackage{comment} \usepackage{mdframed} -%% Saisie en UTF-8 -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} -\usepackage{lmodern} \usepackage{subcaption} %% Pour composer des mathématiques \usepackage{amsmath,amssymb, amsthm} \usepackage{nicefrac} \usepackage{tikz} \usetikzlibrary{decorations, arrows, shapes, automata, mindmap, trees} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ \usepackage{wasysym} %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \let\set\mathbb \newcommand{\mailto}[1]{\href{mailto:#1}{#1}} \newcommand{\shortrules}[3]{#2$\Rightarrow^{\text{#1}}$ #3} \newcommand{\isasymRes}{\ensuremath{\text{Res}}} \begin{document} \title{PAC Checker} \author{Mathias Fleury and Daniela Kaufmann} \maketitle \begin{abstract} Generating and checking proof certificates is important to increase the trust in automated reasoning tools. In recent years formal verification using computer algebra became more important and is heavily used in automated circuit verification. An existing proof format which covers algebraic reasoning and allows efficient proof checking is the practical algebraic calculus. 
In this development, we present the verified checker Pastèque that is obtained by synthesis via the Refinement Framework. This is the formalization going with our FMCAD'20 tool presentation~\cite{KaufmannFleuryBiere-FMCAD20}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} {\section*{Acknowledgment} This work is supported by Austrian Science Fund (FWF), NFN S11408-N23 (RiSE), and LIT AI Lab funded by the State of Upper Austria. } % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/PCF/document/root.tex b/thys/PCF/document/root.tex --- a/thys/PCF/document/root.tex +++ b/thys/PCF/document/root.tex 
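Review bot: in the PAC_Checker hunk the removed block goes beyond the encoding cleanup done in the other files: dropping `\usepackage{lmodern}` together with `\usepackage[utf8]{inputenc}` and the old `\usepackage[T1]{fontenc}` changes the typeface from Latin Modern back to Computer Modern (EC fonts under T1) and brings back the cm-super/Type 3 font dependency that lmodern avoided. Suggest keeping `\usepackage{lmodern}` right after the new fontenc line unless the font change is intended. While touching this preamble, the `\RequirePackage{fixltx2e}` before `\documentclass` can go as well; fixltx2e has been a no-op that only emits a warning since the 2015 LaTeX kernel.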
@@ -1,101 +1,102 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{a4wide} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\isasymnotsqsubseteq}{\isamath{\not\sqsubseteq}} \renewcommand{\isacharminus}{\mbox{--}} % Bibliography \usepackage{natbib} \bibpunct();A{}, % sane default for proof documents \parindent 0pt \begin{document} \title{Logical Relations for PCF} \author{Peter Gammie} \maketitle \begin{abstract} We apply Andy Pitts's methods of defining relations over domains to several classical results in the literature. We show that the Y combinator coincides with the domain-theoretic fixpoint operator, that parallel-or and the Plotkin existential are not definable in PCF, that the continuation semantics for PCF coincides with the direct semantics, and that our domain-theoretic semantics for PCF is adequate for reasoning about contextual equivalence in an operational semantics. Our version of PCF is untyped and has both strict and non-strict function abstractions. The development is carried out in HOLCF. \end{abstract} \tableofcontents \parskip 0.5ex \section{Introduction} \label{sec:introduction} Showing the existence of relations on domains has historically been an involved process. This is due to the presence of the contravariant function space domain constructor that defeats familiar inductive constructions; in particular we wish to define ``logical'' relations, where related functions take related arguments to related results, and the corresponding relation transformers are not monotonic. Before \citet{PittsAM:relpod} such demonstrations involved laborious appeals to the details of the domain constructions themselves. (See \citet{Mulmuley:1987,Stoy:1977} for historical perspective.) 
Here we develop some standard results about PCF using Pitts's technique for showing the existence of particular recursively-defined relations on domains. By doing so we demonstrate that HOLCF \citep{HOLCF:1999,holcf11} is useful for reasoning about programming language semantics and not just particular programs. We treat a variant of the PCF language due to \citet{Plotkin77}. It contains both call-by-name and call-by-value abstractions and is untyped. We show the breadth of Pitts's technique by compiling several results, some of which have only been shown in simply-typed settings where the existence of the logical relations is straightforward to demonstrate. % generated text of all theories \input{session} \section{Concluding remarks} We have seen that Pitts's techniques for showing the existence of relations over domains is straightforward to mechanise and use in HOLCF. One source of irritation in doing so is that Pitts's technique is formulated in terms of minimal invariants, which presently must be written out by hand. (Earlier versions of HOLCF's domain package provided these copy functions, though we would still need to provide our own in such cases as \S\ref{sec:continuations}.) HOLCF~'11 provides us with take functions (approximations, deflations) on domains that compose, and so one might hope to adapt Pitts's technique to use these instead. This has been investigated by \citet[\S6]{DBLP:conf/ppdp/BentonKBH09}, but it is unclear that the deflations involved are those generated by HOLCF~'11. \bibliographystyle{plainnat} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/PLM/document/root.tex b/thys/PLM/document/root.tex --- a/thys/PLM/document/root.tex +++ b/thys/PLM/document/root.tex 
@@ -1,214 +1,215 @@ \documentclass[a4paper,enabledeprecatedfontcommands,abstract=on,twoside=true,bibliography=totoc]{scrreprt} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{url} \usepackage[usenames]{color} \usepackage{csquotes} \usepackage{graphicx} \usepackage{geometry} \usepackage{epigraph} \usepackage{tabularx} \usepackage{array} \usepackage[all]{nowidow} \usepackage[stable]{footmisc} \usepackage[ngerman,english]{babel} \newcommand{\embeddedstyle}[1]{{\color{blue}#1}} \setcounter{secnumdepth}{2} \setcounter{tocdepth}{1} \input{external.tex} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage{amsthm} \usepackage{amsmath} %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} \definecolor{linkcolor}{rgb}{0,0,0} \definecolor{citecolor}{rgb}{0,0,0} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyleminor}{\isastyle} % theorem environments \newtheorem*{remark}{Remark} % \numberwithin{remark}{chapter} \newtheorem{TODO}{TODO} \numberwithin{TODO}{chapter} \numberwithin{equation}{section} \title{Representation and Partial Automation of the Principia Logico-Metaphysica in Isabelle/HOL} \author{Daniel Kirchner} \begin{document} \begin{titlepage} \vspace{1cm} \begin{center} \includegraphics[width=0.6\textwidth]{logo} \vspace{1cm} Master's thesis at the institute of mathematics at Freie Universit\"at Berlin \vspace{2cm} \Large{\textsf{Representation and Partial Automation of the Principia Logico-Metaphysica in Isabelle/HOL}} \vspace{2cm} \large{\textbf{Daniel Kirchner}} \vspace{0.25cm} \small{Matrikelnummer: 4387161} \vspace{2cm} 
\large{\textbf{ Supervisors:\\ Priv.-Doz. Dr.-Ing. Christoph Benzm\"uller\\ Dr. Edward N. Zalta }} \vspace{2cm} \large{Berlin, \today} \end{center} \end{titlepage} \cleardoublepage \begin{abstract} We present an embedding of the second-order fragment of the Theory of Abstract Objects as described in Edward Zalta's upcoming work Principia Logico-Metaphysica (PLM\cite{PM}) in the automated reasoning framework Isabelle/HOL. The Theory of Abstract Objects is a metaphysical theory that reifies property patterns, as they for example occur in the abstract reasoning of mathematics, as \emph{abstract objects} and provides an axiomatic framework that allows to reason about these objects. It thereby serves as a fundamental metaphysical theory that can be used to axiomatize and describe a wide range of philosophical objects, such as Platonic forms or Leibniz' concepts, and has the ambition to function as a foundational theory of mathematics. The target theory of our embedding as described in chapters 7-9 of PLM\cite{PM} employs a modal relational type theory as logical foundation for which a representation in functional type theory is known to be challenging\cite{rtt}. Nevertheless we arrive at a functioning representation of the theory in the functional logic of Isabelle/HOL based on a semantical representation of an Aczel-model of the theory. Based on this representation we construct an implementation of the deductive system of PLM (\cite[Chap. 9]{PM}) which allows to automatically and interactively find and verify theorems of PLM. Our work thereby supports the concept of shallow semantical embeddings of logical systems in HOL as a universal tool for logical reasoning as promoted by Christoph Benzm\"uller\cite{UniversalReasoning}. The most notable result of the presented work is the discovery of a previously unknown paradox in the formulation of the Theory of Abstract Objects. The embedding of the theory in Isabelle/HOL played a vital part in this discovery. 
Furthermore it was possible to immediately offer several options to modify the theory to guarantee its consistency. Thereby our work could provide a significant contribution to the development of a proper grounding for object theory. \end{abstract} \cleardoublepage \tableofcontents \cleardoublepage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{Thesis} \newgeometry{margin=1in} \appendix \setcounter{secnumdepth}{3} \chapter{Isabelle Theory} \input{TAO_1_Embedding} \input{TAO_2_Semantics} \input{TAO_3_Quantifiable} \input{TAO_4_BasicDefinitions} \input{TAO_5_MetaSolver} \input{TAO_6_Identifiable} \input{TAO_7_Axioms} \input{TAO_8_Definitions} \input{TAO_9_PLM} \input{TAO_10_PossibleWorlds} \input{TAO_98_ArtificialTheorems} \input{TAO_99_SanityTests} \input{TAO_99_Paradox} \restoregeometry % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \cleardoublepage \chapter*{Selbstst\"andigkeitserkl\"arung} \selectlanguage{ngerman} \begin{center} \setlength\extrarowheight{4pt} \begin{tabularx}{\textwidth}{|X|X|} \hline Name: & Kirchner \\ \hline Vorname: & Daniel \\ \hline geb.am: & 22.05.1989 \\ \hline Matr.Nr.: & 4387161 \\ \hline \end{tabularx} \end{center} Hiermit versichere ich, dass ich die vorliegende Arbeit selbstst\"andig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel benutzt habe. Alle Ausf\"uhrungen, die w\"ortlich oder inhaltlich aus fremden Quellen \"ubernommen sind, habe ich als solche kenntlich gemacht. Diese Arbeit wurde in gleicher oder \"ahnlicher Form noch bei keiner anderen Universit\"at als Pr\"ufungsleistung eingereicht und ist auch noch nicht ver\"offentlicht. \vspace{50pt} \noindent\hfill\rule{7cm}{.4pt}\par \hfill Daniel Kirchner \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/POPLmark-deBruijn/document/root.tex b/thys/POPLmark-deBruijn/document/root.tex --- a/thys/POPLmark-deBruijn/document/root.tex 
+++ b/thys/POPLmark-deBruijn/document/root.tex @@ -1,48 +1,49 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \isadroptag{theory} \newcommand{\fsub}{$\hbox{F}_{<:}$} \newcommand{\secref}[1]{\S\ref{#1}} \begin{document} \title{A Solution to the {\sc PoplMark} Challenge in Isabelle/HOL} \author{Stefan Berghofer} \maketitle \begin{abstract} We present a solution to the {\sc PoplMark} challenge designed by Aydemir et al., which has as a goal the formalization of the meta-theory of System \fsub{}. The formalization is carried out in the theorem prover Isabelle/HOL using an encoding based on de Bruijn indices. We start with a relatively simple formalization covering only the basic features of System \fsub{}, and explain how it can be extended to also cover records and more advanced binding constructs. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/PSemigroupsConvolution/document/root.tex b/thys/PSemigroupsConvolution/document/root.tex --- a/thys/PSemigroupsConvolution/document/root.tex +++ b/thys/PSemigroupsConvolution/document/root.tex 
@@ -1,131 +1,132 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,fullpage} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Partial Semigroups and Convolution Algebras} \author{Brijesh Dongol, Victor B F Gomes, Ian J Hayes and Georg Struth} \maketitle \begin{abstract} Partial Semigroups are relevant to the foundations of quantum mechanics and combinatorics as well as to interval and separation logics. Convolution algebras can be understood either as algebras of generalised binary modalities over ternary Kripke frames, in particular over partial semigroups, or as algebras of quantale-valued functions which are equipped with a convolution-style operation of multiplication that is parametrised by a ternary relation. Convolution algebras provide algebraic semantics for various substructural logics, including categorial, relevance and linear logics, for separation logic and for interval logics; they cover quantitative and qualitative applications. These mathematical components for partial semigroups and convolution algebras provide uniform foundations from which models of computation based on relations, program traces or pomsets, and verification components for separation or interval temporal logics can be built with little effort. 
\end{abstract} \tableofcontents \section{Introductory Remarks} These mathematical components supply formal proofs for two articles on \emph{Convolution Algebras}~\cite{DongolHS17} and \emph{Convolution as a Unifying Concept}~\cite{DongolHS16}. They are sparsely documented and referenced; additional information can be found in these articles, and in particular the first one. The approach generalises previous Isabelle components for covolution algebras that were intended for separation logic and used partial abelian semigroups and monoids for modelling store-heap pairs~\cite{DongolGS15}. Due to the applications in separation logic, a detailed account of cancellative and positive partial abelian monoids has been included, as these structures characterise the heap succinctly. Isabelle verification components based on this approach will be submitted as a separate AFP entry. Our article on convolution algebras~\cite{DongolHS17} provides a detailed account of convolution-based semantics for Halpern-Shoham-style interval logics~\cite{HalpernS91,Venema91}, interval temporal logics~\cite{Moszkowski00} and duration calculi~\cite{ZhouH04} based on partial monoids. While general approaches, including modal algebras over semi-infinite intervals, are supported by the mathematical components provided, additional work on store models and assignments of variables to values is needed in order to build verification components for such interval logics. Convolution-based liftings of partial semigroups of graphs and partial orders allow formalisations of models of true concurrency such as pomset languages and concurrent Kleene algebras~\cite{HoareMSW11} in Isabelle, too. An AFP entry for these is in preparation. In all these approaches, the main task is to construct suitable partial semigroups or monoids of the computational models intended, for instance, closed intervals over the reals under fusion product, unions of heaplets (i.e. 
partial functions) provided their domains are disjoint, disjoint unions of graphs as parallel products. Our approach then allows a generic lifting to convolution algebras on suitable function spaces with algebraic properties, for instance of heaplets to the assertion algebra of separation logic with separating conjunction as convolution~\cite{DongolGS15,DongolHS16}, or of intervals to algebraic counterparts of interval temporal logics or duration calculi with the chop operation as convolution~\cite{DongolHS17}. We believe that this general construction supports other applications as well---qualitative and quantitative ones. We would like to thank Alasdair Armstrong for his help with some Isabelle proofs and Tony Hoare for many discussions that helped us shaping the general approach. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv}\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Pairing_Heap/document/root.tex b/thys/Pairing_Heap/document/root.tex --- a/thys/Pairing_Heap/document/root.tex +++ b/thys/Pairing_Heap/document/root.tex 
@@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Pairing Heap} \author{Hauke Brinkop and Tobias Nipkow} \maketitle \begin{abstract} This library defines three different versions of pairing heaps: a functional version of the original design based on binary trees~\cite{FredmanSST86}, the version by Okasaki~\cite{Okasaki} and a modified version of the latter that is free of structural invariants. The amortized complexities of these implementations are analyzed in the AFP article \href{http://isa-afp.org/entries/Amortized_Complexity.shtml}{Amortized Complexity}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Paraconsistency/document/root.tex b/thys/Paraconsistency/document/root.tex --- a/thys/Paraconsistency/document/root.tex +++ b/thys/Paraconsistency/document/root.tex 
@@ -1,124 +1,125 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \title{Paraconsistency} \author{Anders Schlichtkrull \&\ J{\o}rgen Villadsen, DTU Compute, Denmark} \date{\isadate\today} \usepackage{datetime,isabelle,isabellesym,parskip,underscore} \newdateformat{isadate}{\THEDAY\ \monthname[\THEMONTH] \THEYEAR} \usepackage[cm]{fullpage} \usepackage{pdfsetup} \isabellestyle{tt} \urlstyle{rm} \renewcommand{\isachardoublequote}{} \renewcommand{\isachardoublequoteopen}{} \renewcommand{\isachardoublequoteclose}{} \renewcommand{\isamarkupchapter}[1]{\clearpage\isamarkupsection{#1}} \renewcommand{\isamarkupsection}[1]{\section*{#1}\addcontentsline{toc}{section}{#1}} \renewcommand{\isamarkupsubsection}[1]{\medskip\subsection*{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\medskip\subsubsection*{#1}} \renewcommand{\isabeginpar}{\par\ifisamarkup\relax\else\bigskip\fi} \renewcommand{\isaendpar}{\par\bigskip} \begin{document} \makeatletter \parbox[t]{\textwidth}{\centering\Huge\bfseries\@title}\par\kern5mm \parbox[t]{\textwidth}{\centering\Large\bfseries\@author}\par\kern3mm \parbox[t]{\textwidth}{\centering\bfseries\@date}\par\kern8mm \makeatother \begin{abstract}\normalsize\noindent Paraconsistency is about handling inconsistency in a coherent way. In classical and intuitionistic logic everything follows from an inconsistent theory. A paraconsistent logic avoids the explosion. Quite a few applications in computer science and engineering are discussed in the Intelligent Systems Reference Library Volume 110: Towards Paraconsistent Engineering (Springer 2016). We formalize a paraconsistent many-valued logic that we motivated and described in a special issue on logical approaches to paraconsistency (Journal of Applied Non-Classical Logics 2005). We limit ourselves to the propositional fragment of the higher-order logic. The logic is based on so-called key equalities and has a countably infinite number of truth values. 
We prove theorems in the logic using the definition of validity. We verify truth tables and also counterexamples for non-theorems. We prove meta-theorems about the logic and finally we investigate a case study. \end{abstract} \tableofcontents \isamarkupsection{Preface} The present formalization in Isabelle essentially follows our extended abstract \cite{Jensen+12}. The Stanford Encyclopedia of Philosophy has a comprehensive overview of logical approaches to paraconsistency \cite{Priest+15}. We have elsewhere explained the rationale for our paraconsistent many-valued logic and considered applications in multi-agent systems and natural language semantics \cite{Villadsen05-JANCL,Villadsen09,Villadsen10,Villadsen14}. It is a revised and extended version of our formalization \url{https://github.com/logic-tools/mvl} that accompany our chapter in a book on partiality published by Cambridge Scholars Press. The GitHub link provides more information. We are grateful to the editors --- Henning Christiansen, M. Dolores Jim\'{e}nez L\'{o}pez, Roussanka Loukanova and Larry Moss --- for the opportunity to contribute to the book. \input{session} \clearpage\addcontentsline{toc}{section}{References} \begin{thebibliography}{0} \bibitem{Jensen+12} A.~S. Jensen and J.~Villadsen. \newblock \emph{Paraconsistent Computational Logic}. \newblock In P.~Blackburn, K.~F.~J{\o}rgensen, N.~Jones, and E.~Palmgren, editors, 8th Scandinavian Logic Symposium: Abstracts, pages 59--61, Roskilde University, 2012. \bibitem{Priest+15} G.~Priest, K.~Tanaka and Z.~Weber. \newblock \emph{Paraconsistent Logic}. \newblock In E.~N. Zalta et~al., editors, Stanford Encyclopedia of Philosophy, Online Entry \url{http://plato.stanford.edu/entries/logic-paraconsistent/} Spring Edition, 2015. \bibitem{Villadsen05-JANCL} J.~Villadsen. \newblock \emph{Supra-logic: Using Transfinite Type Theory with Type Variables for Paraconsistency}. 
\newblock Logical Approaches to Paraconsistency, Journal of Applied Non-Classical Logics, 15(1):45--58, 2005. \bibitem{Villadsen09} J.~Villadsen. \newblock \emph{Infinite-Valued Propositional Type Theory for Semantics}. \newblock In J.-Y.~B\'{e}ziau and A.~Costa-Leite, editors, Dimensions of Logical Concepts, pages 277--297, Unicamp Cole\c{c}.~CLE 54, 2009. \bibitem{Villadsen10} J.~Villadsen. \newblock \emph{Nabla: A Linguistic System Based on Type Theory}. \newblock Foundations of Communication and Cognition (New Series), LIT Verlag, 2010. \bibitem{Villadsen14} J.~Villadsen. \newblock \emph{Multi-dimensional Type Theory: Rules, Categories and Combinators for Syntax and Semantics}. \newblock In P.~Blache, H.~Christiansen, V.~Dahl, D.~Duchier, and J.~Villadsen, editors, Constraints and Language, pages 167--189, Cambridge Scholars Press, 2014. \end{thebibliography} \end{document} diff --git a/thys/Parity_Game/document/root.tex b/thys/Parity_Game/document/root.tex --- a/thys/Parity_Game/document/root.tex +++ b/thys/Parity_Game/document/root.tex 
@@ -1,159 +1,158 @@ \documentclass[11pt,a4paper]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsfonts,amssymb} \usepackage{xspace} -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} \typearea{11} \renewcommand{\bf}{\normalfont\bfseries} \renewcommand{\rm}{\normalfont\rmfamily} \renewcommand{\it}{\normalfont\itshape} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \newcommand{\Even}{\textsc{Even}\xspace} \newcommand{\Odd}{\textsc{Odd}\xspace} \begin{document} \title{Positional Determinacy of Parity Games} \author{Christoph Dittmann\\christoph.dittmann@tu-berlin.de} \date{\today} \maketitle \begin{abstract} We present a formalization of parity games (a two-player game on directed graphs) and a proof of their positional determinacy in Isabelle/HOL. This proof works for both finite and infinite games. We follow the proof in \cite{kreutzer2015}, which is based on \cite{zielonka1998}. \end{abstract} \tableofcontents \newpage \section{Introduction} Parity games are games played by two players, called \Even and \Odd, on labelled directed graphs. Each node is labelled with their player and with a natural number, called its \emph{priority}. To call this a \emph{parity game}, we only need to assume that the number of different priorities is finite. Of course, this condition is only relevant on infinite graphs. One reason parity games are important is that determining the winner is polynomial-time equivalent to the model-checking problem of the modal $\mu$-calculus, a logic able to express LTL and CTL* properties (\cite{bradfield2007}). \subsection{Formal Introduction} Formally, a parity game is $G = (V,E,V_0,\omega)$, where $(V,E)$ is a directed graph, $V_0 \subseteq V$ is the set of \Even nodes, and $\omega: V \to \mathbb{N}$ is a function with $|f(V)| < \infty$. A \emph{play} is a maximal path in $G$. 
A finite play is winning for \Even iff the last node is not in $V_0$. An infinite play is winning for \Even iff the minimum priority occurring infinitely often on the path is even. On an infinite path at least one priority occurs infinitely often because there is only a finite number of different priorities. A node $v$ is \emph{winning} for a player~$p$ iff all plays starting from $v$ are winning for~$p$. It is well-known that parity games are \emph{determined}, that is, every node is winning for some player. A more surprising property is that parity games are also \emph{positionally determined}. This means that for every node $v$ winning for \Even, there is a function $\sigma: V_0 \to V$ such that all \Even needs to do in order to win from $v$ is to consult this function whenever it is his turn (similarly if $v$ is winning for \Odd). This is also called a \emph{positional strategy} for the winning player. We define the \emph{winning region} of player~$p$ as the set of nodes from which player~$p$ has positional winning strategies. Positional determinacy then says that the winning regions of \Even and of \Odd partition the graph. See \cite{automata2002/kuesters} for a modern survey on positional determinacy of parity games. Their proof is based on a proof by Zielonka \cite{zielonka1998}. \subsection{Overview} Here we formalize the proof from \cite{kreutzer2015} in Isabelle/HOL. This proof is similar to the proof in \cite{automata2002/kuesters}, but we do not explicitly define so-called ``$\sigma$-traps''. Using $\sigma$-traps could be worth exploring, because it has the potential to simplify our formalization. Our proof has no assumptions except those required by every parity game. In particular the parity game \begin{itemize} \item may have arbitrary cardinality, \item may have loops, \item may have deadends, that is, nodes with no successors. \end{itemize} The main theorem is in section \ref{subsec:positional_determinacy}. 
\subsection{Technical Aspects} We use a coinductive list of nodes to represent paths in a graph because this gives us a uniform representation for finite and infinite paths. We can then express properties such as that a path is maximal or conforms to a given strategy directly as coinductive properties. We use the coinductive list developed by Lochbihler in \cite{Coinductive-AFP}. We also explored representing paths as functions \isa{nat\ {\isasymRightarrow}\ {\isacharprime}a\ option} with the property that the domain is an initial segment of \isa{nat} (and where \isa{{\isacharprime}a} is the node type). However, it turned out that coinductive lists give simpler proofs. It is possible to represent a graph as a function \isa{{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a\ {\isasymRightarrow}\ bool}, see for example in the proof of König's lemma in \cite{Coinductive-AFP}. However, we instead go for a record which contains a set of nodes and a set of edges explicitly. By not requiring that the set of nodes is \isa{UNIV\ ::\ {\isacharprime}a\ set} but rather a subset of \isa{UNIV\ ::\ {\isacharprime}a\ set}, it becomes easier to reason about subgraphs. Another point is that we make extensive use of locales, in particular to represent maximal paths conforming to a specific strategy. Thus proofs often start with \isa{\isacommand{interpret}\ vmc{\isacharunderscore}path\ G\ P\ \ensuremath{v_0}\ p\ \isasymsigma} to say that $P$ is a valid maximal path in the graph $G$ starting in $v_0$ and conforming to the strategy $\sigma$ for player $p$. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \clearpage \phantomsection \addcontentsline{toc}{section}{Bibliography} \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Partial_Function_MR/document/root.tex b/thys/Partial_Function_MR/document/root.tex 
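Review bot: Dropping `\usepackage[utf8]{inputenc}` from the Positional_Determinacy preamble makes the build depend on the LaTeX kernel's UTF-8 default (kernels from April 2018 onward): the Technical Aspects paragraph contains a literal non-ASCII character in ``König's lemma'', which an older kernel would read as Latin-1 and typeset wrongly. Either keep the inputenc line (it is harmless on new kernels) or record the minimum TeX Live release as a build requirement. The rest of the hunk is safe: re-adding `\usepackage[T1]{fontenc}` directly after `\documentclass` only reorders a package that was already loaded, and the header counts (-1,159 +1,158: one addition, two removals) are consistent.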
--- a/thys/Partial_Function_MR/document/root.tex +++ b/thys/Partial_Function_MR/document/root.tex 
@@ -1,191 +1,192 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isakwd[1]{\textsf{\isa{#1}}} \newcommand\isasimpmp{\isa{simplify-emp-main}} \newcommand\parfun{\isakwd{partial-function}} \newcommand\vect[1]{\overrightarrow{#1}} \newcommand\fs{\isa{fs}} \newcommand\xs{\isa{xs}} \newcommand\xst{\isa{xs}_t} \newcommand\inT{\isa{in}} \newcommand\cprod[1]{({#1})} \newcommand\outT{\isa{out}} \newcommand\monad{\isa{monad}} \newcommand\tto\Rightarrow \newcommand\ar{\isa{ar}} \newcommand\inj{\isa{inj}} \newcommand\proj{\isa{proj}} \newcommand\mapM{\isa{map-monad}} \newcommand\curry{\isa{curry}} \newcommand\case{\isakwd{case}} \newcommand\of{\isakwd{of}} \begin{document} \title{Mutually Recursive Partial Functions\thanks{This research is supported by FWF (Austrian Science Fund) project P22767-N13. We thank Makarius Wenzel for several hints on how to properly localize our wrapper.}} \author{Ren\'e Thiemann} \maketitle \begin{abstract} We provide a wrapper around the partial-function command which supports mutual recursion. Our results have been used to simplify the development of mutually recursive parsers, e.g., a parser to convert external proofs given in XML into some mutually recursive datatype within Isabelle/HOL. \end{abstract} \tableofcontents \section{Introduction} The partial function command of Krauss \cite{partial_function} turns monotone monadic function specifications into equational theorems. Here, monadic means that the output type of the function must be a monad like the option-monad. This is required to prohibit specifications like \[ f\ x = 1 + f\ x \] which would immediately lead to a contradiction. 
Since the command produces unconditional equations, it is extremely helpful in writing possibly nonterminating functions which are amenable to code generation. For example, using \parfun, one can write a recursive parser in Isabelle/HOL and can then use it in several target languages---without having to struggle with a tedious termination proof which might have to reason about the internal state of the parser. Unfortunately, the command currently does not support mutually recursive functions, which however would be a convenient feature when writing parsers for mutually recursive datatypes. To be more precise, a specification of a partial function has to be of the following shape \begin{equation} \label{nmr} f\ \vect{\xs} = F\ f\ \vect{\xs} \end{equation} where $\vect{\xs}$ is a sequence of distinct variables and $F$ is an arbitrary monotone functional that may depend on $f$ and $\vect{\xs}$. For mutually recursive functions we would like to specify functions in the more general form \begin{align} \notag f_1\ \vect{\xs_1} & = F_1\ \vect{\fs}\ \vect{\xs_1} \\ \label{mr} & \ \,\vdots \\ \notag f_n\ \vect{\xs_n} & = F_n\ \vect{\fs}\ \vect{\xs_n} \end{align} where $\vect{\fs} = f_1, \ldots, f_n$ and $\vect{\xs_i}$ are the individual arguments to each of the functions $f_i$. In the following, we describe our wrapper around the partial function command which supports mutual recursion. We first synthesize a global function $g$ from the specifications in (\ref{mr}) which itself has a defining equation in the form of (\ref{nmr}). Then we register $g$ and derive the defining equation for $g$ as theorem in Isabelle/HOL using $\parfun$. Afterwards, it will be easy to define each $f_i$ in terms of $g$, and finally derive the equations in (\ref{mr}) as theorems. Let us now consider the details. Assume each $f_i$ has a type $\inT_{i,1} \tto \ldots \tto \inT_{i,\ar(f_i)} \tto \outT_{f_i}\ \monad$, where for each $f$, $\ar(f)$ is the arity of $f$, and $\monad$ is the common monad. 
For $g$ there will only be one input, and this input has type $\cprod{\inT_{f_1}} + \ldots + \cprod{\inT_{f_n}}$: each sequence of input types $\inT_{i,1}, \ldots, \inT_{i,\ar(f_i)}$ is first transformed into a single argument of type $\cprod{\inT_{f_i}} := \inT_{i,1} \times \ldots \times \inT_{i,\ar(f_i)}$, and afterwards the sum type is used to distinguish between the inputs of the individual functions. Similarly, the output type of $g$ will be $(\outT_{f_1} + \ldots + \outT_{f_n})\ \monad$. Note that we did not choose ${\outT_{f_1}\ \monad} + \ldots + {\outT_{f_n} \monad}$ as output of $g$ as it is not monadic, and thus, $g$ would not be definable via \parfun. Next, we define $g$ via a single equation which can then be passed to \parfun. Here, we have to \begin{itemize} \item convert between tuples and sequences of arguments via currying and uncurrying. To this end, we use the predefined \curry-function for currying and for uncurrying we perform pattern matching in expressions like $\lambda \cprod{\xs}. h\ \vect{xs}$ which take a tuple of variables as argument and then feed these variables sequentially to some function $h$. \item convert between argument and sum-types. To this end, we use constructors $\inj_i$ of type $\alpha_i \tto \alpha_1 + \ldots + \alpha_i + \ldots \alpha_n$, and destructors $\proj_i$ which work in exactly the opposite direction. Moreover, we perform case-analyses via pattern matching on the $\inj_i$'s. Note that internally each $\inj_i$ is encoded via repeated usage of the constructors $\isa{Inl}$ and $\isa{Inr}$ of Isabelle/HOL's \isa{sum}-type, and similarly we nest \isa{Projl} and \isa{Projr} to encode arbitrary $\proj_i$-functions. \item work within the monad to combine the various result types into a single one. To this end, we demand that there is some $\mapM$-function which lifts an operation $\alpha \tto \beta$ to a function of type $\alpha\ \monad \tto \beta\ \monad$. 
In general, these mappings may also take several functions as input, depending on the number of type-variables of the monad-constructor. For each kind of monad that should be supported by our method, a user-defined $\mapM$ function can be registered. It is important, to also register a monotonicity lemma of each $\mapM$ function within the partial function package. Otherwise, monotonicity proofs for $g$ will most likely fail. \end{itemize} Putting everything together, we setup the following equation \begin{align} g\ x = \case\ x\ \of \notag\\ \inj_1 \xst & \tto \mapM\ \inj_1\ ((\lambda \cprod{\xs}. F_1\ \vect{\fs'}\ \vect\xs)\ \xst) \notag\\ \mid \ldots\hspace{1.8em} \label{gsimp} \\ \mid \inj_n \xst & \tto \mapM\ \inj_n\ ((\lambda \cprod{\xs}. F_n\ \vect{\fs'}\ \vect\xs)\ \xst)\notag \end{align} where $\vect{\fs'}$ is the sequence of abbreviations $f'_1$, \ldots, $f'_n$ and where \begin{equation} \label{fi'} f'_i = \curry\ (\lambda \xst. \ \mapM\ \proj_i\ (g\ (\inj_i\ \xst))) \end{equation} Once, $g$ has been defined using \parfun, we obtain Equality (\ref{gsimp}) as a theorem. Afterwards, it is easy to define \begin{equation} \label{fi} f_i = \curry\ (\lambda \xst.\ \mapM\ \proj_i\ (g\ (\inj_i\ \xst))) \end{equation} and it remains to derive the equations in (\ref{mr}) as theorems. To this end, first note the difference in (\ref{fi'}) and (\ref{fi}). In the former, $g$ is a free variable which should be defined as a constant at that point, whereas $g$ is already the newly defined constant in (\ref{fi}). Obviously, at this point one can now replace the abbreviations (\ref{fi'}) in Equation (\ref{gsimp}) by the real constants $f_i$ via the defining equations (\ref{fi}). This yields the following modified theorem for $g$ where now $\vect{\fs}$ is the sequence $f_1,\dots,f_n$. \begin{align} g\ x = \case\ x\ \of \notag\\ \inj_1 \xst & \tto \mapM\ \inj_1\ ((\lambda \cprod{\xs}. 
F_1\ \vect{\fs}\ \vect\xs)\ \xst) \notag\\ \mid \ldots\hspace{1.8em} \label{gsimp2} \\ \mid \inj_n \xst & \tto \mapM\ \inj_n\ ((\lambda \cprod{\xs}. F_n\ \vect{\fs}\ \vect\xs)\ \xst)\notag \end{align} Now it is indeed easy to derive the desired equations in (\ref{mr}): \begin{align*} f_i\ \vect\xs & \stackrel{(\ref{fi})}= (\curry\ (\lambda \xst.\ \mapM\ \proj_i\ (g\ (\inj_i\ \xst)))) \ \vect\xs \\ & \stackrel{(\star)}= \mapM\ \proj_i\ (g\ (\inj_i\ (\vect\xs)))) \\ & \stackrel{(\ref{gsimp2})}= \mapM\ \proj_i\ (\mapM\ \inj_i\ (F_i\ \vect{\fs}\ \vect\xs))\\ & \stackrel{(\star\star)}= F_i\ \vect{\fs}\ \vect\xs \end{align*} Here, ($\star$) used the definition of \curry\ and splitting of tuples, and for $(\star\star)$ we demand that $\mapM$ is compositional and that $\mapM$ applied on the identity function is the identity function itself. % include generated text of all theories \section{Implementation} \subsection{Known limitations} \begin{itemize} \item The method does only provide equational theorems. It does not convert the induction rule for the global function $g$ from the partial function command into an induction rule for the set of mutually recursive functions. \end{itemize} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Partial_Order_Reduction/document/root.tex b/thys/Partial_Order_Reduction/document/root.tex --- a/thys/Partial_Order_Reduction/document/root.tex +++ b/thys/Partial_Order_Reduction/document/root.tex 
@@ -1,31 +1,30 @@ \documentclass[11pt, a4paper]{article} -\usepackage[utf8]{inputenc} \usepackage[T1]{fontenc} -\usepackage{isabelle, isabellesym} +\usepackage{isabelle,isabellesym} \usepackage{pdfsetup} \usepackage{stmaryrd} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Partial Order Reduction} \author{Julian Brunner} \maketitle \begin{abstract} This entry provides a formalization of the abstract theory of ample set partial order reduction as presented in \cite{partial_order_reduction_ample_set_on-the-fly, partial_order_reduction_ample_set_verification_abstract}. The formalization includes transition systems with actions, trace theory, as well as basics on finite, infinite, and lazy sequences. We also provide a basic framework for static analysis on concurrent systems with respect to the ample set condition. \end{abstract} \tableofcontents \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Password_Authentication_Protocol/document/root.tex b/thys/Password_Authentication_Protocol/document/root.tex --- a/thys/Password_Authentication_Protocol/document/root.tex +++ b/thys/Password_Authentication_Protocol/document/root.tex 
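Review bot: `\usepackage{stmaryrd}` is still loaded after `\usepackage{pdfsetup}` in the Partial_Order_Reduction preamble, whereas the other preambles in this patch mark pdfsetup with `% this should be the last package used`; since the preamble is being touched anyway, move stmaryrd above pdfsetup so the package order follows the same convention. The `\usepackage{isabelle, isabellesym}` to `\usepackage{isabelle,isabellesym}` pair is pure whitespace normalization unrelated to the encoding change; fine to keep, but worth stating in the change description so readers do not hunt for a semantic difference.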
@@ -1,69 +1,70 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems, Italy\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjosystems dot com} \maketitle \begin{abstract} This paper constructs a formal model of a Diffie-Hellman password-based authentication protocol between a user and a smart card, and proves its security. The protocol provides for the dispatch of the user's password to the smart card on a secure messaging channel established by means of Password Authenticated Connection Establishment (PACE), where the mapping method being used is Chip Authentication Mapping. By applying and suitably extending Paulson's Inductive Method, this paper proves that the protocol establishes trustworthy secure messaging channels, preserves the secrecy of users' passwords, and provides an effective mutual authentication service. What is more, these security properties turn out to hold independently of the secrecy of the PACE authentication key. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Pell/document/root.tex b/thys/Pell/document/root.tex --- a/thys/Pell/document/root.tex +++ b/thys/Pell/document/root.tex @@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Pell's Equation} \author{Manuel Eberl} \maketitle \begin{abstract} This article gives the basic theory of Pell's equation $x^2 = 1 + D y^2$, where $D\in\mathbb{N}$ is a parameter and $x$, $y$ are integer variables. The main result that is proven is the following: If $D$ is not a perfect square, then there exists a \emph{fundamental solution} $(x_0, y_0)$ that is not the trivial solution $(1, 0)$ and which generates all other solutions $(x, y)$ in the sense that there exists some $n\in\mathbb{N}$ such that $|x| + |y| \sqrt{D} = (x_0 + y_0 \sqrt{D})^n$. This also implies that the set of solutions is infinite, and it gives us an explicit and executable characterisation of all the solutions. Based on this, simple executable algorithms for computing the fundamental solution and the infinite sequence of all non-negative solutions are also provided. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Perfect-Number-Thm/document/root.tex b/thys/Perfect-Number-Thm/document/root.tex --- a/thys/Perfect-Number-Thm/document/root.tex 
+++ b/thys/Perfect-Number-Thm/document/root.tex @@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Perfect Number Theorem} \author{Mark IJbema} \maketitle \begin{abstract} This document presents the formal proof of the Perfect Number Theorem. The result can also be found as number 70 on the list of ``top 100 mathematical theorems''~\cite{Wiedijk100}. This document was produced as result of a B.Sc. Thesis under supervision of Jaap Top and Wim H. Hesselink (University of Groningen) in 2009. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{PerfectBasics} \input{Sigma} \input{Perfect} % optional bibliography \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Perron_Frobenius/document/root.tex b/thys/Perron_Frobenius/document/root.tex --- a/thys/Perron_Frobenius/document/root.tex +++ b/thys/Perron_Frobenius/document/root.tex 
@@ -1,125 +1,124 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} \usepackage{xspace} -\usepackage[utf8]{inputenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newtheorem{theorem}{Theorem}%[section] \newtheorem{corollary}{Corollary}%[section] \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \newcommand\rai{real algebraic number\xspace} \newcommand\rais{real algebraic numbers\xspace} \begin{document} \title{Perron-Frobenius Theorem for Spectral Radius Analysis\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Jose Divas\'on, Ondřej Kunčar, Ren\'e Thiemann and Akihisa Yamada} \maketitle \begin{abstract} The spectral radius of a matrix $A$ is the maximum norm of all eigenvalues of $A$. In previous work we already formalized that for a complex matrix $A$, the values in $A^n$ grow polynomially in $n$ if and only if the spectral radius is at most one. One problem with the above characterization is the determination of all \emph{complex} eigenvalues. In case $A$ contains only non-negative real values, a simplification is possible with the help of the Perron-Frobenius theorem, which tells us that it suffices to consider only the \emph{real} eigenvalues of $A$, i.e., applying Sturm's method can decide the polynomial growth of $A^n$. We formalize the Perron-Frobenius theorem based on a proof via Brouwer's fixpoint theorem, which is available in the HOL multivariate analysis (HMA) library. 
Since the results on the spectral radius is based on matrices in the Jordan normal form (JNF) library, we further develop a connection which allows us to easily transfer theorems between HMA and JNF. With this connection we derive the combined result: if $A$ is a non-negative real matrix, and no real eigenvalue of $A$ is strictly larger than one, then $A^n$ is polynomially bounded in $n$. \end{abstract} \tableofcontents \section{Introduction} The spectral radius of a matrix $A$ over $\reals$ or $\complex$ is defined as \begin{equation*} \rho(A) = \max\,\{|x| .\ \chi_A(x) = 0, x \in \complex\} \end{equation*} where $\chi_A$ is the characteristic polynomial of $A$. It is a central notion related to the growth rate of matrix powers. A matrix $A$ has polynomial growth, i.e., all values of $A^n$ can be bounded polynomially in $n$, if and only if $\rho(A) \leq 1$. It is quite easy to see that $\rho(A) \leq 1$ is a necessary criterion,\footnote{ Let $\lambda$ and $v$ be some eigenvalue and eigenvector pair such that $|\lambda| > 1$. Then $|A^n v| = |\lambda^n v| = |\lambda|^n |v|$ grows exponentially in $n$, where $|w|$ denotes the component-wise application of $|\cdot|$ to vector elements of $w$.} but it is more complicated to argue about sufficiency. In previous work we formalized this statement via Jordan normal forms \cite{JNF}. \begin{theorem}[in JNF] \label{sr} The values in $A^n$ are polynomially bounded in $n$ if $\rho(A) \leq 1$. \end{theorem} In order to perform the proof via Jordan normal forms, we did not use the HMA library from the distribution to represent matrices. The reason is that already the definition of a Jordan normal form is naturally expressed via block-matrices, and arbitrary block-matrices are hard to express in HMA, if at all. The problem in applying Theorem~\ref{sr} in concrete examples is the determination of all complex roots of the polynomial $\chi_A$. 
For instance, one can utilize complex algebraic numbers for this purpose, which however are computationally expensive. To avoid this problem, in this work we formalize the Perron Frobenius theorem. It states that for non-negative real-valued matrices, $\rho(A)$ is an eigenvalue of $A$. \begin{theorem}[in HMA] \label{pf} If $A \in \reals_{\geq 0}^{k \times k}$, then $\chi_A(\rho(A)) = 0$. \end{theorem} We decided to perform the formalization based on the HMA library, since there is a short proof of Theorem~\ref{pf} via Brouwer's fixpoint theorem \cite[Section 5.2]{SerreMatrices}. The latter is a well-known but complex theorem that is available in HMA, but not in the JNF library. Eventually we want to combine both theorems to obtain: \begin{corollary} \label{final} If $A \in \reals_{\geq 0}^{k \times k}$, then the values in $A^n$ are polynomially bounded in $n$ if $\chi_A$ has no real roots in the interval $(1,\infty)$. \end{corollary} This criterion is computationally far less expensive -- one invocation of Sturm's method on $\chi_A$ suffices. Unfortunately, we cannot immediately combine both theorems. We first have to bridge the gap between the HMA-world and the JNF-world. To this end, we develop a setup for the transfer-tool which admits to translate theorems from JNF into HMA. Moreover, using a recent extension for local type definitions within proofs \cite{LTD}, we also provide a translation from HMA into JNF. With the help of these translations, we prove Corollary~\ref{final} and make it available in both HMA and JNF. (In the formalization the corollary looks a bit more complicated as it also contains an estimation of the the degree of the polynomial growth.) % include generated text of all theories \input{session} \paragraph*{Acknowledgements} We thank Fabian Immler for an introduction to continuity proving using HMA. \bibliographystyle{abbrv} \bibliography{root} \end{document} 
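Review bot: The Perron_Frobenius preamble is the one place in this patch where `\usepackage[T1]{fontenc}` does real work rather than being cosmetic: the author line `Ondřej Kunčar` needs the ř and č glyphs, which T1 provides as real characters (OT1 can only fake them by accent composition), and with `\usepackage[utf8]{inputenc}` removed those UTF-8 bytes are decoded only by kernels from April 2018 onward. Please confirm the build environment meets that minimum and has Type 1 versions of the T1 Computer Modern fonts installed (cm-super, or load `lmodern`), otherwise the author line will either break on an old kernel or fall back to bitmap Type 3 fonts. The removed blank line after `\usepackage{isabelle,isabellesym}` and the header counts (-1,125 +1,124) are consistent.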
diff --git a/thys/Physical_Quantities/document/root.tex b/thys/Physical_Quantities/document/root.tex --- a/thys/Physical_Quantities/document/root.tex +++ b/thys/Physical_Quantities/document/root.tex 
@@ -1,243 +1,244 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \graphicspath {{figures/}} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{latexsym} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage[greek,english]{babel} %option greek for \ %option english (default language) for \, \ %\usepackage[latin1]{inputenc} %for \, \, \, \, %\, \, \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\HOL}[1]{\verb{HOL}} \newcommand{\eg}[1]{e.g.} \renewcommand{\isasymdegree}{XXX} \newcommand{\acs}[1]{\textsc{#1}} \begin{document} \title{A Sound Type System for Physical \\ Quantities, Units, and Measurements} \author{Simon Foster \and Burkhart Wolff} \maketitle \chapter*{Abstract} The present Isabelle theory builds a formal model for both the \emph{International System of Quantities} (ISQ) and the \emph{International System of Units} (SI), which are both fundamental for physics and engineering~\cite{bipm-jcgm:2012:VIM}. Both the ISQ and the SI are deeply integrated into Isabelle's type system. Quantities are parameterised by \emph{dimension types}, which correspond to base vectors, and thus only quantities of the same dimension can be equated. Since the underlying ``algebra of quantities'' from~\cite{bipm-jcgm:2012:VIM} induces congruences on quantity and SI types, specific tactic support is developed to capture these. Our construction is validated by a test-set of known equivalences between both quantities and SI units. 
Moreover, the presented theory can be used for type-safe conversions between the SI system and others, like the British Imperial System (BIS). \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \chapter{ISQ and SI: An Introduction} Modern Physics is based on the concept of quantifiable properties of physical phenomena such as mass, length, time, current, etc. These phenomena, called \emph{quantities}, are linked via an \emph{algebra of quantities} to derived concepts such as speed, force, and energy. The latter allows for a \emph{dimensional analysis} of physical equations, which had already been the backbone of Newtonian Physics. In parallel, physicians developed their own research field called ``metrology'' defined as a scientific study of the \emph{measurement} of physical quantities. The relevant international standard for quantities and measurements is distributed by the \emph{Bureau International des Poids et des Mesures} (BIPM), which also provides the \emph{Vocabulaire International de M\`etrologie} (VIM)~\cite{bipm-jcgm:2012:VIM}. The VIM actually defines two systems: the \emph{International System of Quantities} (ISQ) and the \emph{International System of Units} (SI, abbreviated from the French Syst\`eme international (d’unit\'es)). The latter is also documented in the \emph{SI Brochure}~\cite{SI-Brochure}, a standard that is updated periodically, most recently in 2019. Finally, the VIM defines concrete reference measurement procedures as well as a terminology for measurement errors. Conceived as a refinement of the ISQ, the SI comprises a coherent system of units of measurement built on seven base units, which are the metre, kilogram, second, ampere, kelvin, mole, candela, and a set of twenty prefixes to the unit names and unit symbols, such as milli- and kilo-, that may be used when specifying multiples and fractions of the units. 
The system also specifies names for 22 derived units, such as lumen and watt, for other common physical quantities. While there is still nowadays a wealth of different measuring systems such as the \emph{British Imperial System} (BIS) and the \emph{United States Customary System} (USC), the SI is more or less the de-facto reference behind all these systems. The present Isabelle theory builds a formal model for both the ISQ and the SI, together with a deep integration into Isabelle's type system~\cite{nipkow.ea:isabelle:2002}. Quantities and units are represented in a way that they have a \emph{quantity type} as well as a \emph{unit type} based on its base vectors and their magnitudes. Since the algebra of quantities induces congruences on quantity and SI types, specific tactic support has been developed to capture these. Our construction is validated by a test-set of known equivalences between both quantities and SI units. Moreover, the presented theory can be used for type-safe conversions between the SI system and others, like the British Imperial System (BIS). % We would like to stress that it is not only our objective to provide a sound type-system for % ISQ and SI; rather, our semantic construction produces an integration of quantities and SI units % \emph{as types} inside the Hindley-Milner style type system of % Isabelle/HOL\cite{nipkow.ea:isabelle:2002}. The objective of our construction is to % reflect the types of the magnitudes as well as their dimensions in order to allow type-safe % calculations on SI units and their conversion to other measuring systems. % The International System of Units (SI, abbreviated from the French % Système International (d'unités)) is the modern form of the metric % system and is the most widely used system of measurement. 
It comprises % a coherent system of units of measurement built on seven base units, % which are the second, metre, kilogram, ampere, kelvin, mole, candela, % and a set of twenty prefixes to the unit names and unit symbols that % may be used when specifying multiples and fractions of the units. % The system also specifies names for 22 derived units, such as lumen and % watt, for other common physical quantities. % % (cited from \url{https://en.wikipedia.org/wiki/International_System_of_Units}). In the following we describe the overall theory architecture in more detail. Our ISQ model provides the following fundamental concepts: % \begin{enumerate}% \item \emph{dimensions} represented by a type \isa{(int, 'd::enum) dimvec} , i.e. a \isa{'d}-indexed vector space of integers representing the exponents of the dimension vector. \isa{'d} is constrained to be a dimension type later. \item \emph{quantities} represented by type \isa{('a, 'd::enum) Quantity}, which are constructed as a vector space and a magnitude type \isa{'a}. \item{quantity calculus} consisting of \emph{quantity equations} allowing to infer that $LT^{-1}T^{-1}M = MLT^{-2} = F$ (the left-hand-side equals mass times acceleration which is equal to force). \item a kind of equivalence relation $\cong_{Q}$ on quantities, permitting to relate quantities of different dimension types. \item \emph{base quantities} for \emph{length}, \emph{mass}, \emph{time}, \emph{electric current}, \emph{temperature}, \emph{amount of substance}, and \emph{luminous intensity}, serving as concrete instance of the vector instances, and for syntax a set of the symbols \isa{L}, \isa{M}, \isa{T}, \isa{I}, \isa{{\isasymTheta}}, \isa{N}, \isa{J} corresponding to the above mentioned base vectors. \item \emph{(Abstract) Measurement Systems} represented by type \isa{('a, 'd::enum, 's::unit\_system) Measurement\_System}, which are a refinement of quantities. 
The refinement is modelled by a polymorphic record extensions; as a consequence, Measurement Systems inherit the algebraic properties of quantities. \item \emph{derived dimensions} such as \emph{volume} $\isa{L}^3$ or energy $\isa{M}\isa{L}^2\isa{T}^{-2}$ corresponding to \emph{derived quantities}. \end{enumerate} Then, through a fresh type-constructor \isa{SI}, the abstract measurement systems are instantiated to the SI system --- the \emph{British Imperial System} (BIS) is constructed analogously. Technically, \isa{SI} is a tag-type that represents the fact that the magnitude of a quantity is actually a quantifiable entity in the sense of the SI system. In other words, this means that the magnitude $1$ in quantity \isa{1[L]} actually refers to one metre intended to be measured according to the SI standard. At this point, it becomes impossible, for example, to add to one foot, in the sense of the BIS, to one metre in the SI without creating a type-inconsistency. The theory of the SI is created by specialising the \isa{Measurement\_System}-type with the SI-tag-type and adding new infrastructure. The SI theory provides the following fundamental concepts: \begin{enumerate}% \item measuring units and types corresponding to the ISQ base quantities sich as \emph{metre}, \emph{kilogram}, \emph{second}, \emph{ampere}, \emph{kelvin}, \emph{mole} and \emph{candela} (together with procedures how to measure a metre, for example, which are defined in accompanying standards); \item a standardised set of symbols for units such as $m$, $kg$, $s$, $A$, $K$, $mol$, and $cd$; \item a standardised set of symbols of SI prefixes for multiples of SI units, such as $giga$ ($=10^9$), $kilo$ ($=10^3$), $milli$ ($=10^-3$), etc.; and a set of \item \emph{unit equations} and conversion equations such as $J = kg\,m^2/s^2$ or $1 km/h = 1/3.6\,m/s$. 
\end{enumerate} As a result, it is possible to express ``4500.0 kilogram times metre per second squared'' which has the type \isa{{\isasymreal}\ {\isacharbrackleft}M\ \isactrlsup {\isachardot}\ L\ \isactrlsup {\isachardot}\ T\isactrlsup {\isacharminus}\isactrlsup {\isadigit{3}} \isactrlsup {\isachardot}\, SI{\isacharbrackright}}. This type means that the magnitude $4500$ of the dimension $M \cdot L \cdot T^{- 3}$ is a quantity intended to be measured in the SI-system, which means that it actually represents a force measured in Newtons. % For short, the above expression gets thy type $(\isasymreal)newton$. In the example, the \emph{magnitude} type of the measurement unit is the real numbers ($\isasymreal$). In general, however, magnitude types can be arbitrary types from the HOL library, so for example integer numbers (\isa{int}), integer numbers representable by 32 bits (\isa{int32}), IEEE-754 floating-point numbers (\isa{float}), or, a vector in the three-dimensional space \isa{\isasymreal}$^3$. Thus, our type-system allows to capture both conceptual entities in physics as well as implementation issues in concrete physical calculations on a computer. As mentioned before, it is a main objective of this work to support the quantity calculus of ISQ and the resulting equations on derived SI entities (cf. \cite{SI-Brochure}), both from a type checking as well as a proof-checking perspective. Our design objectives are not easily reconciled, however, and so some substantial theory engineering is required. On the one hand, we want a deep integration of dimensions and units into the Isabelle type system. On the other, we need to do normal-form calculations on types, so that, for example, the units $m$ and $ms^{-1}s$ can be equated. Isabelle's type system follows the Curry-style paradigm, which rules out the possibility of direct calculations on type-terms (in contrast to Coq-like systems). 
However, our semantic interpretation of ISQ and SI allows for the foundation of the heterogeneous equivalence relation $\cong_{Q}$ in semantic terms. This means that we can relate quantities with syntactically different dimension types, yet with same dimension semantics. This paves the way for derived rules that do computations of terms, which represent type computations indirectly. This principle is the basis for the tactic support, which allows for the dimensional type checking of key definitions of the SI system. Some examples are given below. \begin{isamarkuptext}% \isa{\isacommand{theorem}\ metre{\isacharunderscore}definition{\isacharcolon} \newline \ {\isachardoublequoteopen} {\isadigit{1}}\ {\isacharasterisk}\isactrlsub Q\ metre\ {\isasymcong}\isactrlsub Q \ {\isacharparenleft}\isactrlbold c\ \isactrlbold {\isacharslash}\ {\isacharparenleft}{\isadigit{2}}{\isadigit{9}}{\isadigit{9}}{\isadigit{7}}{\isadigit{9}}{\isadigit{2}}{\isadigit{4}}{\isadigit{5}}{\isadigit{8}}\ {\isacharasterisk}\isactrlsub Q\ {\isasymone}{\isacharparenright}{\isacharparenright}\isactrlbold {\isasymcdot}second{\isachardoublequoteclose}\ {\isachardoublequoteopen} \newline \isacommand{by}\ si{\isacharunderscore}calc\ \ \newline \newline \isacommand{theorem}\ kilogram{\isacharunderscore}definition{\isacharcolon} \newline \ {\isachardoublequoteopen}{\isadigit{1}}\ {\isacharasterisk}\isactrlsub Q\ kilogram\ {\isasymcong}\isactrlsub Q\ {\isacharparenleft}\isactrlbold h\ \isactrlbold {\isacharslash}\ {\isacharparenleft}{\isadigit{6}}{\isachardot}{\isadigit{6}}{\isadigit{2}}{\isadigit{6}}{\isadigit{0}}{\isadigit{7}}{\isadigit{0}}{\isadigit{1}}{\isadigit{5}}\ {\isasymcdot}\ {\isadigit{1}}{\isacharslash}{\isacharparenleft}{\isadigit{1}}{\isadigit{0}}{\isacharcircum}{\isadigit{3}}{\isadigit{4}}{\isacharparenright}\ {\isacharasterisk}\isactrlsub Q\ {\isasymone}{\isacharparenright}{\isacharparenright}\isactrlbold {\isasymcdot}metre\isactrlsup {\isacharminus}\isactrlsup {\isasymtwo}\isactrlbold 
{\isasymcdot}second{\isachardoublequoteclose}\ \newline \isacommand{by}\ si{\isacharunderscore}calc\ \ \ }% \end{isamarkuptext}\isamarkuptrue% These equations are both adapted from the SI Brochure, and give the concrete definitions for the metre and kilogram in terms of the physical constants \textbf{c} (speed of light) and \textbf{h} (Planck constant). They are both proved using the tactic \textit{si-calc}. This work has drawn inspiration from some previous formalisations of the ISQ and SI, notably Hayes and Mahoney's formalisation in Z~\cite{HayesBrendan95} and Aragon's algebraic structure for physical quantities~\cite{Aragon2004-SI}. To the best of our knowledge, our mechanisation represents the most comprehensive account of ISQ and SI in a theory prover. % \subsubsection{Previous Attempts.} The work of \cite{HayesBrendan95} represents to our knowledge a % first attempt to formalize SI units in Z, thus a similar language of HOL. While our typing % representation is more rigourous due to the use of type-classes, this works lacks any attempt % to support formal and automated deduction on Si unit equivalences. % % MORE TO COME. \chapter{Preliminaries} \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Pi_Calculus/document/root.tex b/thys/Pi_Calculus/document/root.tex --- a/thys/Pi_Calculus/document/root.tex +++ b/thys/Pi_Calculus/document/root.tex 
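Review bot: in the SI prefix list of this hunk's context, `$milli$ ($=10^-3$)` puts only the minus sign in the superscript (it typesets as 10⁻3); it should be `$10^{-3}$`. While the file is being touched for `fontenc`, the surrounding prose has a few typos that fit in the same change: `sich as` (such as), `in a theory prover` (theorem prover) and `rigourous` (rigorous).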
@@ -1,82 +1,82 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The pi-calculus} \author{Jesper Bengtson} \maketitle \begin{abstract} We formalise the pi-calculus using the nominal datatype package, based on ideas from the nominal logic by Pitts et al., and demonstrate an implementation in Isabelle/HOL. The purpose is to derive powerful induction rules for the semantics in order to conduct machine checkable proofs, closely following the intuitive arguments found in manual proofs. In this way we have covered many of the standard theorems of bisimulation equivalence and congruence, both late and early, and both strong and weak in a uniform manner. We thus provide one of the most extensive formalisations of a the pi-calculus ever done inside a theorem prover. A significant gain in our formulation is that agents are identified up to alpha-equivalence, thereby greatly reducing the arguments about bound names. This is a normal strategy for manual proofs about the pi-calculus, but that kind of hand waving has previously been difficult to incorporate smoothly in an interactive theorem prover. We show how the nominal logic formalism and its support in Isabelle accomplishes this and thus significantly reduces the tedium of conducting completely formal proofs. This improves on previous work using weak higher order abstract syntax since we do not need extra assumptions to filter out exotic terms and can keep all arguments within a familiar first-order logic. 
\end{abstract} \tableofcontents \section{Overview} The following results of the pi-calculus meta-theory are formalised, where the notation (e) means that the results cover the early operational semantics and (l) the late one. \begin{itemize} \item strong bisimilarity is preserved by all operators except the input-prefix (e/l) \item strong equivalence is a congruence (e/l) \item weak bisimilarity is preserved by all operators except the input-prefix and sum (e/l) \item weak congruence is a congruence (e/l) \item strong equivalence respect the laws of structural congruence (l) \item all strongly equivalent agents are also weakly congruent which in turn are weakly bisimilar. Moreover, strongly equivalent agents are also strongly bisimilar (e/l) \item all late equivalences are included in their early counterparts. \item as a corollary of the last three points, all mentioned equivalences respect the laws of structural congruence \item the axiomatisation of the finite fragment of strong late bisimilarity is sound and complete \item The Hennessy lemma (l) \end{itemize} The file naming convention is hopefully self-explanatory, where the prefixes \emph{Strong} and \emph{Weak} denote that the file covers theories required to formalise properties of strong and weak bisimilarity respectively; if the file name contians \emph{Early} or \emph{Late} the theories work with the early or the late operational semantics of the pi-calculus respectively; if the file name contains \emph{Sim} the theories cover simulation, file names containing \emph{Bisim} cover bisimulation, and file names containing \emph{Cong} cover weak congruence; files with the suffix \emph{Pres} deal with theories that reason about preservation properties of operators such as a certain simulation or bisimulation being preserved by a certain operator; files with the suffix \emph{SC} reason about structural congruence. For a complete exposition of all of theories, please consult Bengtson's Ph. D. 
thesis \cite{bengtson:thesis}. A shorter presentation can be found in our LMCS article 'Formalising the pi-calculus using nominal logic' from 2009 \cite{bengtson:lmcs09}. A recollection of the axiomatisation results can be found in the SOS article 'A completeness proof for bisimulation in the pi-calculus using Isabelle' from 2007 \cite{bengtson:sos07}. % include generated text of all theories \section{Formalisation} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Pi_Transcendental/document/root.tex b/thys/Pi_Transcendental/document/root.tex --- a/thys/Pi_Transcendental/document/root.tex +++ b/thys/Pi_Transcendental/document/root.tex @@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Transcendence of $\pi$} \author{Manuel Eberl} \maketitle \begin{abstract} This entry shows the transcendence of $\pi$ based on the classic proof using the fundamental theorem of symmetric polynomials first given by von Lindemann in 1882, but the mostly formalisation follows the version by Niven~\cite{niven_pi39}. The proof reuses much of the machinery developed in the AFP entry on the transcendence of $e$. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Planarity_Certificates/document/root.tex b/thys/Planarity_Certificates/document/root.tex --- a/thys/Planarity_Certificates/document/root.tex +++ b/thys/Planarity_Certificates/document/root.tex 
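Review bot: the pair `+\usepackage[T1]{fontenc}` / `-\usepackage[utf8]{inputenc}` in the Pi_Calculus hunk changes two different things: T1 selects the output font encoding, while dropping `inputenc` relies on the LaTeX kernel reading the source as UTF-8 by default (the case since the 2018 kernel). The visible text of this file is ASCII, so the build is unaffected, but no other file in this patch removes an `inputenc` line, so the commit message should state the minimum TeX distribution the AFP build now assumes. The touched context also has typos that could go in the same change: `contians`, `a the pi-calculus` and `Ph. D.` (Ph.D.).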
@@ -1,46 +1,47 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage{amssymb} \usepackage{wasysym} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Graph Theory} \author{By Lars Noschinski} \maketitle \begin{abstract} This development provides a formalization of planarity based on combinatorial maps and proves that Kuratowski's theorem implies combinatorial planarity. Moreover, it contains verified implementations of programs checking certificates for planarity (i.e., a combinatorial map) or non-planarity (i.e., a Kuratowski subgraph). The development is described in \cite{noschinski_formalizing_2015}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Poincare_Bendixson/document/root.tex b/thys/Poincare_Bendixson/document/root.tex --- a/thys/Poincare_Bendixson/document/root.tex +++ b/thys/Poincare_Bendixson/document/root.tex 
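Review bot: `\title{Graph Theory}` in the Planarity_Certificates hunk does not describe the entry (the abstract is about combinatorial planarity, Kuratowski subgraphs and certificate checkers), and `\author{By Lars Noschinski}` puts the word `By` into the author field, so it is typeset as part of the name. Since the file is already open for the `fontenc` line, consider a title that names planarity certificates and `\author{Lars Noschinski}`; the same `By` pattern appears in the Pratt_Certificate hunk below.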
@@ -1,60 +1,61 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} \usepackage{amsmath} %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \newcommand{\repeatisanl}[1] {\ifnum#1=0\else\isanewline\repeatisanl{\numexpr#1-1}\fi} \newcommand{\snip}[4]{\repeatisanl#2#4\repeatisanl#3} \begin{document} \title{The Poincar\'e-Bendixson Theorem} \author{Fabian Immler and Yong Kiam Tan} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Poincare_Disc/document/root.tex b/thys/Poincare_Disc/document/root.tex --- a/thys/Poincare_Disc/document/root.tex +++ b/thys/Poincare_Disc/document/root.tex 
@@ -1,79 +1,80 @@ \documentclass[8pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[margin=2cm]{geometry} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \usepackage{amsmath} \begin{document} \title{Poincar\'e Disc Model} \author{Danijela Simi\'c \and Filip Mari\'c \and Pierre Boutry} \maketitle \begin{abstract} We describe formalization of the Poincar\'e disc model of hyperbolic geometry within the Isabelle/HOL proof assistant. The model is defined within the extended complex plane (one dimensional complex projective space $\mathbb{C}P^1$), formalized in the AFP entry ``Complex Geometry'' \cite{afp-complex-geometry}. Points, lines, congruence of pairs of points, betweenness of triples of points, circles, and isometries are defined within the model. It is shown that the model satisfies all Tarski's axioms except the Euclid's axiom. It is shown that it satisfies its negation and the limiting parallels axiom (which proves it to be a model of hyperbolic geometry). \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \clearpage % generated text of all theories \input{session} % optional bibliography \clearpage \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Polynomial_Factorization/document/root.tex b/thys/Polynomial_Factorization/document/root.tex 
--- a/thys/Polynomial_Factorization/document/root.tex +++ b/thys/Polynomial_Factorization/document/root.tex 
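Review bot: in the Poincare_Disc hunk, `\usepackage{amsmath}` is loaded after `\usepackage{pdfsetup}`, contradicting the comment `% this should be the last package used` a few lines above; move it up next to `\usepackage{amssymb}`. Also `\documentclass[8pt,a4paper]{article}`: the standard article class only knows the 10pt/11pt/12pt size options, so `8pt` is dropped with an `Unused global option(s)` warning and the document is set at 10pt; if a smaller size is intended, use a class that supports it (for example `extarticle`), otherwise remove the option.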
@@ -1,94 +1,94 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\nats{\mathbb{N}} \newcommand\reals{\mathbb{R}} \newcommand\mod{\mathit{mod}} \newcommand\complex{\mathbb{C}} \newcommand\rai{real algebraic number\xspace} \newcommand\rais{real algebraic numbers\xspace} \begin{document} \title{Polynomial Factorization\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Ren\'e Thiemann and Akihisa Yamada} \maketitle \begin{abstract} Based on existing libraries for polynomial interpolation and matrices, we formalized several factorization algorithms for polynomials, including Kronecker's algorithm for integer polynomials, Yun's square-free factorization algorithm for field polynomials, and a factorization algorithm which delivers root-free polynomials. As side products, we developed division algorithms for polynomials over integral domains, as well as primality-testing and prime-factorization algorithms for integers. \end{abstract} \tableofcontents \section{Introduction} The details of the factorization algorithms have mostly been extracted from Knuth's Art of Computer Programming \cite{Knuth}. Also Wikipedia provided valuable help. \medskip As a first fast preprocessing for factorization we integrated Yun's factorization algorithm which identifies duplicate factors \cite{Yun}. 
In contrast to the existing formalized result that the GCD of $p$ and $p'$ has no duplicate factors (and the same roots as $p$), Yun's algorithm decomposes a polynomial $p$ into $p_1^1 \cdot \ldots \cdot p_n^n$ such that no $p_i$ has a duplicate factor and there is no common factor of $p_i$ and $p_j$ for $i \neq j$. As a comparison, the GCD of $p$ and $p'$ is exactly $p_1 \cdot \ldots \cdot p_n$, but without decomposing this product into the list of $p_i$'s. Factorization over $\rats$ is reduced to factorization over $\ints$ with the help of Gauss' Lemma. Kronecker's algorithm for factorization over $\ints$ requires both polynomial interpolation over $\ints$ and prime factorization over $\nats$. Whereas the former is available as a separate AFP-entry, for prime factorization we mechanized a simple algorithm depicted in \cite{Knuth}: For a given number $n$, the algorithm iteratively checks divisibility by numbers until $\sqrt n$, with some optimizations: it uses a precomputed set of small primes (all primes up to 1000), and if $n\ \mod\ 30 = 11$, the next test candidates in the range $[n,n+30)$ are only the 8 numbers $n,n+2,n+6,n+8,n+12,n+18,n+20,n+26$. However, in theory and praxis it turned out that Kronecker's algorithm is too inefficient. Therefore, in a separate AFP-entry we formalized the Berlekamp-Zassenhaus factorization.\footnote{The Berlekamp-Zassenhaus AFP-entry was originally not present and at that time, this AFP-entry contained an implementation of Berlekamp-Zassenhaus as a non-certified function.} There also is a combined factorization algorithm: For polynomials of degree 2, the closed form for the roots of quadratic polynomials is applied. For polynomials of degree 3, the rational root test determines whether the polynomial is irreducible or not, and finally for degree 4 and higher, Kronecker's factorization algorithm is applied. \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
diff --git a/thys/Polynomial_Interpolation/document/root.tex b/thys/Polynomial_Interpolation/document/root.tex --- a/thys/Polynomial_Interpolation/document/root.tex +++ b/thys/Polynomial_Interpolation/document/root.tex 
@@ -1,95 +1,95 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb,amsmath} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \newcommand\rai{real algebraic number\xspace} \newcommand\rais{real algebraic numbers\xspace} \begin{document} \title{Polynomial Interpolation\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Ren\'e Thiemann and Akihisa Yamada} \maketitle \begin{abstract} We formalized three algorithms for polynomial interpolation over arbitrary fields: Lagrange's explicit expression, the recursive algorithm of Neville and Aitken, and the Newton interpolation in combination with an efficient implementation of divided differences. Variants of these algorithms for integer polynomials are also available, where sometimes the interpolation can fail; e.g., there is no linear integer polynomial $p$ such that $p(0) = 0$ and $p(2) = 1$. Moreover, for the Newton interpolation for integer polynomials, we proved that all intermediate results that are computed during the algorithm must be integers. This admits an early failure detection in the implementation. Finally, we proved the uniqueness of polynomial interpolation. The development also contains improved code equations to speed up the division of integers in target languages. \end{abstract} \tableofcontents \section{Introduction} We formalize three basic algorithms for interpolation for univariate field polynomials and integer polynomials which can be found in various textbooks or on Wikipedia. 
However, this formalization covers only basic results, e.g., compared to a specialized textbook on interpolation \cite{interpolation}, we only cover results of the first of the eight chapters. Given distinct inputs $x_0,\dots,x_n$ and corresponding outputs $y_0,\dots,y_n$, \emph{polynomial interpolation} is to provide a polynomial $p$ (of degree at most $n$) such that $p(x_i) = y_i$ for every $i < n$. The first solution we formalize is Lagrange's explicit expression: \[ p(x) = \sum_{ik$. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Pratt_Certificate/document/root.tex b/thys/Pratt_Certificate/document/root.tex --- a/thys/Pratt_Certificate/document/root.tex +++ b/thys/Pratt_Certificate/document/root.tex 
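Review bot: the Polynomial_Interpolation hunk is not applicable as submitted: its context breaks off inside the displayed formula `\[ p(x) = \sum_{i` and resumes with `k$. \end{abstract}` from a different file, so the hunk cannot be matched against the file its header `@@ -1,95 +1,95 @@` describes. Please re-export this diff; the intended change (adding `\usepackage[T1]{fontenc}` and dropping the blank line after `\usepackage{isabelle,isabellesym}`) mirrors the Polynomial_Factorization hunk and is fine on its own.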
@@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{amsmath} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Formalization of Pratt's Primality Certificates} \author{By Simon Wimmer and Lars Noschinski} \maketitle \begin{abstract} In 1975, Pratt introduced a proof system for certifying primes \cite{pratt1975certificate}. He showed that a number $p$ is prime iff a primality certificate for $p$ exists. By showing a logarithmic upper bound on the length of the certificates in size of the prime number, he concluded that the decision problem for prime numbers is in NP. This work formalizes soundness and completeness of Pratt's proof system as well as an upper bound for the size of the certificate. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End\dots diff --git a/thys/Presburger-Automata/document/root.tex b/thys/Presburger-Automata/document/root.tex --- a/thys/Presburger-Automata/document/root.tex +++ b/thys/Presburger-Automata/document/root.tex 
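Review bot: the Pratt_Certificate hunk ends its Emacs trailer with `%%% End\dots` instead of `%%% End:`; it is a comment, so the build is unaffected, but the file-local variables block is malformed and every other file in this patch closes it with `%%% End:`. Fix it while the file is open. In the abstract, `upper bound on the length of the certificates in size of the prime number` also reads awkwardly; `in the size of the prime` is what is meant.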
@@ -1,48 +1,49 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \isadroptag{theory} \renewcommand{\isadigit}[1]{\isamath{#1}} \begin{document} \title{Formalizing the Logic-Automaton Connection} \author{Markus Reiter \and Stefan Berghofer} \maketitle \begin{abstract} This work presents a formalization of a library for automata on bit strings. It forms the basis of a reflection-based decision procedure for Presburger arithmetic, which is efficiently executable thanks to Isabelle's code generator. With this work, we therefore provide a mechanized proof of a well-known connection between logic and automata theory. The formalization is also described in a publication~\cite{BerghoferR-TPHOLs09}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{Boudet-Comon-CAAP96,Klarlund-CSL97} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Prim_Dijkstra_Simple/document/root.tex b/thys/Prim_Dijkstra_Simple/document/root.tex --- a/thys/Prim_Dijkstra_Simple/document/root.tex +++ b/thys/Prim_Dijkstra_Simple/document/root.tex 
@@ -1,69 +1,69 @@ \documentclass[11pt,a4paper,notitlepage]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra} \author{Peter Lammich \and Tobias Nipkow} \maketitle \begin{abstract} We verify purely functional, simple and efficient implementations of Prim's and Dijkstra's algorithms. This constitutes the first verification of an executable and even efficient version of Prim's algorithm. This entry formalizes the second part of our ITP-2019 proof pearl \emph{Purely Functional, Simple and Efficient Priority Search Trees and Applications to Prim and Dijkstra} ~\cite{LaNi19}. \end{abstract} \clearpage \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \clearpage \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Prime_Distribution_Elementary/document/root.tex b/thys/Prime_Distribution_Elementary/document/root.tex --- a/thys/Prime_Distribution_Elementary/document/root.tex +++ b/thys/Prime_Distribution_Elementary/document/root.tex 
@@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Elementary Facts About the Distribution of Primes} \author{Manuel Eberl} \maketitle \begin{abstract} This entry is a formalisation of Chapter 4 (and parts of Chapter 3) of Apostol's \emph{Introduction to Analytic Number Theory}. The main topics that are addressed are properties of the distribution of prime numbers that can be shown in an elementary way (i.\,e.\ without the Prime Number Theorem), the various equivalent forms of the PNT (which imply each other in elementary ways), and consequences that follow from the PNT in elementary ways. The latter include bounds for the number of distinct prime factors of $n$, the divisor function $d(n)$, Euler's totient function $\varphi(n)$, and $\text{lcm}(1,\ldots,n)$. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \nocite{apostol1976analytic} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Prime_Harmonic_Series/document/root.tex b/thys/Prime_Harmonic_Series/document/root.tex --- a/thys/Prime_Harmonic_Series/document/root.tex +++ b/thys/Prime_Harmonic_Series/document/root.tex 
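Review bot: the `-\usepackage{amsfonts, amsmath, amssymb}` / `+\usepackage{amsfonts,amsmath,amssymb}` pair in the Prime_Distribution_Elementary hunk is a whitespace-only change unrelated to the `fontenc` addition (LaTeX ignores spaces in the package list either way). It is harmless, but the same pair appears in the Pi_Transcendental and Prime_Number_Theorem hunks, so either mention the normalisation in the commit message or keep it out of a patch whose purpose is the encoding fix.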
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Divergence of the Prime Harmonic Series} \author{Manuel Eberl} \maketitle \begin{abstract} In this work, we prove the lower bound $\ln (H_n) - \ln(\frac{5}{3})$ for the partial sum of the Prime Harmonic series and, based on this, the divergence of the Prime Harmonic Series $\sum_{p=1}^n [p\ \mathrm{prime}] \cdot \frac{1}{p}$. The proof relies on the unique squarefree decomposition of natural numbers. This proof is similar to Euler's original proof (which was highly informal and morally questionable). Its advantage over proofs by contradiction, like the famous one by Paul Erd\H{o}s, is that it provides a relatively good lower bound for the partial sums. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Prime_Number_Theorem/document/root.tex b/thys/Prime_Number_Theorem/document/root.tex --- a/thys/Prime_Number_Theorem/document/root.tex +++ b/thys/Prime_Number_Theorem/document/root.tex 
@@ -1,46 +1,47 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Prime Number Theorem} \author{Manuel Eberl and Larry Paulson} \maketitle \begin{abstract} This article provides a short proof of the Prime Number Theorem in several equivalent forms, most notably $\pi(x)\sim x / \ln x$ where $\pi(x)$ is the number of primes no larger than $x$. It also defines other basic number-theoretic functions related to primes like Chebyshev's $\vartheta$ and $\psi$ and the ``$n$-th prime number'' function $p_n$. We also show various bounds and relationship between these functions are shown. Lastly, we derive Mertens' First and Second Theorem, i.\,e.\ $\sum_{p\leq x} \frac{\ln p}{p} = \ln x + O(1)$ and $\sum_{p\leq x} \frac{1}{p} = \ln\ln x + M + O(1/\ln x)$. We also give explicit bounds for the remainder terms. The proof of the Prime Number Theorem builds on a library of Dirichlet series and analytic combinatorics. We essentially follow the presentation by Newman~\cite{newman1998analytic}. The core part of the proof is a Tauberian theorem for Dirichlet series, which is proven using complex analysis and then used to strengthen Mertens' First Theorem to $\sum_{p\leq x} \frac{\ln p}{p} = \ln x + c + o(1)$. A variant of this proof has been formalised before by Harrison in HOL Light~\cite{harrison-pnt}, and formalisations of Selberg's elementary proof exist both by Avigad \textit{et al.}\ \cite{avigad_pnt}\ in Isabelle and by Carneiro~\cite{carneiro_pnt} in Metamath. The advantage of the analytic proof is that, while it requires more powerful mathematical tools, it is considerably shorter and clearer. 
This article attempts to provide a short and clear formalisation of all components of that proof using the full range of mathematical machinery available in Isabelle, staying as close as possible to Newman's simple paper proof. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \section{Acknowledgements} Paulson was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council at the University of Cambridge, UK. \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Priority_Queue_Braun/document/root.tex b/thys/Priority_Queue_Braun/document/root.tex --- a/thys/Priority_Queue_Braun/document/root.tex +++ b/thys/Priority_Queue_Braun/document/root.tex @@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Priority Queues Based on Braun Trees} \author{Tobias Nipkow} \maketitle \begin{abstract} This entry verifies priority queues based on Braun trees. Insertion and deletion take logarithmic time and preserve the balanced nature of Braun trees. Two implementations of deletion are provided. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Priority_Search_Trees/document/root.tex b/thys/Priority_Search_Trees/document/root.tex --- a/thys/Priority_Search_Trees/document/root.tex +++ b/thys/Priority_Search_Trees/document/root.tex 
@@ -1,87 +1,88 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Priority Search Trees} \author{Peter Lammich \and Tobias Nipkow} \maketitle \begin{abstract} We present a new, purely functional, simple and efficient data structure combining a search tree and a priority queue, which we call a \emph{priority search tree}. The salient feature of priority search trees is that they offer a decrease-key operation, something that is missing from other simple, purely functional priority queue implementations. Priority search trees can be implemented on top of any search tree. This entry does the implementation for red-black trees. This entry formalizes the first part of our ITP-2019 proof pearl \emph{Purely Functional, Simple and Efficient Priority Search Trees and Applications to Prim and Dijkstra} ~\cite{LaNi19}. \end{abstract} \clearpage \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \section{Related Work} Our priority map ADT is close to Hinze's \cite{DBLP:conf/icfp/Hinze01} \emph{priority search queue} interface, except that he also supports a few further operations that we could easily add but do not need for our applications. 
However, it is not clear if his implementation technique is the same as our priority search tree because his description employs a plethora of concepts, e.g.\ \emph{priority search pennants}, \emph{tournament trees}, \emph{semi-heaps}, and multiple \emph{views} of data types that obscure a direct comparison. We claim that at the very least our presentation is new because it is much simpler; we encourage the reader to compare the two. As already observed by Hinze, McCreight's \cite{McCreight85} priority search trees support range queries more efficiently than our trees. However, we can support the same range queries as Hinze efficiently, but that is outside the scope of this entry. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Probabilistic_Noninterference/document/root.tex b/thys/Probabilistic_Noninterference/document/root.tex --- a/thys/Probabilistic_Noninterference/document/root.tex +++ b/thys/Probabilistic_Noninterference/document/root.tex 
@@ -1,59 +1,59 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{textcomp} \usepackage{amssymb} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} \usepackage{hyperref} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Probabilistic Noninterference} \author{Andrei Popescu \hspace*{10ex} Johannes H\"{o}lzl} \maketitle \begin{abstract} We formalize a probabilistic noninterference for a multi-threaded language with uniform scheduling, where probabilistic behaviour comes from both the scheduler and the individual threads. We define notions probabilistic noninterference in two variants: resumption-based and trace-based. For the resumption-based notions, we prove compositionality w.r.t.\ the language constructs and establish sound type-system-like syntactic criteria. This is a formalization of the mathematical development presented in the papers~\cite{cpp2013,calco2013}. It is the probabilistic variant of the \href{http://isa-afp.org/entries/Possibilistic_Noninterference.shtml}{Possibilistic Noninterference} AFP entry. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Probabilistic_Prime_Tests/document/root.tex b/thys/Probabilistic_Prime_Tests/document/root.tex --- a/thys/Probabilistic_Prime_Tests/document/root.tex +++ b/thys/Probabilistic_Prime_Tests/document/root.tex 
@@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Probabilistic Primality Testing} \author{Daniel Stüwe and Manuel Eberl} \maketitle \begin{abstract} The most efficient known primality tests are \emph{probabilistic} in the sense that they use randomness and may, with some probability, mistakenly classify a composite number as prime -- but never a prime number as composite. Examples of this are the Miller--Rabin test, the Solovay--Strassen test, and (in most cases) Fermat's test. This entry defines these three tests and proves their correctness. It also develops some of the number-theoretic foundations, such as Carmichael numbers and the Jacobi symbol with an efficient executable algorithm to compute it. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Probabilistic_System_Zoo/document/root.tex b/thys/Probabilistic_System_Zoo/document/root.tex --- a/thys/Probabilistic_System_Zoo/document/root.tex +++ b/thys/Probabilistic_System_Zoo/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[ngerman,english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Probabilistic Hierarchy} \author{Johannes H\"olzl \and Andreas Lochbihler \and Dmitriy Traytel} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{Probabilistic_Hierarchy} \input{Vardi} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Probabilistic_System_Zoo/document/root_bnfs.tex b/thys/Probabilistic_System_Zoo/document/root_bnfs.tex --- a/thys/Probabilistic_System_Zoo/document/root_bnfs.tex +++ b/thys/Probabilistic_System_Zoo/document/root_bnfs.tex @@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[ngerman,english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Types Proved Being BNFs during the\\Formalization of the Probabilistic Hierarchy} \author{Johannes H\"olzl \and Andreas Lochbihler \and Dmitriy Traytel} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{Nonempty_Bounded_Set} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Probabilistic_System_Zoo/document/root_non_bnfs.tex b/thys/Probabilistic_System_Zoo/document/root_non_bnfs.tex --- a/thys/Probabilistic_System_Zoo/document/root_non_bnfs.tex +++ b/thys/Probabilistic_System_Zoo/document/root_non_bnfs.tex @@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[ngerman,english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Types Disproved Being BNFs during the Formalization of the Probabilistic Hierarchy} \author{Johannes H\"olzl \and Andreas Lochbihler \and Dmitriy Traytel} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{Finitely_Bounded_Set_Counterexample} \input{Vardi_Counterexample} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Probabilistic_Timed_Automata/document/root.tex b/thys/Probabilistic_Timed_Automata/document/root.tex --- a/thys/Probabilistic_Timed_Automata/document/root.tex +++ b/thys/Probabilistic_Timed_Automata/document/root.tex 
@@ -1,69 +1,69 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage[margin=2cm]{geometry} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} \usepackage[english]{babel} \usepackage{stmaryrd} \usepackage{eufrak} \usepackage{wasysym} \usepackage{tikz} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Probabilistic Timed Automata} \author{Simon Wimmer and Johannes Hölzl} \maketitle \begin{abstract} We present a formalization of probabilistic timed automata (PTA) for which we try to follow the formula ``MDP + TA = PTA'' as far as possible: our work starts from our existing formalizations of Markov decision processes (MDP) and timed automata (TA) and combines them modularly. We prove the fundamental result for probabilistic timed automata: the region construction that is known from timed automata carries over to the probabilistic setting. In particular, this allows us to prove that minimum and maximum reachability probabilities can be computed via a reduction to MDP model checking, including the case where one wants to disregard unrealizable behavior. Further information can be found in our ITP paper \cite{PTA-ITP-2018}. \end{abstract} The definition of the PTA semantics can be found in Section~\ref{sem:mdp}, the region MDP is in Section~\ref{sem:mdprg}, the bisimulation theorem is in Section~\ref{thm:bisim}, and the final theorems can be found in Section~\ref{thm:minmax}. The background theory we formalize is described in the seminal paper on PTA \cite{KNSS2002}. \tableofcontents \pagebreak % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Probabilistic_While/document/root.tex b/thys/Probabilistic_While/document/root.tex --- a/thys/Probabilistic_While/document/root.tex +++ b/thys/Probabilistic_While/document/root.tex @@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} \usepackage{booktabs} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Probabilistic while loop} \author{Andreas Lochbihler} \maketitle \begin{abstract} This AFP entry defines a probabilistic while operator based on sub-probability mass functions and formalises zero-one laws and variant rules for probabilistic loop termination. As applications, we implement probabilistic algorithms for the Bernoulli, geometric and arbitrary uniform distributions that only use fair coin flips, and prove them correct and terminating with probability 1. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Program-Conflict-Analysis/document/root.tex b/thys/Program-Conflict-Analysis/document/root.tex --- a/thys/Program-Conflict-Analysis/document/root.tex +++ b/thys/Program-Conflict-Analysis/document/root.tex 
@@ -1,150 +1,151 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Formalization of Conflict Analysis of Programs with Procedures, Thread Creation, and Monitors in Isabelle/HOL} \author{Peter Lammich \and Markus M\"uller-Olm \\[2ex] % Institut f\"ur Informatik, Fachbereich Mathematik und Informatik\\ Westf\"alische Wilhelms-Universit\"at M\"unster\\[1ex] % \texttt{peter.lammich@uni-muenster.de} and \texttt{mmo@math.uni-muenster.de} } % \institute{ % Institut für Informatik, Fachbereich Mathematik und Informatik\\ % Westfälische Wilhelms-Universität Münster\\ % \email{peter.lammich@uni-muenster.de} and \email{mmo@math.uni-muenster.de} % } \maketitle \begin{abstract} In this work we formally verify the soundness and precision of a static program analysis that detects conflicts (e.g.\ data races) in programs with procedures, thread creation and monitors with the Isabelle theorem prover. As common in static program analysis, our program model abstracts guarded branching by nondeterministic branching, but completely interprets the call-/return behavior of procedures, synchronization by monitors, and thread creation. The analysis is based on the observation that all conflicts already occur in a class of particularly restricted schedules. These restricted schedules are suited to constraint-system-based program analysis. The formalization is based upon a flowgraph-based program model with an operational semantics as reference point. \end{abstract} \clearpage \tableofcontents \clearpage \parindent 0pt\parskip 0.5ex \section{Introduction} Conflicts are a common programming error in parallel programs. A conflict occurs if the same resource is accessed simultaneously by more than one process. 
Given a program $\pi$ and two sets of control points $U$ and $V$, the analysis problem is to decide whether there is an execution of $\pi$ that simultaneously reaches one control point from $U$ and one from $V$. In this work, we use a flowgraph-based program model that extends a previously studied model \cite{LM07} by reentrant monitors. In our model, programs can call recursive procedures, dynamically create new threads and synchronize via reentrant monitors. As usual in static program analysis, our program model abstracts away guarded branching by nondeterministic choice. We use an operational semantics as reference point for the correctness proofs. It models parallel execution by interleaving, i.e. just one thread is executed at any time and context switches may occur after every step. The next step is nondeterministically selected from all threads ready for execution. The analysis is based on a constraint system generated from the flowgraph. From its least solution, one can decide whether control points from $U$ and $V$ are simultaneously reachable or not. It is notoriously hard to analyze concurrent programs with constraint systems because of the arbitrary fine-grained interleaving. The key idea behind our analysis is to use a restricted scheduling: While the interleaving semantics can switch the context after each step, the restricted scheduling just allows context switches at certain points of a thread's execution. We can show that each conflict is also reachable under this restricted scheduling. The restricted schedules can be easily analyzed with constraint systems as most of the complexity generated by arbitrary interleaving does no longer occur due to the restrictions. The remaining concurrency effects can be smoothly handled by using the concept of acquisition histories \cite{KIG05}. \paragraph{Related Work} In \cite{LM07} we present a constraint-system-based analysis for programs with thread creation and procedures but without monitors. 
The abstraction from synchronization is common in this line of research: There are automata-based techniques \cite{BMT05,EK99,EP00} as well as constraint-system-based techniques \cite{SeSt00,LM07} to analyze programs with procedures and either parallel calls or thread creation, but without any synchronization. In \cite{KIG05,KG06} analysis techniques for interprocedural parallel programs with a fixed number of initial threads and nested locks are presented. These nested locks are not syntactically bound to the program structure, but assumed to be well-nested, that is any unlock statement is required to release the lock that was acquired last by the thread. Moreover, there is no support for reentrant locks\footnote{Reentrant locks can always be simulated by non-reentrant ones, at the cost of a worst-case exponential blowup of the program size}. We use monitors instead of locks. Monitors are syntactically bound to the program structure and thus well-nestedness is guaranteed statically. Additionally we directly support reentrant monitors. Our model cannot simulate well-nested locks where a lock statement and its corresponding unlock statement may be in different procedures (as in \cite{KIG05,KG06}). As common programming languages like Java also use reentrant monitors rather than locks, we believe our model to be useful as well. \paragraph{Document structure} This document contains a commented formalization of these ideas as a collection of Isabelle/HOL theories. A more abstract description is in preparation. This document starts with formalization monitor consistent interleaving (Section~\ref{thy:ConsInterleave}) and acquisition histories (Section~\ref{thy:AcquisitionHistory}). Labeled transition systems are formalized in Section~\ref{thy:LTS}, and Section~\ref{thy:ThreadTracking} defines the notion of interleaving semantics. Flowgraphs are defined in Section~\ref{thy:Flowgraph}, and Section~\ref{thy:Semantics} describes their operational semantics. 
Section~\ref{thy:Normalization} contains the formalization of the restricted interleaving and Section~\ref{thy:ConstraintSystems} contains the constraint systems. Finally, the main result of this development -- the correctness of the constraint systems w.r.t. to the operational semantics -- is briefly stated in Section~\ref{thy:MainResult}. % While it is notoriously hard to analyze unrestricted interleaving semantics with constraint systems, our restricted scheduling is easy to % analyze % We use a flowgraph based program model that is an extension of the one we used in \cite{LM07}. We represent a program by an edge annotated graph. % The graph is partitioned by a set of procedures, that is each node of the graph belongs to exactly % one procedure, and there are no edges across procedures. The nodes of the graph correspond to the control points of the program, and the edges correspond to the statements. The edges are annotated with % the statements they execute. There are base statements, whose structure is not relevant for this work and thus left undefined. The further statements are call statements to call a procedure and spawn statements % to create a new thread. Each procedure has a designated entry and return node as well as a set of monitors it synchronizes on, and the whole program has a designated $main$ procedure. % For technical reasons, we impose some additional structural restrictions on flowgraphs. However, those restrictions do not limit the power of our analysis, as any flowgraph can be mapped to a restricted one with the same % conflicts. % We define an operational semantics on flowgraphs. A configuration is a multiset of stacks of nodes, and a step is labelled with either the annotation of the edge that was executed or with a special return label, % if a procedure return was executed. 
The current state of a single thread is modelled as a stack, the top entry being the node corresponding to the current control point, and the nodes deeper on the stack being stored % return addresses. The thread may make any step corresponding to an outgoing edge or a return step if it is at a return node. A call step may only be performed if all monitors required by the called procedure are free. % In our model, monitors are {\em reentrant}, that is a thread may recursively enter the same monitor. A spawn step may always be performed, as we constrain initial procedures of threads not to synchronize on monitors. % A spawn step creates a new stack containing just the initial procedure's entry point. % The concurrency aspect is modelled by interleaving, that is one step of the semantics corresponds to a single thread's step. The thread to make the next step is nondeterministically selected from all available threads that are % ready to make a step. % Based on the operational semantics, we can formally define our analysis problem. We use this definition as a reference point, that is we trust that this definition does what we want and prove our analysis does the same. % The aim of this work is to develop a constraint system based static program analysis for the simultaneous reachability problem. In the isabelle formalization, we describe the constraint systems by inductively defined sets. This % description is not exactly what we want, since we cannot use other lattices than the powerset lattice and cannot use finite chain height properties to derive executable algorithms. However, this description is sufficient to % capture all the other aspects of the analysis. % It is particular hard to describe interleaving and thread creation in a constraint system directly (c.f. \cite{BMT05}). The key idea to our algorithm is to consider a semantics that only allows for a restricted interleaving. % We call an execution adhering to this restricted interleaving {\em normalized}. 
We then show that all configurations that are reachable via some execution are also reachable via a normalized one. Thus it is sufficient to % consider the normalized executions, which have some nice properties allowing a concise treatment with constraint system based techniques. For the treatment of concurrency, we use the concept of % {\em acquisition histories} \cite{KIG05}. % \paragraph{Related Work} % In \cite{LM07} we present a constraint system based analysis for programs with thread creation and procedures but without monitors. The abstraction from any synchronization is common in this line of research: % There are automata based techniques \cite{BMT05,EK99,EP00} as well as constraint system based techniques \cite{SeSt00,LM07} to analyze programs with procedures and either parallel calls or thread creation, but without any % synchronization. In \cite{KIG05,KG06} analysis techniques for interprocedural parallel programs with a fixed number of initial threads and nested locks are developped. The nested locks are not syntactically bound to the program % structure, but assumed to be well-nested, that is any unlock statement is required to be for the lock that was acquired last by the thread. Moreover, they do not support reentrant locks. We use monitors instead of locks, that are % syntactically bound to the program structure and thus guarantee well-nesting. Additionally we allow reentrant locks. % Our model cannot simulate the one used in \cite{KIG05,KG06} and vice versa. However, since languages like Java also use monitors rather than locks, we believe our model to also be useful. % generated text of all theories \input{session} \section{Conclusion} We have formalized a flowgraph-based model for programs with recursive procedure calls, dynamic thread creation and reentrant monitors and its operational semantics. 
Based on the operational semantics, we defined a conflict as being able to simultaneously reach two control points from two given sets $U$ and $V$ when starting at the initial program configuration, just consisting of a single thread at the entry point of the main procedure. We then formalized a constraint-system-based analysis for conflicts and proved it sound and precise w.r.t. the operational definition of a conflict. The main idea of the analysis was to restrict the possible schedules of a program. On the one hand, this restriction enabled the constraint system based analysis, on the other hand it did not change the set of reachable configurations (and thus the set of conflicts). We characterized the constraint systems as inductive sets. While we did not derive an executable algorithm explicitly, the steps from the inductive sets characterization to an algorithm follow the path common in program analysis and pose no particular difficulty. The algorithm would have to construct a constraint system (system of inequalities over a finite height lattice) from a given program corresponding to the inductively defined sets studied here and then determine its least solution, e.g. by a worklist algorithm. In order to make the algorithm executable, we would have to introduce finiteness assumptions for our programs. The derivation of executable algorithms is currently in preparation. A formal analysis of the algorithmic complexity of the problem will be presented elsewhere. Here we only present some results: Already the problem of deciding the reachability of a single control node is NP-hard, as can be shown by a simple reduction from SAT. On the other hand, we can decide simultaneous reachability in nondeterministic polynomial time in the program size, where the number of random bits depends on the possible nesting depth of the monitors. This can be shown by analyzing the constraint systems. 
\paragraph{Acknowledgement} We thank Dejvuth Suwimonteerabuth for an interesting discussion about static analysis of programs with locks. We also thank the people on the Isabelle mailing list for quick and useful responses. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Projective_Geometry/document/root.tex b/thys/Projective_Geometry/document/root.tex --- a/thys/Projective_Geometry/document/root.tex +++ b/thys/Projective_Geometry/document/root.tex @@ -1,35 +1,35 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Projective Geometry} \author{Anthony Bordg} \maketitle \begin{abstract} We formalize the basics of projective geometry. \\ In particular, we give a proof of the so-called Hessenberg's theorem in projective plane geometry (see \cite{Bezem2008} for an alternative proof using a Coherent Logic prover in Prolog which generates Coq proof scripts). \\ We also provide a proof of the so-called Desargues's theorem based on an axiomatization~\cite{Magaud_2012} of (higher) projective space geometry using the notion of rank of a matroid. This last approach allows to handle incidence relations in an homogeneous way dealing only with points and without the need of talking explicitly about lines, planes or any higher entity. \end{abstract} \tableofcontents \input{session} \section{Acknowledgements} The author was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council and led by Professor Lawrence Paulson at the University of Cambridge, UK. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Promela/document/root.tex b/thys/Promela/document/root.tex 
--- a/thys/Promela/document/root.tex +++ b/thys/Promela/document/root.tex @@ -1,59 +1,60 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\isaheader}[1]{#1} \newcommand{\isachapter}[1]{\chapter{#1}} \newcommand{\isasection}[1]{\section{#1}} % General \newcommand{\ie}{i.\,e.\ } \newcommand{\eg}{e.\,g.\ } \newcommand{\wrt}{w.\,r.\,t.\ } \newcommand{\cf}{cf.\ } \begin{document} \title{Promela Formalization} \author{By Ren\'{e} Neumann} \maketitle \begin{abstract} We present an executable formalization of the language Promela, the description language for models of the model checker SPIN. This formalization is part of the work for a completely verified model checker (CAVA), but also serves as a useful (and executable!) description of the semantics of the language itself, something that is currently missing. The formalization uses three steps: It takes an abstract syntax tree generated from an SML parser, removes syntactic sugar and enriches it with type information. This further gets translated into a transition system, on which the semantic engine (read: successor function) operates. \end{abstract} \clearpage \tableofcontents \clearpage \input{intro} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Proof_Strategy_Language/document/root.tex b/thys/Proof_Strategy_Language/document/root.tex --- a/thys/Proof_Strategy_Language/document/root.tex +++ b/thys/Proof_Strategy_Language/document/root.tex 
@@ -1,78 +1,79 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{PSL: Proof Strategy Language for Isabelle/HOL} \author{Yutaka Nagashima \\ Data61, CSIRO / NICTA \footnote{NICTA is funded by the Australian Government through the Department of Communications and the Australian Research Council through the ICT Centre of Excellence Program.} } \maketitle \begin{abstract} Isabelle includes various automatic tools for finding proofs under certain conditions. However, for each conjecture, knowing which automation to use, and how to tweak its parameters, is currently labour intensive. We have developed a language, PSL \cite{DBLP:journals/corr/NagashimaK16}, designed to capture high level proof strategies. PSL offloads the construction of human-readable fast-to-replay proof scripts to automatic search, making use of search-time information about each conjecture. Our preliminary evaluations show that PSL reduces the labour cost of interactive theorem proving. This submission contains the implementation of PSL and an example theory file, Example.thy, showing how to write poof strategies in PSL. 
\end{abstract} %\tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories %\input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/PropResPI/document/root.tex b/thys/PropResPI/document/root.tex --- a/thys/PropResPI/document/root.tex +++ b/thys/PropResPI/document/root.tex 
@@ -1,68 +1,69 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Propositional Resolution and Prime Implicates Generation} \author{Nicolas Peltier\\Laboratory of Informatics of Grenoble/CNRS \\University Grenoble Alps} \maketitle \begin{abstract} We provide formal proofs in Isabelle-HOL (using mostly structured Isar proofs) of the soundness and completeness of the Resolution rule in propositional logic. The completeness proofs take into account the usual redundancy elimination rules (namely tautology elimination and subsumption), and several refinements of the Resolution rule are considered: ordered resolution (with selection functions), positive and negative resolution, semantic resolution and unit resolution (the latter refinement is complete only for clause sets that are Horn-renamable). We also define a concrete procedure for computing saturated sets and establish its soundness and completeness. The clause sets are not assumed to be finite, so that the results can be applied to formulas obtained by grounding sets of first-order clauses (however, a total ordering among atoms is assumed to be given). 
Next, we show that the unrestricted Resolution rule is deductive-complete, in the sense that it is able to generate all (prime) implicates of any set of propositional clauses (i.e., all entailment-minimal, non-valid, clausal consequences of the considered set). The generation of prime implicates is an important problem, with many applications in artificial intelligence and verification (for abductive reasoning, knowledge compilation, diagnosis, debugging etc.). We also show that implicates can be computed in an incremental way, by fixing an ordering among all the atoms and resolving upon these atoms one by one in the considered order (with no backtracking). This feature is critical for the efficient computation of prime implicates. Building on these results, we provide a procedure for computing such implicates and establish its soundness and completeness. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Propositional_Proof_Systems/document/root.tex b/thys/Propositional_Proof_Systems/document/root.tex --- a/thys/Propositional_Proof_Systems/document/root.tex +++ b/thys/Propositional_Proof_Systems/document/root.tex 
@@ -1,90 +1,90 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[x11names, rgb]{xcolor} -\usepackage[utf8]{inputenc} \usepackage{tikz} \usetikzlibrary{snakes,arrows,shapes} \usepackage{amsmath} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ %\renewcommand{\isasymdots}{\dots} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Propositional Proof Systems} \author{Julius Michaelis and Tobias Nipkow} \maketitle \begin{abstract} We present a formalization of Sequent Calculus, Natural Deduction, Hilbert Calculus, and Resolution using a deep embedding of propositional formulas. We provide proofs of many of the classical results, including Cut Elimination, Craig's Interpolation, proof transformation between all calculi, and soundness and completeness. Additionally, we formalize the Model Existence Theorem. \end{abstract} \tableofcontents \vspace{1em} The files of this entry are organized as a web of results that should allow loading only that part of the formalization that the user is interested in. Special care was taken not to mix proofs that require semanics and proofs that talk about transformation between proof systems. An overview of the different theory files and their dependencies can be found in figures \ref{fig:prooftran} and \ref{fig:sema}. 
% ./overview.sh tex sema >document/fig_sema.tex && ./overview.sh tex prooftran >document/fig_tran.tex \begin{figure} \centering \input{fig_tran} \caption{Overview of results considering Proof Transformation} \label{fig:prooftran} \end{figure} \begin{figure} \centering \scalebox{0.8}{\input{fig_sema}} \caption{Overview of results considering Semantics} \label{fig:sema} \end{figure} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Prpu_Maxflow/document/root.tex b/thys/Prpu_Maxflow/document/root.tex --- a/thys/Prpu_Maxflow/document/root.tex +++ b/thys/Prpu_Maxflow/document/root.tex 
@@ -1,107 +1,108 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{wasysym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} %\newcommand{\isaheader}[1]{\section{#1}} \newcommand{\DefineSnippet}[2]{#2} \newcommand{\cormen}[1]{[Cormen~$#1$]} \begin{document} \title{Formalizing Push-Relabel Algorithms} \author{Peter Lammich and S.~Reza Sefidgar} \maketitle \begin{abstract} We present a formalization of push-relabel algorithms for computing the maximum flow in a network. We start with Goldberg's et al.~generic push-relabel algorithm, for which we show correctness and the time complexity bound of $O(V^2E)$. We then derive the relabel-to-front and FIFO implementation. Using stepwise refinement techniques, we derive an efficient verified implementation. Our formal proof of the abstract algorithms closely follows a standard textbook proof, and is accessible even without being an expert in Isabelle/HOL--- the interactive theorem prover used for the formalization. 
\end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} Computing the maximum flow of a network is an important problem in graph theory. Many other problems, like maximum-bipartite-matching, edge-disjoint-paths, circulation-demand, as well as various scheduling and resource allocating problems can be reduced to it. The practically most efficient algorithms to solve the maximum flow problem are push-relabel algorithms~\cite{ChGo97}. In this entry, we present a formalization of Goldberg's et al.\ generic push-relabel algorithm~\cite{GoTa88}, and two instances: The relabel-to-front algorithm~\cite{CLRS09} and the FIFO push-relabel algorithm~\cite{GoTa88}. Using stepwise refinement techniques~\cite{Wirth71,Back78,BaWr98}, we derive efficient verified implementations. Moreover, we show that the generic push-relabel algorithm has a time complexity of $O(V^2E)$. This entry re-uses and extends theory developed for our formalization of the Edmonds-Karp maximum flow algorithm~\cite{LaSe16,LaSe16_afp}. While there exists another formalization of the Ford-Fulkerson method in Mizar~\cite{Lee05}, we are, to the best of our knowledge, the first that verify a polynomial maximum flow algorithm, prove a polynomial complexity bound, or provide a verified executable implementation. % generated text of all theories \input{session} \section{Conclusion}\label{sec:concl} We have presented a verification of two push-relabel algorithms for solving the maximum flow problem. Starting with a generic push-relabel algorithm, we have used stepwise refinement techniques to derive the relabel-to-front and FIFO push-relabel algorithms. Further refinement yields verified efficient imperative implementations of the algorithms. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/PseudoHoops/document/root.tex b/thys/PseudoHoops/document/root.tex --- a/thys/PseudoHoops/document/root.tex +++ b/thys/PseudoHoops/document/root.tex 
@@ -1,63 +1,63 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Pseudo-hoops} \author{George Georgescu and Lauren\c tiu Leu\c stean and Viorel Preoteasa} \maketitle \begin{abstract} Pseudo-hoops are algebraic structures introduced in \cite{bosbach:1969,bosbach:1970} by B. Bosbach under the name of complementary semigroups. This is a formalization of the paper \cite{georgescu:leustean:preoteasa:2005}. Following \cite{georgescu:leustean:preoteasa:2005} we prove some properties of pseudo-hoops and we define the basic concepts of filter and normal filter. The lattice of normal filters is isomorphic with the lattice of congruences of a pseudo-hoop. We also study some important classes of pseudo-hoops. Bounded Wajsberg pseudo-hoops are equivalent to pseudo-Wajsberg algebras and bounded basic pseudo-hoops are equiv- alent to pseudo-BL algebras. Some examples of pseudo-hoops are given in the last section of the formalization. \end{abstract} \tableofcontents \section{Overview} Section 2 introduces some operations and their infix syntax. Section 3 and 4 introduces some facts about residuated and complemented monoids. Section 5 introduces the pseudo-hoops and some of their properties. Section 6 introduces filters and normal filters and proves that the lattice of normal filters and the lattice of congruences are isomorphic. Following \cite{ceterchi:2001}, section 7 introduces pseudo-Waisberg algebras and some of their properties. In Section 8 we investigate some classes of pseudo-hoops. Finally section 9 presents some examples of pseudo-hoops and normal filters. 
\parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Psi_Calculi/document/root.tex b/thys/Psi_Calculi/document/root.tex --- a/thys/Psi_Calculi/document/root.tex +++ b/thys/Psi_Calculi/document/root.tex 
@@ -1,79 +1,79 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The pi-calculus} \author{Jesper Bengtson} \maketitle \begin{abstract} \end{abstract} \tableofcontents \section{Overview} These theories formalise the following results for psi-calculi. Note that there is only an early semantics for psi-calculi, although a late one may appear later. \begin{itemize} \item strong bisimilarity is preserved by all operators except the input-prefix \item strong equivalence is a congruence \item weak bisimilarity is preserved by all operators except case and the input-prefix \item weak congruence is a congruence \item strong equivalence respect the laws of structural congruence \item all strongly equivalent agents are also weakly congruent which in turn are weakly bisimilar. Moreover, strongly equivalent agents are also strongly bisimilar \item as a corollary of the last two points, all mentioned equivalences respect the law of structural congruence \item for instances of psi-calculi where assertion composition satisfies weakening, the definition of weak bisimilarity can be simplified significantly and proven equivalent to the version that applies when weakening does not hold \item for certain versions of psi-calculi, sum can be encoded \item for certain versions of psi-calculi, the tau-prefix can be encoded and when weakening is satisfied, all of the tau-laws hold. 
\end{itemize} The file naming convention is hopefully self explanatory, where the prefixes \emph{Strong} and \emph{Weak} denote that the file covers theories required to formalise properties of strong and weak bisimilarity respectively; files with the prefix \emph{Weaken} cover theories where weakening holds for the static implication; if the file name contains \emph{Sim} the theories cover simulation, file names containing \emph{Bisim} cover bisimulation, and file names containing \emph{Cong} cover weak congruence; files with the suffix \emph{Pres} deal with theories that reason about preservation properties of operators such as a simulation or bisimulation being preserved by a certain operator; files with the suffix \emph{StructCong} reason about structural congruence. For a complete exposition of all of theories, please consult Bengtson's Ph. D. thesis \cite{bengtson:thesis}. A shorter presentation can be found in our TPHOLs paper 'Psi-calculi in Isabelle' from 2009 \cite{bengtson:tphols09}. There are also two LICS-papers that focus on the mathematical theories, rather than the Isabelle formalisations \cite{bengtson:lics09, johansson:lics10}. % include generated text of all theories \section{Formalisation} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Ptolemys_Theorem/document/root.tex b/thys/Ptolemys_Theorem/document/root.tex --- a/thys/Ptolemys_Theorem/document/root.tex +++ b/thys/Ptolemys_Theorem/document/root.tex 
@@ -1,40 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Ptolemy's Theorem} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry provides an analytic proof to Ptolemy's Theorem using polar form transformation and trigonometric identities. In this formalization, we use ideas from John Harrison's HOL Light formalization~\cite{Harrison} and the proof sketch on the Wikipedia entry of Ptolemy's Theorem~\cite{wiki:PtolemysTheorem-2016}. This theorem is the 95th theorem of the Top 100 Theorems list~\cite{Wiedijk}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} \ No newline at end of file diff --git a/thys/QHLProver/document/root.tex b/thys/QHLProver/document/root.tex --- a/thys/QHLProver/document/root.tex +++ b/thys/QHLProver/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Quantum Hoare Logic} \author{Junyi Liu, Bohua Zhan, Shuling Wang, Shenggang Ying,\\ Tao Liu, Yangjia Li, Mingsheng Ying, and Naijun Zhan} \maketitle \begin{abstract} We formalize quantum Hoare logic as given in \cite{Ying12}. In particular, we specify the syntax and denotational semantics of a simple model of quantum programs. Then, we write down the rules of quantum Hoare logic for partial correctness, and show the soundness and completeness of the resulting proof system. As an application, we verify the correctness of Grover's algorithm. \end{abstract} \tableofcontents \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/QR_Decomposition/document/root.tex b/thys/QR_Decomposition/document/root.tex --- a/thys/QR_Decomposition/document/root.tex +++ b/thys/QR_Decomposition/document/root.tex 
@@ -1,46 +1,47 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{QR Decomposition} \author{By Jose Divas\'on and Jes\'us Aransay\thanks{This research has been funded by the research grant FPI-UR-12 of the Universidad de La Rioja and by the project MTM2014-54151-P from Ministerio de Econom\'ia y Competitividad (Gobierno de Espa\~na).}} \maketitle \begin{abstract} In this work we present a formalization of the QR decomposition, an algorithm which decomposes a real matrix $A$ in the product of another two matrices $Q$ and $R$, where $Q$ is an orthogonal matrix and $R$ is invertible and upper triangular. The algorithm is useful for the least squares problem, i.e. the computation of the best approximation of an unsolvable system of linear equations. As a side-product, the Gram-Schmidt process has also been formalized. A refinement using immutable arrays is presented as well. The development relies, among others, on the AFP entry \emph{Implementing field extensions of the form $\mathbb{Q}[\sqrt{b}]$} by Ren\'e Thiemann, which allows to execute the algorithm using symbolic computations. Verified code can be generated and executed using floats as well. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Quantales/document/root.tex b/thys/Quantales/document/root.tex --- a/thys/Quantales/document/root.tex +++ b/thys/Quantales/document/root.tex 
@@ -1,108 +1,109 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Quantales} \author{Georg Struth} \maketitle \begin{abstract} These mathematical components formalise basic properties of quantales, together with some important models, constructions, and concepts, including quantic nuclei and conuclei. \end{abstract} \tableofcontents \section{Introductory Remarks} Quantales are complete lattices equipped with an associative composition that preserves suprema in both arguments. They have been used---under various names and in various guises---in mathematics for almost a century. One important context is the structure of ideals in rings and $C^\ast$-algebras, another one the foundations of quantum mechanics, a third one lies in approaches to generalised metric spaces. In computing, quantales occur naturally in program semantics---algebras of predicate transformers, for instance, form quantales, the semantics of linear logic, the foundations of fuzzy systems and program construction; but also languages or binary relations form quantales. These components formalise the basic concepts and properties of quantales, following by and large Rosenthal's monograph~\cite{Rosenthal90}. 
Because of applications to predicate transformer semantics, families of quantales are considered in which certain Sup-preservation laws are absent (nomenclature diverges from Rosenthal, but is consistent with AFP entries for dioids and Kleene algebras~\cite{ArmstrongSW13}). Beyond basic equational reasoning, some models of quantales are presented, though those that arise from ring theory or $C^\ast$-algebras are currently not supported. Nuclei and conuclei of quantales are also investigated, and some important relationships with quotients and subalgebras of quantales are formalised, following Rosenthal. In particular, I (re)prove his representation theorem that every quantale is isomorphic to a nucleus of a powerset quantale over some semigroup. Beyond that it is shown how left-sided elements give rise to nuclei and conuclei. Another subject of study are quantale-modules, which have been introduced by Abramsky and Vickers~\cite{AbramskyV93} and widely used since, with some original results on semidirect products over these~\cite{DongolHS17} and some new results on the Kleene star in this setting. Quantales draw heavily on lattice and order theory, Galois connections and the associated monads and comonads. They are also strongly related to complete Heyting algebras, frames and locales~\cite{Johnstone82}, for which future AFP entries might be worth creating. Further variants, such as Girard quantales, might also be worth exploring. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Quaternions/document/root.tex b/thys/Quaternions/document/root.tex --- a/thys/Quaternions/document/root.tex +++ b/thys/Quaternions/document/root.tex 
@@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Quaternions} \author{Lawrence C. Paulson} \maketitle \begin{abstract} This theory is inspired by the HOL Light development of quaternions~\cite{gabrielli-quaternions}, but follows its own route. Quaternions are developed coinductively, as in the existing formalisation of the complex numbers. Quaternions are quickly shown to belong to the type classes of real normed division algebras and real inner product spaces. And therefore they inherit a great body of facts involving algebraic laws, limits, continuity, etc., which must be proved explicitly in the HOL Light version. The development concludes with the geometric interpretation of the product of imaginary quaternions. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \section{Acknowledgements} The author was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Quick_Sort_Cost/document/root.tex b/thys/Quick_Sort_Cost/document/root.tex --- a/thys/Quick_Sort_Cost/document/root.tex +++ b/thys/Quick_Sort_Cost/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Cost Analysis of QuickSort} \author{Manuel Eberl} \maketitle \begin{abstract} We give a formal proof of the well-known results about the number of comparisons performed by two variants of QuickSort: first, the expected number of comparisons of randomised QuickSort (i.\,e. QuickSort with random pivot choice) is $2(n+1)H_n - 4n$, which is asymptotically equivalent to $2\,n\ln n$; second, the number of comparisons performed by the classic non-randomised QuickSort has the same distribution in the average case as the randomised one. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/RIPEMD-160-SPARK/document/root.tex b/thys/RIPEMD-160-SPARK/document/root.tex --- a/thys/RIPEMD-160-SPARK/document/root.tex +++ b/thys/RIPEMD-160-SPARK/document/root.tex 
@@ -1,34 +1,35 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{RIPEMD-160 - Verification of a SPARK/ADA Implementation} \author{Fabian Immler} \maketitle \begin{abstract} This work presents a verification of an implementation in SPARK/ADA \cite{highintegritysoftware} of the cryptographic hash-function RIPEMD-160. A functional specification of RIPEMD-160 \cite{ripemd} is given in Isabelle/HOL \cite{LNCS2283}. Proofs for the verification conditions generated by the static-analysis toolset of SPARK certify the functional correctness of the implementation. The verification conditions are translated to Isabelle/HOL with a modified version of Victor-0.8.0~\cite{vct}. This entry is now obsolete, it is contained as example in the Isabelle distibution. \end{abstract} \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/ROBDD/document/root.tex b/thys/ROBDD/document/root.tex --- a/thys/ROBDD/document/root.tex +++ b/thys/ROBDD/document/root.tex 
@@ -1,80 +1,81 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \usepackage[english]{babel} % for \frqq (whatever that actually is) \begin{document} \title{An implementation of ROBDDs for Isabelle/HOL} \author{Julius Michaelis and Maximilian Haslbeck and Peter Lammich and Lars Hupel} \maketitle \begin{abstract} We present a verified and executable implementation of ROBDDs in Isabelle/HOL. Our implementation relates pointer-based computation in the Heap monad to operations on an abstract definition of boolean functions. Internally, we implemented the if-then-else combinator in a recursive fashion, following the Shannon decomposition of the argument functions. The implementation mixes and adapts known techniques and is built with efficiency in mind. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Preface} This work is not the first to deal with BDDs in Isabelle/HOL. Ortner and Schirmer have formalized BDDs in~\cite{BDD-AFP} and proved the correctness of an algorithm that transforms arbitrary BDDs to ROBDDs. However, their specification does not provide efficiently executable algorithms on BDDs. Giorgino and Strecker have presented efficiently executable algorithms for ROBDDs~\cite{giorgino2012correctness} by reducing their arguments to manipulating edges of graphs. 
However, they have, to the best of our knowledge, not made their theory files available. Thus, no library for efficient computation on (RO)BDDs in Isabelle/HOL existed. Our work is a response to that situation. The theoretic background of the implementation is mostly based on~\cite{brace1991efficient}. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/RSAPSS/document/root.tex b/thys/RSAPSS/document/root.tex --- a/thys/RSAPSS/document/root.tex +++ b/thys/RSAPSS/document/root.tex 
@@ -1,58 +1,59 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{RSAPSS} \author{Christina Lindenberg and Kai Wirt \\ Darmstadt Technical University \\ Cryptography and Computeralgebra} \maketitle \begin{abstract} Formal verification is getting more and more important in computer science. However the state of the art formal verification methods in cryptography are very rudimentary. These theories are one step to provide a tool box allowing the use of formal methods in every aspect of cryptography. Moreover we present a proof of concept for the feasibility of verification techniques to a standard signature algorithm. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of theories \input{WordOperations} \input{SHA1Padding} \input{SHA1} \input{Crypt} \input{Mod} \input{Pdifference} \input{Productdivides} \input{Cryptinverts} \input{Wordarith} \input{EMSAPSS} \input{RSAPSS} \nocite{Bellare-Rogaway:98PSS} \nocite{ Boyer-Moore:82RSA} \nocite{ Nipkow-Paulson-Wenzel:02Isabelle} \nocite{ PKCS} \nocite{ Rivest-Shamir-Adleman:78RSA} \nocite{ TU-Munich:05Isabelle} \nocite{ fips:02SHA} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Ramsey-Infinite/document/root.tex b/thys/Ramsey-Infinite/document/root.tex --- a/thys/Ramsey-Infinite/document/root.tex +++ b/thys/Ramsey-Infinite/document/root.tex 
@@ -1,26 +1,27 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Ramsey's Theorem} \author{Tom Ridge} \maketitle \begin{abstract} The infinite form of Ramsey's Theorem is proved following Boolos and Jeffrey, Chapter 26. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \end{document} diff --git a/thys/Random_BSTs/document/root.tex b/thys/Random_BSTs/document/root.tex --- a/thys/Random_BSTs/document/root.tex +++ b/thys/Random_BSTs/document/root.tex @@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} \usepackage{upgreek} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Expected Shape of Random Binary Search Trees} \author{Manuel Eberl} \maketitle \begin{abstract} This entry contains proofs for the textbook results about the distributions of the height and internal path length of random binary search trees (BSTs), i.\,e.\ BSTs that are formed by taking an empty BST and inserting elements from a fixed set in random order. In particular, we prove a logarithmic upper bound on the expected height and the $\Theta(n \log n)$ closed-form solution for the expected internal path length in terms of the harmonic numbers. We also show how the internal path length relates to the average-case cost of a lookup in a BST. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \begingroup \raggedright \bibliographystyle{abbrv} \bibliography{root} \endgroup \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Random_Graph_Subgraph_Threshold/document/root.tex b/thys/Random_Graph_Subgraph_Threshold/document/root.tex --- a/thys/Random_Graph_Subgraph_Threshold/document/root.tex +++ b/thys/Random_Graph_Subgraph_Threshold/document/root.tex 
@@ -1,71 +1,71 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amsmath,amssymb,amsthm} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newtheoremstyle{normalfont}{ }{ }{\normalfont}{ }{\normalfont\bfseries}{}{ }{} \theoremstyle{normalfont} \newtheorem*{notation}{Notation} \newcommand{\flush}{\leavevmode\newline\vspace*{-1.5em}} \newcommand{\Ex}{\operatorname{E}} \newcommand{\Var}{\operatorname{Var}} \newenvironment{remark}{\begin{small}$\RHD$ Remark: \itshape}{\end{small}} \begin{document} \title{Properties of Random Graphs -- Subgraph Containment} \author{Lars Hupel} \maketitle \begin{abstract} Random graphs are graphs with a fixed number of vertices, where each edge is present with a fixed probability. We are interested in the probability that a random graph contains a certain pattern, for example a cycle or a clique. A very high edge probability gives rise to perhaps too many edges (which degrades performance for many algorithms), whereas a low edge probability might result in a disconnected graph. We prove a theorem about a threshold probability such that a higher edge probability will asymptotically almost surely produce a random graph with the desired subgraph. \end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} Random graphs have been introduced by Erd\H{o}s and R\'enyi in \cite{erdos}. They describe a probability space where, for a fixed number of vertices, each possible edge is present with a certain probability independent from other edges, but with the same probability for each edge. They study what properties emerge when increasing the number of vertices, or as they call it, ``the evolution of such a random graph''. 
The theorem which we will prove here is a slightly different version from that in the first section of that paper. Here, we are interested in the probability that a random graph contains a certain pattern, for example a cycle or a clique. A very high edge probability gives rise to perhaps too many edges, which is usually undesired since it degrades the performance of many algorithms, whereas a low edge probability might result in a disconnected graph. The central theorem determines a threshold probability such that a higher edge probability will asymptotically almost surely produce a random graph with the desired subgraph. The proof is outlined in \cite[\S\ 11.4]{graph-theory} and \cite[\S\ 3]{random-graphs}. The work is based on the comprehensive formalization of probability theory in Isabelle/HOL and on a previous definition of graphs in a work by Noschinski \cite{girth-chromatic-afp}. There, Noschinski formalized the proof that graphs with arbitrarily large girth and chromatic number exist. While the proof in this paper uses a different approach, the definition of a probability space on edges turned out to be quite useful. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Randomised_BSTs/document/root.tex b/thys/Randomised_BSTs/document/root.tex --- a/thys/Randomised_BSTs/document/root.tex +++ b/thys/Randomised_BSTs/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Randomised Binary Search Trees} \author{Manuel Eberl} \maketitle \begin{abstract} This work is a formalisation of the Randomised Binary Search Trees introduced by Mart\'{i}nez and Roura~\cite{martinez_roura}, including definitions and correctness proofs. Like randomised treaps, they are a probabilistic data structure that behaves exactly as if elements were inserted into a non-balancing BST in random order. However, unlike treaps, they only use discrete probability distributions, but their use of randomness is more complicated. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Randomised_Social_Choice/document/root.tex b/thys/Randomised_Social_Choice/document/root.tex --- a/thys/Randomised_Social_Choice/document/root.tex +++ b/thys/Randomised_Social_Choice/document/root.tex 
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Randomised Social Choice} \author{Manuel Eberl} \maketitle \begin{abstract} This work contains a formalisation of basic Randomised Social Choice, including Stochastic Dominance and Social Decision Schemes (SDSs) along with some of their most important properties (Anonymity, Neutrality, \textit{SD}-Efficiency, \textit{SD}-Strategy-Proofness) and two particular SDSs -- Random Dictatorship and Random Serial Dictatorship (with proofs of the properties that they satisfy). Many important properties of these concepts are also proven – such as the two equivalent characterisations of Stochastic Dominance and the fact that SD-efficiency of a lottery only depends on the support. The entry also provides convenient commands to define Preference Profiles, prove their well-formedness, and automatically derive restrictions that sufficiently nice SDSs need to satisfy on the defined profiles. (cf. \cite{smt}) Currently, the formalisation focuses on weak preferences and Stochastic Dominance (\textit{SD}), but it should be easy to extend it to other domains -- such as strict preferences -- or other lottery extensions -- such as Bilinear Dominance or Pairwise Comparison. 
\end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \newpage \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Rank_Nullity_Theorem/document/root.tex b/thys/Rank_Nullity_Theorem/document/root.tex --- a/thys/Rank_Nullity_Theorem/document/root.tex +++ b/thys/Rank_Nullity_Theorem/document/root.tex 
@@ -1,51 +1,52 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Rank-Nullity Theorem in Linear Algebra} \author{By Jose Divas\'on and Jes\'us Aransay\thanks{This research has been funded by the research grant FPIUR12 of the Universidad de La Rioja.}} \maketitle \begin{abstract} In this contribution, we present some formalizations based on the HOL-Multivariate-Analysis session of Isabelle. Firstly, a generalization of several theorems of such library are presented. Secondly, some definitions and proofs involving Linear Algebra and the four fundamental subspaces of a matrix are shown. Finally, we present a proof of the result known in Linear Algebra as the ``Rank-Nullity Theorem'', which states that, given any linear map $f$ from a finite dimensional vector space $V$ to a vector space $W$, then the dimension of $V$ is equal to the dimension of the kernel of $f$ (which is a subspace of $V$) and the dimension of the range of $f$ (which is a subspace of $W$). The proof presented here is based on the one given in \cite{AX97}. As a corollary of the previous theorem, and taking advantage of the relationship between linear maps and matrices, we prove that, for every matrix $A$ (which has associated a linear map between finite dimensional vector spaces), the sum of its null space and its column space (which is equal to the range of the linear map) is equal to the number of columns of $A$. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Real_Impl/document/root.tex b/thys/Real_Impl/document/root.tex --- a/thys/Real_Impl/document/root.tex +++ b/thys/Real_Impl/document/root.tex 
@@ -1,69 +1,70 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\nats{\mathbb{N}} \newcommand\reals{\mathbb{R}} \newcommand\rats{\mathbb{Q}} \newcommand\fieldext[2]{#1[#2]} \newcommand\ratsb{\fieldext\rats{\sqrt b}} \begin{document} \title{Implementing field extensions of the form $\ratsb$\thanks{This research is supported by FWF (Austrian Science Fund) project P22767-N13.}} \author{Ren\'e Thiemann} \maketitle \begin{abstract} We apply data refinement to implement the real numbers, where we support all numbers in the field extension $\ratsb$, i.e., all numbers of the form $p + q \sqrt{b}$ for rational numbers $p$ and $q$ and some fixed natural number $b$. To this end, we also developed algorithms to precisely compute roots of a rational number, and to perform a factorization of natural numbers which eliminates duplicate prime factors. Our results have been used to certify termination proofs which involve polynomial interpretations over the reals. \end{abstract} \tableofcontents \section{Introduction} It has been shown that polynomial interpretations over the reals are strictly more powerful for termination proving than polynomial interpretations over the rationals. To this end, also automated termination prover started to generate such interpretations. \cite{Rational,Luc06,Luc07,LPAR09,SCSS10}. However, for all current implementations, only reals of the form $p + q \cdot \sqrt{b}$ are generated where $b$ is some fixed natural number and $p$ and $q$ may be arbitrary rationals, i.e., we get numbers within $\ratsb$. 
To support these termination proofs in our certifier \ceta\ \cite{CeTA}, we therefore required executable functions on $\ratsb$, which can then be used as an implementation type for the reals. Here, we used ideas from \cite{datarefinement,Loc13} to provide a sufficiently powerful partial implementations via data refinement. \input{session} \section*{Acknowledgements} We thank Bertram Felgenhauer for interesting discussions and especially for mentioning Cauchy's mean theorem during the formalization of the algorithms for computing roots. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Recursion-Addition/document/root.tex b/thys/Recursion-Addition/document/root.tex --- a/thys/Recursion-Addition/document/root.tex +++ b/thys/Recursion-Addition/document/root.tex @@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Recursion Theorem} \author{Georgy Dunaev} \maketitle \begin{abstract} This document contains a proof of the recursion theorem. This is a mechanization of the proof of the recursion theorem from the text \textit{Introduction to Set Theory}, by Karel Hrbacek and Thomas Jech. This implementation may be used as the basis for a model of Peano Arithmetic in ZF\@. While recursion and the natural numbers are already available in ZF, this clean development is much easier to follow. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Recursion-Theory-I/document/root.tex b/thys/Recursion-Theory-I/document/root.tex --- a/thys/Recursion-Theory-I/document/root.tex +++ b/thys/Recursion-Theory-I/document/root.tex 
@@ -1,35 +1,36 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Recursion Theory I} \author{Michael Nedzelsky} \maketitle \begin{abstract} This document presents the formalization of introductory material from recursion theory --- definitions and basic properties of primitive recursive functions, Cantor pairing function and computably enumerable sets (including a proof of existence of a one-complete computably enumerable set and a proof of the Rice's theorem). \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Refine_Imperative_HOL/document/root.tex b/thys/Refine_Imperative_HOL/document/root.tex --- a/thys/Refine_Imperative_HOL/document/root.tex +++ b/thys/Refine_Imperative_HOL/document/root.tex 
@@ -1,82 +1,83 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{railsetup} \usepackage{amssymb} \usepackage[english]{babel} \usepackage{wasysym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \begin{document} \title{The Imperative Refinement Framework} \author{Peter Lammich} \maketitle \begin{abstract} We present the Imperative Refinement Framework (IRF), a tool that supports a stepwise refinement based approach to imperative programs. This entry is based on the material we presented in [ITP-2015, CPP-2016]. It uses the Monadic Refinement Framework as a frontend for the specification of the abstract programs, and Imperative/HOL as a backend to generate executable imperative programs. The IRF comes with tool support to synthesize imperative programs from more abstract, functional ones, using efficient imperative implementations for the abstract data structures. This entry also includes the Imperative Isabelle Collection Framework (IICF), which provides a library of re-usable imperative collection data structures. Moreover, this entry contains a quickstart guide and a reference manual, which provide an introduction to using the IRF for Isabelle/HOL experts. It also provids a collection of (partly commented) practical examples, some highlights being Dijkstra's Algorithm, Nested-DFS, and a generic worklist algorithm with subsumption. Finally, this entry contains benchmark scripts that compare the runtime of some examples against reference implementations of the algorithms in Java and C++. \vfill {\footnotesize \begin{description} \item[{[{ITP-2015}]}] Peter Lammich: Refinement to Imperative/HOL. ITP 2015: 253--269 \item[{[{CPP-2016}]}] Peter Lammich: Refinement based verification of imperative data structures. 
CPP 2016: 27--36 \end{description} } \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Refine_Monadic/document/root.tex b/thys/Refine_Monadic/document/root.tex --- a/thys/Refine_Monadic/document/root.tex +++ b/thys/Refine_Monadic/document/root.tex 
@@ -1,206 +1,207 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \makeatletter \newenvironment{abstract}{% \small \begin{center}% {\bfseries \abstractname\vspace{-.5em}\vspace{\z@}}% \end{center}% \quotation}{\endquotation} \makeatother \begin{document} \title{Refinement for Monadic Programs} \author{Peter Lammich} \maketitle \begin{abstract} We provide a framework for program and data refinement in Isabelle/HOL. The framework is based on a nondeterminism-monad with assertions, i.e., the monad carries a set of results or an assertion failure. Recursion is expressed by fixed points. For convenience, we also provide while and foreach combinators. The framework provides tools to automatize canonical tasks, such as verification condition generation, finding appropriate data refinement relations, and refine an executable program to a form that is accepted by the Isabelle/HOL code generator. Some basic usage examples can be found in this entry, but most of the examples and the userguide have been moved to the Collections AFP entry. 
For more advanced examples, consider the AFP entries that are based on the Refinement Framework. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \chapter{Introduction} Isabelle/HOL\cite{NPW02} is a higher order logic theorem prover. Recently, we started to use it to implement automata algorithms (e.g., \cite{L09_tree_automata}). There, we do not only want to specify an algorithm and prove it correct, but we also want to obtain efficient executable code from the formalization. This can be done with Isabelle/HOL's code generator \cite{Haft09,HaNi10}, that converts functional specifications inside Isabelle/HOL to executable programs. In order to obtain a uniform interface to efficient data structures, we developed the Isabelle Collection Framework (ICF) \cite{L09_collections,LL10}. It provides a uniform interface to various (collection) data structures, as well as generic algorithm, that are parametrized over the data structure actually used, and can be instantiated for any data structure providing the required operations. E.g., a generic algorithm may be parametrized over a set data structure, and then instantiated with a hashtable or a red-black tree. The ICF features a data-refinement approach to prove an algorithm correct: First, the algorithm is specified using the abstract data structures. These are usually standard datatypes on Isabelle/HOL, and thus enjoy a good tool support for proving. Hence, the correctness proof is most conveniently performed on this abstract level. In a next step, the abstract algorithm is refined to a concrete algorithm that uses some efficient data structures. Finally, it is shown that the result of the concrete algorithm is related to the result of the abstract algorithm. This last step is usually fairly straightforward. This approach works well for simple operations. 
However, it is not applicable when using inherently nondeterministic operations on the abstract level, such as choosing an arbitrary element from a non-empty set. In this case, any choice of the element on the abstract level over-specifies the algorithm, as it forces the concrete algorithm to choose the same element. One possibility is to initially specify and prove correct the algorithm on the concrete level, possibly using parametrization to leave the concrete implementation unspecified. The problem here is, that the correctness proofs have to be performed on the concrete level, involving abstraction steps during the proof, which makes it less readable and more tedious. Moreover, this approach does not support stepwise refinement, as all operations have to work on the most concrete datatypes. Another possibility is to use a non-deterministic algorithm on the abstract level, that is then refined to a deterministic algorithm. Here, the correctness proofs may be done on the abstract level, and stepwise refinement is properly supported. However, as Isabelle/HOL primarily supports functions, not relations, formulating nondeterministic algorithms is more tedious. This development provides a framework for formulating nondeterministic algorithms in a monadic style, and using program and data refinement to eventually obtain an executable algorithm. The monad is defined over a set of results and a special {\em FAIL}-value, that indicates a failed assertion. The framework provides some tools to make reasoning about those monadic programs more comfortable. \section{Related Work} Data refinement dates back to Hoare \cite{Hoa72}. Using {\em refinement calculus} for stepwise program refinement, including data refinement, was first proposed by Back \cite{Back78}. In the last decades, these topics have been subject to extensive research. Good overviews are \cite{BaWr98,RoEn98}, that cover the main concepts on which this formalization is based. 
There are various formalizations of refinement calculus within theorem provers \cite{BaWr90,LRW95,RuWr97,Stap99,Preo06}. All these works focus on imperative programs and therefore have to deal with the representation of the state space (e.g., local variables, procedure parameters). In our monadic approach, there is no need to formalize state spaces or procedures, which makes it quite simple. Note, that we achieve modularization by defining constants (or recursive functions), thus moving the burden of handling parameters and procedure calls to the underlying theorem prover, and at the same time achieving a more seamless integration of our framework into the theorem prover. In the seL4-project \cite{CKS08}, a nondeterministic state-exception monad is used to refine the abstract specification of the kernel to an executable model. The basic concept is closely related to ours. However, as the focus is different (Verification of kernel operations vs. verification of model-checking algorithms), there are some major differences in the handling of recursion and data refinement. In \cite{SchM98}, {\em refinement monads} are studied. The basic constructions there are similar to ours. However, while we focus on data refinement, they focus on introducing commands with side-effects and a predicate-transformer semantics to allow angelic nondeterminism. % generated text of all theories \input{session} \chapter{Conclusion and Future Work} We have presented a framework for program and data refinement. The notion of a program is based on a nondeterminism monad, and we provided tools for verification condition generation, finding data refinement relations, and for generating executable code by Isabelle/HOL's code generator \cite{Haft09,HaNi10}. We illustrated the usability of our framework by various examples, among others a breadth-first search algorithm, which was our solution to task~5 of the VSTTE 2012 verification competition. There is lots of possible future work. 
We sketch some major directions here: \begin{itemize} \item Some of our refinement rules (e.g.\ for while-loops) are only applicable for single-valued relations. This seems to be related to the monadic structure of our programs, which focuses on single values. A direction of future research is to understand this connection better, and to develop usable rules for non single-valued abstraction relations. \item Currently, transfer for partial correct programs is done to a complete-lattice domain. However, as assertions need not to be included in the transferred program, we could also transfer to a ccpo-domain, as, e.g., the option monad that is integrated into Isabelle/HOL by default. This is, however, only a technical problem, as ccpo and lattice typeclasses are not properly linked\footnote{This has also been fixed in the development version of Isabelle/HOL}. Moreover, with the partial function package \cite{Kr10}, Isabelle/HOL has a powerful tool to express arbitrary recursion schemes over monadic programs. Currently, we have done the basic setup for the partial function package, i.e., we can define recursions over our monad. However, induction-rule generation does not yet work, and there is potential for more tool-support regarding refinement and transfer to deterministic programs. \item Finally, our framework only supports functional programs. However, as shown in Imperative/HOL \cite{BKHEM08}, monadic programs are well-suited to express a heap. Hence, a direction of future research is to add a heap to our nondeterminism monad. Argumentation about the heap could be done with a separation logic \cite{Rey02} formalism, like the one that we already developed for Imperative/HOL \cite{Meis2011}. \end{itemize} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/RefinementReactive/document/root.tex b/thys/RefinementReactive/document/root.tex 
--- a/thys/RefinementReactive/document/root.tex +++ b/thys/RefinementReactive/document/root.tex 
@@ -1,98 +1,98 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{wasysym} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} \newcommand{\tv}{{\isacharprime}\,} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Formalization of Refinement Calculus for Reactive Systems} \author{Viorel Preoteasa\\ Aalto University, Finland} \maketitle \begin{abstract} We present a formalization of refinement calculus for reactive systems. Refinement calculus is based on monotonic predicate transformers (monotonic functions from sets of post-states to sets of pre-states), and it is a powerful formalism for reasoning about imperative programs. We model reactive systems as monotonic property transformers that transform sets of output infinite sequences into sets of input infinite sequences. Within this semantics we can model refinement of reactive systems, (unbounded) angelic and demonic nondeterminism, sequential composition, and other semantic properties. We can model systems that may fail for some inputs, and we can model compatibility of systems. We can specify systems that have liveness properties using linear temporal logic, and we can refine system specifications into systems based on symbolic transitions systems, suitable for implementations. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \section{Introduction} This is a formalization of refinement calculus for reactive systems that is presented in \cite{preoteasa:tripakis:2014tr}. Refinement calculus \cite{back-1978,back-wright-98} has been developed originally for input output imperative programs, and is based on a predicate transformer semantics of programs with a weakest precondition interpretation. 
We extend the standard refinement calculus to reactive systems \cite{Harel:1989:DRS:101969.101990}. Within our framework a reactive system is seen as a system that accepts as input an infinite sequence of values and productes as output an infinite sequence of values. The semantics of these systems is given as {\em monotonic property transformers}. These are monotonic functions which maps sets of output sequences (output properties) into sets of input sequences (input properties). For a set of output sequences $q$, the monotonic property transformer $S$ applied to $q$ returns all input sequences from which the computation of $S$ always produces a sequence from $q$. Our work extends also the relational interfaces framework of \cite{tripakis:2011} which can handle only finite safety properties to infinite properties and liveness. This formalization is organized in three sections. Section 2 presents an algebraic formalization of linear temporal locic. Section 3 introduces basic constructs from refinement calculus, and finally Section 4 applies the refinement calculus to reactive systems. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Regex_Equivalence/document/root.tex b/thys/Regex_Equivalence/document/root.tex --- a/thys/Regex_Equivalence/document/root.tex +++ b/thys/Regex_Equivalence/document/root.tex 
@@ -1,51 +1,52 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Regular Expression Equivalence} \author{Tobias Nipkow \and Dmitriy Traytel} \maketitle \begin{abstract} We formalize a unified framework for verified decision procedures for regular expression equivalence. Five recently published formalizations of such decision procedures (three based on derivatives, two on marked regular expressions) can be obtained as instances of the framework. We discover that the two approaches based on marked regular expressions, which were previously thought to be the same, are different, and one seems to produce uniformly smaller automata. The common framework makes it possible to compare the performance of the different decision procedures in a meaningful way. The formalization is also described in a submitted paper draft \cite{NipkowT-urexp}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Regular-Sets/document/root.tex b/thys/Regular-Sets/document/root.tex --- a/thys/Regular-Sets/document/root.tex +++ b/thys/Regular-Sets/document/root.tex 
@@ -1,47 +1,48 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{eufrak} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Regular Sets, Expressions, Derivatives and Relation Algebra} \author{Alexander Krauss, Tobias Nipkow,\\ Chunhan Wu, Xingyuan Zhang and Christian Urban} \maketitle \begin{abstract} This is a library of constructions on regular expressions and languages. It provides the operations of concatenation, Kleene star and left-quotients of languages. A theory of derivatives and partial derivatives is provided. Arden's lemma and finiteness of partial derivatives is established. A simple regular expression matcher based on Brozowski's derivatives is proved to be correct. An executable equivalence checker for regular expressions is verified; it does not need automata but works directly on regular expressions. By mapping regular expressions to binary relations, an automatic and complete proof method for (in)equalities of binary relations over union, concatenation and (reflexive) transitive closure is obtained. For an exposition of the equivalence checker for regular and relation algebraic expressions see the paper by Krauss and Nipkow~\cite{KraussN-JAR}. Extended regular expressions with complement and intersection are also defined and an equivalence checker is provided. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Regular_Algebras/document/root.tex b/thys/Regular_Algebras/document/root.tex --- a/thys/Regular_Algebras/document/root.tex +++ b/thys/Regular_Algebras/document/root.tex 
@@ -1,56 +1,57 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Regular Algebras} \author{Simon Foster and Georg Struth} \maketitle \begin{abstract} Regular algebras axiomatise the equational theory of regular expressions as induced by regular language identity. We use Isabelle/HOL for a detailed systematic study of regular algebras given by Boffa, Conway, Kozen and Salomaa. We investigate the relationships between these classes, formalise a soundness proof for the smallest class (Salomaa's) and obtain completeness of the largest one (Boffa's) relative to a deep result by Krob. In addition we provide a large collection of regular identities in the general setting of Boffa's axiom. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introductory Remarks} These Isabelle theories complement the article on \emph{On the Fine-Structure of Regular Algebra}~\cite{FosterS15}. For an introduction to the topic, conceptual explanations and references we refer to this article. Our regular algebra hierarchy is orthogonal to the Kleene algebra hierarchy in the Archive of Formal Proofs~\cite{ArmstrongStruthWeberArchive}; we have not aimed at an integration for pragmatic reasons. \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Relation_Algebra/document/root.tex b/thys/Relation_Algebra/document/root.tex --- a/thys/Relation_Algebra/document/root.tex +++ b/thys/Relation_Algebra/document/root.tex 
@@ -1,55 +1,56 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Relation Algebra} \author{Alasdair Armstrong, Simon Foster, Georg Struth, Tjark Weber} \maketitle \begin{abstract} Tarski's algebra of binary relations is formalised along the lines of the standard textbooks of Maddux and Schmidt and Str\"ohlein. This includes relation-algebraic concepts such as subidentities, vectors and a domain operation as well as various notions associated to functions. Relation algebras are also expanded by a reflexive transitive closure operation, and they are linked with Kleene algebras and models of binary relations and Boolean matrices. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introductory Remarks} These theory files are only sparsely commented. Background information can be found in Tarski's original article~\cite{tarski41} and in the books by Maddux~\cite{maddux06} and Schmidt and Str{\"o}hlein~\cite{schmidt87}. We briefly discuss proof automation and the formalisation of direct products in~\cite{armstrong14}. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Relational-Incorrectness-Logic/document/root.tex b/thys/Relational-Incorrectness-Logic/document/root.tex --- a/thys/Relational-Incorrectness-Logic/document/root.tex +++ b/thys/Relational-Incorrectness-Logic/document/root.tex 
@@ -1,50 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{An Under-Approximate Relational Logic} \author{Toby Murray} \maketitle \begin{abstract} Recently, authors have proposed \emph{under-approximate} logics for reasoning about programs~\cite{OHearn_19,deVries_Koutavas_11}. So far, all such logics have been confined to reasoning about individual program behaviours. Yet there exist many over-approximate \emph{relational} logics for reasoning about pairs of programs and relating their behaviours. We present the first under-approximate relational logic, for the simple imperative language IMP. We prove our logic is both sound and complete. Additionally, we show how reasoning in this logic can be decomposed into non-relational reasoning in an under-approximate Hoare logic, mirroring Beringer's result for over-approximate relational logics. We illustrate the application of our logic on some small examples in which we provably demonstrate the presence of insecurity. These proofs accompany a paper~\cite{murray2020underapproximate} that explains the results in more detail. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Relational_Disjoint_Set_Forests/document/root.tex b/thys/Relational_Disjoint_Set_Forests/document/root.tex --- a/thys/Relational_Disjoint_Set_Forests/document/root.tex +++ b/thys/Relational_Disjoint_Set_Forests/document/root.tex 
@@ -1,61 +1,61 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} %\urlstyle{rm} \begin{document} \title{Relational Disjoint-Set Forests} \author{Walter Guttmann} \maketitle \begin{abstract} We give a simple relation-algebraic semantics of read and write operations on associative arrays. The array operations seamlessly integrate with assignments in the Hoare-logic library. Using relation algebras and Kleene algebras we verify the correctness of an array-based implementation of disjoint-set forests with a naive union operation and a find operation with path compression. \end{abstract} \tableofcontents \section{Overview} Relation algebras and Kleene algebras have previously been used to reason about graphs and graph algorithms \cite{BackhouseCarre1975,Berghammer1999,BerghammerStruth2010,BerghammerKargerWolf1998,GondranMinoux2008,HoefnerMoeller2012,Moeller1993}. The operations of these algebras manipulate entire graphs, which is useful for specification but not directly intended for implementation. Low-level array access is a key ingredient for efficient algorithms \cite{CormenLeisersonRivest1990}. We give a relation-algebraic semantics for such read/write access to associative arrays. This allows us to extend relation-algebraic verification methods to a lower level of more efficient implementations. In this theory we focus on arrays with the same index and value sets, which can be modelled as homogeneous relations and therefore as elements of relation algebras and Kleene algebras \cite{Kozen1994,Tarski1941}. We implement and verify the correctness of disjoint-set forests with path compression and naive union \cite{CormenLeisersonRivest1990,GallerFisher1964,Tarjan1975}. 
In order to prepare this theory for future applications with weighted graphs, the verification uses Stone relation algebras, which have weaker axioms than relation algebras \cite{Guttmann2018c}. Section 2 contains the simple relation-algebraic semantics of associative array read and write and basic properties of these access operations. In Section 3 we give a Kleene-relation-algebraic semantics of disjoint-set forests. The make-set, find-set and union-sets operations are implemented and verified in Section 4. This Isabelle/HOL theory formally verifies results in \cite{Guttmann2020b}. Theorem numbers from this paper are mentioned in the theory for reference. See the paper for further details and related work. Several Isabelle/HOL theories are related to disjoint sets. The theory \texttt{HOL/Library/Disjoint\_Sets.thy} contains results about partitions and sets of disjoint sets and does not consider their implementation. An implementation of disjoint-set forests with path compression and a size-based heuristic in the Imperative/HOL framework is verified in Archive of Formal Proofs entry \cite{LammichMeis2012}. Improved automation of this proof is considered in Archive of Formal Proofs entry \cite{Zhan2018}. These approaches are based on logical specifications whereas the present theory uses relation algebras and Kleene algebras. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Relational_Method/document/root.tex b/thys/Relational_Method/document/root.tex --- a/thys/Relational_Method/document/root.tex +++ b/thys/Relational_Method/document/root.tex 
@@ -1,68 +1,69 @@ \documentclass[11pt,a4paper,fleqn]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Relational Method with Message Anonymity\\for the Verification of Cryptographic Protocols} \author{Pasquale Noce\\Software Engineer at HID Global, Italy\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at hidglobal dot com} \maketitle \begin{abstract} This paper introduces a new method for the formal verification of cryptographic protocols, the relational method, derived from Paulson's inductive method by means of some enhancements aimed at streamlining formal definitions and proofs, specially for protocols using public key cryptography. Moreover, this paper proposes a method to formalize a further security property, message anonymity, in addition to message confidentiality and authenticity. The relational method, including message anonymity, is then applied to the verification of a sample authentication protocol, comprising Password Authenticated Connection Establishment (PACE) with Chip Authentication Mapping followed by the explicit verification of an additional password over the PACE secure channel. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Relational_Minimum_Spanning_Trees/document/root.tex b/thys/Relational_Minimum_Spanning_Trees/document/root.tex --- a/thys/Relational_Minimum_Spanning_Trees/document/root.tex +++ b/thys/Relational_Minimum_Spanning_Trees/document/root.tex 
@@ -1,58 +1,58 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} \urlstyle{rm} \begin{document} \title{Relational Minimum Spanning Tree Algorithms} \author{Walter Guttmann and Nicolas Robinson-O'Brien} \maketitle \begin{abstract} We verify the correctness of Prim's, Kruskal's and Bor\r{u}vka's minimum spanning tree algorithms based on algebras for aggregation and minimisation. \end{abstract} \tableofcontents \section{Overview} The theories described in this document prove the correctness of Prim's, Kruskal's and Bor\r{u}vka's minimum spanning tree algorithms. Specifications and algorithms work in Stone-Kleene relation algebras extended by operations for aggregation and minimisation. The algorithms are implemented in a simple imperative language and their proof uses Hoare logic. The correctness proofs are discussed in \cite{Guttmann2016c,Guttmann2018b,Guttmann2018c,RobinsonOBrien2020}. \subsection{Prim's and Kruskal's minimum spanning tree algorithms} A framework based on Stone relation algebras and Kleene algebras and extended by operations for aggregation and minimisation was presented by the first author in \cite{Guttmann2016c,Guttmann2018b} and used to formally verify the correctness of Prim's minimum spanning tree algorithm. It was extended in \cite{Guttmann2018c} and applied to prove the correctness of Kruskal's minimum spanning tree algorithm. Two theories, one each for Prim's and Kruskal's algorithms, prove total correctness of these algorithms. As case studies for the algebraic framework, these two theories combined were originally part of another AFP entry \cite{Guttmann2018a}. 
\subsection{Bor\r{u}vka's minimum spanning tree algorithm} Otakar Bor\r{u}vka formalised the minimum spanning tree problem and proposed a solution to it \cite{Boruvka1926}. Bor\r{u}vka's original paper is written in Czech; translations of varying completeness can be found in \cite{GrahamHell1985,NesetrilMilkovaNesetrilova2001}. The theory for Bor\r{u}vka's minimum spanning tree algorithm proves partial correctness of this algorithm. This work is based on the same algebraic framework as the proof of Kruskal's algorithm; in particular it uses many theories from the hierarchy underlying \cite{Guttmann2018a}. The theory for Bor\r{u}vka's algorithm formally verifies results from the second author's Master's thesis \cite{RobinsonOBrien2020}. Certain lemmas in this theory are numbered for easy correlation to theorems from the thesis. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Relational_Paths/document/root.tex b/thys/Relational_Paths/document/root.tex --- a/thys/Relational_Paths/document/root.tex +++ b/thys/Relational_Paths/document/root.tex 
@@ -1,51 +1,51 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} \begin{document} \title{Relational Characterisations of Paths} \author{Walter Guttmann and Peter H\"ofner} \maketitle \begin{abstract} Binary relations are one of the standard ways to encode, characterise and reason about graphs. Relation algebras provide equational axioms for a large fragment of the calculus of binary relations. Although relations are standard tools in many areas of mathematics and computing, researchers usually fall back to point-wise reasoning when it comes to arguments about paths in a graph. We present a purely algebraic way to specify different kinds of paths in Kleene relation algebras, which are relation algebras equipped with an operation for reflexive transitive closure. We study the relationship between paths with a designated root vertex and paths without such a vertex. Since we stay in first-order logic this development helps with mechanising proofs. To demonstrate the applicability of the algebraic framework we verify the correctness of three basic graph algorithms. \end{abstract} \tableofcontents \section*{Overview} A path in a graph can be defined as a connected subgraph of edges where each vertex has at most one incoming edge and at most one outgoing edge \cite{Diestel2005,Tinhofer1976}. We develop a theory of paths based on this representation and use it for algorithm verification. All reasoning is done in variants of relation algebras and Kleene algebras \cite{Kozen1994,Ng1984,Tarski1941}. Section 1 presents fundamental results that hold in relation algebras. Relation-algebraic characterisations of various kinds of paths are introduced and compared in Section 2. 
We extend this to paths with a designated root in Section 3. Section 4 verifies the correctness of a few basic graph algorithms. These Isabelle/HOL theories formally verify results in \cite{BerghammerFurusawaGuttmannHoefner2020}. See this paper for further details and related work. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Rep_Fin_Groups/document/root.tex b/thys/Rep_Fin_Groups/document/root.tex --- a/thys/Rep_Fin_Groups/document/root.tex +++ b/thys/Rep_Fin_Groups/document/root.tex 
@@ -1,49 +1,50 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[nottoc,numbib]{tocbibind} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\refname}{Bibliography} \begin{document} \title{Representations of Finite Groups} \author{Jeremy Sylvestre \\ University of Alberta, Augustana Campus \\ \href{mailto:jsylvest@ualberta.ca}{\url{jeremy.sylvestre@ualberta.ca}}} \maketitle \begin{abstract} We provide a formal framework for the theory of representations of finite groups, as modules over the group ring. Along the way, we develop the general theory of groups (relying on the \textit{group{\_}add} class for the basics), modules, and vector spaces, to the extent required for theory of group representations. We then provide formal proofs of several important introductory theorems in the subject, including Maschke's theorem, Schur's lemma, and Frobenius reciprocity. We also prove that every irreducible representation is isomorphic to a submodule of the group ring, leading to the fact that for a finite group there are only finitely many isomorphism classes of irreducible representations. In all of this, no restriction is made on the characteristic of the ring or field of scalars until the definition of a group representation, and then the only restriction made is that the characteristic must not divide the order of the group. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \vspace*{32pt} \textit{Note:} A number of the proofs in this theory were modelled on or inspired by proofs in the books listed in the bibliography. 
\vspace*{32pt} % generated text of all theories \input{session} % optional bibliography \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Residuated_Lattices/document/root.tex b/thys/Residuated_Lattices/document/root.tex --- a/thys/Residuated_Lattices/document/root.tex +++ b/thys/Residuated_Lattices/document/root.tex 
@@ -1,66 +1,67 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Residuated Lattices} \author{Victor B. F. Gomes \and Georg Struth \\ Department of Computer Science, University of Sheffield} \maketitle \begin{abstract} The theory of residuated lattices, first proposed by Ward and Dilworth~\cite{Ward39}, is formalised in Isabelle/HOL. This includes concepts of residuated functions; their adjoints and conjugates. It also contains necessary and sufficient conditions for the existence of these operations in an arbitrary lattice. The mathematical components for residuated lattices are linked to the AFP entry for relation algebra. In particular, we prove J{\'o}nsson and Tsinakis~\cite{Jonsson93} conditions for a residuated boolean algebra to form a relation algebra. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section {Introduction} text {* These theory files formalise algebraic residuated structures. They are briefly and sparsely commented. More information can be found in the books by Galatos and \emph{al.}~\cite{Galatos07}, or the originals papers by Ward and Dilworth~\cite{Ward39}, Jonsson and Tsinakis~\cite{Jonsson93}, and Maddux~\cite{Maddux96}. The mathematical components for residuated lattices are linked to the AFP entry for relation algebra. Residuated lattices are also important in the context of Pratt's action algebras, which are currently formalised whitin the AFP entry for Kleene algebra. We are planning to link Kleene algebras and action algebras with this entry in the future. Isabelle/HOL default notation for lattices is used whenever possible. 
Nevertheless, we use $\cdot$ as the multiplicative symbol instead of $*$, which is the one used in Isabelle libraries. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Resolution_FOL/document/root.tex b/thys/Resolution_FOL/document/root.tex --- a/thys/Resolution_FOL/document/root.tex +++ b/thys/Resolution_FOL/document/root.tex 
@@ -1,49 +1,48 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - % this should be the last package used! \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Resolution Calculus for First-Order Logic} \author{Anders Schlichtkrull} \maketitle \begin{abstract} This theory is a formalization of the resolution calculus for first-order logic. It is proven sound and complete. The soundness proof uses the substitution lemma, which shows a correspondence between substitutions and updates to an environment. The completeness proof uses semantic trees, i.e. trees whose paths are partial Herbrand interpretations. It employs Herbrand's theorem in a formulation which states that an unsatisfiable set of clauses has a finite closed semantic tree. It also uses the lifting lemma which lifts resolution derivation steps from the ground world up to the first-order world. The theory is presented in a paper in the Journal of Automated Reasoning \cite{schlichtkrull2018} which extends a paper presented at the International Conference on Interactive Theorem Proving \cite{schlichtkrull2016}. An earlier version was presented in an MSc thesis \cite{thesis}. The formalization mostly follows textbooks by Ben-Ari \cite{ben-ari}, Chang and Lee \cite{chang}, and Leitsch \cite{leitsch}. The theory is part of the IsaFoL project \cite{isafol}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Rewriting_Z/document/root.tex b/thys/Rewriting_Z/document/root.tex --- a/thys/Rewriting_Z/document/root.tex +++ b/thys/Rewriting_Z/document/root.tex 
@@ -1,70 +1,71 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Z Property} \author{Bertram Felgenhauer, Julian Nagele, Vincent van Oostrom, Christian Sternagel\thanks{% This work was partially supported by FWF (Austrian Science Fund) projects P27502 and P27528.}} \maketitle \begin{abstract} We formalize the Z property introduced by Dehornoy and van~Oostrom~\cite{DO08}. First we show that for any abstract rewrite system, Z implies confluence. Then we give two examples of proofs using Z: confluence of lambda-calculus with respect to beta-reduction and confluence of combinatory logic. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Ribbon_Proofs/document/root.tex b/thys/Ribbon_Proofs/document/root.tex --- a/thys/Ribbon_Proofs/document/root.tex +++ b/thys/Ribbon_Proofs/document/root.tex 
@@ -1,55 +1,56 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Ribbon Proofs for Separation Logic \\ (Isabelle Formalisation)} \author{John Wickerson} \maketitle \begin{abstract} This document concerns the theory of \emph{ribbon proofs}: a diagrammatic proof system, based on separation logic, for verifying program correctness. We include the syntax, proof rules, and soundness results for two alternative formalisations of ribbon proofs. Compared to traditional `proof outlines', ribbon proofs emphasise the structure of a proof, so are intelligible and pedagogical. Because they contain less redundancy than proof outlines, and allow each proof step to be checked locally, they may be more scalable. Where proof outlines are cumbersome to modify, ribbon proofs can be visually manoeuvred to yield proofs of variant programs. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} Ribbon proofs are a diagrammatic approach for proving program correctness, based on separation logic. They are due to Wickerson, Dodds and Parkinson~\cite{wickerson+13}, and are also described in Wickerson's PhD dissertation~\cite{wickerson13}. An early version of the proof system, for proving entailments between quantifier-free separation logic assertions, was introduced by Bean~\cite{bean06}. Compared to traditional `proof outlines', ribbon proofs emphasise the structure of a proof, so are intelligible and pedagogical. Because they contain less redundancy than proof outlines, and allow each proof step to be checked locally, they may be more scalable. Where proof outlines are cumbersome to modify, ribbon proofs can be visually manoeuvred to yield proofs of variant programs. 
In this document, we formalise a two-dimensional graphical syntax for ribbon proofs, provide proof rules, and show that any provable ribbon proof can be recreated using the ordinary rules of separation logic. In fact, we provide two different formalisations. Our ``stratified'' formalisation sees a ribbon proof as a sequence of rows, with each row containing one step of the proof. This formalisation is very simple, but it does not reflect the visual intuition of ribbon proofs, which suggests that some proof steps can be slid up or down without affecting the validity of the overall proof. Our ``graphical'' formalisation sees a ribbon proof as a graph; specifically, as a directed acyclic nested graph. Ribbon proofs formalised in this way are more manoeuvrable, but proving soundness is trickier, and requires the assumption that separation logic's Frame rule has no side-condition (an assumption that can be validated by using, for instance, variables-as-resource~\cite{bornat+06}). % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Robbins-Conjecture/document/root.tex b/thys/Robbins-Conjecture/document/root.tex --- a/thys/Robbins-Conjecture/document/root.tex +++ b/thys/Robbins-Conjecture/document/root.tex 
@@ -1,30 +1,31 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Complete Proof of the Robbins Conjecture} \author{Matthew Wampler-Doty} \maketitle \begin{abstract} The document gives a formalization of the proof of the Robbins conjecture, following A. Mann, \emph{A Complete Proof of the Robbins Conjecture}, 2003. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \end{document} diff --git a/thys/Robinson_Arithmetic/document/root.tex b/thys/Robinson_Arithmetic/document/root.tex --- a/thys/Robinson_Arithmetic/document/root.tex +++ b/thys/Robinson_Arithmetic/document/root.tex @@ -1,43 +1,43 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{Robinson Arithmetic} \author{Andrei Popescu \and Dmitriy Traytel} \maketitle \begin{abstract} We instantiate our syntax-independent logic infrastructure developed in \href{https://www.isa-afp.org/entries/Syntax_Independent_Logic.html}{a separate AFP entry} to the FOL theory of Robinson arithmetic (also known as Q). The latter was formalised using Nominal Isabelle by adapting \href{https://www.isa-afp.org/entries/Incompleteness.html}{Larry Paulson’s formalization of the Hereditarily Finite Set theory}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Root_Balanced_Tree/document/root.tex b/thys/Root_Balanced_Tree/document/root.tex --- a/thys/Root_Balanced_Tree/document/root.tex +++ b/thys/Root_Balanced_Tree/document/root.tex @@ -1,40 +1,41 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Root-Balanced Tree} \author{Tobias Nipkow} \maketitle \begin{abstract} Andersson~\cite{Andersson89,Andersson99} introduced \emph{general balanced trees}, search trees based on the design principle of partial rebuilding: perform update operations naively until the tree becomes too unbalanced, at which point a whole subtree is rebalanced. This article defines and analyzes a functional version of general balanced trees, which we call \emph{root-balanced trees}. Using a lightweight model of execution time, amortized logarithmic complexity is verified in the theorem prover Isabelle. This is the Isabelle formalization of the material decribed in the APLAS 2017 article \emph{Verified Root-Balanced Trees} by the same author~\cite{Nipkow-APLAS2017} which also presents experimental results that show competitiveness of root-balanced with AVL and red-black trees. \end{abstract} % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Routing/document/root.tex b/thys/Routing/document/root.tex --- a/thys/Routing/document/root.tex +++ b/thys/Routing/document/root.tex 
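Review bot: documentation nit in the Root_Balanced_Tree hunk's context lines: `the material decribed in the APLAS 2017 article` should read `described`; since the preamble is being edited anyway, fix it in the same change.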
@@ -1,57 +1,58 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Routing} \author{Julius Michaelis, Cornelius Diekmann} \maketitle \begin{abstract} This entry contains definitions for routing with routing tables/longest prefix matching. A routing table entry is modelled as a record of a prefix match, a metric, an output port, and an optional next hop. A routing table is a list of entries, sorted by prefix length and metric. Additionally, a parser and serializer for the output of the ip-route command, a function to create a relation from output port to corresponding destination IP space, and a model of a linux style router are included. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Roy_Floyd_Warshall/document/root.tex b/thys/Roy_Floyd_Warshall/document/root.tex --- a/thys/Roy_Floyd_Warshall/document/root.tex +++ b/thys/Roy_Floyd_Warshall/document/root.tex 
@@ -1,41 +1,41 @@ \documentclass[11pt,a4paper]{article} -\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} \usepackage{url} \usepackage{isabelle,isabellesym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \renewcommand{\isadigit}[1]{\isamath{#1}} \isadroptag{theory} \begin{document} \title{Transitive closure according to Roy-Floyd-Warshall} \author{Makarius Wenzel} \maketitle \begin{abstract} This formulation of the Roy-Floyd-Warshall algorithm for the transitive closure bypasses matrices and arrays, but uses a more direct mathematical model with adjacency functions for immediate predecessors and successors. This can be implemented efficiently in functional programming languages and is particularly adequate for sparse relations. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/SATSolverVerification/document/root.tex b/thys/SATSolverVerification/document/root.tex --- a/thys/SATSolverVerification/document/root.tex +++ b/thys/SATSolverVerification/document/root.tex 
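Review bot: in the Roy_Floyd_Warshall hunk, `-\usepackage[utf8]{inputenc}` / `+\usepackage[T1]{fontenc}` is not a like-for-like replacement: inputenc declares the input encoding, fontenc the output font encoding. Dropping inputenc is only safe because LaTeX kernels since 2018 default to UTF-8 input; the commit message should state that minimum TeX requirement, as it now applies to every entry touched by this series.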
@@ -1,61 +1,62 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{SAT Solver verification} \author{By Filip Mari\' c} \maketitle \abstract{ This document contains formall correctness proofs of modern SAT solvers. Two different approaches are used --- state-transition systems and shallow embedding into HOL. Formalization based on state-transition systems follows \cite{KrsticGoel,NieuwenhuisOliverasTinelli}. Several different SAT solver descriptions are given and their partial correctness and termination is proved. These include: \begin{enumerate} \item a solver based on classical DPLL procedure (based on backtrack-search with unit propagation), \item a very general solver with backjumping and learning (similiar to the description given in \cite{NieuwenhuisOliverasTinelli}), and \item a solver with a specific conflict analysis algorithm (similiar to the description given in \cite{KrsticGoel}). \end{enumerate} Formalization based on shallow embedding into HOL defines a SAT solver as a set or recursive HOL functions. Solver supports most state-of-the art techniques including the two-watch literal propagation scheme. Within the SAT solver correctness proofs, a large number of lemmas about propositional logic and CNF formulae are proved. This theory is self-contained and could be used for further exploring of properties of CNF based SAT algorithms. } \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/SC_DOM_Components/document/root.tex b/thys/SC_DOM_Components/document/root.tex 
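Review bot: the SATSolverVerification abstract, kept as context in this hunk, carries several typos worth fixing while the file is open: `formall correctness proofs` (formal), `similiar` twice (similar), `a set or recursive HOL functions` (a set of), and `further exploring of properties` (further exploration of the properties). Separately, the abstract is written as a command, `\abstract{ ... }`, rather than the `\begin{abstract} ... \end{abstract}` environment used by the other root.tex files in this series; the command form never runs the environment's closing code, so the `\small` and the `quotation` that the article class opens for the abstract are never undone and everything after it (table of contents, theory text) inherits them. Switching to the environment is a two-line fix.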
--- a/thys/SC_DOM_Components/document/root.tex +++ b/thys/SC_DOM_Components/document/root.tex 
@@ -1,255 +1,256 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} \usepackage[USenglish]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{listings} \lstloadlanguages{HTML} \usepackage[]{mathtools} \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} \lstdefinestyle{html}{language=XML, basicstyle=\ttfamily, commentstyle=\itshape, keywordstyle=\color{blue}, ndkeywordstyle=\color{blue}, } \lstdefinestyle{displayhtml}{style=html, floatplacement={tbp}, captionpos=b, framexleftmargin=0pt, basicstyle=\ttfamily\scriptsize, backgroundcolor=\color{black!2}, frame=lines, } \lstnewenvironment{html}[1][]{\lstset{style=displayhtml, #1}}{} \def\inlinehtml{\lstinline[style=html, columns=fullflexible]} \newsavebox{\fstlst} \newsavebox{\sndlst} \usepackage[caption=false]{subfig} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{A Formalization of Safely Composable Web Components} \author{Achim~D.~Brucker \and Michael~Herzberg}% \publishers{ \footnotemark[1]~Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, } \texttt{a.brucker@exeter.ac.uk}\\[2em] % \footnotemark[2]~ Department of Computer Science, The University of Sheffield, Sheffield, UK\texorpdfstring{\\}{, } \texttt{msherzberg1@sheffield.ac.uk} } \begin{document} \maketitle \begin{abstract} \begin{quote} While the (safely composable) DOM with shadow trees provide the technical basis for defining web components, it does neither defines the concept of web components nor specifies the safety 
properties that web components should guarantee. Consequently, the standard also does not discuss how or even if the methods for modifying the DOM respect component boundaries. In AFP entry, we present a formally verified model of \emph{safely composable} web components and define safety properties which ensure that different web components can only interact with each other using well-defined interfaces. Moreover, our verification of the application programming interface (API) of the DOM revealed numerous invariants that implementations of the DOM API need to preserve to ensure the integrity of components. In comparison to the strict standard compliance formalization of Web Components in the AFP entry ``DOM Components'', the notion of components in this entry (based on ``SC DOM'' and ``Shadow SC DOM'') provides much stronger safety guarantees. \bigskip \noindent{\textbf{Keywords:} Web Components, DOM} \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} The trend towards ever more complex client-side web applications is unstoppable. Compared to traditional software development, client-side web development lacks a well-established component model which allows easily and safely reusing implementations. The Document Object Model (DOM) essentially defines a tree-like data structure (the \emph{node tree}) for representing documents in general and HTML documents in particular. \emph{Shadow trees} are a recent addition to the DOM standard~\cite{whatwg:dom:2019} to enable web developers to partition the node tree into ``sub-trees.'' The vision of shadow trees is to enable web developers to provide a library of re-usable and customizable widgets. For example, let us consider a multi-tab view called \emph{Fancy Tab}, which is a simplified version of~\cite{bidelman:self-contained:2017}. 
\begin{figure}[b] \begin{lrbox}{\fstlst}% \begin{minipage}{.34\linewidth} \centering \includegraphics[width=\linewidth]{fancytabs-normal} \end{minipage} \end{lrbox} \begin{lrbox}{\sndlst}% \begin{minipage}{.63\linewidth} \begin{html}[basicstyle=\ttfamily\scriptsize]
content panel 1
  • News Item 1
  • News Item 2
  • News Item 3
content panel 3
\end{html} \end{minipage} \end{lrbox} \subfloat[\label{fig:running-example-user} User view ]{\usebox{\fstlst}}% \hfill% \subfloat[\label{fig:running-example-consumer} Consumer view ]{\usebox{\sndlst}} \caption{A simple example: a fancy tab component.}\label{fig:running-example} \end{figure} The left-hand side of \autoref{fig:running-example} shows the rendered output of the widget in use while the right-hand side shows the HTML source code snippet. It provides a custom HTML tag \inlinehtml{} using an HTML template that developers can use to include the widget. Its children will be rendered inside the widget, more precisely, inside its \emph{slots} (elements of type \inlinehtml{slot}). It has a slot called ``title'' and a default slot, which receives all children that do not specify a ``slot'' attribute. It is important to understand that slotting does \emph{not change} the structure of the DOM (\ie, the underlying pointer graph): instead, slotting is implemented using special element attributes such as ``slot,'' which control the final rendering. The DOM standard specifies methods that inspect the effect of these attributes such as \texttt{assigned\_slot}, but the majority of DOM methods do not consider the semantics of these attributes and therefore do not traverse into shadow trees. This provides an important boundary for client-side code. For example, a JavaScript program coming from the widget developer that changes the style attributes of the ``Previous Tab'' and ``Next Tab'' buttons in the lower corners of the widget will not affect buttons belonging to other parts coming from outside, \ie, the application of the widget consumer. Similarly, a JavaScript program that changes the styles of buttons outside of Fancy Tab, such as the navigation buttons, will not have any effect on them, even in the case of duplicate identifiers. 
Sadly, the DOM standard neither defines the concept of web components nor specifies the safety properties that they should guarantee, not even informally. Consequently, the standard also does not discuss how or even if the methods for modifying the node tree respect component boundaries. Thus, shadow roots are only the very first step in defining a safe web component model. Earlier~\cite{brucker.ea:core-dom:2018,brucker.ea:afp-core-sc-dom:2020}, we presented a formalization of the ``flat'' DOM (called Core DOM) without any support for shadow trees or components. We then extended this formalisation with support for shadow trees and slots~\cite{brucker.ea:afp-shadow-sc-dom:2020}. In this AFP entries, we use the basis provided by our earlier work for defining a \emph{formally verified model of web components} in general and, in particular, the notion of \emph{weak} and \emph{strong component safety}. For all methods that query, modify, or transform the DOM, we formally analyze their level of component safety. In more detail, the contribution of this AFP entry is four-fold: \begin{enumerate} \item We provide a formal model of web components and their safety guarantees to web developers, enabling a compositional development of web applications, \item for each method, we formally verify that it is either weakly or strongly component safe, or we provide a proof showing that it is not component safe, \item we fill the gaps in the standard by explicitly formalizing invariants that are left out in the standard. These invariants are required to ensure that methods in the standard preserve a valid node tree. Finally, \item we present a formal model of the DOM with shadow roots including the methods for querying, modifying, and transforming DOM instances with shadow roots. 
\end{enumerate} Overall, our work gives web developers the guarantee that their code will respect the component boundaries as long as they abstain from or are careful when using certain DOM methods such as \texttt{appendChild} or \texttt{ownerDocument}. The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle (we refer readers interested in a more high-level presentation of the work to \cite{herzberg:web-components:2020, brucker.ea:web-components:2019}. The structure follows the theory dependencies (see \autoref{fig:session-graph}). \paragraph{Important Note:} This document describes the formalization of the \emph{Safely Composable Web Components} (based on the SC DOM), which deviated in one important aspect from the official DOM standard: in the SC DOM, the shadow root is a sub-class of the document class (instead of a base class). This modification results in a stronger notion of web components that provide improved safety properties for the composition of web components. While the SC DOM still passes the compliance test suite as provided by the authors of the DOM standard, its data model is different. We refer readers interested in a formalisation of the standard compliant DOM to the AFP entries ``Core\_DOM''~\cite{brucker.ea:afp-core-dom:2018}, ``Shadow\_DOM''~\cite{brucker.ea:afp-shadow-dom:2020}, and ``COM\_Components''~\cite{brucker.ea:afp-dom-components:2020}. 
\begin{figure} \centering \includegraphics[width=.8\textwidth]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} \clearpage \chapter{Safely Composable Web Components} \label{cha:components} \input{Core_DOM_DOM_Components.tex} \input{Core_DOM_SC_DOM_Components.tex} \input{Shadow_DOM_DOM_Components.tex} \input{Shadow_DOM_SC_DOM_Components.tex} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/SDS_Impossibility/document/root.tex b/thys/SDS_Impossibility/document/root.tex --- a/thys/SDS_Impossibility/document/root.tex +++ b/thys/SDS_Impossibility/document/root.tex 
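Review bot: the SC_DOM_Components hunk keeps a wrong cross-reference in the `Important Note` paragraph: the third AFP entry is written ``COM\_Components'', but its citation key is `brucker.ea:afp-dom-components:2020` and the sibling entries are `Core\_DOM` and `Shadow\_DOM`, so it should be ``DOM\_Components''. Other slips in the same context lines worth fixing in this change: `it does neither defines the concept` (it neither defines), `In AFP entry, we present` (In this AFP entry), `In this AFP entries, we use` (In this AFP entry), `which deviated in one important aspect` (deviates), and the parenthesis opened at `(we refer readers interested in a more high-level presentation` is never closed before `The structure follows`.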
@@ -1,65 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{The Incompatibility of \textit{SD}-Efficiency and \textit{SD}-Strategy-Proofness} \author{Manuel Eberl} \maketitle \begin{abstract} This formalisation contains the proof that there is no anonymous and neutral Social Decision Scheme for at least four voters and alternatives that fulfils both \textit{SD}-Efficiency and \textit{SD}-Strategy-Proofness. The proof is a fully structured and quasi-human-redable one. It was derived from the (unstructured) SMT proof of the case for exactly four voters and alternatives by Brandl\ \textit{et~al.}~\cite{smt}. Their proof relies on an unverified translation of the original problem to SMT, and the proof that lifts the argument for exactly four voters and alternatives to the general case is also not machine-checked. In this Isabelle proof, on the other hand, all of these steps are also fully proven and machine-checked. This is particularly important seeing as a previously published informal proof of a weaker statement contained a mistake in precisely this lifting step.~\cite{extendrd} \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \newpage \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
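Review bot: in the SDS_Impossibility hunk's abstract, `quasi-human-redable` should be `quasi-human-readable`, and the citation sits after the full stop in `in precisely this lifting step.~\cite{extendrd}`; move it before the stop, as is done earlier with `Brandl\ \textit{et~al.}~\cite{smt}`.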
diff --git a/thys/SIFPL/document/root.tex b/thys/SIFPL/document/root.tex --- a/thys/SIFPL/document/root.tex +++ b/thys/SIFPL/document/root.tex @@ -1,52 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{url,amssymb,amsthm} - \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Secure information flow and program logics --- Isabelle/HOL sources} \author{Lennart Beringer and Martin Hofmann} \maketitle \begin{abstract} We present interpretations of type systems for secure information flow in Hoare logic, complementing previous encodings in relational program logics. We first treat the imperative language {\bf IMP}, extended by a simple procedure call mechanism. For this language we consider base-line non-interference in the style of Volpano et al.~\cite{VolpanoSmithIrvine:JCS1996} and the flow-sensitive type system by Hunt and Sands \cite{HuntSands:POPL2006}. In both cases, we show how typing derivations may be used to automatically generate proofs in the program logic that certify the absence of illicit flows. We then add instructions for object creation and manipulation, and derive appropriate proof rules for base-line non-interference. As a consequence of our work, standard verification technology may be used for verifying that a concrete program satisfies the non-interference property. The present proof development represents an update of the formalisation underlying our paper~\cite{BeringerHofmann:CSF2007} and is intended to resolve any ambiguities that may be present in the paper. \end{abstract} \tableofcontents \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/SIFUM_Type_Systems/document/root.tex b/thys/SIFUM_Type_Systems/document/root.tex --- a/thys/SIFUM_Type_Systems/document/root.tex 
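Review bot: removing `\usepackage{url,amssymb,amsthm}` and `\usepackage{stmaryrd}` in the SIFPL hunk goes beyond the encoding clean-up, and the `-1,52 +1,51` header confirms the two deletions against one addition. `url` is harmless to drop since pdfsetup pulls in hyperref, which provides `\url`, but `amssymb` and `stmaryrd` supply glyphs that isabellesym maps Isabelle symbols to, and `\input{session}` includes every theory of the entry; a symbol in the generated text that needs one of those packages will now fail the build. Please either confirm the session document was rebuilt after this change or keep the symbol packages (the `% further packages required for unusual symbols` comment in the neighbouring root.tex files is exactly about this).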
+++ b/thys/SIFUM_Type_Systems/document/root.tex 
@@ -1,104 +1,104 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} % Input encoding \usepackage[american]{babel} % Language \usepackage[defblank]{paralist} % for compact lists \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} \usepackage{stmaryrd} \usepackage{verbatim} \usepackage{dot2texi} \usepackage{pdfpages} \newtheorem{definition}{Definition}[section] \newtheorem{theorem}{Theorem}[section] \newtheorem{lemma}{Lemma}[section] \newcommand{\definitionautorefname}{Definition} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} %========= DRAFT ONLY =============== \makeatletter \newcommand\CO[1]{% \@tempdima=\linewidth% \advance\@tempdima by -2\fboxsep% \advance\@tempdima by -2\fboxrule% \leavevmode\par\noindent% \fbox{\parbox{\the\@tempdima}{\small\sf #1}}% \smallskip\par} \newcommand\NOTE[2][Note]{% \leavevmode\marginpar{\raggedright\hangindent=1ex\small\textbf{#1: }#2}} \newcommand\OLD[1]{% \slshape[\textbf{old: }\ignorespaces #1\unskip]} %======= END DRAFT ONLY ============= \title{A Formalization of Assumptions and Guarantees for Compositional Noninterference} \author{Sylvia Grewe, Heiko Mantel, Daniel Schoepe} \begin{document} \maketitle % sane default for proof documents \parindent 0pt\parskip 0.5ex \begin{abstract} Research in information-flow security aims at developing methods to identify undesired information leaks within programs from private (high) sources to public (low) sinks. For a concurrent system, it is desirable to have compositional analysis methods that allow for analyzing each thread independently and that nevertheless guarantee that the parallel composition of successfully analyzed threads satisfies a global security guarantee. 
However, such a compositional analysis should not be overly pessimistic about what an environment might do with shared resources. Otherwise, the analysis will reject many intuitively secure programs. The paper "Assumptions and Guarantees for Compositional Noninterference" by Mantel et. al. \cite{conf/csfw/MantelSS11} presents one solution for this problem: an approach for compositionally reasoning about non-interference in concurrent programs via rely-guarantee-style reasoning. We present an Isabelle/HOL formalization of the concepts and proofs of this approach. The formalization includes the following parts: \begin{compactitem} \item Notion of SIFUM-security and preliminary concepts:\\ \texttt{Preliminaries.thy}, \texttt{Security.thy} \item Compositionality proof: \texttt{Compositionality.thy} \item Example language: \texttt{Language.thy} \item Type system for ensuring SIFUM-security and soundness proof: \\ \texttt{TypeSystem.thy} \item Type system for ensuring sound use of modes and soundness proof: \texttt{LocallySoundUseOfModes.thy} \end{compactitem} \end{abstract} \tableofcontents \input{Preliminaries.tex} \input{Security.tex} \input{Compositionality.tex} \input{Language.tex} \input{TypeSystem.tex} \input{LocallySoundModeUse.tex} \bibliography{root} \bibliographystyle{alpha} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/SPARCv8/document/root.tex b/thys/SPARCv8/document/root.tex --- a/thys/SPARCv8/document/root.tex +++ b/thys/SPARCv8/document/root.tex 
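Review bot: the SIFUM_Type_Systems hunk leaves an inconsistency between abstract and body: the abstract lists `\texttt{LocallySoundUseOfModes.thy}` for the mode-use type system, while the body does `\input{LocallySoundModeUse.tex}`; the generated `.tex` is named after the theory, so one of the two names is wrong (the other four theory names do match their `\input` lines). Please align them. Also `Mantel et. al.` should be `Mantel et al.`, and the `DRAFT ONLY` block (`\CO`, `\NOTE`, `\OLD`) is only defined here, never used in this file; if the theories' document text does not use it either, it could be dropped in a follow-up.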
@@ -1,74 +1,75 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A formal model for the SPARCv8 ISA and a proof of non-interference for the LEON3 processor} \author{Zh\'e H\'ou, David San\'an, Alwen Tiu and Yang Liu} \maketitle \begin{abstract} We formalise the SPARCv8 instruction set architecture (ISA) which is used in processors such as LEON3. Our formalisation can be specialised to any SPARCv8 CPU, here we use LEON3 as a running example. Our model covers the operational semantics for all the instructions in the integer unit of the SPARCv8 architecture and it supports Isabelle code export, which effectively turns the Isabelle model into a SPARCv8 CPU simulator. We prove the language-based non-interference property for the LEON3 processor. Our model is based on deterministic monad, which is a modified version of the non-deterministic monad from NICTA/l4v. We also use the Word library developed by Jeremy Dawson and Gerwin Klein. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Safe_Distance/document/root.tex b/thys/Safe_Distance/document/root.tex 
--- a/thys/Safe_Distance/document/root.tex +++ b/thys/Safe_Distance/document/root.tex @@ -1,73 +1,74 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amsmath} \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A Formally Verified Checker of the Safe Distance Traffic Rules for Autonomous Vehicles} \author{Albert Rizaldi, Fabian Immler} \maketitle \begin{abstract} The Vienna Convention on Road Traffic defines the safe distance traffic rules informally. This could make autonomous vehicle liable for safe-distance-related accidents because there is no clear definition of how large a safe distance is. We provide a formally proven prescriptive definition of a safe distance, and checkers which can decide whether an autonomous vehicle is obeying the safe distance rule. Not only does our work apply to the domain of law, but it also serves as a specification for autonomous vehicle manufacturers and for online verification of path planners. This formalization accompanies our paper "A Formally Verified Checker of the Safe Distance Traffic Rules for Autonomous Vehicles".~\cite{NASA/RizaldiImmlerAlthoff16} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Safe_OCL/document/root.tex b/thys/Safe_OCL/document/root.tex --- a/thys/Safe_OCL/document/root.tex +++ b/thys/Safe_OCL/document/root.tex 
@@ -1,73 +1,74 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[english]{babel} \usepackage{caption} \usepackage[flushleft]{threeparttable} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \captionsetup[table]{skip=10pt} \makeatletter \newenvironment{abstract}{% \small \begin{center}% {\bfseries \abstractname\vspace{-.5em}\vspace{\z@}}% \end{center}% \quotation}{\endquotation} \makeatother % HACK: It's required to align multiline definitions and lemmas \renewcommand{\isachardoublequoteopen}{\ } \renewcommand{\isachardoublequoteclose}{\ } \begin{document} \title{Safe OCL} \author{Denis Nikiforov} \maketitle \begin{abstract} The theory is a formalization of the OCL type system, its abstract syntax and expression typing rules~\cite{OCL24}. The theory does not define a concrete syntax and a semantics. In contrast to Featherweight OCL~\cite{Featherweight_OCL-AFP}, it is based on a deep embedding approach. The type system is defined from scratch, it is not based on the Isabelle HOL type system. The Safe OCL distincts nullable and non-nullable types. Also the theory gives a formal definition of safe navigation operations~\cite{DBLP:conf/models/Willink15}. The Safe OCL typing rules are much stricter than rules given in the OCL specification. It allows one to catch more errors on a type checking phase. The type theory presented is four-layered: classes, basic types, generic types, errorable types. We introduce the following new types: non-nullable types (\isa{{\isasymtau}{\isacharbrackleft}{\isadigit{1}}{\isacharbrackright}}), nullable types (\isa{{\isasymtau}{\isacharbrackleft}{\isacharquery}{\isacharbrackright}}), \isa{OclSuper}. \isa{OclSuper} is a supertype of all other types (basic types, collections, tuples). 
This type allows us to define a total supremum function, so types form an upper semilattice. It allows us to define rich expression typing rules in an elegant manner. The Preliminaries Section of the theory defines a number of helper lemmas for transitive closures and tuples. It defines also a generic object model independent from OCL. It allows one to use the theory as a reference for formalization of analogous languages. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{ieeetr} \bibliography{root} \end{document} diff --git a/thys/Saturation_Framework/document/root.tex b/thys/Saturation_Framework/document/root.tex --- a/thys/Saturation_Framework/document/root.tex +++ b/thys/Saturation_Framework/document/root.tex 
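Review bot: wording fixes for the Safe_OCL abstract kept as context in this hunk: `The Safe OCL distincts nullable and non-nullable types` (distinguishes between), `catch more errors on a type checking phase` (at the type-checking phase), `It defines also a generic object model` (It also defines), and `as a reference for formalization of analogous languages` (for formalizing). The fontenc line itself is placed correctly, before `babel` and the other packages.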
@@ -1,90 +1,87 @@ %Some LaTeX checking: no bad pratices %\RequirePackage[l2tabu, orthodox]{nag} %\RequirePackage[all,error]{onlyamsmath} \RequirePackage{fixltx2e} \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed % lualatex %\usepackage{spelling} \usepackage{fullpage} \usepackage{graphicx} \usepackage{comment} \usepackage{mdframed} -%% Saisie en UTF-8 -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} -\usepackage{lmodern} \usepackage{subcaption} %% Pour composer des mathématiques \usepackage{amsmath,amssymb, amsthm} \usepackage{nicefrac} \usepackage{tikz} \usetikzlibrary{decorations, arrows, shapes, automata, mindmap, trees} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ \usepackage{wasysym} %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Comprehensive Framework for Saturation Theorem Proving} \author{Sophie Tourret} \maketitle \begin{abstract} This Isabelle/HOL formalization is the companion of the technical report ``A comprehensive framework for saturation theorem proving'', itself companion of the eponym IJCAR 2020 paper, written by Uwe Waldmann, Sophie Tourret, Simon Robillard and Jasmin Blanchette. 
It verifies a framework for formal refutational completeness proofs of abstract provers that implement saturation calculi, such as ordered resolution or superposition, and allows to model entire prover architectures in such a way that the static refutational completeness of a calculus immediately implies the dynamic refutational completeness of a prover implementing the calculus using a variant of the given clause loop. The technical report ``A comprehensive framework for saturation theorem proving'' is available at \url{http://matryoshka.gforge.inria.fr/pubs/satur\_report.pdf}. The names of the Isabelle lemmas and theorems corresponding to the results in the report are indicated in the margin of the report. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Saturation_Framework_Extensions/document/root.tex b/thys/Saturation_Framework_Extensions/document/root.tex --- a/thys/Saturation_Framework_Extensions/document/root.tex +++ b/thys/Saturation_Framework_Extensions/document/root.tex 
@@ -1,103 +1,100 @@ %Some LaTeX checking: no bad pratices %\RequirePackage[l2tabu, orthodox]{nag} %\RequirePackage[all,error]{onlyamsmath} \RequirePackage{fixltx2e} \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed % lualatex %\usepackage{spelling} \usepackage{fullpage} \usepackage{graphicx} \usepackage{comment} \usepackage{mdframed} -%% Saisie en UTF-8 -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} -\usepackage{lmodern} \usepackage{subcaption} %% Pour composer des mathématiques \usepackage{amsmath,amssymb, amsthm} \usepackage{nicefrac} \usepackage{tikz} \usetikzlibrary{decorations, arrows, shapes, automata, mindmap, trees} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ \usepackage{wasysym} %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \hyphenation{Schlicht-krull} \begin{document} \title{Extensions to the Comprehensive Framework for Saturation Theorem Proving} \author{Jasmin Blanchette \and Sophie Tourret} \maketitle \begin{abstract} \noindent This Isabelle/HOL formalization extends the \verb|Saturation_Framework| entry of the \emph{Archive of Formal Proofs} with the following contributions: \begin{itemize} \item an application of the framework to prove Bachmair and Ganzinger's resolution prover \textsf{RP} refutationally complete, which was formalized in a more ad hoc fashion by Schlichtkrull et al.\ in the \emph{AFP} entry \verb|Ordered_Resultion_Prover|; \item generalizations of various basic concepts formalized by Schlichtkrull et al., which were needed to verify \textsf{RP} and could be 
useful to formalize other calculi, such as superposition; \item alternative proofs of fairness (and hence saturation and ultimately refutational completeness) for the eager and lazy given clause procedures (\textsf{GC} and \textsf{LGC}) based on invariance. \end{itemize} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Secondary_Sylow/document/root.tex b/thys/Secondary_Sylow/document/root.tex --- a/thys/Secondary_Sylow/document/root.tex +++ b/thys/Secondary_Sylow/document/root.tex @@ -1,40 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Secondary Sylow Theorems} \author{Jakob von Raumer} \maketitle \begin{abstract} These theories extend the existent proof of the first sylow theorem (written by Florian Kammueller and L. C. Paulson) by what is often called the second, third and fourth sylow theorem. These theorems state propositions about the number of Sylow $p$-subgroups of a group and the fact that they are conjugate to each other. The proofs make use of an implementation of group actions and their properties. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Security_Protocol_Refinement/document/root.tex b/thys/Security_Protocol_Refinement/document/root.tex --- a/thys/Security_Protocol_Refinement/document/root.tex 
+++ b/thys/Security_Protocol_Refinement/document/root.tex 
@@ -1,164 +1,165 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % Project: Development of Security Protocols by Refinement % % Module: document/session_graph.tex (Isabelle/HOL 2016-1) % ID: $Id: root.tex 134929 2017-05-24 18:27:58Z csprenge $ % Author: Christoph Sprenger, ETH Zurich % % session graph for PDF document % % Copyright (c) 2009-2017 Christoph Sprenger % Licence: LGPL % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % input user-defined stuff \usepackage{a4wide} \input{isapreamble.tex} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage[greek,english]{babel} %option greek for \ %option english (default language) for \, \ %\usepackage[utf8]{inputenc} %for \, \, \, \, %\, \, \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Development of Security Protocols by Refinement} \author{Christoph Sprenger and Ivano Somaini \\[.5ex] ETH Zurich, Switzerland} \maketitle \begin{abstract} We propose a development method for security protocols based on stepwise refinement. Our refinement strategy transforms abstract security goals into protocols that are secure when operating over an insecure channel controlled by a Dolev-Yao-style intruder. As intermediate levels of abstraction, we employ messageless guard protocols and channel protocols communicating over channels with security properties. 
These abstractions provide insights on why protocols are secure and foster the development of families of protocols sharing common structure and properties. We have implemented our method in Isabelle/HOL and used it to develop different entity authentication and key establishment protocols, including realistic features such as key confirmation, replay caches, and encrypted tickets. Our development highlights that guard protocols and channel protocols provide fundamental abstractions for bridging the gap between security properties and standard protocol descriptions based on cryptographic messages. It also shows that our refinement approach scales to protocols of nontrivial size and complexity. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % display the theory dependency graph \include{session_graph} \section*{Preamble} \subsection*{Related Publications} The following papers describe our results in more detail: \begin{itemize} \item Christoph Sprenger and David Basin, \emph{Developing Security Protocols by Refinement}, CCS 2010. \item Christoph Sprenger and David Basin, \emph{Refining Key Establishment}, CSF 2012. \item Christoph Sprenger and David Basin, \emph{Refining Security Protocols}, Journal of Computer Security (in submission), 2017. \end{itemize} Note: The Isabelle/HOL sources in this distribution also include the treatment of session key compromise. This is described in our journal paper (see above), which subsumes the CCS 2010 and CSF 2012 papers. \subsection*{Mapping the model names in our papers to the Isabelle/HOL theories} For the sake of the presentation, the papers use shorter names for the models than the Isabelle theories. Here is a mapping of the names. On the left you find the model name used in the papers and on the right the corresponding Isabelle/HOL theory name. Note that the Isabelle theories contain a separate lemma or theorem for each invariant and refinement result. 
\begin{description} \item[Level 0] \mbox{ } \begin{verbatim} Refinement/ s0 s0g_secrecy a0n a0n_agree a0i a0i_agree \end{verbatim} \item[Level 1] \mbox{ } \begin{verbatim} Auth_simple/ a1 m1_auth Key_establish/ kt1 m1_keydist kt1in m1_keydist_iirn kt1nn m1_keydist_inrn nssk1 m1_nssk krb1 m1_kerberos ds1 m1_ds \end{verbatim} \item[Level 2] \mbox{ } \begin{verbatim} Auth_simple/ a2 m2_auth_chan c2 m2_confid_chan Key_establish/ nssk2 m2_nssk krb2 m2_kerberos ds2 m2_ds \end{verbatim} \item[Level 3] \mbox{ } \begin{verbatim} Auth_simple/ iso3 m3_sig nsl3 m3_enc Key_establish/ nssk3d m3_nssk_par nssk3 m3_nssk krb3d m3_kerberos_par krb3v m3_kerberos5 krb3iv m3_kerberos4 ds3d m3_ds_par ds3 m3_ds \end{verbatim} \end{description} % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Selection_Heap_Sort/document/root.tex b/thys/Selection_Heap_Sort/document/root.tex --- a/thys/Selection_Heap_Sort/document/root.tex +++ b/thys/Selection_Heap_Sort/document/root.tex 
@@ -1,294 +1,295 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{ Verification of Selection and Heap Sort Using Locales} \author{Danijela Petrovi\'c} \maketitle \begin{abstract} Stepwise program refinement techniques can be used to simplify program verification. Programs are better understood since their main properties are clearly stated, and verification of rather complex algorithms is reduced to proving simple statements connecting successive program specifications. Additionally, it is easy to analyze similar algorithms and to compare their properties within a single formalization. Usually, formal analysis is not done in educational setting due to complexity of verification and a lack of tools and procedures to make comparison easy. Verification of an algorithm should not only give correctness proof, but also better understanding of an algorithm. If the verification is based on small step program refinement, it can become simple enough to be demonstrated within the university-level computer science curriculum. In this paper we demonstrate this and give a formal analysis of two well known algorithms (Selection Sort and Heap Sort) using proof assistant Isabelle/HOL and program refinement techniques. \end{abstract} \tableofcontents % ------------------------------------------------------------------------------ \section{Introduction} % ------------------------------------------------------------------------------ \paragraph*{Using program verification within computer science education.} Program verification is usually considered to be too hard and long process that acquires good mathematical background. A verification of a program is performed using mathematical logic. 
Having the specification of an algorithm inside the logic, its correctness can be proved again by using the standard mathematical apparatus (mainly induction and equational reasoning). These proofs are commonly complex and the reader must have some knowledge about mathematical logic. The reader must be familiar with notions such as satisfiability, validity, logical consequence, etc. Any misunderstanding leads into a loss of accuracy of the verification. These formalizations have common disadvantage, they are too complex to be understood by students, and this discourage students most of the time. Therefore, programmers and their educators rather use traditional (usually trial-and-error) methods. However, many authors claim that nowadays education lacks the formal approach and it is clear why many advocate in using proof assistants\cite{LSDtrip}. This is also the case with computer science education. Students are presented many algorithms, but without formal analysis, often omitting to mention when algorithm would not work properly. Frequently, the center of a study is implementation of an algorithm whereas understanding of its structure and its properties is put aside. Software verification can bring more formal approach into teaching of algorithms and can have some advantages over traditional teaching methods. \begin{itemize} \item Verification helps to point out what are the requirements and conditions that an algorithm satisfies (pre-conditions, post-conditions and invariant conditions) and then to apply this knowledge during programming. This would help both students and educators to better understand input and output specification and the relations between them. \item Though program works in general case, it can happen that it does not work for some inputs and students must be able to detect these situations and to create software that works properly for all inputs. \item It is suitable to separate abstract algorithm from its specific implementation. 
Students can compare properties of different implementations of the same algorithms, to see the benefits of one approach or another. Also, it is possible to compare different algorithms for same purpose (for example, for searching element, sorting, etc.) and this could help in overall understanding of algorithm construction techniques. \end{itemize} Therefore, lessons learned from formal verification of an algorithm can improve someones style of programming. \paragraph*{Modularity and refinement.} The most used languages today are those who can easily be compiled into efficient code. Using heuristics and different data types makes code more complex and seems to novices like perplex mixture of many new notions, definitions, concepts. These techniques and methods in programming makes programs more efficient but are rather hard to be intuitively understood. On the other hand highly accepted principle in nowadays programming is modularity. Adhering to this principle enables programmer to easily maintain the code. The best way to apply modularity on program verification and to make verification flexible enough to add new capabilities to the program keeping current verification intact is \emph{program refinement}. Program refinement is the verifiable transformation of an abstract (high-level) formal specification into a concrete (low-level) executable program. It starts from the abstract level, describing only the requirements for input and output. Implementation is obtained at the end of the verification process (often by means of code generation \cite{codegeneration}). Stepwise refinement allows this process to be done in stages. There are many benefits of using refinement techniques in verification. \begin{itemize} \item It gives a better understanding of programs that are verified. \item The algorithm can be analyzed and understood on different level of abstraction. 
\item It is possible to verify different implementations for some part of the program, discussing the benefits of one approach or another. \item It can be easily proved that these different implementation share some same properties which are proved before splitting into two directions. \item It is easy to maintain the code and the verification. Usually, whenever the implementation of the program changes, the correctness proofs must be adapted to these changes, and if refinement is used, it is not necessary to rewrite entire verification, just add or change small part of it. \item Using refinement approach makes algorithm suitable for a case study in teaching. Properties and specifications of the program are clearly stated and it helps teachers and students better to teach or understand them. \end{itemize} We claim that the full potential of refinement comes only when it is applied stepwise, and in many small steps. If the program is refined in many steps, and data structures and algorithms are introduced one-by-one, then proving the correctness between the successive specifications becomes easy. Abstracting and separating each algorithmic idea and each data-structure that is used to give an efficient implementation of an algorithm is very important task in programmer education. As an example of using small step refinement, in this paper we analyze two widely known algorithms, Selection Sort and Heap Sort. There are many reasons why we decided to use them. \begin{itemize} \item They are largely studied in different contexts and they are studied in almost all computer science curricula. \item They belong to the same family of algorithms and they are good example for illustrating the refinement techniques. They are a nice example of how one can improve on a same idea by introducing more efficient underlying data-structures and more efficient algorithms. 
\item Their implementation uses different programming constructs: loops (or recursion), arrays (or lists), trees, etc. We show how to analyze all these constructs in a formal setting. \end{itemize} There are many formalizations of sorting algorithms that are done both automatically or interactively and they undoubtedly proved that these algorithms are correct. In this paper we are giving a new approach in their verification, that insists on formally analyzing connections between them, instead of only proving their correctness (which has been well established many times). Our central motivation is that these connections contribute to deeper algorithm understanding much more than separate verification of each algorithm. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % ------------------------------------------------------------------------------ \section{Related work} \label{sec:related} % ------------------------------------------------------------------------------ To study sorting algorithms from a top down was proposed in \cite{meritt}. All sorting algorithms are based on divide-and-conquer algorithm and all sorts are divided into two groups: hard\_split/easy\_join and easy\_split/hard\_join. Fallowing this idea in \cite{dps}, authors described sorting algorithms using object-oriented approach. They suggested that this approach could be used in computer science education and that presenting sorting algorithms from top down will help students to understand them better. The paper \cite{sortMorp} represent different recursion patterns --- catamorphism, anamorphism, hylomorphism and paramorphisms. Selection, buble, merge, heap and quick sort are expressed using these patterns of recursion and it is shown that there is a little freedom left in implementation level. 
Also, connection between different patterns are given and thus a conclusion about connection between sorting algorithms can be easily conducted. Furthermore, in the paper are generalized tree data types -- list, binary trees and binary leaf trees. Satisfiability procedures for working with arrays was proposed in paper ``What is decidable about arrays?''\cite{arrays}. This procedure is called $SAT_A$ and can give an answer if two arrays are equal or if array is sorted and so on. Completeness and soundness for procedures are proved. There are, though, several cases when procedures are unsatisfiable. They also studied theory of maps. One of the application for these procedures is verification of sorting algorithms and they gave an example that insertion sort returns sorted array. Tools for program verification are developed by different groups and with different results. Some of them are automated and some are half-automated. Ralph-Johan Back and Johannes Eriksson \cite{socos} developed SOCOS, tool for program verification based on invariant diagrams. SOCOS environment supports interactive and non-interactive checking of program correctness. For each program tree types of verification conditions are generated: consistency, completeness and termination conditions. They described invariant-based programming in SOCOS. In \cite{back2011correct} this tool was used to verify heap sort algorithm. There are many tools for Java program developers maid to automatically prove program correctness. Krakatoa Modeling Language (KML) is described in \cite{spsa} with example of sorting algorithms. Refinement is not supported in KML and any refinement property could not automatically be proved. The language KML is also not formally verified, but some parts are proved by Alt-Ergo, Simplify and Yices. The paper proposed some improvements for working with permutation and arrays in KML. Why/Krakatoa/Caduceus\cite{krakatoa} is a tool for deductive program verification for Java and C. 
The approach is to use Krakatoa and Caduceus to translate Java/C programs into Why program. This language is suitable for program verification. The idea is to generate verification conditions based on weakest precondition calculus. % ------------------------------------------------------------------------------ \section{Conclusions and Further Work} \label{sec:conclusion} % ------------------------------------------------------------------------------ In this paper we illustrated a proof management technology. The methodology that we use in this paper for the formalization is refinement: the formalization begins with a most basic specification, which is then refined by introducing more advanced techniques, while preserving the correctness. This incremental approach proves to be a very natural approach in formalizing complex software systems. It simplifies understanding of the system and reduces the overall verification effort. Modularity is very popular in nowadays imperative languages. This approach could be used for software verification and Isabelle/HOL locales provide means for modular reasoning. They support multiple inheritance and this means that locales can imitate connections between functions, procedures or objects. It is possible to establish some general properties of an algorithm or to compare these properties. So, it is possible to compare programs. And this is a great advantage in program verification, something that is not done very often. This could help in better understanding of an algorithm which is essential for computer science education. So apart from being able to formalize verification in easier manner, this approach gives us opportunity to compare different programs. This was showed on Selection and Heap sort example and the connection between these two sorts was easy to comprehend. The value of this approach is not so much in obtaining a nice implementation of some algorithm, but in unraveling its structure. 
This is very important for computer science education and this can help in better teaching and understanding of an algorithms. Using experience from this formalization, we came to conclusion that the general principle for refinement in program verification should be: {\em divide program into small modules (functions, classes) and verify each modulo separately in order that corresponds to the order in entire program implementation}. Someone may argue that this principle was not followed in each step of formalization, for example when we implemented {\em Selection sort} or when we defined {\em is\_heap} and {\em multiset} in one step, but we feel that those function were simple and deviations in their implementations are minimal. The next step is to formally verify all sorting algorithms and using refinement method to formally analyze and compare different sorting algorithms. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/SenSocialChoice/document/root.tex b/thys/SenSocialChoice/document/root.tex --- a/thys/SenSocialChoice/document/root.tex +++ b/thys/SenSocialChoice/document/root.tex 
@@ -1,48 +1,49 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{a4wide} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Arrow's General Possibility Theorem} \author{Peter Gammie\\ \texttt{peteg42 at gmail.com} } \maketitle \tableofcontents \section{Overview} This is a fairly literal encoding of some of Armatya Sen's proofs \cite{Sen:70a} in Isabelle/HOL. The author initially wrote it while learning to use the proof assistant, and some locutions remain naive. This work is somewhat complementary to the mechanisation of more recent proofs of Arrow's Theorem and the Gibbard-Satterthwaite Theorem by Tobias Nipkow \cite{Nipkow:2008}. I strongly recommend Sen's book to anyone interested in social choice theory; his proofs are quite lucid and accessible, and he situates the theory quite well within the broader economic tradition. % generated text of all theories \input{session} \section{Bibliography} \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Separata/document/root.tex b/thys/Separata/document/root.tex --- a/thys/Separata/document/root.tex +++ b/thys/Separata/document/root.tex 
@@ -1,72 +1,73 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Separata: Isabelle tactics for Separation Algebra} \author{By Zh\'e H\'ou, David San\'an, Alwen Tiu, Rajeev Gor\'e, Ranald Clouston} \maketitle \begin{abstract} We bring the labelled sequent calculus $LS_{PASL}$ for propositional abstract separation logic to Isabelle. The tactics given here are directly applied on an extension of the separation algebra in the AFP. In addition to the cancellative separation algebra, we further consider some useful properties in the heap model of separation logic, such as indivisible unit, disjointness, and cross-split. The tactics are essentially a proof search procedure for the calculus $LS_{PASL}$. We wrap the tactics in an Isabelle method called separata, and give a few examples of separation logic formulae which are provable by separata. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Separation_Algebra/document/root.tex b/thys/Separation_Algebra/document/root.tex --- a/thys/Separation_Algebra/document/root.tex +++ b/thys/Separation_Algebra/document/root.tex 
@@ -1,46 +1,47 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Separation Algebra} \author{Gerwin Klein and Rafal Kolanski and Andrew Boyton} \maketitle \begin{abstract} We present a generic type class implementation of separation algebra for Isabelle/HOL as well as lemmas and generic tactics which can be used directly for any instantiation of the type class. The ex directory contains example instantiations that include structures such as a heap or virtual memory. The abstract separation algebra is based upon ``Abstract Separation Logic'' by Calcagno et al. These theories are also the basis of ``Mechanised Separation Algebra'' by the authors \cite{KleinKB-ITP12}. The aim of this work is to support and significantly reduce the effort for future separation logic developments in Isabelle/HOL by factoring out the part of separation logic that can be treated abstractly once and for all. This includes developing typical default rule sets for reasoning as well as automated tactic support for separation logic. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Separation_Logic_Imperative_HOL/document/root.tex b/thys/Separation_Logic_Imperative_HOL/document/root.tex --- a/thys/Separation_Logic_Imperative_HOL/document/root.tex +++ b/thys/Separation_Logic_Imperative_HOL/document/root.tex 
@@ -1,108 +1,109 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} \begin{document} \title{A Separation Logic Framework for Imperative HOL} \author{Peter Lammich and Rene Meis} \maketitle \begin{abstract} We provide a framework for separation-logic based correctness proofs of Imperative HOL programs. Our framework comes with a set of proof methods to automate canonical tasks such as verification condition generation and frame inference. Moreover, we provide a set of examples that show the applicability of our framework. The examples include algorithms on lists, hash-tables, and union-find trees. We also provide abstract interfaces for lists, maps, and sets, that allow to develop generic imperative algorithms and use data-refinement techniques. As we target Imperative HOL, our programs can be translated to efficiently executable code in various target languages, including ML, OCaml, Haskell, and Scala. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} We provide a separation logic framework for Imperative/HOL. Imperative/HOL \cite{Bulwahn2008} is a framework for imperative monadic programs in Isabelle/HOL. It allows to combine imperative and functional concepts, and supports generation of efficient, verified code in various target languages, including SML, OCaml, Haskell, and Scala. Thus, it is the ideal platform for writing verified, efficient algorithms. However, it only has rudimentary support for proving programs correct. We close this gap by providing a separation logic \cite{OHearn2001} for total correctness, and tools to automate canonical tasks, such as a verification condition generator, a frame inference method, and a set of simprocs for assertions. 
We test the applicability of our framework by formalizing various data structures, such as linked lists, hash-tables and union-find trees. Moreover, we provide abstract interfaces for lists, maps, and sets in the style of the Isabelle Collection Framework \cite{Lammich2010}. They allow to write generic imperative algorithms and use data refinement techniques. \paragraph{Related Work} This work is based on the diploma thesis of Rene Meis \cite{Meis2011}, that contains a preliminary version of the framework. Independently of us, Klein et. al. \cite{Klein2012} formalized a general separation algebra framework in Isabelle/HOL. It also contains a frame-inference algorithm, and is intended to be instantiated to various target languages. However, due to technical issues, we cannot use this framework, as it would require to change the formal foundation of Imperative/HOL, such that partial heaps are properly supported. Recently several formalizations of separation logic in theorem provers were published. Jesper et. al. \cite{Bengtson2011} formalized separation logic in Coq for object-oriented programs. Tuerk \cite{Tuerk2011} formalized and extended smallfoot \cite{Berdine2005} in his PhD thesis in HOL4. These approaches are based on a deeply embedded programming and assertion language with a fixed finite set of constructs. \paragraph{Organization of the Entry} This entry consists of two parts, the main separation logic framework, and a bunch of examples. The theory {\em Sep-Main} is the entry point for the framework. The examples are contained in the {\em Examples}-subdirectory. They serve as documentation and to show the applicability of the framework. Moreover, the {\em Tools}-subdirectory contains some general prerequisites. \paragraph{Documentation} The methods provided by the framework are documented in Section~\ref{sec:auto:overview}. Moreover, Section~\ref{thy:ex:idioms} contains some heavily documented examples that show common idioms for using the framework. 
% generated text of all theories \input{session} \section{Conclusion} We have presented a separation logic framework for Imperative HOL. It provides powerful proof methods for reasoning over imperative monadic programs, thus rectifying the lack of good proof support in the original Imperative HOL formalization. We verified the applicability of our framework by proving algorithms on various data structures. Moreover, we showed how to construct an imperative collection framework, that supports generic algorithms and data refinement. \paragraph{Acknowledgments} We thank Thomas Tuerk, the author of Holfoot \cite{Tuerk2011}, for useful discussions on the automation of separation logic. Moreover, we thank Lukas Bulwahn and Brian Huffman for help with the Isabelle ML interface. \clearpage % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/SequentInvertibility/document/root.tex b/thys/SequentInvertibility/document/root.tex --- a/thys/SequentInvertibility/document/root.tex +++ b/thys/SequentInvertibility/document/root.tex 
@@ -1,59 +1,60 @@ \documentclass{llncs} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym,proof,stmaryrd} \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Linenumber gubbins \newcommand{\implies}[2]{#1 \!\supset\! #2} \newcommand{\SSeq}[3]{ % judgement with stoup \mbox{$#1\raisebox{.2mm}{$\,\,\stackrel{{}^{#2}}{\Longrightarrow}\,\,$}#3$}} \newcommand{\SC}{uniprincipal } \newcommand{\SCCap}{Uniprincipal } \newcommand{\eat}[1]{} \newcommand{\com}{combinable } \newcommand{\Com}{Combinable } \newcommand{\commed}{combined } \newcommand{\Commed}{Combined } \newcommand{\isasymLM}{\isamath{\Lbag}} \newcommand{\isasymRM}{\isamath{\Rbag}} \newcommand{\isasymEmpt}{\isamath{\emptyset}} % Make the comments within proofs the same size as elsewhere \renewcommand{\isastyletxt}{\isastyletext} \date{} \title{Invertibility in Sequent Calculi} \author{Peter Chapman} \institute{School of Computer Science, University of St Andrews \\ Email: \texttt{pc@cs.st-andrews.ac.uk}} \begin{document} \maketitle \begin{abstract} The invertibility of the rules of a sequent calculus is important for guiding proof search and can be used in some formalised proofs of Cut admissibility. We present sufficient conditions for when a rule is invertible with respect to a calculus. We illustrate the conditions with examples. It must be noted we give purely syntactic criteria; no guarantees are given as to the suitability of the rules. \end{abstract} % sane default for proof documents % \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Shadow_DOM/document/root.tex b/thys/Shadow_DOM/document/root.tex --- a/thys/Shadow_DOM/document/root.tex 
+++ b/thys/Shadow_DOM/document/root.tex 
@@ -1,216 +1,217 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} \usepackage[USenglish]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{listings} \lstloadlanguages{HTML} \usepackage[]{mathtools} \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} \lstdefinestyle{html}{language=XML, basicstyle=\ttfamily, commentstyle=\itshape, keywordstyle=\color{blue}, ndkeywordstyle=\color{blue}, } \lstdefinestyle{displayhtml}{style=html, floatplacement={tbp}, captionpos=b, framexleftmargin=0pt, basicstyle=\ttfamily\scriptsize, backgroundcolor=\color{black!2}, frame=lines, } \lstnewenvironment{html}[1][]{\lstset{style=displayhtml, #1}}{} \def\inlinehtml{\lstinline[style=html, columns=fullflexible]} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{Shadow DOM\\\medskip \Large A Formal Model of the Document Object Model \emph{with Shadow Roots}}% \author{% \href{https://www.brucker.ch/}{Achim~D.~Brucker}\footnotemark[1] \and \href{https://www.michael-herzberg.de/}{Michael Herzberg}\footnotemark[2] } \publishers{ \footnotemark[1]~Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, } \texttt{a.brucker@exeter.ac.uk}\\[2em] % \footnotemark[2]~ Department of Computer Science, The University of Sheffield, Sheffield, UK\texorpdfstring{\\}{, } \texttt{msherzberg1@sheffield.ac.uk} } \begin{document} \maketitle \begin{abstract} \begin{quote} In this AFP entry, we extend our formalization of the core DOM (AFP entry 
\href{https://www.isa-afp.org/entries/Core_DOM.html} {Core\_DOM}) with \emph{Shadow Roots}. Shadow roots are a recent proposal of the web community to support a component-based development approach for client-side web applications. Shadow roots are a significant extension to the DOM standard and, as web standards are condemned to be backward compatible, such extensions often result in complex specification that may contain unwanted subtleties that can be detected by a formalization. Our Isabelle/HOL formalization is, in the sense of object-orientation, an extension of our formalization of the core DOM and enjoys the same basic properties, i.e., it is \begin{inparaenum} \item \emph{extensible}, i.e., can be extended without the need of re-proving already proven properties and \item \emph{executable}, i.e., we can generate executable code from our specification. \end{inparaenum} We exploit the executability to show that our formalization complies to the official standard of the W3C, respectively, the WHATWG. \bigskip \noindent{\textbf{Keywords:}} Document Object Model, DOM, Shadow Root, Web Component, Formal Semantics, Isabelle/HOL \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} In a world in which more and more applications are offered as services on the internet, web browsers start to take on a similarly central role in our daily IT infrastructure as operating systems. Thus, web browsers should be developed as rigidly and formally as operating systems. While formal methods are a well-established technique in the development of operating systems (see, \eg,~\citet{klein:operating:2009} for an overview of formal verification of operating systems), there are few proposals for improving the development of web browsers using formal approaches~\cite{gardner.ea:dom:2008,raad.ea:dom:2016,jang.ea:establishing:2012,bohannon.ea:featherweight:2010}. 
In~\cite{brucker.ea:afp-core-dom:2018}, we formalized the core of the Document Object Model (DOM) in Isabelle/HOL\@. The DOM~\cite{whatwg:dom:2017,w3c:dom:2015} is \emph{the} central data structure of all modern web browsers. In this work, we extend the formalization presented in~\cite{brucker.ea:afp-core-dom:2018} with support for \emph{shadow trees}. Shadow trees are a recent addition to the DOM standard~\cite{whatwg:dom:2017} that promise support for web components. As we will see, this promise is not fully achieved and, for example, the DOM standard itself does not formally define what a component should be. In this work, we focus on a standard compliant representation of the DOM with shadow trees. As~\cite{brucker.ea:afp-core-dom:2018}, our formalization has the following properties: \begin{itemize} \item It provides a \emph{consistency guarantee.} Since all definitions in our formal semantics are conservative and all rules are derived, the logical consistency of the DOM node-tree is reduced to the consistency of HOL. \item It serves as a \emph{technical basis for a proof system.} Based on the derived rules and specific setup of proof tactics over node-trees, our formalization provides a generic proof environment for the verification of programs manipulating node-trees. \item It is \emph{executable}, which allows to validate its compliance to the standard by evaluating the compliance test suite on the formal model and \item It is \emph{extensible} in the sense of~\cite{brucker.ea:extensible:2008-b,brucker:interactive:2007}, \ie, properties proven over the core DOM do not need to be re-proven for object-oriented extensions such as the HTML document model. \end{itemize} In this AFP entry, we limit ourselves to the faithful formalization of the DOM. 
As the DOM standard does not formally define web components, we address the question of formally defining web components and discussing their safety properties elsewhere~\cite{brucker.ea:afp-dom-components:2020,brucker.ea:web-components:2019}. The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle (we refer readers interested in a more high-level presentation and additional explanations to~\cite{herzberg:web-components:2020,brucker.ea:web-components:2019}. The structure follows the theory dependencies (see \autoref{fig:session-graph}): first, we formalize the DOM with Shadow Roots (\autoref{cha:dom}) and then formalize we the relevant compliance test cases in \autoref{cha:tests}. \begin{figure} \centering \includegraphics[height=.9\textheight]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} \clearpage \chapter{The Shadow DOM} \label{cha:dom} In this chapter, we introduce the formalization of the core DOM \emph{with Shadow Roots}, i.e., the most important algorithms for querying or modifying the Shadow DOM, as defined in the standard. \input{ShadowRootClass.tex} \input{ShadowRootMonad.tex} \input{Shadow_DOM.tex} \chapter{Test Suite} \label{cha:tests} In this chapter, we present the formalized compliance test cases for the core DOM. As our formalization is executable, we can (symbolically) execute the test cases on top of our model. Executing these test cases successfully shows that our model is compliant to the official DOM standard. As future work, we plan to generate test cases from our formal model (e.g., using~\cite{brucker.ea:interactive:2005,brucker.ea:theorem-prover:2012}) to improve the quality of the official compliance test suite. For more details on the relation of test and proof in the context of web standards, we refer the reader to \cite{brucker.ea:standard-compliance-testing:2018}. 
\input{Shadow_DOM_BaseTest.tex} \input{slots.tex} \input{slots_fallback.tex} \input{Shadow_DOM_Document_adoptNode.tex} \input{Shadow_DOM_Document_getElementById.tex} \input{Shadow_DOM_Node_insertBefore.tex} \input{Shadow_DOM_Node_removeChild.tex} \input{Shadow_DOM_Tests.tex} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Shadow_SC_DOM/document/root.tex b/thys/Shadow_SC_DOM/document/root.tex --- a/thys/Shadow_SC_DOM/document/root.tex +++ b/thys/Shadow_SC_DOM/document/root.tex 
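Review bot: in the introduction context of the Shadow_DOM hunk, the sentence beginning "The rest of this document is automatically generated" opens a parenthesis before "we refer readers interested in a more high-level presentation" and never closes it; since this change already touches the file, close it after the \cite, and in the same sentence reorder "then formalize we the relevant compliance test cases" to "then we formalize the relevant compliance test cases". The added \usepackage[T1]{fontenc} line itself is placed correctly: it comes before babel and before the explicit \usepackage[...]{hyperref}, which is the order those packages expect.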
@@ -1,231 +1,232 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} \usepackage[USenglish]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{listings} \lstloadlanguages{HTML} \usepackage[]{mathtools} \usepackage[pdfpagelabels, pageanchor=false, plainpages=false]{hyperref} \lstdefinestyle{html}{language=XML, basicstyle=\ttfamily, commentstyle=\itshape, keywordstyle=\color{blue}, ndkeywordstyle=\color{blue}, } \lstdefinestyle{displayhtml}{style=html, floatplacement={tbp}, captionpos=b, framexleftmargin=0pt, basicstyle=\ttfamily\scriptsize, backgroundcolor=\color{black!2}, frame=lines, } \lstnewenvironment{html}[1][]{\lstset{style=displayhtml, #1}}{} \def\inlinehtml{\lstinline[style=html, columns=fullflexible]} \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{Shadow SC DOM\\\medskip \Large A Formal Model of the Safely Composable Document Object Model \emph{with Shadow Roots}}% \author{% \href{https://www.brucker.ch/}{Achim~D.~Brucker}\footnotemark[1] \and \href{https://www.michael-herzberg.de/}{Michael Herzberg}\footnotemark[2] } \publishers{ \footnotemark[1]~Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, } \texttt{a.brucker@exeter.ac.uk}\\[2em] % \footnotemark[2]~ Department of Computer Science, The University of Sheffield, Sheffield, UK\texorpdfstring{\\}{, } \texttt{msherzberg1@sheffield.ac.uk} } \begin{document} \maketitle \begin{abstract} \begin{quote} In this AFP entry, we extend our formalization of the safely composable DOM 
(\href{https://www.isa-afp.org/entries/Core_SC_DOM.html} {Core\_SC\_DOM}) with \emph{Shadow Roots}. Shadow roots are a recent proposal of the web community to support a component-based development approach for client-side web applications. Shadow roots are a significant extension to the DOM standard and, as web standards are condemned to be backward compatible, such extensions often result in complex specification that may contain unwanted subtleties that can be detected by a formalization. Our Isabelle/HOL formalization is, in the sense of object-orientation, an extension of our formalization of the core DOM and enjoys the same basic properties, i.e., it is \begin{inparaenum} \item \emph{extensible}, i.e., can be extended without the need of re-proving already proven properties and \item \emph{executable}, i.e., we can generate executable code from our specification. \end{inparaenum} We exploit the executability to show that our formalization complies to the official standard of the W3C, respectively, the WHATWG. \bigskip \noindent{\textbf{Keywords:}} Document Object Model, DOM, Shadow Root, Web Component, Formal Semantics, Isabelle/HOL \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} In a world in which more and more applications are offered as services on the internet, web browsers start to take on a similarly central role in our daily IT infrastructure as operating systems. Thus, web browsers should be developed as rigidly and formally as operating systems. While formal methods are a well-established technique in the development of operating systems (see, \eg,~\citet{klein:operating:2009} for an overview of formal verification of operating systems), there are few proposals for improving the development of web browsers using formal approaches~\cite{gardner.ea:dom:2008,raad.ea:dom:2016,jang.ea:establishing:2012,bohannon.ea:featherweight:2010}. 
In~\cite{brucker.ea:afp-core-sc-dom:2020}, we formalized the core of the safely composable Document Object Model (DOM) in Isabelle/HOL\@. The DOM~\cite{whatwg:dom:2017,w3c:dom:2015} is \emph{the} central data structure of all modern web browsers. In this work, we extend the formalization presented in~\cite{brucker.ea:afp-core-dom:2018} with support for \emph{shadow trees}. Shadow trees are a recent addition to the DOM standard~\cite{whatwg:dom:2017} that promise support for web components. As we will see, this promise is not fully achieved and, for example, the DOM standard itself does not formally define what a component should be. In this work, we focus on a standard compliant representation of the DOM with shadow trees. As~\cite{brucker.ea:afp-core-sc-dom:2020}, our formalization has the following properties: \begin{itemize} \item It provides a \emph{consistency guarantee.} Since all definitions in our formal semantics are conservative and all rules are derived, the logical consistency of the DOM node-tree is reduced to the consistency of HOL. \item It serves as a \emph{technical basis for a proof system.} Based on the derived rules and specific setup of proof tactics over node-trees, our formalization provides a generic proof environment for the verification of programs manipulating node-trees. \item It is \emph{executable}, which allows to validate its compliance to the standard by evaluating the compliance test suite on the formal model and \item It is \emph{extensible} in the sense of~\cite{brucker.ea:extensible:2008-b,brucker:interactive:2007}, \ie, properties proven over the core DOM do not need to be re-proven for object-oriented extensions such as the HTML document model. \end{itemize} In this AFP entry, we limit ourselves to the faithful formalization of the DOM. 
As the DOM standard does not formally define web components, we address the question of formally defining web components and discussing their safety properties elsewhere~\cite{brucker.ea:afp-sc-dom-components:2020,brucker.ea:web-components:2019}. The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle (for a more abstract presentation and more explanations, please see~\cite{herzberg:web-components:2020}). The structure follows the theory dependencies (see \autoref{fig:session-graph}): first, we formalize the DOM with Shadow Roots (\autoref{cha:dom}) and then formalize we the relevant compliance test cases in \autoref{cha:tests}. \paragraph{Important Note:} This document describes the formalization of the \emph{Safely Composable Document Object Model with Shadow Roots} (SC DOM with Shadow Roots), which deviated in one important aspect from the official DOM standard: in the SC DOM, the shadow root is a sub-class of the document class (instead of a base class). This modification results in a stronger notion of web components that provide improved safety properties for the composition of web components. While the SC DOM still passes the compliance test suite as provided by the authors of the DOM standard, its data model is different. We refer readers interested in a formalisation of the standard compliant DOM to the AFP entries ``Core\_DOM''~\cite{brucker.ea:afp-core-dom:2018} and ``Shadow\_DOM''~\cite{brucker.ea:afp-shadow-dom:2020}. \begin{figure} \centering \includegraphics[angle=90,scale=0.5]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} \clearpage \chapter{The Shadow DOM} \label{cha:dom} In this chapter, we introduce the formalization of the core DOM \emph{with Shadow Roots}, i.e., the most important algorithms for querying or modifying the Shadow DOM, as defined in the standard. 
\input{ShadowRootClass.tex} \input{ShadowRootMonad.tex} \input{Shadow_DOM.tex} \chapter{Test Suite} \label{cha:tests} In this chapter, we present the formalized compliance test cases for the core DOM. As our formalization is executable, we can (symbolically) execute the test cases on top of our model. Executing these test cases successfully shows that our model is compliant to the official DOM standard. As future work, we plan to generate test cases from our formal model (e.g., using~\cite{brucker.ea:interactive:2005,brucker.ea:theorem-prover:2012}) to improve the quality of the official compliance test suite. For more details on the relation of test and proof in the context of web standards, we refer the reader to \cite{brucker.ea:standard-compliance-testing:2018}. \input{Shadow_DOM_BaseTest.tex} \input{slots.tex} \input{slots_fallback.tex} \input{Shadow_DOM_Document_adoptNode.tex} \input{Shadow_DOM_Document_getElementById.tex} \input{Shadow_DOM_Node_insertBefore.tex} \input{Shadow_DOM_Node_removeChild.tex} \input{Shadow_DOM_Tests.tex} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Shivers-CFA/document/root.tex b/thys/Shivers-CFA/document/root.tex --- a/thys/Shivers-CFA/document/root.tex +++ b/thys/Shivers-CFA/document/root.tex 
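Review bot: the introduction context of the Shadow_SC_DOM hunk first cites brucker.ea:afp-core-sc-dom:2020 as the formalization being built on and then says "we extend the formalization presented in~\cite{brucker.ea:afp-core-dom:2018}"; for the safely composable entry that looks like a leftover copied from Shadow_DOM/root.tex, so please check whether the Core_SC_DOM citation is the one intended there. Two smaller wording issues in the same context: the "Important Note" paragraph says the SC DOM "deviated in one important aspect" where the present tense "deviates" is meant, and "then formalize we the relevant compliance test cases" has the words out of order. The fontenc addition is fine and sits before babel and hyperref as it should.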
@@ -1,77 +1,78 @@ \documentclass[11pt,a4paper,parskip,abstract]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\isasymbinit}{\isamath{b_0}} \newcommand{\isasymabinit}{\isamath{\widehat{b_0}}} \newcommand{\isasymPR}{\isamath{\mathcal{PR}}} \newcommand{\isasymaPR}{\isamath{\widehat{\mathcal{PR}}}} \newcommand{\isasymanb}{\isamath{\widehat{{nb}}}} \newcommand{\isasymaA}{\isamath{\widehat{\mathcal{A}}}} \newcommand{\isasymaF}{\isamath{\widehat{\mathcal{F}}}} \newcommand{\isasymaC}{\isamath{\widehat{\mathcal{C}}}} % Types \newcommand{\isasymabenv}{\isamath{\widehat{{benv}}}} \newcommand{\isasymavenv}{\isamath{\widehat{{venv}}}} \newcommand{\isasymaclosure}{\isamath{\widehat{{closure}}}} \newcommand{\isasymaproc}{\isamath{\widehat{{proc}}}} \newcommand{\isasymad}{\isamath{\widehat{{d}}}} \newcommand{\isasymafstate}{\isamath{\widehat{{fstate}}}} \newcommand{\isasymacstate}{\isamath{\widehat{{cstate}}}} \newcommand{\isasymaccache}{\isamath{\widehat{{ccache}}}} \newcommand{\isasymaans}{\isamath{\widehat{{ans}}}} \newcommand{\isactrlps}[1]{\underline{#1}} \begin{document} \title{Shivers' Control Flow Analysis} \author{Joachim Breitner} \maketitle \begin{abstract} In his dissertation~\cite{Shivers}, Olin Shivers introduces a concept of control flow graphs for functional languages, provides an algorithm to statically derive a safe approximation of the control flow graph and proves this algorithm correct. In this research project~\cite{Studienarbeit}, Shivers' algorithms and proofs are formalized using the HOLCF extension of the logic HOL in the theorem prover Isabelle. 
\end{abstract} \tableofcontents % include generated text of all theories %\input{session} \part{The definitions} \input{CPSScheme} \input{Eval} \input{ExCF} \input{AbsCF} \part{The main results} \input{ExCFSV} \input{AbsCFCorrect} \input{Computability} \input{AbsCFComp} \part{The auxiliary theories} \input{CPSUtils} \input{Utils} \input{SetMap} \input{MapSets} \input{HOLCFUtils} \input{FixTransform} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/ShortestPath/document/root.tex b/thys/ShortestPath/document/root.tex --- a/thys/ShortestPath/document/root.tex +++ b/thys/ShortestPath/document/root.tex 
@@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage{amssymb,amsmath,amsthm} \newcommand{\real}{\mathbb{R}} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{An Axiomatic Characterization of the Single-Source Shortest Path Problem} \author{By Christine Rizkallah} \maketitle \begin{abstract} % We provide an axiomatic characterization of the single-source shortest path problem. This theory is split into two sections. In the first section, we give a formal proof that a well-known axiomatic characterization of the single-source shortest path problem is correct. Namely, we prove that in a directed graph $G=(V,E)$ with a non-negative cost function on the edges the single-source shortest path function $\mu:V\to\real\cup\{\infty\}$ is the only function that satisfies a set of four axioms. The first axiom states that the distance from the source vertex $s$ to itself should be equal to zero. The second states that the distance from $s$ to a vertex $v\in V$ should be infinity if and only if there is no path from $s$ to $v$. The third axiom is called triangle inequality and states that if there is a path from $s$ to $v$, and an edge $(u,v)\in E$, the distance from $s$ to $v$ is less than or equal to the distance from $s$ to $u$ plus the cost of $(u,v)$. The last axiom is called justification, it states that for every vertex $v$ other than $s$, if there is a path $p$ from $s$ to $v$ in $G$, then there is a predecessor edge $(u,v)$ on $p$ such that the distance from $s$ to $v$ is equal to the distance from $s$ to $u$ plus the cost of $(u,v)$. In the second section, we give a formal proof of the correctness of an axiomatic characterization of the single-source shortest path problem for directed graphs with general cost functions $c:E\to\real$. 
The axioms here are more involved because we have to account for potential negative cycles in the graph. The axioms are summarized in the three isabelle locales. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Show/document/root.tex b/thys/Show/document/root.tex --- a/thys/Show/document/root.tex +++ b/thys/Show/document/root.tex @@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\nats{\mathbb{N}} \newcommand\bools{\mathbb{B}} \newcommand\reals{\mathbb{R}} \newcommand\ints{\mathbb{Z}} \newcommand\rats{\mathbb{Q}} %\newcommand\isa[1]{\textit{#1}} \newcommand\Show{\texttt{Show}} \begin{document} \title{Haskell's \Show-Class in Isabelle/HOL\thanks{This research is supported by FWF (Austrian Science Fund) projects J3202 and P22767.}} \author{Christian Sternagel \and Ren\'e Thiemann} \maketitle \begin{abstract} We implemented a type-class for pretty-printing, similar to Haskell's \Show-class \cite{HaskellTutorial}. Moreover, we provide instantiations for Isabelle/HOL's standard types like $\bools$, \isa{prod}, \isa{sum}, $\nats$, $\ints$, and $\rats$. It is further possible, to automatically derive ``to-string'' functions for arbitrary user defined datatypes similar to Haskell's ``\texttt{deriving Show}''. \end{abstract} \tableofcontents \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
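Review bot: in the ShortestPath hunk, \usepackage{amssymb,amsmath,amsthm} is still loaded after \usepackage{pdfsetup}, directly below the comment "this should be the last package used"; pdfsetup pulls in hyperref, and hyperref is generally expected to be loaded after amsmath and amsthm, so since this change is already editing the preamble, move the amssymb/amsmath/amsthm line up next to the new fontenc line rather than leaving the order contradicted by its own comment. The Show hunk on the same line needs nothing further.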
diff --git a/thys/Sigma_Commit_Crypto/document/root.tex b/thys/Sigma_Commit_Crypto/document/root.tex --- a/thys/Sigma_Commit_Crypto/document/root.tex +++ b/thys/Sigma_Commit_Crypto/document/root.tex 
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{$\Sigma$-protocols and Commitment Schemes} \author{David Butler, Andreas Lochbihler} \maketitle \begin{abstract} We use CryptHOL~\cite{Basin2017} to formalise commitment schemes and $\Sigma$-protocols. Both are widely used fundamental two party cryptographic primitives. Security for commitment schemes is considered using game-based definitions whereas the security of $\Sigma$-protocols is considered using both the game-based and simulation-based security paradigms. In this work we first define security for both primitives and then prove secure multiple examples namely; the Schnorr, Chaum-Pedersen and Okamoto $\Sigma$-protocols as well as a construction that allows for compound (AND and OR) $\Sigma$-protocols and the Pedersen and Rivest commitment schemes. We also prove that commitment schemes can be constructed from $\Sigma$-protocols. We formalise this proof at an abstract level, only assuming the existence of a $\Sigma$-protocol, consequently the instantiations of this result for the concrete $\Sigma$-protocols we consider come for free. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Signature_Groebner/document/root.tex b/thys/Signature_Groebner/document/root.tex --- a/thys/Signature_Groebner/document/root.tex +++ b/thys/Signature_Groebner/document/root.tex 
@@ -1,109 +1,110 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym,latexsym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Signature-Based Gr\"obner Basis Algorithms} \author{Alexander Maletzky\thanks{Supported by the Austrian Science Fund (FWF): P 29498-N31}} \maketitle \begin{abstract} This article formalizes signature-based algorithms for computing Gr\"obner bases. Such algorithms are, in general, superior to other algorithms in terms of efficiency, and have not been formalized in any proof assistant so far. The present development is both generic, in the sense that most known variants of signature-based algorithms are covered by it, and effectively executable on concrete input thanks to Isabelle's code generator. Sample computations of benchmark problems show that the verified implementation of signature-based algorithms indeed outperforms the existing implementation of Buchberger's algorithm in Isabelle/HOL. Besides total correctness of the algorithms, the article also proves that under certain conditions they a-priori detect and avoid all useless zero-reductions, and always return `minimal' (in some sense) Gr\"obner bases if an input parameter is chosen in the right way. The formalization follows the recent survey article by Eder and Faug\`ere. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \newpage \section{Introduction} Signature-based algorithms~\cite{Faugere2002,Eder2017} play are central role in modern computer algebra systems, as they allow to compute Gr\"obner bases of ideals of multivariate polynomials much more efficiently than other algorithms. Although they also belong to the class of critical-pair/completion algorithms, as almost all algorithms for computing Gr\"obner bases, they nevertheless possess some quite unique features that render a formal development in proof assistants challenging. In fact, this is the first formalization of signature-based algorithms in any proof assistant. The formalization builds upon the existing formalization of Gr\"obner bases theory~\cite{Immler2016} and closely follows Sections~4--7 of the excellent survey article~\cite{Eder2017}. Some proofs were taken from~\cite{Roune2012,Eder2013}. Summarizing, the main features of the formalization are as follows: \begin{itemize} \item It is \emph{generic}, in the sense that it considers the computation of so-called \emph{rewrite bases} and neither fixes the term order nor the rewrite-order. \item It is \emph{efficient}, in the sense that all executable algorithms (e.\,g. \textit{gb-sig}) operate on sig-poly-pairs rather than module elements, and that polynomials are represented efficiently using ordered associative lists. \item It proves that if the input is a regular sequence and the term order is a POT order, there are no useless zero-reductions (Theorem \textit{gb-sig-no-zero-red}). \item It proves that the signature Gr\"obner bases computed w.\,r.\,t. the `ratio' rewrite order are minimal (Theorem \textit{gb-sig-z-is-min-sig-GB}). \item It features sample computations of benchmark problems to illustrate the practical usability of the verified algorithms. 
\end{itemize} % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Simpl/document/root.tex b/thys/Simpl/document/root.tex --- a/thys/Simpl/document/root.tex +++ b/thys/Simpl/document/root.tex 
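Review bot: The placement is right (\usepackage[T1]{fontenc} directly after \documentclass, before isabelle and latexsym), and this file is exactly where T1 pays off: the TeX-accent spellings Gr\"obner and Faug\`ere become single accented glyphs instead of OT1 \accent compositions, so those words hyphenate normally again. One documentation nit in the unchanged introduction could ride along with the change: "Signature-based algorithms~\cite{Faugere2002,Eder2017} play are central role" should read "play a central role", and "as they allow to compute" reads better as "as they allow one to compute".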
@@ -1,88 +1,87 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{eufrak} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} % for rule output in LaTeXsugar \usepackage{mathpartir} \usepackage{graphicx} \isabellestyle{it} % this should be the last package used \usepackage{pdfsetup} \renewcommand{\isasymacute}{\isatext{\'\relax\hspace{-0.20em}}} \DeclareRobustCommand{\isactrlesup}{\egroup\egroup\endmath\egroup\relax\hspace{-0.15em}} \begin{document} \title{--- \textbf{Simpl} --- \\ A Sequential Imperative Programming Language\\ Syntax, Semantics, Hoare Logics and Verification Environment} \author{Norbert W. Schirmer} \begin{abstract} We present the theory of Simpl, a sequential imperative programming language. We introduce its syntax, its semantics (big and small-step operational semantics) and Hoare logics for both partial as well as total correctness. We prove soundness and completeness of the Hoare logic. We integrate and automate the Hoare logic in Isabelle/HOL to obtain a practically usable verification environment for imperative programs. Simpl is independent of a concrete programming language but expressive enough to cover all common language features: mutually recursive procedures, abrupt termination and exceptions, runtime faults, local and global variables, pointers and heap, expressions with side effects, pointers to procedures, partial application and closures, dynamic method invocation and also unbounded nondeterminism. 
\end{abstract} \maketitle \tableofcontents \parindent 0pt\parskip 0.5ex \pagebreak \begin{center} \makebox[0pt]{\includegraphics[width=\paperwidth=\textheight,keepaspectratio]{session_graph} }\end{center} \pagebreak \section{Introduction} The work presented in these theories was developed within the German Verisoft project\footnote{\url{http://www.verisoft.de}}. A thorough description of the core parts can be found in my PhD thesis~\cite{Schirmer-PhD}. A tutorial-like user guide is in Section~\ref{sec:UserGuide}. Applications so far include BDD-normalisation~\cite{Ortner-Schirmer-TPHOL05}, a C0 compiler~\cite{Leinenbach:SSV08-??}, a page fault handler~\cite{Alkassar:TACAS08-??} and extensions towards separation logic~\cite{Tuch:separation-logic:2007}. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Simple_Firewall/document/root.tex b/thys/Simple_Firewall/document/root.tex --- a/thys/Simple_Firewall/document/root.tex +++ b/thys/Simple_Firewall/document/root.tex 
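Review bot: Dropping \usepackage[utf8]{inputenc} is safe for this file, since every visible source line is plain ASCII, but two pre-existing defects in the same preamble deserve fixing while it is being touched. First, \usepackage{pdfsetup} is loaded twice, each time under a "this should be the last package used" comment, with mathpartir and graphicx loaded between the two copies; keep only the second load so the comment is true. Second, \includegraphics[width=\paperwidth=\textheight,keepaspectratio]{session_graph} hands "\paperwidth=\textheight" to the width key, which is not a dimension; "width=\paperwidth,height=\textheight,keepaspectratio" is presumably what was meant. The citation keys Leinenbach:SSV08-?? and Alkassar:TACAS08-?? in the introduction also look like unresolved placeholders and should be checked against root.bib.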
@@ -1,62 +1,62 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} %drawing a graph in Service_Matrix.thy \usepackage{tikz} \usetikzlibrary{arrows} \usetikzlibrary{arrows,decorations.markings} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Simple Firewall} \author{Cornelius Diekmann, Julius Michaelis, Max Haslbeck} \maketitle \begin{abstract} We present a simple model of a firewall. The firewall can accept or drop a packet and can match on interfaces, IP addresses, protocol, and ports. It was designed to feature nice mathematical properties: The type of match expressions was carefully crafted such that the conjunction of two match expressions is only one match expression. This model is too simplistic to mirror all aspects of the real world. In the upcoming entry ``Iptables Semantics'', we will translate the Linux firewall iptables to this model. For a fixed service (e.g.\ ssh, http), this entry provides an algorithm to compute an overview of the firewall's filtering behavior. The algorithm computes minimal service matrices, i.e.\ graphs which partition the complete IPv4 and IPv6 address space and visualize the allowed accesses between partitions. For a detailed description, see \cite{diekmann2016networking}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Simplex/document/root.tex b/thys/Simplex/document/root.tex --- a/thys/Simplex/document/root.tex +++ b/thys/Simplex/document/root.tex 
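Review bot: Besides the fontenc insertion this hunk deletes the blank line after \usepackage{isabelle,isabellesym}. That is harmless, but it is unrelated whitespace churn that several files in this series share, so the commit message should state that blank lines after the isabelle package line are being normalised; otherwise the "-1,62 +1,62" line count looks odd for a one-line insertion.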
@@ -1,77 +1,77 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{An Incremental Simplex Algorithm with Unsatisfiable Core Generation\footnote{% Supported by the Serbian Ministry of Education and Science grant 174021, by the SNF grant SCOPES IZ73Z0127979/1, and by FWF (Austrian Science Fund) project Y757. The authors are listed in alphabetical order regardless of individual contributions or seniority.}} \author{Filip Mari\'c \and Mirko Spasi\'c \and Ren\'e Thiemann} \maketitle \begin{abstract} We present an Isabelle/HOL formalization and total correctness proof for the incremental version of the Simplex algorithm which is used in most state-of-the-art SMT solvers. It supports extraction of satisfying assignments, extraction of minimal unsatisfiable cores, incremental assertion of constraints and backtracking. The formalization relies on stepwise program refinement, starting from a simple specification, going through a number of refinement steps, and ending up in a fully executable functional implementation. Symmetries present in the algorithm are handled with special care. \end{abstract} \tableofcontents \section{Introduction} This formalization closely follows the simplex algorithm as it is described by Dutertre and de~Moura~\cite{simplex-rad}. The original formalization has been developed and is extensively described by Spasi\'c and Mari\'c~\cite{SpasicMaric}. It features a front-end that for a given set of constraints either returns a satisfying assignment or the information that it is unsatisfiable. The original formalization was extended by Thiemann in three different ways. 
\begin{itemize} \item The extended simplex method returns a minimal unsatisfiable core instead of just a bit ``unsatisfiable''. \item The extension also contains an incremental interface to the simplex method where one can dynamically assert and retract linear constraints. In contrast, the original simplex formalization only offered an interface which demands all constraints as input and which restarts the computation from scratch on every input. \item The optimization of eliminating unused variables in the preprocessing phase~\cite[Section~3]{simplex-rad} has been integrated in the formalization. \end{itemize} The first two of these extensions required the introduction of \emph{indexed} constraints in combination with generalised lemmas. In these generalisations, global constraints had to be replaced by arbitrary (indexed) subsets of constraints. \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Skew_Heap/document/root.tex b/thys/Skew_Heap/document/root.tex --- a/thys/Skew_Heap/document/root.tex +++ b/thys/Skew_Heap/document/root.tex 
@@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Skew Heap} \author{Tobias Nipkow} \maketitle \begin{abstract} Skew heaps are an amazingly simple and lightweight implementation of priority queues. They were invented by Sleator and Tarjan~\cite{SleatorT-SIAM86} and have logarithmic amortized complexity. This entry provides executable and verified functional skew heaps. The amortized complexity of skew heaps is analyzed in the AFP entry \href{http://isa-afp.org/entries/Amortized_Complexity.shtml}{Amortized Complexity}. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Skip_Lists/document/root.tex b/thys/Skip_Lists/document/root.tex --- a/thys/Skip_Lists/document/root.tex +++ b/thys/Skip_Lists/document/root.tex 
@@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Randomised Skip Lists} \author{Max W. Haslbeck, Manuel Eberl} \maketitle \begin{abstract} Skip lists are sorted linked lists enhanced with shortcuts and are an alternative to binary search trees \cite{pugh1989skip}. A skip lists consists of multiple levels of sorted linked lists where a list on level $n$ is a subsequence of the list on level $n - 1$. In the ideal case, elements are \emph{skipped} in such a way that a lookup in a skip lists takes $\mathcal{O}(\log{n})$ time. In a randomised skip list the skipped elements are choosen randomly. This entry contains formalized proofs of the textbook results about the expected height and the expected length of a search path in a randomised skip list \cite{motwani1995}. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Slicing/document/root.tex b/thys/Slicing/document/root.tex --- a/thys/Slicing/document/root.tex +++ b/thys/Slicing/document/root.tex 
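Review bot: The rewrite of \usepackage{amsfonts, amsmath, amssymb} to \usepackage{amsfonts,amsmath,amssymb} is a cosmetic whitespace change with no bearing on font encoding; either drop it or mention it explicitly, since this is the only hunk in the series that edits an existing package line. Three typos in the unchanged abstract could be fixed in the same pass: "A skip lists consists" and "a lookup in a skip lists" should use the singular "skip list", and "choosen" should be "chosen".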
@@ -1,77 +1,77 @@ \documentclass[11pt,a4paper,notitlepage]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{amssymb} \usepackage{textcomp} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{wasysym} \usepackage{graphicx} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\setisabellecontext}[1]{\markright{#1}} \begin{document} \title{Towards Certified Slicing} \author{Daniel Wasserrab} \maketitle \begin{abstract} Slicing is a widely-used technique with applications in e.g. compiler technology and software security. Thus verification of algorithms in these areas is often based on the correctness of slicing, which should ideally be proven independent of concrete programming languages and with the help of well-known verifying techniques such as proof assistants. As a first step in this direction, this contribution presents a framework for dynamic \cite{WasserrabL:08} and static intraprocedural slicing \cite{WasserrabLS:09} based on control flow and program dependence graphs. Abstracting from concrete syntax we base the framework on a graph representation of the program fulfilling certain structural and well-formedness properties. We provide two instantiations to show the validity of the framework: a simple While language and the sophisticated object-oriented byte code language from Jinja \cite{KleinN:06}. \end{abstract} \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \begin{thebibliography}{10} \bibitem{WasserrabLS:09} Daniel Wasserrab and Denis Lohner and Gregor Snelting \newblock On PDG-Based Noninterference and its Modular Proof \newblock In {\em Proc. of PLAS'09}, pages 31--44. ACM, 2009. \bibitem{WasserrabL:08} Daniel Wasserrab and Andreas Lochbihler. 
\newblock Formalizing a framework for dynamic slicing of program dependence graphs in {Isabelle/HOL}. \newblock In {\em Proc. of TPHOLS'08}, pages 294--309. Springer-Verlag, 2008. \bibitem{KleinN:06} Gerwin Klein and Tobias Nipkow. \newblock {A Machine-Checked Model for a Java-Like Language, Virtual Machine and Compiler}. \newblock {\em ACM Transactions on Programming Languages and Systems}, 28(4):619--695, 2006. \end{thebibliography} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Sliding_Window_Algorithm/document/root.tex b/thys/Sliding_Window_Algorithm/document/root.tex --- a/thys/Sliding_Window_Algorithm/document/root.tex +++ b/thys/Sliding_Window_Algorithm/document/root.tex @@ -1,43 +1,43 @@ \documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{Formalization of an Algorithm for\\ Greedily Computing Associative Aggregations on Sliding Windows} \author{Lukas Heimes \and Dmitriy Traytel \and Joshua Schneider} \maketitle \begin{abstract} Basin et al.'s sliding window algorithm (SWA)~\cite{BASIN2015186} is an algorithm for combining the elements of subsequences of a sequence with an associative operator. It is greedy and minimizes the number of operator applications. We formalize the algorithm and verify its functional correctness. We extend the algorithm with additional operations and provide an alternative interface to the slide operation that does not require the entire input sequence. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
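Review bot: For the Slicing file, removing \usepackage[utf8]{inputenc} is fine: every visible line is ASCII, the author names Wasserrab, Lohner and Snelting need no accents, and \usepackage[T1]{fontenc} is correctly placed before babel. Unrelated to the change, the inline thebibliography is inconsistently punctuated: the WasserrabLS:09 entry lacks the period after "Gregor Snelting" and after "Modular Proof" that the WasserrabL:08 and KleinN:06 entries have.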
diff --git a/thys/Smith_Normal_Form/document/root.tex b/thys/Smith_Normal_Form/document/root.tex --- a/thys/Smith_Normal_Form/document/root.tex +++ b/thys/Smith_Normal_Form/document/root.tex 
@@ -1,73 +1,74 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A verified algorithm for computing the Smith normal form of a matrix} \author{Jose Divas\'on} \maketitle \begin{abstract} This work presents a formal proof in Isabelle/HOL of an algorithm to transform a matrix into its Smith normal form, a canonical matrix form, in a general setting: the algorithm is parameterized by operations to prove its existence over elementary divisor rings, while execution is guaranteed over Euclidean domains. We also provide a formal proof on some results about the generality of this algorithm as well as the uniqueness of the Smith normal form. Since Isabelle/HOL does not feature dependent types, the development is carried out switching conveniently between two different existing libraries: the Hermite normal form (based on HOL Analysis) and the Jordan normal form AFP entries. This permits to reuse results from both developments and it is done by means of the lifting and transfer package together with the use of local type definitions. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Smooth_Manifolds/document/root.tex b/thys/Smooth_Manifolds/document/root.tex --- a/thys/Smooth_Manifolds/document/root.tex +++ b/thys/Smooth_Manifolds/document/root.tex @@ -1,69 +1,70 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage{amsmath} %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Smooth Manifolds} \author{Fabian Immler and Bohua Zhan} \maketitle \begin{abstract} We formalize the definition and basic properties of smooth manifolds~\cite{lee} in Isabelle/HOL. Concepts covered include partition of unity, tangent and cotangent spaces, and the fundamental theorem of path integrals. We also examine some concrete manifolds such as spheres and projective spaces. The formalization makes extensive use of the analysis and linear algebra libraries in Isabelle/HOL, in particular its ``types-to-sets'' mechanism. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Sort_Encodings/document/root.tex b/thys/Sort_Encodings/document/root.tex --- a/thys/Sort_Encodings/document/root.tex +++ b/thys/Sort_Encodings/document/root.tex 
@@ -1,65 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Sound and Complete Sort Encodings \\for First-Order Logic} \author{Jasmin Christian Blanchette and Andrei Popescu} \date{} \maketitle \begin{abstract} This is a formalization of the soundness and completeness properties for various efficient encodings of sorts in unsorted first-order logic used by Isabelle's Sledgehammer tool. The results are reported in \cite[\S2,3]{blanchette-et-al-2013-types-conf}, and the formalization itself is presented in \cite[\S3--5]{froc}. % The encodings proceed as follows:\ a many-sorted problem is decorated with (as few as possible) tags or guards that make the problem monotonic; then sorts can be soundly erased. % The proofs rely on monotonicity criteria recently introduced by Claessen, Lilliestr{\"o}m, and Smallbone \cite{claessen-et-al-2011}. The development employs a formalization of many-sorted first-order logic in clausal form (clauses, structures, and the basic properties of the satisfaction relation), which could be of interest as the starting point for other formalizations of first-order logic metatheory. \end{abstract} \bibliographystyle{abbrv} \bibliography{root} \newpage \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Source_Coding_Theorem/document/root.tex b/thys/Source_Coding_Theorem/document/root.tex --- a/thys/Source_Coding_Theorem/document/root.tex +++ b/thys/Source_Coding_Theorem/document/root.tex 
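Review bot: Only the fontenc line changes in Sort_Encodings, which is fine. While here, the trailing "% optional bibliography" comment now precedes nothing, because \bibliographystyle{abbrv} and \bibliography{root} are deliberately emitted before \tableofcontents; drop the stale comment so the next reader does not look for a missing \bibliography call at the end.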
@@ -1,38 +1,39 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{One Part of Shannon's Source Coding Theorem} \author{Quentin Hibon} \maketitle \begin{abstract} This document contains a proof of the necessary condition on the code rate of a source code, namely that this code rate is bounded by the entropy of the source. This represents one half of Shannon's source coding theorem, which is itself an equivalence. This proof is taken directly from the textbook \cite{ref}, and transcribed rather literally into Isabelle. It is thus easier to keep the textbook proof in mind to understand this formal proof. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Special_Function_Bounds/document/root.tex b/thys/Special_Function_Bounds/document/root.tex --- a/thys/Special_Function_Bounds/document/root.tex +++ b/thys/Special_Function_Bounds/document/root.tex 
@@ -1,34 +1,35 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{amsmath} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Real-Valued Special Functions: \\ Upper and Lower Bounds} \author{Lawrence C. Paulson} \maketitle \begin{abstract} This development proves upper and lower bounds for several familiar real-valued functions. For $\sin$, $\cos$, $\exp$ and the square root function, it defines and verifies infinite families of upper and lower bounds, mostly based on Taylor series expansions. For $\tan^{-1}$, $\ln$ and $\exp$, it verifies a finite collection of upper and lower bounds, originally obtained from the functions' continued fraction expansions using the computer algebra system Maple. A common theme in these proofs is to take the difference between a function and its approximation, which should be zero at one point, and then consider the sign of the derivative. The immediate purpose of this development is to verify axioms used by MetiTarski \cite{metitarski-jar}, an automatic theorem prover for real-valued special functions. Crucial to MetiTarski's operation is the provision of upper and lower bounds for each function of interest. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Splay_Tree/document/root.tex b/thys/Splay_Tree/document/root.tex --- a/thys/Splay_Tree/document/root.tex +++ b/thys/Splay_Tree/document/root.tex 
@@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Splay Tree} \author{Tobias Nipkow} \maketitle \begin{abstract} Splay trees are self-adjusting binary search trees which were invented by Sleator and Tarjan~\cite{SleatorT-JACM85}. This entry provides executable and verified functional splay trees as well as the related splay heaps due to Okasaki~\cite{Okasaki}. The amortized complexity of splay trees and heaps is analyzed in the AFP entry \href{http://isa-afp.org/entries/Amortized_Complexity.shtml}{Amortized Complexity}. \end{abstract} \tableofcontents \bigskip % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Sqrt_Babylonian/document/root.tex b/thys/Sqrt_Babylonian/document/root.tex --- a/thys/Sqrt_Babylonian/document/root.tex +++ b/thys/Sqrt_Babylonian/document/root.tex 
@@ -1,47 +1,48 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\nats{\mathbb{N}} \newcommand\reals{\mathbb{R}} \newcommand\rats{\mathbb{Q}} \newcommand\fieldext[2]{#1[#2]} \newcommand\ratsb{\fieldext\rats{\sqrt b}} \begin{document} \title{Computing N-th Roots using the Babylonian Method\thanks{This research is supported by FWF (Austrian Science Fund) project P22767-N13.}} \author{Ren\'e Thiemann} \maketitle \begin{abstract} We implement the Babylonian method \cite{Babylon} to compute n-th roots of numbers. We provide precise algorithms for naturals, integers and rationals, and offer an approximation algorithm for square roots within linear ordered fields. Moreover, there are precise algorithms to compute the floor and the ceiling of n-th roots. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \section*{Acknowledgements} We thank Bertram Felgenhauer for for mentioning Cauchy's mean theorem during the formalization of the algorithms for computing n-th roots. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Stable_Matching/document/root.tex b/thys/Stable_Matching/document/root.tex --- a/thys/Stable_Matching/document/root.tex +++ b/thys/Stable_Matching/document/root.tex 
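Review bot: Only the fontenc line changes here, and the \ceta macro's \kern adjustments are unaffected by the encoding switch. One typo in the unchanged acknowledgements could be fixed in the same pass: "We thank Bertram Felgenhauer for for mentioning" has a doubled "for".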
@@ -1,229 +1,228 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[a4paper,margin=1cm,footskip=.5cm]{geometry} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage[only,bigsqcap]{stmaryrd} -\usepackage[utf8]{inputenc} - % Bibliography \usepackage[authoryear,sort]{natbib} \bibpunct();A{}, % Allow pdflatex to do some fancier spacing. \usepackage{microtype} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} % sane default for proof documents \parindent 0pt\parskip 0.5ex \title{Stable Matching} \author{Peter Gammie} \maketitle \begin{abstract} \noindent We mechanize proofs of several results from the \emph{matching with contracts} literature, which generalize those of the classical two-sided matching scenarios that go by the name of \emph{stable marriage}. Our focus is on game theoretic issues. Along the way we develop executable algorithms for computing optimal stable matches. \end{abstract} \tableofcontents \section{Introduction} \label{sec:introduction} As economists have turned their attention to the design of such markets as school enrolments, internships, and housing refugees \citep{AnderssonEhlers:2016}, particular \emph{matching} scenarios have proven to be useful models. \citet{Roth:2015} defines matching as ``economist-speak for how we get the many things we choose in life that also must choose us,'' and one such two-sided market is now colloquially known as the \href{https://en.wikipedia.org/wiki/Stable_marriage_problem}{\emph{stable marriage problem}}. It was initially investigated by \citet{GaleShapley:1962}, who introduced the key solution concept of \emph{stability}, and the \emph{deferred-acceptance algorithm} that efficiently constructs stable matches for it. 
We refer readers unfamiliar with this classical work to \S\ref{sec:sotomayor}, where we formalize this scenario and mechanize a non-constructive existence proof of stable matches due to \citet{Sotomayor:1996}. Further in-depth treatment can be found in the very readable monographs by \citet{GusfieldIrving:1989} (algorithmics), \citet{RothSotomayor:1990} (economics), and \citet{Manlove:2013}. Recently \citet{HatfieldMilgrom:2005} (see also \citet{Fleiner:2000,Fleiner:2002,Fleiner:2003}) have recast the two-sided matching model to incorporate \emph{contracts}, which intuitively allow agents to additionally indicate preferences over conditions such as salary. By allowing many-to-one matches, some aspects of a labour market can be modelled. Their analysis leans heavily on the lattice structure of the stable matches, and yields pleasingly simple and general algorithms (\S\ref{sec:contracts}). Later work trades this structure for generality, and the analysis becomes more intricate (\S\ref{sec:cop}). The key game-theoretic result is the (one-sided) strategy-proofness of the optimal stable match (\S\ref{sec:strategic}). This work was motivated by the difficulty of navigating the literature on \emph{matching with contracts} by non-specialists, as observed by \citet{VCG-EC:2015,VCG-AFP:2015}. We impose some order by formalizing much of it in Isabelle/HOL \citep{Nipkow-Paulson-Wenzel:2002}, a proof assistant for a simply-typed higher-order logic. By carefully writing definitions that are executable and testable, we avail ourselves of Isabelle's automatic tools, specifically \verb!nitpick! and \verb!sledgehammer!, to rapidly identify errors when formulating assertions. We focus primarily on strategic (game theoretic) issues, but our development is also intended to serve as a foundation for further results. The proof assistant forces us to take care of all details, which yields a verbosity that may deter some readers. 
We suggest that most will fare best by reading the definitions and \isa{\isacommand{lemma}}/\isa{\isacommand{theorem}} statements closely, and skipping the proofs. (The important results are labelled \isa{\isacommand{theorem}} and \isa{\isacommand{proposition}}, but often the \isa{\isacommand{lemma}}s contain the meat.) The material in \S\ref{sec:cf} on choice functions is mostly for reference. This PDF is generated directly from the development's sources and is extensively hyperlinked, but for some purposes there is no substitute to firing up Isabelle. % generated text of all theories \input{session} \section{Concluding remarks} We conclude with a brief and inexhaustive survey of related work. \subsection{Related work} \paragraph{Computer-assisted and formal reasoning.} \citet{Bijlsma:1991} gives a formal pencil-and-paper derivation of the Gale-Shapley deferred-acceptance algorithm under total strict preferences and one-to-one matching (colloquially, a marriage market). He provides termination and complexity arguments, and discusses representation issues. \citet{HamidCastleberry:2010} treat the same algorithm in the Coq proof assistant, give a termination proof and show that it always yields a stable match. Both focus more on reasoning about programs than the theory of stable matches. Intriguingly, the latter claims that Akamai uses (modified) stable matching to assign clients to servers in their content distribution network. \citet{DBLP:conf/atal/BrandtG14} use SAT technology to find results in social choice theory. They claim that the encodings used by general purpose tools like \verb!nitpick! are too inefficient for their application. \paragraph{Stable matching.} In addition to the monographs \citet{GusfieldIrving:1989,RothSotomayor:1990,Manlove:2013}, \citet{Roth:2008} provides a good overview up to 2007 of open problems and other aspects of this topic that we did not explore here. 
\citet{SonmezSwitzer:2013} incorporate quotas and put the COP to work at the United States Military Academy. \citet{AnderssonEhlers:2016} analyze the possibility of matching of refugees with landlords in Sweden (without mentioning matching with contracts). One of the more famous applications of matching theory is to kidney donation \citep{Roth:2015}, a \emph{repugnant market} where the economists' basic tool of pricing things is considered verboten. These markets are sometimes, but not always, two-sided -- kidneys are often exchanged due to compatibility issues, but there are also altruistic donations and recipients who cannot reciprocate -- and so the model we discussed here is not applicable. Instead generalizations of Gale's \emph{top trading cycles} algorithm are pressed into service \citep{ShapleyScarf:1974,AbdulkadirogluSonmez:1999,SonmezUnver:2010}. Much recent work has hybridized these approaches -- for instance, \citet{Dworczak:2016} uses a combination to enumerate all stable matches. \citet{Echenique:2012} shows that the matching with contracts model of \S\ref{sec:contracts} is no more general than that of \citet{KelsoCrawford:1982} (a job matching market with salaries). \citeauthor{Schlegel:2015} generalizes this result to the COP setting of \S\ref{sec:cop}, and moreover shows how lattice structure can be recovered there, which yields a hospital-proposing deferred-acceptance algorithm that relies only on unilaterally substitutable hospital choice functions. See \citet{HatfieldKominers:2016} for a discussion of the many-to-many case. \citet[Theorem~2.33]{RothSotomayor:1990} point to alternatives to the deferred-acceptance algorithm, and to more general matching scenarios involving couples and roommates. \citet{Manlove:2013} provides a comprehensive survey of matching with preferences. 
\paragraph{Further results: COP.} \citet{Afacan:2014} explores the following two properties: \begin{quote} \emph{[Population monotonicity]} says that no doctor is to be worse off whenever some others leave the market. \emph{[Resource monotonicity]}, on the other hand, requires that no doctor should lose whenever hospitals start hiring more doctors. \end{quote} He shows that the COP is population and resource monotonic under \emph{irc} and \emph{bilateral\_substitutes}. Also \citet{Afacan:2015} characterizes the COP by the properties \emph{truncation proof} (``no doctor can ever benefit from truncating his preferences'') and \emph{invariant to lower tail preferences change} (``any doctor's assignment does not depend on his preferences over worse contracts''); that the COP satisfies these properties was demonstrated in \S\ref{sec:cop}. See also \citet{HatfieldKominersWestkamp:2016} for another set of conditions that characterize the COP. \citet{HirataKasuya:2016} show how the strategic results can be obtained without the rural hospitals theorem, in a setting that requires \emph{irc} but not substitutability. \paragraph{Further results: Strategy.} There are many different ways to think about the manipulation of economic mechanisms. Some continue in the game-theoretic tradition \citep{Gonczarowski:2014}, and, for instance, compare the manipulability of mechanisms that yield stable matches \citep{ChenEgesdalPyciaUenmez:2016}. Techniques from computer science help refine the notion of strategy-proofness \citep{AshlagiGonczarowski:2015} and enable complexity-theoretic arguments \citep{DBLP:conf/atal/AzizSW15,DengShenTang:2016}. \citet{KojimaPathak:2009} have analyzed the scope for manipulation in large matching markets. \section{Acknowledgements} I thank \href{http://www.dcs.gla.ac.uk/~rwi/}{Rob Irving} for a copy of his excellent monograph \citep{GusfieldIrving:1989}, Jasmin C. 
Blanchette for help with nitpick, Andreas Lochbihler for his Bourbaki-Witt Fixpoint theory, Orhan Aygün for a helpful discussion of \citet{AygunSonmez:2012-WP}, and Roman Werpachowski for general comments. \bibliographystyle{plainnat} \bibliography{root} \addcontentsline{toc}{section}{References} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Statecharts/document/root.tex b/thys/Statecharts/document/root.tex --- a/thys/Statecharts/document/root.tex +++ b/thys/Statecharts/document/root.tex 
@@ -1,89 +1,90 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Formalizing Statecharts using Hierarchical Automata} \author{Steffen Helke and Florian Kamm\"uller} \maketitle \begin{abstract} We formalize in Isabelle/HOL the abtract syntax and a synchronous step semantics for the specification language Statecharts \cite{HN96}. The formalization is based on Hierarchical Automata \cite{MLS97} which allow a structural decomposition of Statecharts into Sequential Automata. To support the composition of Statecharts, we introduce calculating operators to construct a Hierarchical Automaton in a stepwise manner \cite{HK01}. Furthermore, we present a complete semantics of Statecharts including a theory of data spaces, which enables the modelling of racing effects \cite{HK05}. We also adapt CTL for Statecharts to build a bridge for future combinations with model checking. However the main motivation of this work is to provide a sound and complete basis for reasoning on Statecharts. As a central meta theorem we prove that the well-formedness of a Statechart is preserved by the semantics \cite{Hel07}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \begin{thebibliography}{MLSH99} \bibitem[HN96]{HN96} D.~Harel and D.~Naamad. \newblock {A STATEMATE semantics for statecharts}. \newblock {\em ACM Transactions on Software Engineering and Methodology}, 5(4):293--333, Oct 1996. \bibitem[MLS97]{MLS97} E.~Mikk, Y.~Lakhnech, and M.~Siegel. \newblock {Hierarchical automata as model for statecharts}. \newblock In {\em Asian Computing Science Conference (ASIAN'97)}, \newblock \textit{Springer LNCS}, \textbf{1345}, 1997. 
\bibitem[HK01]{HK01} S.~Helke and F.~Kamm{\"u}ller. \newblock {Representing Hierarchical Automata in Interactive Theorem Provers}. \newblock In R. J. Boulton, P. B. Jackson, editors, {\em Theorem Proving in Higher Order Logics, TPHOLs 2001}, \textit{Springer LNCS}, \textbf{2152}, 2001. \bibitem[HK05]{HK05} S.~Helke and F.~Kamm{\"u}ller. \newblock {Structure Preserving Data Abstractions for Statecharts}. \newblock In F. Wang, editors, {\em Formal Techniques for Networked and Distributed Systems, FORTE 2005}, \textit{Springer LNCS}, \textbf{3731}, 2005. \bibitem[Hel07]{Hel07} S.~Helke. \newblock {\em Verification of Statecharts using Structure- and Property-Preserving Data Abstraction {$[$}german{$]$} }. \newblock PhD thesis, Fakult{\"a}t IV, Technische Universit{\"a}t Berlin, Germany, 2007. \end{thebibliography} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Stateful_Protocol_Composition_and_Typing/document/root.tex b/thys/Stateful_Protocol_Composition_and_Typing/document/root.tex --- a/thys/Stateful_Protocol_Composition_and_Typing/document/root.tex +++ b/thys/Stateful_Protocol_Composition_and_Typing/document/root.tex 
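Review bot: the new `\usepackage[T1]{fontenc}` line selects T1 encoding without any T1 font family being loaded in this preamble (no `\usepackage{lmodern}`, and none of the root.tex files in this patch add one), so the Computer Modern defaults are used in T1; on a TeX installation without `cm-super` that silently falls back to bitmap Type 3 EC fonts in the generated PDF. Either add `\usepackage{lmodern}` directly after the fontenc line in each touched preamble or confirm that the AFP build environment ships `cm-super`, and state which in the commit message. Since this file is being edited anyway, the `abtract` typo in the abstract could be corrected in the same hunk.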
@@ -1,149 +1,150 @@ \documentclass[10pt,DIV16,a4paper,abstract=true,twoside=semi,openright] {scrreprt} +\usepackage[T1]{fontenc} \usepackage[english]{babel} \usepackage[numbers, sort&compress]{natbib} \usepackage{isabelle,isabellesym} \usepackage{booktabs} \usepackage{paralist} \usepackage{graphicx} \usepackage{amssymb} \usepackage{xspace} \usepackage{xcolor} \usepackage{hyperref} \sloppy \pagestyle{headings} \isabellestyle{default} \setcounter{tocdepth}{1} \newcommand{\ie}{i.\,e.\xspace} \newcommand{\eg}{e.\,g.\xspace} \newcommand{\thy}{\isabellecontext} \renewcommand{\isamarkupsection}[1]{% \begingroup% \def\isacharunderscore{\textunderscore}% \section{#1 (\thy)}% \endgroup% } \title{Stateful Protocol Composition and Typing} \author{% \href{https://www.dtu.dk/english/service/phonebook/person?id=64207}{Andreas~V.~Hess}\footnotemark[1] \and \href{https://people.compute.dtu.dk/samo/}{Sebastian~M{\"o}dersheim}\footnotemark[1] \and \href{http://www.brucker.ch/}{Achim~D.~Brucker}\footnotemark[2] } \publishers{% \footnotemark[1]~DTU Compute, Technical University of Denmark, Lyngby, Denmark\texorpdfstring{\\}{, } \texttt{\{avhe, samo\}@dtu.dk}\\[2em] % \footnotemark[2]~ Department of Computer Science, University of Exeter, Exeter, UK\texorpdfstring{\\}{, } \texttt{a.brucker@exeter.ac.uk} % } \begin{document} \maketitle \begin{abstract} \begin{quote} We provide in this AFP entry several relative soundness results for security protocols. In particular, we prove typing and compositionality results for stateful protocols (i.e., protocols with mutable state that may span several sessions), and that focuses on reachability properties. 
Such results are useful to simplify protocol verification by reducing it to a simpler problem: Typing results give conditions under which it is safe to verify a protocol in a typed model where only ``well-typed'' attacks can occur whereas compositionality results allow us to verify a composed protocol by only verifying the component protocols in isolation. The conditions on the protocols under which the results hold are furthermore syntactic in nature allowing for full automation. The foundation presented here is used in another entry to provide fully automated and formalized security proofs of stateful protocols. \bigskip \noindent{\textbf{Keywords:}} Security protocols, stateful protocols, relative soundness results, proof assistants, Isabelle/HOL, compositionality \end{quote} \end{abstract} \tableofcontents \cleardoublepage \chapter{Introduction} The rest of this document is automatically generated from the formalization in Isabelle/HOL, i.e., all content is checked by Isabelle. The formalization presented in this entry is described in more detail in several publications: \begin{itemize} \item The typing result (\autoref{sec:Typing-Result} ``Typing\_Result'') for stateless protocols, the TLS formalization (\autoref{sec:Example-TLS} ``Example\_TLS''), and the theories depending on those (see \autoref{fig:session-graph}) are described in~\cite{hess.ea:formalizing:2017} and~\cite[chapter 3]{hess:typing:2018}. \item The typing result for stateful protocols (\autoref{sec:Stateful-Typing} ``Stateful\_Typing'') and the keyserver example (\autoref{sec:Example-Keyserver} ``Example\_Keyserver'') are described in~\cite{hess.ea:typing:2018} and~\cite[chapter 4]{hess:typing:2018}. 
\item The results on parallel composition for stateless protocols (\autoref{sec:Parallel-Compositionality} ``Parallel\_Compositionality'') and stateful protocols (\autoref{sec:Stateful-Compositionality} ``Stateful\_Compositionality'') are described in~\cite{hess.ea:stateful:2018} and~\cite[chapter 5]{hess:typing:2018}. \end{itemize} Overall, the structure of this document follows the theory dependencies (see \autoref{fig:session-graph}): we start with introducing the technical preliminaries of our formalization (\autoref{cha:preliminaries}). Next, we introduce the typing results in \autoref{cha:typing} and \autoref{cha:stateful-typing}. We introduce our compositionality results in \autoref{cha:composition} and \autoref{cha:stateful-composition}. Finally, we present two example protocols \autoref{cha:examples}. \paragraph{Acknowledgments} This work was supported by the Sapere-Aude project ``Composec: Secure Composition of Distributed Systems'', grant 4184-00334B of the Danish Council for Independent Research. \clearpage \begin{figure} \centering \includegraphics[height=\textheight]{session_graph} \caption{The Dependency Graph of the Isabelle Theories.\label{fig:session-graph}} \end{figure} \clearpage % \input{session} \chapter{Preliminaries and Intruder Model} \label{cha:preliminaries} In this chapter, we introduce the formal preliminaries, including the intruder model and related lemmata. \input{Miscellaneous.tex} \input{Messages.tex} \input{More_Unification.tex} \input{Intruder_Deduction.tex} \chapter{The Typing Result for Non-Stateful Protocols} \label{cha:typing} In this chapter, we formalize and prove a typing result for ``stateless'' security protocols. This work is described in more detail in~\cite{hess.ea:formalizing:2017} and~\cite[chapter 3]{hess:typing:2018}. 
\input{Strands_and_Constraints.tex} \input{Lazy_Intruder.tex} \input{Typed_Model.tex} \input{Typing_Result.tex} \chapter{The Typing Result for Stateful Protocols} \label{cha:stateful-typing} In this chapter, we lift the typing result to stateful protocols. For more details, we refer the reader to~\cite{hess.ea:typing:2018} and~\cite[chapter 4]{hess:typing:2018}. \input{Stateful_Strands.tex} \input{Stateful_Typing.tex} \chapter{The Parallel Composition Result for Non-Stateful Protocols} \label{cha:composition} In this chapter, we formalize and prove a compositionality result for security protocols. This work is an extension of the work described in~\cite{hess.ea:stateful:2018} and~\cite[chapter 5]{hess:typing:2018}. \input{Labeled_Strands.tex} \input{Parallel_Compositionality.tex} \chapter{The Stateful Protocol Composition Result} \label{cha:stateful-composition} In this chapter, we extend the compositionality result to stateful security protocols. This work is an extension of the work described in~\cite{hess.ea:stateful:2018} and~\cite[chapter 5]{hess:typing:2018}. \input{Labeled_Stateful_Strands.tex} \input{Stateful_Compositionality.tex} \chapter{Examples} \label{cha:examples} In this chapter, we present two examples illustrating our results: In \autoref{sec:Example-TLS} we show that the TLS example from~\cite{hess.ea:formalizing:2017} is type-flaw resistant. In \autoref{sec:Example-Keyserver} we show that the keyserver examples from~\cite{hess.ea:typing:2018,hess.ea:stateful:2018} are also type-flaw resistant and that the steps of the composed keyserver protocol from~\cite{hess.ea:stateful:2018} satisfy our conditions for protocol composition. \input{Example_TLS.tex} \input{Example_Keyserver.tex} {\small \bibliographystyle{abbrvnat} \bibliography{root} } \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Stellar_Quorums/document/root.tex b/thys/Stellar_Quorums/document/root.tex 
--- a/thys/Stellar_Quorums/document/root.tex +++ b/thys/Stellar_Quorums/document/root.tex @@ -1,66 +1,67 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Stellar Quorum Systems} \author{Giuliano Losa\\Galois, Inc., USA\\giuliano@galois.com} \maketitle \begin{abstract} We formalize the static properties of personal Byzantine quorum systems (PBQSs) and Stellar quorum systems, as described in the paper ``Stellar Consensus by Reduction'', to appear at DISC 2019. \end{abstract} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Stern_Brocot/document/root.tex b/thys/Stern_Brocot/document/root.tex --- a/thys/Stern_Brocot/document/root.tex +++ b/thys/Stern_Brocot/document/root.tex 
@@ -1,53 +1,54 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{tikz} \usetikzlibrary{arrows} \usepackage{amssymb} % Bibliography \usepackage[authoryear,sort]{natbib} \bibpunct();A{}, % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Stern-Brocot Tree} \author{Peter Gammie \and Andreas Lochbihler} \maketitle \begin{abstract} The Stern-Brocot tree contains all rational numbers exactly once and in their lowest terms. We formalise the Stern-Brocot tree as a coinductive tree using recursive and iterative specifications, which we have proven equivalent, and show that it indeed contains all the numbers as stated. Following Hinze, we prove that the Stern-Brocot tree can be linearised looplessly into Stern's diatonic sequence (also known as Dijkstra's fusc function) and that it is a permutation of the Bird tree. The reasoning stays at an abstract level by appealing to the uniqueness of solutions of guarded recursive equations and lifting algebraic laws point-wise to trees and streams using applicative functors. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \paragraph{Acknowledgements} Thanks to Dave Cock for a fruitful discussion about unique fixed points. % generated text of all theories \input{session} \bibliographystyle{plainnat} \bibliography{root} %\addcontentsline{toc}{section}{References} \end{document} diff --git a/thys/Stewart_Apollonius/document/root.tex b/thys/Stewart_Apollonius/document/root.tex --- a/thys/Stewart_Apollonius/document/root.tex +++ b/thys/Stewart_Apollonius/document/root.tex 
@@ -1,71 +1,72 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Stewart's Theorem and Apollonius' Theorem} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry formalizes the two geometric theorems, Stewart's and Apollonius' theorem. Stewart's Theorem~\cite{wikipedia:Stewart} relates the length of a triangle's cevian to the lengths of the triangle's two sides. Apollonius' Theorem~\cite{wikipedia:Apollonius} is a specialisation of Stewart's theorem, restricting the cevian to be the median. The proof applies the law of cosines, some basic geometric facts about triangles and then simply transforms the terms algebraically to yield the conjectured relation. The formalization in Isabelle can closely follow the informal proofs described in the Wikipedia articles of those two theorems. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Stirling_Formula/document/root.tex b/thys/Stirling_Formula/document/root.tex --- a/thys/Stirling_Formula/document/root.tex +++ b/thys/Stirling_Formula/document/root.tex 
@@ -1,68 +1,69 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb,amsmath} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Stirling's formula} \author{Manuel Eberl} \maketitle \begin{abstract} This work contains a proof of Stirling's formula both for the factorial $n! \sim \sqrt{2\pi n} (n/e)^n$ on natural numbers and the real Gamma function $\Gamma(x)\sim \sqrt{2\pi/x} (x/e)^x$. The proof is based on work by Graham Jameson~\cite{jameson}. This is then extended to the full asymptotic expansion \begin{multline*} \log\Gamma(z) = \big(z - \tfrac{1}{2}\big)\log z - z + \tfrac{1}{2}\log(2\pi) + \sum_{k=1}^{n-1} \frac{B_{k+1}}{k(k+1)} z^{-k}\\ {} - \frac{1}{n} \int_0^\infty B_n([t])(t + z)^{-n}\,\text{d}t \end{multline*} uniformly for all complex $z\neq 0$ in the cone $\text{arg}(z)\leq \alpha$ for any $\alpha\in(0,\pi)$, with which the above asymptotic relation for $\Gamma$ is also extended to complex arguments. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Stochastic_Matrices/document/root.tex b/thys/Stochastic_Matrices/document/root.tex --- a/thys/Stochastic_Matrices/document/root.tex +++ b/thys/Stochastic_Matrices/document/root.tex 
@@ -1,70 +1,69 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} \usepackage{xspace} -\usepackage[utf8]{inputenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newtheorem{theorem}{Theorem}%[section] \newtheorem{corollary}{Corollary}%[section] \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \begin{document} \title{Stochastic Matrices and the Perron--Frobenius Theorem\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Ren\'e Thiemann} \maketitle \begin{abstract} Stochastic matrices are a convenient way to model discrete-time and finite state Markov chains. The Perron--Frobenius theorem tells us something about the existence and uniqueness of non-negative eigenvectors of a stochastic matrix. In this entry, we formalize stochastic matrices, link the formalization to the existing AFP-entry on Markov chains, and apply the Perron--Frobenius theorem to prove that stationary distributions always exist, and they are unique if the stochastic matrix is irreducible. \end{abstract} \tableofcontents \section{Introduction} In their AFP entry Markov Models \cite{Markov_Models-AFP}, H\"olzl and Nipkow provide a framework for specifying discrete- and continuous-time Markov chains. In the following, we instantiate their framework by formalizing right-stochastic matrices and stochastic vectors. These vectors encode probability mass functions over a finite set of states, whereas stochastic matrices can be utilized to model discrete-time and finite space Markov chains. 
The formulation of Markov chains as matrices has the advantage that certain concepts can easily be expressed via matrices. For instance, a stationary distribution is nothing else than a non-negative real eigenvector of the transition matrix for eigenvalue 1. As a consequence, we can derive certain properties on Markov chains using results on matrices. To be more precise, we utilize the formalization of the Perron--Frobenius theorem \cite{Perron_Frobenius-AFP} to prove that a stationary distribution always exists, and that it is unique if the transition matrix is irreducible. \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Stone_Algebras/document/root.tex b/thys/Stone_Algebras/document/root.tex --- a/thys/Stone_Algebras/document/root.tex +++ b/thys/Stone_Algebras/document/root.tex 
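Review bot: dropping `\usepackage[utf8]{inputenc}` in this hunk is safe only on TeX Live 2018 or later, where UTF-8 is the default input encoding; the commit message should state that minimum, since the other hunks in this series are pure fontenc additions and this is the only one that removes a package. Nothing in this file depends on inputenc (the non-ASCII names are written as TeX accents, `Ren\'e` and `H\"olzl`), so the removal itself is correct. If the goal is to normalise the preambles, check the remaining root.tex files for a stray `inputenc` line and remove them in the same patch rather than leaving the cleanup half done.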
@@ -1,82 +1,82 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} \begin{document} \title{Stone Algebras} \author{Walter Guttmann} \maketitle \begin{abstract} A range of algebras between lattices and Boolean algebras generalise the notion of a complement. We develop a hierarchy of these pseudo-complemented algebras that includes Stone algebras. Independently of this theory we study filters based on partial orders. Both theories are combined to prove Chen and Gr\"atzer's construction theorem for Stone algebras. The latter involves extensive reasoning about algebraic structures in addition to reasoning in algebraic structures. \end{abstract} \tableofcontents \section{Synopsis and Motivation} This document describes the following four theory files: \begin{itemize} \item Lattice Basics is a small theory with basic definitions and facts extending Isabelle/HOL's lattice theory. It is used by the following theories. \item Pseudocomplemented Algebras contains a hierarchy of algebraic structures between lattices and Boolean algebras. Many results of Boolean algebras can be derived from weaker axioms and are useful for more general models. In this theory we develop a number of algebraic structures with such weaker axioms. The theory has four parts. We first extend lattices and distributive lattices with a pseudocomplement operation to obtain (distributive) p-algebras. An additional axiom of the pseudocomplement operation yields Stone algebras. The third part studies a relative pseudocomplement operation which results in Heyting algebras and Brouwer algebras. We finally show that Boolean algebras instantiate all of the above structures. \item Filters contains an order-/lattice-theoretic development of filters. 
We prove the ultrafilter lemma in a weak setting, several results about the lattice structure of filters and a few further results from the literature. Our selection is due to the requirements of the following theory. \item Construction of Stone Algebras contains the representation of Stone algebras as triples and the corresponding isomorphisms \cite{ChenGraetzer1969,Katrinak1973}. It is also a case study of reasoning about algebraic structures. Every Stone algebra is isomorphic to a triple comprising a Boolean algebra, a distributive lattice with a greatest element, and a bounded lattice homomorphism from the Boolean algebra to filters of the distributive lattice. We carry out the involved constructions and explicitly state the functions defining the isomorphisms. A function lifting is used to work around the need for dependent types. We also construct an embedding of Stone algebras to inherit theorems using a technique of universal algebra. \end{itemize} Algebras with pseudocomplements in general, and Stone algebras in particular, appear widely in mathematical literature; for example, see \cite{BalbesDwinger1974,Birkhoff1967,Blyth2005,Graetzer1971}. We apply Stone algebras to verify Prim's minimum spanning tree algorithm in Isabelle/HOL in \cite{Guttmann2016c}. There are at least two Isabelle/HOL theories related to filters. The theory \texttt{HOL/Algebra/Ideal.thy} defines ring-theoretic ideals in locales with a carrier set. In the theory \texttt{HOL/Filter.thy} a filter is defined as a set of sets. Filters based on orders and lattices abstract from the inner set structure; this approach is used in many texts such as \cite{BalbesDwinger1974,Birkhoff1967,Blyth2005,DaveyPriestley2002,Graetzer1971}. Moreover, it is required for the construction theorem of Stone algebras, whence our theory implements filters this way. 
Besides proving the results involved in the construction of Stone algebras, we study how to reason about algebraic structures defined as Isabelle/HOL classes without carrier sets. The Isabelle/HOL theories \texttt{HOL/Algebra/*.thy} use locales with a carrier set, which facilitates reasoning about algebraic structures but requires assumptions involving the carrier set in many places. Extensive libraries of algebraic structures based on classes without carrier sets have been developed and continue to be developed \cite{ArmstrongFosterStruthWeber2016,ArmstrongGomesStruth2016,ArmstrongGomesStruthWeber2016,DivasonAransay2016,FosterStruth2016,FurusawaStruth2016,GeorgescuLeusteanPreoteasa2016,GomesGuttmannHoefnerStruthWeber2016,GomesStruth2016,Guttmann2015a,KleinKolanskiBoyton2016,Preoteasa2016b,Preoteasa2016a,WamplerDoty2016}. It is unlikely that these libraries will be converted to carrier-based theories and that carrier-free and carrier-based implementations will be consistently maintained and evolved; certainly this has not happened so far and initial experiments suggest potential drawbacks for proof automation \cite{FosterStruthWeber2011}. An improvement of the situation seems to require some form of automation or system support that makes the difference irrelevant. In the present development, we use classes without carrier sets to reason about algebraic structures. To instantiate results derived in such classes, the algebras must be represented as Isabelle/HOL types. This is possible to a certain extent, but causes a problem if the definition of the underlying set depends on parameters introduced in a locale; this would require dependent types. For the construction theorem of Stone algebras we work around this restriction by a function lifting. If the parameters are known, the functions can be specialised to obtain a simple (non-dependent) type that can instantiate classes. For the construction theorem this specialisation can be done using an embedding. 
The extent to which this approach can be generalised to other settings remains to be investigated. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Stone_Kleene_Relation_Algebras/document/root.tex b/thys/Stone_Kleene_Relation_Algebras/document/root.tex --- a/thys/Stone_Kleene_Relation_Algebras/document/root.tex +++ b/thys/Stone_Kleene_Relation_Algebras/document/root.tex 
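Review bot: the deletion of the blank line after `\documentclass` in this hunk (and likewise in the Stone_Kleene_Relation_Algebras and Stone_Relation_Algebras hunks below, which share the same `-1,N +1,N` header) is unrelated whitespace churn; keep the blank line so each hunk is a pure one-line addition, as in the Statecharts and Stellar_Quorums hunks, or mention the whitespace normalisation in the commit message so the line-count-neutral headers do not look like an accidental deletion.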
@@ -1,62 +1,62 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} \begin{document} \title{Stone-Kleene Relation Algebras} \author{Walter Guttmann} \maketitle \begin{abstract} We develop Stone-Kleene relation algebras, which expand Stone relation algebras with a Kleene star operation to describe reachability in weighted graphs. Many properties of the Kleene star arise as a special case of a more general theory of iteration based on Conway semirings extended by simulation axioms. This includes several theorems representing complex program transformations. We formally prove the correctness of Conway's automata-based construction of the Kleene star of a matrix. We prove numerous results useful for reasoning about weighted graphs. \end{abstract} \tableofcontents \section{Synopsis and Motivation} This document describes the following five theory files: \begin{itemize} \item Iterings describes a general iteration operation that works for many different computation models. We first consider equational axioms based on variants of Conway semirings. We expand these structures by generalised simulation axioms, which hold in total and general correctness models, not just in partial correctness models like the induction axioms. Simulation axioms are still powerful enough to prove separation theorems and Back's atomicity refinement theorem \cite{BackWright1999}. \item Kleene Algebras form a particular instance of iterings in which the iteration is implemented as a least fixpoint. We implement them based on Kozen's axioms \cite{Kozen1994}, but most results are inherited from Conway semirings and iterings. 
\item Kleene Relation Algebras introduces Stone-Kleene relation algebras, which combine Stone relation algebras and Kleene algebras. This is similar to relation algebras with transitive closure \cite{Ng1984} but allows us to talk about reachability in weighted graphs. Many results in this theory are useful for verifying the correctness of Prim's and Kruskal's minimum spanning tree algorithms. \item Subalgebras of Kleene Relation Algebras studies the regular elements of a Stone-Kleene relation algebra and shows that they form a Kleene relation subalgebra. \item Matrix Kleene Algebras lifts the Kleene star to finite square matrices using Conway's automata-based construction. This involves an operation to restrict matrices to specific indices and a calculus for such restrictions. An implementation for the Kleene star of matrices was given in \cite{Asplund2014} without proof; this is the first formally verified correctness proof. \end{itemize} The development is based on a theory of Stone relation algebras \cite{Guttmann2017a,Guttmann2017b}. We apply Stone-Kleene relation algebras to verify Prim's minimum spanning tree algorithm in Isabelle/HOL in \cite{Guttmann2016c}. Related libraries for Kleene algebras, regular algebras and relation algebras in the Archive of Formal Proofs are \cite{ArmstrongFosterStruthWeber2016,ArmstrongGomesStruthWeber2016,FosterStruth2016}. Kleene algebras are covered in the theory \texttt{Kleene\_Algebra/Kleene\_Algebra.thy}, but unlike the present development it is not based on general algebras using simulation axioms, which are useful to describe various computation models. The theory \texttt{Regular\_Algebras/Regular\_Algebras.thy} compares different axiomatisations of regular algebras. The theory \texttt{Kleene\_Algebra/Matrix.thy} covers matrices over dioids, but does not implement the Kleene star of matrices. 
The theory \texttt{Relation\_Algebra/Relation\_Algebra\_RTC.thy} combines Kleene algebras and relation algebras, but is very limited in scope and not applicable as we need the weaker axioms of Stone relation algebras. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Stone_Relation_Algebras/document/root.tex b/thys/Stone_Relation_Algebras/document/root.tex --- a/thys/Stone_Relation_Algebras/document/root.tex +++ b/thys/Stone_Relation_Algebras/document/root.tex 
@@ -1,71 +1,71 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} \begin{document} \title{Stone Relation Algebras} \author{Walter Guttmann} \maketitle \begin{abstract} We develop Stone relation algebras, which generalise relation algebras by replacing the underlying Boolean algebra structure with a Stone algebra. We show that finite matrices over bounded linear orders form an instance. As a consequence, relation-algebraic concepts and methods can be used for reasoning about weighted graphs. We also develop a fixpoint calculus and apply it to compare different definitions of reflexive-transitive closures in semirings. \end{abstract} \tableofcontents \section{Synopsis and Motivation} This document describes the following six theory files: \begin{itemize} \item Fixpoints develops a fixpoint calculus based on partial orders. We also consider least (pre)fixpoints and greatest (post)fixpoints. The derived rules include unfold, square, rolling, fusion, exchange and diagonal rules studied in \cite{AartsBackhouseBoitenDoornbosGasterenGeldropHoogendijkVoermansWoude1995}. Our results are based on the existence of fixpoints instead of completeness of the underlying structure. \item Semirings contains a hierarchy of structures generalising idempotent semirings. In particular, several of these algebras do not assume that multiplication is associative in order to capture models such as multirelations. Even in such a weak setting we can derive several results comparing different definitions of reflexive-transitive closures based on fixpoints. \item Relation Algebras introduces Stone relation algebras, which weaken the Boolean algebra structure of relation algebras to Stone algebras. 
This is motivated by the wish to represent weighted graphs (matrices over numbers) in addition to unweighted graphs (Boolean matrices) that form relations. Many results of relation algebras can be derived from the weaker axioms and therefore also apply to weighted graphs. Some results hold in Stone relation algebras after small modifications. This allows us to apply relational concepts and methods also to weighted graphs. In particular, we prove a number of properties that have been used to verify graph algorithms. Tarski's relation algebras \cite{Tarski1941} arise as a special case by imposing further axioms. \item Subalgebras of Relation Algebras studies the structures of subsets of elements characterised by a given property. In particular we look at regular elements (which correspond to unweighted graphs), coreflexives (tests), vectors and covectors (which can be used to represent sets). The subsets are turned into Isabelle/HOL types, which are shown to form instances of various algebras. \item Matrix Relation Algebras lifts the Stone algebra hierarchy, the semiring structure and, finally, Stone relation algebras to finite square matrices. These are mostly standard constructions similar to those in \cite{ArmstrongFosterStruthWeber2016,ArmstrongGomesStruthWeber2016} implemented so that they work for many algebraic structures. In particular, they can be instantiated to weighted graphs (see below) and extended to Kleene algebras (not part of this development). \item Matrices over Bounded Linear Orders studies relational properties. In particular, we characterise univalent, injective, total, surjective, mapping, bijective, vector, covector, point, atom, reflexive, coreflexive, irreflexive, symmetric, antisymmetric and asymmetric matrices. Definitions of these properties are taken from relation algebras and their meaning for matrices over bounded linear orders (weighted graphs) is explained by logical formulas in terms of matrix entries. 
\end{itemize} The development is based on a theory of Stone algebras \cite{Guttmann2016b} and forms the basis for an extension to Kleene algebras to capture further properties of graphs. We apply Stone relation algebras to verify Prim's minimum spanning tree algorithm in Isabelle/HOL in \cite{Guttmann2016c}. Related libraries for semirings and relation algebras in the Archive of Formal Proofs are \cite{ArmstrongFosterStruthWeber2016,ArmstrongGomesStruthWeber2016}. The theory \texttt{Kleene\_Algebra/Dioid.thy} introduces a number of structures that generalise idempotent semirings, but does not cover most of the semiring structures in the present development. The theory \texttt{Relation\_Algebra/Relation\_Algebra.thy} covers Tarski's relation algebras and hence cannot be reused for the present development as most properties need to be derived from the weaker axioms of Stone relation algebras. The matrix constructions in theories \texttt{Kleene\_Algebra/Inf\_Matrix.thy} and \texttt{Relation\_Algebra/Relation\_Algebra\_Models.thy} are similar, but have strong restrictions on the matrix entry types not appropriate for many algebraic structures in the present development. We also deviate from these hierarchies by basing idempotent semirings directly on the Isabelle/HOL semilattice structures instead of a separate structure; this results in a somewhat smoother integration with the lattice structure of relation algebras. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Store_Buffer_Reduction/document/root.tex b/thys/Store_Buffer_Reduction/document/root.tex --- a/thys/Store_Buffer_Reduction/document/root.tex +++ b/thys/Store_Buffer_Reduction/document/root.tex 
@@ -1,725 +1,724 @@ \RequirePackage{luatex85} -%\documentclass[11pt,a4paper]{article} \documentclass[11pt]{llncs} +\usepackage[T1]{fontenc} \pdfoutput=1 -\usepackage[utf8]{inputenc} % replace by the encoding you are using \usepackage{geometry} \geometry{ a4paper, % or letterpaper textwidth=15cm, % llncs has 12.2cm textheight=24cm, % llncs has 19.3cm heightrounded, % integer number of lines hratio=1:1, % horizontally centered vratio=2:3, % not vertically centered } \usepackage{amsmath} \usepackage{graphicx} \usepackage{mathpartir} \usepackage{float} \usepackage{cite} % produce nice graphics using tikz and pgf %\usepackage{tikz} %\usetikzlibrary{snakes} \usepackage{xspace} \newcommand{\cf}{cf.\@\xspace} \newcommand{\eg}{e.g.,\xspace} \newcommand{\ie}{i.e.,\xspace} \newcommand{\Sound}{sound} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % We redefine it use the ragged2e package for \RaggedRight which makes better % use of hyphenation in Latex2e compared to standard \raggedright \usepackage{ragged2e} % {tabularx} provides an expanding column specifier X \usepackage{tabularx} % todo not loading tabularx seems to break compilation \usepackage{booktabs} \usepackage{longtable} \usepackage{amsmath} \usepackage{stmaryrd} \usepackage{subfig} \usepackage[draft]{fixme} % provides {inparaenum} for enumerations inside a paragraph \usepackage[defblank]{paralist} % make roman numerals default for {inparaenum}: \let\oldinparaenum=\inparaenum \def\inparaenum{\oldinparaenum[(i)]} %inference rules \usepackage{mathpartir} %for greek letters in our Isabelle setup \usepackage[greek, english]{babel} \usepackage{type1cm} \usepackage{float} \usepackage{tikz} \usetikzlibrary{calc} \usepackage{pdfsetup} %fix robustness issue in Isabelle 2007 \DeclareRobustCommand{\isascriptstyle}{\def\isamath##1{##1}\def\isatext##1{\mbox{\isastylescript##1}}} \newcommand{\isabellestylesf}{% \isabellestyleit% \renewcommand{\isastyle}{\small\sf}% \renewcommand{\isastyleminor}{\sf}% 
\renewcommand{\isastylescript}{\scriptsize}% \renewcommand{\isascriptstyle}{\def\isamath####1{####1}\def\isatext####1{\mbox{\isastylescript####1}}\def\isagreek####1{\foreignlanguage{greek}{\mbox{\isastylescript####1}}}}% \renewcommand{\isacharprime}{\ensuremath{\mskip2mu{'}\mskip-2mu}}% \DeclareRobustCommand{\isactrlsub}[1]{{\isascriptstyle${}\mathsf{\sb{\vphantom{gb}##1}}$}}% \DeclareRobustCommand{\isactrlsup}[1]{{\isascriptstyle${}\mathsf{\sp{\vphantom{gb}##1}}$}}% \DeclareRobustCommand{\isactrlisub}[1]{{\isascriptstyle${}\mathsf{\sb{\vphantom{gb}##1}}$}}% \DeclareRobustCommand{\isactrlisup}[1]{{\isascriptstyle${}\mathsf{\sp{\vphantom{gb}##1}}$}}% \DeclareRobustCommand{\isactrlbsub}{\bgroup\isascriptstyle\begin{math}{}\mathsf\bgroup\sb\bgroup}% \DeclareRobustCommand{\isactrlesub}{\egroup\egroup\end{math}\egroup}% \DeclareRobustCommand{\isactrlbsup}{\bgroup\isascriptstyle\begin{math}{}\mathsf\bgroup\sp\bgroup}% \DeclareRobustCommand{\isactrlesup}{\egroup\egroup\end{math}\egroup}% \renewcommand{\isamarkupchapter}[1]{\isastyletext\chapter{##1}} \renewcommand{\isamarkupsection}[1]{\isastyletext\section{##1}} \renewcommand{\isamarkupsubsection}[1]{\isastyletext\subsection{##1}} \renewcommand{\isamarkupsubsubsection}[1]{\isastyletext\subsubsection{##1}} %\renewcommand{\isamarkupsect}[1]{\isastyletext\section{##1}} %\renewcommand{\isamarkupsubsect}[1]{\isastyletext\subsection{##1}} %\renewcommand{\isamarkupsubsubsect}[1]{\isastyletext\subsubsection{##1}} %we use babel for greek letters to easily obtain different fontshapes; \mbox helps in math mode \newcommand{\isagreek}[1]{\foreignlanguage{greek}{\mbox{##1}}} \renewcommand{\isasymalpha}{\isagreek{a}} \renewcommand{\isasymbeta}{\isagreek{b}} \renewcommand{\isasymgamma}{\isagreek{g}} \renewcommand{\isasymdelta}{\isagreek{d}} \renewcommand{\isasymepsilon}{\isagreek{e}} \renewcommand{\isasymzeta}{\isagreek{z}} \renewcommand{\isasymeta}{\isagreek{h}} \renewcommand{\isasymtheta}{\isagreek{j}} 
\renewcommand{\isasymiota}{\isagreek{i}} \renewcommand{\isasymkappa}{\isagreek{k}} \renewcommand{\isasymlambda}{\isamath{\lambda}} \renewcommand{\isasymmu}{\isagreek{m}} \renewcommand{\isasymnu}{\isagreek{n}} \renewcommand{\isasymxi}{\isagreek{x}} \renewcommand{\isasympi}{\isagreek{p}} \renewcommand{\isasymrho}{\isagreek{r}} \renewcommand{\isasymsigma}{\isagreek{sv}} \renewcommand{\isasymtau}{\isagreek{t}} \renewcommand{\isasymupsilon}{\isagreek{u}} \renewcommand{\isasymphi}{\isagreek{f}} \renewcommand{\isasymchi}{\isagreek{q}} \renewcommand{\isasympsi}{\isagreek{y}} \renewcommand{\isasymomega}{\isagreek{w}} \renewcommand{\isasymGamma}{\isagreek{G}} \renewcommand{\isasymDelta}{\isagreek{D}} \renewcommand{\isasymTheta}{\isagreek{J}} \renewcommand{\isasymLambda}{\isagreek{L}} \renewcommand{\isasymXi}{\isagreek{X}} \renewcommand{\isasymPi}{\isagreek{P}} \renewcommand{\isasymSigma}{\isagreek{Sv}} \renewcommand{\isasymUpsilon}{\isagreek{U}} \renewcommand{\isasymPhi}{\isagreek{F}} \renewcommand{\isasymPsi}{\isagreek{Y}} \renewcommand{\isasymOmega}{\isagreek{W}} } \isabellestyle{sf} % todo compared to the original isabelle.sty, we have omitted some vertical % spacing and forced \par's -- check if we really want this in the end... % % The problems we tried to fix with the current solution is that `unmotivated' % vertical space appeared between alternations of "(*<*)...(*>*)" and "text {* % ... *}", which is not acceptable and must otherwise be fixed manually by % reordering the material in the theories. 
\renewcommand{\isabeginpar}{} \renewcommand{\isaendpar}{} \makeatletter \renewenvironment{isapar}{\parindent\isa@parindent\parskip\isa@parskip\isabeginpar}{\isaendpar} \makeatother \DeclareRobustCommand\ensuretext[1]{\ifmmode\text{#1}\else{#1}\fi} \newcommand{\freefnt}[1]{\textsl{\rmfamily#1}} \newcommand{\boundfnt}[1]{{\textsl{\sffamily#1}}} \newcommand{\constructorfnt}[1]{\textsc{#1}} \newcommand{\holkeywordfnt}[1]{\texttt{#1}} \newcommand{\tfreeify}[1]{\ensuretext{\freefnt{#1}}} \newcommand{\freeify}[1]{\ensuretext{\freefnt{#1}}} \newcommand{\boundify}[1]{\ensuretext{\boundfnt{#1}}} \newcommand{\constructor}[1]{\ensuretext{\constructorfnt{#1}}} \newcommand{\holkeyword}[1]{\ensuretext{\holkeywordfnt{#1}}} \newcommand{\isasymllceil}{\isamath{\llceil}} \newcommand{\isasymrrceil}{\isamath{\rrceil}} \renewcommand{\isasymturnstile}{\isamath{\,\vdash}} \renewcommand{\isasymTurnstile}{\isamath{\,\models}} \newcommand{\isastring}[1]{``#1''} \newcommand{\accessor}[1]{\isa{the}$_{\textsc{#1}}$} \newcommand{\isaclike}[1]{\texttt{#1}} \renewcommand{\isasymvv}{\mbox{\isastyleminor\isastylescript v+1}} % include pdfcolor when using pdflatex %\ifpdf % \input pdfcolor.tex %\fi \newcommand{\listty}[1]{% \ensuremath{\mathit{\id{#1} \ \id{list} } } } \newcommand{\texth}{\mathcode`\-=`\-\relax} \newcommand{\id}[1]{% \ensuremath{\mathit{\texth#1}}} \newcommand{\co}[1]{% \ensuremath{\mathsf{\texth#1}}} \newcommand{\rf}[1]{% \ensuremath{\mathsf{#1}}} \newcommand{\Some}[1]{% \ensuremath{\mathit{\left\lfloor #1 \right\rfloor} } } \newcommand{\cons}[1]{% \ensuremath{\mathsf{#1}}} % TODO: improve typesetting of formulas. use Isabelle's document generation? 
if so remove the following macro definitions % some macro's \DeclareRobustCommand{\listlength}[1]{\left|#1\right|} % Isabelle: length \DeclareRobustCommand{\MemConfLM}{\ensuremath{\id{lm}}\xspace} \DeclareRobustCommand{\recursiondepth}[1]{\listlength{#1.\MemConfLM}} \DeclareRobustCommand{\heapbase}{\ensuremath{\id{abase}_\text{heap}}\xspace} % Isabelle: heap_base, heap_base_word \DeclareRobustCommand{\maxheapsize}{\ensuremath{\id{asize}_\text{heap}^\text{max}}\xspace} % Isabelle: heap_size_max \DeclareRobustCommand{\maxheap}{\ensuremath{\heapbase+\maxheapsize}\xspace} % Isabelle: max_heap \DeclareRobustCommand{\intwdasnat}{\ensuremath{\id{i2n}}\xspace} % Isabelle: intwd_as_nat \DeclareRobustCommand{\gprs}{\ensuremath{\id{gpr}}\xspace} \DeclareRobustCommand{\heaptopreg}{\ensuremath{r_\text{htop}}\xspace} % Isabelle: heaptop_reg \DeclareRobustCommand{\lastframereg}{\ensuremath{r_\text{lframe}}\xspace} % Isabelle: last_frame_reg \DeclareRobustCommand{\sbasereg}{\ensuremath{r_\text{sbase}}\xspace} % Isabelle: sbase_reg \DeclareRobustCommand{\sbasebubble}{\ensuremath{\id{bubble}_\text{code}}\xspace} % Isabelle: sbase_bubble \DeclareRobustCommand{\computesbase}{\ensuremath{\id{abase}_\text{gm}}\xspace} % Isabelle: compute_sbase \DeclareRobustCommand{\programbase}{\ensuremath{\id{progbase}}\xspace} % Isabelle: program_basee, program_base_word \DeclareRobustCommand{\stackframebubble}{\ensuremath{\id{bubble}_\text{gm}}\xspace} % Isabelle: stack_frame_bubble \DeclareRobustCommand{\abaselocalframe}{\ensuremath{\id{abase}_\text{lm}}\xspace} % Isabelle: abase_local_frame \DeclareRobustCommand{\tenv}{\ensuremath{\id{te}}\xspace} \DeclareRobustCommand{\pt}{\ensuremath{\id{ft}}\xspace} \DeclareRobustCommand{\extractsymbolconf}{\ensuremath{\id{sc}}\xspace} % Isabelle: extract_symbolconf \DeclareRobustCommand{\stackstart}{\abaselocalframe} % Isabelle: stack_start \DeclareRobustCommand{\gmsymbols}{\ensuremath{\id{gst}}\xspace} % Isabelle: gm_symbols 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \def\listith{\id{!}} \def\implies {\ensuremath{\Rightarrow}} \def\ibool {\id{bool}} \def\inat{\Nat} \def\iff {\textbf{if }} \def\then {\textbf{then}} \def\elseif {\textbf{else}} \def\case{\id{\textbf{case}}} \def\of{\id{\textbf{ of }}} \def\indef{\id{\textbf{in }}} \def\letdef{\id{\textbf{let }}} \def\undef{\id{undef}} \def\funnames{\id{fun_n}} \def\cc {\id{c}} \def\sczero {\id{c0}} \def\confc {\ensuremath{\mathit{C_{\rm{co}}}}} \def\deltac {\ensuremath{\mathit{\delta_\sczero}}} \newcommand{\Def}[1]{\emph{#1}} \sloppy % The following is enclosed to allow easy detection of differences in % ascii coding. % Upper-case A B C D E F G H I J K L M N O P Q R S T U V W X Y Z % Lower-case a b c d e f g h i j k l m n o p q r s t u v w x y z % Digits 0 1 2 3 4 5 6 7 8 9 % Exclamation ! Double quote " Hash (number) # % Dollar $ Percent % Ampersand & % Acute accent ' Left paren ( Right paren ) % Asterisk * Plus + Comma , % Minus - Point . Solidus / % Colon : Semicolon ; Less than < % Equals =3D Greater than > Question mark ? % At @ Left bracket [ Backslash \ % Right bracket ] Circumflex ^ Underscore _ % Grave accent ` Left brace { Vertical bar | % Right brace } Tilde ~ \newcommand{\Nat}{{\mathbb N}} \newcommand{\Real}{{\mathbb R}} \def\lastname{Schirmer} \pagestyle{plain} \setcounter{tocdepth}{3} \begin{document} %\begin{frontmatter} \title{A Reduction Theorem for Store Buffers} \author{Ernie Cohen\inst{1}, Norbert Schirmer\inst{2}\fnmsep\thanks{Work funded by the German Federal Ministry of Education and Research (BMBF) in the framework of the Verisoft XT project under grant 01 IS 07 008.}} \institute{Microsoft Corp., Redmond, WA, USA \and German Research Center for Artificial Intelligence (DFKI) Saarbr\"ucken, Germany\\ \email{ecohen@amazon.com}, \email{norbert.schirmer@web.de}} \maketitle \begin{abstract} When verifying a concurrent program, it is usual to assume that memory is sequentially consistent. 
However, most modern multiprocessors depend on store buffering for efficiency, and provide native sequential consistency only at a substantial performance penalty. To regain sequential consistency, a programmer has to follow an appropriate programming discipline. However, na\"ive disciplines, such as protecting all shared accesses with locks, are not flexible enough for building high-performance multiprocessor software. We present a new discipline for concurrent programming under TSO (total store order, with store buffer forwarding). It does not depend on concurrency primitives, such as locks. Instead, threads use ghost operations to acquire and release ownership of memory addresses. A thread can write to an address only if no other thread owns it, and can read from an address only if it owns it or it is shared and the thread has flushed its store buffer since it last wrote to an address it did not own. This discipline covers both coarse-grained concurrency (where data is protected by locks) as well as fine-grained concurrency (where atomic operations race to memory). We formalize this discipline in Isabelle/HOL, and prove that if every execution of a program in a system without store buffers follows the discipline, then every execution of the program with store buffers is sequentially consistent. Thus, we can show sequential consistency under TSO by ordinary assertional reasoning about the program, without having to consider store buffers at all. \end{abstract} \tableofcontents %\begin{keyword} %Pervasive formal verification, systems verification, software verification, theorem proving %\end{keyword} %\end{frontmatter} \section{Introduction \label{sec:introduction}} When verifying a shared-memory concurrent program, it is usual to assume that each memory operation works directly on a shared memory state, a model sometimes called \Def{atomic} memory. 
A memory implementation that provides this abstraction for programs that communicate only through shared memory is said to be \Def{sequentially consistent}. Concurrent algorithms in the computing literature tacitly assume sequential consistency, as do most application programmers. However, modern computing platforms typically do not guarantee sequential consistency for arbitrary programs, for two reasons. First, optimizing compilers are typically incorrect unless the program is appropriately annotated to indicate which program locations might be concurrently accessed by other threads; this issue is addressed only cursorily in this report. Second, modern processors buffer stores of retired instructions. To make such buffering transparent to single-processor programs, subsequent reads of the processor read from these buffers in preference to the cache. (Otherwise, a program could write a new value to an address but later read an older value.) However, in a multiprocessor system, processors do not snoop the store buffers of other processors, so a store is visible to the storing processor before it is visible to other processors. This can result in executions that are not sequentially consistent. The simplest example illustrating such an inconsistency is the following program, consisting of two threads T0 and T1, where \texttt{x} and \texttt{y} are shared memory variables (initially 0) and \texttt{r0} and \texttt{r1} are registers: % \begin{center} \begin{minipage}{6cm} \begin{multicols}{3} T0 \begin{verbatim} x = 1; r0 = y; \end{verbatim} \columnbreak T1 \begin{verbatim} y = 1; r1 = x; \end{verbatim} \columnbreak \end{multicols} \end{minipage} \end{center} % In a sequentially consistent execution, it is impossible for both \texttt{r0} and \texttt{r1} to be assigned $0$. This is because the assignments to \texttt{x} and \texttt{y} must be executed in some order; if \texttt{x} (resp. \texttt{y}) is assigned first, then \texttt{r1} (resp. \texttt{r0}) will be set to $1$. 
However, in the presence of store buffers, the assignments to \texttt{r0} and \texttt{r1} might be performed while the writes to \texttt{x} and \texttt{y} are still in their respective store buffers, resulting in both \texttt{r0} and \texttt{r1} being assigned $0$. One way to cope with store buffers is make them an explicit part of the programming model. However, this is a substantial programming concession. First, because store buffers are FIFO, it ratchets up the complexity of program reasoning considerably; for example, the reachability problem for a finite set of concurrent finite-state programs over a finite set of finite-valued locations is in PSPACE without store buffers, but undecidable (even for two threads) with store buffers. Second, because writes from function calls might still be buffered when a function returns, making the store buffers explicit would break modular program reasoning. In practice, the usual remedy for store buffering is adherence to a programming discipline that provides sequential consistency for a suitable class of architectures. In this report, we describe and prove the correctness of such a discipline suitable for the memory model provided by existing x86/x64 machines, where each write emerging from a store buffer hits a global cache visible to all processors. Because each processor sees the same global ordering of writes, this model is sometimes called \Def{total store order} (TSO)\cite{Adve:Computer-29-12-66}\footnote{Before 2008, Intel \cite{IntelWhitePaper} and AMD \cite{AMD:AMD64A2006-ALL} both put forward a weaker memory model in which writes to different memory addresses may be seen in different orders on different processors, but respecting causal ordering. However, current implementations satisfy the stronger conditions described in this report and are also compliant with the latest revisions of the Intel specifications \cite{Intel:IIA2006-ALL}. According to Owens et al. 
\cite{Owens:TPHOL09-?} AMD is also planning a similar adaptation of their manuals.} The concurrency discipline most familiar to concurrent programs is one where each variable is protected by a lock, and a thread must hold the corresponding lock to access the variable. (It is possible to generalize this to allow shared locks, as well as variants such as split semaphores.) Such lock-based techniques are typically referred to as \Def{coarse-grained} concurrency control, and suffice for most concurrent application programming. However, these techniques do not suffice for low-level system programming (\eg the construction of OS kernels), for several reasons. First, in kernel programming efficiency is paramount, and atomic memory operations are more efficient for many problems. Second, lock-free concurrency control can sometimes guarantee stronger correctness (\eg wait-free algorithms can provide bounds on execution time). Third, kernel programming requires taking into account the implicit concurrency of concurrent hardware activities (\eg a hardware TLB racing to use page tables while the kernel is trying to access them), and hardware cannot be forced to follow a locking discipline. A more refined concurrency control discipline, one that is much closer to expert practice, is to classify memory addresses as lock-protected or shared. Lock-protected addresses are used in the usual way, but shared addresses can be accessed using atomic operations provided by hardware (e.g., on x86 class architectures, most reads and writes are atomic\footnote{This atomicity isn't guaranteed for certain memory types, or for operations that cross a cache line.}). The main restriction on these accesses is that if a processor does a shared write and a subsequent shared read (possibly from a different address), the processor must flush the store buffer somewhere in between. 
For example, in the example above, both \texttt{x} and \texttt{y} would be shared addresses, so each processor would have to flush its store buffer between its first and second operations. However, even this discipline is not very satisfactory. First, we would need even more rules to allow locks to be created or destroyed, or to change memory between shared and protected, and so on. Second, there are many interesting concurrency control primitives, and many algorithms, that allow a thread to obtain exclusive ownership of a memory address; why should we treat locking as special? In this report, we consider a much more general and powerful discipline that also guarantees sequential consistency. The basic rule for shared addresses is similar to the discipline above, but there are no locking primitives. Instead, we treat \Def{ownership} as fundamental. The difference is that ownership is manipulated by nonblocking ghost updates, rather than an operation like locking that have runtime overhead. Informally the rules of the discipline are as follows: \begin{itemize} \item In any state, each memory address is either \Def{shared} or \Def{unshared}. Each memory address is also either \Def{owned} by a unique thread or \Def{unowned}. Every unowned address must be shared. Each address is also either read-only or read-write. Every read-only address is unowned. \item A thread can (autonomously) acquire ownership of an unowned address, or release ownership of a address that it owns. It can also change whether an address it owns is shared or not. Upon release of an address it can mark it as read-only. \item Each memory access is marked as \Def{volatile} or \Def{non-volatile}. \item A thread can perform a write if it is \Def{\Sound}. It can perform a read if it is sound and \Def{clean}. \item A non-volatile write is \Sound\ if the thread owns the address and the address is unshared. \item A non-volatile read is \Sound\ if the thread owns the address or the address is read-only. 
\item A volatile write is \Sound\ if no other thread owns the address and the address is not marked as read-only. \item A volatile read is \Sound\ if the address is shared or the thread owns it. \item A volatile read is clean if the store buffer has been flushed since the last volatile write. Moreover, every non-volatile read is clean. \item For interlocked operations (like compare and swap), which have the side effect of the store buffer getting flushed, the rules for volatile accesses apply. \end{itemize} Note first that these conditions are not thread-local, because some actions are allowed only when an address is unowned, marked read-only, or not marked read-only. A thread can ascertain such conditions only through system-wide invariants, respected by all threads, along with data it reads. By imposing suitable global invariants, various thread-local disciplines (such as one where addresses are protected by locks, conditional critical reasons, or monitors) can be derived as lemmas by ordinary program reasoning, without need for meta-theory. Second, note that these rules can be checked in the context of a concurrent program without store buffers, by introducing ghost state to keep track of ownership and sharing and whether the thread has performed a volatile write since the last flush. Our main result is that if a program obeys the rules above, then the program is sequentially consistent when executed on a TSO machine. Consider our first example program. If we choose to leave both \texttt{x} and \texttt{y} unowned (and hence shared), then all accesses must be volatile. This would force each thread to flush the store buffer between their first and second operations. In practice, on an x86/x64 machine, this would be done by making the writes interlocked, which flushes store buffers as a side effect. Whichever thread flushes its store buffer second is guaranteed to see the write of the other thread, making the execution violating sequential consistency impossible. 
However, couldn't the first thread try to take ownership of \texttt{x} before writing it, so that its write could be non-volatile? The answer is that it could, but then the second thread would be unable to read \texttt{x} volatile (or take ownership of \texttt{x} and read it non-volatile), because we would be unable to prove that \texttt{x} is unowned at that point. In other words, a thread can take ownership of an address only if it is not racing to do so. Ultimately, the races allowed by the discipline involve volatile access to a shared address, which brings us back to locks. A spinlock is typically implemented with an interlocked read-modify-write on an address (the interlocking providing the required flushing of the store buffer). If the locking succeeds, we can prove (using for example a ghost variable giving the ID of the thread taking the lock) that no other thread holds the lock, and can therefore safely take ownership of an address ``protected'' by the lock (using the global invariant that only the lock owner can own the protected address). Thus, our discipline subsumes the better-known disciplines governing coarse-grained concurrency control. 
To summarize, our motivations for using ownership as our core notion of a practical programming discipline are the following: \begin{enumerate} \item the distinction between global (volatile) and local (non-volatile) accesses is a practical requirement to reduce the performance penalty due to necessary flushes and to allow important compiler optimizations (such as moving a local write ahead of a global read), \item coarse-grained concurrency control like locking is nothing special but only a derived concept which is used for ownership transfer (any other concurrency control that guarantees exclusive access is also fine), and \item we want that the conditions to check for the programming discipline can be discharged by ordinary state-based program reasoning on a sequentially consistent memory model (without having to talk about histories or complete executions). \end{enumerate} \paragraph{Overview} In Section \ref{sec:preliminaries} we introduce preliminaries of Isabelle/HOL, the theorem prover in which we mechanized our work. In Section \ref{sec:discipline} we informally describe the programming discipline and basic ideas of the formalization, which is detailed in Section \ref{sec:formalization} where we introduce the formal models and the reduction theorem. In Section \ref{sec:buildingblocks} we give some details of important building blocks for the proof of the reduction theorem. To illustrate the connection between a programming language semantics and our reduction theorem, we instantiate our framework with a simple semantics for a parallel WHILE language in Section \ref{sec:pimp}. Finally we conclude in Section \ref{sec:conclusion}. \input{Preliminaries.tex} %\input{thy/document/Text.tex} \input{Text.tex} \section{Conclusion \label{sec:conclusion}} We have presented a practical and flexible programming discipline for concurrent programs that ensures sequential consistency on TSO machines, such as present x64 architectures. 
Our approach covers a wide variety of concurrency control, covering locking, data races, single writer multiple readers, read only and thread local portions of memory. We minimize the need for store buffer flushes to optimize the usage of the hardware. Our theorem is not coupled to a specific logical framework like separation logic but is based on more fundamental arguments, namely the adherence to the programming discipline which can be discharged within any program logic using the standard sequential consistent memory model, without any of the complications of TSO. \paragraph{Related work.} \emph{Disclaimer.} This contribution presents the state of our work from 2010 \cite{Cohen:ITP2010-}. Finally, 8 years later, we made the AFP submission for Isabelle2018. This related work paragraph does not thoroughly cover publications that came up in the meantime. A categorization of various weak memory models is presented in \cite{Adve:Computer-29-12-66}. It is compatible with the recent revisions of the Intel manuals \cite{Intel:IIA2006-ALL} and the revised x86 model presented in \cite{Owens:TPHOL09-?}. The state of the art in formal verification of concurrent programs is still based on a sequentially consistent memory model. To justify this on a weak memory model often a quite drastic approach is chosen, allowing only coarse-grained concurrency usually implemented by locking. Thereby data races are ruled out completely and there are results that data race free programs can be considered as sequentially consistent for example for the Java memory model \cite{DBLP:conf/ecoop/SevcikA08,DBLP:conf/tphol/AspinallS07} or the x86 memory model\cite{Owens:TPHOL09-?}. Ridge \cite{conf/tphol/Ridge07} considers weak memory and data-races and verifies Peterson's mutual exclusion algorithm. He ensures sequentially consistency by flushing after every write to shared memory. 
% Burckhardt and Musuvathi\cite{Sober} describe an execution monitor that efficiently checks whether a sequentially consistent TSO execution has a single-step extension that is not sequentially consistent. Like our approach, it avoids having to consider the store buffers as an explicit part of the state. However, their condition requires maintaining in ghost state enough history information to determine causality between events, which means maintaining a vector clock (which is itself unbounded) for each memory address. Moreover, causality (being essentially graph reachability) is already not first-order, and hence unsuitable for many types of program verification. % Closely related to our work is the draft of Owens~\cite{Owens-draft} which also investigates on the conditions for sequential consistent reasoning within TSO. The notion of a \emph{triangular-race} free trace is established to exactly characterize the traces on a TSO machine that are still sequentially consistent. A triangular race occurs between a read and a write of two different threads to the same address, when the reader still has some outstanding writes in the store buffer. To avoid the triangular race the reader has to flush the store buffer before reading. This is essentially the same condition that our framework enforces, if we limit every address to be unowned and every access to be volatile. We regard this limitation as too strong for practical programs, where non-volatile accesses (without any flushes) to temporarily local portions of memory (e.g. lock protected data) is common practice. This is our core motivation for introducing the ownership based programming discipline. % We are aware of two extensions of our work that were published in the meantime. Chen \textit{et al}.~\cite{chen-2014} also take effects of the MMU into account and generalize our reduction theorem to handle programs that edit page tables. 
Oberhauser~\cite{Oberhauser-2016} improves on the flushing policy to also take non-triangular races into account and facilitates an alternative proof approach. \paragraph{Limitations.} There is a class of important programs that are not sequentially consistent but nevertheless correct. First consider a simple spinlock implementation with a volatile lock \texttt{l}, where \texttt{l == 0} indicates that the lock is not taken. The following code acquires the lock: \begin{verbatim} while(!interlocked_test_and_set(l)); , \end{verbatim} and with the assignment \texttt{l = 0} we can release the lock again. Within our framework address \texttt{l} can be considered \emph{unowned} (and hence shared) and every access to it is \emph{volatile}. We do not have to transfer ownership of the lock \texttt{l} itself but of the objects it protects. As acquiring the lock is an expensive interlocked oprations anyway there are no additional restrictions from our framework. The interesting point is the release of the lock via the volatile write \texttt{l=0}. This leaves the dirty bit set, and hence our programming discipline requires a flushing instruction before the next volatile read. If \texttt{l} is the only volatile variable this is fine, since the next operation will be a lock acquire again which is interlocked and thus flushes the store buffer. So there is no need for an additonal fence. But in general this is not the case and we would have to insert a fence after the lock release to make the dirty bit clean again and to stay sequentially consistent. However, can we live without the fence? For the correctness of the mutal-exclusion algorithm we can, but we leave the domain of sequential consistent reasoning. The intuitive reason for correctness is that the threads waiting for the lock do no harm while waiting. They only take some action if they see the lock being zero again, this is when the lock release has made its way out of the store buffer. 
Another typical example is the following simplified form of barrier synchronization: each processor has a flag that it writes (with ordinarry volatile writes without any flushing) and other processors read, and each processor waits for all processors to set their flags before continuing past the barrier. This is not sequentially consistent -- each processor might see his own flag set and later see all other flags clear -- but it is still correct. Common for these examples is that there is only a single writer to an address, and the values written are monotonic in a sense that allows the readers to draw the correct conlcusion when they observe a certain value. This pattern is named \emph{Publication Idiom} in Owens work~\cite{Owens-draft}. \paragraph{Future work.} The first direction of future work is to try to deal with the limitations of sequential consistency described above and try to come up with a more general reduction theorem that can also handle non sequential consistent code portions that follow some monotonicity rules. Another direction of future work is to take compiler optimization into account. Our volatile accesses correspond roughly to volatile memory accesses within a C program. An optimizing compiler is free to convert any sequence of non-volatile accesses into a (sequentially semantically equivalent) sequence of accesses. As long as execution is sequentially consistent, equivalence of these programs (\eg with respect to final states of executions that end with volatile operations) follows immediately by reduction. However, some compilers are a little more lenient in their optimizations, and allow operations on certain local variables to move across volatile operations. In the context of C (where pointers to stack variables can be passed by pointer), the notion of ``locality'' is somewhat tricky, and makes essential use of C forbidding (semantically) address arithmetic across memory objects. 
\section*{Acknowledgements} We thank Mark Hillebrand for discussions and feedback on this work and extensive comments on this report. \appendix \section{Appendix} After the explanatory text in the main body of the document we now show the plain theory files. \input{ReduceStoreBuffer.tex} \input{ReduceStoreBufferSimulation.tex} \input{PIMP.tex} \bibliographystyle{plain} \bibliography{root} %\pagebreak %\appendix %\input{thy/document/Appendix.tex} \end{document} diff --git a/thys/Stream-Fusion/document/root.tex b/thys/Stream-Fusion/document/root.tex --- a/thys/Stream-Fusion/document/root.tex +++ b/thys/Stream-Fusion/document/root.tex @@ -1,43 +1,44 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Stream Fusion} \author{Brian Huffman} \maketitle \begin{abstract} Stream Fusion \cite{CLS07} is a system for removing intermediate list structures from Haskell programs; it consists of a Haskell library along with several compiler rewrite rules. (The library is available online at \url{http://www.cse.unsw.edu.au/~dons/streams.html}.) These theories contain a formalization of much of the Stream Fusion library in HOLCF. Lazy list and stream types are defined, along with coercions between the two types, as well as an equivalence relation for streams that generate the same list. List and stream versions of \texttt{map}, \texttt{filter}, \texttt{foldr}, \texttt{enumFromTo}, \texttt{append}, \texttt{zipWith}, and \texttt{concatMap} are defined, and the stream versions are shown to respect stream equivalence. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Stream_Fusion_Code/document/root.tex b/thys/Stream_Fusion_Code/document/root.tex 
--- a/thys/Stream_Fusion_Code/document/root.tex +++ b/thys/Stream_Fusion_Code/document/root.tex @@ -1,57 +1,58 @@ \documentclass[11pt,a4paper]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amssymb} \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Stream Fusion in HOL} \author{Andreas Lochbihler \and Alexandra Maximova} \maketitle \begin{abstract} Stream Fusion is a system for removing intermediate list data structures from functional programs, in particular \href{http://hackage.haskell.org/package/stream-fusion}{Haskell}. This entry adapts stream fusion to Isabelle/HOL and its code generator. We define stream types for finite and possibly infinite lists and stream versions for most of the fusible list functions in the theories \isa{List} and \isa{Coinductive\isacharunderscore List}, and prove them correct with respect to the conversion functions between lists and streams. The Stream Fusion transformation itself is implemented as a simproc in the preprocessor of the code generator. Brian Huffman's AFP entry \cite{Huffman2009AFP} formalises stream fusion in HOLCF for the domain of lazy lists to prove the GHC compiler rewrite rules correct. In contrast, this work enables Isabelle's code generator to perform stream fusion itself. To that end, it covers both finite and coinductive lists from the HOL library and the Coinductive entry. The fusible list functions require specification and proof principles different from Huffman's. \end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} %\input{conclusion} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} 
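Review bot: in the Stream_Fusion_Code hunk (and the identical one-line addition in the neighbouring root.tex files) `\usepackage[T1]{fontenc}` changes more than the output encoding: with the default Computer Modern family it makes pdfLaTeX select the EC fonts, which exist as vector Type 1 fonts only when the cm-super package is installed; without it the PDF falls back to bitmap Type 3 fonts that render poorly on screen. If the AFP build image ships cm-super this is fine, but that dependency should be stated in the commit message, or `\usepackage{lmodern}` added right after fontenc, since Latin Modern covers T1 without any extra package. Placing the line directly after `\documentclass` and before `\usepackage{isabelle,isabellesym}` is consistent across the hunks, so no issue there.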
diff --git a/thys/Strong_Security/document/root.tex b/thys/Strong_Security/document/root.tex --- a/thys/Strong_Security/document/root.tex +++ b/thys/Strong_Security/document/root.tex 
@@ -1,167 +1,168 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{An Isabelle/HOL formalization of Strong Security} \author{Sylvia Grewe, Alexander Lux, Heiko Mantel, Jens Sauer} \maketitle \begin{abstract} Research in information-flow security aims at developing methods to identify undesired information leaks within programs from private sources to public sinks. Noninterference captures this intuition. Strong security from \cite{sabelfeld2000probabilistic} formalizes noninterference for concurrent systems. We present an Isabelle/HOL formalization of strong security for arbitrary security lattices (\cite{sabelfeld2000probabilistic} uses a two-element security lattice). The formalization includes compositionality proofs for strong security and a soundness proof for a security type system that checks strong security for programs in a simple while language with dynamic thread creation. Our formalization of the security type system is abstract in the language for expressions and in the semantic side conditions for expressions. It can easily be instantiated with different syntactic approximations for these side conditions. The soundness proof of such an instantiation boils down to showing that these syntactic approximations imply the semantic side conditions. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories %\input{session} \section{Preliminary definitions} \subsection{Type synonyms} The formalization is parametric in different aspects. Notably, it is parametric in the security lattice it supports. 
For better readability, we use the following type synonyms in our formalization: \input{Types.tex} \section{Strong security} \subsection{Definition of strong security} We define strong security such that it is parametric in a security lattice (\textit{'d}). The definition of strong security by itself is language-independent, therefore the definition is parametric in a programming language (\textit{'com}) in addition. \input{Strong_Security.tex} \subsection{Proof technique for compositionality results} For proving compositionality results for strong security, we formalize the following ``up-to technique'' and prove it sound: \input{Up_To_Technique.tex} \subsection{Proof of parallel compositionality} We prove that strong security is preserved under composition of strongly secure threads. \input{Parallel_Composition.tex} \section{Example language and compositionality proofs} \subsection{Example language with dynamic thread creation} As in \cite{sabelfeld2000probabilistic}, we instantiate the language with a simple while language that supports dynamic thread creation via a fork command (Multi-threaded While Language with fork, MWLf). Note that the language is still parametric in the language used for Boolean and arithmetic expressions (\textit{'exp}). \input{MWLf.tex} \subsection{Proofs of atomic compositionality results} We prove for each atomic command of our example programming language (i.e. a command that is not composed out of other commands) that it is strongly secure if the expressions involved are indistinguishable for an observer on security level $d$. \input{Strongly_Secure_Skip_Assign.tex} \subsection{Proofs of non-atomic compositionality results} We prove compositionality results for each non-atomic command of our example programming language (i.e. 
a command that is composed out of other commands): If the components are strongly secure and the expressions involved indistinguishable for an observer on security level $d$, then the composed command is also strongly secure. \input{Language_Composition.tex} \section{Security type system} \subsection{Abstract security type system with soundness proof} We formalize an abstract version of the type system in \cite{sabelfeld2000probabilistic} using locales \cite{conf/types/Ballarin03}. Our formalization of the type system is abstract in the sense that the rules specify abstract semantic side conditions on the expressions within a command that satisfy for proving the soundness of the rules. That is, it can be instantiated with different syntactic approximations for these semantic side conditions in order to achieve a type system for a concrete language for Boolean and arithmetic expressions. Obtaining a soundness proof for such a concrete type system then boils down to proving that the concrete type system interprets the abstract type system. We prove the soundness of the abstract type system by simply applying the compositionality results proven before. \input{Type_System.tex} \subsection{Example language for Boolean and arithmetic expressions} As and example, we provide a simple example language for instantiating the parameter \textit{'exp} for the language for Boolean and arithmetic expressions. \input{Expr.tex} \subsection{Example interpretation of abstract security type system} Using the example instantiation of the language for Boolean and arithmetic expressions, we give an example instantiation of our abstract security type system, instantiating the parameter for domains \textit{'d} with a two-level security lattice. \input{Domain_example.tex} \input{Type_System_example.tex} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Sturm_Sequences/document/root.tex b/thys/Sturm_Sequences/document/root.tex --- a/thys/Sturm_Sequences/document/root.tex +++ b/thys/Sturm_Sequences/document/root.tex @@ -1,50 +1,51 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\NN}{\mathbb{N}} \newcommand{\RR}{\mathbb{R}} \begin{document} \title{A Formalisation of Sturm's Theorem} \author{Manuel Eberl} \maketitle \begin{abstract} \emph{Sturm sequences} are a method for computing the number of real roots of a real polynomial inside a given interval efficiently. In this project, this fact and a number of me\-thods to construct Sturm sequences efficiently have been formalised with the interactive theorem prover Isabelle\slash HOL. Buil\-ding upon this, an Isabelle\slash HOL proof method was then implemented to prove statements about the number of roots of a real polynomial and related properties. \end{abstract} \vskip10mm \newpage \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Sturm_Sequences/document/root_userguide.tex b/thys/Sturm_Sequences/document/root_userguide.tex --- a/thys/Sturm_Sequences/document/root_userguide.tex +++ b/thys/Sturm_Sequences/document/root_userguide.tex 
@@ -1,146 +1,143 @@ \documentclass[11pt,a4paper,oneside]{article} +\usepackage[T1]{fontenc} \usepackage[english]{babel} - -\usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} - \usepackage{geometry} \usepackage{color} \usepackage{graphicx} \usepackage{pifont} \usepackage[babel]{csquotes} \usepackage{textcomp} \usepackage{upgreek} \usepackage{amsmath} \usepackage{textcomp} \usepackage{amssymb} \usepackage{latexsym} \usepackage{pgf} \usepackage{nicefrac} \usepackage{enumerate} \usepackage{stmaryrd} \usepackage{tgpagella} \DeclareFontFamily{OT1}{pzc}{} \DeclareFontShape{OT1}{pzc}{m}{it}{<-> s * [1.10] pzcmi7t}{} \DeclareMathAlphabet{\mathpzc}{OT1}{pzc}{m}{it} \newcommand{\ie}{i.\,e.} \newcommand{\wuppdi}[0]{\hfill\ensuremath{\square}} \newcommand{\qed}[0]{\vspace{-3mm}\begin{flushright}\textit{q.e.d.}\end{flushright}\vspace{3mm}} \newcommand{\bred}{\ensuremath{\longrightarrow_\beta}} \newcommand{\acos}{\textrm{arccos}} \newcommand{\determ}[1]{\textrm{det}(#1)} \newcommand{\RR}{\mathbb{R}} \newcommand{\BB}{\mathbb{B}} \newcommand{\NN}{\mathbb{N}} \newcommand{\QQ}{\mathbb{Q}} \newcommand{\ZZ}{\mathbb{Z}} \newcommand{\CC}{\mathbb{C}} \newcommand{\II}{\mathbb{I}} \newcommand{\kernel}[1]{\textrm{ker}(#1)} \renewcommand{\epsilon}{\varepsilon} \renewcommand{\phi}{\varphi} \renewcommand{\theta}{\vartheta} \newcommand{\atan}{\mathrm{arctan}} \newcommand{\rot}{\mathrm{rot}} \newcommand{\vdiv}{\mathrm{div}} \newcommand{\shouldbe}{\stackrel{!}{=}} \newcommand{\sturm}{\texttt{sturm}} \newcommand{\lemma}{\textbf{lemma}} \newcommand{\card}{\textrm{card}} \newcommand{\real}{\textrm{real}} \newcommand{\isabellehol}{\mbox{Isabelle}\slash HOL} \geometry{a4paper,left=30mm,right=30mm, top=25mm, bottom=30mm} \title{\LARGE User's Guide for the \texttt{sturm} Method\\[4mm]} \author{\Large Manuel Eberl \\[1mm]\large Institut für Informatik, Technische Universität München\\[4mm]} \begin{document} \begin{center} \vspace*{20mm} \includegraphics[width=4cm]{isabelle.pdf} \end{center} 
\vspace*{-5mm} {\let\newpage\relax\maketitle} \vspace*{10mm} \tableofcontents \newpage \section{Introduction} The \sturm\ method uses Sturm's theorem to determine the number of distinct real roots of a polynomial (with rational coefficients) within a certain interval. It also provides some preprocessing to decide a number of statements that can be reduced to real roots of polynomials, such as simple polynomial inequalities and logical combinations of polynomial equations. \vspace*{10mm} \section{Usage} \subsection{Examples} The following examples should give a good overview of what the \sturm\ method can do: \begin{align*} &\lemma\ "\card\ \{x::\real.\ (x - 1)^2 * (x + 1) = 0\}\ =\ 2"\ \textrm{\textbf{by}\ sturm}\\ &\lemma\ "\mathrm{card}\ \{x::\mathrm{real}.\ -0.010831 < x\ \wedge\ x < 0.010831\ \wedge\\ &\hskip20mm \mathrm{poly}\ [:0, -17/2097152, -49/16777216, 1/6, 1/24, 1/120:]\ \ x\ =\ 0\}\ =\ 3"\ \textrm{\textbf{by}\ sturm}\\ &\lemma\ "\card\ \{x::\real.\ x^3 + x = 2*x^2\ \wedge\ x^3-6*x^2+11*x=6\}\ =\ 1"\ \textrm{\textbf{by}\ sturm}\\ &\lemma\ "\card\ \{x::\real.\ x^3 + x = 2*x^2\ \vee\ x^3-6*x^2+11*x=6\}\ =\ 4"\ \textrm{\textbf{by}\ sturm}\\ &\lemma\ "(x::\real)^2+1 > 0"\ \textrm{\textbf{by}\ sturm}\\ &\lemma\ "(x::\real) > 0\ \Longrightarrow\ x^2+1 > 0"\ \textrm{\textbf{by}\ sturm}\\ &\lemma\ "\llbracket (x::\real) > 0; x \leq 2/3\rrbracket\ \Longrightarrow\ x*x \neq\ x"\ \textrm{\textbf{by}\ sturm}\\ &\lemma\ "(x::\real) > 1\ \Longrightarrow\ x*x > x"\ \textrm{\textbf{by}\ sturm}\\ \end{align*} \subsection{Determining the number of real roots} The \enquote{classical} application of Sturm's theorem is to count the number of real roots of a polynomial in a certain interval. 
The \sturm\ method supports this for any polynomial with rational coefficients and any real interval, \ie $[a;b]$, $(a;b]$, $[a;b)$, and $(a;b)$ where $a\in\QQ\cup\{-\infty\}$ and $b\in\QQ\cup\{\infty\}$.\footnote{The restriction to rational numbers for the coefficients and interval bounds is to the fact that the code generator is used internally, which, of course, does not support computations on irrational real numbers.} The general form of the theorems the method expects is: $$\card\ \{x::\real.\ a < x \wedge x < b \wedge p\ x = 0\}\ =\ ?n$$ $?n$ should be replaced by the actual number of such roots and $p$ may be any polynomial real function in $x$ with rational coefficients. The bounds $a < x$ and $x < b$ can be omitted for the \enquote{$\infty$} case.\\ Furthermore, the \sturm\ method can instantiate the number $?n$ on the right-hand side automatically if it is left unspecified (as a schematic variable in a schematic lemma). However, due to technical restrictions this also takes twice as long as simply proving that the specified number is correct. \newpage \subsection{Inequalities} A simple special case of root counting is the statement that a polynomial $p\in\RR[X]$ has no roots in a certain interval, which can be written as: $$\forall x::\real.\ x > a \wedge x < b \longrightarrow p\ x \neq 0$$ The \sturm\ method can be directly applied to statements such as this and prove them. 
\subsection{More complex expressions} By using some simple preprocessing, the \sturm\ method can also decide more complex statements: $$\card\ \{x::\real.\ x > a\ \wedge\ x < b\ \wedge\ P\ x\}\ =\ n$$ where $P\ x$ is a \enquote{polynomial expression}, which is defined as: \begin{enumerate} \item $p\ x= q\ x$, where $p$ and $q$ are polynomial functions, such as $\lambda x.\ a$, $\lambda x.\ x$, $\lambda x.\ x^2$, $\mathrm{poly}\ p$, and so on \item $P\ x\ \wedge\ Q\ x$ or $P\ x\ \vee\ Q\ x$, where $P\ x$ and $Q\ x$ are polynomial expressions \end{enumerate} Of course, by reduction to the case of zero roots, the following kind of statement is also provable by \sturm\ : $$\forall x::\real.\ x > a\ \wedge\ x < b\ \longrightarrow\ P\ x$$ where $P\ x$ is a \enquote{negated polynomial expression}, which is defined as: \begin{enumerate} \item $p\ x\neq q\ x$, where $p$ and $q$ are polynomial functions \item $P\ x\ \wedge\ Q\ x$ or $P\ x\ \vee\ Q\ x$, where $P\ x$ and $Q\ x$ are negated polynomial expressions \end{enumerate} \subsection{Simple ordered inequalities} For any polynomial $p\in\RR[X]$, the question whether $p(x) > 0$ for all $x\in I$ for a non-empty real interval $I$ can obviously be reduced to the question of whether $p(x) \neq 0$ for all $x\in I$, \ie $p$ has no roots in $I$, and $p(x) > 0$ for some arbitrary fixed $x\in I$, the first of which can be decided using Sturm's theorem and the second by choosing an arbitrary $x\in I$ and evaluating $p(x)$.\\ Using this reduction, the \sturm\ method can also decide single \enquote{less than}/\enquote{greater than} inequalities of the form $$\forall x::\real.\ x > a\ \wedge\ x < b\ \longrightarrow\ p\ x < q\ x$$ \subsection{A note on meta logic versus object logic} While statements like $\forall x::\real.\ x^2+1>0$ were expressed in their HOL notation in this guide, the \sturm\ method can also prove the meta logic equivalents $\bigwedge x::\real.\ x^2+1>0$ and $(x::\real)^2+1>0$ directly. 
\section{Troubleshooting} Should you find that the \sturm\ method fails to prove a statement that it should, according to the above text, be able to prove, please go through the following steps: \begin{enumerate} \item ensure that your function is indeed a \emph{real} polynomial. Add an appropriate type annotation if necessary. \item use a computer algebra system to ensure that the property is indeed correct \item if this did not help, send the statement in question to \texttt{eberlm@in.tum.de}; it may be a bug in the preprocessing of the proof method. \end{enumerate} \end{document} diff --git a/thys/Sturm_Tarski/document/root.tex b/thys/Sturm_Tarski/document/root.tex --- a/thys/Sturm_Tarski/document/root.tex +++ b/thys/Sturm_Tarski/document/root.tex 
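Review bot: in the root_userguide.tex hunk the patch removes `\usepackage[utf8]{inputenc}` although the file still contains non-ASCII source text (`Institut für Informatik, Technische Universität München` in `\author`), so the document now depends on the LaTeX kernel defaulting to UTF-8 input, which only holds for LaTeX releases from April 2018 onward. That is presumably the AFP build environment, but it should be stated in the commit message, or the inputenc line kept, because on an older TeX Live the umlauts will come out wrong. Moving the new `\usepackage[T1]{fontenc}` ahead of `\usepackage[english]{babel}` is fine, and the hunk header `@@ -1,146 +1,143 @@` matches the four removed and one added lines. Minor pre-existing point in the same preamble: `\usepackage{textcomp}` is loaded twice, and one of the two lines could be dropped while this block is being edited.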
@@ -1,33 +1,34 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Sturm-Tarski Theorem} \author{Wenda Li} \maketitle \begin{abstract} We have formalised the Sturm-Tarski theorem (also referred as the Tarski theorem): Given polynomials $p, q \in \mathbb{R}[x]$, the Sturm-Tarski theorem computes the sum of the signs of $q$ over the roots of $p$ by calculating some remainder sequences. Note, the better-known Sturm theorem is an instance of the Sturm-Tarski theorem when $q=1$. The proof follows the classic book by Basu et al. \cite{Basu:2006:ARA:1197095} and Cyril Cohen's work in Coq \cite{cohen_phd}. With the Sturm-Tarski theorem proved, it is possible to further build a quantifier elimination procedure for real numbers as Cohen did in Coq. Another application of the Sturm-Tarski theorem is to build sign determination procedures for polynomials at real algebraic points, as described in our formalisation of real algebraic numbers \cite{Li_CPP_16}. \end{abstract} %\tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Stuttering_Equivalence/document/root.tex b/thys/Stuttering_Equivalence/document/root.tex --- a/thys/Stuttering_Equivalence/document/root.tex +++ b/thys/Stuttering_Equivalence/document/root.tex 
@@ -1,66 +1,67 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Stuttering Equivalence and Stuttering Invariance} \author{ Stephan Merz\\ Inria Nancy \& LORIA\\ Villers-l\`es-Nancy, France } \maketitle \noindent% Two $\omega$-sequences are stuttering equivalent if they differ only by finite repetitions of elements. For example, the two sequences \[ (abbccca)^{\omega} \qquad\textrm{and}\qquad (aaaabc)^{\omega} \] are stuttering equivalent, whereas \[ (abac)^{\omega} \qquad\textrm{and}\qquad (aaaabcc)^{\omega} \] are not. Stuttering equivalence is a fundamental concept in the theory of concurrent and distributed systems. Notably, Lamport~\cite{lamport:what-good} argues that refinement notions for such systems should be insensitive to finite stuttering. Peled and Wilke~\cite{peled:ltl-x} showed that all PLTL (propositional linear-time temporal logic) properties that are insensitive to stuttering equivalence can be expressed without the next-time operator. Stuttering equivalence is also important for certain verification techniques such as partial-order reduction for model checking. We formalize stuttering equivalence in Isabelle/HOL. Our development relies on the notion of stuttering sampling functions that may skip blocks of identical sequence elements. We also encode PLTL and prove the theorem due to Peled and Wilke~\cite{peled:ltl-x}. \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Subresultants/document/root.tex b/thys/Subresultants/document/root.tex --- a/thys/Subresultants/document/root.tex 
+++ b/thys/Subresultants/document/root.tex 
@@ -1,72 +1,72 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage{xspace} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \newcommand\rats{\mathbb{Q}} \newcommand\ints{\mathbb{Z}} \newcommand\reals{\mathbb{R}} \newcommand\complex{\mathbb{C}} \newcommand\rai{real algebraic number\xspace} \newcommand\rais{real algebraic numbers\xspace} \begin{document} \title{Subresultants\footnote{Supported by FWF (Austrian Science Fund) project Y757.}} \author{Sebastiaan Joosten, Ren\'e Thiemann and Akihisa Yamada} \maketitle \begin{abstract} We formalize the theory of subresultants and the subresultant polynomial remainder sequence as described by Brown and Traub. As a result, we obtain efficient certified algorithms for computing the resultant and the greatest common divisor of polynomials. \end{abstract} \tableofcontents \section{Introduction} Computing the gcd of two polynomials can be done via the Euclidean algorithm, if the domain of the polynomials is a field. For non-field polynomials, one has to replace the modulo operation by the pseudo-modulo operation, which results in the exponential growth of coefficients in the gcd algorithm. To counter this problem, one may divide the intermediate polynomials by their contents in every iteration of the gcd algorithm. This is precisely the way how currently resultants and gcds are computed in Isabelle. Computing contents in every iteration is a costly operation, and therefore Brown and Traub have developed the subresultant PRS (polynomial remainder sequence) algorithm \cite{Brown,BrownTraub}. It avoids intermediate content computation and at the same time keeps the coefficients small, i.e., the coefficients grow at most polynomially. 
The soundness of the subresultant PRS gcd algorithm is in principle similar to the Euclidean algorithm, i.e., the intermediate polynomials that are computed in both algorithms differ only by a constant factor. The major problem is to prove that all the performed divisions are indeed exact divisions. To this end, we formalize the fundamental theorem of Brown and Traub as well as the resulting algorithms by following the original (condensed) proofs. This is in contrast to a similar Coq formalization by Mahboubi \cite{Mahboubi06}, which follows another proof based on polynomial determinants. As a consequence of the new algorithms, we significantly increased the speed of the algebraic number implementation \cite{AlgebraicNumbers} which heavily relies upon the computation of resultants of bivariate polynomials. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Subset_Boolean_Algebras/document/root.tex b/thys/Subset_Boolean_Algebras/document/root.tex --- a/thys/Subset_Boolean_Algebras/document/root.tex +++ b/thys/Subset_Boolean_Algebras/document/root.tex 
@@ -1,50 +1,50 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,ragged2e} \usepackage{pdfsetup} \isabellestyle{it} \renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\justifying\color{blue}}{\end{isapar}} \renewcommand\labelitemi{$*$} \begin{document} \title{A Hierarchy of Algebras for Boolean Subsets} \author{Walter Guttmann and Bernhard M\"oller} \maketitle \begin{abstract} We present a collection of axiom systems for the construction of Boolean subalgebras of larger overall algebras. The subalgebras are defined as the range of a complement-like operation on a semilattice. This technique has been used, for example, with the antidomain operation, dynamic negation and Stone algebras. We present a common ground for these constructions based on a new equational axiomatisation of Boolean algebras. \end{abstract} \tableofcontents \section{Overview} A Boolean algebra often arises as a subalgebra of some overall algebra. To avoid introducing a separate type for the subalgebra, the overall algebra can be enriched with a special operation leading into the intended subalgebra and axioms to guarantee that the range of this operation has a Boolean structure. Examples for this are the antidomain operation in idempotent (left) semirings \cite{DesharnaisStruth2008b,DesharnaisStruth2008a,DesharnaisStruth2011}, dynamic negation \cite{Hollenberg1997}, the operation yielding tests in \cite{Guttmann2012c,GuttmannStruthWeber2011b}, and the pseudocomplement operation in Stone algebras \cite{Frink1962,Graetzer1971,Guttmann2018c}. The present development looks at a common ground pattern. In Sections 2 and 3 we relate various axiomatisations of Boolean algebras from the literature and present a new equational one tailored to our needs. Section 4 adapts this for the construction of Boolean subalgebras of larger overall algebras. 
In Section 5 we add successively stronger assumptions to the overall algebra. Sections 6, 7 and 8 show how Stone algebras, domain semirings and antidomain semirings fit into this hierarchy. This Isabelle/HOL theory formally verifies results in \cite{GuttmannMoeller2020}. See that paper for further details and related work. Some proofs in this theory have been translated from proofs found by Prover9 \cite{McCune2010} using a program we wrote. \begin{flushleft} \input{session} \end{flushleft} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/SumSquares/document/root.tex b/thys/SumSquares/document/root.tex --- a/thys/SumSquares/document/root.tex +++ b/thys/SumSquares/document/root.tex 
@@ -1,91 +1,92 @@ \documentclass[11pt,a4paper,twoside]{article} +\usepackage[T1]{fontenc} \addtolength{\textwidth}{1cm} \addtolength{\textheight}{1cm} \addtolength{\hoffset}{-.5cm} \addtolength{\voffset}{-.5cm} \addtolength{\oddsidemargin}{24pt} \addtolength{\evensidemargin}{-24pt} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \usepackage{amssymb} \usepackage{fancyhdr} \pagestyle{fancyplain} \renewcommand{\headrulewidth}{1.6pt} \renewcommand{\sectionmark}[1]{\markboth{\thesection\ #1}{\thesection\ #1}} \renewcommand{\subsectionmark}[1]{\markright{\thesubsection\ #1}} \lhead[\thepage] {\fancyplain{}{\rightmark}} \chead{} \rhead[\fancyplain{}{\leftmark}] {\thepage} \cfoot{} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Sums of two and four squares} \author{Roelof Oosterhuis\\University of Groningen} \maketitle \begin{abstract} This document gives the formal proofs of the following results about the sums of two and four squares: \begin{enumerate} \item Any prime number $p \equiv 1 \bmod 4$ can be written as the sum of two squares. %\item No prime number $p \equiv 3 \bmod 4$ can be written as the sum of two squares. %\item For any prime number $p \equiv 3 \bmod 4$ we have: $n$ can be written as the sum of two squares if and only if $np^2$ can be written as the sum of two squares. \item (Lagrange) Any natural number can be written as the sum of four squares. \end{enumerate} %Note that 1--3 completely determine the numbers that can be written as the sum of two squares.\\ The proofs are largely based on chapters II and III of the book by Weil~\cite{Weil}. 
The results %1--3 already have been formalised in the proof assistant `Coq'\footnote{See \href{http://coq.inria.fr/contribs/SumOfTwoSquare.html}{http://coq.inria.fr/contribs/SumOfTwoSquare.html}} and the results 1 and 4 have been formalised before in the proof assistant HOL Light~\cite{HOLLight}. A more complete study of the sum of two squares, including the first result, has been formalised in Coq~\cite{Thery}. The results can also be found as numbers 20 and 19 on the list of `top 100 mathematical theorems' \cite{Wiedijk100}. This research is part of an M.Sc.~thesis under supervision of Jaap Top and Wim H.~Hesselink (RU Groningen). For more information see \cite{Oosterhuis-MSc}. \end{abstract} \thispagestyle{empty} \clearpage \markboth{Contents}{Contents} \tableofcontents \markboth{Contents}{Contents} %\vspace{1cm} %\begin{figure}[hb] %\centering %\includegraphics[scale=0.5]{sumsq.pdf} %\caption{The depence on existing files in the Isabelle library.} %\end{figure} %\clearpage % generated text of all theories \input{session} % optional bibliography \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/SuperCalc/document/root.tex b/thys/SuperCalc/document/root.tex --- a/thys/SuperCalc/document/root.tex +++ b/thys/SuperCalc/document/root.tex 
@@ -1,80 +1,81 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A Variant of the Superposition Calculus} \author{Nicolas Peltier\\ CNRS/University of Grenoble (LIG)} \maketitle \begin{abstract} We provide a formalization in Isabelle/Isar of (a variant of) the superposition calculus \cite{BG94,DBLP:books/el/RV01/NieuwenhuisR01}, together with formal proofs of soundness and refutational completeness (w.r.t.\ the usual redundancy criteria based on clause ordering). This version of the calculus uses all the standard restrictions of the superposition rules, together with the following refinement, inspired by the basic superposition calculus \cite{DBLP:conf/cade/BachmairGLS92,DBLP:journals/iandc/BachmairGLS95}: each clause is associated with a set of terms which are assumed to be in normal form -- thus any application of the replacement rule on these terms is blocked. The set is initially empty and terms may be added or removed at each inference step. The set of terms that are assumed to be in normal form includes any term introduced by previous unifiers as well as any term occurring in the parent clauses at a position that is smaller (according to some given ordering on positions) than a previously replaced term. 
This restriction is slightly weaker than that of the basic superposition calculus (since it is based on terms instead of positions), but it has the advantage that the irreducible terms may be propagated through the inferences (under appropriate conditions), even if they do not occur in the parent clauses. The standard superposition calculus corresponds to the case where the set of irreducible terms is always empty. The term representation and unification algorithm are taken from the theory {\tt Unification.thy} provided in Isabelle. \end{abstract} \tableofcontents \newpage \section{Preliminaries} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Surprise_Paradox/document/root.tex b/thys/Surprise_Paradox/document/root.tex --- a/thys/Surprise_Paradox/document/root.tex +++ b/thys/Surprise_Paradox/document/root.tex 
@@ -1,70 +1,70 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage[ngerman]{babel} % for guillemots %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Surprise Paradox} \author{Joachim Breitner\\ Programming Paradigms Group\\ Karlsruhe Institute for Technology\\ \url{breitner@kit.edu}} \maketitle \begin{abstract} In 1964, Fitch showed that the paradox of the surprise hanging can be resolved by showing that the judge’s verdict is inconsistent. His formalization builds on Gödel’s coding of provability. In this theory, we reproduce his proof in Isabelle, building on Paulson’s formalisation of Gödel’s incompleteness theorems. \end{abstract} \tableofcontents \bigskip % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Symmetric_Polynomials/document/root.tex b/thys/Symmetric_Polynomials/document/root.tex --- a/thys/Symmetric_Polynomials/document/root.tex +++ b/thys/Symmetric_Polynomials/document/root.tex 
@@ -1,47 +1,48 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Symmetric Polynomials} \author{Manuel Eberl} \maketitle \begin{abstract} A symmetric polynomial is a polynomial in variables $X_1, \ldots, X_n$ that does not discriminate between its variables, i.\,e.\ it is invariant under any permutation of them. These polynomials are important in the study of the relationship between the coefficients of a univariate polynomial and its roots in its algebraic closure. This article provides a definition of symmetric polynomials and the elementary symmetric polynomials $e_1,\ldots, e_n$ and proofs of their basic properties, including three notable ones: \begin{itemize} \item Vieta's formula, which gives an explicit expression for the $k$-th coefficient of a univariate monic polynomial in terms of its roots $x_1,\ldots,x_n$, namely $c_k = (-1)^{n-k}e_{n-k}(x_1,\ldots,x_n)$. \item Second, the Fundamental Theorem of Symmetric Polynomials, which states that any symmetric polynomial is itself a uniquely determined polynomial combination of the elementary symmetric polynomials. \item Third, as a corollary of the previous two, that given a polynomial over some ring $R$, any symmetric polynomial combination of its roots is also in $R$ even when the roots are not. \end{itemize} Both the symmetry property itself and the witness for the Fundamental Theorem are executable. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \nocite{blum_smith_coskey13} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/Syntax_Independent_Logic/document/root.tex b/thys/Syntax_Independent_Logic/document/root.tex --- a/thys/Syntax_Independent_Logic/document/root.tex +++ b/thys/Syntax_Independent_Logic/document/root.tex 
@@ -1,56 +1,56 @@ \documentclass[10pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{a4wide} \usepackage[english]{babel} \usepackage{eufrak} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{literal} \begin{document} \title{Syntax-Independent Logic Infrastructure} \author{Andrei Popescu \and Dmitriy Traytel} \maketitle \begin{abstract} We formalize a notion of logic whose terms and formulas are kept abstract. In particular, logical connectives, substitution, free variables, and provability are not defined, but characterized by their general properties as locale assumptions. Based on this abstract characterization, we develop further reusable reasoning infrastructure. For example, we define parallel substitution (along with proving its characterizing theorems) from single-point substitution. Similarly, we develop a natural deduction style proof system starting from the abstract Hilbert-style one. These one-time efforts benefit different concrete logics satisfying our locales' assumptions. We instantiate the syntax-independent logic infrastructure to Robinson arithmetic (also known as Q) in the AFP entry \href{https://www.isa-afp.org/entries/Robinson_Arithmetic.html}{Robinson\_Arithmetic} and to hereditarily finite set theory in the AFP entries \href{https://www.isa-afp.org/entries/Goedel_HFSet_Semantic.html}{Goedel\_HFSet\_Semantic} and \href{https://www.isa-afp.org/entries/Goedel_HFSet_Semanticless.html}{Goedel\_HFSet\_Semanticless}, which are part of our formalization of G\"odel's Incompleteness Theorems described in our CADE-27 paper~\cite{DBLP:conf/cade/0001T19}. 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Szpilrajn/document/root.tex b/thys/Szpilrajn/document/root.tex --- a/thys/Szpilrajn/document/root.tex +++ b/thys/Szpilrajn/document/root.tex @@ -1,26 +1,27 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{url} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Szpilrajn Extension Theorem} \author{Peter Zeller} \maketitle % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/TESL_Language/document/figures/dilating.tex b/thys/TESL_Language/document/figures/dilating.tex --- a/thys/TESL_Language/document/figures/dilating.tex +++ b/thys/TESL_Language/document/figures/dilating.tex 
@@ -1,38 +1,39 @@ \documentclass{standalone} %\documentclass[a4paper]{article} %\usepackage{geometry} +\usepackage[T1]{fontenc} \usepackage{tikz} \begin{document} \begin{tikzpicture}[>=stealth,x=1.5cm,y=1.2cm] \sffamily \draw[->] (0.5,0) -- ++(7.2,0) ; \node[left, align=center] at (0.5,0) {original\\run} ; \node[left, align=center] at (0.5,3) {dilated\\run} ; \draw[->] (0.5,3) -- ++(7.2,0) ; \foreach \x in {1,...,7} { \draw[fill=black] (\x,0) circle[radius=0.07cm] ; \node[below] at (\x,-0.1) {\small\x} ; \node[above] at (\x,3.1) {\small\x} ; } \foreach \x in {1,2, 5, 7} \draw[fill=black] (\x,3.0) circle[radius=0.07cm] ; \foreach \x in { 3,4, 6 } \draw[fill=white] (\x,3.0) circle[radius=0.07cm] ; \foreach \x / \z in {1 / 1, 2 / 2, 3 / 5, 4 / 7} { \draw[->,shorten <=5pt] (\x,0.2) to[bend left=10] node[left,midway] {\(f\)} (\z, 2.8); \draw[<-,shorten >=5pt] (\x,0.2) to[bend right=10] node[right,midway] {\(g\)} (\z, 2.8); } \foreach \x / \z in {2 / 3, 2 / 4, 3 / 6} { \draw[<-,shorten <=5pt] (\x,0.2) to[bend right=10] node[right,midway] {\(g\)} (\z, 2.8); } \draw[dashed] (5,0.2) to [bend right=10] (7,1.6) ; \draw[dashed] (6,0.2) to [bend right=10] (7,0.9) ; \draw[fill=black] (0.5,-1) circle[radius=0.07cm] ; \node[right] at (0.6,-1) {instant of the original run} ; \draw[fill=white] (4.5,-1) circle[radius=0.07cm] ; \node[right] at (4.6,-1) {stuttering instant (no tick)} ; \end{tikzpicture} \end{document} diff --git a/thys/TESL_Language/document/root.tex b/thys/TESL_Language/document/root.tex --- a/thys/TESL_Language/document/root.tex +++ b/thys/TESL_Language/document/root.tex 
@@ -1,98 +1,99 @@ \documentclass[10pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{geometry} \usepackage{calc} \usepackage{isabelle,isabellesym} \usepackage{graphicx} \usepackage{color} \graphicspath {{figures/}} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} %\newcommand{\isaminorsize}{\fontsize{10}{12}\selectfont} \let\isaminorsize=\relax \newcommand{\isafontsize}{\fontsize{8}{10}\selectfont} \newcommand{\isascriptsize}{\fontsize{6}{8}\selectfont} \renewcommand{\isabellestylett}{% \def\isastyle{\isafontsize\normalfont\ttfamily}% \def\isastylett{\isafontsize\normalfont\ttfamily}% \def\isastyleminor{\isaminorsize\normalfont\ttfamily}% \def\isastyleminortt{\isaminorsize\normalfont\ttfamily}% \def\isastylescript{\isascriptsize\normalfont\ttfamily}% \isachardefaults% } \isabellestylett \renewcommand{\isamarkupcmt}[1]{{% \vspace{0.2\baselineskip}% \isastylecmt--- \parbox[t]{\linewidth - (\widthof{---} * 2)}{% \vspace*{-.6\baselineskip}\color[gray]{0.25}#1% }% \vspace{0.1\baselineskip}% }} \newcommand{\authorentry}[2]{% \urlstyle{sf} \parbox[t]{0.26\linewidth}{\centering #1\\ \makebox[0pt][c]{\small\href{mailto:#2}{\sffamily #2}}\\ }% } \title{A Formal Development of a Polychronous Polytimed Coordination Language} \author{% \authorentry{Hai Nguyen Van}{hai.nguyenvan.phie@gmail.com}% \and \authorentry{Fr\'ed\'eric Boulanger}{frederic.boulanger@centralesupelec.fr}% \and \authorentry{Burkhart Wolff}{burkhart.wolff@lri.fr}% } 
\maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/TLA/document/root.tex b/thys/TLA/document/root.tex --- a/thys/TLA/document/root.tex +++ b/thys/TLA/document/root.tex 
@@ -1,62 +1,63 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} %\usepackage{amssymb, amsfonts} %\usepackage{hyperref} \usepackage{wasysym} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand{\tlastar}{TLA$^{*}$} \begin{document} \title{A Definitional Encoding of TLA in Isabelle/HOL} \author{Gudmund Grov \& Stephan Merz} \maketitle \begin{abstract} We mechanise the logic \tlastar{} \cite{Merz99}, an extension of Lamport's Temporal Logic of Actions (TLA) \cite{Lamport94} for specifying and reasoning about concurrent and reactive systems. Aiming at a framework for mechanising the verification of TLA (or \tlastar{}) specifications, this contribution reuses some elements from a previous axiomatic encoding of TLA in Isabelle/HOL by the second author \cite{Merz98}, which has been part of the Isabelle distribution. In contrast to that previous work, we give here a shallow, definitional embedding, with the following highlights: \begin{itemize} \item a theory of infinite sequences, including a formalisation of the concepts of stuttering invariance central to TLA and TLA*; \item a definition of the semantics of TLA*, which extends TLA by a mutually-recursive definition of formulas and pre-formulas, generalising TLA action formulas; \item a substantial set of derived proof rules, including the TLA* axioms and Lamport's proof rules for system verification; \item a set of examples illustrating the usage of Isabelle/TLA* for reasoning about systems. \end{itemize} Note that this work is unrelated to the ongoing development of a proof system for the specification language TLA+, which includes an encoding of TLA+ as a new Isabelle object logic \cite{chaudhuri:tlaps}. 
A previous version of this embedding has been used heavily in the work described in \cite{Grov09}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Tail_Recursive_Functions/document/root.tex b/thys/Tail_Recursive_Functions/document/root.tex --- a/thys/Tail_Recursive_Functions/document/root.tex +++ b/thys/Tail_Recursive_Functions/document/root.tex @@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \renewcommand{\isastyletxt}{\isastyletext} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A General Method for the Proof of Theorems on Tail-recursive Functions} \author{Pasquale Noce\\Security Certification Specialist at Arjo Systems - Gep S.p.A.\\pasquale dot noce dot lavoro at gmail dot com\\pasquale dot noce at arjowiggins-it dot com} \maketitle \begin{abstract} Tail-recursive function definitions are sometimes more straightforward than alternatives, but proving theorems on them may be roundabout because of the peculiar form of the resulting recursion induction rules. This paper describes a proof method that provides a general solution to this problem by means of suitable invariants over inductive sets, and illustrates the application of such method by examining two case studies. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Tarskis_Geometry/document/root.tex b/thys/Tarskis_Geometry/document/root.tex --- a/thys/Tarskis_Geometry/document/root.tex +++ b/thys/Tarskis_Geometry/document/root.tex 
@@ -1,47 +1,46 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \newcommand{\isasymcongruent}{\isamath{\equiv}} \renewcommand{\isasymequiv}{\isamath{\triangleq}} -\usepackage[utf8]{inputenc} - % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The independence of Tarski's Euclidean axiom} \author{T.~J.~M.~Makarios} \maketitle \begin{abstract} Tarski's axioms of plane geometry are formalized and, using the standard real Cartesian model, shown to be consistent. A substantial theory of the projective plane is developed. Building on this theory, the Klein--Beltrami model of the hyperbolic plane is defined and shown to satisfy all of Tarski's axioms except his Euclidean axiom; thus Tarski's Euclidean axiom is shown to be independent of his other axioms of plane geometry. An earlier version of this work was the subject of the author's MSc thesis \cite{makarios}, which contains natural-language explanations of some of the more interesting proofs. \end{abstract} \tableofcontents % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Taylor_Models/document/root.tex b/thys/Taylor_Models/document/root.tex --- a/thys/Taylor_Models/document/root.tex +++ b/thys/Taylor_Models/document/root.tex 
@@ -1,71 +1,72 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amsmath} %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Taylor Models} \author{Christoph Traut and Fabian Immler} \maketitle \begin{abstract} We present a formally verified implementation of multivariate Taylor models. Taylor models are a form of rigorous polynomial approximation, consisting of an approximation polynomial based on Taylor expansions, combined with a rigorous bound on the approximation error. Taylor models were introduced as a tool to mitigate the dependency problem of interval arithmetic. Our implementation automatically computes Taylor models for the class of elementary functions, expressed by composition of arithmetic operations and basic functions like exp, sin, or square root. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Timed_Automata/document/root.tex b/thys/Timed_Automata/document/root.tex --- a/thys/Timed_Automata/document/root.tex +++ b/thys/Timed_Automata/document/root.tex 
@@ -1,77 +1,78 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size \renewcommand{\isastyle}{\isastyleminor} \renewcommand{\isamarkupchapter}[1]{\section{#1}} \renewcommand{\isamarkupsection}[1]{\subsection{#1}} \renewcommand{\isamarkupsubsection}[1]{\subsubsection{#1}} \renewcommand{\isamarkupsubsubsection}[1]{\paragraph{#1}} \begin{document} \title{Timed Automata} \author{Simon Wimmer} \maketitle \begin{abstract} Timed automata are a widely used formalism for modeling real-time systems, which is employed in a class of successful model checkers such as UPPAAL \cite{Larsen1997}, HyTech \cite{Henzinger97hytech} or Kronos \cite{Kronos97}. This work formalizes the theory for the subclass of diagonal-free timed automata, which is sufficient to model many interesting problems. We first define the basic concepts and semantics of diagonal-free timed automata. Based on this, we prove two types of decidability results for the language emptiness problem. The first is the classic result of Alur and Dill \cite{alur_automata_1990,alur_theory_1994}, which uses a finite partitioning of the state space into so-called \textit{regions}. Our second result focuses on an approach based on \textit{Difference Bound Matrices (DBMs)}, which is practically used by model checkers. We prove the correctness of the basic forward analysis operations on DBMs. One of these operations is the Floyd-Warshall algorithm for the all-pairs shortest paths problem. To obtain a finite search space, a widening operation has to be used for this kind of analysis. 
We use Patricia Bouyer's \cite{Bou_Forward_Analysis} approach to prove that this widening operation is correct in the sense that DBM-based forward analysis in combination with the widening operation also decides language emptiness. The interesting property of this proof is that the first decidability result is reused to obtain the second one. \end{abstract} \setcounter{tocdepth}{2} \tableofcontents \newpage % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Topological_Semantics/document/root.tex b/thys/Topological_Semantics/document/root.tex --- a/thys/Topological_Semantics/document/root.tex +++ b/thys/Topological_Semantics/document/root.tex 
@@ -1,67 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} %\usepackage{a4wide} \usepackage{fullpage} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Topological semantics for paraconsistent and paracomplete logics} \author{David Fuenmayor} \maketitle \begin{abstract} We introduce a generalized topological semantics for paraconsistent and paracomplete logics by drawing upon early works on topological Boolean algebras (cf.~works by Kuratowski, Zarycki, McKinsey \& Tarski, etc.). In particular, this work exemplarily illustrates the shallow semantical embeddings approach (SSE) employing the proof assistant Isabelle/HOL. By means of the SSE technique we can effectively harness theorem provers, model finders and `hammers' for reasoning with quantified non-classical logics. \end{abstract} \tableofcontents \vspace*{40pt} % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Topology/document/root.tex b/thys/Topology/document/root.tex --- a/thys/Topology/document/root.tex +++ b/thys/Topology/document/root.tex 
@@ -1,40 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{a4wide} \usepackage{amsmath,amssymb} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage[only,bigsqcap]{stmaryrd} \usepackage{eufrak} \usepackage{textcomp} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{tt} \begin{document} \title{The Topology of Lazy Lists} \author{Stefan Friedrich} \maketitle \begin{abstract} This directory contains two theories. The first, \isa{Topology}, develops the basic notions of general topology. The second, \isa{LList\_Topology}, develops the topology of lazy lists. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/TortoiseHare/document/root.tex b/thys/TortoiseHare/document/root.tex --- a/thys/TortoiseHare/document/root.tex +++ b/thys/TortoiseHare/document/root.tex 
@@ -1,96 +1,94 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage[a4paper,margin=1cm,footskip=.5cm]{geometry} - \usepackage{isabelle,isabellesym} -\usepackage[utf8]{inputenc} - % Bibliography \usepackage[authoryear,sort]{natbib} \bibpunct();A{}, % this should be the last package used \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{literal} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} % sane default for proof documents \parindent 0pt\parskip 0.5ex \title{The Tortoise and the Hare Algorithm} \author{Peter Gammie} \maketitle \begin{abstract} We formalize the \href{http://en.wikipedia.org/wiki/Cycle_detection}{Tortoise and Hare cycle-finding algorithm} ascribed to Floyd by \citet[p7, exercise 6]{DBLP:books/aw/Knuth81}, and an improved version due to \citet{Brent:1980}. \end{abstract} \tableofcontents \section{Introduction} \citet[p7, exercise 6]{DBLP:books/aw/Knuth81} frames the problem like so: given a finite set $X$, an initial value $x_0 \in X$, and a function $f : X \rightarrow X$, define the infinite sequence $x$ by recursion: $x_{i+1} = f(x_i)$. Show that the sequence is ultimately periodic, i.e., that there exist $\lambda$ and $\mu$ where $$x_0, x_1, ... x_\mu, ..., x_{\mu + \lambda - 1}$$ are distinct, but $x_{n+\lambda} = x_n$ when $n \ge \mu$. % Knuth exercise: Characterize $f$ that yield max and min vals of mu and lambda. Secondly (and he ascribes this to Robert W. Floyd), show that there is an $\nu > 0$ such that $x_\nu = x_{2\nu}$. % Knuth observation: the X_n is unique in the sense that if X_n = X_{2n} and X_r = X_{2r}, then X_r = X_n. % Doesn't seem essential to the algorithm however. These facts are supposed to yield the insight required to develop the Tortoise and Hare algorithm, which calculates $\lambda$ and $\mu$ for any $f$ and $x_0$ using only $O(\lambda + \mu)$ steps and a bounded number of memory locations. We fill in the details in \S\ref{sec:th}. 
We also show the correctness of \citet{Brent:1980}'s algorithm in \S\ref{sec:brent}, which satisfies the same resource bounds and is more efficient in practice. These algorithms have been used to analyze random number generators \citep[op. cit.]{DBLP:books/aw/Knuth81} and factor large numbers \citep{Brent:1980}. See \citet{DBLP:journals/ipl/Nivasch04} for further discussion, and an algorithm that is not constant-space but is more efficient in some situations. \citet{DBLP:journals/jam/WangZ12} also survey these algorithms and present a new one. % generated text of all theories \input{session} \section{Concluding remarks} \citet{DBLP:conf/vmcai/Leino12} uses an SMT solver to verify a Tortoise-and-Hare cycle-finder. He finds the parameters \isa{lambda} and \isa{mu} initially by using a ``ghost'' depth-first search, while we use more economical non-constructive methods. I thank Christian Griset for patiently discussing the finer details of the proofs, and Makarius for many helpful suggestions. \bibliographystyle{plainnat} \bibliography{root} \addcontentsline{toc}{section}{References} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Transcendence_Series_Hancl_Rucki/document/root.tex b/thys/Transcendence_Series_Hancl_Rucki/document/root.tex --- a/thys/Transcendence_Series_Hancl_Rucki/document/root.tex +++ b/thys/Transcendence_Series_Hancl_Rucki/document/root.tex 
@@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Transcendence of Certain Infinite Series} \author{Angeliki Koutsoukou-Argyraki and Wenda Li} \maketitle \begin{abstract} We formalize the proofs of two transcendence criteria by J. Han\v{c}l and P. Rucki that assert the transcendence of the sums of certain infinite series built up by sequences that fulfil certain properties. Both proofs make use of Roth's celebrated theorem on diophantine approximations to algebraic numbers from 1955 which we implement as an assumption without having formalised its proof. \end{abstract} \tableofcontents \input{session} \nocite{apostol1976analytic} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Transformer_Semantics/document/root.tex b/thys/Transformer_Semantics/document/root.tex --- a/thys/Transformer_Semantics/document/root.tex +++ b/thys/Transformer_Semantics/document/root.tex 
@@ -1,134 +1,135 @@ - \documentclass[11pt,a4paper]{article} +\documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ \usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Transformer Semantics} \author{Georg Struth} \maketitle \begin{abstract} These mathematical components formalise predicate transformer semantics for programs, yet currently only for partial correctness and in the absence of faults. A first part for isotone (or monotone), Sup-preserving and Inf-preserving transformers follows Back and von Wright's approach, with additional emphasis on the quantalic structure of algebras of transformers. The second part develops Sup-preserving and Inf-preserving predicate transformers from the powerset monad, via its Kleisli category and Eilenberg-Moore algebras, with emphasis on adjunctions and dualities, as well as isomorphisms between relations, state transformers and predicate transformers. \end{abstract} \tableofcontents \section{Introductory Remarks} Predicate transformers yield standard denotational semantics for imperative programs; they have been investigated for around fifty years and are widely used in program verification. These components provide yet another take on this topic with Isabelle (previous formalisations in the AFP include~\cite{Preoteasa11b,GomesGHSW16,GomesS16}). 
The first part, like Preoteasa's work~\cite{Preoteasa11b}, follows by and large Back and von Wright's seminal monograph~\cite{BackvW98}. Isotone (or monotone), sup-preserving and inf-preserving transformers are developed in a categorical setting as morphisms of orderings and complete lattices. The approach is type-driven; concepts are usually formalised with the most general suitable types. Due to this, the algebras of transformers cannot be captured within Isabelle's type classes or locales. They describe algebraic properties of typed function spaces (enriched homsets of categories of complete lattices) in terms of typed quantales or quantaloids~\cite{Rosenthal90}. Special focus is on notions of recursion and iteration in this typed setting. In particular, propositional Hoare logics and basic refinement calculi---for partial correctness and without assignment laws---are derived. For transformers that are endofunctions, instance proofs for quantales are given. This brings theorems about quantales and from the Kleene algebra hierarchy into scope. Based on this, the second part presents an alternative, more detailed development with sets. It starts from the monad of the powerset functor, its Kleisli category and its Eilenberg-Moore algebras; a view that has been promoted, for instance, by Jacobs~\cite{Jacobs17}. General monads cannot be handled by Isabelle's type system, only particular instances can be formalised---at the level of exercises in category theory textbooks. With this approach, binary relations, state transformers modelled as arrows of the Kleisli category of the powerset monad, and predicate transformer algebras, Sup-lattices which arise as Eilenberg-Moore algebras of the powerset monad, are related like in Jacob's state-effect triangles. In particular, the isomorphisms between the quantalic structure of relations, that of state transformers and that of various predicate transformers is spelled out in detail. 
In addition, the symmetries and dualities between four kinds of predicate transformers (forward and backward modal box and diamond operators in the parlance of dynamic logic) are formalised. Beyond that, the quantalic structure of state transformers is detailed first in a typed setting, and secondly in a single-typed one, where state transformers are shown to form quantales and hence Kleene algebras. It should be straightforward to integrate these mathematical components into verification components along the lines of~\cite{ArmstrongGS16,GomesS16}. Beyond that, an integration with the predicate transformers obtained from modal Kleene algebras~\cite{GomesGHSW16} seems interesting for verification applications. Possible extensions and refinements include the development of verification conditions for recursion beyond those for while-loops, approaches to total correctness and fault semantics, more complete (re)encodings of Back and von Wright's approach, formalisations of domain theory, links between isotone transformers and Isabelle components for multirelational semantics~\cite{FurusawaS15} and extensions to probabilistic transformers~\cite{McIverM05}. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Transition_Systems_and_Automata/document/root.tex b/thys/Transition_Systems_and_Automata/document/root.tex --- a/thys/Transition_Systems_and_Automata/document/root.tex +++ b/thys/Transition_Systems_and_Automata/document/root.tex 
@@ -1,29 +1,28 @@ \documentclass[11pt, a4paper]{article} -\usepackage[utf8]{inputenc} \usepackage[T1]{fontenc} -\usepackage{isabelle, isabellesym} +\usepackage{isabelle,isabellesym} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Transition Systems and Automata} \author{Julian Brunner} \maketitle \begin{abstract} This entry provides a very abstract theory of transition systems that can be instantiated to express various types of automata. A transition system is typically instantiated by providing a set of initial states, a predicate for enabled transitions, and a transition execution function. From this, it defines the concepts of finite and infinite paths as well as the set of reachable states, among other things. Many useful theorems, from basic path manipulation rules to coinduction and run construction rules, are proven in this abstract transition system context. The library comes with instantiations for DFAs, NFAs, and Büchi automata. \end{abstract} \tableofcontents \input{session} \end{document} diff --git a/thys/Transitive-Closure-II/document/root.tex b/thys/Transitive-Closure-II/document/root.tex --- a/thys/Transitive-Closure-II/document/root.tex +++ b/thys/Transitive-Closure-II/document/root.tex 
@@ -1,46 +1,47 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Executable Transitive Closures\footnote{Supported by FWF (Austrian Science Fund) project P22767-N13.}} \author{Ren\'e Thiemann} \maketitle \begin{abstract} We provide a generic work-list algorithm to compute the (reflexi\-\mbox{ve-)}transitive closure of relations where only successors of newly detected states are generated. In contrast to our previous work \cite{rtrancl_fin}, the relations do not have to be finite, but each element must only have finitely many (indirect) successors. Moreover, a subsumption relation can be used instead of pure equality. An executable variant of the algorithm is available where the generic operations are instantiated with list operations. This formalization was performed as part of the \isafor/\ceta{} project% \footnote{\url{http://cl-informatik.uibk.ac.at/software/ceta}} \cite{CeTA}, and it has been used to certify size-change termination proofs where large transitive closures have to be computed. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Transitive-Closure/document/root.tex b/thys/Transitive-Closure/document/root.tex --- a/thys/Transitive-Closure/document/root.tex +++ b/thys/Transitive-Closure/document/root.tex 
@@ -1,44 +1,45 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \newcommand\isafor{\textsf{IsaFoR}} \newcommand\ceta{\textsf{Ce\kern-.18emT\kern-.18emA}} \begin{document} \title{Executable Transitive Closures of Finite Relations\footnote{Supported by FWF (Austrian Science Fund) project P22767-N13.}} \author{Christian Sternagel and Ren\'e Thiemann} \maketitle \begin{abstract} We provide a generic work-list algorithm to compute the transitive closure of finite relations where only successors of newly detected states are generated. This algorithm is then instantiated for lists over arbitrary carriers and red black trees \cite{rbt} (which are faster but require a linear order on the carrier), respectively. Our formalization was performed as part of the \isafor/\ceta{} project% \footnote{\url{http://cl-informatik.uibk.ac.at/software/ceta}} \cite{CeTA}, where reflexive transitive closures of large tree automata have to be computed. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Treaps/document/root.tex b/thys/Treaps/document/root.tex --- a/thys/Treaps/document/root.tex +++ b/thys/Treaps/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Treaps} \author{Max Haslbeck, Manuel Eberl, Tobias Nipkow} \maketitle \begin{abstract} A Treap~\cite{seidel1996} is a binary tree whose nodes contain pairs consisting of some payload and an associated priority. It must have the search-tree property w.\,r.\,t.\ the payloads and the heap property w.\,r.\,t.\ the priorities. Treaps are an interesting data structure that is related to binary search trees (BSTs) in the following way: if one forgets all the priorities of a treap, the resulting BST is exactly the same as if one had inserted the elements into an empty BST in order of ascending priority. This means that a treap behaves like a BST where we can pretend the elements were inserted in a different order from the one in which they were actually inserted. In particular, by choosing these priorities at random upon insertion of an element, we can pretend that we inserted the elements in \emph{random order}, so that the shape of the resulting tree is that of a random BST no matter in what order we insert the elements. This is the main result of this formalisation.~\cite{eberl18} \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Tree-Automata/document/root.tex b/thys/Tree-Automata/document/root.tex --- a/thys/Tree-Automata/document/root.tex +++ b/thys/Tree-Automata/document/root.tex 
@@ -1,78 +1,78 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage[english]{babel} \usepackage[only,bigsqcap]{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % Tweaks \newcounter{TTStweak_tag} \setcounter{TTStweak_tag}{0} \newcommand{\setTTS}{\setcounter{TTStweak_tag}{1}} \newcommand{\resetTTS}{\setcounter{TTStweak_tag}{0}} \newcommand{\insertTTS}{\ifnum\value{TTStweak_tag}=1 \ \ \ \fi} \renewcommand{\isakeyword}[1]{\resetTTS\emph{\bf\def\isachardot{.}\def\isacharunderscore{\isacharunderscorekeyword}\def\isacharbraceleft{\{}\def\isacharbraceright{\}}#1}} \renewcommand{\isachardoublequoteopen}{\insertTTS} \renewcommand{\isachardoublequoteclose}{\setTTS} \renewcommand{\isanewline}{\mbox{}\par\mbox{}\resetTTS} \renewcommand{\isamarkupcmt}[1]{\hangindent5ex{\isastylecmt --- #1}} \begin{document} \title{Tree Automata} \author{Peter Lammich} \maketitle \begin{abstract} This work presents a machine-checked tree automata library for Standard-ML, OCaml and Haskell. The algorithms are efficient by using appropriate data structures like RB-trees. The available algorithms for non-deterministic automata include membership query, reduction, intersection, union, and emptiness check with computation of a witness for non-emptiness. The executable algorithms are derived from less-concrete, non-executable algorithms using data-refinement techniques. The concrete data structures are from the Isabelle Collections Framework. Moreover, this work contains a formalization of the class of tree-regular languages and its closure properties under set operations. 
\end{abstract} \clearpage \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{intro} % generated text of selected theories \input{Tree.tex} \input{Ta.tex} \input{AbsAlgo.tex} \input{Ta_impl.tex} \input{conclusion} \clearpage % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Tree_Decomposition/document/root.tex b/thys/Tree_Decomposition/document/root.tex --- a/thys/Tree_Decomposition/document/root.tex +++ b/thys/Tree_Decomposition/document/root.tex 
@@ -1,130 +1,129 @@ \documentclass[11pt,a4paper]{scrartcl} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath,amsfonts} -\usepackage[utf8]{inputenc} -\usepackage[T1]{fontenc} \typearea{11} \renewcommand{\bf}{\normalfont\bfseries} \renewcommand{\rm}{\normalfont\rmfamily} \renewcommand{\it}{\normalfont\itshape} \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Tree Decompositions} \author{Christoph Dittmann\\christoph.dittmann@tu-berlin.de} \date{\today} \maketitle \begin{abstract} We formalize tree decompositions and tree width in Isabelle/HOL, proving that trees have treewidth~1. We also show that every edge of a tree decomposition is a separation of the underlying graph. As an application of this theorem we prove that complete graphs of size $n$ have treewidth $n-1$. \end{abstract} \tableofcontents \newpage \section{Introduction} We follow \cite{diestel2006} in terms of the definition of tree decompositions and treewidth. We write a fairly minimal formalization of graphs and trees and then go straight to tree decompositions. Let $G = (V,E)$ be a graph and $(\mathcal{T},\beta)$ be a tree decomposition, where $\mathcal{T}$ is a tree and $\beta: V(\mathcal{T}) \to 2^V$ maps bags to sets of vertices. Our main theorem is that if $(s,t) \in V(\mathcal{T})$ is an edge of the tree decomposition, then $\beta(s) \cap \beta(t)$ is a separator of $G$, separating \[ \bigcup_{\text{$u \in V(T)$ is in the left subtree of $\mathcal{T} \setminus (s,t)$}} \beta(u) \] and \[ \bigcup_{\text{$u \in V(T)$ is in the right subtree of $\mathcal{T} \setminus (s,t)$}} \beta(u). \] As an application of this theorem we show that if $K_n$ is the complete graph on $n$ vertices, then the treewidth of $K_n$ is $n-1$. 
Independent of this theorem, relying only on the basic definitions of tree decompositions, we also prove that trees have treewidth 1 if they have at least one edge (and treewidth 0 otherwise, which is trivial and holds for all graphs). \subsection{Avoid List Indices} While this will be obvious for more experienced Isabelle/HOL users, what we learned in this work is that working with lists becomes significantly easier if we avoid indices. It turns out that indices often trip up Isabelle's automatic proof methods. Rewriting a proof with list indices to a proof without often reduced the length of the proof by 50\% or more. For example, instead of saying ``let $n \in \mathbb{N}$ be maximal such that the first $n$ elements of the list all satisfy property $P$'', it is better to say ``let $ps$ be a maximal prefix such that all elements of $ps$ satisfy $P$''. \subsection{Future Work} We have several ideas for future work. Let us enumerate them in order of ascending difficulty (subjectively, of course). \begin{enumerate} \item The easiest would be a formalization of the fact that treewidth is closed under minors and disjoint union, and that adding a single edge increases the treewidth by at most one. There are probably many more theorems similar to these. \item A more interesting project would be a formalization of the cops and robber game for treewidth, where the number of cops is equivalent to the treewidth plus one. See \cite{fomin2008} for a survey on these games. \item Another interesting project would be a formal proof that the treewidth of a square grid is large. It seems reasonable to expect that this could profit from a formalization of cops and robber games, but it is no prerequisite. \item An ambitious long-term project would be a full formalization of the grid theorem by Robertson and Seymour \cite{robertson_seymour_graphs/V}. 
They showed that there exists a function $f: \mathbb{N} \to \mathbb{N}$ such that for every $k \in \mathbb{N}$ it holds that if a graph has treewidth at least $f(k)$, then it contains a $k \times k$ grid as a minor. \end{enumerate} Another more technical point would be to evaluate whether it would be good to use the ``Graph Theory'' library \cite{Graph_Theory-AFP} from the Archive of Formal Proofs instead of reimplementing graphs here. At first glance it seems that the graph theory library would provide a lot of helpful lemmas. On the other hand, it would be a non-trivial dependency with its own idiosyncrasies, which could complicate the development of tree decomposition proofs. The author feels that overall it is probably a good idea to base this work on the graph theory library, but it needs further consideration. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \clearpage \phantomsection \addcontentsline{toc}{section}{Bibliography} \bibliographystyle{plain} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Triangle/document/root.tex b/thys/Triangle/document/root.tex --- a/thys/Triangle/document/root.tex +++ b/thys/Triangle/document/root.tex 
@@ -1,39 +1,40 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Basic Geometric Properties of Triangles} \author{Manuel Eberl} \maketitle \begin{abstract} In this work, we define angles between vectors and between three points. Building on this, we prove basic geometric properties of triangles, such as the Isosceles Triangle Theorem, the Law of Sines and the Law of Cosines, that the sum of the angles of a triangle is $\pi$, and the congruence theorems for triangles. The definitions and proofs were developed following those by John Harrison in HOL Light. However, due to Isabelle's type class system, all definitions and theorems in the Isabelle formalisation hold for all real inner product spaces. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \input{session} \nocite{*} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Trie/document/root.tex b/thys/Trie/document/root.tex --- a/thys/Trie/document/root.tex +++ b/thys/Trie/document/root.tex @@ -1,32 +1,33 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Tries} \author{Andreas Lochbihler and Tobias Nipkow} \maketitle \begin{abstract} This article formalizes the ``trie'' data structure invented by Fredkin~\cite{Fredkin}. It also provides a specialization where the entries in the trie are lists. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} 
diff --git a/thys/Twelvefold_Way/document/root.tex b/thys/Twelvefold_Way/document/root.tex --- a/thys/Twelvefold_Way/document/root.tex +++ b/thys/Twelvefold_Way/document/root.tex @@ -1,48 +1,49 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Twelvefold Way} \author{Lukas Bulwahn} \maketitle \begin{abstract} This entry provides all cardinality theorems of the Twelvefold Way. The Twelvefold Way~\cite{bogart-2004, stanley-2012, wikipedia:Twelvefold-Way} systematically classifies twelve related combinatorial problems concerning two finite sets, which include counting permutations, combinations, multisets, set partitions and number partitions. This development builds upon the existing formal developments~\cite{Card_Partitions-AFP, Card_Multisets-AFP, Card_Number_Partitions-AFP} with cardinality theorems for those structures. It provides twelve bijections from the various structures to different equivalence classes on finite functions, and hence, proves cardinality formulae for these equivalence classes on finite functions. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Tycon/document/root.tex b/thys/Tycon/document/root.tex --- a/thys/Tycon/document/root.tex +++ b/thys/Tycon/document/root.tex 
@@ -1,48 +1,49 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{graphicx,isabelle,isabellesym} \usepackage{amssymb} % for \ \usepackage[english]{babel} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Tycon: Type Constructor Classes \\ and Monad Transformers} \author{Brian Huffman} \maketitle \begin{abstract} These theories contain a formalization of first class type constructors and axiomatic constructor classes for HOLCF. This work is described in detail in the ICFP 2012 paper ``Formal Verification of Monad Transformers'' by the author \cite{huffman2012}. The formalization is a revised and updated version of earlier joint work with Matthews and White \cite{HMW05}. Based on the hierarchy of type classes in Haskell, we define classes for functors, monads, monad-plus, etc. Each one includes all the standard laws as axioms. We also provide a new user command, \emph{tycondef}, for defining new type constructors in HOLCF. Using \emph{tycondef}, we instantiate the type class hierarchy with various monads and monad transformers. \end{abstract} \tableofcontents \begin{center} \includegraphics[width=\textwidth,height=\textheight,keepaspectratio]{session_graph} \end{center} \newpage % use vertical space instead of indenting paragraphs \parindent 0pt \parskip 0.9ex % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Types_Tableaus_and_Goedels_God/document/root.tex b/thys/Types_Tableaus_and_Goedels_God/document/root.tex --- a/thys/Types_Tableaus_and_Goedels_God/document/root.tex +++ b/thys/Types_Tableaus_and_Goedels_God/document/root.tex 
@@ -1,80 +1,81 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{authblk} %\usepackage{a4wide} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Types, Tableaus and G\"odel's God \\ in Isabelle/HOL} %\author{David Fuenmayor, Christoph Benzm\"uller} \author[1]{David Fuenmayor} \author[2,1]{Christoph Benzm\"uller} \affil[1]{Freie Universit\"at Berlin, Germany} \affil[2]{University of Luxembourg, Luxembourg} \maketitle \begin{abstract} A computer-formalisation of the essential parts of Fitting's textbook \emph{Types, Tableaus and G\"odel's Go}d in Isabelle/HOL is presented. In particular, Fitting's (and Anderson's) variant of the ontological argument is verified and confirmed. This variant avoids the modal collapse, which has been criticised as an undesirable side-effect of Kurt G\"odel's (and Dana Scott's) versions of the ontological argument. Fitting's work is employing an intensional higher-order modal logic, which we shallowly embed here in classical higher-order logic. We then utilize the embedded logic for the formalisation of Fitting's argument. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \pagebreak % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/UPF/document/root.tex b/thys/UPF/document/root.tex --- a/thys/UPF/document/root.tex +++ b/thys/UPF/document/root.tex 
@@ -1,147 +1,148 @@ \documentclass[11pt,DIV10,a4paper,twoside=semi,openright,titlepage]{scrreprt} +\usepackage[T1]{fontenc} \usepackage{fixltx2e} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% Overrides the (rightfully issued) warning by Koma Script that \rm %%% etc. should not be used (they are deprecated since more than a %%% decade) \DeclareOldFontCommand{\rm}{\normalfont\rmfamily}{\mathrm} \DeclareOldFontCommand{\sf}{\normalfont\sffamily}{\mathsf} \DeclareOldFontCommand{\tt}{\normalfont\ttfamily}{\mathtt} \DeclareOldFontCommand{\bf}{\normalfont\bfseries}{\mathbf} \DeclareOldFontCommand{\it}{\normalfont\itshape}{\mathit} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \usepackage{isabelle,isabellesym} \usepackage{stmaryrd} \usepackage{paralist} \usepackage{xspace} \newcommand{\testgen}{HOL-TestGen\xspace} \newcommand{\testgenFW}{HOL-TestGen/FW\xspace} \usepackage[numbers, sort&compress, sectionbib]{natbib} \usepackage{graphicx} \usepackage{color} \sloppy \usepackage{amssymb} \newcommand{\isasymmodels}{\isamath{\models}} \newcommand{\HOL}{HOL} \newcommand{\ie}{i.\,e.} \newcommand{\eg}{e.\,g.} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \renewcommand{\isastyle}{\isastyleminor} \pagestyle{empty} \begin{document} \renewcommand{\subsubsectionautorefname}{Section} \renewcommand{\subsectionautorefname}{Section} \renewcommand{\sectionautorefname}{Section} \renewcommand{\chapterautorefname}{Chapter} \newcommand{\subtableautorefname}{\tableautorefname} \newcommand{\subfigureautorefname}{\figureautorefname} \title{The Unified Policy Framework\\ (UPF)} \author{Achim D. Brucker\footnotemark[1] \quad Lukas Br\"ugger\footnotemark[2] \quad Burkhart Wolff\footnotemark[3]\\[1.5em] \normalsize \normalsize\footnotemark[1]~SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany \texorpdfstring{\\}{} \normalsize\href{mailto:"Achim D. 
Brucker" }{achim.brucker@sap.com}\\[1em] % \normalsize\footnotemark[2]Information Security, ETH Zurich, 8092 Zurich, Switzerland \texorpdfstring{\\}{} \normalsize\href{mailto:"Lukas Bruegger" }{Lukas.A.Bruegger@gmail.com}\\[1em] % \normalsize\footnotemark[3]~Univ. Paris-Sud, Laboratoire LRI, UMR8623, 91405 Orsay, France France\texorpdfstring{\\}{} \normalsize\href{mailto:"Burkhart Wolff" }{burkhart.wolff@lri.fr} } \pagestyle{empty} \publishers{% \normalfont\normalsize% \centerline{\textsf{\textbf{\large Abstract}}} \vspace{1ex}% \parbox{0.8\linewidth}{% We present the \emph{Unified Policy Framework} (UPF), a generic framework for modelling security (access-control) policies; in Isabelle/\HOL. %\cite{}. UPF emphasizes the view that a policy is a policy decision function that grants or denies access to resources, permissions, etc. In other words, instead of modelling the relations of permitted or prohibited requests directly, we model the concrete function that implements the policy decision point in a system, seen as an ``aspect'' of ``wrapper'' around the business logic % Fachlogik of a system. In more detail, UPF is based on the following four principles: \begin{inparaenum} \item Functional representation of policies, \item No conflicts are possible, \item Three-valued decision type (allow, deny, undefined), \item Output type not containing the decision only. 
\end{inparaenum} } } \maketitle \cleardoublepage \pagestyle{plain} \tableofcontents \cleardoublepage \input{introduction} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % \input{session} \chapter{The Unified Policy Framework (UPF)} \input{UPFCore} \input{ElementaryPolicies} \input{SeqComposition} \input{ParallelComposition} \input{Analysis} \input{Normalisation} \input{NormalisationTestSpecification} \input{UPF} \chapter{Example} \input{example-intro} \input{Service} \input{ServiceExample} % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \input{conclusion} \chapter{Appendix} \input{Monads} %%% Local Variables: %%% mode: latex %%% TeX-master: "root" %%% End: \nocite{brucker.ea:formal-fw-testing:2014,brucker.ea:hol-testgen-fw:2013,brucker.ea:theorem-prover:2012,brucker.ea:model-based:2011} \nocite{bruegger:generation:2012} \bibliographystyle{abbrvnat} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/UPF_Firewall/document/root.tex b/thys/UPF_Firewall/document/root.tex --- a/thys/UPF_Firewall/document/root.tex +++ b/thys/UPF_Firewall/document/root.tex 
@@ -1,186 +1,187 @@ \documentclass[11pt,DIV10,a4paper,twoside=semi,openright,titlepage]{scrreprt} +\usepackage[T1]{fontenc} \usepackage{fixltx2e} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% Overrides the (rightfully issued) warning by Koma Script that \rm %%% etc. should not be used (they are deprecated since more than a %%% decade) \DeclareOldFontCommand{\rm}{\normalfont\rmfamily}{\mathrm} \DeclareOldFontCommand{\sf}{\normalfont\sffamily}{\mathsf} \DeclareOldFontCommand{\tt}{\normalfont\ttfamily}{\mathtt} \DeclareOldFontCommand{\bf}{\normalfont\bfseries}{\mathbf} \DeclareOldFontCommand{\it}{\normalfont\itshape}{\mathit} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \usepackage{isabelle,isabellesym} \usepackage{stmaryrd} \usepackage{paralist} \usepackage{xspace} \usepackage{amsmath} \usepackage[english]{babel} \newcommand{\testgen}{HOL-TestGen\xspace} \newcommand{\testgenFW}{HOL-TestGen/FW\xspace} \usepackage[numbers, sort&compress, sectionbib]{natbib} \usepackage{graphicx} \usepackage{color} \sloppy \usepackage{amssymb} \newcommand{\isadefinition} {{\operatorname{definition}}} \newcommand{\types} {{\operatorname{type\_synonym}}} \newcommand{\datatype} {{\operatorname{datatype}}} \newcommand{\ap}{\,} \newcommand{\dom}{\mathrm{dom}} \newcommand{\ran}{\mathrm{ran}} \newcommand{\ofType}{\!::\!} \newcommand{\HolBin}[0]{\ensuremath{\mathrm{bin}}} \newcommand{\HolNum}[0]{\ensuremath{\mathrm{num}}} \newcommand{\HolBoolean}[0]{\ensuremath{\mathrm{bool}}} \newcommand{\HolString}[0]{\ensuremath{\mathrm{string}}} \newcommand{\HolInteger}[0]{\ensuremath{\mathrm{int}}} \newcommand{\HolNat}[0]{\ensuremath{\mathrm{nat}}} \newcommand{\HolReal}[0]{\ensuremath{\mathrm{real}}} \newcommand{\HolSet}[1]{#1\ap\ensuremath{\mathrm{set}}} \newcommand{\HolList}[1]{#1\ap\ensuremath{\mathrm{list}}} %\newcommand{\HolOrderedSet}[1]{#1~\ensuremath{\mathrm{orderedset}}} \newcommand{\HolMultiset}[1]{#1\ap\ensuremath{\mathrm{multiset}}} 
\newcommand{\classType}[2]{#1\ap\ensuremath{\mathrm{#2}}} \newcommand{\bottom}{\bot} \DeclareMathOperator{\HolSome}{Some} \DeclareMathOperator{\HolNone}{None} \DeclareMathOperator{\Poverride}{\oplus} \DeclareMathOperator{\prodTwo}{\otimes_2} \newcommand{\HolMkSet}[1]{\operatorname{set} #1} \newcommand{\spot}{.\;} \newcommand{\where} {{\operatorname{where}}} \DeclareMathOperator{\HolIf}{if} \DeclareMathOperator{\HolLet}{let} \DeclareMathOperator{\HolIn}{in} \DeclareMathOperator{\HolThen}{then} \DeclareMathOperator{\HolElse}{else} \newcommand{\isasymmodels}{\isamath{\models}} \newcommand{\HOL}{HOL} \newcommand{\ie}{i.\,e.} \newcommand{\eg}{e.\,g.} \usepackage{pdfsetup} \urlstyle{rm} \isabellestyle{it} \renewcommand{\isastyle}{\isastyleminor} \pagestyle{empty} \begin{document} \renewcommand{\subsubsectionautorefname}{Section} \renewcommand{\subsectionautorefname}{Section} \renewcommand{\sectionautorefname}{Section} \renewcommand{\chapterautorefname}{Chapter} \newcommand{\subtableautorefname}{\tableautorefname} \newcommand{\subfigureautorefname}{\figureautorefname} \title{Formal Network Models and Their Application to Firewall Policies\\ (UPF-Firewall)} \author{Achim D. Brucker\footnotemark[1] \quad Lukas Br\"ugger\footnotemark[2] \quad Burkhart Wolff\footnotemark[3]\\[1.5em] \normalsize \normalsize\footnotemark[1]~Department of Computer Science, The University of Sheffield, Sheffield, UK \texorpdfstring{\\}{} \normalsize\href{mailto:"Achim D. Brucker" }{a.brucker@sheffield.ac.uk}\\[1em] % \normalsize\footnotemark[2]Information Security, ETH Zurich, 8092 Zurich, Switzerland \texorpdfstring{\\}{} \normalsize\href{mailto:"Lukas Bruegger" }{Lukas.A.Bruegger@gmail.com}\\[1em] % \normalsize\footnotemark[3]~Univ. 
Paris-Sud, Laboratoire LRI, UMR8623, 91405 Orsay, France France\texorpdfstring{\\}{} \normalsize\href{mailto:"Burkhart Wolff" }{burkhart.wolff@lri.fr} } \pagestyle{empty} \publishers{% \normalfont\normalsize% \centerline{\textsf{\textbf{\large Abstract}}} \vspace{1ex}% \parbox{0.8\linewidth}{% We present a formal model of network protocols and their application to modeling firewall policies. The formalization is based on the \emph{Unified Policy Framework} (UPF). The formalization was originally developed with for generating test cases for testing the security configuration actual firewall and router (middle-boxes) using HOL-TestGen. Our work focuses on modeling application level protocols on top of tcp/ip. } } \maketitle \cleardoublepage \pagestyle{plain} \tableofcontents \cleardoublepage \chapter{Introduction} \input{introduction} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % \input{session} \input{UPF-Firewall} \input{NetworkModels} \input{NetworkCore} \input{DatatypeAddress} \input{DatatypePort} \input{IntegerAddress} \input{IntegerPort} \input{IntegerPort_TCPUDP} \input{IPv4} \input{IPv4_TCPUDP.tex} \input{PacketFilter.tex} \input{PolicyCore} \input{PolicyCombinators} \input{PortCombinators} \input{ProtocolPortCombinators} \input{Ports} \input{NAT} \input{FWNormalisation.tex} \input{FWNormalisationCore.tex} \input{NormalisationGenericProofs.tex} \input{NormalisationIntegerPortProof.tex} \input{NormalisationIPPProofs.tex} \input{StatefulFW} \input{StatefulCore} \input{FTP} \input{FTP_WithPolicy} \input{VOIP} \input{FTPVOIP} %%%%%%%%%%%%%%%%%%%%%%%%%%%%% \input{Examples.tex} \input{DMZ.tex} \input{DMZDatatype.tex} \input{DMZInteger.tex} \input{PersonalFirewall.tex} \input{PersonalFirewallInt.tex} \input{PersonalFirewallIpv4.tex} \input{PersonalFirewallDatatype.tex} \input{Transformation.tex} \input{Transformation01.tex} \input{Transformation02.tex} \input{NAT-FW.tex} \input{Voice_over_IP.tex} % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \bibliographystyle{abbrvnat} \bibliography{root} 
\end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/UTP/document/root.tex b/thys/UTP/document/root.tex --- a/thys/UTP/document/root.tex +++ b/thys/UTP/document/root.tex 
@@ -1,150 +1,151 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{fullpage} \usepackage[usenames,dvipsnames]{color} \usepackage{document} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage[english]{babel} %option greek for \ %option english (default language) for \, \ \usepackage{stmaryrd} %for \ \usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} \usepackage{graphicx} \usepackage{url} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Isabelle/UTP: Mechanised Theory Engineering for \\ Unifying Theories of Programming} \author{Simon Foster\footnote{Department of Computer Science, University of York. \href{mailto:simon.foster@york.ac.uk}{simon.foster@york.ac.uk}}, Frank Zeyda, Yakoub Nemouchi, Pedro Ribeiro, and Burkhart Wolff} \maketitle \begin{abstract} Isabelle/UTP is a mechanised theory engineering toolkit based on Hoare and He's Unifying Theories of Programming (UTP). UTP enables the creation of denotational, algebraic, and operational semantics for different programming languages using an alphabetised relational calculus. We provide a semantic embedding of the alphabetised relational calculus in Isabelle/HOL, including new type definitions, relational constructors, automated proof tactics, and accompanying algebraic laws. Isabelle/UTP can be used to both capture laws of programming for different languages, and put these fundamental theorems to work in the creation of associated verification tools, using calculi like Hoare logics. This document describes the relational core of the UTP in Isabelle/HOL. 
\end{abstract} \tableofcontents \begin{center} \includegraphics[height=\textheight]{session_graph} \end{center} % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} This document contains the description of our mechanisation of Hoare and He's \emph{Unifying Theories of Programming}~\cite{Hoare&98,Cavalcanti&06} (UTP) in Isabelle/HOL. UTP uses the ``programs-as-predicates'' approach, pioneered by Hehner~\cite{Hehner1988,Hehner1990,Hehner93}, to encode denotational semantics and facilitate reasoning about programs. It uses the alphabetised relational calculus, which combines predicate calculus and relation algebra, to denote programs as relations between initial variables ($x$) and their subsequent values ($x'$). Isabelle/UTP\footnote{Isabelle/UTP website: \url{https://www.cs.york.ac.uk/circus/isabelle-utp/}}~\cite{Foster16a,Foster16c,Foster14c} semantically embeds this relational calculus into Isabelle/HOL, which enables application of the latter's proof facilities to program verification. For an introduction to UTP, we recommend two tutorials~\cite{Cavalcanti04,Cavalcanti&06}, and also the UTP book~\cite{Hoare&98}. The Isabelle/UTP core mechanises most of definitions and theorems from chapters 1, 2, 4, and 7 of \cite{Hoare&98}, and some material contained in chapters 5 and 10. This essentially amounts to alphabetised predicate calculus, its core laws, the UTP theory infrastructure, and also parallel-by-merge~\cite[chapter~5]{Hoare&98}, which adds concurrency primitives. The Isabelle/UTP core does not contain the theory of designs~\cite{Cavalcanti04} and CSP~\cite{Cavalcanti&06}, which are both represented in their own theory developments. A large part of the mechanisation, however, is foundations that enable these core UTP theories. In particular, Isabelle/UTP builds on our implementation of lenses~\cite{Foster16a,Optics-AFP}, which gives a formal semantics to state spaces and variables. 
This, in turn, builds on a previous version of Isabelle/UTP~\cite{Feliachi2010,Feliachi2012}, which provided a shallow embedding of UTP by using Isabelle record types to represent alphabets. We follow this approach and, additionally, use the lens laws~\cite{Foster09,Foster16a} to characterise well-behaved variables. We also add meta-logical infrastructure for dealing with free variables and substitution. All this, we believe, adds an additional layer rigour to the UTP. The alphabets-as-types approach does impose a number of theoretical limitations. For example, alphabets can only be extended when an injection into a larger state-space type can be exhibited. It is therefore not possible to arbitrarily augment an alphabet with additional variables, but new types must be created to do this. This is largely because as in previous work~\cite{Feliachi2010,Feliachi2012}, we actually encode state spaces rather than alphabets, the latter being implicit. Namely, a relation is typed by the state space type that it manipulates, and the alphabet is represented by collection of lenses into this state space. This aspect of our mechanisation is actually much closer to the relational program model in Back's refinement calculus~\cite{Back1998}. The pay-off is that the Isabelle/HOL type checker can be directly applied to relational constructions, which makes proof much more automated and efficient. Moreover, our use of lenses mitigates the limitations by providing meta-logical style operators, such as equality on variables, and alphabet membership~\cite{Foster16a}. Isabelle/UTP can therefore directly harness proof automation from Isabelle/HOL, which allows its use in building efficient verification tools~\cite{Foster18a,Foster18b}. For a detailed discussion of semantic embedding approaches, please see~\cite{Foster16c}. In addition to formalising variables, we also make a number of generalisations to UTP laws. 
Notably, our lens-based representation of state leads us to adopt Back's approach to both assignment and local variables~\cite{Back1998}. Assignment becomes a point-free operator that acts on state-space update functions, which provides a rich set of algebraic theorems. Local variables are represented using stacks, unlike in the UTP book where they utilise alphabet extension. \pagebreak We give a summary of the main contributions within the Isabelle/UTP core, which can all be seen in the table of contents. \begin{enumerate} \item Formalisation of variables and state-spaces using lenses~\cite{Foster16a}; \item an expression model, together with lifted operators from HOL; \item the meta-logical operators of unrestriction, used-by, substitution, alphabet extrusion, and alphabet restriction; \item the alphabetised predicate calculus and associated algebraic laws; \item the alphabetised relational calculus and associated algebraic laws; \item proof tactics for the above based on interpretation~\cite{Huffman13}; \item a formalisation of UTP theories using locales~\cite{Ballarin06} and building on HOL-Algebra~\cite{Ballarin17}; \item Hoare logic~\cite{Hoare1969-Logic} and dynamic logic~\cite{Harel1984-DynamicLogic}; \item weakest precondition and strongest postcondition calculi~\cite{Dijkstra75}; \item concurrent programming with parallel-by-merge; \item relational operational semantics. \end{enumerate} % generated text of all theories \input{session} \pagebreak \section*{Acknowledgements} This work is funded by the EPSRC projects CyPhyAssure\footnote{CyPhyAssure Project: \url{https://www.cs.york.ac.uk/circus/CyPhyAssure/}} (Grant EP/S001190/1), RoboCalc\footnote{RoboCalc Project: \url{https://www.cs.york.ac.uk/circus/RoboCalc/}} (Grant EP/M025756/1), and the Royal Academy of Engineering. % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/UTP/toolkit/document/root.tex b/thys/UTP/toolkit/document/root.tex 
--- a/thys/UTP/toolkit/document/root.tex +++ b/thys/UTP/toolkit/document/root.tex 
@@ -1,86 +1,87 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{fullpage} \usepackage[usenames,dvipsnames]{color} \usepackage{document} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage[english]{babel} %option greek for \ %option english (default language) for \, \ \usepackage{stmaryrd} %for \ \usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Mathematical Toolkit for Isabelle/UTP} \author{Simon Foster \and Pedro Ribeiro \and Frank Zeyda} \maketitle \begin{abstract} This document describes our mathematical toolkit for Isabelle/UTP, which provides a foundational collection of definition, theorems, and proof facilities. This includes extensions to existing HOL libraries, such as for list and partial functions, and also new type definitions, theorems, and Isabelle/HOL commands. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} This document contains the description of our mathematical toolkit for Isabelle/UTP~\cite{Feliachi2010,Foster14c,Foster16a,Foster16c}, a mechanisation of Hoare and He's \emph{Unifying Theories of Programming}~\cite{Hoare&98,Cavalcanti&06}. The toolkit provides a foundational collection of additional HOL theorems, new abstract types, and proof facilities, upon which Isabelle/UTP depends. 
In brief, the toolkit contains the following principal items: \begin{itemize} \item additional laws and functions for the list, map (partial functions), countable set, and finite set types; \item type definitions for partial and finite functions, together with additional functions and laws derived from the Z mathematical toolkit~\cite{zrm}; \item positive subtypes of existing types; \item infinite sequences; \item the ``total recall'' package, which allows us to precisely control overriding of existing syntax annotations. \end{itemize} A few other theories exist that add smaller utilities and additional laws. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Universal_Turing_Machine/document/root.tex b/thys/Universal_Turing_Machine/document/root.tex --- a/thys/Universal_Turing_Machine/document/root.tex +++ b/thys/Universal_Turing_Machine/document/root.tex 
@@ -1,87 +1,88 @@ \documentclass{article} +\usepackage[T1]{fontenc} %\documentclass[runningheads]{llncs} \usepackage{isabelle} \usepackage{isabellesym} \usepackage{times} \usepackage{amssymb} \usepackage{amsmath} \usepackage{stmaryrd} \usepackage{mathpartir} %\usepackage{pdfsetup} \usepackage{tikz} \usepackage{pgf} \usepackage{color} \usetikzlibrary{calc} \usetikzlibrary{positioning} %% for testing %\usepackage{endnotes} %\let\footnote=\endnote \def\inst#1{\unskip$^{#1}$} % urls in roman style, theory text in math-similar italics \isabellestyle{it} % this should be the last package used \usepackage{pdfsetup} % gray boxes \definecolor{mygrey}{rgb}{.80,.80,.80} % mathpatir \mprset{sep=0.9em} \mprset{center=false} \mprset{flushleft=true} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \def\dn{\,\stackrel{\mbox{\scriptsize def}}{=}\,} \renewcommand{\isasymequiv}{$\dn$} \renewcommand{\isasymemptyset}{$\varnothing$} \renewcommand{\isacharunderscore}{\mbox{$\_$}} \renewcommand{\isasymiota}{} \newcommand{\isasymulcorner}{$\ulcorner$} \newcommand{\isasymurcorner}{$\urcorner$} \newcommand{\chapter}{\section} \begin{document} \title{Universal Turing Machine and Computability Theory in Isabelle/HOL} \author{Jian Xu\inst{2} \and Xingyuan Zhang\inst{2} \and Christian Urban\inst{1} \and Sebastiaan J. C. Joosten\inst{3} \vspace{3pt} \\ \inst{1}King's College London, UK \\ \inst{2}PLA University of Science and Technology, China \\ \inst{3}University of Twente, the Netherlands} \maketitle \begin{abstract} We formalise results from computability theory: recursive functions, undecidability of the halting problem, and the existence of a universal Turing machine. This formalisation is the AFP entry corresponding to: Mechanising Turing Machines and Computability Theory in Isabelle/HOL, ITP 2013 \end{abstract} The AFP entry and by extension this document is largely written by Jian Xu, Xingyuan Zhang, and Christian Urban. 
The Universal Turing Machine is well explained in this document, starting at Figure~\ref{prepare_input}. Regardless, you may want to read the original ITP article~\cite{Xu13} instead of this pdf document corresponding to the AFP entry. If you are just interested in results about Turing Machines and Computability theory: the main book used for this formalisation is by Boolos~\cite{Boolos87}. Sebastiaan J. C. Joosten contributed mainly by making the files ready for the AFP. The need for a good formalisation of Turing Machines arose from realising that the current formalisation of saturation graphs~\cite{Graph_Saturation-AFP} is missing a key undecidability result present in the original paper~\cite{Joosten18}. Recently, an undecidability result has been added to the AFP by Bertram Felgenhauer~\cite{Minsky_Machines-AFP}, using a definition of computably enumerable sets formalised by Michael Nedzelsky~\cite{Recursion-Theory-I-AFP}. Showing the equivalence of these entirely separate notions of computability and decidability remains future work. % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/UpDown_Scheme/document/root.tex b/thys/UpDown_Scheme/document/root.tex --- a/thys/UpDown_Scheme/document/root.tex +++ b/thys/UpDown_Scheme/document/root.tex 
@@ -1,52 +1,52 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{german} \usepackage{isabelle,isabellesym} % urls in roman style, theory text in math-similar italics % \urlstyle{rm} \isabellestyle{it} \title{Verification of the \texttt{UpDown} scheme} \author{Johannes H{\"o}lzl} \begin{document} \maketitle \begin{abstract} The \texttt{UpDown} scheme is a recursive scheme used to compute the stiffness matrix on a special form of sparse grids. Usually, when discretizing a Euclidean space of dimension $d$ we need $O(n^d)$ points, for $n$ points along each dimension. Sparse grids are a hierarchical representation where the number of points is reduced to $O(n\cdot\log(n)^d)$. One disadvantage of such sparse grids is that the algorithm now operate recursively in the dimensions and levels of the sparse grid. The \texttt{UpDown} scheme allows us to compute the stiffness matrix on such a sparse grid. The stiffness matrix represents the influence of each representation function on the $L^2$ scalar product. For a detailed description see Pfl{\"u}ger's PhD thesis~\cite{pflueger10spatially}. This formalization was developed as an interdisciplinary project (IDP) at the TU~M{\"u}nchen~\cite{hoelzl09updown}. \end{abstract} \textbf{Note:} This development has two main theories. The correctnes of the UpDown scheme, and a verification of an imperative version of it. Both theories can not be merged, as they use different orders on the product type. \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Valuation/document/root.tex b/thys/Valuation/document/root.tex --- a/thys/Valuation/document/root.tex +++ b/thys/Valuation/document/root.tex 
@@ -1,29 +1,30 @@ \documentclass[11pt,a4paper]{report} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Fundamental Properties of Valuation Theory and Hensel's Lemma} \author{Hidetsune Kobayashi} \maketitle \begin{abstract} Convergence with respect to a valuation is discussed as convergence of a Cauchy sequence. Cauchy sequences of polynomials are defined. They are used to formalize Hensel's lemma. \end{abstract} \tableofcontents % include generated text of all theories \input{session} \end{document} diff --git a/thys/VectorSpace/document/root.tex b/thys/VectorSpace/document/root.tex --- a/thys/VectorSpace/document/root.tex +++ b/thys/VectorSpace/document/root.tex 
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} \usepackage{amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{VectorSpace} \author{Holden Lee\thanks{This work was funded by the Post-Masters Consultancy and the Computer Laboratory at the University of Cambridge.}} \maketitle \abstract{ I present a formalisation of basic linear algebra based completely on locales, building off HOL-Algebra. It includes the following: \begin{enumerate} \item basic definitions: linear combinations, span, linear independence \item linear transformations \item interpretation of function spaces as vector spaces \item direct sum of vector spaces, sum of subspaces \item the replacement theorem \item existence of bases in finite-dimensional vector spaces, definition of dimension \item rank-nullity theorem. \end{enumerate} Note that some concepts are actually defined and proved for modules as they also apply there. In the process, I also prove some basic facts about rings, modules, and fields, as well as finite sums in monoids/modules. Note that infinite-dimensional vector spaces are supported, but dimension is only supported for finite-dimensional vector spaces. The proofs are standard; the proofs of the replacement theorem and rank-nullity theorem roughly follow the presentation in~\cite{FIS03}. The rank-nullity theorem generalises the existing development in~\cite{AD13} (originally using type classes, now using a mix of type classes and locales). } \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{alpha} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
diff --git a/thys/VeriComp/document/root.tex b/thys/VeriComp/document/root.tex --- a/thys/VeriComp/document/root.tex +++ b/thys/VeriComp/document/root.tex @@ -1,67 +1,68 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{A Generic Framework for Verified Compilers} \author{Martin Desharnais} \maketitle \begin{abstract} This is a generic framework for formalizing compiler transformations. It leverages Isabelle/HOL’s locales to abstract over concrete languages and transformations. It states common definitions for language semantics, program behaviours, forward and backward simulations, and compilers. We provide generic operations, such as simulation and compiler composition, and prove general (partial) correctness theorems, resulting in reusable proof components. For more details, please see our paper \cite{desharnais-jfla2020}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Verified-Prover/document/root.tex b/thys/Verified-Prover/document/root.tex --- a/thys/Verified-Prover/document/root.tex +++ b/thys/Verified-Prover/document/root.tex 
@@ -1,147 +1,148 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Mechanically Verified, Efficient, Sound and Complete Theorem Prover For First Order Logic} \author{Tom Ridge} \maketitle \begin{abstract} Building on work by Wainer and Wallen, formalised by James Margetson, we present soundness and completeness proofs for a system of first order logic. The completeness proofs naturally suggest an algorithm to derive proofs. This algorithm can be implemented in a tail recursive manner. We provide the formalisation in Isabelle/HOL\@. The algorithm can be executed via the rewriting tactics of Isabelle. Alternatively, we transport the definitions to OCaml, to give a directly executable program. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex \section{Introduction} Wainer and Wallen gave soundness and completeness proofs for first order logic in \cite{Wainer:92}. This material was later formalised by James Margetson \cite{margetson99completeness}. We ported this to the current version of Isabelle in \cite{margetson04completeness}. Drawing on some of the proofs in previous versions, especially the proof of soundness for the $\forall I$ rule, we formalise modified proofs, for a related system. Implicit in \cite{Wainer:92}, and noted by Margetson in \cite{margetson99completeness}, is that the proofs of completeness suggest a constructive algorithm. We derive this algorithm, which turns out to be tail recursive, and this is the origin of our claim for efficiency. The algorithm can be executed in Isabelle using the rewriting engine. Alternatively, we provide an implementation in Ocaml. 
\section{Formalisation} % include generated text of all theories \input{session} \section{Optimisation and Extension} There are plenty of obvious optimisations. The first medium level optimisation is to avoid the recomputation of newvars by incorporating the maxvar into a sequent. At a low level, most of the list operations are just moving a pointer along a list: only FConj requires duplicating a list. Reporting ``not provable'' on obviously non-provable goals would be useful, as would a more efficient choice of witnessing terms for existentials. In terms of extensions, the obvious targets are function terms and equality. \section{OCaml Implementation} \begin{verbatim} open List;; type pred = int;; type var = int;; type form = PAtom of (pred*(var list)) | NAtom of (pred*(var list)) | FConj of form * form | FDisj of form * form | FAll of form | FEx of form ;; let rec preSuc t = match t with [] -> [] | (a::list) -> (match a with 0 -> preSuc list | sucn -> (sucn-1::preSuc list));; let rec fv t = match t with PAtom (p,vs) -> vs | NAtom (p,vs) -> vs | FConj (f,g) -> (fv f)@(fv g) | FDisj (f,g) -> (fv f)@(fv g) | FAll f -> preSuc (fv f) | FEx f -> preSuc (fv f);; let suc x = x+1;; let bump phi y = match y with 0 -> 0 | sucn -> suc (phi (sucn-1));; let rec subst r f = match f with PAtom (p,vs) -> PAtom (p,map r vs) | NAtom (p,vs) -> NAtom (p,map r vs) | FConj (f,g) -> FConj (subst r f, subst r g) | FDisj (f,g) -> FDisj (subst r f, subst r g) | FAll f -> FAll (subst (bump r) f) | FEx f -> FEx (subst (bump r) f);; let finst body w = subst (fun v -> match v with 0 -> w | sucn -> (sucn-1)) body;; let s_of_ns ns = map snd ns;; let sfv s = flatten (map fv s);; let rec maxvar t = match t with [] -> 0 | (a::list) -> max a (maxvar list);; let newvar vs = suc (maxvar vs);; let subs t = match t with [] -> [[]] | (x::xs) -> let (m,f) = x in match f with PAtom (p,vs) -> if mem (NAtom (p,vs)) (map snd xs) then [] else [xs@[(0,PAtom (p,vs))]] | NAtom (p,vs) -> if mem (PAtom (p,vs)) (map 
snd xs) then [] else [xs@[(0,NAtom (p,vs))]] | FConj (f,g) -> [xs@[(0,f)];xs@[(0,g)]] | FDisj (f,g) -> [xs@[(0,f);(0,g)]] | FAll f -> [xs@[(0,finst f (newvar (sfv (s_of_ns (x::xs)))))]] | FEx f -> [xs@[(0,finst f m);(suc m,FEx f)]];; let rec prove' l = (if l = [] then true else prove' ((fun x -> flatten (map subs x)) l));; let prove s = prove' [s];; let my_f = FDisj ( (FAll (FConj ((NAtom (0,[0])), (NAtom (1,[0])))), (FDisj ((FEx ((PAtom (1,[0])))),(FEx (PAtom (0,[0])))))));; prove [(0,my_f)];; \end{verbatim} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Verified_SAT_Based_AI_Planning/document/root.tex b/thys/Verified_SAT_Based_AI_Planning/document/root.tex --- a/thys/Verified_SAT_Based_AI_Planning/document/root.tex +++ b/thys/Verified_SAT_Based_AI_Planning/document/root.tex 
@@ -1,76 +1,78 @@ \documentclass[11pt,a4paper]{article} -\usepackage{amsmath, amssymb} +\usepackage[T1]{fontenc} +\usepackage{amsmath,amssymb} \usepackage{isabelle,isabellesym} \usepackage{verbatim} + % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage{wasysym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Verified SAT-Based AI Planning} \author{Mohammad Abdulaziz and Friedrich Kurz\footnote{Author names are alphabetically ordered.}} % \subtitle{Proof Document} % \author{M. Abdulaziz \and P. Lammich} \date{} \maketitle We present an executable formally verified SAT encoding of classical AI planning that is based on the encodings by Kautz and Selman~\cite{kautz:selman:92} and the one by Rintanen et al.~\cite{DBLP:journals/ai/RintanenHN06}. The encoding was experimentally tested and shown to be usable for reasonably sized standard AI planning benchmarks. We also use it as a reference to test a state-of-the-art SAT-based planner, showing that it sometimes falsely claims that problems have no solutions of certain lengths. The formalisation in this submission was described in an independent publication~\cite{verifiedSATPlan}. \tableofcontents \clearpage % sane default for proof documents \parindent 0pt\parskip 0.5ex \newcommand{\isaname}[1]{} % generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
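Review bot: the added empty `+` line after `\usepackage{verbatim}` and the rewrite of `\usepackage{amsmath, amssymb}` to `\usepackage{amsmath,amssymb}` in thys/Verified_SAT_Based_AI_Planning/document/root.tex are cosmetic edits unrelated to the purpose of this patch (adding `\usepackage[T1]{fontenc}` to every root.tex). Suggest restricting the hunk to the fontenc line so the diff stays uniform with the other files and easy to review, or stating the cleanup explicitly if it is intended.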
diff --git a/thys/VerifyThis2018/document/root.tex b/thys/VerifyThis2018/document/root.tex --- a/thys/VerifyThis2018/document/root.tex +++ b/thys/VerifyThis2018/document/root.tex 
@@ -1,100 +1,101 @@ \documentclass[11pt,a4paper]{book} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage{titlesec} \usepackage{amsmath,amsfonts,amsbsy,amssymb} \usepackage[scaled=.82]{beramono} \usepackage[scaled=.92]{helvet} \usepackage{mathptmx} \usepackage{t1enc,textcomp,upquote,listings} \usepackage{multicol} \lstset{basicstyle=\ttfamily,upquote,escapeinside={<@}{@>}, frame=none,showstringspaces=false,xleftmargin=\parindent, literate={À}{{\`{A}}}1 {Á}{{\'{A}}}1 {Â}{{\^{A}}}1 {Ä}{{\"{A}}}1 {Ç}{{\c{C}}}1 {È}{{\`{E}}}1 {É}{{\'{E}}}1 {Ê}{{\^{E}}}1 {Ë}{{\"{E}}}1 {Î}{{\^{I}}}1 {Ï}{{\"{I}}}1 {Ô}{{\^{O}}}1 {Ö}{{\"{O}}}1 {Ù}{{\`{U}}}1 {Û}{{\^{U}}}1 {à}{{\`{a}}}1 {á}{{\'{a}}}1 {â}{{\^{a}}}1 {ä}{{\"{a}}}1 {ç}{{\c{c}}}1 {è}{{\`{e}}}1 {é}{{\'{e}}}1 {ê}{{\^{e}}}1 {ë}{{\"{e}}}1 {î}{{\^{\i}}}1 {ï}{{\"{\i}}}1 {ô}{{\^{o}}}1 {ö}{{\"{o}}}1 {ù}{{\`{u}}}1 {û}{{\^{u}}}1 {`}{{\symbol{0}}}1 } % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \titleformat{\chapter}[display] {\normalfont\bfseries}{}{0pt}{\huge} \makeatletter \newenvironment{abstract}{% \small \begin{center}% {\bfseries Abstract\vspace{-.5em}\vspace{\z@}}% \end{center}% \quotation}{\endquotation} \makeatother \begin{document} \title{VerifyThis 2018 - Polished Isabelle Solutions} \author{Peter Lammich \and Simon Wimmer} \maketitle \begin{trivlist} \item \textbf{Abstract.} VerifyThis 2018 \url{http://www.pm.inf.ethz.ch/research/verifythis.html} was a program verification competition 
associated with ETAPS 2018. It was the 7th event in the VerifyThis competition series. In this entry, we present polished and completed versions of our solutions that we created during the competition. \end{trivlist} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/VerifyThis2019/document/root.tex b/thys/VerifyThis2019/document/root.tex --- a/thys/VerifyThis2019/document/root.tex +++ b/thys/VerifyThis2019/document/root.tex 
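Review bot: with `\usepackage[T1]{fontenc}` now loaded at the top of thys/VerifyThis2018/document/root.tex, the `t1enc` entry in the later line `\usepackage{t1enc,textcomp,upquote,listings}` is redundant, since t1enc is the old-style package that selects the same T1 font encoding. Suggest `\usepackage{textcomp,upquote,listings}` so the encoding is chosen in one place; the listings `literate` table for the accented characters does not depend on it.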
@@ -1,69 +1,70 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ \usepackage{wasysym} % for \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{VerifyThis 2019 -- Polished Isabelle Solutions} \author{Peter Lammich \and Simon Wimmer} \maketitle \begin{abstract} VerifyThis 2019 (\url{http://www.pm.inf.ethz.ch/research/verifythis.html}) was a program verification competition associated with ETAPS 2019. It was the 8th event in the VerifyThis competition series. In this entry, we present polished and completed versions of our solutions that we created during the competition. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Vickrey_Clarke_Groves/document/root.tex b/thys/Vickrey_Clarke_Groves/document/root.tex --- a/thys/Vickrey_Clarke_Groves/document/root.tex +++ b/thys/Vickrey_Clarke_Groves/document/root.tex 
@@ -1,170 +1,171 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{url} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Vickrey-Clarke-Groves (VCG) Auctions} \author{M. B. Caminati\footnote{School of Computer Science, University of Birmingham, UK}\addtocounter{footnote}{-1} \and M. Kerber\footnotemark \and C. Lange\footnote{Fraunhofer IAIS and University of Bonn, Germany, and School of Computer Science, University of Birmingham, UK} \and C. Rowat\footnote{Department of Economics, University of Birmingham, UK}} \maketitle \begin{abstract} A VCG auction (named after their inventors Vickrey, Clarke, and Groves) is a generalization of the single-good, second price Vickrey auction to the case of a combinatorial auction (multiple goods, from which any participant can bid on each possible combination). We formalize in this entry VCG auctions, including tie-breaking and prove that the functions for the allocation and the price determination are well-defined. Furthermore we show that the allocation function allocates goods only to participants, only goods in the auction are allocated, and no good is allocated twice. We also show that the price function is non-negative. These properties also hold for the automatically extracted Scala code. \end{abstract} \tableofcontents \section{Introduction} An auction mechanism is mathematically represented through a pair of functions $(a, p)$: the first describes how some given goods at stake are allocated among the bidders (also called participants or agents), while the second specifies how much each bidder pays following this allocation. Each possible output of this pair of functions is referred to as an outcome of the auction. 
Both functions take the same argument, which is another function, commonly called a bid vector $b$; it describes how much each bidder values the possible outcomes of the auction. This valuation is usually expressed through money. In this setting, some common questions are the study of the quantitative and qualitative properties of a given auction mechanism (e.g., whether it maximizes some relevant quantity, such as revenue, or whether it is efficient, that is, whether it allocates the item to the bidder who values it most), and the study of the algorithms running it (in particular, their correctness). A VCG auction (named after their inventors Vickrey, Clarke, and Groves) is a generalization of the single-good, second price Vickrey auction to the case of a combinatorial auction (multiple goods, from which any participant can bid on each possible combination). We formalize in this entry VCG auctions, including tie-breaking and prove that the functions $a$ and $p$ are well-defined. Furthermore we show that the allocation function $a$ allocates goods only to participants, only goods in the auction are allocated, and no good is allocated twice. Furthermore we show that the price function $p$ is non-negative. These properties also hold for the automatically extracted Scala code. For further details on the formalization, see \cite{ec15}. For background information on VCG auctions, see \cite{cramton}. The following files are part of the Auction Theory Toolbox (ATT)~\cite{github} developed in the ForMaRE project~\cite{formare}. 
The theories \texttt{CombinatorialAuction.thy}, \texttt{StrictCombinatorialAuction.thy} and \texttt{UniformTieBreaking.thy} contain the relevant definitions and theorems; \texttt{CombinatorialAuctionExamples.thy} and \texttt{CombinatorialAuctionCodeExtraction.thy} present simple helper definitions to run them on given examples and to export them to the Scala language, respectively; \texttt{FirstPrice.thy} shows how easy it is to adapt the definitions to the first price combinatorial auction. The remaining theories contain more general mathematical definitions and theorems. \subsection{Rationale for developing set theory as replacing one bidder in a second price auction} Throughout the whole ATT, there is a duality in the way mathematical notions are modeled: either through objects typical of lambda calculus and HOL (lambda-abstracted functions and lists, for example) or through objects typical of set theory (for example, relations, intersection, union, set difference, Cartesian product). This is possible because inside HOL, it is possible to model a simply-typed set theory which, although quite restrained if compared to, e.g., ZFC, is powerful enough for many standard mathematical purposes. ATT freely adopts one approach, the other, or a mixture thereof, depending on technical and expressive convenience. A technical discussion of this topic can be found in~\cite{cicm2014}. \subsection{Bridging} One of the differences between the approaches of functional definitions on the one hand and classical (often set-theoretical) definitions on the other hand is that, commonly (although not always), the first approach is better suited to produce Isabelle/HOL definitions which are computable (typically, inductive definitions); while the definitions from the second approach are often more general (e.g., encompassing infinite sets), closer to pen-and-paper mathematics, but also not computable. 
This means that many theorems are proved with respect to definitions of the second type, while in the end we want them to apply to definitions of the first type, because we want our theorems to hold for the code we will be actually running. Hence, bridging theorems are needed, showing that, for the limited portions of objects for which we state both kinds of definitions, they are the same. \subsection{Main theorems} The main theorems about VCG auctions are: \begin{description} \item[the definiteness theorem:] our definitions grant that there is exactly one solution; this is ensured by \texttt{vcgaDefiniteness}. \item[PairwiseDisjointAllocations:] no good is allocated to more than one participant. \item[onlyGoodsAreAllocated:] only the actually available goods are allocated. \item[the adequacy theorem:] the solution provided by our algorithm is indeed the one prescribed by standard pen-and-paper definition. \item[NonnegPrices:] no participant ends up paying a negative price (e.g., no participant receives money at the end of the auction). \item[Bridging theorems:] as discussed above, such theorems permit to apply the theorems in this list to the executable code Isabelle generates. \end{description} \subsection{Scala code extraction} Isabelle permits to generate, from our definition of VCG, Scala code to run any VCG auction. Use \texttt{CombinatorialAuctionCodeExtraction.thy} for this. This code is in the form of Scala functions which can be evaluated on any input (e.g., a bidvector) to return the resulting allocation and prices. To deploy such functions use the provided Scala wrapper (taking care of the output and including sample inputs). In order to do so, you can evaluate inside Isabelle/JEdit the file \texttt{CombinatorialAuctionCodeExtraction.thy} (position the cursor on its last line and wait for Isabelle/JEdit to end all its processing). 
This will result in the file \texttt{/dev/shm/VCG-withoutWrapper.scala}, which can be automatically appended to the wrapper by running the shell script at the end of \texttt{CombinatorialAuctionCodeExtraction.thy}. For details of how to run the Scala code see \url{http://www.cs.bham.ac.uk/research/projects/formare/vcg.php}. % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/VolpanoSmith/document/root.tex b/thys/VolpanoSmith/document/root.tex --- a/thys/VolpanoSmith/document/root.tex +++ b/thys/VolpanoSmith/document/root.tex 
@@ -1,66 +1,66 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{latexsym} \usepackage{amssymb} \usepackage{textcomp} \usepackage[english]{babel} -\usepackage[utf8]{inputenc} \usepackage{wasysym} \usepackage{graphicx} % this should be the last package used \usepackage{pdfsetup} % proper setup for best-style documents \urlstyle{rm} \isabellestyle{it} \hyphenation{Isabelle} \begin{document} \title{An Isabelle Correctness Proof for the Volpano/Smith Security Typing System} \author{Gregor Snelting and Daniel Wasserrab\\ IPD Snelting\\Universität Karlsruhe (TH)} \date{\today} \maketitle \begin{abstract} The Volpano/Smith/Irvine security type systems \cite{VolpanoSmith96} requires that variables are annotated as high (secret) or low (public), and provides typing rules which guarantee that secret values cannot leak to public output ports. This property of a program is called confidentiality. For a simple while-language without threads, our proof shows that typeability in the Volpano/Smith system guarantees noninterference. Noninterference means that if two initial states for program execution are low-equivalent, then the final states are low-equivalent as well. This indeed implies that secret values cannot leak to public ports. For more details on noninterference and security typing systems, see \cite{SabelfeldMyers03}. The proof defines an abstract syntax and operational semantics for programs, formalizes noninterference, and then proceeds by rule induction on the operational semantics. The mathematically most intricate part is the treatment of implicit flows. Note that the Volpano/Smith system is not flow-sensitive and thus quite unprecise, resulting in false alarms. However, due to the correctness property, all potential breaks of confidentiality are discovered. 
\end{abstract} \clearpage \tableofcontents \clearpage \input{session} \bibliographystyle{plain} \bibliography{root} \end{document} \ No newline at end of file diff --git a/thys/WHATandWHERE_Security/document/root.tex b/thys/WHATandWHERE_Security/document/root.tex --- a/thys/WHATandWHERE_Security/document/root.tex +++ b/thys/WHATandWHERE_Security/document/root.tex 
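Review bot: removing `-\usepackage[utf8]{inputenc}` in thys/VolpanoSmith/document/root.tex leaves the non-ASCII `ä` in `Universität Karlsruhe (TH)` in the author block relying on the LaTeX kernel's UTF-8 input default, which only exists in kernels from April 2018 onward; on an older distribution the character is mangled or produces an error. Confirm that the AFP build uses a recent enough TeX, or keep the inputenc line next to the new fontenc line. The same consideration applies to the `à` in `Edgar Gonzàlez` in the WOOT_Strong_Eventual_Consistency hunk below, which also drops inputenc. Separately, the file still ends with `\ No newline at end of file`; adding a trailing newline while the file is being edited would be a cheap cleanup.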
@@ -1,175 +1,176 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{A Formalization of Declassification with WHAT\&WHERE-Security} \author{Sylvia Grewe, Alexander Lux, Heiko Mantel, Jens Sauer} \maketitle \begin{abstract} Research in information-flow security aims at developing methods to identify undesired information leaks within programs from private sources to public sinks. Noninterference captures this intuition by requiring that no information whatsoever flows from private sources to public sinks. However, in practice this definition is often too strict: Depending on the intuitive desired security policy, the controlled declassification of certain private information (WHAT) at certain points in the program (WHERE) might not result in an undesired information leak. We present an Isabelle/HOL formalization of such a security property for controlled declassification, namely WHAT\&WHERE-security from \cite{scheduler-independent}. The formalization includes compositionality proofs for and a soundness proof for a security type system that checks for programs in a simple while language with dynamic thread creation. Our formalization of the security type system is abstract in the language for expressions and in the semantic side conditions for expressions. It can easily be instantiated with different syntactic approximations for these side conditions. The soundness proof of such an instantiation boils down to showing that these syntactic approximations imply the semantic side conditions. This Isabelle/HOL formalization uses theories from the entry Strong-Security (see proof document for details). 
\end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories %\input{session} \section{Preliminary definitions} \subsection{Type synonyms} The formalization is parametric in different aspects. Notably, it is parametric in the security lattice it supports. For better readability, we use the following type synonyms in our formalization (from the entry Strong-Security): \input{Types.tex} \section{WHAT\&WHERE-security} \subsection{Definition of WHAT\&WHERE-security} The definition of WHAT\&WHERE-security is parametric in a security lattice (\textit{'d}) and in a programming language (\textit{'com}). \input{WHATWHERE_Security.tex} \subsection{Proof technique for compositionality results} For proving compositionality results for WHAT\&WHERE-security, we formalize the following ``up-to technique'' and prove it sound: \input{Up_To_Technique.tex} \subsection{Proof of parallel compositionality} We prove that WHAT\&WHERE-security is preserved under composition of WHAT\&WHERE-secure threads. \input{Parallel_Composition.tex} \section{Example language and compositionality proofs} \subsection{Example language with dynamic thread creation} As in \cite{scheduler-independent}, we instantiate the language with a simple while language that supports dynamic thread creation via a spawn command (Multi-threaded While Language with spawn, MWLs). Note that the language is still parametric in the language used for Boolean and arithmetic expressions (\textit{'exp}). \input{MWLs.tex} \subsection{Proofs of atomic compositionality results} We prove for each atomic command of our example programming language (i.e. a command that is not composed out of other commands) that it is strongly secure if the expressions involved are indistinguishable for an observer on security level $d$. 
\input{WHATWHERE_Secure_Skip_Assign.tex} \subsection{Proofs of non-atomic compositionality results} We prove compositionality results for each non-atomic command of our example programming language (i.e. a command that is composed out of other commands): If the components are strongly secure and the expressions involved indistinguishable for an observer on security level $d$, then the composed command is also strongly secure. \input{Language_Composition.tex} \section{Security type system} \subsection{Abstract security type system with soundness proof} We formalize an abstract version of the type system in \cite{scheduler-independent} using locales \cite{conf/types/Ballarin03}. Our formalization of the type system is abstract in the sense that the rules specify abstract semantic side conditions on the expressions within a command that satisfy for proving the soundness of the rules. That is, it can be instantiated with different syntactic approximations for these semantic side conditions in order to achieve a type system for a concrete language for Boolean and arithmetic expressions. Obtaining a soundness proof for such a concrete type system then boils down to proving that the concrete type system interprets the abstract type system. We prove the soundness of the abstract type system by simply applying the compositionality results proven before. \input{Type_System.tex} \subsection{Example language for Boolean and arithmetic expressions} As and example, we provide a simple example language for instantiating the parameter \textit{'exp} for the language for Boolean and arithmetic expressions (from the entry Strong-Security). 
\input{Expr.tex} \subsection{Example interpretation of abstract security type system} Using the example instantiation of the language for Boolean and arithmetic expressions, we give an example instantiation of our abstract security type system, instantiating the parameter for domains \textit{'d} with a two-level security lattice (from the entry Strong-Security). \input{Domain_example.tex} \input{Type_System_example.tex} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/WOOT_Strong_Eventual_Consistency/document/root.tex b/thys/WOOT_Strong_Eventual_Consistency/document/root.tex --- a/thys/WOOT_Strong_Eventual_Consistency/document/root.tex +++ b/thys/WOOT_Strong_Eventual_Consistency/document/root.tex 
@@ -1,217 +1,216 @@ \documentclass[11pt,a4paper]{article} - +\usepackage[T1]{fontenc} \usepackage{algorithmicx} \usepackage{algorithm} \usepackage{algpseudocode} \usepackage{amssymb} \usepackage{graphicx} \usepackage{hyphenat} -\usepackage[utf8]{inputenc} \usepackage{isabelle} \usepackage{isabellesym} \usepackage{subfig} \usepackage{tikz} \usepackage{todonotes} \usepackage{mathtools} \usepackage{csquotes} \usepackage{authblk} \usetikzlibrary{positioning} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % This should be the last package used. \usepackage{pdfsetup} % URLs in roman style, theory text in math-similar italics. \urlstyle{rm} \isabellestyle{it} % For uniform font size. %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Strong Eventual Consistency of the Collaborative Editing Framework WOOT} \author{Emin Karayel} \author{Edgar Gonzàlez} \affil{Google, Mountain View} \maketitle % Sane default for proof documents. % \parindent 0pt\parskip 0.5ex \setlength\parindent{1em} \setlength\parskip{0.5ex} \begin{abstract} Commutative Replicated Data Types (CRDTs) are a promising new class of data structures for large-scale shared mutable content in applications that only require eventual consistency. The WithOut Operational Transforms (WOOT) framework is a CRDT for collaborative text editing introduced by Oster et al. (CSCW 2006) for which the eventual consistency property was verified only for a bounded model to date. We contribute a formal proof for WOOTs strong eventual consistency. 
\end{abstract} \tableofcontents \section{Introduction}% A \emph{Replicated (Abstract) Data Type (RDT)} consists of ``\emph{multiple copies of a shared Abstract Data Type (ADT) replicated over distributed sites, [which] provides a set of primitive operation types corresponding to that of normal ADTs, concealing details for consistency maintenance}''~\cite{roh2009optimistic}. RDTs can be classified as \emph{state-based} or \emph{operation-based} depending on whether full states (e.g., a document's text) or only the operations performed on them (e.g., character insertions and deletions) are exchanged among replicas. Operation-based RDTs are \emph{commutative} when the integration of any two concurrent operations on any reachable replica state commutes~\cite{shapiro2011conflict}. Commutative (Operation-Based) Replicated Data Types (CRDTs\footnote{Note that other authors like Shapiro et al.~\cite{shapiro2011conflict} use CmRDT to refer to Commutative RDTs, with CRDT standing for \emph{Conflict-free RDTs}.} from now on) enable sharing mutable content with optimistic replication---ensu\-ring high\hyp{}availability, responsive interaction, and eventual consistency without consensus\hyp{}ba\-sed concurrency control~\cite{letia2010consistency}. They are used in highly scalable robust distributed applications~\cite{weiss2009logoot,brown2014riak}. An RDT is \emph{eventually consistent} when, if after some point in time no further updates are made at any replica, all replicas eventually converge to equivalent states. It is \emph{strongly eventually consistent} when it is eventually consistent and, whenever any two peers have seen the same set of updates (in possibly different order), they reach equivalent states immediately~\cite{shapiro2011conflict}. The WithOut Operational Transforms (WOOT) Framework~\cite{oster2006data} was the first proposed CRDT for collaborative text editing~\cite{Briot2016}. 
It has been implemented as part of several OSS projects~\cite{dallaway2016wootjs,emanouilov2016woot,kaplan2016woot,olson2016woot}. However, the eventual consistency of WOOT has only been verified for a bounded model~\cite{oster2006data, oster2005real}. A formal proof of WOOTs consistency can rigorously establish that there is no complex counter-example not identified by model checking. The contribution of this work is one such proof that the WOOT Framework is strongly eventually consistent. Its central idea is the association of a value from a dense totally ordered space to each inserted (and potentially deleted) character, using a recursive definition with respect to the acyclic graph induced by the predecessor and successor relation of the characters. We then show that the strings in each peer remain sorted with respect to that value, i.e., that the values form a sort key for W-characters.\footnote{Note that the values themselves do not have to be actually computed, during the execution of the framework. Their existence and compatibility with the integration algorithm forms a witness for the consistency proof we are presenting.} This resolves the conjecture posed by Oster et al.~\cite[conjecture 1]{oster2005real} and is also the key lemma to establish that the WOOT Framework has the strong eventual consistency property. After reviewing related work in the following section, we formalize the WOOT Framework as a distributed application in Section~\ref{sec:wootFramework}. We follow with the complete eventual consistency proof in Section~\ref{sec:proof} and summarize the established results in Section~\ref{sec:strong_eventual_consistency}. In Section~\ref{sec:proof_outline} we given overview of the proof and follow up with a conrete formalized example in Section~\ref{sec:example}. 
The presentation is structured such that all the definitions necessary to review the established results in Section~\ref{sec:strong_eventual_consistency} are part of Section~\ref{sec:wootFramework}. This means it is possible to skip Section~\ref{sec:proof} entirely. \section{Related Work}% \label{sec:relatedWork}% The first collaborative text editing tools were based on operational transformations (OT), and introduced by Ellis and Gibbs~\cite{ellis1989concurrency}. The basic idea behind OT-based frameworks is to adjust edit operations, based on the effects of previously executed concurrent operations. For instance, in Figure~\ref{fig:otDrawing}, peer B can execute the message received from peer A without correction, but peer A needs to transform the one received from peer B to reach the same state. Proving the correctness of OT-based frameworks is error-prone and requires complicated case coverage~\cite{li2010admissibility,molli2006tombstone}. Counter-examples have been found in most OT algorithms~\cite{roh2009optimistic}\cite[section 8.2]{gomes2017verifying}. \begin{figure}[t] \centering \subfloat[Transformation-based]{\label{fig:otDrawing}% \begin{tikzpicture}[ peernode/.style={rectangle, draw=black, thick}, editnode/.style={rectangle, draw=black, fill=black!20, thick,rounded corners=.1cm}, statenode/.style={rectangle, draw=black, thick,rounded corners=.1cm}, ] % Nodes. 
\node[peernode] (peerA) at (0, 4.6) {Peer A}; \node[peernode] (peerB) at (2.4, 4.6) {Peer B}; \node[statenode] (stateA1) at (0, 3.6) {c a u s e}; \node[statenode] (stateB1) at (2.4, 3.6) {c a u s e}; \node[editnode] (editA1) at (0, 2.6) {Ins 2 l}; \node[editnode] (editB1) at (2.4, 2.6) {Ins 5 s}; \node[statenode] (stateA2) at (0, 1.8) {c l a u s e}; \node[statenode] (stateB2) at (2.4, 1.8) {c a u s e s}; \node[editnode] (editA2) at (0, 0.8) {Ins 6 s}; \node[editnode] (editB2) at (2.4, 0.8) {Ins 1 l}; \node[statenode] (stateA3) at (0, 0) {c l a u s e s}; \node[statenode] (stateB3) at (2.4, 0) {c l a u s e s}; % Lines. \draw[->] (peerA.south) -- (stateA1.north); \draw[->] (peerB.south) -- (stateB1.north); \draw[->] (stateA1.south) -- (editA1.north); \draw[->] (stateB1.south) -- (editB1.north); \draw[->] (editA1.south) -- (stateA2.north); \draw[->] (editB1.south) -- (stateB2.north); \draw[->] (stateA2.south) -- (editA2.north); \draw[->] (stateB2.south) -- (editB2.north); \draw[->] (editA2.south) -- (stateA3.north); \draw[->] (editB2.south) -- (stateB3.north); \draw[->] (editA1.east) to[out=-40,in=140] (editB2.west); \draw[->] (editB1.west) to[out=220,in=40] (editA2.east); \end{tikzpicture}} \hspace{0.5em}\vline\hspace{0.5em}% \subfloat[Sort-key based]{\label{fig:crdtDrawing}% \begin{tikzpicture}[ peernode/.style={rectangle, draw=black, thick}, editnode/.style={rectangle, draw=black, fill=black!20, thick,rounded corners=.1cm}, statenode/.style={rectangle, draw=black, thick,rounded corners=.1cm}, ] % Nodes. 
5.5 - 1.7 = 4.5 - 0.7 \node[peernode] (peerA) at (0, 4.6) {Peer A}; \node[peernode] (peerB) at (3.8, 4.6) {Peer B}; \node[statenode] (stateA1) at (0, 3.6) {$\textrm{c}_1$ $\textrm{a}_2$ $\textrm{u}_3$ $\textrm{s}_4$ $\textrm{e}_5$}; \node[statenode] (stateB1) at (3.8, 3.6) {$\textrm{c}_1$ $\textrm{a}_2$ $\textrm{u}_3$ $\textrm{s}_4$ $\textrm{e}_5$}; \node[editnode] (editA1) at (0, 2.6) {Ins 1.5 l}; \node[editnode] (editB1) at (3.8, 2.6) {Ins 6 s}; \node[statenode] (stateA2) at (0, 1.8) {$\textrm{c}_1$ $\textrm{l}_{1.5}$ $\textrm{a}_2$ $\textrm{u}_3$ $\textrm{s}_4$ $\textrm{e}_5$}; \node[statenode] (stateB2) at (3.8, 1.8) {$\textrm{c}_1$ $\textrm{a}_2$ $\textrm{u}_3$ $\textrm{s}_4$ $\textrm{e}_5$ $\textrm{s}_6$}; \node[editnode] (editA2) at (0, 0.8) {Ins 6 s}; \node[editnode] (editB2) at (3.8, 0.8) {Ins 1.5 l}; \node[statenode] (stateA3) at (0, 0) {$\textrm{c}_1$ $\textrm{l}_{1.5}$ $\textrm{a}_2$ $\textrm{u}_3$ $\textrm{s}_4$ $\textrm{e}_5$ $\textrm{s}_{6}$}; \node[statenode] (stateB3) at (3.8, 0) {$\textrm{c}_1$ $\textrm{l}_{1.5}$ $\textrm{a}_2$ $\textrm{u}_3$ $\textrm{s}_4$ $\textrm{e}_5$ $\textrm{s}_{6}$}; % Lines. \draw[->] (peerA.south) -- (stateA1.north); \draw[->] (peerB.south) -- (stateB1.north); \draw[->] (stateA1.south) -- (editA1.north); \draw[->] (stateB1.south) -- (editB1.north); \draw[->] (editA1.south) -- (stateA2.north); \draw[->] (editB1.south) -- (stateB2.north); \draw[->] (stateA2.south) -- (editA2.north); \draw[->] (stateB2.south) -- (editB2.north); \draw[->] (editA2.south) -- (stateA3.north); \draw[->] (editB2.south) -- (stateB3.north); \draw[->] (editA1.east) to[out=0,in=180] (editB2.west); \draw[->] (editB1.west) to[out=180,in=0] (editA2.east); \end{tikzpicture}} \caption{Collaborative text editing}% \end{figure}% LSEQ~\cite{nedelec2013lseq}, LOGOOT~\cite{weiss2009logoot} and TreeDoc~\cite{preguica2009commutative} are CRDTs that create and send sort keys for symbols (e.g., $1.5$ and $6$ in Figure~\ref{fig:crdtDrawing}). 
These keys can then be directly used to order them, without requiring any transformations, and are drawn from a dense totally ordered space. In the figure rational numbers were chosen for simplicity, but more commonly lexicographically ordered sequences are used.\footnote{In addition, peers draw sort keys from disjoint (but dense) subsets to avoid concurrently choosing the same sort key.} The consistency property of these frameworks can be established easily. However, the space required per sort key potentially grows linearly with the count of edit operations. In LSEQ, a randomized allocation strategy for new identifiers is used to reduce the key growth, based on empirically determined edit patterns---but in the worst-case the size of the keys will still grow linearly with the count of insert operations. Preguica et al.~\cite{preguica2009commutative} propose a solution for this problem using regular rebalancing operations. However, this can only be done using a consensus\hyp{}based mechanism, which is only possible when the number of participating peers is small. A benefit of LSEQ, LOGOOT, and TreeDoc is that deleted symbols can be garbage-collected (though delete messages may have to be kept in a buffer if the corresponding insertion message has not arrived at a peer), in contrast to the WOOT Framework, where deleted symbols (tombstones) cannot be removed. Replicated Growable Arrays (RGAs) are another data structure for collaborative editing, introduced by Roh et al.~\cite{roh2009optimistic}. Contrary to the previous approaches, the identifiers associated to the symbols are not sort keys, but are instead ordered consistently with the happened-before relation. A peer sends the identifier of the symbol immediately preceeding the new symbol at the time it was created and the actual identifier associated to the new symbol. 
The integration algorithm starts by finding the preceeding symbol and skipping following symbols with a larger identifier before placing the new symbol. The authors provide a mathematical eventual consistency proof. Recently, Gomes et. al.~\cite{gomes2017verifying} also formalized the eventual consistency property of RGAs using Isabelle/HOL. In addition to the original design of WOOT by Oster et al.~\cite{oster2006data}, a number of extensions have also been proposed. For instance, Weiss et al.~\cite{weiss2007wooki} propose a line-based version WOOTO, and Ahmed-Nacer et al.~\cite{nacer2011} introduce a second extension WOOTH which improves performance by using hash tables. The latter compare their implementation in benchmarks against LOGOOT, RGA, and an OT algorithm. To the best of our knowledge there are no publications that further expand on the correctness of the WOOT Framework. The fact that the general convergence proof is missing is also mentioned by Kumawat and Khun\-teta~\cite[Section 3.10]{kumawat2010survey}. % Generated text of all theories. \input{session} % Optional bibliography. \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/WebAssembly/document/root.tex b/thys/WebAssembly/document/root.tex --- a/thys/WebAssembly/document/root.tex +++ b/thys/WebAssembly/document/root.tex 
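Review bot: the unchanged context of the WOOT root.tex in this hunk carries several typos that are cheap to fix while the preamble is being touched: "A formal proof of WOOTs consistency" (WOOT's), "we given overview of the proof" (we give an overview), "conrete formalized example" (concrete), "immediately preceeding" and "finding the preceeding symbol" (preceding), and "Gomes et. al." (et al.). Also, the fragment "5.5 - 1.7 = 4.5 - 0.7" that follows "% Nodes." at the start of the second tikzpicture reads like a working note; if it is not on a comment line in the source it will be parsed by TikZ as a path and raise an error, so please confirm it is commented out.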
@@ -1,64 +1,65 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed \usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{WebAssembly} \author{Conrad Watt} \maketitle \begin{abstract} This is a mechanised specification of the WebAssembly language, drawn mainly from the previously published paper formalisation~\cite{Haas:2017:BWU:3062341.3062363}. Also included is a full proof of soundness of the type system, together with a verified type checker and interpreter. We include only a partial procedure for the extraction of the type checker and interpreter here. For more details, please see our paper~\cite{Watt:2018:MVW:3176245.3167082}. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Weight_Balanced_Trees/document/root.tex b/thys/Weight_Balanced_Trees/document/root.tex --- a/thys/Weight_Balanced_Trees/document/root.tex +++ b/thys/Weight_Balanced_Trees/document/root.tex 
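Review bot: the new \usepackage[T1]{fontenc} is added with no font package after it, so this document (like the other article-class ones in this series that stay on Computer Modern) will now be typeset from the EC/cm-super fonts; on a TeX installation without cm-super that means Type 3 bitmap fonts in the generated PDF. Either add \usepackage{lmodern} directly after the fontenc line or confirm that the build image ships cm-super before merging.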
@@ -1,55 +1,55 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage[T1]{fontenc} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \renewcommand{\isadigit}[1]{\ensuremath{#1}} \protected\def\isacharunderscore{\raisebox{2pt}{\_\kern-1.7pt}} \begin{document} \title{Weight-Balanced Trees} \author{Tobias Nipkow and Stefan Dirix} \maketitle \begin{abstract} This theory provides a verified implementation of weight-balanced trees following the work of Hirai and Yamamoto \cite{HiraiY11} who proved that all parameters in a certain range are valid, i.e. guarantee that insertion and deletion preserve weight-balance. Instead of a general theorem we provide parameterized proofs of preservation of the invariant that work for many (all?) valid parameters. \end{abstract} \section{Introduction} Weight-balanced trees (\emph{WB} trees) are a class of binary search trees of logarithmic height. They were invented by Nievergelt and Reingold \cite{NievergeltR72,NievergeltR73} who called them \emph{trees of bounded balance}. They are parametrized by a constant. Parameters are called \emph{valid} if they guarantee that insertion and deletion preserve the WB invariant. Blum and Mehlhorn \cite{BlumM80} later discovered that there is a flaw in Nievergelt and Reingold's analysis of valid parameters and gave a detailed correctness proof for a modified range of parameters. Adams \cite{Adams92,Adams93} considered a slightly modified version of WB trees and analyzed which parameters are valid. The Haskell libraries \texttt{Data.Set} and \texttt{Data.Map} are based on Adams' papers but it was found that the implementation did not preserve the invariant. This motivated Hirai and Yamamoto \cite{HiraiY11} to verify the valid parameter range for the original definition of WB tree formally in Coq. 
They also showed that Adams' analysis is flawed by giving a counterexample to Adams' claimed range of valid parameters. Straka \cite{Straka12} analyzes valid parameters for Adam's variant. Yet another variant of WB trees was considered by Roura \cite{Roura01}. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Well_Quasi_Orders/document/root.tex b/thys/Well_Quasi_Orders/document/root.tex --- a/thys/Well_Quasi_Orders/document/root.tex +++ b/thys/Well_Quasi_Orders/document/root.tex 
@@ -1,52 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Well-Quasi-Orders} \author{Christian Sternagel\thanks{% The research was funded by the Austrian Science Fund (FWF): J3202.}} \maketitle \begin{abstract} Based on Isabelle/HOL's type class for preorders, we introduce a type class for well-quasi-orders (wqo) which is characterized by the absence of ``bad'' sequences (our proofs are along the lines of the proof of Nash-Williams \cite{N1963}, from which we also borrow terminology). Our main results are instantiations for the product type, the list type, and a type of finite trees, which (almost) directly follow from our proofs of (1) Dickson's Lemma, (2) Higman's Lemma, and (3) Kruskal's Tree Theorem. More concretely: \begin{enumerate} \item If the sets $A$ and $B$ are wqo then their Cartesian product is wqo. \item If the set $A$ is wqo then the set of finite lists over $A$ is wqo. \item If the set $A$ is wqo then the set of finite trees over $A$ is wqo. \end{enumerate} \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} % optional bibliography \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/Winding_Number_Eval/document/root.tex b/thys/Winding_Number_Eval/document/root.tex --- a/thys/Winding_Number_Eval/document/root.tex +++ b/thys/Winding_Number_Eval/document/root.tex 
@@ -1,36 +1,37 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amsmath} \usepackage{amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Evaluate Winding Numbers through Cauchy Indices} \author{Wenda Li} \maketitle \begin{abstract} In complex analysis, the winding number measures the number of times a path (counterclockwise) winds around a point, while the Cauchy index can approximate how the path winds. This entry provides a formalisation of the Cauchy index, which is then shown to be related to the winding number. In addition, this entry also offers a tactic that enables users to evaluate the winding number by calculating Cauchy indices. The connection between the winding number and the Cauchy index can be found in the literature \cite{eisermann2012fundamental} \cite[Chapter 11]{rahman2002analytic}. \end{abstract} %\tableofcontents % include generated text of all theories \input{session} \section{Acknowledgements} The work was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178), funded by the European Research Council and led by Professor Lawrence Paulson at the University of Cambridge, UK. \bibliographystyle{abbrv} \bibliography{root} \end{document} diff --git a/thys/Word_Lib/document/root.tex b/thys/Word_Lib/document/root.tex --- a/thys/Word_Lib/document/root.tex +++ b/thys/Word_Lib/document/root.tex 
@@ -1,51 +1,52 @@ % % Copyright 2020, Data61, CSIRO (ABN 41 687 119 230) % % SPDX-License-Identifier: CC-BY-SA-4.0 % \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{tt} \begin{document} \title{Finite Machine Word Library} \author{Joel Beeren, Sascha Böhme, Matthew Fernandez, Xin Gao, Gerwin Klein, Rafal Kolanski,\\ Japheth Lim, Corey Lewis, Daniel Matichuk, Thomas Sewell} \maketitle \begin{abstract} This entry contains an extension to the Isabelle library for fixed-width machine words. In particular, the entry adds printing as hexadecimals, additional operations, reasoning about alignment, signed words, enumerations of words, normalisation of word numerals, and an extensive library of properties about generic fixed-width words, as well as an instantiation of many of these to the commonly used 32 and 64-bit bases. In addition to the listed authors, the entry contains contributions by Nelson Billing, Andrew Boyton, Matthew Brecknell, Cornelius Diekmann, Peter Gammie, Gianpaolo Gioiosa, David Greenaway, Lars Noschinski, Sean Seefried, and Simon Winwood. \end{abstract} \tableofcontents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/WorkerWrapper/document/root.tex b/thys/WorkerWrapper/document/root.tex --- a/thys/WorkerWrapper/document/root.tex +++ b/thys/WorkerWrapper/document/root.tex 
@@ -1,81 +1,82 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{mathpartir} % Commuting diagrams \usepackage{pb-diagram} \usepackage{haskell} \usepackage{natbib} \bibpunct();A{}, \let\cite=\citep \newcommand{\isasymnotsqsubseteq}{\isamath{\not\sqsubseteq}} \usepackage{amssymb} \newcommand{\isafun}[1]{{\sf #1}} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Mechanising the worker/wrapper transformation} \author{Peter Gammie} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \section{Introduction} This mechanisation of the worker/wrapper theory of \citet{GillHutton:2009} was carried out in Isabelle/HOLCF \citep{HOLCF:1999, DBLP:conf/tphol/Huffman09}. It accompanies \citet{Gammie:2011}. The reader should note that $oo$ stands for function composition, $\Lambda \_ . \_$ for continuous function abstraction, $\_\cdot\_$ for continuous function application, \textbf{domain} for recursive-datatype definition. % generated text of all theories \input{session} \section{Concluding remarks} Gill and Hutton provide two examples of fusion: accumulator introduction in their \S4, and the transformation in their \S7 of an interpreter for a language with exceptions into one employing continuations. Both involve strict \s and are indeed totally correct. The example in their \S5 demonstrates the unboxing of numerical computations using a different worker/wrapper rule and does not require fusion. In their \S6 a non-strict \ is used to memoise functions over the natural numbers using the rule considered here. It should in fact use the same rule as the unboxing example as the scheme only correctly memoises strict functions. 
We can see this by considering a base case missing from their inductive proof, viz that if \ is not strict -- in fact constant, as \ is a flat domain -- then \, where \ is the $n$th element of $xs$. % optional bibliography \addcontentsline{toc}{section}{Bibliography} %\nocite{*} \bibliographystyle{plainnat} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/XML/document/root.tex b/thys/XML/document/root.tex --- a/thys/XML/document/root.tex +++ b/thys/XML/document/root.tex @@ -1,42 +1,43 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % this should be the last package used \usepackage{pdfsetup} \usepackage[english]{babel} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{Xml\thanks{This research is supported by FWF (Austrian Science Fund) projects J3202 and P22767.}} \author{Christian Sternagel and Ren\'e Thiemann} \maketitle \begin{abstract} This entry provides an ``XML library'' for Isabelle/HOL. This includes parsing and pretty printing of XML trees as well as combinators for transforming XML trees into arbitrary user-defined data. The main contribution of this entry is an interface (fit for code generation) that allows for communication between verified programs formalized in Isabelle/HOL and the outside world via XML. This library was developed as part of the IsaFoR/CeTA project to which we refer for examples of its usage. \end{abstract} \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \input{session} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/ZFC_in_HOL/document/root.tex b/thys/ZFC_in_HOL/document/root.tex --- a/thys/ZFC_in_HOL/document/root.tex +++ b/thys/ZFC_in_HOL/document/root.tex 
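Review bot: in the XML preamble, \usepackage[english]{babel} is still loaded after \usepackage{pdfsetup}, which contradicts the "% this should be the last package used" comment directly above pdfsetup; since this hunk already reorders the preamble, move the babel line above pdfsetup so that babel's language setup precedes the hyperref configuration that pdfsetup performs.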
@@ -1,64 +1,64 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} - \usepackage{amssymb} \usepackage{stmaryrd} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \begin{document} \title{Zermelo Fraenkel Set Theory in Higher-Order Logic} \author{Lawrence C. Paulson\\ Computer Laboratory\\ University of Cambridge} \maketitle \begin{abstract} This entry is a new formalisation of ZFC set theory in Isabelle/HOL\@. It is logically equivalent to Obua's HOLZF~\cite{obua-partizan-games}; the point is to have the closest possible integration with the rest of Isabelle/HOL, minimising the amount of new notations and exploiting type classes. There is a type \isa{V} of sets and a function \isa{elts :: V\ {\isasymRightarrow}\ V\ set} mapping a set to its elements. Classes simply have type \isa{V\ set}, and the predicate \isa{small} identifies those classes that correspond to actual sets. Type classes connected with orders and lattices are used to minimise the amount of new notation for concepts such as the subset relation, union and intersection. Basic concepts are formalised: Cartesian products, disjoint sums, natural numbers, functions, etc. More advanced set-theoretic concepts, such as transfinite induction, ordinals, cardinals and the transitive closure of a set, are also provided. The definition of addition and multiplication for general sets (not just ordinals) follows Kirby \cite{kirby-addition}. The development includes essential results about cardinal arithmetic. It also develops ordinal exponentiation, Cantor normal form and the concept of indecomposable ordinals. There are numerous results about order types. 
The theory provides two type classes with the aim of facilitating developments that combine \isa{V} with other Isabelle/HOL types: \isa{embeddable}, the class of types that can be injected into~\isa{V} (including \isa{V} itself as well as \isa{V*V}, \isa{V\ list}, etc.), and \isa{small}, the class of types that correspond to some ZF set. \end{abstract} \newpage \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex % generated text of all theories \newpage \input{session} \section{Acknowledgements} The author was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council. \bibliographystyle{abbrv} \bibliography{root.bib} \end{document} diff --git a/thys/Zeta_3_Irrational/document/root.tex b/thys/Zeta_3_Irrational/document/root.tex --- a/thys/Zeta_3_Irrational/document/root.tex +++ b/thys/Zeta_3_Irrational/document/root.tex @@ -1,37 +1,38 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Irrationality of $\zeta(3)$} \author{Manuel Eberl} \maketitle \begin{abstract} This article provides a formalisation of Beukers's straightforward analytic proof~\cite{beukers} that $\zeta(3)$ is irrational. This was first proven by Ap\'{e}ry~\cite{apery} (which is why this result is also often called `Ap\'{e}ry's Theorem') using a more algebraic approach. This formalisation follows Filaseta's presentation of Beukers's proof~\cite{filaseta}. \end{abstract} \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: 
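Review bot: the whitespace-only rewrite to \usepackage{amsfonts,amsmath,amssymb} in the Zeta_3_Irrational hunk is harmless, but since the line is being touched anyway: amssymb already loads amsfonts, so amsfonts is redundant there and can be dropped (the same applies to the identical line in the Zeta_Function preamble).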
diff --git a/thys/Zeta_Function/document/root.tex b/thys/Zeta_Function/document/root.tex --- a/thys/Zeta_Function/document/root.tex +++ b/thys/Zeta_Function/document/root.tex @@ -1,52 +1,53 @@ \documentclass[11pt,a4paper]{article} +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} -\usepackage{amsfonts, amsmath, amssymb} +\usepackage{amsfonts,amsmath,amssymb} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{The Hurwitz and Riemann $\zeta$ functions} \author{Manuel Eberl} \maketitle \begin{abstract} This entry builds upon the results about formal and analytic Dirichlet series to define the Hurwitz $\zeta$ function $\zeta(a,s)$ and, based on that, the Riemann $\zeta$ function $\zeta(s)$. This is done by first defining them for $\mathfrak{R}(z) > 1$ and then successively extending the domain to the left using the Euler--MacLaurin formula. Apart from the most basic facts such as analyticity, the following results are provided: \begin{itemize} \item the Stieltjes constants and the Laurent expansion of $\zeta(s)$ at $s = 1$ \item the non-vanishing of $\zeta(s)$ for $\mathfrak{R}(s)\geq 1$ \item the relationship between $\zeta(a,s)$ and $\Gamma$ \item the special values at negative integers and positive even integers \item Hurwitz's formula and the reflection formula for $\zeta(s)$ \item the Hadjicostas--Chapman formula~\cite{chapman2004,hadjicostas2004} \end{itemize} The entry also contains Euler's analytic proof of the infinitude of primes, based on the fact that $\zeta(s)$ has a pole at $s = 1$. \end{abstract} \newpage \tableofcontents \newpage \parindent 0pt\parskip 0.5ex \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End: diff --git a/thys/pGCL/document/root.tex b/thys/pGCL/document/root.tex --- a/thys/pGCL/document/root.tex 
+++ b/thys/pGCL/document/root.tex 
@@ -1,109 +1,106 @@ \RequirePackage{luatex85} \documentclass[11pt,a4paper]{book} - +\usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage[english]{babel} \usepackage{natbib} \usepackage{times} \usepackage{amsmath} \usepackage{amssymb} \usepackage[only,bigsqcap]{stmaryrd} -\usepackage[T1]{fontenc} -\usepackage[utf8]{inputenc} \usepackage[all]{xy} -\usepackage{lmodern} \usepackage[pdftex,colorlinks=true,linkcolor=blue]{hyperref} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \renewcommand{\chapterautorefname}{Chapter} \renewcommand{\sectionautorefname}{Section} \renewcommand{\subsectionautorefname}{Section} \renewcommand{\subsubsectionautorefname}{Section} \renewcommand{\appendixautorefname}{Appendix} \renewcommand{\Hfootnoteautorefname}{Footnote} \newcommand{\lemmaautorefname}{Lemma} \newcommand{\definitionautorefname}{Definition} \frontmatter \title{pGCL for Isabelle} \author{David Cock} \maketitle \tableofcontents % sane default for proof documents \parindent 0pt\parskip 0.5ex \mainmatter \chapter{Overview} pGCL is both a programming language and a specification language that incorporates both probabilistic and nondeterministic choice, in a unified manner. Program verification is by \emph{refinement} or \emph{annotation} (or both), using either Hoare triples, or weakest-precondition entailment, in the style of GCL \citep{Dijkstra_75}. This document is divided into three parts: \autoref{c:intro} gives a tutorial-style introduction to pGCL, and demonstrates the tools provided by the package; \autoref{c:semantics} covers the development of the semantic interpretation: \emph{expectation transformers}; and \autoref{c:language} covers the formalisation of the language primitives, the associated \emph{healthiness} results, and the tools for structured and automated reasoning. This second part follows the technical development of the pGCL theory package, in detail. 
It is not a great place to start learning pGCL. For that, see either the tutorial or \citet{McIver_M_04}. This formalisation was first presented (as an overview) in \citet{Cock_12}. The language has previously been formalised in HOL4 by \citet{Hurd_05}. Two substantial results using this package were presented in \citet{Cock_13}, \citet{Cock_14} and \citet{Cock_14a}. \chapter{Introduction to pGCL} \label{c:intro} \input{Primitives} \input{LoopExamples} \input{Monty} \chapter{Semantic Structures} \label{c:semantics} \input{Expectations} \input{Transformers} \input{Induction} \chapter{The pGCL Language} \label{c:language} \input{Embedding} \input{Healthiness} \input{Continuity} \input{LoopInduction} \input{Sublinearity} \input{Determinism} \input{WellDefined} \input{Loops} \input{Algebra} \input{StructuredReasoning} \input{Termination} \input{Automation} \backmatter \chapter{Additional Material} \label{c:additional} \input{Misc} \bibliographystyle{plainnat} \bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End:
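Review bot: removing \usepackage{lmodern} in the pGCL hunk changes the body font, not just the preamble: \usepackage{times} sets the roman default to Times, but lmodern, loaded after it, overrode that with Latin Modern, so the book was previously typeset in Latin Modern and will now come out in Times. If Latin Modern was the intended look, keep lmodern (placed after the new fontenc line) or drop times as well; if Times is intended, the font change should be mentioned in the commit message. Dropping \usepackage[utf8]{inputenc} is fine here, since \RequirePackage{luatex85} indicates a LuaTeX build, where inputenc is unnecessary on a UTF-8 engine.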