diff --git a/thys/AnselmGod/document/root.bib b/thys/AnselmGod/document/root.bib
--- a/thys/AnselmGod/document/root.bib
+++ b/thys/AnselmGod/document/root.bib
@@ -1,1485 +1,1485 @@ @inproceedings{benzmuller_automating_2013, title = {Automating {Quantified} {Conditional} {Logics} in {HOL}.}, url = {http://page.mi.fu-berlin.de/cbenzmueller/papers/2013-IJCAI-Poster.pdf}, urldate = {2016-10-25}, booktitle = {{IJCAI}}, author = {Benzmüller, Christoph}, year = {2013}, pages = {746--753}, file = {[PDF] fu-berlin.de:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/QQPPRPQ6/Benzmüller - 2013 - Automating Quantified Conditional Logics in HOL..pdf:application/pdf} } @article{gratzl_incomplete_2015, - title = {Incomplete {Symbols} — {Definite} {Descriptions} {Revisited}}, + title = {Incomplete {Symbols} --- {Definite} {Descriptions} {Revisited}}, volume = {44}, issn = {0022-3611, 1573-0433}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s10992-014-9339-1}, doi = {10.1007/s10992-014-9339-1}, abstract = {We investigate incomplete symbols, i.e. definite descriptions with scope-operators. Russell famously introduced definite descriptions by contextual definitions; in this article definite descriptions a}, language = {en}, number = {5}, urldate = {2017-03-01}, journal = {Journal of Philosophical Logic}, author = {Gratzl, Norbert}, month = oct, year = {2015}, pages = {489--506}, - file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/6C3WU9PE/Gratzl - 2015 - Incomplete Symbols — Definite Descriptions Revisit.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/ANZAXKIG/10.html:text/html} + file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/6C3WU9PE/Gratzl - 2015 - Incomplete Symbols --- Definite Descriptions Revisit.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/ANZAXKIG/10.html:text/html} } @inproceedings{alama_automating_2015, address 
= {Berlin}, title = {Automating {Leibniz}'s {Theory} of {Concepts}}, url = {https://link.springer.com/chapter/10.1007/978-3-319-21401-6_4}, abstract = {Our computational metaphysics group describes its use of automated reasoning tools to study Leibniz’s theory of concepts. We start with a reconstruction of Leibniz’s theory within the theory of abstract objects (henceforth ‘object theory’). Leibniz’s theory of concepts, under this reconstruction, has a non-modal algebra of concepts, a concept-containment theory of truth, and a modal metaphysics of complete individual concepts. We show how the object-theoretic reconstruction of these components of Leibniz’s theory can be represented for investigation by means of automated theorem provers and finite model builders. The fundamental theorem of Leibniz’s theory is derived using these tools.}, language = {en}, urldate = {2017-03-01}, booktitle = {Automated {Deduction} - {CADE}-25}, publisher = {Springer}, author = {Alama, Jesse and Oppenheimer, Paul and Zalta, Edward}, month = aug, year = {2015}, note = {DOI: 10.1007/978-3-319-21401-6\_4}, pages = {73--97}, file = {cade.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/9HQN5N53/cade.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/V5X5ECBB/978-3-319-21401-6_4.html:text/html} } @incollection{thion_general_2002, series = {Lecture {Notes} in {Computer} {Science}}, title = {A {General} {Theorem} {Prover} for {Quantified} {Modal} {Logics}}, copyright = {©2002 Springer-Verlag Berlin Heidelberg}, isbn = {978-3-540-43929-5 978-3-540-45616-2}, url = {http://link.springer.com.libproxy1.nus.edu.sg/chapter/10.1007/3-540-45616-3_19}, abstract = {The main contribution of this work is twofold. 
It presents a modular tableau calculus, in the free-variable style, treating the main domain variants of quantified modal logic and dealing with languages where rigid and non-rigid designation can coexist. The calculus uses, to this end, light and simple semantical annotations. Such a general proof-system results from the fusion into a unified framework of two calculi previously defined by the second and third authors. Moreover, the work presents a theorem prover, called GQML-Prover, based on such a calculus, which is accessible in the Internet. The fair deterministic proof-search strategy used by the prover is described and illustrated via a meaningful example.}, language = {en}, number = {2381}, urldate = {2016-10-09}, booktitle = {Automated {Reasoning} with {Analytic} {Tableaux} and {Related} {Methods}}, publisher = {Springer Berlin Heidelberg}, author = {Thion, V. and Cerrito, S. and Mayer, Marta Cialdea}, editor = {Egly, Uwe and Fermüller, Chritian G.}, month = jul, year = {2002}, note = {DOI: 10.1007/3-540-45616-3\_19}, keywords = {Artificial Intelligence (incl. Robotics), Mathematical Logic and Formal Languages, Programming Techniques, Software Engineering}, pages = {266--280}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/97CQFSVK/Thion et al. - 2002 - A General Theorem Prover for Quantified Modal Logi.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/35372XV2/Thion et al. 
- 2002 - A General Theorem Prover for Quantified Modal Logi.html:text/html} } @article{norby_against_2014, title = {Against {Fragmentation}}, volume = {3}, copyright = {© 2014 Wiley Periodicals, Inc and the Northern Institute of Philosophy}, issn = {2161-2234}, url = {http://onlinelibrary.wiley.com.libproxy1.nus.edu.sg/doi/10.1002/tht3.110/abstract}, doi = {10.1002/tht3.110}, - abstract = {I criticize the idea that theories of ‘fragmented’ or ‘compartmentalized’ belief (as found in, e.g., Lewis 1982, Egan 2008) can help to account for the puzzling phenomena they are often taken to account for. After introducing fragmentationalism and a paradigm case that purportedly motivates it, I criticize the view primarily on the grounds that the models and explanations it offers are at best trivial—as witnessed by examples of over-generation—and should be seen as merely re-describing in figurative terms the phenomena it is designed to account for. I also point out that fragments, as used in these theories, are not likely to be psychologically real in any robust sense and so cannot be appealed to on such grounds.}, + abstract = {I criticize the idea that theories of ‘fragmented’ or ‘compartmentalized’ belief (as found in, e.g., Lewis 1982, Egan 2008) can help to account for the puzzling phenomena they are often taken to account for. After introducing fragmentationalism and a paradigm case that purportedly motivates it, I criticize the view primarily on the grounds that the models and explanations it offers are at best trivial---as witnessed by examples of over-generation---and should be seen as merely re-describing in figurative terms the phenomena it is designed to account for. 
I also point out that fragments, as used in these theories, are not likely to be psychologically real in any robust sense and so cannot be appealed to on such grounds.}, language = {en}, number = {1}, urldate = {2014-11-25}, journal = {Thought: A Journal of Philosophy}, author = {Norby, Aaron}, month = mar, year = {2014}, keywords = {belief, compartmentalization, fragmentation, psychological explanation, rationality}, pages = {30--38}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/FKMGWE2C/Norby - 2014 - Against Fragmentation.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/U9W5G982/Norby - 2014 - Against Fragmentation.html:text/html} } @article{gustafsson_money-pump_2010, title = {A {Money}-{Pump} for {Acyclic} {Intransitive} {Preferences}}, volume = {64}, issn = {1746-8361}, url = {http://onlinelibrary.wiley.com.libproxy1.nus.edu.sg/doi/10.1111/j.1746-8361.2010.01230.x/abstract}, doi = {10.1111/j.1746-8361.2010.01230.x}, abstract = {The standard argument for the claim that rational preferences are transitive is the pragmatic money-pump argument. However, a money-pump only exploits agents with cyclic strict preferences. In order to pump agents who violate transitivity but without a cycle of strict preferences, one needs to somehow induce such a cycle. Methods for inducing cycles of strict preferences from non-cyclic violations of transitivity have been proposed in the literature, based either on offering the agent small monetary transaction premiums or on multi-dimensional preferences. 
This paper argues that previous proposals have been flawed and presents a new approach based on the dominance principle.}, language = {en}, number = {2}, urldate = {2016-11-16}, journal = {Dialectica}, author = {Gustafsson, Johan E.}, month = jun, year = {2010}, pages = {251--257}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/UEJQHI3G/Gustafsson - 2010 - A Money-Pump for Acyclic Intransitive Preferences.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/JPE9RXP4/abstract\;jsessionid=539AA6E7134562AFBAA6ECDD380F6A7F.html:text/html} } @article{russell_denoting_1905, title = {On {Denoting}}, volume = {14}, issn = {0026-4423}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2248381}, number = {56}, urldate = {2017-02-28}, journal = {Mind}, author = {Russell, Bertrand}, year = {1905}, pages = {479--493}, file = {2248381.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/547QTU4A/2248381.pdf:application/pdf} } @incollection{dorsch_limits_2014, title = {The {Limits} of {Aesthetic} {Empiricism}}, booktitle = {Aesthetics and the {Sciences} of {Mind}}, publisher = {Oxford University Press}, author = {Dorsch, Fabian}, editor = {Currie, Gregory and Kieran, Matthew and Meskin, Aaron and Robson, Jon}, year = {2014}, pages = {75--100}, file = {DORTLO-7.1.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/HT8TDTE4/DORTLO-7.1.pdf:application/pdf;PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/QNQ3UUMW/undefined.html:text/html} } @article{garbacz_digitalizacja_2016, title = {Digitalizacja filozofii formalnej}, volume = {24}, issn = {1230-6894}, url = {https://www.ceeol.com/search/article-detail?id=470577}, language = {Polish}, number = {4 (96)}, urldate = {2017-03-01}, journal = {Filozofia Nauki}, author = 
{Garbacz, Paweł}, year = {2016}, pages = {27--47}, file = {Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/N47KWP2P/article-detail.html:text/html} } @book{szatkowski_ontological_2013, address = {Berlin, Boston}, title = {Ontological {Proofs} {Today}}, isbn = {978-3-11-032588-1}, url = {https://www.degruyter.com/viewbooktoc/product/209124}, language = {ENGL}, urldate = {2017-02-27}, publisher = {De Gruyter}, author = {Szatkowski, Miroslaw}, year = {2013}, note = {DOI: 10.1515/9783110325881}, file = {[Miroslaw_Szatkowski]_Ontological_Proofs_Today(BookZZ.org).pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/QVSWW62M/[Miroslaw_Szatkowski]_Ontological_Proofs_Today(BookZZ.org).pdf:application/pdf} } @book{mcclennen_rationality_1990, title = {Rationality and {Dynamic} {Choice}: {Foundational} {Explorations}}, shorttitle = {Rationality and {Dynamic} {Choice}}, publisher = {Cambridge University Press}, author = {McClennen, Edward F.}, year = {1990}, file = {[Edward_F._McClennen]_Rationality_and_Dynamic_Choi(BookZZ.org).pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/SFVRD8GP/[Edward_F._McClennen]_Rationality_and_Dynamic_Choi(BookZZ.org).pdf:application/pdf;PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/AS4CKMF5/undefined.html:text/html} } @book{williamson_modal_2013, address = {Oxford, New York}, title = {Modal {Logic} as {Metaphysics}}, isbn = {978-0-19-955207-8}, abstract = {Are there such things as merely possible people, who would have lived if our ancestors had acted differently? Are there future people, who have not yet been conceived? Questions like those raise deep issues about both the nature of being and its logical relations with contingency and change. 
In Modal Logic as Metaphysics, Timothy Williamson argues for positive answers to those questions on the basis of an integrated approach to the issues, applying the technical resources of modal logic to provide structural cores for metaphysical theories. He rejects the search for a metaphysically neutral logic as futile. The book contains detailed historical discussion of how the metaphysical issues emerged in the twentieth century development of quantified modal logic, through the work of such figures as Rudolf Carnap, Ruth Barcan Marcus, Arthur Prior, and Saul Kripke. It proposes higher-order modal logic as a new setting in which to resolve such metaphysical questions scientifically, by the construction of systematic logical theories embodying rival answers and their comparison by normal scientific standards. Williamson provides both a rigorous introduction to the technical background needed to understand metaphysical questions in quantified modal logic and an extended argument for controversial, provocative answers to them. 
He gives original, precise treatments of topics including the relation between logic and metaphysics, the methodology of theory choice in philosophy, the nature of possible worlds and their role in semantics, plural quantification compared to quantification into predicate position, communication across metaphysical disagreement, and problems for truthmaker theory.}, publisher = {Oxford University Press}, author = {Williamson, Timothy}, month = may, year = {2013}, file = {Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/962F9J3X/modal-logic-as-metaphysics-9780199552078.html:text/html;[Timothy_Williamson]_Modal_Logic_as_Metaphysics(BookZZ.org).pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/PTQM6X6E/[Timothy_Williamson]_Modal_Logic_as_Metaphysics(BookZZ.org).pdf:application/pdf} } @incollection{graham_aesthetic_2006, title = {Aesthetic {Empiricism} and the {Challenge} of {Fakes} and {Ready}-{Mades}}, booktitle = {Contemporary {Debates} in {Aesthetics} and the {Philosophy} of {Art}}, publisher = {Blackwell Pub.}, author = {Graham, Gordon}, editor = {Kieran, Matthew}, year = {2006}, pages = {11--21}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/69F6AAVP/undefined.html:text/html} } @article{bjordal_understanding_1999, title = {Understanding {Gödel}'s {Ontological} {Argument}}, url = {https://www.duo.uio.no/handle/10852/24476}, urldate = {2016-10-25}, author = {Bjørdal, Frode}, year = {1999}, file = {[PDF] uio.no:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/XN6D592B/Bjørdal - 1999 - Understanding Gödel's Ontological Argument.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/DJR5CW9X/24476.html:text/html} } @incollection{gibbard_counterfactuals_1978, series = {The {University} of {Western} {Ontario} 
{Series} in {Philosophy} of {Science}}, title = {Counterfactuals and {Two} {Kinds} of {Expected} {Utility}}, copyright = {©1981 Springer Science+Business Media B.V.}, isbn = {978-90-277-1220-2 978-94-009-9117-0}, url = {http://link.springer.com.libproxy1.nus.edu.sg/chapter/10.1007/978-94-009-9117-0_8}, abstract = {We begin with a rough theory of rational decision-making. In the first place, rational decision-making involves conditional propositions: when a person weighs a major decision, it is rational for him to ask, for each act he considers, what would happen if he performed that act. It is rational, then, for him to consider propositions of the form ‘If I were to do a, then c would happen’. Such a proposition we shall call a counterfactual, and we shall form counterfactuals with a connective ‘☐→' on this pattern: ‘If I were to do a, then c would happen’ is to be written ‘I do a ‘☐→' c happens’.}, language = {en}, number = {15}, urldate = {2015-06-08}, booktitle = {{IFS}}, publisher = {Springer Netherlands}, author = {Gibbard, Allan and Harper, William L.}, editor = {Harper, William L. and Stalnaker, Robert and Pearce, Glenn}, year = {1978}, keywords = {Philosophy of Language, Philosophy of Science}, pages = {153--190}, file = {Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/WUAN3ZSR/978-94-009-9117-0_8.html:text/html} } @article{peterson_prospectism_2015, title = {Prospectism and the weak money pump argument}, volume = {78}, issn = {0040-5833, 1573-7187}, url = {http://link.springer.com.libproxy1.nus.edu.sg/article/10.1007/s11238-014-9435-2}, doi = {10.1007/s11238-014-9435-2}, abstract = {Hare (Analysis 70:237–247, 2010) proposes a view he calls prospectism for making choices in situations in which preferences have a common, but problematic structure. I show that prospectism permits the decision-maker to make a series of choices she knows in advance will lead to a sure loss. 
I also argue that a theory that permits the decision-maker to make choices she knows in advance will lead to a sure loss should be rejected.}, language = {en}, number = {3}, urldate = {2016-11-16}, journal = {Theory and Decision}, author = {Peterson, Martin}, month = mar, year = {2015}, pages = {451--456}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/E866DFMC/Peterson - 2015 - Prospectism and the weak money pump argument.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/BPAF8Q7G/10.html:text/html} } @article{temkin_continuum_1996, title = {A {Continuum} {Argument} for {Intransitivity}}, volume = {25}, copyright = {Copyright © 1996 Wiley}, issn = {0048-3915}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2961924}, number = {3}, urldate = {2015-05-01}, journal = {Philosophy \& Public Affairs}, author = {Temkin, Larry S.}, month = jul, year = {1996}, pages = {175--210}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/MWW55M7F/Temkin - 1996 - A Continuum Argument for Intransitivity.pdf:application/pdf} } @inproceedings{benzmuller_computer-assisted_2015, title = {Computer-assisted analysis of the {Anderson}-{Hájek} ontological controversy}, url = {https://www.researchgate.net/profile/Christoph_Benzmueller/publication/271584989_COMPUTER-ASSISTED_ANALYSIS_OF_THE_ANDERSON-HJEK_ONTOLOGICAL_CONTROVERSY/links/54ccc0360cf29ca810f5a1c1.pdf}, urldate = {2016-10-25}, booktitle = {Handbook of the 1st {World} {Congress} on {Logic} and {Religion}, {Joao} {Pessoa}, {Brasil}}, author = {Benzmüller, Christoph and Weber, Leon and Paleo, B. Woltzenlogel}, year = {2015}, pages = {53--54}, file = {[PDF] fu-berlin.de:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/3XU8GQ9A/Benzmüller et al. 
- 2015 - Computer-assisted analysis of the Anderson-Hájek o.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/6VPPF7EW/54ccc0360cf29ca810f5a1c1.pdf:application/pdf} } @article{temkin_intransitivity_1999, title = {Intransitivity and the {Person}-{Affecting} {Principle}: {A} {Response}}, volume = {59}, copyright = {Copyright © 1999 International Phenomenological Society}, issn = {0031-8205}, shorttitle = {Intransitivity and the {Person}-{Affecting} {Principle}}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2653796}, doi = {10.2307/2653796}, number = {3}, urldate = {2015-05-01}, journal = {Philosophy and Phenomenological Research}, author = {Temkin, Larry S.}, month = sep, year = {1999}, pages = {777--784}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/NZIPRPH5/Temkin - 1999 - Intransitivity and the Person-Affecting Principle.pdf:application/pdf} } @article{fitelson_steps_2007, title = {Steps {Toward} a {Computational} {Metaphysics}}, volume = {36}, url = {http://link.springer.com/article/10.1007/s10992-006-9038-7}, number = {2}, urldate = {2016-10-25}, journal = {Journal of Philosophical Logic}, author = {Fitelson, Branden and Zalta, Edward N.}, year = {2007}, pages = {227--247}, file = {[PDF] researchgate.net:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/VDN8IPIA/Fitelson and Zalta - 2007 - Steps toward a computational metaphysics.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/SI8X8XWJ/s10992-006-9038-7.html:text/html} } @article{smith_perceptual_2017, title = {The perceptual categorisation of blended and single malt {Scotch} whiskies}, volume = {6}, copyright = {2017 The Author(s).}, issn = {2044-7248}, url = {http://flavourjournal.biomedcentral.com.libproxy1.nus.edu.sg/articles/10.1186/s13411-017-0056-x}, doi = 
{10.1186/s13411-017-0056-x}, abstract = {Although most Scotch whisky is blended from different casks, a firm distinction exists in the minds of consumers and in the marketing of Scotch between single malts and blended whiskies. Consumers are offered cultural, geographical and production reasons to treat Scotch whiskies as falling into the categories of blends and single malts. There are differences in the composition, method of distillation and origin of the two kinds of bottled spirits. But does this category distinction correspond to a perceptual difference detectable by whisky drinkers? Do experts and novices show differences in their perceptual sensitivities to the distinction between blends and single malts? To test the sensory basis of this distinction, we conducted a series of blind tasting experiments in three countries with different levels of familiarity with the blends versus single malts distinction (the UK, the USA and France). In each country, expert and novice participants had to perform a free sorting task on nine whiskies (four blends, four single malts, one single grain, plus one repeat) first by olfaction, then by tasting. Overall, no reliable perceptual distinction was revealed in the tasting condition between blends and single malts by experts or novices when asked to group whiskies according to their similarities and differences. There was nonetheless a clear effect of expertise, with experts showing a more reliable classification of the repeat sample. French experts came closest to a making a distinction between blends and single malts in the olfactory condition, which might be explained by a lack of familiarity with blends. Interestingly, the similarity between the blends and some of their ingredient single malts explained more of participants’ groupings than the dichotomy between blends and single malts. 
The firmly established making and marketing distinction between blends and single malts corresponds to no broad perceptually salient difference for whisky tasters, whether experts or novices. The present study indicates that successfully blended whiskies have their own distinctive and recognizable profiles, taking their place in a common similarity space, with groupings that can reflect their component parts.}, language = {En}, number = {1}, urldate = {2017-03-17}, journal = {Flavour}, author = {Smith, Barry C. and Sester, Carole and Ballester, Jordi and Deroy, Ophelia}, month = mar, year = {2017}, pages = {5}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/R2TQNAXC/Smith et al. - 2017 - The perceptual categorisation of blended and singl.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/XXA38CAX/Smith et al. - 2017 - The perceptual categorisation of blended and singl.html:text/html} } @article{rushby_ontological_2013, title = {The {Ontological} {Argument} in {PVS}}, url = {http://www.csl.sri.com/users/rushby/papers/ontological.pdf}, urldate = {2016-10-25}, journal = {Fun With Formal Methods, St Petersburg, Russia}, author = {Rushby, John}, year = {2013}, file = {[PDF] from sri.com:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/G8FTR4UJ/Rushby - 2013 - The Ontological Argument in PVS.pdf:application/pdf} } @article{rabinowicz_centipede_2001, title = {A {Centipede} for {Intransitive} {Preferrers}}, volume = {67}, issn = {0039-3215, 1572-8730}, url = {http://link.springer.com.libproxy1.nus.edu.sg/article/10.1023/A:1010586802757}, doi = {10.1023/A:1010586802757}, abstract = {In the standard money pump, an agent with cyclical preferences can avoid exploitation if he shows foresight and solves his sequential decision problem using backward induction (BI). 
This way out is foreclosed in a modified money pump, which has been presented in Rabinowicz (2000). There, BI will lead the agent to behave in a self-defeating way. The present paper describes another sequential decision problem of this kind, the Centipede for an Intransitive Preferrer, which in some respects is even more striking than the modified pump. In the new problem, the BI reasoning that implies self-defeating behavior does not rest on the controversial robustness assumption concerning beliefs in one's future rationality. This strengthens the claim that foresight cannot save the intransitive preferrer from a self-defeating course of action.}, language = {en}, number = {2}, urldate = {2016-11-16}, journal = {Studia Logica}, author = {Rabinowicz, Wlodek}, month = mar, year = {2001}, pages = {167--178}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/855NBR66/Rabinowicz - 2001 - A Centipede for Intransitive Preferrers.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/74DRP34H/10.html:text/html} } @article{oppenheimer_reflections_2007, title = {Reflections on the {Logic} of the {Ontological} {Argument}: {A} {Journal} of {Analytic} {Scholasticism}}, volume = {4}, shorttitle = {Reflections on the {Logic} of the {Ontological} {Argument}}, url = {https://www-pdcnet-org.libproxy1.nus.edu.sg//pdc/bvdb.nsf/purchase?openform&fp=studneoar&id=studneoar_2007_0004_0001_0028_0035&onlyautologin=true}, doi = {10.5840/studneoar20074114}, number = {1}, urldate = {2016-12-15}, journal = {Studia Neoaristotelica}, author = {Oppenheimer, Paul E. 
and Zalta, Edward N.}, month = apr, year = {2007}, pages = {28--35}, file = {reflections-ontological.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/THV6AV8H/reflections-ontological.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/CSX6NPHN/purchase.html:text/html} } @article{garbacz_prover9s_2012, title = {Prover9's {Simplification} {Explained} {Away}}, volume = {90}, url = {http://www.tandfonline.com/doi/abs/10.1080/00048402.2011.636177}, number = {3}, urldate = {2016-10-25}, journal = {Australasian Journal of Philosophy}, author = {Garbacz, Pawe{\textbackslash}l}, year = {2012}, pages = {585--592}, file = {Prover9 s Simplification Explained Away.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/RCJUKWFJ/Prover9 s Simplification Explained Away.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/56GREU8G/cookieAbsent.html:text/html} } @article{kallestrup_causal_nodate, title = {The {Causal} {Exclusion} {Argument}}, volume = {131}, issn = {0031-8116, 1573-0883}, url = {http://link.springer.com.libproxy1.nus.edu.sg/article/10.1007/s11098-005-1439-x}, doi = {10.1007/s11098-005-1439-x}, abstract = {Jaegwon Kim’s causal exclusion argument says that if all physical effects have sufficient physical causes, and no physical effects are caused twice over by distinct physical and mental causes, there cannot be any irreducible mental causes. In addition, Kim has argued that the nonreductive physicalist must give up completeness, and embrace the possibility of downward causation. 
This paper argues first that this extra argument relies on a principle of property individuation, which the nonreductive physicalist need not accept, and second that once we get clear on overdetermination, there is a way to reject the exclusion principle upon which the causal exclusion argument depends, but third that this should not lead to the belief that mental causation is easily accounted for in terms of counterfactual dependencies.}, language = {en}, number = {2}, urldate = {2016-10-05}, journal = {Philosophical Studies}, author = {Kallestrup, Jesper}, pages = {459--485}, file = {Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/ESMKI44K/10.html:text/html} } @inproceedings{matichuk_isabelle_2014, title = {An {Isabelle} {Proof} {Method} {Language}}, url = {https://link-springer-com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-319-08970-6_25}, doi = {10.1007/978-3-319-08970-6_25}, abstract = {Machine-checked proofs are becoming ever-larger, presenting an increasing maintenance challenge. Isabelle’s most popular language interface, Isar, is attractive for new users, and powerful in the hand}, language = {en}, urldate = {2017-03-07}, booktitle = {{SpringerLink}}, publisher = {Springer, Cham}, author = {Matichuk, Daniel and Wenzel, Makarius and Murray, Toby}, month = jul, year = {2014}, pages = {390--405}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/PIFEZS5N/Matichuk et al. 
- 2014 - An Isabelle Proof Method Language.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/W77NEMPQ/978-3-319-08970-6_25.html:text/html} } @article{benzmuller_godels_2013, title = {Godel's {God} in {Isabelle}/{HOL}}, url = {http://www.isa-afp.org/browser_info/devel/AFP/GoedelGod/document.pdf}, urldate = {2016-10-25}, journal = {Archive of Formal Proofs}, author = {Benzmuller, Christoph and Paleo, Woltzenlogel}, year = {2013}, file = {[PDF] isa-afp.org:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/FJUMBQKI/Benzmüller and Paleo - 2013 - Gödel’s god in isabellehol.pdf:application/pdf} } @book{harper_ifs_1980, address = {Dordrecht}, title = {{IFS}}, isbn = {978-90-277-1220-2 978-94-009-9117-0}, url = {http://link.springer.com/10.1007/978-94-009-9117-0}, urldate = {2015-06-08}, publisher = {Springer Netherlands}, editor = {Harper, William L. and Stalnaker, Robert and Pearce, Glenn}, year = {1980} } @incollection{otten_mleancop:_2014, series = {Lecture {Notes} in {Computer} {Science}}, title = {{MleanCoP}: {A} {Connection} {Prover} for {First}-{Order} {Modal} {Logic}}, copyright = {©2014 Springer International Publishing Switzerland}, isbn = {978-3-319-08586-9 978-3-319-08587-6}, shorttitle = {{MleanCoP}}, url = {http://link.springer.com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-319-08587-6_20}, abstract = {MleanCoP is a fully automated theorem prover for first-order modal logic. The proof search is based on a prefixed connection calculus and an additional prefix unification, which captures the Kripke semantics of different modal logics. MleanCoP is implemented in Prolog and the source code of the core proof search procedure consists only of a few lines. It supports the standard modal logics D, T, S4, and S5 with constant, cumulative, and varying domain conditions. 
The most recent version also supports heterogeneous multimodal logics and outputs a compact prefixed connection proof. An experimental evaluation shows the strong performance of MleanCoP.}, language = {en}, number = {8562}, urldate = {2016-10-26}, booktitle = {Automated {Reasoning}}, publisher = {Springer International Publishing}, author = {Otten, Jens}, editor = {Demri, Stéphane and Kapur, Deepak and Weidenbach, Christoph}, month = jul, year = {2014}, note = {DOI: 10.1007/978-3-319-08587-6\_20}, keywords = {Artificial Intelligence (incl. Robotics), Logics and Meanings of Programs, Mathematical Logic and Formal Languages, Mathematics of Computing, Numeric Computing, Software Engineering}, pages = {269--276}, file = {chp%3A10.1007%2F978-3-319-08587-6_20.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/4IWM3JR4/chp%3A10.1007%2F978-3-319-08587-6_20.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/HB3PB4MS/10.html:text/html} } @article{oppenheimer_computationally-discovered_2011, title = {A {Computationally}-{Discovered} {Simplification} of the {Ontological} {Argument}}, volume = {89}, url = {http://www.tandfonline.com/doi/abs/10.1080/00048401003674482}, number = {2}, urldate = {2016-10-25}, journal = {Australasian Journal of Philosophy}, author = {Oppenheimer, Paul E. 
and Zalta, Edward N.}, year = {2011}, pages = {333--349}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/2AVNEF4Q/Oppenheimer and Zalta - 2011 - A Computationally-Discovered Simplification of the.pdf:application/pdf;[PDF] peoppenheimer.us:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/HC4WM87C/Oppenheimer and Zalta - 2011 - A computationally-discovered simplification of the.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/G53F8575/cookieAbsent.html:text/html} } @article{benzmuller_formalization_2013, title = {Formalization, {Mechanization} and {Automation} of {Godel}'s {Proof} of {God}'s {Existence}}, url = {http://arxiv.org/abs/1308.4526}, urldate = {2016-10-25}, journal = {arXiv preprint arXiv:1308.4526}, author = {Benzmüller, Christoph and Paleo, Bruno Woltzenlogel}, year = {2013}, file = {[PDF] arxiv.org:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/88RIIWTI/Benzmüller and Paleo - 2013 - Formalization, Mechanization and Automation of G\$.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/6JXQJ6TA/1308.html:text/html} } @article{thompson_when_1995, title = {When a "{White} {Horse}" {Is} {Not} a "{Horse}"}, volume = {45}, copyright = {Copyright © 1995 University of Hawai'i Press}, issn = {0031-8221}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/1399790}, doi = {10.2307/1399790}, abstract = {Is the white horse paradox just a sleight of hand, or is it indicative of some truths about words, language, and logic? The paradox underscores some differences in the significance and implications of terms when considered in the context of mention rather than use. 
Moreover, the paradox shows that insights into how words and phrases operate in language can be gained by considering them in the context of mention. The paradox also causes us to think of the instrumental value of words, as opposed to thinking of their roles just in referring and in judgments and inferences.}, number = {4}, urldate = {2014-10-16}, journal = {Philosophy East and West}, author = {Thompson, Kirill Ole}, month = oct, year = {1995}, pages = {481--499}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/5KPAP2CW/Thompson - 1995 - When a White Horse Is Not a Horse.pdf:application/pdf} } @incollection{benzmuller_automating_2016, title = {Automating {Free} {Logic} in {Isabelle}/{HOL}}, url = {http://link.springer.com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-319-42432-3_6}, abstract = {We present an interactive and automated theorem prover for free higher-order logic. Our implementation on top of the Isabelle/HOL framework utilizes a semantic embedding of free logic in classical higher-order logic. 
The capabilities of our tool are demonstrated with first experiments in category theory.}, language = {en}, urldate = {2016-12-07}, booktitle = {Mathematical {Software} – {ICMS} 2016}, publisher = {Springer International Publishing}, author = {Benzmuller, Christoph and Scott, Dana}, month = jul, year = {2016}, note = {DOI: 10.1007/978-3-319-42432-3\_6}, pages = {43--50}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/2P62RQED/Benzmüller and Scott - 2016 - Automating Free Logic in IsabelleHOL.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/JXV6S9RQ/978-3-319-42432-3_6.html:text/html} } @inproceedings{benzmuller_automating_2014, title = {Automating {Gödel}'s {Ontological} {Proof} of {God}'s {Existence} with {Higher}-order {Automated} {Theorem} {Provers}.}, volume = {263}, url = {https://books.google.com.sg/books?hl=en&lr=&id=Kp3YBAAAQBAJ&oi=fnd&pg=PA93&dq=related:L9E7ZhVkupoJ:scholar.google.com/&ots=kqUzFeWOpU&sig=rpSMk2j1-CGV7uk5CcnAhrhIX-0}, urldate = {2016-10-25}, booktitle = {{ECAI}}, author = {Benzmüller, Christoph and Paleo, Bruno Woltzenlogel}, year = {2014}, pages = {93--98}, file = {C40.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/CVN5ETID/C40.pdf:application/pdf;[PDF] fu-berlin.de:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/KVZD8QJ4/Benzmüller and Paleo - 2014 - Automating Gödel's Ontological Proof of God's Exis.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/27E2XP7C/books.html:text/html} } @article{paleo_inconsistency_nodate, title = {The {Inconsistency} in {Gödel}’s {Ontological} {Argument}: {A} {Success} {Story} for {AI} in {Metaphysics}}, shorttitle = {The {Inconsistency} in {Gödel}’s {Ontological} {Argument}}, url = 
{http://page.mi.fu-berlin.de/cbenzmueller/papers/C55.pdf}, urldate = {2016-10-25}, author = {Paleo, Bruno Woltzenlogel}, file = {[PDF] fu-berlin.de:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/CN37EI7B/Paleo - The Inconsistency in Gödel’s Ontological Argument.pdf:application/pdf} } @article{benzmuller_formalization_2013-1, title = {Formalization, {Mechanization} and {Automation} of {G}{\textbackslash}"odel's {Proof} of {God}'s {Existence}}, url = {http://arxiv.org/abs/1308.4526}, doi = {10.3233/978-1-61499-419-0-93}, abstract = {Goedel's ontological proof has been analysed for the first-time with an unprecedent degree of detail and formality with the help of higher-order theorem provers. The following has been done (and in this order): A detailed natural deduction proof. A formalization of the axioms, definitions and theorems in the TPTP THF syntax. Automatic verification of the consistency of the axioms and definitions with Nitpick. Automatic demonstration of the theorems with the provers LEO-II and Satallax. A step-by-step formalization using the Coq proof assistant. 
A formalization using the Isabelle proof assistant, where the theorems (and some additional lemmata) have been automated with Sledgehammer and Metis.}, urldate = {2016-10-14}, journal = {arXiv:1308.4526 [cs, math]}, author = {Benzmüller, Christoph and Paleo, Bruno Woltzenlogel}, month = aug, year = {2013}, note = {arXiv: 1308.4526}, keywords = {03Axx, 68T27, 68T30, 68T15, Computer Science - Artificial Intelligence, Computer Science - Logic in Computer Science, F.4.1, I.2.3, I.2.4, Mathematics - Logic}, file = {FormalizationMechanizationandAutomationofGodelsProofOfGodsExistence.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/KDB4EF7T/FormalizationMechanizationandAutomationofGodelsProofOfGodsExistence.pdf:application/pdf} } @article{rabinowicz_have_1995, title = {To {Have} {One}'s {Cake} and {Eat} {It}, {Too}: {Sequential} {Choice} and {Expected}-{Utility} {Violations}}, volume = {92}, issn = {0022-362X}, shorttitle = {To {Have} {One}'s {Cake} and {Eat} {It}, {Too}}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2941089}, doi = {10.2307/2941089}, number = {11}, urldate = {2016-11-17}, journal = {The Journal of Philosophy}, author = {Rabinowicz, Wlodek}, year = {1995}, pages = {586--620}, file = {2941089.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/5R4AXWXQ/2941089.pdf:application/pdf} } @book{zalta_abstract_1983, address = {Dordrecht}, title = {Abstract {Objects}}, isbn = {978-94-009-6982-7 978-94-009-6980-3}, url = {http://link.springer.com/10.1007/978-94-009-6980-3}, language = {en}, urldate = {2017-03-01}, publisher = {Springer Netherlands}, author = {Zalta, Edward N.}, year = {1983}, note = {DOI: 10.1007/978-94-009-6980-3}, file = {bok%3A978-94-009-6980-3.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/TQ9AV89R/bok%3A978-94-009-6980-3.pdf:application/pdf} } @article{parent_prover9_2015, title = {On the {Prover}9 
{Ontological} {Argument}}, volume = {43}, url = {http://link.springer.com/article/10.1007/s11406-015-9594-6}, number = {2}, urldate = {2016-10-25}, journal = {Philosophia}, author = {Parent, T.}, year = {2015}, pages = {475--483}, file = {art%3A10.1007%2Fs11406-015-9594-6.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/KGEE6EU3/art%3A10.1007%2Fs11406-015-9594-6.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/Q57T5Z7R/s11406-015-9594-6.html:text/html} } @article{temkin_intransitivity_1987, title = {Intransitivity and the {Mere} {Addition} {Paradox}}, volume = {16}, copyright = {Copyright © 1987 Wiley}, issn = {0048-3915}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2265425}, number = {2}, urldate = {2015-05-01}, journal = {Philosophy \& Public Affairs}, author = {Temkin, Larry S.}, month = apr, year = {1987}, pages = {138--187}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/X763URC8/Temkin - 1987 - Intransitivity and the Mere Addition Paradox.pdf:application/pdf} } @article{schick_dutch_1986, title = {Dutch {Bookies} and {Money} {Pumps}}, volume = {83}, issn = {0022-362X}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2026054}, doi = {10.2307/2026054}, number = {2}, urldate = {2016-11-17}, journal = {The Journal of Philosophy}, author = {Schick, Frederic}, year = {1986}, pages = {112--119}, file = {2026054.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/CKNKXXQI/2026054.pdf:application/pdf} } @article{hansen_mass_1976, title = {Mass {Nouns} and "{A} {White} {Horse} {Is} {Not} a {Horse}"}, volume = {26}, copyright = {Copyright © 1976 University of Hawai'i Press}, issn = {0031-8221}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/1398188}, doi = {10.2307/1398188}, number = {2}, urldate = {2014-10-16}, journal = 
{Philosophy East and West}, author = {Hansen, Chad D.}, month = apr, year = {1976}, pages = {189--209}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/BG8QH6NZ/Hansen - 1976 - Mass Nouns and A White Horse Is Not a Horse.pdf:application/pdf} } @article{gustafsson_irrelevance_2013, title = {The {Irrelevance} of the {Diachronic} {Money}-{Pump} {Argument} for {Acyclicity}}, volume = {110}, number = {8}, journal = {Journal of Philosophy}, author = {Gustafsson, Johan E.}, year = {2013}, pages = {460--464}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/GHS8W6ZX/undefined.html:text/html;the-irrelevance-of-the-diachronic-money-pump-argument-for-acyclicity.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/FMD6RWCQ/the-irrelevance-of-the-diachronic-money-pump-argument-for-acyclicity.pdf:application/pdf} } @article{walton_categories_1970, title = {Categories of {Art}}, volume = {79}, copyright = {Copyright © 1970 Duke University Press}, issn = {0031-8108}, url = {http://www.jstor.org/stable/2183933}, doi = {10.2307/2183933}, number = {3}, urldate = {2014-12-03}, journal = {The Philosophical Review}, author = {Walton, Kendall L.}, month = jul, year = {1970}, pages = {334--367}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/WRZCHUSP/Walton - 1970 - Categories of Art.pdf:application/pdf} } @inproceedings{benzmuller_godels_2013-1, title = {Godel’s {God} on the computer}, url = {http://page.mi.fu-berlin.de/cbenzmueller/papers/2013-IWIL.pdf}, urldate = {2016-10-25}, booktitle = {10th {Intl}. {Workshop} {Implementation} of {Logics}, {EPiC} {Series}. 
{EasyChair}}, author = {Benzmuller, Christoph and Paleo, Bruno Woltzenlogel}, year = {2013}, file = {[PDF] fu-berlin.de:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/GW9CXNRT/Benzmüller and Paleo - 2013 - Gödel’s God on the computer.pdf:application/pdf} } @incollection{fraser_school_2012, edition = {Winter 2012}, title = {School of {Names}}, url = {http://plato.stanford.edu/archives/win2012/entries/school-names/}, - abstract = {The “School of Names” (ming jia) is thetraditional Chinese label for a diverse group of Warring States(479–221 B.C.E.) thinkers who shared an interest in language,disputation, and metaphysics. They were notorious for logic-chopping,purportedly idle conceptual puzzles, and paradoxes such as“Today go to Yue but arrive yesterday” and “A whitehorse is not a horse.” Because reflection on language in ancientChina centered on “names” (ming, words) and theirrelation to “stuff” (shi, objects, events,situations), 2nd-century B.C.E. Han dynasty archivists dubbed thesethinkers the “School of Names,” one of six recognizedphilosophical movements. The “school” is a taxonomicalfiction, however. The varied figures assigned to it—Deng Xi, YinWen, Hui Shi, and Gongsun Long, among others—never formed adistinct circle or movement devoted to any particular doctrine or wayof life, and their intellectual interests overlapped extensively withthose of the later Mohists, Zhuangzi, and Xunzi. Several of these men were activepolitically: Hui Shi was a government minister, Yin Wen and GongsunLong political advisors and peace activists. Still, in the eyes of Hanhistorians, they devoted themselves to no signature ethical orpolitical doctrines. 
Hence they became known primarily for theirinterest in language and disputation and on that basis were deemed a“school.” , Before the Han dynasty, the social group of which these thinkers werea part was known as the bianzhe—“disputers” or“dialecticians”—because they spent much of theirtime in “disputation” (bian, also“discrimination” or “distinction drawing”), aform of dialectical persuasion and inquiry aimed fundamentally at“distinguishing” the proper semantic relations betweennames and the things or kinds of things to which theyrefer. “Disputers” is thus probably a more appropriateEnglish label for Hui Shi, Gongsun Long, and the others than is the“School of Names,” though it refers not specifically tothese figures but to the broader class of scholars to which theybelonged. (“Name-distinguishers” or“distinction-disputers” would be even more accurate,though these terms are too clumsy to adopt as English equivalents.)The disputers flourished for about a century and a half as wanderingpolitical advisors, counseling rulers throughout pre-unificationChina. They disappeared with the onset of the Qin dynasty (221 B.C.E.),partly because the political and intellectual climate of the newempire was hostile to their purely theoretical, occasionally flippantinquiries, and partly because with unification their politicalservices became obsolete.}, + abstract = {The “School of Names” (ming jia) is thetraditional Chinese label for a diverse group of Warring States(479–221 B.C.E.) thinkers who shared an interest in language,disputation, and metaphysics. They were notorious for logic-chopping,purportedly idle conceptual puzzles, and paradoxes such as“Today go to Yue but arrive yesterday” and “A whitehorse is not a horse.” Because reflection on language in ancientChina centered on “names” (ming, words) and theirrelation to “stuff” (shi, objects, events,situations), 2nd-century B.C.E. 
Han dynasty archivists dubbed thesethinkers the “School of Names,” one of six recognizedphilosophical movements. The “school” is a taxonomicalfiction, however. The varied figures assigned to it---Deng Xi, YinWen, Hui Shi, and Gongsun Long, among others---never formed adistinct circle or movement devoted to any particular doctrine or wayof life, and their intellectual interests overlapped extensively withthose of the later Mohists, Zhuangzi, and Xunzi. Several of these men were activepolitically: Hui Shi was a government minister, Yin Wen and GongsunLong political advisors and peace activists. Still, in the eyes of Hanhistorians, they devoted themselves to no signature ethical orpolitical doctrines. Hence they became known primarily for theirinterest in language and disputation and on that basis were deemed a“school.” , Before the Han dynasty, the social group of which these thinkers werea part was known as the bianzhe---“disputers” or“dialecticians”---because they spent much of theirtime in “disputation” (bian, also“discrimination” or “distinction drawing”), aform of dialectical persuasion and inquiry aimed fundamentally at“distinguishing” the proper semantic relations betweennames and the things or kinds of things to which theyrefer. “Disputers” is thus probably a more appropriateEnglish label for Hui Shi, Gongsun Long, and the others than is the“School of Names,” though it refers not specifically tothese figures but to the broader class of scholars to which theybelonged. (“Name-distinguishers” or“distinction-disputers” would be even more accurate,though these terms are too clumsy to adopt as English equivalents.)The disputers flourished for about a century and a half as wanderingpolitical advisors, counseling rulers throughout pre-unificationChina. 
They disappeared with the onset of the Qin dynasty (221 B.C.E.),partly because the political and intellectual climate of the newempire was hostile to their purely theoretical, occasionally flippantinquiries, and partly because with unification their politicalservices became obsolete.}, urldate = {2014-10-16}, booktitle = {The {Stanford} {Encyclopedia} of {Philosophy}}, author = {Fraser, Chris}, editor = {Zalta, Edward N.}, year = {2012}, keywords = {Confucius, Daoism, Mencius, mereology, Mohism, Mohist Canons, Xunzi, Zhuangzi}, file = {SEP - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/QZ25J2BT/Fraser and Zalta - 2012 - School of Names.html:text/html} } @article{norcross_intransitivity_1999, title = {Intransitivity and the {Person}-{Affecting} {Principle}}, volume = {59}, copyright = {Copyright © 1999 International Phenomenological Society}, issn = {0031-8205}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2653795}, doi = {10.2307/2653795}, abstract = {Philosophy journals and conferences have recently seen several attempts to argue that 'all-things-considered better than' does not obey strict transitivity. This paper focuses on Larry Temkin's argument in "Intransitivity and the Mere Addition Paradox." Although his argument is not aimed just at utilitarians or even consequentialists in general, it is of prticular significance to consequentialists. If 'all-things-considered better than' does not obey transitivity, there may be choice situations in which there is no optimal choice, which would seem to open the door to a consequentialist account of moral dilemmas. 
Temkin's argument crucially appeals to what he calls "the Person-Affecting Principle (PAP)", which he roughly characterizes as follows, "On PAP, one outcome is worse than another only if it affects people for the worse" This paper argues that PAP, although plausible, does not hold in precisely those situations in which it would have to hold in order for Temkin's argument against transitivity to work.}, number = {3}, urldate = {2015-05-01}, journal = {Philosophy and Phenomenological Research}, author = {Norcross, Alastair}, month = sep, year = {1999}, pages = {769--776}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/VTFQZGBJ/Norcross - 1999 - Intransitivity and the Person-Affecting Principle.pdf:application/pdf} } @phdthesis{dowling_vindication_2007, type = {Ph.{D}.}, title = {The vindication of aesthetic empiricism}, url = {http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.485354}, abstract = {'This doctoral thesis is an examination, and vindication, of a position that has been identified with the expression 'aesthetic empiricism' and typically captured by the claim that 'what is aesthetically valuable in a painting can be detected merely by looking at it - features that cannot be so detected are not properly aesthetic ones' (Currie, 1989). Such a position continues to be a focus for contemporary discussion (e.g., Davies, 2004, 2006, and Graham, 2006), yet it is far from clear precisely what it entails or even who subscribes to it. All that seems to have been agreed is that aesthetic empiricism is false, demonstrably so in the light of Walton's claims in 'Categories of Art' (1970), and Danto's work on indiscernibles (1981). 
The lack of theoretical clarity would suffice to motivate a closer look at aesthetic empiricism; however, the more specific target of this thesis is· to show that the received treatment is mistaken - aesthetic empiricism, once clearly identified, can be seen to be both intuitive and beguiling. It earns our philosophical consideration by providing a formidable accoiint ofthe aesthetic and also a valuable contribution to our understanding of art criticism.}, language = {eng}, urldate = {2016-11-28}, school = {University of York}, author = {Dowling, Christopher Michael}, year = {2007}, file = {Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/F98BKMUA/OrderDetails.html:text/html} } @article{levy_money_2014, title = {Money {Pumps}, {Diachronic} and {Synchronic}}, journal = {Journal of Ethics and Social Philosophy}, author = {Levy, Yair}, year = {2014}, pages = {XX}, file = {money-pumps-diachronic-and-synchronic.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/AGMMXT6C/money-pumps-diachronic-and-synchronic.pdf:application/pdf;PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/UCD3838J/undefined.html:text/html} } @book{wiedijk_seventeen_2006, address = {Secaucus, NJ, USA}, title = {The {Seventeen} {Provers} of the {World}: {Foreword} by {Dana} {S}. 
{Scott} ({Lecture} {Notes} in {Computer} {Science} / {Lecture} {Notes} in {Artificial} {Intelligence})}, isbn = {978-3-540-30704-4}, shorttitle = {The {Seventeen} {Provers} of the {World}}, publisher = {Springer-Verlag New York, Inc.}, author = {Wiedijk, Freek}, year = {2006} } @book{rabinowicz_levi_2006, title = {Levi on {Money} {Pumps} and {Diachronic} {Dutch}-{Book} {Arguments}}, copyright = {info:eu-repo/semantics/openAccess}, isbn = {978-0-521-84556-4}, url = {http://lup.lub.lu.se/record/775394}, abstract = {My focus is on pragmatic arguments for various ‘rationality constraints’ on a decision maker’s state of mind: on his beliefs or preferences. An argument of this kind purports to show that a violator of a given constraint can be exposed to a decision problem in which he will act to his guaranteed disadvantage. Dramatically put, he can be exploited by a clever bookie who doesn’t know more than the agent himself. Examples of pragmatic arguments of this kind are synchronic Dutch Books, for the standard probability axioms, diachronic Dutch Books, for the more controversial principles of reflection and conditionalization, and Money Pumps, for the transitivity requirement on preferences.{\textless}br/{\textgreater}{\textless}br{\textgreater} The proposed exploitation set-ups share a common feature. If the violator of a given constraint is logically and mathematically competent, he can be exploited only if he is disunified in his decision-making. Exploitation is possible only if the agent makes decisions on various issues he confronts one by one, rather than on all of them together. {\textless}br/{\textgreater}{\textless}br{\textgreater} Unity in decision making may be quite costly and is often inconvenient, especially when it concerns opportunity packages that are spread over time. 
On my view, therefore, pragmatic arguments should be seen as delivering conditional conclusions: “If you want to afford being disunified as a decision maker, then you’d better satisfy these constraints.” The arguments of this kind fail to establish the inherent rationality of the constraints under consideration. {\textless}br/{\textgreater}{\textless}br{\textgreater} Levi’s view of the status of pragmatic arguments (cf. Levi 2002) is opposed to mine. According to him, only synchronic pragmatic arguments are valid (indeed, categorically valid). The diachronic ones, he argues, lack any validity at all. This line of reasoning is questioned in my paper.}, language = {eng}, urldate = {2016-11-16}, publisher = {Cambridge University Press}, author = {Rabinowicz, Wlodek}, year = {2006}, file = {Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/NZ8ATXDX/775394.html:text/html} } @incollection{piper_money_2014, title = {The {Money} {Pump} {Is} {Necessarily} {Diachronic}}, booktitle = {Adrian {Piper} {Research} {Archive} {Foundation} {Berlin}/{Philosophy}}, author = {Piper, Adrian M. 
S.}, year = {2014}, pages = {1--7}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/C44WW8HJ/undefined.html:text/html;PIPTMP.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/6N52TRJM/PIPTMP.pdf:application/pdf} } @article{hansen_mass_1976-1, title = {Mass {Nouns} and "{A} {White} {Horse} {Is} {Not} a {Horse}"}, volume = {26}, copyright = {Copyright © 1976 University of Hawai'i Press}, issn = {0031-8221}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/1398188}, doi = {10.2307/1398188}, number = {2}, urldate = {2014-10-16}, journal = {Philosophy East and West}, author = {Hansen, Chad D.}, month = apr, year = {1976}, pages = {189--209}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/A7946HNU/Hansen - 1976 - Mass Nouns and A White Horse Is Not a Horse.pdf:application/pdf} } @article{nipkow_tutorial_2011, title = {A tutorial introduction to structured {Isar} proofs}, url = {http://arachne.it.uu.se/grad/courses/gc0910/isabelle/isar-overview.pdf}, urldate = {2016-12-12}, journal = {Available from World Wide Web: http://www. in. tum. de/∼ nipkow}, author = {Nipkow, Tobias}, year = {2011}, file = {isar-overview.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/6CJCJAF6/isar-overview.pdf:application/pdf;[PDF] uu.se:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/TB378QC3/Nipkow - 2011 - A tutorial introduction to structured Isar proofs.pdf:application/pdf} } @book{sobel_logic_2009, address = {Cambridge}, edition = {1 edition}, title = {Logic and {Theism}: {Arguments} for and against {Beliefs} in {God}}, isbn = {978-0-521-10866-9}, shorttitle = {Logic and {Theism}}, abstract = {This book includes arguments for and against belief in God. 
The arguments for the belief are analyzed in the first six chapters and include ontological arguments from Anselm through Gödel; the cosmological arguments of Aquinas and Leibniz; and arguments from evidence for design and miracles. The next two chapters consider arguments against belief. The last chapter examines Pascalian arguments for and against belief in God. This book is a valuable resource for philosophers of religion and theologians and interests logicians and mathematicians as well.}, language = {English}, publisher = {Cambridge University Press}, author = {Sobel, Jordan Howard}, month = apr, year = {2009}, file = {[Jordan_Howard_Sobel]_Logic_and_Theism_Arguments_(BookZZ.org).pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/P7Z4SNXI/[Jordan_Howard_Sobel]_Logic_and_Theism_Arguments_(BookZZ.org).pdf:application/pdf} } @article{portugal_weber-fechner_2011, title = {Weber-{Fechner} {Law} and the {Optimality} of the {Logarithmic} {Scale}}, volume = {21}, issn = {0924-6495, 1572-8641}, url = {http://link.springer.com.libproxy1.nus.edu.sg/article/10.1007/s11023-010-9221-z}, doi = {10.1007/s11023-010-9221-z}, abstract = {Weber-Fechner Law states that the perceived intensity is proportional to the logarithm of the stimulus. Recent experiments suggest that this law also holds true for perception of numerosity. Therefore, the use of a logarithmic scale for the quantification of the perceived intensity may also depend on how the cognitive apparatus processes information. If Weber-Fechner law is the result of natural selection, then the logarithmic scale should be better, in some sense, than other biologically feasible scales. We consider the minimization of the relative error as the target of natural selection and we provide a formal proof that the logarithmic scale minimizes the maximal relative error.}, language = {en}, number = {1}, urldate = {2017-02-10}, journal = {Minds and Machines}, author = {Portugal, R. D. 
and Svaiter, B. F.}, month = feb, year = {2011}, pages = {73--81}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/G43TII7D/Portugal and Svaiter - 2011 - Weber-Fechner Law and the Optimality of the Logari.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/HSP9NRJW/10.html:text/html} } @article{bourget_paperless_2010, title = {Paperless {Philosophy} as a {Philosophical} {Method}}, volume = {24}, issn = {0269-1728}, url = {https://doi.org/10.1080/02691728.2010.499180}, doi = {10.1080/02691728.2010.499180}, abstract = {I discuss the prospects for new forms of professional communication in philosophy. I argue that online discussions and online surveys ought to play a more important role in communications between philosophers than they play today. However, there are major obstacles to the widespread adoption of these media as channels of communication between academics. I offer an overview of these obstacles and sketch a strategy for surmounting them. 
The strategy I propose involves the development of a new kind of service which could expand the reach of the analytic method in philosophy.}, number = {4}, urldate = {2017-02-28}, journal = {Social Epistemology}, author = {Bourget, David}, month = oct, year = {2010}, keywords = {Paperless Philosophy, Philosophical Method, Professional Communication}, pages = {363--375}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/J7MXKM65/Bourget - 2010 - Paperless Philosophy as a Philosophical Method.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/8BXBWNP9/02691728.2010.html:text/html} } @article{omahony_who_1995, series = {Second {Sensometrics} {Meeting}}, title = {Who told you the triangle test was simple?}, volume = {6}, issn = {0950-3293}, url = {http://www.sciencedirect.com/science/article/pii/0950329395000224}, doi = {10.1016/0950-3293(95)00022-4}, abstract = {The effects of response bias, cognitive strategy change and the sequence of tasting are discussed in relation to the triangle test. Theoretical approaches like Thurstonian modelling and Sequential Sensitivity Analysis are reviewed. It is concluded that the triangle test is prone to many pitfalls; even a slight change in the instructions can bring about a radical change in performance.}, number = {4}, urldate = {2017-02-10}, journal = {Food Quality and Preference}, author = {O'Mahony, Michael}, month = jan, year = {1995}, pages = {227--238}, file = {ScienceDirect Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/25DZIPXX/0950329395000224.html:text/html} } @article{hales_formal_2015, title = {A formal proof of the {Kepler} conjecture}, url = {http://arxiv.org/abs/1501.02155}, abstract = {This article describes a formal proof of the Kepler conjecture on dense sphere packings in a combination of the HOL Light and Isabelle proof assistants. 
This paper constitutes the official published account of the now completed Flyspeck project.}, urldate = {2017-02-28}, journal = {arXiv:1501.02155 [cs, math]}, author = {Hales, Thomas and Adams, Mark and Bauer, Gertrud and Dang, Dat Tat and Harrison, John and Hoang, Truong Le and Kaliszyk, Cezary and Magron, Victor and McLaughlin, Sean and Nguyen, Thang Tat and Nguyen, Truong Quang and Nipkow, Tobias and Obua, Steven and Pleso, Joseph and Rute, Jason and Solovyev, Alexey and Ta, An Hoai Thi and Tran, Trung Nam and Trieu, Diep Thi and Urban, Josef and Vu, Ky Khac and Zumkeller, Roland}, month = jan, year = {2015}, note = {arXiv: 1501.02155}, keywords = {Computer Science - Logic in Computer Science, Mathematics - Metric Geometry}, file = {1501.02155.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/EPGESX9D/1501.02155.pdf:application/pdf;arXiv\:1501.02155 PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/SZ4WAEZQ/Hales et al. - 2015 - A formal proof of the Kepler conjecture.pdf:application/pdf;arXiv.org Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/23FGE5TR/1501.html:text/html} } @article{oppenheimer_logic_1991, title = {On the {Logic} of the {Ontological} {Argument}}, volume = {5}, issn = {1520-8583}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2214107}, doi = {10.2307/2214107}, urldate = {2016-12-15}, journal = {Philosophical Perspectives}, author = {Oppenheimer, Paul E. 
and Zalta, Edward N.}, year = {1991}, pages = {509--529}, file = {2214107.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/8D9VIMAK/2214107.pdf:application/pdf} } @article{dehaene_neural_2003, title = {The neural basis of the {Weber}–{Fechner} law: a logarithmic mental number line}, volume = {7}, issn = {1364-6613}, shorttitle = {The neural basis of the {Weber}–{Fechner} law}, url = {http://www.sciencedirect.com/science/article/pii/S136466130300055X}, doi = {10.1016/S1364-6613(03)00055-X}, abstract = {The recent discovery of number neurons allows for a dissection of the neuronal implementation of number representation. In a recent article, Nieder and Miller demonstrate a neural correlate of Weber's law, and thus resolve a classical debate in psychophysics: the mental number line seems to be logarithmic rather than linear.}, number = {4}, urldate = {2017-02-10}, journal = {Trends in Cognitive Sciences}, author = {Dehaene, Stanislas}, month = apr, year = {2003}, pages = {145--147}, file = {ScienceDirect Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/PVTZR9EA/Dehaene - 2003 - The neural basis of the Weber–Fechner law a logar.pdf:application/pdf;ScienceDirect Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/CHVBJB9R/S136466130300055X.html:text/html} } @article{benzmuller_computer-assisted_2017, title = {Computer-{Assisted} {Analysis} of the {Anderson}–{Hájek} {Ontological} {Controversy}}, volume = {11}, issn = {1661-8297, 1661-8300}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s11787-017-0160-9}, doi = {10.1007/s11787-017-0160-9}, abstract = {A universal reasoning approach based on shallow semantical embeddings of higher-order modal logics into classical higher-order logic is exemplarily employed to analyze several modern variants of the o}, language = {en}, number = {1}, urldate = {2017-03-24}, journal 
= {Logica Universalis}, author = {Benzmüller, C. and Weber, L. and Paleo, B. Woltzenlogel}, month = mar, year = {2017}, pages = {139--151}, file = {art%3A10.1007%2Fs11787-017-0160-9.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/JEV87CVI/art%3A10.1007%2Fs11787-017-0160-9.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/GUT648XJ/Benzmüller et al. - 2017 - Computer-Assisted Analysis of the Anderson–Hájek O.html:text/html} } @article{benzmuller_systematic_2015, title = {Systematic {Verification} of the {Modal} {Logic} {Cube} in {Isabelle}/{HOL}}, volume = {186}, issn = {2075-2180}, url = {http://arxiv.org/abs/1507.08717}, doi = {10.4204/EPTCS.186.5}, abstract = {We present an automated verification of the well-known modal logic cube in Isabelle/HOL, in which we prove the inclusion relations between the cube's logics using automated reasoning tools. Prior work addresses this problem but without restriction to the modal logic cube, and using encodings in first-order logic in combination with first-order automated theorem provers. In contrast, our solution is more elegant, transparent and effective. It employs an embedding of quantified modal logic in classical higher-order logic. Automated reasoning tools, such as Sledgehammer with LEO-II, Satallax and CVC4, Metis and Nitpick, are employed to achieve full automation. 
Though successful, the experiments also motivate some technical improvements in the Isabelle/HOL tool.}, urldate = {2017-03-24}, journal = {Electronic Proceedings in Theoretical Computer Science}, author = {Benzmüller, Christoph and Claus, Maximilian and Sultana, Nik}, month = jul, year = {2015}, note = {arXiv: 1507.08717}, keywords = {Computer Science - Artificial Intelligence, Computer Science - Logic in Computer Science, F.4.1, I.2.3, I.2.4}, pages = {27--41}, file = {cade25_pxtp.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/VV7UW6UK/cade25_pxtp.pdf:application/pdf} } @article{kanckos_variants_2017, title = {Variants of {Gödel}’s {Ontological} {Proof} in a {Natural} {Deduction} {Calculus}}, issn = {0039-3215, 1572-8730}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s11225-016-9700-1}, doi = {10.1007/s11225-016-9700-1}, abstract = {This paper presents detailed formalizations of ontological arguments in a simple modal natural deduction calculus. The first formal proof closely follows the hints in Scott’s manuscript about Gödel’s}, language = {en}, urldate = {2017-03-24}, journal = {Studia Logica}, author = {Kanckos, Annika and Paleo, B. 
Woltzenlogel}, month = jan, year = {2017}, pages = {1--34}, file = {art%3A10.1007%2Fs11225-016-9700-1.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/PCHAQ932/art%3A10.1007%2Fs11225-016-9700-1.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/9P8EDSKJ/Kanckos and Paleo - 2017 - Variants of Gödel’s Ontological Proof in a Natural.html:text/html} } @inproceedings{benzmuller_interacting_2015, title = {Interacting with {Modal} {Logics} in the {Coq} {Proof} {Assistant}}, url = {https://link-springer-com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-319-20297-6_25}, doi = {10.1007/978-3-319-20297-6_25}, abstract = {This paper describes an embedding of higher-order modal logics in the Coq proof assistant. Coq’s capabilities are used to implement modal logics in a minimalistic manner, which is nevertheless suffici}, language = {en}, urldate = {2017-03-24}, booktitle = {{SpringerLink}}, publisher = {Springer, Cham}, author = {Benzmüller, Christoph and Paleo, Bruno Woltzenlogel}, month = jul, year = {2015}, pages = {398--411}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/UA3H57GP/Benzmüller and Paleo - 2015 - Interacting with Modal Logics in the Coq Proof Ass.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/WS52VKMN/978-3-319-20297-6_25.html:text/html} } @article{benzmuller_ontological_2017, title = {The {Ontological} {Modal} {Collapse} as a {Collapse} of the {Square} of {Opposition}}, url = {http://link.springer.com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-319-45062-9_18}, doi = {10.1007/978-3-319-45062-9_18}, language = {en}, urldate = {2017-03-24}, author = {Benzmüller, Christoph and Paleo, Bruno Woltzenlogel}, year = {2017}, pages = {307--313}, file = {Full Text PDF:/Users/nus/Library/Application 
Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/4DURHPA6/Benzmüller and Paleo - 2017 - The Ontological Modal Collapse as a Collapse of th.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/TI2BBBIB/978-3-319-45062-9_18.html:text/html} } @article{benzmuller_cut-elimination_2016, title = {Cut-{Elimination} for {Quantified} {Conditional} {Logic}}, issn = {0022-3611, 1573-0433}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s10992-016-9403-0}, doi = {10.1007/s10992-016-9403-0}, abstract = {A semantic embedding of quantified conditional logic in classical higher-order logic is utilized for reducing cut-elimination in the former logic to existing results for the latter logic. The presente}, language = {en}, urldate = {2017-03-24}, journal = {Journal of Philosophical Logic}, author = {Benzmüller, Christoph}, month = jun, year = {2016}, pages = {1--21}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/T7EMRXS2/Benzmüller - 2016 - Cut-Elimination for Quantified Conditional Logic.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/EUVMTTIH/10.html:text/html} } @inproceedings{benzmuller_invited_2015, title = {Invited {Talk}: {On} a ({Quite}) {Universal} {Theorem} {Proving} {Approach} and {Its} {Application} in {Metaphysics}}, shorttitle = {Invited {Talk}}, url = {https://link-springer-com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-319-24312-2_15}, doi = {10.1007/978-3-319-24312-2_15}, abstract = {Classical higher-order logic is suited as a meta-logic in which a range of other logics can be elegantly embedded. 
Interactive and automated theorem provers for higher-order logic are therefore readil}, language = {en}, urldate = {2017-03-24}, booktitle = {{SpringerLink}}, publisher = {Springer, Cham}, author = {Benzmüller, Christoph}, month = sep, year = {2015}, pages = {213--220}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/N9CT4EEQ/Benzmüller - 2015 - Invited Talk On a (Quite) Universal Theorem Provi.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/22MF3WKI/978-3-319-24312-2_15.html:text/html} } @inproceedings{benzmuller_hol_2013, title = {{HOL} {Based} {First}-{Order} {Modal} {Logic} {Provers}}, url = {https://link-springer-com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-642-45221-5_9}, doi = {10.1007/978-3-642-45221-5_9}, abstract = {First-order modal logics (FMLs) can be modeled as natural fragments of classical higher-order logic (HOL). The FMLtoHOL tool exploits this fact and it enables the application of off-the-shelf HOL prov}, language = {en}, urldate = {2017-03-24}, booktitle = {{SpringerLink}}, publisher = {Springer, Berlin, Heidelberg}, author = {Benzmüller, Christoph and Raths, Thomas}, month = dec, year = {2013}, pages = {127--136}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/D9PWVNAS/Benzmüller and Raths - 2013 - HOL Based First-Order Modal Logic Provers.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/VU8AKJ3M/978-3-642-45221-5_9.html:text/html} } @article{benzmuller_quantified_2013, title = {Quantified {Multimodal} {Logics} in {Simple} {Type} {Theory}}, volume = {7}, issn = {1661-8297, 1661-8300}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s11787-012-0052-y}, doi = {10.1007/s11787-012-0052-y}, abstract = {We present an embedding of quantified multimodal logics into simple 
type theory and prove its soundness and completeness. A correspondence between QKπ models for quantified multimodal logics and Henki}, language = {en}, number = {1}, urldate = {2017-03-26}, journal = {Logica Universalis}, author = {Benzmüller, Christoph and Paulson, Lawrence C.}, month = mar, year = {2013}, pages = {7--20}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/RG3KG2MZ/Benzmüller and Paulson - 2013 - Quantified Multimodal Logics in Simple Type Theory.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/H8PQQURC/10.html:text/html} } @article{segerberg_two-dimensional_1973, title = {Two-dimensional modal logic}, volume = {2}, issn = {0022-3611, 1573-0433}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/BF02115610}, doi = {10.1007/BF02115610}, language = {en}, number = {1}, urldate = {2017-03-30}, journal = {Journal of Philosophical Logic}, author = {Segerberg, Krister}, month = jan, year = {1973}, pages = {77--96}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/MQN6UFQT/Segerberg - 1973 - Two-dimensional modal logic.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/GKW4N2QQ/10.html:text/html} } @article{restall_cut-free_2012, series = {Kurt {Goedel} {Research} {Prize} {Fellowships} 2010}, title = {A cut-free sequent system for two-dimensional modal logic, and why it matters}, volume = {163}, issn = {0168-0072}, url = {http://www.sciencedirect.com/science/article/pii/S0168007211001850}, doi = {10.1016/j.apal.2011.12.012}, abstract = {The two-dimensional modal logic of Davies and Humberstone (1980) [3] is an important aid to our understanding the relationship between actuality, necessity and a priori knowability. 
I show how a cut-free hypersequent calculus for 2D modal logic not only captures the logic precisely, but may be used to address issues in the epistemology and metaphysics of our modal concepts. I will explain how the use of our concepts motivates the inference rules of the sequent calculus, and then show that the completeness of the calculus for Davies–Humberstone models explains why those concepts have the structure described by those models. The result is yet another application of the completeness theorem.}, number = {11}, urldate = {2017-03-30}, journal = {Annals of Pure and Applied Logic}, author = {Restall, Greg}, month = nov, year = {2012}, keywords = {Completeness, Hypersequent, Modal logic, Semantics}, pages = {1611--1623}, file = {ScienceDirect Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/J3QNNZP9/Restall - 2012 - A cut-free sequent system for two-dimensional moda.pdf:application/pdf;ScienceDirect Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/FPBUHXWB/S0168007211001850.html:text/html} } @article{fabio_actuality_nodate, title = {Actuality, {Tableaux}, and {Two}-{Dimensional} {Modal} {Logic}}, journal = {Erkenntnis}, author = {Fabio, Lampert}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/FT34KVZM/undefined.html:text/html} } @article{davies_two_1980, title = {Two notions of necessity}, volume = {38}, issn = {0031-8116, 1573-0883}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/BF00354523}, doi = {10.1007/BF00354523}, language = {en}, number = {1}, urldate = {2017-03-30}, journal = {Philosophical Studies}, author = {Davies, Martin and Humberstone, Lloyd}, month = jul, year = {1980}, pages = {1--30}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/2PQQ9VEV/Davies and Humberstone - 1980 - Two notions of 
necessity.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/TQUCP32Q/10.html:text/html} } @article{leuenberger_total_2014, title = {Total {Logic}}, volume = {7}, url = {/core/journals/review-of-symbolic-logic/article/total-logic/934AB649A89A7B2D56579E5FCBCF28DF}, number = {3}, urldate = {2017-03-30}, journal = {The Review of Symbolic Logic}, author = {Leuenberger, Stephan}, year = {2014}, pages = {529--547}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/R8SV2GN8/Leuenberger - 2014 - TOTAL LOGIC.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/IEMHRDAE/934AB649A89A7B2D56579E5FCBCF28DF.html:text/html} } @article{fritz_logic_2013, title = {A logic for epistemic two-dimensional semantics}, volume = {190}, issn = {0039-7857, 1573-0964}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s11229-013-0260-x}, doi = {10.1007/s11229-013-0260-x}, abstract = {Epistemic two-dimensional semantics is a theory in the philosophy of language that provides an account of meaning which is sensitive to the distinction between necessity and apriority. 
While this theo}, language = {en}, number = {10}, urldate = {2017-04-06}, journal = {Synthese}, author = {Fritz, Peter}, month = jul, year = {2013}, pages = {1753--1770}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/6TEJJD9S/Fritz - 2013 - A logic for epistemic two-dimensional semantics.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/5IZHUV4C/10.html:text/html} } @article{chalmers_two-dimensional_2014, title = {Two-dimensional semantics and the nesting problem}, volume = {74}, issn = {0003-2638}, url = {https://academic-oup-com.libproxy1.nus.edu.sg/analysis/article/74/2/210/208222/Two-dimensional-semantics-and-the-nesting-problem}, doi = {10.1093/analys/anu032}, number = {2}, urldate = {2017-04-06}, journal = {Analysis}, author = {Chalmers, David and Rabern, Brian}, month = apr, year = {2014}, pages = {210--224}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/DR857V4B/Chalmers and Rabern - 2014 - Two-dimensional semantics and the nesting problem.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/UEQIP9VX/anu032.html:text/html} } @misc{fritz_what_2014, title = {{WHAT} {IS} {THE} {CORRECT} {LOGIC} {OF} {NECESSITY}, {ACTUALITY} {AND} {APRIORITY}?}, url = {/core/journals/review-of-symbolic-logic/article/what-is-the-correct-logic-of-necessity-actuality-and-apriority/F3A98ED96296D123AC95D1B596BC7463}, abstract = {{\textless}div class="title"{\textgreater}WHAT IS THE CORRECT LOGIC OF NECESSITY, ACTUALITY AND APRIORITY?{\textless}/div{\textgreater} - Volume 7 Issue 3 - PETER FRITZ}, urldate = {2017-04-06}, journal = {The Review of Symbolic Logic}, author = {Fritz, Peter}, month = sep, year = {2014}, file = {Full Text PDF:/Users/nus/Library/Application 
Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/3WSV94QP/Fritz - 2014 - WHAT IS THE CORRECT LOGIC OF NECESSITY, ACTUALITY .pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/644NUNXC/F3A98ED96296D123AC95D1B596BC7463.html:text/html} } @article{tymoczko_geometry_2006, title = {The {Geometry} of {Musical} {Chords}}, volume = {313}, copyright = {American Association for the Advancement of Science}, issn = {0036-8075, 1095-9203}, url = {http://science.sciencemag.org.libproxy1.nus.edu.sg/content/313/5783/72}, doi = {10.1126/science.1126287}, abstract = {A musical chord can be represented as a point in a geometrical space called an orbifold. Line segments represent mappings from the notes of one chord to those of another. Composers in a wide range of styles have exploited the non-Euclidean geometry of these spaces, typically by using short line segments between structurally similar chords. Such line segments exist only when chords are nearly symmetrical under translation, reflection, or permutation. Paradigmatically consonant and dissonant chords possess different near-symmetries and suggest different musical uses. Chords can be mapped as points onto a many-fold surface, on which consonant chords cluster together, connected by melodic lines that reveal western harmony and counterpoint. 
Chords can be mapped as points onto a many-fold surface, on which consonant chords cluster together, connected by melodic lines that reveal western harmony and counterpoint.}, language = {en}, number = {5783}, urldate = {2017-04-10}, journal = {Science}, author = {Tymoczko, Dmitri}, month = jul, year = {2006}, pmid = {16825563}, pages = {72--74}, file = {science.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/5SVZJCJ2/science.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/5SUWWTE6/72.html:text/html;supplement.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/FZSTJJ8Z/supplement.pdf:application/pdf} } @article{bourget_what_2014, title = {What do philosophers believe?}, volume = {170}, issn = {0031-8116, 1573-0883}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s11098-013-0259-7}, doi = {10.1007/s11098-013-0259-7}, abstract = {What are the philosophical views of contemporary professional philosophers? We surveyed many professional philosophers in order to help determine their views on 30 central philosophical issues. 
This a}, language = {en}, number = {3}, urldate = {2017-04-14}, journal = {Philosophical Studies}, author = {Bourget, David and Chalmers, David J.}, month = sep, year = {2014}, pages = {465--500}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/3W6QKGSU/Bourget and Chalmers - 2014 - What do philosophers believe.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/BPJC5PA6/10.html:text/html} } @book{nipkow_isabelle/hol_2002, address = {Berlin}, title = {Isabelle/{HOL}}, isbn = {978-3-540-43376-7 978-3-540-45949-1}, url = {http://link.springer.com/10.1007/3-540-45949-9}, urldate = {2017-04-16}, publisher = {Springer}, author = {Nipkow, Tobias and Wenzel, Markus and Paulson, Lawrence}, year = {2002}, file = {bok%3A978-3-540-45949-1.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/MHS48R93/bok%3A978-3-540-45949-1.pdf:application/pdf} } @book{chalmers_conscious_1996, address = {Oxford}, title = {The {Conscious} {Mind}}, shorttitle = {The {Conscious} {Mind}}, publisher = {Oxford University Press}, author = {Chalmers, David}, year = {1996}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/Q3ECCQP2/undefined.html:text/html} } @book{chalmers_constructing_2012, address = {Oxford}, title = {Constructing the {World}}, publisher = {Oxford University Press}, author = {Chalmers, David}, year = {2012}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/VDG8M8DH/undefined.html:text/html} } @incollection{lepore_two-dimensional_2006, title = {Two-{Dimensional} {Semantics}}, booktitle = {Oxford {Handbook} of the {Philosophy} of {Language}}, publisher = {Oxford University Press}, author = {Chalmers, David J.}, editor = {Lepore, E. 
and Smith, B.}, year = {2006}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/I2TNUS2S/undefined.html:text/html} } @article{chalmers_conceptual_2001, title = {Conceptual {Analysis} and {Reductive} {Explanation}}, volume = {110}, number = {3}, journal = {Philosophical Review}, author = {Chalmers, David J. and Jackson, Frank}, year = {2001}, pages = {315--61}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/NEEIVSI6/undefined.html:text/html} } @incollection{chalmers_does_2002, title = {Does {Conceivability} {Entail} {Possibility}?}, booktitle = {Conceivability and {Possibility}}, publisher = {Oxford University Press}, author = {Chalmers, David J.}, editor = {Gendler, Tamar S. and Hawthorne, John}, year = {2002}, pages = {145--200}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/HDPTPKN5/undefined.html:text/html} } @incollection{garcia-carpintero_foundations_2006, title = {The {Foundations} of {Two}-{Dimensional} {Semantics}}, booktitle = {Two-{Dimensional} {Semantics}: {Foundations} and {Applications}}, publisher = {Oxford University Press}, author = {Chalmers, David J.}, editor = {Garcia-Carpintero, Manuel and Macia, Josep}, year = {2006}, pages = {55--140}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/S2XEIVW4/undefined.html:text/html} } @article{chalmers_why_2015, title = {Why {Isn}'t {There} {More} {Progress} in {Philosophy}?}, volume = {90}, number = {1}, journal = {Philosophy}, author = {Chalmers, David J.}, year = {2015}, pages = {3--31}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/NASZRV5M/undefined.html:text/html} } @article{chalmers_actuality_2011, title = {Actuality and {Knowability}}, volume = {71}, number = 
{3}, journal = {Analysis}, author = {Chalmers, David J.}, year = {2011}, pages = {411--419}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/F97AN9PU/undefined.html:text/html} } @incollection{chalmers_nature_2011, title = {The {Nature} of {Epistemic} {Space}}, booktitle = {Epistemic {Modality}}, publisher = {Oxford University Press}, author = {Chalmers, David J.}, editor = {Egan, Andy and Weatherson, Brian}, year = {2011}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/2W8NJJ8G/undefined.html:text/html} } @article{chalmers_sense_2002, title = {On {Sense} and {Intension}}, volume = {16}, number = {s16}, journal = {Philosophical Perspectives}, author = {Chalmers, David J.}, year = {2002}, pages = {135--82}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/5JQRKQ5T/undefined.html:text/html} } @incollection{chalmers_two-dimensional_2010, address = {Oxford}, title = {The {Two}-{Dimensional} {Argument} {Against} {Materialism}}, booktitle = {The {Character} of {Consciousness}}, publisher = {Oxford University Press}, author = {Chalmers, David}, year = {2010}, pages = {141--205}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/HA3ICBUP/undefined.html:text/html} } @article{chalmers_epistemic_2004, title = {Epistemic {Two}-{Dimensional} {Semantics}}, volume = {118}, issn = {0031-8116, 1573-0883}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1023/B:PHIL.0000019546.17135.e0}, doi = {10.1023/B:PHIL.0000019546.17135.e0}, language = {en}, number = {1-2}, urldate = {2017-04-17}, journal = {Philosophical Studies}, author = {Chalmers, David}, year = {2004}, pages = {153--226}, file = {Full Text PDF:/Users/nus/Library/Application 
Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/N2NDS2A6/Chalmers - 2004 - Epistemic Two-Dimensional Semantics.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/N7GSB7DD/10.1023BPHIL.0000019546.17135.html:text/html} } @incollection{stalnaker_assertion_1999, address = {Oxford}, title = {Assertion}, booktitle = {Context and {Content}}, publisher = {Oxford University Press}, author = {Stalnaker, Robert}, year = {1999}, pages = {78--95}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/TRRXFTCA/undefined.html:text/html} } @incollection{kaplan_demonstratives_1989, title = {Demonstratives}, booktitle = {Themes {From} {Kaplan}}, publisher = {Oxford University Press}, author = {Kaplan, David}, editor = {Almog, Joseph and Perry, John and Wettstein, Howard}, year = {1989}, pages = {481--563}, file = {PhilPapers - Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/SPR66QIR/undefined.html:text/html} } @book{loveland_automated_1978, address = {Amsterdam}, title = {Automated {Theorem} {Proving}}, isbn = {978-0-7204-0499-9}, shorttitle = {Automated {Theorem} {Proving}}, language = {en}, publisher = {North-Holland Publishing Company}, author = {Loveland, Donald}, year = {1978} } @incollection{lewis_index_1980, title = {Index, {Context}, and {Content}}, copyright = {©1981 D. Reidel Publishing Company}, isbn = {978-94-009-9014-2 978-94-009-9012-8}, url = {http://link.springer.com/chapter/10.1007/978-94-009-9012-8_6}, abstract = {If a grammar is to do its jobs as part of a systematic restatement of our common knowledge about our practices of linguistic communication, it must assign semantic values that determine which sentences are true in which contexts. 
If the semantic values of sentences also serve to help determine the semantic values of larger sentences having the given sentence as a constituent, then also the semantic values must determine how the truth of a sentence varies when certain features of context are shifted, one feature at a time.}, language = {en}, urldate = {2017-04-17}, booktitle = {Philosophy and {Grammar}}, publisher = {Springer}, author = {Lewis, Davis}, editor = {Kanger, Stig and Ohman, Sven}, year = {1980}, note = {DOI: 10.1007/978-94-009-9012-8\_6}, keywords = {Philosophy of Language}, pages = {79--100}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/X9Q68U9B/Lewis - 1980 - Index, Context, and Content.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/A27HH6FG/10.html:text/html} } @inproceedings{haftmann_local_2008, title = {Local {Theory} {Specifications} in {Isabelle}/{Isar}}, url = {https://link-springer-com.libproxy1.nus.edu.sg/chapter/10.1007/978-3-642-02444-3_10}, doi = {10.1007/978-3-642-02444-3_10}, abstract = {The proof assistant Isabelle has recently acquired a “local theory” concept that integrates a variety of mechanisms for structured specifications into a common framework. 
We explicitly separate a loca}, language = {en}, urldate = {2017-05-02}, booktitle = {{SpringerLink}}, publisher = {Springer, Berlin, Heidelberg}, author = {Haftmann, Florian and Wenzel, Makarius}, month = mar, year = {2008}, pages = {153--168}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/BM9HE3V8/Haftmann and Wenzel - 2008 - Local Theory Specifications in IsabelleIsar.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/C77HNI3R/978-3-642-02444-3_10.html:text/html} } @article{church_formulation_1940, title = {A {Formulation} of the {Simple} {Theory} of {Types}}, volume = {5}, issn = {0022-4812}, url = {http://www.jstor.org.libproxy1.nus.edu.sg/stable/2266170}, doi = {10.2307/2266170}, number = {2}, urldate = {2017-05-15}, journal = {The Journal of Symbolic Logic}, author = {Church, Alonzo}, year = {1940}, pages = {56--68}, file = {JSTOR Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/FUPQ3RVJ/Church - 1940 - A Formulation of the Simple Theory of Types.pdf:application/pdf} } @article{eder_formal_2015, title = {Formal reconstructions of {St}. {Anselm}’s ontological argument}, volume = {192}, issn = {0039-7857, 1573-0964}, url = {https://link-springer-com.libproxy1.nus.edu.sg/article/10.1007/s11229-015-0682-8}, doi = {10.1007/s11229-015-0682-8},
- abstract = {In this paper, we discuss formal reconstructions of Anselm’s ontological argument. We first present a number of requirements that any successful reconstruction should meet. We then offer a detailed preparatory study of the basic concepts involved in Anselm’s argument. Next, we present our own reconstructions—one in modal logic and one in classical logic—and compare them with each other and with existing reconstructions from the reviewed literature. 
Finally, we try to show why and how one can gain a better understanding of Anselm’s argument by using modern formal logic. In particular, we try to explain why formal reconstructions of the argument, despite its apparent simplicity, tend to become quite involved.},
+ abstract = {In this paper, we discuss formal reconstructions of Anselm’s ontological argument. We first present a number of requirements that any successful reconstruction should meet. We then offer a detailed preparatory study of the basic concepts involved in Anselm’s argument. Next, we present our own reconstructions---one in modal logic and one in classical logic---and compare them with each other and with existing reconstructions from the reviewed literature. Finally, we try to show why and how one can gain a better understanding of Anselm’s argument by using modern formal logic. In particular, we try to explain why formal reconstructions of the argument, despite its apparent simplicity, tend to become quite involved.},
 language = {en}, number = {9}, urldate = {2017-09-04}, journal = {Synthese}, author = {Eder, Günther and Ramharter, Esther}, month = oct, year = {2015}, pages = {2795--2825}, file = {Full Text PDF:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/HQUFC7QC/Eder and Ramharter - 2015 - Formal reconstructions of St. 
Anselm’s ontological.pdf:application/pdf;Snapshot:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/S2IMR2F2/10.html:text/html} } @article{rushby_mechanized_2016, title = {Mechanized {Analysis} {Of} a {Formalization} of {Anselm}’s {Ontological} {Argument} by {Eder} and {Ramharter}}, url = {http://www.csl.sri.com/~rushby/papers/er-ontarg.pdf}, journal = {CSL technical note, SRI International, Menlo Park, CA}, author = {Rushby, John}, year = {2016} } @article{gratz_computerized_nodate, title = {Computerized {Verification} of {Formal} {Reconstructions} of {Anselm}’s {Argument} by {Eder} and {Ramharter}}, url = {http://page.mi.fu-berlin.de/cbenzmueller/compmeta/htdocs/poster4.pdf}, author = {Grätz, Lukas and Schütz, Fabian and Benzmüller, C. and Steen, A. and Wisniewski, M.}, file = {[PDF] fu-berlin.de:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/BS9BHCIN/Grätz et al. - Computerized Verification of Formal Reconstruction.pdf:application/pdf} } @article{rushby_proofs_nodate, title = {Proofs and {Assurance} {The} {Case} of {The} {Ontological} {Argument}}, url = {http://www.csl.sri.com/~rushby/slides/marktoberdorf16-3.pdf}, author = {Rushby, John} } @article{fuenmayor_types_2017, title = {Types, {Tableaus} and {Godel}'s {God} in {Isabelle}/{HOL}}, issn = {2150-914x}, url = {http://isa-afp.org/entries/Types_Tableaus_and_Goedels_God.html}, journal = {Archive of Formal Proofs}, author = {Fuenmayor, David and Benzmuller, Christoph}, year = {2017}, file = {document.pdf:/Users/nus/Library/Application Support/Zotero/Profiles/zo5xklzu.default/zotero/storage/RJ4AAEFZ/document.pdf:application/pdf} }
\ No newline at end of file
diff --git a/thys/Architectural_Design_Patterns/document/root.bib b/thys/Architectural_Design_Patterns/document/root.bib
--- a/thys/Architectural_Design_Patterns/document/root.bib
+++ b/thys/Architectural_Design_Patterns/document/root.bib
@@ -1,2504 +1,2504 @@ % Encoding: UTF-8 @InProceedings{Mavridou2016, author = {Anastasia Mavridou and Eduard Baranov and Simon Bliudze and Joseph Sifakis}, title = {Architecture Diagrams: {A} Graphical Language for Architecture Style Specification}, booktitle = {Proceedings 9th Interaction and Concurrency Experience, {ICE} 2016, Heraklion, Greece, 8-9 June 2016.}, year = {2016}, pages = {83--97}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/journals/corr/MavridouBBS16}, crossref = {Bartoletti2016}, doi = {10.4204/EPTCS.223.6}, file = {:APVerification\\2016_Mavridou_Diagrams.pdf:PDF}, owner = {Diego}, timestamp = {Wed, 14 Jun 2017 20:37:22 +0200}, url = {https://doi.org/10.4204/EPTCS.223.6}, } @InProceedings{Marmsoler2015, author = {Diego Marmsoler and Alexander Malkis and Jonas Eckhardt}, title = {A Model of Layered Architectures}, booktitle = {Proceedings 12th International Workshop on Formal Engineering approaches to Software Components and Architectures, {FESCA} 2015, London, United Kingdom, April 12th, 2015.}, year = {2015}, pages = {47--61}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/journals/corr/MarmsolerME15}, crossref = {Buhnova2015}, doi = {10.4204/EPTCS.178.5}, owner = {Diego}, timestamp = {Mon, 06 Nov 2017 12:14:01 +0100}, url = {https://doi.org/10.4204/EPTCS.178.5}, } @InProceedings{Marmsoler2017c, author = {Diego Marmsoler}, title = {Towards a Calculus for Dynamic Architectures}, booktitle = {Theoretical Aspects of Computing - {ICTAC} 2017 - 14th International Colloquium, Hanoi, Vietnam, October 23-27, 2017, Proceedings}, year = {2017}, pages = {79--99}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/ictac/Marmsoler17}, crossref = {Hung2017}, doi = {10.1007/978-3-319-67729-3_6}, owner = {Diego}, timestamp = {Fri, 29 Sep 2017 10:38:43 +0200}, url = 
{https://doi.org/10.1007/978-3-319-67729-3_6}, } @InProceedings{Zdun2005, author = {Uwe Zdun and Paris Avgeriou}, title = {Modeling architectural patterns using architectural primitives}, booktitle = {Proceedings of the 20th Annual {ACM} {SIGPLAN} Conference on Object-Oriented Programming, Systems, Languages, and Applications, {OOPSLA} 2005, October 16-20, 2005, San Diego, CA, {USA}}, year = {2005}, pages = {133--146}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/oopsla/ZdunA05}, crossref = {Johnson2005}, doi = {10.1145/1094811.1094822}, owner = {Diego}, timestamp = {Wed, 25 Jun 2008 19:46:34 +0200}, url = {http://doi.acm.org/10.1145/1094811.1094822}, } @InProceedings{Li2013, author = {Yi Li and Meng Sun}, title = {Modeling and Analysis of Component Connectors in Coq}, booktitle = {Formal Aspects of Component Software - 10th International Symposium, {FACS} 2013, Nanchang, China, October 27-29, 2013, Revised Selected Papers}, year = {2013}, pages = {273--290}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/facs2/LiS13}, crossref = {Fiadeiro2014}, doi = {10.1007/978-3-319-07602-7_17}, owner = {Diego}, timestamp = {Fri, 19 May 2017 01:26:24 +0200}, url = {https://doi.org/10.1007/978-3-319-07602-7_17}, } @InProceedings{Marmsoler2018b, author = {Diego Marmsoler}, title = {A Framework for the Verification of Dynamic Architectures based on Co-Inductive Lists}, booktitle = {Interactive Theorem Proving - 9th International Conference, {ITP} 2018, Proceedings}, year = {2018}, note = {Under review}, bibsource = {dblp computer science bibliography, https://dblp.org}, biburl = {https://dblp.org/rec/bib/conf/itp/KaliszykUV17}, } @InProceedings{Marmsoler2018e, author = {Diego Marmsoler}, title = {Towards Verified Blockchain Architectures}, booktitle = {Theoretical Aspects of Computing - {ICTAC} 2018 - 15th International Colloquium, Proceedings}, year = {2018}, 
note = {Under review}, } @Article{Abowd1995, author = {Abowd, Gregory D and Allen, Robert and Garlan, David}, title = {Formalizing Style to Understand Descriptions of Software Architecture}, journal = {ACM Transactions on Software Engineering and Methodology (TOSEM)}, year = {1995}, volume = {4}, number = {4}, pages = {319--364}, doi = {10.1145/226241.226244}, file = {:APSpecification\\Abowd_1995_Formalizing_Style_to_Understand_Desctiptions_of_SA.pdf:PDF}, owner = {Diego}, publisher = {ACM}, timestamp = {2015.08.21}, } @InCollection{Allen1998, author = {Allen, Robert and Douence, Remi and Garlan, David}, title = {Specifying and Analyzing Dynamic Software Architectures}, booktitle = {Fundamental Approaches to Software Engineering}, publisher = {Springer Berlin Heidelberg}, year = {1998}, editor = {Egidio Astesiano}, volume = {1382}, series = {Lecture Notes in Computer Science}, pages = {21--37}, doi = {10.1007/bfb0053581}, file = {:APSpecification\\Allen_1998_Specifying_Analyzing_Dynamic_Software_Architectures.pdf:PDF}, owner = {Diego}, timestamp = {2015.09.15}, } @TechReport{Allen1997, Title = {A Formal Approach to Software Architecture.}, Author = {Allen, Robert J}, Institution = {DTIC Document}, Year = {1997}, File = {:APSpecification\\Allen_1997_Formal_Software_Architectures.pdf:PDF}, Owner = {Diego}, Timestamp = {2015.08.21} } @Article{Arbab2004, author = {Arbab, Farhad}, title = {Reo: a channel-based coordination model for component composition}, journal = {Mathematical structures in computer science}, year = {2004}, volume = {14}, number = {03}, pages = {329--366}, doi = {10.1017/s0960129504004153}, file = {:CoordinationLanguages\\Arbab_2004_Reo.pdf:PDF}, owner = {Diego}, publisher = {Cambridge Univ Press}, timestamp = {2016.01.14}, } @Article{Baier2006, Title = {Modeling component connectors in Reo by constraint automata}, Author = {Baier, Christel and Sirjani, Marjan and Arbab, Farhad and Rutten, Jan}, Journal = {Science of computer programming}, Year = 
{2006}, Number = {2}, Pages = {75--113}, Volume = {61}, File = {:CoordinationLanguages\\Baier_2006_Reo_CA.pdf:PDF}, Owner = {Diego}, Publisher = {Elsevier}, Timestamp = {2016.01.25} } @TechReport{Basili1992, author = {Basili, Victor R}, title = {Software modeling and measurement: the Goal/Question/Metric paradigm}, year = {1992}, file = {:Methods\\Basili_1992_GQM.pdf:PDF}, owner = {Diego}, timestamp = {2016.04.05}, } @Book{Bass2007, Title = {Software Architecture in Practice}, Author = {Bass, Len and Clements, Paul and Kazman, Rick}, Publisher = {Addison-Wesley Longman Publishing Co., Inc.}, Year = {2007}, Owner = {Diego}, Timestamp = {2016.03.08} } @InProceedings{Bernardo2000, author = {Bernardo, Marco and Ciancarini, Paolo and Donatiello, Lorenzo}, title = {On the Formalization of Architectural Types with Process Algebras}, booktitle = {ACM SIGSOFT Software Engineering Notes}, year = {2000}, volume = {25}, number = {6}, pages = {140--148}, organization = {ACM}, doi = {10.1145/357474.355064}, file = {:APSpecification\\Bernardo_2000_On_the_Formalization_of_Architectural_Types.pdf:PDF}, owner = {Diego}, timestamp = {2015.08.21}, } @InProceedings{Bradbury2004, author = {Bradbury, Jeremy S and Cordy, James R and Dingel, Juergen and Wermelinger, Michel}, title = {A survey of self-management in dynamic software architecture specifications}, booktitle = {Proceedings of the 1st {ACM} {SIGSOFT} workshop on Self-managed systems}, year = {2004}, pages = {28--33}, organization = {ACM}, publisher = {{ACM} Press}, doi = {10.1145/1075405.1075411}, file = {:DynamicSystems\\Bradbury_2004_Survey.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.03}, } @InCollection{Bratthall2000, author = {Bratthall, Lars and Johansson, Enrico and Regnell, Bj{\"o}rn}, title = {Is a Design Rationale Vital when Predicting Change Impact? 
--A Controlled Experiment on Software Architecture Evolution}, booktitle = {Product Focused Software Process Improvement}, publisher = {Springer}, year = {2000}, pages = {126--139}, doi = {10.1007/978-3-540-45051-1_14}, file = {:Motivation\\Bratthall_2000_RationalAndChange.pdf:PDF}, owner = {Diego}, timestamp = {2016.03.07}, } @InCollection{Broy2014, author = {Broy, Manfred}, title = {A Model of Dynamic Systems}, booktitle = {From Programs to Systems. The Systems Perspective in Computing}, publisher = {Springer Berlin Heidelberg}, year = {2014}, editor = {Bensalem, Saddek and Lakhneck, Yassine and Legay, Axel}, volume = {8415}, series = {Lecture Notes in Computer Science}, pages = {39-53}, isbn = {978-3-642-54847-5}, doi = {10.1007/978-3-642-54848-2_3}, file = {:Broy_2014_Model_Dynamic_Systems.pdf:PDF}, keywords = {Dynamic Systems; Mobility; Instantiation}, language = {English}, owner = {Diego}, timestamp = {2015.08.27}, url = {https://doi.org/10.1007/978-3-642-54848-2_3}, } @Unpublished{Broy2015, Title = {Theory and Methodology of Assumption/Promise Based System Interface Specification and Architectural Contracts}, Author = {Broy, Manfred}, Note = {TBP}, Year = {2015}, Abstract = {This paper addresses foundations, basic concepts, and paradigms for the specification of and reasoning about interactive real-time systems, their interfaces, and architectures as well as their properties in terms of contracts. Contracts are structured into assumptions about the behavior of the operational context of systems and promises about the system behavior (in the literature also called assumption/guarantee or assumption/commitment specification patterns). A logical analysis of assumption/promise specifications is carried out based on a mathematical system model: * From assumption/promise contracts two versions of interface specifications are derived and analysed. * Safety and liveness properties for assumption/promise contracts are analysed. 
* Healthiness conditions are worked out for assumption/promise contracts. * From interaction specifications describing the interaction between two systems assumption/promise contracts for the involved systems are derived. * Contracts for components in architectures are studied in terms of assumptions and promises and healthiness conditions are worked out that guarantee that assumptions for the composite systems guarantee the validity of the assumptions for components. Based on the theoretical analysis more practical issues are dealt with for a systematic use of assumption/promise patterns in system specification and architecture design.}, File = {:Broy_2015_Assumption_Promise.pdf:PDF;:Contracts\\Broy_2015_Assumption_Promise.pdf:PDF}, Keywords = {Specification, Design, Contracts, Assumptions, Commitments, Promises, Context, System Specification, Safety, Liveness, Causality, Realizability, Interface, Architecture}, Owner = {Diego}, Timestamp = {2015.07.02} } @Misc{Broy2011, Title = {Towards a Theory of Architectural Contracts:-Schemes and Patterns of Assumption/Promise Based System Specification.}, Author = {Broy, Manfred}, Year = {2011}, File = {:Contracts\\Broy_2011_Contracts.pdf:PDF}, Owner = {Diego}, Timestamp = {2016.02.14} } @Article{Broy2011a, author = {Broy, Manfred}, title = {Can practitioners neglect theory and theoreticians neglect practice?}, journal = {IEEE Computer}, year = {2011}, volume = {44}, number = {10}, pages = {19--24}, file = {:Theory\\Broy_2011_theory_practice.pdf:PDF}, owner = {Diego}, timestamp = {2016.02.15}, } @Article{Broy2010, author = {Broy, Manfred}, title = {A Logical Basis for Component-Oriented Software and Systems Engineering}, journal = {The Computer Journal}, year = {2010}, volume = {53}, number = {10}, pages = {1758--1782}, month = feb, doi = {10.1093/comjnl/bxq005}, file = {:Specification_Techniques\\Broy_2010_A_Logical_Basis.pdf:PDF}, owner = {Diego}, publisher = {Oxford University Press ({OUP})}, timestamp = {2016.03.08}, } 
@InCollection{Broy2005, Title = {Service-oriented systems engineering: Specification and design of services and layered architectures}, Author = {Broy, Manfred}, Booktitle = {Engineering Theories of Software Intensive Systems}, Publisher = {Springer}, Year = {2005}, Pages = {47--81}, File = {:Broy_2005_Janus_Approach.pdf:PDF}, Owner = {Diego}, Timestamp = {2015.07.03} } @Article{Broy2007, Title = {A formal model of services}, Author = {Broy, Manfred and Kr{\"u}ger, Ingolf H and Meisinger, Michael}, Journal = {ACM Transactions on Software Engineering and Methodology (TOSEM)}, Year = {2007}, Number = {1}, Pages = {5}, Volume = {16}, File = {:Broy_2007_Services.pdf:PDF}, Owner = {Diego}, Publisher = {ACM}, Timestamp = {2015.07.03} } @Book{Buschmann1996, title = {Pattern-Oriented Software Architecture: A System of Patterns}, publisher = {Wiley West Sussex, England}, year = {1996}, author = {Buschmann, Frank and Meunier, Regine and Rohnert, Hans and Sommerlad, Peter and Stal, Michael}, file = {:Software_Architecture\\Buschmann_1996_POSA.pdf:PDF}, owner = {Diego}, timestamp = {2016.01.22}, } @InCollection{Castro2010, author = {Castro, Pablo F and Aguirre, Nazareno M and Pombo, Carlos Gustavo L{\'o}pez and Maibaum, Thomas SE}, title = {Towards Managing Dynamic Reconfiguration of Software Systems in a Categorical Setting}, booktitle = {Lecture Notes in Computer Science}, publisher = {Springer}, year = {2010}, pages = {306--321}, doi = {10.1007/978-3-642-14808-8_21}, file = {:DynamicSystems\\Castro_2010_Dynamic_Reconfigurations.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.03}, } @Book{Chandy1989, Title = {Parallel program design}, Author = {Chandy, K Mani}, Publisher = {Springer}, Year = {1989}, Owner = {Diego}, Timestamp = {2016.03.09} } @InProceedings{Clements1996, author = {Clements, Paul C}, title = {A Survey of Architecture Description Languages}, booktitle = {Proceedings of the 8th International Workshop on Software Specification and Design}, year = {1996}, pages = 
{16}, organization = {IEEE Computer Society}, publisher = {{IEEE} Comput. Soc. Press}, doi = {10.1109/iwssd.1996.501143}, owner = {Diego}, timestamp = {2016.05.03}, } @Misc{MITRE2011, Title = {{CWE}/{SANS} Top 25 Most Dangerous Software Errors}, Author = {{Corporation~MITRE}}, Year = {2011}, Owner = {Diego}, Timestamp = {2016.03.08}, Url = {https://cwe.mitre.org/top25/index.html} } @Misc{Dalmau1997, Title = {{A}riane-5: Learning from Flight 501 and Preparing for 502}, Author = {Juan de Dalmau and Jacques Gigou}, Month = feb, Note = {{ESA} Bulletin Nr.\ 89}, Year = {1997}, Institution = {ESA}, Owner = {Diego}, Timestamp = {2016.03.08}, Url = {http://www.esa.int/esapub/bulletin/bullet89/dalma89.htm} } @InProceedings{Dashofy2001, author = {Dashofy, Eric M and Van der Hoek, Andr{\'e} and Taylor, Richard N}, title = {A Highly-Extensible, XML-Based Architecture Description Language}, booktitle = {Software Architecture, 2001. Proceedings. Working IEEE/IFIP Conference on}, year = {2001}, pages = {103--112}, organization = {IEEE}, doi = {10.1109/wicsa.2001.948416}, file = {:APSpecification\\Dashofy_2001_xADL.pdf:PDF}, owner = {Diego}, timestamp = {2016.03.07}, } @InProceedings{DeAlfaro2001, author = {De Alfaro, Luca and Henzinger, Thomas A}, title = {Interface theories for component-based design}, booktitle = {Embedded Software}, year = {2001}, pages = {148--165}, organization = {Springer}, file = {:Contracts\\Alfaro_2001_InterfaceTheories.pdf:PDF}, owner = {Diego}, timestamp = {2016.07.01}, } @InCollection{Dormoy2010, author = {Dormoy, Julien and Kouchnarenko, Olga and Lanoix, Arnaud}, title = {Using temporal logic for dynamic reconfigurations of components}, booktitle = {Formal Aspects of Component Software}, publisher = {Springer}, year = {2010}, pages = {200--217}, doi = {10.1007/978-3-642-27269-1_12}, file = {:DynamicArchitectures\\Dormoy_2010_TemporalLogic.pdf:PDF}, owner = {Diego}, timestamp = {2016.06.13}, } @InProceedings{Eden2001, author = {Eden, Amnon H}, title = 
{Formal specification of object-oriented design}, booktitle = {Multidisciplinary Design in Engineering}, year = {2001}, pages = {21--22}, organization = {Citeseer}, file = {:DPSpecification\\Eden_2001_LePUS.pdf:PDF}, owner = {Diego}, timestamp = {2015.08.21}, } @Article{Fiadeiro2013, author = {Fiadeiro, Jos{\'e} Luiz and Lopes, Ant{\'o}nia}, title = {A Model for Dynamic Reconfiguration in Service-oriented Architectures}, journal = {Software \& Systems Modeling}, year = {2013}, volume = {12}, number = {2}, pages = {349--367}, doi = {10.1007/s10270-012-0236-1}, file = {:DynamicSystems\\Fiadeiro_2013_DynamicReconfiguration.pdf:PDF}, owner = {Diego}, publisher = {Springer}, timestamp = {2016.05.10}, } @InCollection{Garlan2003, author = {Garlan, David}, title = {Formal Modeling and Analysis of Software Architecture: Components, Connectors, and Events}, booktitle = {Formal Methods for Software Architectures}, publisher = {Springer}, year = {2003}, pages = {1--24}, doi = {10.1007/978-3-540-39800-4_1}, file = {:APSpecification\\Garlan_2003_Formal_Modeling_and_Analysis_of_Software_Architecture.pdf:PDF}, owner = {Diego}, timestamp = {2015.08.21}, } @InProceedings{Garlan2000, author = {Garlan, David}, title = {Software Architecture: a Roadmap}, booktitle = {Proceedings of the Conference on the Future of Software Engineering}, year = {2000}, pages = {91--101}, organization = {ACM}, doi = {10.1145/336512.336537}, file = {:Motivation\\Garlan_2000_Software_Architecture_Roadmap.pdf:PDF}, owner = {Diego}, timestamp = {2015.08.27}, } @Article{Hirsch2002, author = {Hirsch, Dan and Montanari, Ugo}, title = {Two Graph-Based Techniques for Software Architecture Reconfiguration}, journal = {Electronic Notes in Theoretical Computer Science}, year = {2002}, volume = {51}, pages = {177--190}, month = may, doi = {10.1016/s1571-0661(04)80201-9}, file = {:DynamicSystems\\Hirsch_2002_Graph-Based_Techniques.pdf:PDF}, owner = {Diego}, publisher = {Elsevier}, timestamp = {2016.05.03}, } 
@Article{Hoare1978, author = {Hoare, Charles Antony Richard}, title = {Communicating sequential processes}, journal = {Communications of the ACM}, year = {1978}, volume = {21}, number = {8}, pages = {666--677}, file = {:Specification_Techniques\\Hoare_1985_CSP.pdf:PDF}, owner = {Diego}, publisher = {ACM}, timestamp = {2015.08.21}, } @Book{Hungerford2012, Title = {Abstract algebra: an introduction}, Author = {Hungerford, Thomas}, Publisher = {Cengage Learning}, Year = {2012}, Owner = {Diego}, Timestamp = {2016.03.15} } @Article{Inverardi1995, author = {Inverardi, Paola and Wolf, Alexander L}, title = {Formal Specification and Analysis of Software Architectures Using the Chemical Abstract Machine Model}, journal = {Software Engineering, IEEE Transactions on}, year = {1995}, volume = {21}, number = {4}, pages = {373--386}, doi = {10.1109/32.385973}, file = {:APSpecification\\Inverardi_1995_CHAM.pdf:PDF}, owner = {Diego}, publisher = {IEEE}, timestamp = {2016.01.22}, } @Article{Jackson2002, author = {Jackson, Daniel}, title = {Alloy: A Lightweight Object Modelling Notation}, journal = {ACM Transactions on Software Engineering and Methodology (TOSEM)}, year = {2002}, volume = {11}, number = {2}, pages = {256--290}, doi = {10.1145/505145.505149}, file = {:Specification_Techniques\\Jackson_2002_Alloy.pdf:PDF}, owner = {Diego}, publisher = {ACM}, timestamp = {2015.08.26}, } @Article{Johnson2012, author = {Johnson, Pontus and Ekstedt, Mathias and Jacobson, Ivar}, title = {Where's the theory for software engineering?}, journal = {IEEE software}, year = {2012}, number = {5}, pages = {96}, file = {:Theory\\Johnson_2012_TheoryInSE.pdf:PDF}, owner = {Diego}, publisher = {IEEE}, timestamp = {2016.02.15}, } @InProceedings{Kim2006, author = {Kim, Jung Soo and Garlan, David}, title = {Analyzing Architectural Styles with Alloy}, booktitle = {Proceedings of the ISSTA 2006 workshop on Role of software architecture for testing and analysis}, year = {2006}, pages = {70--80}, organization 
= {ACM}, doi = {10.1145/1147249.1147259}, file = {:RelatedWork\\2006_Kim_Styles_Alloy.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.27}, } @Article{Kitchenham2009, Title = {Systematic literature reviews in software engineering--a systematic literature review}, Author = {Kitchenham, Barbara and Brereton, O Pearl and Budgen, David and Turner, Mark and Bailey, John and Linkman, Stephen}, Journal = {Information and software technology}, Year = {2009}, Number = {1}, Pages = {7--15}, Volume = {51}, File = {:Methods\\Kitchenham_2009_SLR.pdf:PDF}, Owner = {Diego}, Publisher = {Elsevier}, Timestamp = {2016.04.05} } @Article{LeMetayer1998, author = {Le M{\'{e}}tayer, Daniel}, title = {Describing Software Architecture Styles Using Graph Grammars}, journal = {IEEE Transactions on Software Engineering}, year = {1998}, volume = {24}, number = {7}, pages = {521--533}, doi = {10.1109/32.708567}, file = {:APSpecification\\Metayer_1998_Software_Architecture_Styles_as_Graph_Grammars.pdf:PDF}, owner = {Diego}, publisher = {IEEE}, timestamp = {2015.08.21}, } @Article{Luckham1995, author = {Luckham, David C and Kenney, John J and Augustin, Larry M and Vera, James and Bryan, Doug and Mann, Walter}, title = {Specification and Analysis of System Architecture Using Rapide}, journal = {Software Engineering, IEEE Transactions on}, year = {1995}, volume = {21}, number = {4}, pages = {336--354}, doi = {10.1109/32.385971}, file = {:APSpecification\\Luckham_1995_Rapide.pdf:PDF}, owner = {Diego}, publisher = {IEEE}, timestamp = {2015.09.15}, } @InProceedings{Mak2004, author = {Mak, Jeffrey KH and Choy, Clifford ST and Lun, Daniel PK}, title = {Precise modeling of design patterns in UML}, booktitle = {Software Engineering}, year = {2004}, pages = {252--261}, organization = {IEEE}, file = {:DPSpecification\\Mak_2004_Precise_Modeling_of_Design_Patterns_in_UML.pdf:PDF}, owner = {Diego}, timestamp = {2015.08.21}, } @InProceedings{Malkis2015, Title = {A Model of Service-Oriented Architectures}, Author 
= {Malkis, Alexander and Marmsoler, Diego}, Booktitle = {Components, Architectures and Reuse Software (SBCARS), 2015 IX Brazilian Symposium on}, Year = {2015}, Organization = {IEEE}, Pages = {110--119}, File = {:Me\\Malkis_2015_A_Model_Of_Service-Oriented_Architectures.pdf:PDF}, Owner = {Diego}, Timestamp = {2016.02.15} } @Book{Manna2012, title = {The Temporal Logic of Reactive and Concurrent Systems}, publisher = {Springer New York}, year = {1992}, author = {Manna, Zohar and Pnueli, Amir}, doi = {10.1007/978-1-4612-0931-7}, owner = {Diego}, timestamp = {2016.03.08}, } @Misc{Marmsoler_BB, author = {Diego Marmsoler}, title = {{Isabelle/HOL} theory for the {Blackboard} pattern}, howpublished = {\url{http://www.marmsoler.com/pattern/Blackboard.thy}}, file = {:Me\\Marmsoler_PSL.pdf:PDF}, owner = {Diego}, timestamp = {2016.09.01}, url = {http://www.marmsoler.com/pattern/Blackboard.thy}, } @Misc{Marmsoler_PS, Title = {{Isabelle/HOL} theory for the {Publish-Subscriber} pattern}, Author = {Diego Marmsoler}, HowPublished = {\url{http://www.marmsoler.com/pattern/PublishSubscribe.thy}}, File = {:Me\\Marmsoler_PSL.pdf:PDF}, Owner = {Diego}, Timestamp = {2016.09.01}, Url = {\url{http://www.marmsoler.com/pattern/Blackboard.thy}} } @Article{Marmsoler2017, author = {Diego Marmsoler}, title = {On the Specification of Constraints for Dynamic Architectures}, journal = {ArXiv e-prints}, year = {2017}, month = mar, adsnote = {Provided by the SAO/NASA Astrophysics Data System}, adsurl = {http://adsabs.harvard.edu/abs/2017arXiv170306823M}, archiveprefix = {arXiv}, eprint = {1703.06823}, keywords = {Computer Science - Software Engineering}, primaryclass = {cs.SE}, } @InProceedings{Marmsoler2014, author = {Marmsoler, Diego}, title = {Towards a Theory of Architectural Styles}, booktitle = {Proceedings of the 22nd {ACM} {SIGSOFT} International Symposium on Foundations of Software Engineering - {FSE} 2014}, year = {2014}, pages = {823--825}, organization = {ACM}, publisher = {{ACM} Press}, 
doi = {10.1145/2635868.2661683}, file = {:Me\\Marmsoler_2014_Towards a Theory of Styles.pdf:PDF}, owner = {Diego}, timestamp = {2016.02.15}, } @InProceedings{Mavridou2015, author = {Anastasia Mavridou and Eduard Baranov and Simon Bliudze and Joseph Sifakis}, title = {Configuration Logics: Modelling Architecture Styles}, booktitle = {Formal Aspects of Component Software}, year = {2015}, editor = {Christiano Braga and Peter Csaba {\"{O}}lveczky}, volume = {9539}, series = {Lecture Notes in Computer Science}, pages = {256--274}, publisher = {Springer}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.uni-trier.de/rec/bib/conf/facs2/MavridouBBS15}, doi = {10.1007/978-3-319-28934-2_14}, file = {:DynamicArchitectures\\Mavridou_2015_ConfigurationLogics.pdf:PDF}, timestamp = {Fri, 29 Jan 2016 11:24:59 +0100}, url = {https://doi.org/10.1007/978-3-319-28934-2_14}, } @InProceedings{Medvidovic1996, author = {Medvidovic, Nenad}, title = {{ADLs} and dynamic architecture changes}, booktitle = {Joint proceedings of the second international software architecture workshop and international workshop on multiple perspectives in software development on {SIGSOFT} {\textquotesingle}96 workshops}, year = {1996}, pages = {24--27}, organization = {ACM}, publisher = {{ACM} Press}, doi = {10.1145/243327.243340}, file = {:DynamicSystems\\Medvidovic_1996_ADLsAndDynamic.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.03}, } @InProceedings{Mehta2003, author = {Mehta, Nikunj R and Medvidovic, Nenad}, title = {Composing Architectural Styles From Architectural Primitives}, booktitle = {ACM SIGSOFT Software Engineering Notes}, year = {2003}, volume = {28}, number = {5}, pages = {347--350}, organization = {ACM}, doi = {10.1145/949952.940118}, file = {:APSpecification\\Mehta_2003_StylesFromPrimitives.pdf:PDF}, owner = {Diego}, timestamp = {2016.03.07}, } @InProceedings{Mikkonen1998, author = {Mikkonen, Tommi}, title = {Formalizing design patterns}, booktitle = 
{Software engineering}, year = {1998}, pages = {115--124}, organization = {IEEE Computer Society}, file = {:DPSpecification\\Mikkonen_1998_Formalizing_Design_Patterns.pdf:PDF}, owner = {Diego}, timestamp = {2015.08.21}, } @Book{Milner1999, title = {Communicating and Mobile Systems: the $\pi$-calculus}, publisher = {Cambridge university press}, year = {1999}, author = {Milner, Robin}, isbn = {9780521658690}, owner = {Diego}, timestamp = {2016.01.22}, } @Article{Moriconi1995, author = {Moriconi, Mark and Qian, Xiaolei and Riemenschneider, Robert A}, title = {Correct Architecture Refinement}, journal = {Software Engineering, IEEE Transactions on}, year = {1995}, volume = {21}, number = {4}, pages = {356--372}, doi = {10.1109/32.385972}, file = {:APSpecification\\Moriconi_Correct_Architecture_Refinement_1995.pdf:PDF}, owner = {Diego}, publisher = {IEEE}, timestamp = {2015.08.21}, } @Book{Nipkow2002, Title = {Isabelle/HOL: a proof assistant for higher-order logic}, Author = {Nipkow, Tobias and Paulson, Lawrence C and Wenzel, Markus}, Publisher = {Springer Science \& Business Media}, Year = {2002}, Volume = {2283}, File = {:Isabelle\\tutorial.pdf:PDF}, Owner = {Diego}, Timestamp = {2016.05.02} } @InProceedings{Nuzzo2014, author = {Nuzzo, Pierluigi and Iannopollo, Antonio and Tripakis, Stavros and Sangiovanni-Vincentelli, Alberto}, title = {Are interface theories equivalent to contract theories?}, booktitle = {Formal Methods and Models for Codesign}, year = {2014}, pages = {104--113}, organization = {IEEE}, file = {:Contracts\\Nuzzo_2014_InterfaceAndContracts.pdf:PDF}, owner = {Diego}, timestamp = {2016.07.01}, } @Article{Oquendo2004, author = {Oquendo, Flavio}, title = {$\pi$-ADL: An Architecture Description Language based on the Higher-Order Typed $\pi$-Calculus for Specifying Dynamic and Mobile Software Architectures}, journal = {{ACM} {SIGSOFT} Software Engineering Notes}, year = {2004}, volume = {29}, number = {3}, pages = {1--14}, month = may, doi = 
{10.1145/986710.986728}, file = {:APSpecification\\Oquendo_2004_PIADL.pdf:PDF}, owner = {Diego}, publisher = {ACM}, timestamp = {2016.03.07}, } @InProceedings{Penix1997, author = {Penix, John and Alexander, Perry and Havelund, Klaus}, title = {Declarative Specification of Software Architectures}, booktitle = {Automated Software Engineering}, year = {1997}, pages = {201--208}, organization = {IEEE}, doi = {10.1109/ase.1997.632840}, file = {:APSpecification\\Penix_1997_Declarative_Specifications_of_SA.pdf:PDF}, owner = {Diego}, timestamp = {2015.08.21}, } @Article{Perry1992, Title = {Foundations for the study of software architecture}, Author = {Perry, Dewayne E and Wolf, Alexander L}, Journal = {ACM SIGSOFT Software Engineering Notes}, Year = {1992}, Number = {4}, Pages = {40--52}, Volume = {17}, File = {:Software_Architecture\\Perry_Wolf_1992_Foundations_for_the_Study_of_Software_Architecture.pdf:PDF}, Owner = {Diego}, Publisher = {ACM}, Timestamp = {2015.09.15} } @Article{Shaw2006, Title = {The golden age of software architecture}, Author = {Shaw, Mary and Clements, Paul}, Journal = {Software, IEEE}, Year = {2006}, Number = {2}, Pages = {31--39}, Volume = {23}, File = {:Motivation\\Shaw_2006_The_Golden_Age.pdf:PDF}, Owner = {Diego}, Publisher = {IEEE}, Timestamp = {2015.08.27} } @Book{Shaw1996, title = {Software Architecture: Perspectives on an Emerging Discipline}, publisher = {Prentice Hall Englewood Cliffs}, year = {1996}, author = {Shaw, Mary and Garlan, David}, volume = {1}, isbn = {9780131829572}, file = {:Software_Architecture\\Shaw_Garlan_1996_Software_Architecture.pdf:PDF}, owner = {Diego}, timestamp = {2015.09.15}, } @InProceedings{Soundarajan2004, author = {Soundarajan, Neelam and Hallstrom, Jason O}, title = {Responsibilities and rewards: Specifying design patterns}, booktitle = {Software Engineering}, year = {2004}, pages = {666--675}, organization = {IEEE}, file = {:DPSpecification\\Soundarajan_2004_Specifying_Design_Patterns.pdf:PDF}, owner = 
{Diego}, timestamp = {2015.08.21}, } @Book{Spivey1992, title = {The Z Notation: A Reference Manual}, publisher = {Prentice Hall}, year = {1992}, author = {Spivey, J.M.}, series = {Prentice-Hall international series in computer science}, isbn = {9780139785290}, lccn = {lc92006090}, url = {https://books.google.de/books?id=wa1QAAAAMAAJ}, } @Book{Taylor2009, title = {Software Architecture: Foundations, Theory, and Practice}, publisher = {Wiley Publishing}, year = {2009}, author = {Taylor, Richard N and Medvidovic, Nenad and Dashofy, Eric M}, isbn = {9780470167748}, file = {:Software_Architecture\\Taylor_2010_Software_Architecture_Foundation_Theory_Practice_C4.pdf:PDF}, owner = {Diego}, timestamp = {2015.09.15}, } @Article{Wenzel2007, author = {Wenzel, Makarius}, title = {Isabelle/Isar -- a generic framework for human-readable proof documents}, journal = {From Insight to Proof -- Festschrift in Honour of Andrzej Trybulec}, year = {2007}, volume = {10}, number = {23}, pages = {277--298}, file = {:Isabelle\\Wenzel_2007_ISAR.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.03}, } @InProceedings{Wermelinger2001, author = {Wermelinger, Michel and Lopes, Ant{\'o}nia and Fiadeiro, Jos{\'e} Luiz}, title = {A Graph Based Architectural (Re)configuration Language}, booktitle = {Software Engineering Notes}, year = {2001}, volume = {26}, number = {5}, pages = {21--32}, organization = {ACM}, doi = {10.1145/503271.503213}, file = {:DynamicSystems\\Wermelinger_2001_Graph_Based_Reconfig_Lang.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.03}, } @InCollection{Wirsing1990, author = {Wirsing, Martin}, title = {Algebraic Specification}, booktitle = {Handbook of Theoretical Computer Science (Vol. 
B)}, publisher = {MIT Press}, year = {1990}, editor = {van Leeuwen, Jan}, pages = {675--788}, address = {Cambridge, MA, USA}, isbn = {0-444-88074-7}, acmid = {114904}, doi = {10.1016/b978-0-444-88074-1.50018-4}, numpages = {114}, url = {http://dl.acm.org/citation.cfm?id=114891.114904}, } @InCollection{Wirsing2012, author = {Wirsing, Martin and Eckhardt, Jonas and M{\"u}hlbauer, Tobias and Meseguer, Jos{\'e}}, title = {Design and Analysis of Cloud-Based Architectures with KLAIM and Maude}, booktitle = {Rewriting Logic and Its Applications}, publisher = {Springer}, year = {2012}, pages = {54--82}, doi = {10.1007/978-3-642-34005-5_4}, file = {:RelatedWork\\2012_Wirsing_CloudMaude.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.27}, } @InProceedings{Wong2008, author = {Wong, Stephen and Sun, Jing and Warren, Ian and Sun, Jun}, title = {A Scalable Approach to Multi-Style Architectural Modeling and Verification}, booktitle = {Engineering of Complex Computer Systems}, year = {2008}, pages = {25--34}, organization = {IEEE}, doi = {10.1109/iceccs.2008.16}, file = {:RelatedWork\\2008_Wong_Multi_Style_Verification.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.27}, } @InProceedings{Zhang2012, author = {Zhang, Jiexin and Liu, Yang and Sun, Jing and Dong, Jin Song and Sun, Jun}, title = {Model Checking Software Architecture Design}, booktitle = {High-Assurance Systems Engineering}, year = {2012}, pages = {193--200}, organization = {IEEE}, doi = {10.1109/hase.2012.12}, file = {:RelatedWork\\2012_Zhang_MCArchitecture Design.pdf:PDF}, owner = {Diego}, timestamp = {2016.05.27}, } @InProceedings{Aguirre2002, author = {Aguirre, Nazareno and Maibaum, Tom}, title = {A temporal logic approach to the specification of reconfigurable component-based systems}, booktitle = {Automated Software Engineering}, year = {2002}, pages = {271--274}, organization = {IEEE}, doi = {10.1109/ase.2002.1115028}, file = {:DynamicReconfiguration\\Aguirre_2002_Temporal.pdf:PDF}, owner = {Diego}, timestamp = 
{2016.09.14}, } @InProceedings{Leger2010, author = {L{\'e}ger, Marc and Ledoux, Thomas and Coupaye, Thierry}, title = {Reliable dynamic reconfigurations in a reflective component model}, booktitle = {Component-Based Software Engineering}, year = {2010}, pages = {74--92}, organization = {Springer}, file = {:DynamicReconfiguration\\Leger_2010_DynamicReconfiguration.pdf:PDF}, owner = {Diego}, timestamp = {2016.09.14}, } @InProceedings{Broy1996, author = {Broy, Manfred}, title = {Algebraic Specification of Reactive Systems}, booktitle = {Algebraic Methodology and Software Technology}, year = {1996}, pages = {487--503}, organization = {Springer}, publisher = {Springer Berlin Heidelberg}, doi = {10.1007/bfb0014335}, file = {:AlgebraicSpec\\Broy_1996_ASReactiveSystems.pdf:PDF}, owner = {Diego}, timestamp = {2016.09.30}, } @InCollection{Bruni2008, author = {Bruni, Roberto and Bucchiarone, Antonio and Gnesi, Stefania and Hirsch, Dan and Lafuente, Alberto Lluch}, title = {Graph-based design and analysis of dynamic software architectures}, booktitle = {Concurrency, Graphs and Models}, publisher = {Springer}, year = {2008}, pages = {37--56}, file = {:DynamicReconfiguration\\Bruni_2008_Graph-Based_Design.pdf:PDF}, owner = {Diego}, timestamp = {2016.09.30}, } @Article{Oreizy1998, author = {Oreizy, Peyman and Taylor, Richard N}, title = {On the role of software architectures in runtime system reconfiguration}, journal = {IEE Proceedings-Software}, year = {1998}, volume = {145}, number = {5}, pages = {137--145}, file = {:DynamicReconfiguration\\Oreizy_1998_SA_in_Runtime_System_Reconfiguration.pdf:PDF}, owner = {Diego}, publisher = {IET}, timestamp = {2016.09.30}, } @Article{Wermelinger2002, author = {Michel Wermelinger and Jos{\'e} Luiz Fiadeiro}, title = {A graph transformation approach to software architecture reconfiguration}, journal = {Science of Computer Programming}, year = {2002}, volume = {44}, number = {2}, pages = {133 - 155}, issn = {0167-6423}, note = {Special Issue 
on Applications of Graph Transformations (GRATRA 2000)}, doi = {10.1016/s0167-6423(02)00036-9}, file = {:DynamicReconfiguration\\Wermelinger_2002_Graph_Transformation.pdf:PDF}, owner = {Diego}, timestamp = {2016.09.30}, url = {http://www.sciencedirect.com/science/article/pii/S0167642302000369}, } @InProceedings{Morrison2004, author = {Morrison, Ronald and Kirby, Graham and Balasubramaniam, Dharini and Mickan, Kath and Oquendo, Flavio and Cimpan, Sorana and Warboys, Brian and Snowdon, Bob and Greenwood, R Mark}, title = {Support for evolving software architectures in the ArchWare ADL}, booktitle = {Software Architecture, 2004. WICSA 2004. Proceedings. Fourth Working IEEE/IFIP Conference on}, year = {2004}, pages = {69--78}, organization = {IEEE}, file = {:DynamicReconfiguration\\Morrison_2004_Evolution_ArchWare.pdf:PDF}, owner = {Diego}, timestamp = {2016.09.30}, } @InProceedings{Batista2005, author = {Batista, Thais and Joolia, Ackbar and Coulson, Geoff}, title = {Managing Dynamic Reconfiguration in Component-based Systems}, booktitle = {Proceedings of the 2Nd European Conference on Software Architecture}, year = {2005}, series = {EWSA'05}, pages = {1--17}, address = {Berlin, Heidelberg}, publisher = {Springer-Verlag}, acmid = {2129035}, doi = {10.1007/11494713_1}, file = {:DynamicReconfiguration\\Batista_2005_DynamicReconfigurationinCBS.pdf:PDF}, isbn = {3-540-26275-X, 978-3-540-26275-6}, location = {Pisa, Italy}, numpages = {17}, owner = {Diego}, timestamp = {2016.09.30}, url = {https://doi.org/10.1007/11494713_1}, } @InProceedings{Fensel1997, author = {D. Fensel and A. 
Schnogge}, title = {Using KIV to specify and verify architectures of knowledge-based systems}, booktitle = {Automated Software Engineering}, year = {1997}, pages = {71-80}, month = nov, doi = {10.1109/ASE.1997.632826}, keywords = {abstract data types;formal specification;formal verification;knowledge based systems;theorem proving;Karlsruhe interactive verifier;abstract data types;algorithmic specification;dynamic logic;formal specifications;functional specification;interactive theorem prover;knowledge-based systems;proof management;proof reuse;reusable elements;specification language;Buildings;Computer architecture;Counting circuits;Environmental management;Knowledge based systems;Knowledge engineering;Logic;Problem-solving;Software architecture;Terminology}, } @InProceedings{DeLucia2010, author = {De Lucia, Andrea and Deufemia, Vincenzo and Gravino, Carmine and Risi, Michele}, title = {Improving behavioral design pattern detection through model checking}, booktitle = {Software Maintenance and Reengineering (CSMR), 2010 14th European Conference on}, year = {2010}, pages = {176--185}, organization = {IEEE}, file = {:APVerification\\Lucia_2010_DesignPatternDetection.pdf:PDF}, } @InProceedings{Me2016, author = {G. Me and C. Calero and P. 
Lago}, title = {Architectural Patterns and Quality Attributes Interaction}, booktitle = {2016 Qualitative Reasoning about Software Architectures (QRASA)}, year = {2016}, pages = {27-36}, month = {April}, doi = {10.1109/QRASA.2016.10}, } @InProceedings{Feiler2006, author = {Feiler, Peter H and Lewis, Bruce A and Vestal, Steve}, title = {The SAE Architecture Analysis \& Design Language (AADL) a standard for engineering performance critical systems}, booktitle = {Computer Aided Control System Design, Control Applications, Intelligent Control}, year = {2006}, pages = {1206--1211}, organization = {IEEE}, owner = {Diego}, timestamp = {2016.12.05}, } @InProceedings{Harrison2007, author = {Harrison, Neil B and Avgeriou, Paris}, title = {Leveraging architecture patterns to satisfy quality attributes}, booktitle = {European Conference on Software Architecture}, year = {2007}, pages = {263--270}, organization = {Springer}, owner = {Diego}, timestamp = {2016.12.05}, } @Book{Wohlin2012, title = {Experimentation in software engineering}, publisher = {Springer Science \& Business Media}, year = {2012}, author = {Wohlin, Claes and Runeson, Per and H{\"o}st, Martin and Ohlsson, Magnus C and Regnell, Bj{\"o}rn and Wessl{\'e}n, Anders}, owner = {Diego}, timestamp = {2016.12.05}, } @Article{Broy1997, author = {Broy, Manfred}, title = {Compositional refinement of interactive systems}, journal = {Journal of the ACM (JACM)}, year = {1997}, volume = {44}, number = {6}, pages = {850--891}, owner = {Diego}, publisher = {ACM}, timestamp = {2016.12.05}, } @InCollection{Basili1993, author = {Basili, Victor R}, title = {The experimental paradigm in software engineering}, booktitle = {Experimental Software Engineering Issues: Critical Assessment and Future Directions}, publisher = {Springer}, year = {1993}, pages = {1--12}, owner = {Diego}, timestamp = {2016.12.05}, } @InProceedings{Bosch2010, author = {Bosch, Jan}, title = {Architecture in the age of compositionality}, booktitle = {European 
Conference on Software Architecture}, year = {2010}, pages = {1--4}, organization = {Springer}, owner = {Diego}, timestamp = {2016.12.19}, } @Book{Winskel1993, title = {The formal semantics of programming languages: an introduction}, publisher = {MIT press}, year = {1993}, author = {Winskel, Glynn}, owner = {Diego}, timestamp = {2016.12.19}, } @Article{Reussner2003, author = {Reussner, Ralf H and Schmidt, Heinz W and Poernomo, Iman H}, title = {Reliability prediction for component-based software architectures}, journal = {Journal of systems and software}, year = {2003}, volume = {66}, number = {3}, pages = {241--252}, owner = {Diego}, publisher = {Elsevier}, timestamp = {2016.12.19}, } @Book{Roever2003, title = {Compositionality: The Significant Difference: International Symposium, COMPOS’97 Bad Malente, Germany, September 8--12, 1997 Revised Lectures}, publisher = {Springer}, year = {2003}, author = {de Roever, Willem-Paul and Langmaack, Hans and Pnueli, Amir}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{Wang1999, author = {Wang, Wen-Li and Wu, Ye and Chen, Mei-Hwa}, title = {An architecture-based software reliability model}, booktitle = {Dependable Computing}, year = {1999}, pages = {143--150}, organization = {IEEE}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{Cortellessa2002, author = {Cortellessa, Vittorio and Singh, Harshinder and Cukic, Bojan}, title = {Early reliability assessment of UML based software models}, booktitle = {Software and performance}, year = {2002}, pages = {302--309}, organization = {ACM}, owner = {Diego}, timestamp = {2016.12.19}, } @InCollection{Grassi2005, author = {Grassi, Vincenzo}, title = {Architecture-based reliability prediction for service-oriented computing}, booktitle = {Architecting dependable systems III}, publisher = {Springer}, year = {2005}, pages = {279--299}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{Rodrigues2005, author = {Rodrigues, Gena{\'\i}na and Rosenblum, David and 
Uchitel, Sebastian}, title = {Using scenarios to predict the reliability of concurrent component-based software systems}, booktitle = {Fundamental Approaches to Software Engineering}, year = {2005}, pages = {111--126}, organization = {Springer}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{Yacoub1999, author = {Yacoub, Sherif M and Cukic, Bojan and Ammar, Hany H}, title = {Scenario-based reliability analysis of component-based software}, booktitle = {Software Reliability Engineering}, year = {1999}, pages = {22--31}, organization = {IEEE}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{Sitaraman2001, author = {Sitaraman, Murali}, title = {Compositional performance reasoning}, booktitle = {Procs. Fourth ICSE Workshop on Component-Based Software Engineering: Component-Certification and System Prediction}, year = {2001}, pages = {3--10}, organization = {Citeseer}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{Sitaraman2001a, author = {Sitaraman, Murali and Kulczycki, Greg and Krone, Joan and Ogden, William F and Reddy, AL Narasimha}, title = {Performance specification of software components}, booktitle = {ACM SIGSOFT Software Engineering Notes}, year = {2001}, volume = {26}, number = {3}, pages = {3--10}, organization = {ACM}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{DiMarco2004, author = {Di Marco, Antinisca and Inverardi, Paola}, title = {Compositional generation of software architecture performance QN models}, booktitle = {Software Architecture, 2004. WICSA 2004. Proceedings. 
Fourth Working IEEE/IFIP Conference on}, year = {2004}, pages = {37--46}, organization = {IEEE}, owner = {Diego}, timestamp = {2016.12.19}, } @InCollection{Klein1999, author = {Klein, Mark H and Kazman, Rick and Bass, Len and Carriere, Jeromy and Barbacci, Mario and Lipson, Howard}, title = {Attribute-based architecture styles}, booktitle = {Software Architecture}, publisher = {Springer}, year = {1999}, pages = {225--243}, owner = {Diego}, timestamp = {2016.12.19}, } @InProceedings{Caulfield2014, author = {Tristan Caulfield and David J. Pym and Julian Williams}, title = {Compositional Security Modelling - Structure, Economics, and Behaviour}, booktitle = {Human Aspects of Information Security, Privacy, and Trust}, year = {2014}, editor = {Theo Tryfonas and Ioannis G. Askoxylakis}, volume = {8533}, series = {Lecture Notes in Computer Science}, pages = {233--245}, publisher = {Springer}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.dagstuhl.de/rec/bib/conf/hci/CaulfieldPW14}, doi = {10.1007/978-3-319-07620-1_21}, owner = {Diego}, timestamp = {2016.12.19}, } @Article{Durgin2003, author = {Nancy A. Durgin and John C. Mitchell and Dusko Pavlovic}, title = {A Compositional Logic for Proving Security Properties of Protocols}, journal = {Journal of Computer Security}, year = {2003}, volume = {11}, number = {4}, pages = {677--722}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.dagstuhl.de/rec/bib/journals/jcs/DurginMP03}, owner = {Diego}, timestamp = {2016.12.19}, url = {http://content.iospress.com/articles/journal-of-computer-security/jcs205}, } @InProceedings{Khan2003, author = {Khaled M. 
Khan and Jun Han}, title = {A Security Characterisation Framework for Trustworthy Component Based Software Systems}, booktitle = {Computer Software and Applications}, year = {2003}, pages = {164--169}, publisher = {{IEEE} Computer Society}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.dagstuhl.de/rec/bib/conf/compsac/KhanH03}, doi = {10.1109/CMPSAC.2003.1245337}, owner = {Diego}, timestamp = {2016.12.19}, } @Book{Cook1979, title = {Quasi-experimentation: Design and analysis for field settings}, publisher = {Rand McNally}, year = {1979}, author = {Cook, Thomas D and Campbell, Donald Thomas}, owner = {Diego}, timestamp = {2016.12.29}, } @Book{Campbell2015, title = {Experimental and quasi-experimental designs for research}, publisher = {Ravenio Books}, year = {2015}, author = {Campbell, Donald T and Stanley, Julian C}, owner = {Diego}, timestamp = {2016.12.29}, } @Article{Hohpe2016, author = {Hohpe, Gregor and Ozkaya, Ipek and Zdun, Uwe and Zimmermann, Olaf}, title = {The Software Architect's Role in the Digital Age}, journal = {IEEE Software}, year = {2016}, volume = {33}, number = {6}, pages = {30--39}, file = {:C\:\\Users\\Diego\\SkyDrive\\Documents\\Literature\\Role\\Hohpe_2017_RoleDigitalAge.pdf:PDF;:Role\\Hohpe_2016_RoleDigitalAge.pdf:PDF}, owner = {Diego}, publisher = {IEEE}, timestamp = {2017.01.09}, } @Article{Woods2015, author = {Woods, Eoin}, title = {Architecting in the Gaps: A Metaphor for Architecture Work.}, journal = {IEEE Software}, year = {2015}, volume = {32}, number = {4}, file = {:Role\\Woods_2015_Gaps.pdf:PDF}, owner = {Diego}, timestamp = {2017.01.09}, } @Misc{Gamma1994, author = {Gamma, Erich and Helm, Richard and Johnson, Ralph and Vlissides, John}, title = {Design Patterns: Elements of Reusable Object-Oriented Software}, year = {1994}, journal = {1994}, owner = {Diego}, publisher = {Addison-Wesley}, timestamp = {2017.01.16}, } @Article{Clarke1986, author = {Clarke, Edmund M. 
and Emerson, E Allen and Sistla, A Prasad}, title = {Automatic verification of finite-state concurrent systems using temporal logic specifications}, journal = {ACM Transactions on Programming Languages and Systems (TOPLAS)}, year = {1986}, volume = {8}, number = {2}, pages = {244--263}, owner = {Diego}, publisher = {ACM}, timestamp = {2017.03.20}, } @Article{Wiedijk2006, author = {Wiedijk, Freek}, title = {The Seventeen Provers of the World. Vol. 3600}, journal = {Lecture Notes in Computer Science. Springer-Verlag}, year = {2006}, owner = {Diego}, timestamp = {2017.03.20}, } @Article{Berry1992, author = {Berry, G{\'e}rard and Boudol, G{\'e}rard}, title = {The chemical abstract machine}, journal = {Theoretical Computer Science}, year = {1992}, volume = {96}, number = {1}, pages = {217--248}, doi = {10.1016/0304-3975(92)90185-i}, file = {:DynamicCalculus\\Berry_1992_CHAM.pdf:PDF}, owner = {Diego}, publisher = {Elsevier}, timestamp = {2017.04.07}, } @Article{Cardelli2000, author = {Cardelli, Luca and Gordon, Andrew D}, title = {Mobile ambients}, journal = {Theoretical Computer Science}, year = {2000}, volume = {240}, number = {1}, pages = {177--213}, doi = {10.1016/s0304-3975(99)00231-5}, file = {:DynamicCalculus\\Cardelli_2000_Ambients.pdf:PDF}, owner = {Diego}, publisher = {Elsevier}, timestamp = {2017.04.07}, } @Book{Gordon1979, title = {Edinburgh LCF: A Mechanized Logic of Computation}, publisher = {Springer-Verlag Berlin Heidelberg}, year = {1979}, author = {Gordon, Michael and Milner, Robin and Wadsworth, Christopher}, volume = {78}, series = {Lecture Notes in Computer Science}, edition = {1}, isbn = {978-3-540-09724-2}, doi = {10.1007/3-540-09724-4}, howpublished = {Lecture Notes in Computer Science}, owner = {Diego}, timestamp = {2017.04.12}, } @Article{Sanchez2015, author = {Sanchez, Alejandro and Madeira, Alexandre and Barbosa, Lu{\'\i}s S}, title = {On the verification of architectural reconfigurations}, journal = {Computer Languages, Systems \& 
Structures}, year = {2015}, volume = {44}, pages = {218--237}, doi = {10.1016/j.cl.2015.07.001}, file = {:DynamicReconfiguration\\Sanchez_2015_Verification_of_Reconfiguration.pdf:PDF}, owner = {Diego}, publisher = {Elsevier}, timestamp = {2017.06.01}, } @Article{Ballarin2004, author = {Ballarin, Clemens}, title = {Locales and locale expressions in Isabelle/Isar}, journal = {Lecture notes in computer science}, year = {2004}, volume = {3085}, pages = {34--50}, doi = {10.1007/978-3-540-24849-1_3}, file = {:Isabelle\\Ballarin_2004_locales.pdf:PDF}, owner = {Diego}, publisher = {Springer}, timestamp = {2017.06.01}, } @Article{Wenzel1997, author = {Wenzel, Markus}, title = {Type classes and overloading in higher-order logic}, journal = {Theorem Proving in Higher Order Logics}, year = {1997}, pages = {307--322}, doi = {10.1007/bfb0028402}, file = {:Isabelle\\Wenzel_1997_type_classes.pdf:PDF}, owner = {Diego}, publisher = {Springer}, timestamp = {2017.06.01}, } @InProceedings{Marmsoler2017a, author = {Diego Marmsoler and Silvio Degenhardt}, title = {Verifying Patterns of Dynamic Architectures using Model Checking}, booktitle = {Proceedings International Workshop on Formal Engineering approaches to Software Components and Architectures, FESCA@ETAPS 2017, Uppsala, Sweden, 22nd April 2017.}, year = {2017}, pages = {16--30}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.uni-trier.de/rec/bib/journals/corr/MarmsolerD17}, doi = {10.4204/EPTCS.245.2}, timestamp = {Wed, 03 May 2017 14:47:58 +0200}, url = {https://doi.org/10.4204/EPTCS.245.2}, } @InCollection{Marmsoler2017b, author = {Marmsoler, Diego}, title = {On the Semantics of Temporal Specifications of Component-Behavior for Dynamic Architectures}, booktitle = {Eleventh International Symposium on Theoretical Aspects of Software Engineering}, publisher = {Springer}, year = {2017}, file = {:Me\\Marmsoler_2016_PropertiesDynamicArchitectures.pdf:PDF}, owner = {Diego}, timestamp = 
{2016.09.13}, } @Article{Marmsoler2016a, author = {D. Marmsoler and M. Gleirscher}, title = {On Activation, Connection, and Behavior in Dynamic Architectures}, journal = {Scientific Annals of Computer Science}, year = {2016}, volume = {26}, number = {2}, pages = {187–248}, doi = {10.7561/SACS.2016.2.187}, organization = {``A.I. Cuza'' University, Ia\c si, Rom\^ania}, publisher = {``A.I. Cuza'' University Press, Ia\c si}, } @Article{Lochbihler2010, author = {Lochbihler, Andreas}, title = {Coinduction}, journal = {The Archive of Formal Proof s. http://isa-afp.org/entries/Coinductive.html}, year = {2010}, owner = {Diego}, timestamp = {2017.07.26}, } @Article{Marmsoler2017d, author = {Diego Marmsoler}, title = {Dynamic Architectures}, journal = {Archive of Formal Proofs}, year = {2017}, month = jul, issn = {2150-914x}, note = {\url{http://isa-afp.org/entries/DynamicArchitectures.html}, Formal proof development}, owner = {Diego}, timestamp = {2017-08-08}, } @Article{Garlan2004, author = {Garlan, David and Cheng, S-W and Huang, A-C and Schmerl, Bradley and Steenkiste, Peter}, title = {Rainbow: Architecture-based self-adaptation with reusable infrastructure}, journal = {Computer}, year = {2004}, volume = {37}, number = {10}, pages = {46--54}, owner = {Diego}, publisher = {IEEE}, timestamp = {2017.09.08}, } @Proceedings{Bartoletti2016, title = {Proceedings 9th Interaction and Concurrency Experience, {ICE} 2016, Heraklion, Greece, 8-9 June 2016}, year = {2016}, editor = {Massimo Bartoletti and Ludovic Henrio and Sophia Knight and Hugo Torres Vieira}, volume = {223}, series = {{EPTCS}}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/journals/corr/BartolettiHKV16}, doi = {10.4204/EPTCS.223}, owner = {Diego}, timestamp = {Wed, 14 Jun 2017 20:37:22 +0200}, url = {https://doi.org/10.4204/EPTCS.223}, } @Article{Attie2016, author = {Attie, Paul and Baranov, Eduard and Bliudze, Simon and Jaber, Mohamad and Sifakis, Joseph}, 
title = {A general framework for architecture composability}, journal = {Formal Aspects of Computing}, year = {2016}, volume = {28}, number = {2}, pages = {207--231}, owner = {Diego}, publisher = {Springer}, timestamp = {2017.09.27}, } @Book{Steinberg2008, title = {EMF: eclipse modeling framework}, publisher = {Pearson Education}, year = {2008}, author = {Steinberg, Dave and Budinsky, Frank and Merks, Ed and Paternostro, Marcelo}, owner = {Diego}, timestamp = {2017.09.27}, } @InProceedings{Berghofer1999, author = {Berghofer, Stefan and Wenzel, Markus}, - title = {Inductive datatypes in HOL—lessons learned in Formal-Logic Engineering}, + title = {Inductive datatypes in HOL---lessons learned in Formal-Logic Engineering}, booktitle = {International Conference on Theorem Proving in Higher Order Logics}, year = {1999}, pages = {19--36}, organization = {Springer}, owner = {Diego}, timestamp = {2017.10.18}, } @Misc{Wenzel2004, author = {Wenzel, Makarius and others}, title = {The isabelle/isar reference manual}, year = {2004}, owner = {Diego}, timestamp = {2017.10.18}, } @Book{Broy2012, title = {Specification and development of interactive systems: focus on streams, interfaces, and refinement}, publisher = {Springer Science \& Business Media}, year = {2012}, author = {Broy, Manfred and Stolen, Ketil}, owner = {Diego}, timestamp = {2017.11.10}, } @Article{Lotos1988, author = {Lotos, ISO}, title = {A formal description technique based on the temporal ordering of observational behaviour}, journal = {International Organisation for Standardization-Information Processing Systems-Open Systems Interconnection, Geneva}, year = {1988}, note = {IS 8807}, owner = {Diego}, timestamp = {2017.11.20}, } @Book{Milner1989, title = {Communication and concurrency}, publisher = {Prentice hall New York etc.}, year = {1989}, author = {Milner, Robin}, volume = {84}, owner = {Diego}, timestamp = {2017.11.20}, } @Article{Misra1988, author = {Misra, Jayadev and Chandy, KM}, title = {Parallel program 
design: a foundation}, journal = {Addison-W esley}, year = {1988}, } @InProceedings{Magee1996a, author = {Jeff Magee and Jeff Kramer}, title = {Dynamic Structure in Software Architectures}, booktitle = {{SIGSOFT} '96, Proceedings of the Fourth {ACM} {SIGSOFT} Symposium on Foundations of Software Engineering, San Francisco, California, USA, October 16-18, 1996}, year = {1996}, editor = {David Garlan}, pages = {3--14}, publisher = {{ACM}}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/sigsoft/MageeK96}, doi = {10.1145/239098.239104}, owner = {Diego}, timestamp = {2017.11.20}, } @Article{Ommering2000, author = {Rob C. van Ommering and Frank van der Linden and Jeff Kramer and Jeff Magee}, title = {The Koala Component Model for Consumer Electronics Software}, journal = {{IEEE} Computer}, year = {2000}, volume = {33}, number = {3}, pages = {78--85}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/journals/computer/OmmeringLKM00}, doi = {10.1109/2.825699}, owner = {Diego}, timestamp = {2017.11.20}, } @InProceedings{Gorlick1991, author = {Michael M. Gorlick and Rami R. Razouk}, title = {Using Weaves for Software Construction and Analysis}, booktitle = {Proceedings of the 13th International Conference on Software Engineering, Austin, TX, USA, May 13-17, 1991.}, year = {1991}, editor = {Les Belady and David R. 
Barstow and Koji Torii}, pages = {23--34}, publisher = {{IEEE} Computer Society / {ACM} Press}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/icse/GorlickR91}, owner = {Diego}, timestamp = {2017.11.20}, url = {http://portal.acm.org/citation.cfm?id=256664.256677}, } @Article{Garlan2000a, author = {Garlan, David and Monroe, Robert T and Wile, David}, title = {Acme: Architectural description of component-based systems}, journal = {Foundations of component-based systems}, year = {2000}, volume = {68}, pages = {47--68}, } @PhdThesis{Rausch2001, author = {Rausch, Andreas}, title = {Componentware}, school = {Technische Universität München}, year = {2001}, type = {Dissertation}, address = {München}, } @PhdThesis{Bergner1996, author = {Klaus Bergner}, title = {Spezifikation großer Objektgeflechte mit Komponentendiagrammen}, school = {Technische Universität München}, year = {1996}, owner = {Diego}, timestamp = {2017.11.20}, } @PhdThesis{Spichkova2007, author = {Spichkova, Maria}, title = {Specification and seamless verification of embedded real-time systems: FOCUS on Isabelle}, school = {Technical University Munich, Germany}, year = {2007}, } @TechReport{Broy1993, author = {Manfred Broy and Christian Facchi and Radu Grosu and et al.}, title = {The Requirement and Design Specification Language SPECTRUM -- An Informal Introduction}, institution = {Technische Universität München}, year = {1993}, } @InProceedings{Hoelzl2010, author = {H\"{o}lzl, Florian and Feilkas, Martin}, title = {AutoFocus 3: A Scientific Tool Prototype for Model-based Development of Component-based, Reactive, Distributed Systems}, booktitle = {Proceedings of the 2007 International Dagstuhl Conference on Model-based Engineering of Embedded Real-time Systems}, year = {2010}, series = {MBEERTS'07}, pages = {317--322}, address = {Berlin, Heidelberg}, publisher = {Springer-Verlag}, acmid = {1927576}, isbn = {3-642-16276-2, 978-3-642-16276-3}, location = 
{Dagstuhl Castle, Germany}, numpages = {6}, url = {http://dl.acm.org/citation.cfm?id=1927558.1927576}, } @Book{Bertot2013, title = {Interactive theorem proving and program development: Coq’Art: the calculus of inductive constructions}, publisher = {Springer Science \& Business Media}, year = {2013}, author = {Bertot, Yves and Cast{\'e}ran, Pierre}, } @InProceedings{Aguirre2002a, author = {Aguirre, Nazareno and Maibaum, Tom}, title = {Reasoning about Reconfigurable Object-Based Systems in a Temporal Logic Setting}, booktitle = {Proceedings of IDPT}, year = {2002}, owner = {Diego}, timestamp = {2017.11.21}, } @Article{Fiadeiro1997, author = {Fiadeiro, Jos{\'e}Luiz and Maibaum, Tom}, title = {Categorical semantics of parallel program design}, journal = {Science of Computer Programming}, year = {1997}, volume = {28}, number = {2-3}, pages = {111--138}, owner = {Diego}, publisher = {Elsevier}, timestamp = {2017.11.21}, } @Book{Rumbaugh2004, title = {Unified modeling language reference manual, the}, publisher = {Pearson Higher Education}, year = {2004}, author = {Rumbaugh, James and Jacobson, Ivar and Booch, Grady}, } @Article{Marmsoler2018, author = {Diego Marmsoler}, title = {A Calculus of Component Behavior for Dynamic Architectures}, journal = {Science of Computer Programming}, year = {2018}, note = {Under review}, owner = {Diego}, timestamp = {2017.11.21}, } @InProceedings{Blanchette2014, author = {Blanchette, Jasmin Christian and H{\"o}lzl, Johannes and Lochbihler, Andreas and Panny, Lorenz and Popescu, Andrei and Traytel, Dmitriy}, title = {Truly modular (co) datatypes for Isabelle/HOL}, booktitle = {International Conference on Interactive Theorem Proving}, year = {2014}, pages = {93--110}, organization = {Springer}, owner = {Diego}, timestamp = {2017.12.12}, } @Article{Marmsoler2018a, author = {Diego Marmsoler}, title = {Axiomatic Specification and Verification of Architecture Design Patterns}, journal = {Formal Aspects of Computing}, year = {2018}, note = {Under 
review}, owner = {Diego}, timestamp = {2017.12.14}, } @InProceedings{Goethel2017, author = {G{\"o}thel, Thomas and J{\"a}hnig, Nils and Seif, Simon}, title = {Refinement-Based Modelling and Verification of Design Patterns for Self-adaptive Systems}, booktitle = {International Conference on Formal Engineering Methods}, year = {2017}, pages = {157--173}, organization = {Springer}, owner = {Diego}, timestamp = {2017.12.14}, } @InProceedings{Gibson-Robinson2014, author = {Gibson-Robinson, Thomas and Armstrong, Philip and Boulgakov, Alexandre and Roscoe, Andrew W}, - title = {FDR3—a modern refinement checker for CSP}, + title = {FDR3---a modern refinement checker for CSP}, booktitle = {International Conference on Tools and Algorithms for the Construction and Analysis of Systems}, year = {2014}, pages = {187--201}, organization = {Springer}, owner = {Diego}, timestamp = {2017.12.18}, } @Article{Cimatti2000, author = {Cimatti, Alessandro and Clarke, Edmund and Giunchiglia, Fausto and Roveri, Marco}, title = {NuSMV: a new symbolic model checker}, journal = {International Journal on Software Tools for Technology Transfer}, year = {2000}, volume = {2}, number = {4}, pages = {410--425}, owner = {Diego}, publisher = {Springer}, timestamp = {2017.12.20}, } @Article{Reif1995, author = {Reif, Wolfgang}, title = {The KIV-approach to software verification}, journal = {KORSO: Methods, Languages, and Tools for the Construction of Correct Software}, year = {1995}, pages = {339--368}, owner = {Diego}, publisher = {Springer}, timestamp = {2017.12.20}, } @Proceedings{Russo2018, title = {Fundamental Approaches to Software Engineering - 21th International Conference, {FASE} 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, {ETAPS} 2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings}, year = {2018}, editor = {Alessandra Russo and Andy Schürr}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, owner = {Diego}, timestamp = 
{2017.12.28}, } @InProceedings{Marmsoler2018c, author = {Diego Marmsoler}, title = {Hierarchical Specication and Verication of Architecture Design Patterns}, booktitle = {Fundamental Approaches to Software Engineering - 21th International Conference, {FASE} 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, {ETAPS} 2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings}, year = {2018}, owner = {Diego}, timestamp = {2017.12.28}, } @Proceedings{Buhnova2015, title = {Proceedings 12th International Workshop on Formal Engineering approaches to Software Components and Architectures, {FESCA} 2015, London, United Kingdom, April 12th, 2015}, year = {2015}, editor = {Bara Buhnova and Lucia Happe and Jan Kofron}, volume = {178}, series = {{EPTCS}}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/journals/corr/BuhnovaHK15}, doi = {10.4204/EPTCS.178}, owner = {Diego}, timestamp = {Wed, 03 May 2017 14:47:56 +0200}, url = {https://doi.org/10.4204/EPTCS.178}, } @Proceedings{Hung2017, title = {Theoretical Aspects of Computing - {ICTAC} 2017 - 14th International Colloquium, Hanoi, Vietnam, October 23-27, 2017, Proceedings}, year = {2017}, editor = {Dang Van Hung and Deepak Kapur}, volume = {10580}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, isbn = {978-3-319-67728-6}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/ictac/2017}, doi = {10.1007/978-3-319-67729-3}, owner = {Diego}, timestamp = {Fri, 29 Sep 2017 10:37:11 +0200}, url = {https://doi.org/10.1007/978-3-319-67729-3}, } @Proceedings{Johnson2005, title = {Proceedings of the 20th Annual {ACM} {SIGPLAN} Conference on Object-Oriented Programming, Systems, Languages, and Applications, {OOPSLA} 2005, October 16-20, 2005, San Diego, CA, {USA}}, year = {2005}, editor = {Ralph E. Johnson and Richard P. 
Gabriel}, publisher = {{ACM}}, isbn = {1-59593-031-0}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/oopsla/2005}, owner = {Diego}, timestamp = {Wed, 25 Jun 2008 19:46:34 +0200}, } @Proceedings{Fiadeiro2014, title = {Formal Aspects of Component Software - 10th International Symposium, {FACS} 2013, Nanchang, China, October 27-29, 2013, Revised Selected Papers}, year = {2014}, editor = {Jos{\'{e}} Luiz Fiadeiro and Zhiming Liu and Jinyun Xue}, volume = {8348}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, isbn = {978-3-319-07601-0}, bibsource = {dblp computer science bibliography, http://dblp.org}, biburl = {http://dblp.org/rec/bib/conf/facs2/2013}, doi = {10.1007/978-3-319-07602-7}, owner = {Diego}, timestamp = {Fri, 19 May 2017 01:26:24 +0200}, url = {https://doi.org/10.1007/978-3-319-07602-7}, } @Book{Milner1990, title = {The definition of Standard ML}, publisher = {MIT Pr.}, year = {1990}, author = {Robin Milner and Mads Tofte and Robert Harper}, address = {Cambridge, Mass. [u.a.]}, isbn = {0262631326}, note = {Literaturverz. S. 
[87] - 89}, owner = {Diego}, pagetotal = {XI, 101}, ppn_gvk = {025236385}, timestamp = {2018.01.10}, } @Article{Sickert2016, author = {Salomon Sickert}, title = {Linear Temporal Logic}, journal = {Archive of Formal Proofs}, year = {2016}, month = mar, issn = {2150-914x}, note = {\url{http://isa-afp.org/entries/LTL.html}, Formal proof development}, } @Article{Mattolini2001, author = {Mattolini, Riccardo and Nesi, Paolo}, title = {An interval logic for real-time system specification}, journal = {IEEE Transactions on Software Engineering}, year = {2001}, volume = {27}, number = {3}, pages = {208--227}, owner = {Diego}, publisher = {IEEE}, timestamp = {2018.01.29}, } @InProceedings{Schimpf2009, author = {Schimpf, Alexander and Merz, Stephan and Smaus, Jan-Georg}, title = {Construction of B{\"u}chi automata for LTL model checking verified in Isabelle/HOL}, booktitle = {International Conference on Theorem Proving in Higher Order Logics}, year = {2009}, pages = {424--439}, organization = {Springer}, owner = {Diego}, timestamp = {2018.01.29}, } @Article{Grov2011, author = {Gudmund Grov and Stephan Merz}, title = {A Definitional Encoding of TLA* in Isabelle/HOL}, journal = {Archive of Formal Proofs}, year = {2011}, month = nov, issn = {2150-914x}, note = {\url{http://isa-afp.org/entries/TLA.html}, Formal proof development}, } @InProceedings{Merz1999, author = {Merz, Stephan}, title = {A more complete TLA}, booktitle = {International Symposium on Formal Methods}, year = {1999}, pages = {1226--1244}, organization = {Springer}, owner = {Diego}, timestamp = {2018.01.29}, } @InProceedings{Merz1995, author = {Merz, Stephan}, title = {Mechanizing TLA in Isabelle}, booktitle = {Workshop on Verification in New Orientations}, year = {1995}, pages = {54--74}, organization = {Citeseer}, owner = {Diego}, timestamp = {2018.01.29}, } @Article{Lamport1994, author = {Lamport, Leslie}, title = {The temporal logic of actions}, journal = {ACM Transactions on Programming Languages and Systems 
(TOPLAS)}, year = {1994}, volume = {16}, number = {3}, pages = {872--923}, owner = {Diego}, publisher = {ACM}, timestamp = {2018.01.29}, } @TechReport{Srivastava2005, author = {Srivastava, Amitabh and Thiagarajan, Jay and Schertz, Craig}, title = {Efficient integration testing using dependency analysis}, institution = {Technical Report MSR-TR-2005-94, Microsoft Research}, year = {2005}, owner = {Diego}, timestamp = {2018.02.01}, } @Article{Podgurski1990, author = {Podgurski, Andy and Clarke, Lori A.}, title = {A formal model of program dependences and its implications for software testing, debugging, and maintenance}, journal = {IEEE Transactions on software Engineering}, year = {1990}, volume = {16}, number = {9}, pages = {965--979}, owner = {Diego}, publisher = {IEEE}, timestamp = {2018.02.01}, } @InProceedings{Sangal2005, author = {Sangal, Neeraj and Jordan, Ev and Sinha, Vineet and Jackson, Daniel}, title = {Using dependency models to manage complex software architecture}, booktitle = {ACM Sigplan Notices}, year = {2005}, volume = {40}, number = {10}, pages = {167--176}, organization = {ACM}, owner = {Diego}, timestamp = {2018.02.01}, } @InProceedings{Gu2003, author = {Gu, Zonghua and Kodase, Sharath and Wang, Shige and Shin, Kang G}, title = {A model-based approach to system-level dependency and real-time analysis of embedded software}, booktitle = {Real-Time and Embedded Technology and Applications Symposium, 2003. Proceedings. 
The 9th IEEE}, year = {2003}, pages = {78--85}, organization = {IEEE}, owner = {Diego}, timestamp = {2018.02.01}, } @InProceedings{Pich2008, author = {Pich, Christian and Nachmanson, Lev and Robertson, George G}, title = {Visual analysis of importance and grouping in software dependency graphs}, booktitle = {Proceedings of the 4th ACM symposium on Software visualization}, year = {2008}, pages = {29--32}, organization = {ACM}, owner = {Diego}, timestamp = {2018.02.01}, } @InProceedings{Xiao2014, author = {Xiao, Lu and Cai, Yuanfang and Kazman, Rick}, title = {Design rule spaces: A new form of architecture insight}, booktitle = {Proceedings of the 36th International Conference on Software Engineering}, year = {2014}, pages = {967--977}, organization = {ACM}, owner = {Diego}, timestamp = {2018.02.01}, } @InProceedings{Abadi1999, author = {Abadi, Mart{\'\i}n and Banerjee, Anindya and Heintze, Nevin and Riecke, Jon G}, title = {A core calculus of dependency}, booktitle = {Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages}, year = {1999}, pages = {147--160}, organization = {ACM}, owner = {Diego}, timestamp = {2018.02.01}, } @InProceedings{Guo2002, author = {Guo, Jiang}, title = {Using category theory to model software component dependencies}, booktitle = {Engineering of Computer-Based Systems, 2002. Proceedings. 
Ninth Annual IEEE International Conference and Workshop on the}, year = {2002}, pages = {185--192}, organization = {IEEE}, owner = {Diego}, timestamp = {2018.02.01}, } @Article{Broy2017, author = {Broy, Manfred}, - title = {A logical approach to systems engineering artifacts: semantic relationships and dependencies beyond traceability—from requirements to functional and architectural views}, + title = {A logical approach to systems engineering artifacts: semantic relationships and dependencies beyond traceability---from requirements to functional and architectural views}, journal = {Software \& Systems Modeling}, year = {2017}, pages = {1--29}, publisher = {Springer}, } @Article{Marmsoler2018d, author = {Diego Marmsoler}, title = {A Theory of Architectural Design Patterns}, journal = {Archive of Formal Proofs}, year = {2018}, month = mar, issn = {2150-914x}, note = {\url{http://isa-afp.org/entries/Architectural_Design_Patterns.html}, Formal proof development}, } @InCollection{Marmsoler2016, author = {Marmsoler, Diego and Gleirscher, Mario}, title = {Specifying Properties of Dynamic Architectures using Configuration Traces}, booktitle = {International Colloquium on Theoretical Aspects of Computing}, publisher = {Springer}, year = {2016}, pages = {235--254}, doi = {10.1007/978-3-319-46750-4_14}, file = {:Me\\Marmsoler_2016_PropertiesDynamicArchitectures.pdf:PDF}, owner = {Diego}, timestamp = {2016.09.13}, } @Proceedings{DBLP:conf/itp/2017, title = {Interactive Theorem Proving - 9th International Conference, {ITP} 2018, Proceedings}, year = {2018}, editor = {Mauricio Ayala{-}Rinc{\'{o}}n and C{\'{e}}sar A. 
Mu{\~{n}}oz}, volume = {10499}, series = {Lecture Notes in Computer Science}, publisher = {Springer}, isbn = {978-3-319-66106-3}, bibsource = {dblp computer science bibliography, https://dblp.org}, biburl = {https://dblp.org/rec/bib/conf/itp/2017}, doi = {10.1007/978-3-319-66107-0}, timestamp = {Wed, 06 Sep 2017 14:53:52 +0200}, url = {https://doi.org/10.1007/978-3-319-66107-0}, } @Article{Nakamoto2008, author = {Nakamoto, Satoshi}, title = {Bitcoin: A peer-to-peer electronic cash system}, year = {2008}, } @Misc{Pirlea2018, author = {P{\^\i}rlea, George and Sergey, Ilya}, title = {Mechanising blockchain consensus}, year = {2018}, publisher = {CPP}, } @Article{Atzei, author = {Atzei, Nicola and Bartoletti, Massimo and Lande, Stefano and Zunino, Roberto}, title = {A formal model of Bitcoin transactions}, } @Article{Abdellatif, author = {Abdellatif, Tesnim and Brousmiche, Kei-Leo}, title = {Formal verification of smart contracts based on users and blockchain behaviors models}, } @InProceedings{Bhargavan2016, author = {Bhargavan, Karthikeyan and Delignat-Lavaud, Antoine and Fournet, C{\'e}dric and Gollamudi, Anitha and Gonthier, Georges and Kobeissi, Nadim and Kulatova, Natalia and Rastogi, Aseem and Sibut-Pinote, Thomas and Swamy, Nikhil and others}, title = {Formal verification of smart contracts: Short paper}, booktitle = {Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security}, year = {2016}, pages = {91--96}, organization = {ACM}, } @InProceedings{Xu2017, author = {Xu, Xiwei and Weber, Ingo and Staples, Mark and Zhu, Liming and Bosch, Jan and Bass, Len and Pautasso, Cesare and Rimba, Paul}, title = {A taxonomy of blockchain-based systems for architecture design}, booktitle = {Software Architecture (ICSA), 2017 IEEE International Conference on}, year = {2017}, pages = {243--252}, organization = {IEEE}, } @Article{Yli-Huumo2016, author = {Yli-Huumo, Jesse and Ko, Deokyoon and Choi, Sujin and Park, Sooyong and Smolander, Kari}, - 
title = {Where is current research on blockchain technology?—a systematic review}, + title = {Where is current research on blockchain technology?---a systematic review}, journal = {PloS one}, year = {2016}, volume = {11}, number = {10}, pages = {e0163477}, publisher = {Public Library of Science}, } @InProceedings{Zheng2017, author = {Zheng, Zibin and Xie, Shaoan and Dai, Hongning and Chen, Xiangping and Wang, Huaimin}, title = {An overview of blockchain technology: Architecture, consensus, and future trends}, booktitle = {Big Data (BigData Congress), 2017 IEEE International Congress on}, year = {2017}, pages = {557--564}, organization = {IEEE}, } @InProceedings{Garay2015, author = {Garay, Juan and Kiayias, Aggelos and Leonardos, Nikos}, title = {The bitcoin backbone protocol: Analysis and applications}, booktitle = {Annual International Conference on the Theory and Applications of Cryptographic Techniques}, year = {2015}, pages = {281--310}, organization = {Springer}, } @InProceedings{Garay2017, author = {Garay, Juan and Kiayias, Aggelos and Leonardos, Nikos}, title = {The bitcoin backbone protocol with chains of variable difficulty}, booktitle = {Annual International Cryptology Conference}, year = {2017}, pages = {291--323}, organization = {Springer}, } @InProceedings{Pass2017, author = {Pass, Rafael and Seeman, Lior and Shelat, Abhi}, title = {Analysis of the blockchain protocol in asynchronous networks}, booktitle = {Annual International Conference on the Theory and Applications of Cryptographic Techniques}, year = {2017}, pages = {643--673}, organization = {Springer}, } @InProceedings{Hirai2017, author = {Hirai, Yoichi}, title = {Defining the ethereum virtual machine for interactive theorem provers}, booktitle = {International Conference on Financial Cryptography and Data Security}, year = {2017}, pages = {520--535}, organization = {Springer}, } @Article{Hirai2017b, author = {Hirai, Yoichi}, title = {Ethereum Virtual Machine for Coq (v0. 
0.2)}, journal = {Published online on}, year = {2017}, volume = {5}, } @Article{Amani2018, author = {Amani, Sidney and B{\'e}gel, Myriam and Bortin, Maksym and Staples, Mark}, title = {Towards Verifying Ethereum Smart Contract Bytecode in Isabelle/HOL}, journal = {CPP. ACM. To appear}, year = {2018}, } @Article{Wood2014, author = {Wood, Gavin}, title = {Ethereum: A secure decentralised generalised transaction ledger}, journal = {Ethereum Project Yellow Paper}, year = {2014}, volume = {151}, pages = {1--32}, } @TechReport{Cachin2017, author = {Cachin, Christian and De Caro, Angelo and Moreno-Sanchez, Pedro and Tackmann, Bj{\"o}rn and Vukolic, Marko}, title = {The Transaction Graph for Modeling Blockchain Semantics}, institution = {Cryptology ePrint Archive, Report 2017/1070}, year = {2017}, } @Misc{White2015, author = {White, Bill}, title = {A theory for lightweight cryptocurrency ledgers}, year = {2015}, } @InProceedings{Dragoi2016, author = {Dr{\u{a}}goi, Cezara and Henzinger, Thomas A and Zufferey, Damien}, title = {PSync: a partially synchronous language for fault-tolerant distributed algorithms}, booktitle = {ACM SIGPLAN Notices}, year = {2016}, volume = {51}, number = {1}, pages = {400--415}, organization = {ACM}, } @Article{Jaskelioff2005, author = {Jaskelioff, Mauro and Merz, Stephan}, title = {Proving the correctness of disk paxos}, journal = {The Archive of Formal Proofs. http://afp. sf. net/entries/DiskPaxos. 
shtml}, year = {2005}, } @InProceedings{Wilcox2015a, author = {Wilcox, James R and Woos, Doug and Panchekha, Pavel and Tatlock, Zachary and Wang, Xi and Ernst, Michael D and Anderson, Thomas}, title = {Verdi: A framework for formally verifying distributed system implementations}, booktitle = {Proceedings of the 2015 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), Portland, OR}, year = {2015}, } @InProceedings{Woos2016, author = {Woos, Doug and Wilcox, James R and Anton, Steve and Tatlock, Zachary and Ernst, Michael D and Anderson, Thomas}, title = {Planning for change in a formal verification of the Raft consensus protocol}, booktitle = {Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs}, year = {2016}, pages = {154--165}, organization = {ACM}, } @Article{Sergey2017, author = {Sergey, Ilya and Wilcox, James R and Tatlock, Zachary}, title = {Programming and proving with distributed protocols}, journal = {Proceedings of the ACM on Programming Languages}, year = {2017}, volume = {2}, number = {POPL}, pages = {28}, publisher = {ACM}, } @InProceedings{Bentov2016, author = {Iddo Bentov and Ariel Gabizon and Alex Mizrahi}, title = {Cryptocurrencies Without Proof of Work}, booktitle = {Financial Cryptography and Data Security - {FC} 2016 International Workshops, BITCOIN, VOTING, and WAHC, Christ Church, Barbados, February 26, 2016, Revised Selected Papers}, year = {2016}, editor = {Jeremy Clark and Sarah Meiklejohn and Peter Y. A. Ryan and Dan S. 
Wallach and Michael Brenner and Kurt Rohloff}, volume = {9604}, series = {Lecture Notes in Computer Science}, pages = {142--157}, publisher = {Springer}, bibsource = {dblp computer science bibliography, https://dblp.org}, biburl = {https://dblp.org/rec/bib/conf/fc/BentovGM16}, doi = {10.1007/978-3-662-53357-4_10}, } @Misc{Hirai2017a, author = {Yoichi Hirai}, title = {A mechanized safety proof for PoS with dynamic validators}, howpublished = {\url{https://web.archive.org/web/20180518100918/https://medium.com/@pirapira/a-mechanized-safety-proof-for-pos-with-dynamic-validators-17e9b45faff4}}, month = mar, year = {2017}, } @InProceedings{Kiayias2017, author = {Kiayias, Aggelos and Russell, Alexander and David, Bernardo and Oliynykov, Roman}, title = {Ouroboros: A provably secure proof-of-stake blockchain protocol}, booktitle = {Annual International Cryptology Conference}, year = {2017}, pages = {357--388}, organization = {Springer}, } @InProceedings{Azaria2016, author = {Azaria, Asaph and Ekblaw, Ariel and Vieira, Thiago and Lippman, Andrew}, title = {Medrec: Using blockchain for medical data access and permission management}, booktitle = {Open and Big Data (OBD), International Conference on}, year = {2016}, pages = {25--30}, organization = {IEEE}, __markedentry = {[dmarm:]}, } @Misc{Yurcan2016, author = {Bryan Yurcan}, title = {How Blockchain Fits into the Future of Digital Identity}, howpublished = {\url{https://web.archive.org/web/20170119054131/https://www.americanbanker.com/news/how-blockchain-fits-into-the-future-of-digital-identity}}, month = apr, year = {2016}, } @Misc{Chavez-Dreyfuss2016, author = {GertrudeChavez-Dreyfuss}, title = {Sweden tests blockchain technology for land registry}, howpublished = {\url{https://web.archive.org/web/20161024065806/http://www.reuters.com/article/us-sweden-blockchain-idUSKCN0Z22KV}}, month = jun, year = {2016}, } @Article{Lamport1982, author = {Lamport, Leslie and Shostak, Robert and Pease, Marshall}, title = {The Byzantine 
generals problem}, journal = {ACM Transactions on Programming Languages and Systems (TOPLAS)}, year = {1982}, volume = {4}, number = {3}, pages = {382--401}, __markedentry = {[dmarm:6]}, publisher = {ACM}, } @Comment{jabref-meta: databaseType:bibtex;}
diff --git a/thys/Belief_Revision/document/root.bib b/thys/Belief_Revision/document/root.bib
--- a/thys/Belief_Revision/document/root.bib
+++ b/thys/Belief_Revision/document/root.bib
@@ -1,615 +1,615 @@ @article{adam2009logical, title={A logical formalization of the OCC theory of emotions}, author={Adam, Carole and Herzig, Andreas and Longin, Dominique}, journal={Synthese}, volume={168}, number={2}, pages={201--248}, year={2009}, publisher={Springer} } @inproceedings{dastani2012logic, title={A logic of emotions: from appraisal to coping.}, author={Dastani, Mehdi and Lorini, Emiliano}, booktitle={AAMAS}, pages={1133--1140}, year={2012} } @article{walmsley2016cognitive, title={Cognitive biases in visual pilots' weather-related decision making}, author={Walmsley, Stephen and Gilbey, Andrew}, journal={Applied Cognitive Psychology}, volume={30}, number={4}, pages={532--543}, year={2016}, publisher={Wiley Online Library} } @incollection{hoffman1998can, title={How can expertise be defined? Implications of research from cognitive psychology}, author={Hoffman, Robert R}, booktitle={Exploring expertise}, pages={81--100}, year={1998}, publisher={Springer} } @TECHREPORT{BEA, title={BEA f-cp090601}, institution={Bureau d’Enquêtes et d’Analyses pour la sécurité de l’aviation civile}, year={2012}} @inbook{gardenfors1995, author = {Gärdenfors, Peter and Rott, Hans}, year = {1995}, month = {04}, pages = {35-132}, title = {Belief Revision}, volume = {4}, _isbn = {0198537913}, journal = {Handbook of Logic in Artificial Intelligence and Logic Programming} } @TECHREPORT{Wassermann00analgorithm, author = {Renata Wassermann}, title = {An Algorithm for Belief Revision}, _institution = {In Proceedings of the Seventh International Conference on Principles of Knowledge Representation and Reasoning (KR2000)}, year = {2000} } @article{REITER198757, title = "A theory of diagnosis from first principles", journal = "Artificial Intelligence", volume = "32", number = "1", pages = "57 - 95", year = "1987", _issn = "0004-3702", _doi = "https://doi.org/10.1016/0004-3702(87)90062-2", _url = "http://www.sciencedirect.com/science/article/pii/0004370287900622", author = "Raymond 
Reiter", abstract = "Suppose one is given a description of a system, together with an observation of the system's behaviour which conflicts with the way the system is meant to behave. The diagnostic problem is to determine those components of the system which, when assumed to be functioning abnormally, will explain the discrepancy between the observed and correct system behaviour. We propose a general theory for this problem. The theory requires only that the system be described in a suitable logic. Moreover, there are many such suitable logics, e.g. first-order, temporal, dynamic, etc. As a result, the theory accommodates diagnostic reasoning in a wide variety of practical settings, including digital and analogue circuits, medicine, and database updates. The theory leads to an algorithm for computing all diagnoses, and to various results concerning principles of measurement for discriminating among competing diagnoses. Finally, the theory reveals close connections between diagnostic reasoning and nonmonotonic reasoning." 
} @article{liffiton2008algorithms, title={Algorithms for computing minimal unsatisfiable subsets of constraints}, author={Liffiton, Mark H and Sakallah, Karem A}, journal={Journal of Automated Reasoning}, volume={40}, number={1}, pages={1--33}, year={2008}, publisher={Springer} } @article {Tversky1124, author = {Tversky, Amos and Kahneman, Daniel}, title = {Judgment under Uncertainty: Heuristics and Biases}, volume = {185}, number = {4157}, pages = {1124--1131}, year = {1974}, _doi = {10.1126/science.185.4157.1124}, publisher = {American Association for the Advancement of Science}, abstract = {This article described three heuristics that are employed in making judgements under uncertainty: (i) representativeness, which is usually employed when people are asked to judge the probability that an object or event A belongs to class or process B; (ii) availability of instances or scenarios, which is often employed when people are asked to assess the frequency of a class or the plausibility of a particular development; and (iii) adjustment from an anchor, which is usually employed in numerical prediction when a relevant value is available. These heuristics are highly economical and usually effective, but they lead to systematic and predictable errors. A better understanding of these heuristics and of the biases to which they lead could improve judgements and decisions in situations of uncertainty.}, issn = {0036-8075}, _URL = {https://science.sciencemag.org/content/185/4157/1124}, _eprint = {https://science.sciencemag.org/content/185/4157/1124.full.pdf}, journal = {Science} } @book{Todd1999, author = {Todd, Peter and Czerlinski, Jean and Davis, Jennifer and Gigerenzer, Gerd and Goldstein, Daniel and Goodie, Adam and Hertwig, Ralph and Hoffrage, Ulrich and Laskey, Kathryn and Martignon, Laura and Miller, Geoffrey}, year = {1999}, month = {01}, pages = {}, title = {Simple Heuristics That Make Us Smart} } @ARTICLE{Dimara2020, author={E. {Dimara} and S. {Franconeri} and C. 
{Plaisant} and A. {Bezerianos} and P. {Dragicevic}}, journal={IEEE Transactions on Visualization and Computer Graphics}, title={A Task-Based Taxonomy of Cognitive Biases for Information Visualization}, year={2020}, volume={26}, number={2}, pages={1413-1432}, _doi={10.1109/TVCG.2018.2872577}} @article{Goldszlagier2015, author = {Goldszlagier, Julien}, year = {2015}, month = {01}, pages = {507}, title = {L'effet d'ancrage ou l'apport de la psychologie cognitive à l'étude de la décision judiciaire}, volume = {N° 4}, journal = {Les Cahiers de la Justice}, _doi = {10.3917/cdlj.1504.0507} } @article{Sullivan2018, title={Cognitive bias in clinical medicine}, author={O’Sullivan, ED and Schofield, SJ}, journal={JR Coll Physicians Edinb}, volume={48}, number={3}, pages={225--32}, year={2018} } @article{mynatt1977confirmation, title={Confirmation bias in a simulated research environment: An experimental study of scientific inference}, author={Mynatt, Clifford R and Doherty, Michael E and Tweney, Ryan D}, journal={Quarterly Journal of Experimental Psychology}, volume={29}, number={1}, pages={85--95}, year={1977}, publisher={SAGE Publications Sage UK: London, England} } @article{nickerson1998confirmation, title={Confirmation bias: A ubiquitous phenomenon in many guises}, author={Nickerson, Raymond S}, journal={Review of general psychology}, volume={2}, number={2}, pages={175--220}, year={1998}, publisher={SAGE Publications Sage CA: Los Angeles, CA} } @article{murata2015influence, title={Influence of cognitive biases in distorting decision making and leading to critical unfavorable incidents}, author={Murata, Atsuo and Nakamura, Tomoko and Karwowski, Waldemar}, journal={Safety}, volume={1}, number={1}, pages={44--58}, year={2015}, publisher={Multidisciplinary Digital Publishing Institute} } @article{takano1999psychological, title={Psychological biases affecting human cognitive performance in dynamic operational environments}, author={Takano, Kenichi and Reason, James}, 
journal={Journal of Nuclear Science and Technology}, volume={36}, number={11}, pages={1041--1051}, year={1999}, publisher={Taylor \& Francis} } @article{alchourron1985logic, title={On the logic of theory change: Partial meet contraction and revision functions}, author={Alchourr{\'o}n, Carlos E and G{\"a}rdenfors, Peter and Makinson, David}, journal={The journal of symbolic logic}, volume={50}, number={2}, pages={510--530}, year={1985}, publisher={Cambridge University Press} } @article{tsoukias2008decision, title={From decision theory to decision aiding methodology}, author={Tsouki{\`a}s, Alexis}, journal={European Journal of Operational Research}, volume={187}, number={1}, pages={138--161}, year={2008}, publisher={Elsevier} } @article{davidsson2002agent, title={Agent based social simulation: A computer science view}, author={Davidsson, Paul}, journal={Journal of artificial societies and social simulation}, volume={5}, number={1}, year={2002} } @article{voinson2015beyond, title={Beyond rational decision-making: modelling the influence of cognitive biases on the dynamics of vaccination coverage}, author={Voinson, Marina and Billiard, Sylvain and Alvergne, Alexandra}, journal={PloS one}, volume={10}, number={11}, year={2015}, publisher={Public Library of Science} } @article{kulick2003modeling, title={Modeling Adversaries and Related Cognitive Biases}, author={Kulick, Jonathan and Davis, Paul K}, journal={Modeling Adversaries and Related Cognitive Biases}, year={2003}, publisher={RAND Corporation} } @inproceedings{arnaud2017role, TITLE = {{The role of cognitive biases in reactions to bushfires}}, AUTHOR = {Arnaud, Ma{\"e}l and Adam, Carole and Dugdale, Julie}, _URL = {https://halshs.archives-ouvertes.fr/halshs-02116079}, BOOKTITLE = {{ISCRAM}}, ADDRESS = {Albi, France}, YEAR = {2017}, MONTH = May, KEYWORDS = {Multi-agent modelling ; social simulation ; cognitive biases ; BDI paradigm ; Victoria bushfires}, PDF = 
{https://halshs.archives-ouvertes.fr/halshs-02116079/file/ISCRAM17_cog_bias-author-version.pdf}, HAL_ID = {halshs-02116079}, HAL_VERSION = {v1}, } @article{CESCHI2019188, title = {Dimensions of decision-making: An evidence-based classification of heuristics and biases}, journal = {Personality and Individual Differences}, volume = {146}, pages = {188-200}, year = {2019}, issn = {0191-8869}, _doi = {https://doi.org/10.1016/j.paid.2018.07.033}, _url = {https://www.sciencedirect.com/science/article/pii/S0191886918304288}, author = {Andrea Ceschi and Arianna Costantini and Riccardo Sartori and Joshua Weller and Annamaria {Di Fabio}}, keywords = {Heuristics and Biases, Decision-Making, Individual differences, Mindware gaps, Positive Illusions, Negativity effect, Anchoring and Adjustment}, abstract = {Traditionally, studies examining decision-making heuristics and biases (H&B) have focused on aggregate effects using between-subjects designs in order to demonstrate violations of rationality. Although H&B are often studied in isolation from others, emerging research has suggested that stable and reliable individual differences in rational thought exist, and similarity in performance across tasks are related, which may suggest an underlying phenotypic structure of decision-making skills. Though numerous theoretical and empirical classifications have been offered, results have been mixed. The current study aimed to clarify this research question. Participants (N = 289) completed a battery of 17 H&B tasks, assessed with a within-subjects design, that we selected based on a review of prior empirical and theoretical taxonomies. Exploratory and confirmatory analyses yielded a solution that suggested that these biases conform to a model composed of three dimensions: Mindware gaps, Valuation biases (i.e., Positive Illusions and Negativity effect), and Anchoring and Adjustment. 
We discuss these findings in relation to proposed taxonomies and existing studies on individual differences in decision-making.} } @article{novaes, author = {Novaes, Catarina and Veluwenkamp, Herman}, year = {2016}, month = {12}, pages = {}, title = {Reasoning Biases, Non-Monotonic Logics and Belief Revision}, volume = {83}, journal = {Theoria}, _doi = {10.1111/theo.12108} } @article{Ferme2011, author = {Fermé, Eduardo and Hansson, Sven Ove}, year = {2011}, month = {04}, pages = {295-331}, title = {AGM 25 Years: Twenty-Five Years of Research in Belief Change}, volume = {40}, journal = {Journal of Philosophical Logic}, _doi = {10.2307/41487515} } @article{macleod1986attentional, title={Attentional bias in emotional disorders.}, author={MacLeod, Colin and Mathews, Andrew and Tata, Philip}, journal={Journal of abnormal psychology}, volume={95}, number={1}, pages={15}, year={1986}, publisher={American Psychological Association} } @inbook{staw_1996, place={Cambridge}, series={Cambridge Series on Judgment and Decision Making}, title={The escalation of commitment: An update and appraisal}, _doi={10.1017/CBO9780511584169.011}, booktitle={Organizational Decision Making}, publisher={Cambridge University Press}, author={Staw, Barry M.}, editor={Shapira, ZurEditor}, year={1996}, pages={191–215}, collection={Cambridge Series on Judgment and Decision Making}} @inproceedings{conversy:hal-01089633, TITLE = {{L'accident du vol AF447 Rio-Paris, un cas d'{\'e}tude pour la recherche en IHM}}, AUTHOR = {Conversy, St{\'e}phane and al.}, _URL = {https://hal.archives-ouvertes.fr/hal-01089633}, BOOKTITLE = {{IHM'14, 26e conf{\'e}rence francophone sur l'Interaction Homme-Machine}}, _ADDRESS = {Lille, France}, PUBLISHER = {{ACM}}, PAGES = {60-69}, YEAR = {2014}, MONTH = Oct, KEYWORDS = {Models of HCI ; Aviation ; Accident}, PDF = {https://hal.archives-ouvertes.fr/hal-01089633v2/file/p60-conversy.pdf}, HAL_ID = {hal-01089633}, HAL_VERSION = {v2}, } @article{postman1965short, title={Short-term 
temporal changes in free recall}, author={Postman, Leo and Phillips, Laura W}, journal={Quarterly journal of experimental psychology}, volume={17}, number={2}, pages={132--138}, year={1965}, publisher={Taylor \& Francis} } @article{moore2008trouble, title={The trouble with overconfidence.}, author={Moore, Don A and Healy, Paul J}, journal={Psychological review}, volume={115}, number={2}, pages={502}, year={2008}, publisher={American Psychological Association} } @book{kahneman2011thinking, title={Thinking, fast and slow}, author={Kahneman, Daniel}, year={2011}, publisher={Macmillan} } @article{Stanovich1998, author = {Stanovich, Keith and West, Richard}, year = {1998}, month = {07}, pages = {193-230}, title = {Cognitive Ability and Variation in Selection Task Performance}, volume = {4}, journal = {Thinking and Reasoning}, doi = {10.1080/135467898394139} } @article{Mcelroy2007, author = {Mcelroy, Todd and Dowd, Keith}, year = {2007}, month = {02}, pages = {48-53}, title = {Susceptibility to anchoring effects: How openness-to-experience influences responses to anchoring cues}, volume = {2}, journal = {Judgment and Decision Making} } @article{Oreg2009, author = {Oreg, Shaul and Bayazit, Mahmut}, year = {2009}, month = {09}, pages = {175-193}, title = {Prone to Bias: Development of a Bias Taxonomy From an Individual Differences Perspective}, volume = {13}, journal = {Review of General Psychology}, doi = {10.1037/a0015656} } @article{Slugosky1993, author = {Ben R. Slugoski and Heather A. Shields and Kim A. 
Dawson}, title ={Relation of Conditional Reasoning to Heuristic Processing}, journal = {Personality and Social Psychology Bulletin}, volume = {19}, number = {2}, pages = {158-166}, year = {1993}, doi = {10.1177/0146167293192004}, URL = { https://doi.org/10.1177/0146167293192004 }, eprint = { https://doi.org/10.1177/0146167293192004 } , abstract = { Wyer and Srull have proposed that a tendency to treat conditional relationships between events as if they were biconditional underlies a number of familiar biases in human social judgment. This hypothesis was tested in a factor-analytic study in which 111 subjects completed seven measures of heuristic use and three measures of conditional reasoning. A principal components analysis of the measures revealed two main factors, corresponding to an availability dimension and a representativeness dimension. There was no evidence for the hypothesis that the disposition to infer "Y is X" given "X is Y" underlies either dimension, although one measure of conditional reasoning, Wason's selection task, was related to both. This result is discussed in terms of Evans's two-stage (heuristic/analytic processing) model of reasoning. } } @article{Weaver2012, author = {Weaver, Elise A. and Stewart, Thomas R.}, title = {Dimensions of Judgment: Factor Analysis of Individual Differences}, journal = {Journal of Behavioral Decision Making}, volume = {25}, number = {4}, pages = {402-413}, keywords = {judgment, individual differences, reasoning, problem solving, probability, cognitive ability, performance}, doi = {https://doi.org/10.1002/bdm.748}, url = {https://onlinelibrary.wiley.com/doi/abs/10.1002/bdm.748}, eprint = {https://onlinelibrary.wiley.com/doi/pdf/10.1002/bdm.748}, abstract = {ABSTRACT In this paper, we explore a pattern of individual differences in performance on judgment tasks. 
One hundred participants completed a battery of standard judgment tasks, including multiple cue judgment and tasks based on the “heuristics and biases” and problem-solving literature. Participants also completed tests of fluid and crystallized intelligence, forward digit span memory, and multiple cue probability learning. Confirmatory factor analyses indicated a two-factor structure underlying performance on these tasks and tests. The two moderately correlated factors reflected a distinction between tasks requiring accurate judgments based on multiple cues (correspondence tasks) and those requiring coherent judgments (coherence tasks), in which probabilities are compared and combined. Measures of fluid and crystallized intelligence and forward digit span memory were correlated with both factors but were more associated with correspondence than with coherence. Copyright © 2011 John Wiley \& Sons, Ltd.}, year = {2012} } @article{TEOVANOVIC201575, title = "Individual differences in cognitive biases: Evidence against one-factor theory of rationality", journal = "Intelligence", volume = "50", pages = "75 - 86", year = "2015", issn = "0160-2896", doi = "https://doi.org/10.1016/j.intell.2015.02.008", url = "http://www.sciencedirect.com/science/article/pii/S0160289615000380", author = "Predrag Teovanović and Goran Knežević and Lazar Stankov", keywords = "Cognitive biases, Rationality, Judgment and decision making, Intelligence, Factor analysis",
-abstract = "In this paper we seek to gain an improved understanding of the structure of cognitive biases and their relationship with measures of intelligence and relevant non-cognitive constructs. We report on the outcomes of a study based on a heterogeneous set of seven cognitive biases — anchoring effect, belief bias, overconfidence bias, hindsight bias, base rate neglect, outcome bias and sunk cost effect.
New scales for the assessment of these biases were administered to 243 undergraduate students along with measures of fluid (Gf) and crystallized (Gc) intelligence, a Cognitive Reflection Test (CRT), Openness/Intellect (O/I) scale and Need for Cognition (NFC) scale. The expected experimental results were confirmed — i.e., each normatively irrelevant variable significantly influenced participants' responses. Also, with the exception of hindsight bias, all cognitive biases showed satisfactory reliability estimates (αs>.70). However, correlations among the cognitive bias measures were low (rs<.20). Although exploratory factor analysis produced two factors, their robustness was doubtful. Cognitive bias measures were also relatively independent (rs<.25) from the Gf, Gc, CRT, O/I and NFC and they define separate latent factors. This pattern of results suggests that a major part of the reliable variance of cognitive bias tasks is unique, and implies that a one-factor model of rational behavior is not plausible."
+abstract = "In this paper we seek to gain an improved understanding of the structure of cognitive biases and their relationship with measures of intelligence and relevant non-cognitive constructs. We report on the outcomes of a study based on a heterogeneous set of seven cognitive biases --- anchoring effect, belief bias, overconfidence bias, hindsight bias, base rate neglect, outcome bias and sunk cost effect. New scales for the assessment of these biases were administered to 243 undergraduate students along with measures of fluid (Gf) and crystallized (Gc) intelligence, a Cognitive Reflection Test (CRT), Openness/Intellect (O/I) scale and Need for Cognition (NFC) scale. The expected experimental results were confirmed --- i.e., each normatively irrelevant variable significantly influenced participants' responses. Also, with the exception of hindsight bias, all cognitive biases showed satisfactory reliability estimates (αs>.70).
However, correlations among the cognitive bias measures were low (rs<.20). Although exploratory factor analysis produced two factors, their robustness was doubtful. Cognitive bias measures were also relatively independent (rs<.25) from the Gf, Gc, CRT, O/I and NFC and they define separate latent factors. This pattern of results suggests that a major part of the reliable variance of cognitive bias tasks is unique, and implies that a one-factor model of rational behavior is not plausible."
 } @inproceedings{Arnott2001ATO, title={A Taxonomy of Decision Biases}, author={D. Arnott}, year={2001} } @article{Carter2007, author = {Carter, Craig and Kaufmann, Lutz and Michel, Alex}, year = {2007}, month = {09}, pages = {}, title = {Behavioral Supply Management: A Taxonomy of Judgment and Decision-Making Biases}, volume = {37}, journal = {International Journal of Physical Distribution \& Logistics Management}, doi = {10.1108/09600030710825694} } @article{Zhang2002, author = {Zhang, Jiajie and Patel, Vimla and Johnson, Todd and Shortliffe, Edward}, year = {2002}, month = {02}, pages = {934-8}, title = {Toward a cognitive taxonomy of medical errors}, journal = {Proceedings / AMIA ... Annual Symposium.
AMIA Symposium} } @book{bratman1987intention, title={Intention, plans, and practical reason}, author={Bratman, Michael and others}, volume={10}, year={1987}, publisher={Harvard University Press Cambridge, MA} } @article{Herzig2016, author = {Herzig, Andreas and Lorini, Emiliano and Perrussel, Laurent and Xiao, Zhanhao}, year = {2016}, month = {10}, pages = {}, title = {BDI Logics for BDI Architectures: Old Problems, New Perspectives}, volume = {31}, journal = {KI - Künstliche Intelligenz}, doi = {10.1007/s13218-016-0457-5} } @article{cohen1990intention, title={Intention is choice with commitment}, author={Cohen, Philip R and Levesque, Hector J}, journal={Artificial intelligence}, volume={42}, number={2-3}, pages={213--261}, year={1990}, publisher={Elsevier} } @inproceedings{Rao1991ModelingRA, title={Modeling Rational Agents within a BDI-Architecture}, author={Anand Srinivasa Rao and M. Georgeff}, booktitle={KR}, year={1991} } @article{Shoham2009LogicalTO, title={Logical Theories of Intention and the Database Perspective}, author={Y. 
Shoham}, journal={Journal of Philosophical Logic}, year={2009}, volume={38}, pages={633-647} } @inproceedings{arnaud:hal-01561962, TITLE = {{Les limites du BDI pour rendre compte du comportement humain en situation de crise}}, AUTHOR = {Arnaud, Ma{\"e}l and Adam, Carole and Dugdale, Julie}, URL = {https://hal.archives-ouvertes.fr/hal-01561962}, BOOKTITLE = {{Rencontres des Jeunes Chercheurs en Intelligence Artificielle (RJCIA 2017)}}, ADDRESS = {Caen, France}, YEAR = {2017}, MONTH = Jul, PDF = {https://hal.archives-ouvertes.fr/hal-01561962/file/Arnaud_RJCIA_2017.pdf}, HAL_ID = {hal-01561962}, HAL_VERSION = {v1}, } @article{MAKINSON1997, author = {MAKINSON, DAVID}, title = {Screened revision}, journal = {Theoria}, volume = {63}, number = {1‐2}, pages = {14-23}, doi = {https://doi.org/10.1111/j.1755-2567.1997.tb00737.x}, url = {https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1755-2567.1997.tb00737.x}, eprint = {https://onlinelibrary.wiley.com/doi/pdf/10.1111/j.1755-2567.1997.tb00737.x}, year = {1997} } @article{Feme1999, author = {Fermé, Eduardo and Hansson, Sven Ove}, year = {1999}, month = {11}, pages = {331-342}, title = {Selective Revision.}, volume = {63}, journal = {Studia Logica}, doi = {10.1023/A:1005294718935} } @article{Hansson1997, author = { Sven Hansson }, title = {Semi-revision}, journal = {Journal of Applied Non-Classical Logics}, volume = {7}, number = {1-2}, pages = {151-175}, year = {1997}, publisher = {Taylor & Francis}, doi = {10.1080/11663081.1997.10510904}, URL = { https://doi.org/10.1080/11663081.1997.10510904 }, eprint = { https://doi.org/10.1080/11663081.1997.10510904 } } @article{Levi1977SubjunctivesDA, title={Subjunctives, dispositions and chances}, author={I. Levi}, journal={Synthese}, year={1977}, volume={34}, pages={303-335} } @article{Harper1976, ISSN = {02708647}, URL = {http://www.jstor.org/stable/192397}, author = {William L. 
Harper}, journal = {PSA: Proceedings of the Biennial Meeting of the Philosophy of Science Association}, pages = {462--494}, publisher = {[University of Chicago Press, Springer, Philosophy of Science Association]}, title = {Rational Conceptual Change}, volume = {1976}, year = {1976} } @book{wojcicki2013theory, title={Theory of logical calculi: basic theory of consequence operations}, author={W{\'o}jcicki, Ryszard}, volume={199}, year={2013}, publisher={Springer Science \& Business Media} }
diff --git a/thys/Blue_Eyes/Blue_Eyes.thy b/thys/Blue_Eyes/Blue_Eyes.thy
--- a/thys/Blue_Eyes/Blue_Eyes.thy
+++ b/thys/Blue_Eyes/Blue_Eyes.thy
@@ -1,426 +1,426 @@
 (*<*) theory Blue_Eyes imports "HOL-Combinatorics.Transposition" begin (*>*) section \Introduction\ text \The original problem statement @{cite xkcd} explains the puzzle well: \begin{quotation} A group of people with assorted eye colors live on an island. They are all perfect logicians -- if a conclusion can be logically deduced, they will do it instantly. No one knows the color of their eyes. Every night at midnight, a ferry stops at the island. Any islanders who have figured out the color of their own eyes then leave the island, and the rest stay. Everyone can see everyone else at all times and keeps a count of the number of people they see with each eye color (excluding themselves), but they cannot otherwise communicate. Everyone on the island knows all the rules in this paragraph. On this island there are 100 blue-eyed people, 100 brown-eyed people, and the Guru (she happens to have green eyes). So any given blue-eyed person can see 100 people with brown eyes and 99 people with blue eyes (and one with green), but that does not tell him his own eye color; as far as he knows the totals could be 101 brown and 99 blue. Or 100 brown, 99 blue, and he could have red eyes. The Guru is allowed to speak once (let's say at noon), on one day in all their endless years on the island. Standing before the islanders, she says the following: ``I can see someone who has blue eyes.'' Who leaves the island, and on what night? \end{quotation} It might seem weird that the Guru's declaration gives anyone any new information. For an informal discussion, see \cite[Section~1.1]{fagin1995}.\ section \Modeling the world \label{sec:world}\ text \We begin by fixing two type variables: @{typ "'color"} and @{typ "'person"}. The puzzle doesn't specify how many eye colors are possible, but four are mentioned. Crucially, we must assume they are distinct.
We specify the existence of colors other than blue and brown, even though we don't mention them later, because when blue and brown
-are the only possible colors, the puzzle has a different solution — the brown-eyed logicians
+are the only possible colors, the puzzle has a different solution --- the brown-eyed logicians
 may leave one day after the blue-eyed ones. We refrain from specifying the exact population of the island, choosing to only assume it is finite and denote a specific person as the Guru. We could also model the Guru as an outside entity instead of a participant. This doesn't change the answer and results in a slightly simpler proof, but is less faithful to the problem statement.\ context fixes blue brown green red :: 'color assumes colors_distinct: "distinct [blue, brown, green, red]" fixes guru :: 'person assumes "finite (UNIV :: 'person set)" begin text \It's slightly tricky to formalize the behavior of perfect logicians. The representation we use is centered around the type of a @{emph \world\}, which describes the entire state of the environment. In our case, it's a function @{typ "'person => 'color"} that assigns an eye color to everyone.@{footnote \We would introduce a type synonym, but at the time of writing Isabelle doesn't support including type variables fixed by a locale in a type synonym.\} The only condition known to everyone and not dependent on the observer is Guru's declaration:\ definition valid :: "('person \ 'color) \ bool" where "valid w \ (\p. p \ guru \ w p = blue)" text \We then define the function @{term "possible n p w w'"}, which returns @{term True} if on day \n\ the potential world \w'\ is plausible from the perspective of person \p\, based on the observations they made in the actual world \w\. Then, @{term "leaves n p w"} is @{term True} if \p\ is able to unambiguously deduce the color of their own eyes, i.e. if it is the same in all possible worlds.
Note that if \p\ actually left many moons ago, this function still returns @{term True}.\ fun leaves :: "nat \ 'person \ ('person \ 'color) \ bool" and possible :: "nat \ 'person \ ('person \ 'color) \ ('person \ 'color) \ bool" where "leaves n p w = (\w'. possible n p w w' \ w' p = w p)" | "possible n p w w' \ valid w \ valid w' \ (\p' \ p. w p' = w' p') \ (\n' < n. \p'. leaves n' p' w = leaves n' p' w')" text \Naturally, the act of someone leaving can be observed by others, thus the two definitions are mutually recursive. As such, we need to instruct the simplifier to not unfold these definitions endlessly.\ declare possible.simps[simp del] leaves.simps[simp del] text \A world is possible if \<^enum> The Guru's declaration holds. \<^enum> The eye color of everyone but the observer matches. \<^enum> The same people left on each of the previous days. Moreover, we require that the actual world \w\ is \valid\, so that the relation is symmetric:\ lemma possible_sym: "possible n p w w' = possible n p w' w" by (auto simp: possible.simps) text \In fact, \possible n p\ is an equivalence relation:\ lemma possible_refl: "valid w \ possible n p w w" by (auto simp: possible.simps) lemma possible_trans: "possible n p w1 w2 \ possible n p w2 w3 \ possible n p w1 w3" by (auto simp: possible.simps) section \Eye colors other than blue\ text \Since there is no way to distinguish between the colors other than blue, only the blue-eyed people will ever leave. To formalize this notion, we define a function that takes a world and replaces the eye color of a specified person. 
The original color is specified too, so that the transformation composes nicely with the recursive hypothetical worlds of @{const possible}.\ definition try_swap :: "'person \ 'color \ 'color \ ('person \ 'color) \ ('person \ 'color)" where "try_swap p c\<^sub>1 c\<^sub>2 w x = (if c\<^sub>1 = blue \ c\<^sub>2 = blue \ x \ p then w x else transpose c\<^sub>1 c\<^sub>2 (w x))" lemma try_swap_valid[simp]: "valid (try_swap p c\<^sub>1 c\<^sub>2 w) = valid w" by (cases \c\<^sub>1 = blue\; cases \c\<^sub>2 = blue\) (auto simp add: try_swap_def valid_def transpose_eq_iff) lemma try_swap_eq[simp]: "try_swap p c\<^sub>1 c\<^sub>2 w x = try_swap p c\<^sub>1 c\<^sub>2 w' x \ w x = w' x" by (auto simp add: try_swap_def transpose_eq_iff) lemma try_swap_inv[simp]: "try_swap p c\<^sub>1 c\<^sub>2 (try_swap p c\<^sub>1 c\<^sub>2 w) = w" by (rule ext) (auto simp add: try_swap_def swap_id_eq) lemma leaves_try_swap[simp]: assumes "valid w" shows "leaves n p (try_swap p' c\<^sub>1 c\<^sub>2 w) = leaves n p w" using assms proof (induction n arbitrary: p w rule: less_induct) case (less n) have "leaves n p w" if "leaves n p (try_swap p' c\<^sub>1 c\<^sub>2 w)" for w proof (unfold leaves.simps; rule+) fix w' assume "possible n p w w'" then have "possible n p (try_swap p' c\<^sub>1 c\<^sub>2 w) (try_swap p' c\<^sub>1 c\<^sub>2 w')" by (fastforce simp: possible.simps less.IH) with `leaves n p (try_swap p' c\<^sub>1 c\<^sub>2 w)` have "try_swap p' c\<^sub>1 c\<^sub>2 w' p = try_swap p' c\<^sub>1 c\<^sub>2 w p" unfolding leaves.simps by simp thus "w' p = w p" by simp qed with try_swap_inv show ?case by auto qed text \This lets us prove that only blue-eyed people will ever leave the island.\ proposition only_blue_eyes_leave: assumes "leaves n p w" and "valid w" shows "w p = blue" proof (rule ccontr) assume "w p \ blue" then obtain c where c: "w p \ c" "c \ blue" using colors_distinct by (metis distinct_length_2_or_more) let ?w' = "try_swap p (w p) c w" have "possible n p w ?w'" using `valid 
w` apply (simp add: possible.simps) by (auto simp: try_swap_def) moreover have "?w' p \ w p" using c `w p \ blue` by (auto simp: try_swap_def) ultimately have "\ leaves n p w" by (auto simp: leaves.simps) with assms show False by simp qed section "The blue-eyed logicians" text \We will now consider the behavior of the logicians with blue eyes. First, some simple lemmas. Reasoning about set cardinalities often requires considering infinite sets separately. Usefully, all sets of people are finite by assumption.\ lemma people_finite[simp]: "finite (S::'person set)" proof (rule finite_subset) show "S \ UNIV" by auto show "finite (UNIV::'person set)" by fact qed text \Secondly, we prove a destruction rule for @{const possible}. It is strictly weaker than the definition, but thanks to the simpler form, it's easier to guide the automation with it.\ lemma possibleD_colors: assumes "possible n p w w'" and "p' \ p" shows "w' p' = w p'" using assms unfolding possible.simps by simp text \A central concept in the reasoning is the set of blue-eyed people someone can see.\ definition blues_seen :: "('person \ 'color) \ 'person \ 'person set" where "blues_seen w p = {p'. 
w p' = blue} - {p}" lemma blues_seen_others: assumes "w p' = blue" and "p \ p'" shows "w p = blue \ card (blues_seen w p) = card (blues_seen w p')" and "w p \ blue \ card (blues_seen w p) = Suc (card (blues_seen w p'))" proof - assume "w p = blue" then have "blues_seen w p' = blues_seen w p \ {p} - {p'}" by (auto simp add: blues_seen_def) moreover have "p \ blues_seen w p" unfolding blues_seen_def by auto moreover have "p' \ blues_seen w p \ {p}" unfolding blues_seen_def using `p \ p'` `w p' = blue` by auto ultimately show "card (blues_seen w p) = card (blues_seen w p')" by simp next assume "w p \ blue" then have "blues_seen w p' = blues_seen w p - {p'}" by (auto simp add: blues_seen_def) moreover have "p' \ blues_seen w p" unfolding blues_seen_def using `p \ p'` `w p' = blue` by auto ultimately show "card (blues_seen w p) = Suc (card (blues_seen w p'))" by (simp only: card_Suc_Diff1 people_finite) qed lemma blues_seen_same[simp]: assumes "possible n p w w'" shows "blues_seen w' p = blues_seen w p" using assms by (auto simp: blues_seen_def possible.simps) lemma possible_blues_seen: assumes "possible n p w w'" assumes "w p' = blue" and "p \ p'" shows "w' p = blue \ card (blues_seen w p) = card (blues_seen w' p')" and "w' p \ blue \ card (blues_seen w p) = Suc (card (blues_seen w' p'))" using possibleD_colors[OF `possible n p w w'`] and blues_seen_others assms by (auto simp flip: blues_seen_same) text \Finally, the crux of the solution. 
We proceed by strong induction.\ lemma blue_leaves: assumes "w p = blue" and "valid w" and guru: "w guru \ blue" shows "leaves n p w \ n \ card (blues_seen w p)" using assms proof (induction n arbitrary: p w rule: less_induct) case (less n) show ?case proof \ \First, we show that day \n\ is sufficient to deduce that the eyes are blue.\ assume "n \ card (blues_seen w p)" have "w' p = blue" if "possible n p w w'" for w' proof (cases "card (blues_seen w' p)") case 0 moreover from `possible n p w w'` have "valid w'" by (simp add: possible.simps) ultimately show "w' p = blue" unfolding valid_def blues_seen_def by auto next case (Suc k) \ \We consider the behavior of somebody else, who also has blue eyes.\ then have "blues_seen w' p \ {}" by auto then obtain p' where "w' p' = blue" and "p \ p'" unfolding blues_seen_def by auto then have "w p' = blue" using possibleD_colors[OF `possible n p w w'`] by simp have "p \ guru" using `w p = blue` and `w guru \ blue` by auto hence "w' guru \ blue" using `w guru \ blue` and possibleD_colors[OF `possible n p w w'`] by simp have "valid w'" using `possible n p w w'` unfolding possible.simps by simp show "w' p = blue" proof (rule ccontr) assume "w' p \ blue" \ \If our eyes weren't blue, then \p'\ would see one blue-eyed person less than us.\ with possible_blues_seen[OF `possible n p w w'` `w p' = blue` `p \ p'`] have *: "card (blues_seen w p) = Suc (card (blues_seen w' p'))" by simp \ \By induction, they would've left on day \k = blues_seen w' p'\.\ let ?k = "card (blues_seen w' p')" have "?k < n" using `n \ card (blues_seen w p)` and * by simp hence "leaves ?k p' w'" using `valid w'` `w' p' = blue` `w' guru \ blue` by (intro less.IH[THEN iffD2]; auto) \ \However, we know that actually, \p'\ didn't leave that day yet.\ moreover have "\ leaves ?k p' w" proof assume "leaves ?k p' w" then have "?k \ card (blues_seen w p')" using `?k < n` `w p' = blue` `valid w` `w guru \ blue` by (intro less.IH[THEN iffD1]; auto) have "card (blues_seen w 
p) = card (blues_seen w p')" by (intro blues_seen_others; fact) with * have "?k < card (blues_seen w p')" by simp with `?k \ card (blues_seen w p')` show False by simp qed moreover have "leaves ?k p' w' = leaves ?k p' w" using `possible n p w w'` `?k < n` unfolding possible.simps by simp ultimately show False by simp qed qed thus "leaves n p w" unfolding leaves.simps using `w p = blue` by simp next \ \Then, we show that it's not possible to deduce the eye color any earlier.\ { assume "n < card (blues_seen w p)" \ \Consider a hypothetical world where \p\ has brown eyes instead. We will prove that this world is \possible\.\ let ?w' = "w(p := brown)" have "?w' guru \ blue" using `w guru \ blue` `w p = blue` by auto have "valid ?w'" proof - from `n < card (blues_seen w p)` have "card (blues_seen w p) \ 0" by auto hence "blues_seen w p \ {}" by auto then obtain p' where "p' \ blues_seen w p" by auto hence "p \ p'" and "w p' = blue" by (auto simp: blues_seen_def) hence "?w' p' = blue" by auto with `?w' guru \ blue` show "valid ?w'" unfolding valid_def by auto qed moreover have "leaves n' p' w = leaves n' p' ?w'" if "n' < n" for n' p' proof - have not_leavesI: "\leaves n' p' w'" if "valid w'" "w' guru \ blue" and P: "w' p' = blue \ n' < card (blues_seen w' p')" for w' proof (cases "w' p' = blue") case True then have "leaves n' p' w' \ n' \ card (blues_seen w' p')" using less.IH `n' < n` `valid w'` `w' guru \ blue` by simp with P[OF `w' p' = blue`] show "\leaves n' p' w'" by simp next case False then show "\ leaves n' p' w'" using only_blue_eyes_leave `valid w'` by auto qed have "\leaves n' p' w" proof (intro not_leavesI) assume "w p' = blue" with `w p = blue` have "card (blues_seen w p) = card (blues_seen w p')" apply (cases "p = p'", simp) by (intro blues_seen_others; auto) with `n' < n` and `n < card (blues_seen w p)` show "n' < card (blues_seen w p')" by simp qed fact+ moreover have "\ leaves n' p' ?w'" proof (intro not_leavesI) assume "?w' p' = blue" with 
colors_distinct have "p \ p'" and "?w' p \ blue" by auto hence "card (blues_seen ?w' p) = Suc (card (blues_seen ?w' p'))" using `?w' p' = blue` by (intro blues_seen_others; auto) moreover have "blues_seen w p = blues_seen ?w' p" unfolding blues_seen_def by auto ultimately show "n' < card (blues_seen ?w' p')" using `n' < n` and `n < card (blues_seen w p)` by auto qed fact+ ultimately show "leaves n' p' w = leaves n' p' ?w'" by simp qed ultimately have "possible n p w ?w'" using `valid w` by (auto simp: possible.simps) moreover have "?w' p \ blue" using colors_distinct by auto ultimately have "\ leaves n p w" unfolding leaves.simps using `w p = blue` by blast } then show "leaves n p w \ n \ card (blues_seen w p)" by fastforce qed qed text \This can be combined into a theorem that describes the behavior of the logicians based on the objective count of blue-eyed people, and not the count by a specific person. The xkcd puzzle is the instance where \n = 99\.\ theorem blue_eyes: assumes "card {p. w p = blue} = Suc n" and "valid w" and "w guru \ blue" shows "leaves k p w \ w p = blue \ k \ n" proof (cases "w p = blue") case True with assms have "card (blues_seen w p) = n" unfolding blues_seen_def by simp then show ?thesis using `w p = blue` `valid w` `w guru \ blue` blue_leaves by simp next case False then show ?thesis using only_blue_eyes_leave `valid w` by auto qed end (*<*) end (*>*) section \Future work\ text \After completing this formalization, I have been made aware of epistemic logic. The @{emph \possible worlds\} model in \cref{sec:world} turns out to be quite similar to the usual semantics of this logic. It might be interesting to solve this puzzle within the axiom system of epistemic logic, without explicit reasoning about possible worlds.\
\ No newline at end of file
diff --git a/thys/CISC-Kernel/document/root.bib b/thys/CISC-Kernel/document/root.bib
--- a/thys/CISC-Kernel/document/root.bib
+++ b/thys/CISC-Kernel/document/root.bib
@@ -1,426 +1,426 @@
 @misc{Verbeek2013, author = {Freek Verbeek and Julien Schmaltz and Sergey Tverdyshev and Holger Blasum and Oto Havle}, title = {A New Theory of Intransitive Noninterference for Separation Kernels with Control (manuscript)}, year = {2013}, class = {}, filename = {post14_submission_37.pdf}, timestamp = {1381923125}, } @inproceedings{Liedtke1995, author = {Jochen Liedtke}, title = {On $\mu$-Kernel Construction}, booktitle = {Proceedings of the 15th ACM Symposium on Operating Systems Principles}, year = {1995}, isbn = {0-89791-715-4}, pages = {237--250}, location = {Copper Mountain, Colorado, United States}, doi = {http://doi.acm.org/10.1145/224056.224075}, publisher = {ACM Press}, } @TECHREPORT{Rushby1992noninterference, AUTHOR = {John Rushby}, TITLE = {Noninterference, Transitivity, and Channel-Control Security Policies}, YEAR = {1992}, MONTH = {dec}, URL = {http://www.csl.sri.com/papers/csl-92-2/}, BOOKTITLE = {Technical Report {CSL-92-02}} } @TECHREPORT{rushby92, AUTHOR = {John Rushby}, TITLE = {Noninterference, Transitivity, and Channel-Control Security Policies}, YEAR = {1992}, MONTH = {dec}, URL = {http://www.csl.sri.com/papers/csl-92-2/}, BOOKTITLE = {Technical Report {CSL-92-02}} } @inproceedings{kaiser07, author = {R. Kaiser and S. Wagner}, title = {{E}volution of the {P}ike{OS} microkernel}, booktitle = {In: FirstInternational Workshop on Microkernels for Embedded Systems}, year = {2007} } @article{rushby81, author = {John Rushby}, title = {Design and verification of secure systems}, journal = {ACM SIGOPS Operating Systems Review}, volume = {15}, publisher = {ACM}, year = {1981}, pages = {12--21} } @TECHREPORT{brygier09, AUTHOR = {J. Brygier and R. Fuchsen and H. Blasum}, TITLE = {PikeOS: Safe and secure virtualization in a separation microkernel}, YEAR = {2009}, BOOKTITLE = {Technical Report SYSGO (2009)} } @inproceedings{nipkow12, author = {Tobias Nipkow and Larry C. 
Paulson and Markus Wenzel}, title = {Isabelle/HOL: a proof assistant for higher- order logic}, year = {2012}, editor= {Springer-Verlag} } @inproceedings{Murray_MBGK_12, publisher = {Springer}, isbn = {978-3-642-35307-9}, author = {Murray, Toby and Matichuk, Daniel and Brassil, Matthew and Gammie, Peter and Klein, Gerwin}, month = {dec}, editor = {{Chris Hawblitzel and Dale Miller}}, year = {2012}, title = {Noninterference for Operating System Kernels}, booktitle = {The Second International Conference on Certified Programs and Proofs}, pages = {126-142}, address = {Kyoto} } @Article{SKIPaper6, author = { A. Sabelfeld and A. C. Myers}, title = {Language-based information-flow security,}, journal = {Selected Areas in Communications, IEEE Journal on,}, year = 2003, volume = 21, number = 1, pages = {5–19} } @InProceedings{SKIPaper7, author = {D. Greve and M. Wilding and W. M. Vanfleet}, title = {A separation kernel formal security policy}, booktitle = {Fourth International Workshop on the ACL2 Prover and Its Applications (ACL2-2003)}, year = {2003} } @inproceedings{Heitmeyer:2006:FSV:1180405.1180448, author = {Heitmeyer, Constance L. and Archer, Myla and Leonard, Elizabeth I. and McLean, John}, title = {Formal Specification and Verification of Data Separation in a Separation Kernel for an Embedded System}, booktitle = {Proceedings of the 13th ACM Conference on Computer and Communications Security}, series = {CCS '06}, year = {2006}, isbn = {1-59593-518-5}, location = {Alexandria, Virginia, USA}, pages = {346--355}, numpages = {10}, url = {http://doi.acm.org/10.1145/1180405.1180448}, doi = {10.1145/1180405.1180448}, acmid = {1180448}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {code verification, formal model, formal specification, separation kernel, theorem proving}, } @inproceedings{Martin:2000:FCM:786768.786973, author = {Martin, W. and White, P. and Taylor, F. S. 
and Goldberg, A.}, title = {Formal Construction of the Mathematically Analyzed Separation Kernel}, booktitle = {Proceedings of the 15th IEEE International Conference on Automated Software Engineering}, series = {ASE '00}, year = {2000}, isbn = {0-7695-0710-7}, pages = {133--}, url = {http://dl.acm.org/citation.cfm?id=786768.786973}, acmid = {786973}, publisher = {IEEE Computer Society}, address = {Washington, DC, USA}, } @inproceedings{Shapiro:2000:VEC:882494.884422, author = {Shapiro, Jonathan S. and Weber, Sam}, title = {Verifying the EROS Confinement Mechanism}, booktitle = {Proceedings of the 2000 IEEE Symposium on Security and Privacy}, series = {SP '00}, year = {2000}, isbn = {0-7695-0665-8}, pages = {166--}, url = {http://dl.acm.org/citation.cfm?id=882494.884422}, acmid = {884422}, publisher = {IEEE Computer Society}, address = {Washington, DC, USA}, keywords = {operating systems, capability systems, proof of correctness, confinement, verification, formal specification}, } @article{SKIPaper11, year={2009}, issn={0256-2499}, journal={Sadhana}, volume={34}, number={1}, doi={10.1007/s12046-009-0002-4}, 
- title={Operating system verification—An overview}, 
+ title={Operating system verification---An overview},
 url={https://doi.org/10.1007/s12046-009-0002-4}, publisher={Springer-Verlag}, keywords={Formal software verification; operating systems; theorem proving}, author={Klein, Gerwin}, pages={27-69}, language={English} } @article{SKIPaper12, title = "A comparison of semantic models for noninterference ", journal = "Theoretical Computer Science ", volume = "411", number = "47", pages = "4123 - 4147", year = "2010", note = "", issn = "0304-3975", doi = "https://doi.org/10.1016/j.tcs.2010.08.013", url = "http://www.sciencedirect.com/science/article/pii/S0304397510004482", author = "Ron van der Meyden and Chenyi Zhang", keywords = "Computer security", keywords = "Noninterference", keywords = "Information flow", keywords = "Comparison ", abstract = "The literature on 
definitions of security based on causality-like notions such as noninterference has used several distinct semantic models for systems. Early work was based on state machine and trace-set definitions; more recent work has dealt with definitions of security in two distinct process algebraic settings. Comparisons between the definitions has been carried out mainly within semantic frameworks. This paper studies the relationship between semantic frameworks, by defining mappings between a number of semantic models and studying the relationship between notions of noninterference under these mappings. " } @inproceedings{SKIPaper13, author = {Joseph A. Goguen and Jos{\'e} Meseguer}, title = {Security policies and security models}, booktitle = {IEEE Symposium on Security and Privacy}, year = {1984}, pages = {11-20} } @inproceedings{SKIPaper14, author = {Joseph A. Goguen and Jos{\'e} Meseguer}, title = {Unwinding and Inference Control}, booktitle = {IEEE Symposium on Security and Privacy}, year = {1984}, pages = {75-87} } @inproceedings{SKIPaper25, author = {Rebekah Leslie}, title = {Dynamic intransitive noninterference}, booktitle = {IEEE International Symposium on Secure Software Engineering}, year = {2006}, pages = {75-87} } @inproceedings{Klein:2009:SFV:1629575.1629596, author = {Klein, Gerwin and Elphinstone, Kevin and Heiser, Gernot and Andronick, June and Cock, David and Derrin, Philip and Elkaduwe, Dhammika and Engelhardt, Kai and Kolanski, Rafal and Norrish, Michael and Sewell, Thomas and Tuch, Harvey and Winwood, Simon}, title = {seL4: Formal Verification of an OS Kernel}, booktitle = {Proceedings of the ACM SIGOPS 22Nd Symposium on Operating Systems Principles}, series = {SOSP '09}, year = {2009}, isbn = {978-1-60558-752-3}, location = {Big Sky, Montana, USA}, pages = {207--220}, numpages = {14}, url = {http://doi.acm.org/10.1145/1629575.1629596}, doi = {10.1145/1629575.1629596}, acmid = {1629596}, publisher = {ACM}, address = {New York, NY, USA}, keywords = 
{isabelle/hol, l4, microkernel, sel4}, } @inproceedings{SKIPaper30, author = "Toby Murray and Daniel Matichuk and Matthew Brassil and Peter Gammie and Timothy Bourke and Sean Seefried and Corey Lewis and Xin Gao and Gerwin Klein", isbn = "10.1109/SP.2013.35", month = "May", booktitle = "IEEE Symposium on Security and Privacy", year = "2013", pages = "415--429", title = "seL4: from General Purpose to a Proof of Information Flow Enforcement", abstract = "In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4. Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8,830 lines of C code that implement seL4, and so rules out the possibility of invalidation by implementation errors in this code. We assume correctness of compiler, assembly code, hardware, and boot code. We prove everything else. This proof is strong evidence of seL4's utility as a separation kernel, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control. We describe the information flow security statement we proved (a variant of intransitive noninterference), including the assumptions on which it rests, as well as the modifications that had to be made to seL4 to ensure it was enforced. We discuss the practical limitations and implications of this result, including covert channels not covered by the formal proof. 
", address = "San Francisco, CA" } @incollection{SKIPaper31, year={2013}, isbn={978-3-642-40312-5}, booktitle={Mathematical Foundations of Computer Science 2013}, volume={8087}, series={Lecture Notes in Computer Science}, editor={Chatterjee, Krishnendu and Sgall, Jirí}, doi={10.1007/978-3-642-40313-2_31}, title={Noninterference with Local Policies}, url={https://doi.org/10.1007/978-3-642-40313-2_31}, publisher={Springer Berlin Heidelberg}, author={Eggert, Sebastian and Schnoor, Henning and Wilke, Thomas}, pages={337-348}, language={English} } @article{SKIPaper32, title = {Extending the Non-Interference Version of MLS for SAT}, journal = {IEEE Transactions on Software Engineering}, volume = {13}, year = {1987}, month = {1987}, pages = {141-150}, author = {J.Thomas Haigh and W.D. Young} } @inproceedings{Elphinstone:2007:TPV:1361397.1361417, author = {Elphinstone, Kevin and Klein, Gerwin and Derrin, Philip and Roscoe, Timothy and Heiser, Gernot}, title = {Towards a Practical, Verified Kernel}, booktitle = {Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems}, series = {HOTOS'07}, year = {2007}, location = {San Diego, CA}, pages = {20:1--20:6}, articleno = {20}, numpages = {6}, url = {http://dl.acm.org/citation.cfm?id=1361397.1361417}, acmid = {1361417}, publisher = {USENIX Association}, address = {Berkeley, CA, USA}, } @article{DBLP:journals/jar/AlkassarHLSST09, author = {Eyad Alkassar and Mark A. Hillebrand and Dirk Leinenbach and Norbert Schirmer and Artem Starostin and Alexandra Tsyban}, title = {Balancing the Load}, journal = {J. Autom. Reasoning}, volume = {42}, number = {2-4}, year = {2009}, pages = {389-454}, ee = {https://doi.org/10.1007/s10817-009-9123-z}, bibsource = {DBLP, http://dblp.uni-trier.de} } @article{DBLP:journals/jar/DaumDW09, author = {Matthias Daum and Jan D{\"o}rrenb{\"a}cher and Burkhart Wolff}, title = {Proving Fairness and Implementation Correctness of a Microkernel Scheduler}, journal = {J. Autom. 
Reasoning}, volume = {42}, number = {2-4}, year = {2009}, pages = {349-388}, ee = {https://doi.org/10.1007/s10817-009-9119-8}, bibsource = {DBLP, http://dblp.uni-trier.de} } @incollection{SKIPaper15, year={2001}, isbn={978-3-540-41791-0}, booktitle={FME 2001: Formal Methods for Increasing Software Productivity}, volume={2021}, series={Lecture Notes in Computer Science}, editor={Oliveira, JoséNuno and Zave, Pamela}, doi={10.1007/3-540-45251-6_9}, 
-title={Information Flow Control and Applications — Bridging a Gap —}, 
+title={Information Flow Control and Applications --- Bridging a Gap ---},
 url={https://doi.org/10.1007/3-540-45251-6_9}, publisher={Springer Berlin Heidelberg}, author={Mantel, Heiko}, pages={153-172}, language={English} } @incollection{SKIPaper16, year={2000}, isbn={978-3-540-41031-7}, booktitle={Computer Security - ESORICS 2000}, volume={1895}, series={Lecture Notes in Computer Science}, editor={Cuppens, Frédéric and Deswarte, Yves and Gollmann, Dieter and Waidner, Michael}, doi={10.1007/10722599_2}, title={Verification of a Formal Security Model for Multiapplicative Smart Cards}, url={https://doi.org/10.1007/10722599_2}, publisher={Springer Berlin Heidelberg}, author={Schellhorn, Gerhard and Reif, Wolfgang and Schairer, Axel and Karger, Paul and Austel, Vernon and Toll, David}, pages={17-36}, language={English} } @INPROCEEDINGS{SKIPaper18, author = {A. W. Roscoe}, title = {What is intransitive noninterference}, booktitle = {In Proc. 
of the 12th IEEE Computer Security Foundations Workshop}, year = {1999}, pages = {228--238} } @inproceedings{VanDerMeyden:2007:IIN:2393847.2393869, author = {Van Der Meyden, Ron}, title = {What, Indeed, is Intransitive Noninterference?}, booktitle = {Proceedings of the 12th European Conference on Research in Computer Security}, series = {ESORICS'07}, year = {2007}, isbn = {3-540-74834-2, 978-3-540-74834-2}, location = {Dresden, Germany}, pages = {235--250}, numpages = {16}, url = {http://dl.acm.org/citation.cfm?id=2393847.2393869}, acmid = {2393869}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, } @inproceedings{SKIPaper20, author = {Sebastian Eggert and Ron van der Meyden and Henning Schnoor and Thomas Wilke}, title = {The Complexity of Intransitive Noninterference}, booktitle = {IEEE Symposium on Security and Privacy}, year = {2011}, pages = {196-211}, ee = {http://doi.ieeecomputersociety.org/10.1109/SP.2011.30}, bibsource = {DBLP, http://dblp.uni-trier.de} } @incollection{SKIPaper21, year={2010}, isbn={978-1-4419-1538-2}, booktitle={Design and Verification of Microprocessor Systems for High-Assurance Applications}, editor={Hardin, David S.}, doi={10.1007/978-1-4419-1539-9_13}, title={Model Checking Information Flow}, url={https://doi.org/10.1007/978-1-4419-1539-9_13}, publisher={Springer US}, author={Whalen, MichaelW. and Greve, DavidA. and Wagner, LucasG.}, pages={381-428}, language={English} } 
diff --git a/thys/EdmondsKarp_Maxflow/document/root.bib b/thys/EdmondsKarp_Maxflow/document/root.bib 
--- a/thys/EdmondsKarp_Maxflow/document/root.bib 
+++ b/thys/EdmondsKarp_Maxflow/document/root.bib 
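Review bot: The en dash in SKIPaper6's page range, `pages = {5–19}`, is left as a raw Unicode character even though this hunk converts the em dashes in the SKIPaper11 and SKIPaper15 titles to `---`; it should become `pages = {5--19}` so that classic BibTeX, which is 8-bit only, renders the range identically regardless of input encoding. The same leftover appears in the EdmondsKarp_Maxflow hunk that follows, where Gabow00 has `number = "3–4"`. While touching SKIPaper6, the trailing commas inside its title and journal values (`Language-based information-flow security,` and `Selected Areas in Communications, IEEE Journal on,`) print as literal commas and could be dropped in the same pass.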
@@ -1,1450 +1,1450 @@
 @STRING{LNCS = {LNCS}} @STRING{Springer = {Springer}} @inproceedings{LaSe16, author = {Peter Lammich and S. Reza Sefidgar}, title = {Formalizing the Edmonds-Karp Algorithm}, booktitle = {Interactive Theorem Proving}, publisher = Springer, year = {2016}, note = {to appear} } @inproceedings{LeRu07, author = {Lee, Gilbert and Rudnicki, Piotr}, title = {Alternative Aggregates in Mizar}, booktitle = {Calculemus '07 / MKM '07}, year = {2007}, pages = {327--341}, numpages = {15}, publisher = {Springer}, } @book{BeCa10, author = {Bertot, Yves and Castran, Pierre}, title = {Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions}, year = {2010}, edition = {1st}, publisher = Springer, } @inproceedings{La16, author = {Peter Lammich}, title = {Refinement based verification of imperative data structures}, booktitle = {{CPP}}, pages = {27--36}, publisher = {{ACM}}, year = {2016} } @inproceedings{GAK12, publisher = Springer, author = {Greenaway, David and Andronick, June and Klein, Gerwin}, month = {aug}, year = {2012}, title = {Bridging the Gap: Automatic Verified Abstraction of {C}}, booktitle = {ITP}, pages = {99-115}, } @phdthesis{Greenaway15, school = {CSE, UNSW}, author = {Greenaway, David}, month = {mar}, year = {2015}, keywords = {isabelle/hol, c verification, autocorres}, title = {Automated proof-producing abstraction of C code}, address = {Sydney, Australia} } @PHDTHESIS{Nosch15, author = {Lars Noschinski}, title = {Formalizing Graph Theory and Planarity Certificates}, school = {Fakultät für Informatik, Technische Universität München}, year = {2015}, month = {November}, } @ARTICLE{MaRu05, author = {Roman Matuszewski and Piotr Rudnicki}, title = {Mizar: the first 30 years}, journal = {Mechanized Mathematics and Its Applications}, year = {2005}, pages = {2005} } @inproceedings{Wenzel99, author = {Markus Wenzel}, title = {Isar - {A} Generic Interpretative Approach to Readable Formal Proof Documents}, 
booktitle = {TPHOLs'99}, pages = {167--184}, year = {1999}, crossref = {DBLP:conf/tphol/1999}, } @proceedings{DBLP:conf/tphol/1999, title = {Theorem Proving in Higher Order Logics, 12th International Conference, TPHOLs'99, Nice, France, September, 1999, Proceedings}, series = LNCS, volume = {1690}, publisher = Springer, year = {1999}, } @article{GoTa88, author = {Goldberg, Andrew V. and Tarjan, Robert E.}, title = {A New Approach to the Maximum-flow Problem}, journal = {J. ACM}, issue_date = {Oct. 1988}, volume = {35}, number = {4}, month = oct, year = {1988}, publisher = {ACM}, } @incollection{Di06, author = {Dinitz, Yefim}, chapter = {Dinitz' Algorithm: The Original Version and Even's Version}, title = {Theoretical Computer Science}, year = {2006}, pages = {218--240}, numpages = {23}, publisher = {Springer}, } @article{Wirth71, author = {Wirth, Niklaus}, title = {Program Development by Stepwise Refinement}, journal = {Commun. ACM}, issue_date = {April 1971}, volume = {14}, number = {4}, month = apr, year = {1971}, publisher = {ACM}, } @incollection{La15, year={2015}, booktitle={ITP}, volume={9236}, series={LNCS}, title={Refinement to {Imperative/HOL}}, publisher={Springer}, author={Lammich, Peter}, pages={253-269}, } @inproceedings{BCHP05, author = {Bornat, Richard and Calcagno, Cristiano and O'Hearn, Peter and Parkinson, Matthew}, title = {Permission Accounting in Separation Logic}, booktitle = {POPL}, year = {2005}, pages = {259--270}, numpages = {12}, publisher = {ACM}, } @INPROCEEDINGS{MA07, author = {Nicolas Marti and Reynald Affeldt}, title = {A certified verifier for a fragment of Separation logic}, booktitle = {PPL-Workshop}, year = {2007} } @INPROCEEDINGS{NMSGB08, author = {Aleksandar Nanevski and Greg Morrisett and Avi Shinnar and Paul Govereau and Lars Birkedal}, title = {Ynot: Reasoning with the awkward squad}, booktitle = {ICFP}, year = {2008} } @inproceedings{KKB12, publisher = {Springer}, author = {Klein, Gerwin and Kolanski, Rafal and Boyton, 
Andrew}, month = {Aug}, year = {2012}, title = {Mechanised Separation Algebra}, booktitle = {ITP}, pages = {332-337}, } @InProceedings{char11, author = "Arthur Chargu{\'e}raud", title = "Characteristic Formulae for the Verification of Imperative Programs", year = "2011", pages = "418--430", publisher = "ACM", booktitle = "ICFP", } @incollection{La14, year={2014}, booktitle={ITP}, volume={8558}, series={LNCS}, title={Verified Efficient Implementation of {G}abow’s Strongly Connected Component Algorithm}, publisher={Springer}, author={Lammich, Peter}, pages={325-340}, } @article{HiPa06, title = "Finger Trees: A Simple General-purpose Data Structure", author = "Ralf Hinze and Ross Paterson", journal = "Journal of Functional Programming", volume = 16, number = 2, pages = "197-217", year = 2006 } @incollection{Pe07, year={2007}, booktitle={Model Checking Software}, series={LNCS}, title={BEEM: Benchmarks for Explicit Model Checkers}, publisher={Springer}, author={Pelánek, Radek}, pages={263-267}, } @inproceedings{CDHY09, author = {Calcagno, Cristiano and Distefano, Dino and O'Hearn, Peter and Yang, Hongseok}, title = {Compositional Shape Analysis by Means of Bi-abduction}, booktitle = {POPL '09}, year = {2009}, pages = {289--300}, } @inproceedings{Neu12, author = {Rene Neumann}, booktitle = {Workshop on Automated Theory Exploration (ATX 2012)}, pages = {36--45}, title = {A Framework for Verified Depth-First Algorithms}, year = {2012} } @article{LaMe12, author = {Peter Lammich and Rene Meis}, title = {A Separation Logic Framework for Imperative HOL}, journal = {Archive of Formal Proofs}, month = nov, year = 2012, note = {\url{https://isa-afp.org/entries/Separation_Logic_Imperative_HOL.shtml}, Formal proof development}, ISSN = {2150-914x}, } @inproceedings{Bu62, author = {Buechi, Julius R.}, booktitle = {International Congress on Logic, Methodology, and Philosophy of Science}, citeulike-article-id = {2948751}, keywords = {automata\_theory}, pages = {1--11}, posted-at = 
{2008-07-01 16:58:48}, priority = {0}, publisher = {Stanford University Press}, title = {{On a Decision Method in Restricted Second-Order Arithmetic}}, year = {1962} } @ARTICLE{VaWo94, author = {Moshe Y. Vardi and Pierre Wolper}, title = {Reasoning about Infinite Computations}, journal = {Information and Computation}, year = {1994}, volume = {115}, pages = {1--37} } @article{GeVa05, author = {Geldenhuys, Jaco and Valmari, Antti}, title = {More Efficient On-the-fly {LTL} Verification with Tarjan's Algorithm}, journal = {Theor. Comput. Sci.}, issue_date = {21 November 2005}, volume = {345}, number = {1}, month = nov, year = {2005}, issn = {0304-3975}, pages = {60--82}, numpages = {23}, url = {https://doi.org/10.1016/j.tcs.2005.07.004}, doi = {10.1016/j.tcs.2005.07.004}, acmid = {1121853}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {model checking, verification}, } @inproceedings{CDP05, author = {Couvreur, Jean-Michel and Duret-Lutz, Alexandre and Poitrenaud, Denis}, title = {On-the-fly Emptiness Checks for Generalized B\&\#252;Chi Automata}, booktitle = {Proceedings of the 12th International Conference on Model Checking Software}, series = {SPIN'05}, year = {2005}, isbn = {3-540-28195-9, 978-3-540-28195-5}, location = {San Francisco, CA}, pages = {169--184}, numpages = {16}, url = {https://doi.org/10.1007/11537328_15}, doi = {10.1007/11537328_15}, acmid = {2156363}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, } @incollection{RDKP13, year={2013}, isbn={978-3-642-45220-8}, booktitle={Logic for Programming, Artificial Intelligence, and Reasoning}, volume={8312}, series={Lecture Notes in Computer Science}, editor={McMillan, Ken and Middeldorp, Aart and Voronkov, Andrei}, doi={10.1007/978-3-642-45221-5_44}, title={Three SCC-Based Emptiness Checks for Generalized Büchi Automata}, url={https://doi.org/10.1007/978-3-642-45221-5_44}, publisher={Springer Berlin Heidelberg}, author={Renault, Etienne and Duret-Lutz, 
Alexandre and Kordon, Fabrice and Poitrenaud, Denis}, pages={668-682} } @article{Purdom70, year={1970}, issn={0006-3835}, journal={BIT Numerical Mathematics}, volume={10}, number={1}, doi={10.1007/BF01940892}, title={A transitive closure algorithm}, url={https://doi.org/10.1007/BF01940892}, publisher={Kluwer Academic Publishers}, author={Purdom, Paul, Jr.}, pages={76-94}, language={English} } @article{Munro71, title = "Efficient determination of the transitive closure of a directed graph ", journal = "Information Processing Letters ", volume = "1", number = "2", pages = "56 - 58", year = "1971", note = "", issn = "0020-0190", author = "Ian Munro", } @article{ChMe96, year={1996}, issn={0178-4617}, journal={Algorithmica}, volume={15}, number={6}, doi={10.1007/BF01940880}, title={Algorithms for dense graphs and networks on the random access computer}, url={https://doi.org/10.1007/BF01940880}, publisher={Springer-Verlag}, keywords={Graph; Network; Algorithm; Dense graph; Dense network}, author={Cheriyan, J. and Mehlhorn, K.}, pages={521-549}, language={English} } @article{Gabow00, title = "Path-based depth-first search for strong and biconnected components ", journal = "Information Processing Letters ", volume = "74", number = "3–4", pages = "107 - 114", year = "2000", note = "", issn = "0020-0190", doi = "https://doi.org/10.1016/S0020-0190(00)00051-X", url = "http://www.sciencedirect.com/science/article/pii/S002001900000051X", author = "Harold N. 
Gabow", } @article{Tarjan72, author = {Tarjan, R.}, title = {Depth-First Search and Linear Graph Algorithms}, journal = {SIAM Journal on Computing}, volume = {1}, number = {2}, pages = {146-160}, year = {1972}, doi = {10.1137/0201010}, } @article{Sharir81, author = {Sharir, M.}, journal = {Computers \& Mathematics with Applications}, month = jan, number = {1}, pages = {67--72}, title = {{A strong-connectivity algorithm and its applications in data flow analysis}}, volume = {7}, year = {1981} } @book{SeWa11, author="Robert Sedgewick and Kevin Wayne", title="Algorithms", publisher="Addison-Wesley", year=2011, note = {4th edition} } @book{Dijk76, author="E. W. Dijkstra", title="A Discipline of Programming", publisher="Prentice Hall", year="1976", note="Ch. 25" } @inproceedings{MyOw12, author = {Myreen, Magnus O. and Owens, Scott}, title = {Proof-producing synthesis of {ML} from higher-order logic}, booktitle = {Proceedings of the 17th ACM SIGPLAN international conference on Functional programming}, series = {ICFP '12}, year = {2012}, pages = {115--126}, publisher = {ACM} } @misc{HuKu12, title = {Lifting and Transfer: A Modular Design for Quotients in {Isabelle/HOL}}, author = {Brian Huffman and Ondřej Kunčar}, year = {2012}, note = {Isabelle Users Workshop 2012} } @phdthesis{huff12, author = {Brian Huffman}, title = {HOLCF '11: A Definitional Domain Theory for Verifying Functional Programs}, school = {Portland State University}, year = {2012} } @INPROCEEDINGS{Wad89, author = {Philip Wadler}, title = {Theorems for free!}, booktitle = {Proc. of FPCA}, year = {1989}, pages = {347--359}, publisher = {ACM} } @inproceedings{Rey83, author = {John C. Reynolds}, title = {Types, Abstraction and Parametric Polymorphism}, booktitle = {IFIP Congress}, year = {1983}, pages = {513-523}, } @inproceedings{BBMV91, author = {Roland C. Backhouse and Peter de Bruin and Grant Malcolm and Ed Voermans and Jaap van der Woude}, title = {Relational catamorphisms}, booktitle = {Proc. 
of the IFIP TC2/WG2.1 Working Conference on Constructing Programs}, publisher = {Elsevier Science Publishers BV}, year = {1991} } @incollection{BJJM99, year={1999}, booktitle={Advanced Functional Programming}, volume={1608}, series=LNCS, title={Generic Programming}, publisher=Springer, author={Backhouse, Roland and Jansson, Patrik and Jeuring, Johan and Meertens, Lambert}, pages={28-115} } @inproceedings {Bul12, author = {Lukas Bulwahn}, title = {The New Quickcheck in {I}sabelle: Random, Exhaustive and Symbolic Testing Under One Roof}, booktitle = {Proc. of CPP}, year = {2012}, publisher = Springer, volume = {7679}, pages = {92--108}, series = LNCS } @incollection{INY04, year={2004}, booktitle={Theory Is Forever}, volume={3113}, series=LNCS, title={On {NFA} Reductions}, publisher=Springer, author={Ilie, Lucian and Navarro, Gonzalo and Yu, Sheng}, pages={112-124} } @mastersthesis{Eberl12, title = {Efficient and Verified Computation of Simulation Relations on {NFA}s}, author = {Manuel Eberl}, school = {Technische Universit\"at M\"unchen}, year = {2012}, type = {Bachelor's thesis} } @Misc{HKKN13, title = {Data Refinement in {Isabelle/HOL}}, author = {Florian Haftmann and Alexander Krauss and Ond\v{r}ej Kun\v{c}ar and Tobias Nipkow}, year = {2013}, note = {To appear in Proc. of ITP 2013} } @incollection{ELNN13, year={2013}, booktitle={CAV}, volume={8044}, series={LNCS}, title={A Fully Verified Executable {LTL} Model Checker}, publisher={Springer}, author={Esparza, Javier and Lammich, Peter and Neumann, René and Nipkow, Tobias and Schimpf, Alexander and Smaus, Jan-Georg}, pages={463-478}, } @inproceedings{MuSt89, author = {David R. Musser and Alexander A. Stepanov}, title = {Generic Programming}, booktitle = {Proc. of ISSAC}, year = {1989}, publisher = Springer, volume = {358}, pages = {13--25}, series = LNCS } @inproceedings{Hom09, title = {The {HOL}-{O}mega Logic}, author = {Peter V. Homeier}, booktitle = {Proc. 
of TPHOLs}, year = {2009}, publisher = Springer, volume = {5674}, pages = {244--259}, series = LNCS } @incollection{La13, year={2013}, booktitle={ITP}, volume={7998}, series={LNCS}, title={Automatic Data Refinement}, publisher={Springer}, author={Lammich, Peter}, pages={84-99} } @book{Holzmann03,author="Gerard J. Holzmann", title="The Spin Model Checker --- Primer and Reference Manual", publisher="Addison-Wesley",year=2003} @inproceedings{LaTu12, author = {Peter Lammich and Thomas Tuerk}, title = {Applying Data Refinement for Monadic Programs to {H}opcroft's Algorithm}, booktitle = {Proc. of ITP}, year = {2012}, publisher = Springer, volume = {7406}, pages = {166--182}, series = LNCS } @TechReport{Tu11, author = {Tuerk, Thomas}, title = {{A separation logic framework for HOL}}, year = 2011, month = jun, url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-799.pdf}, institution = {University of Cambridge, Computer Laboratory}, number = {UCAM-CL-TR-799} } @book{Abrial96,author="Jean-Raymond Abrial", title="The B-Book: Assigning Programs to Meanings", publisher="Cambridge University Press",year=1996} @article{KleinN-TOPLAS,author={Gerwin Klein and Tobias Nipkow}, title={A Machine-Checked Model for a {Java}-Like Language, Virtual Machine and Compiler}, journal=TOPLAS,volume = {28}, number = {4}, year = {2006}, pages = {619--695}} @inproceedings{KleinEHACDEEKNSTW09, author = {Gerwin Klein and Kevin Elphinstone and Gernot Heiser and June Andronick and David Cock and Philip Derrin and Dhammika Elkaduwe and Kai Engelhardt and Rafal Kolanski and Michael Norrish and Thomas Sewell and Harvey Tuch and Simon Winwood}, title = {{seL4}: formal verification of an {OS} kernel}, booktitle = {Proc.\ ACM Symp.\ Operating Systems Principles}, year = {2009}, pages = {207--220}, editor = {Jeanna Neefe Matthews and Thomas E. Anderson}, publisher = {ACM} } @article{Leroy-JAR09,author={Xavier Leroy}, title={A Formally Verified Compiler Back-end}, journal={J. 
Automated Reasoning},year=2009,volume=43,pages={363--446}} @InProceedings{MalechaMSW-POPL10, author={G. Malecha and G. Morrisett and A. Shinnar and R. Wisnesky}, title={Toward a verified relational database management system}, booktitle={Principles of Programming Languages (POPL'10)}, pages={237--248},year=2010,publisher={ACM}} @book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel}, title={{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher=Springer,series=LNCS,volume=2283,year=2002} @PhdThesis{Schi06, author = {Norbert Schirmer}, title = {Verification of Sequential Imperative Programs in {I}sabelle/{HOL}}, school = {Technische Universit\"at M\"unchen}, year = {2006}, } @Misc{Haft10b, author = {Florian Haftmann}, title = {Data Refinement (Raffinement) in {Isabelle/HOL}}, year = {2010}, note = {Available at \url{https://isabelle.in.tum.de/community/}} } @inproceedings{LB11, title = {Animating the Formalised Semantics of a {J}ava-like Language}, booktitle = {Proc. of ITP}, year = {2011}, publisher = Springer, volume = {6898}, pages = {216--232}, author = {Andreas Lochbihler and Lukas Bulwahn}, series = LNCS } @InProceedings{CKS08, author = {David Cock and Gerwin Klein and Thomas Sewell}, title = {Secure Microkernels, State Monads and Scalable Refinement}, booktitle = {Proc. of TPHOLs}, year = {2008}, series = LNCS, publisher = Springer, pages = {167--182}, volume = {5170}, } @inproceedings{SchM98, author = {Martin Schwenke and Brendan Mahony}, title = {The Essence of Expression Refinement}, booktitle = {Proc. 
of International Refinement Workshop and Formal Methods}, year = {1998}, pages = {324--333} } @incollection{La12, author = {Peter Lammich}, title = {Refinement for Monadic Programs}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Refine\_Monadic.shtml}}, year = {2012}, note = {Formal proof development} } @article{NoLa12, author = {Benedikt Nordhoff and Peter Lammich}, title = {Formalization of {D}ijkstra's Algorithm}, journal = {Archive of Formal Proofs}, month = Jan, year = 2012, note = {\url{https://isa-afp.org/entries/Dijkstra_Shortest_Path.shtml}, Formal proof development}, ISSN = {2150-914x} } @inproceedings{BKHEM08, author = {Bulwahn, Lukas and Krauss, Alexander and Haftmann, Florian and Erk\"{o}k, Levent and Matthews, John}, title = {Imperative Functional Programming with {Isabelle/HOL}}, booktitle = {TPHOL}, year = {2008}, pages = {134--149}, numpages = {16}, publisher = Springer, series = LNCS, volume = {5170}, } @book{BaWr98, author = {Ralph-Johan Back and Joakim von Wright}, title = {Refinement Calculus --- A Systematic Introduction}, publisher = Springer, year = {1998} } @incollection {Old84, author = {Olderog, Ernst-R{\"u}diger}, 
- title = {Hoare's logic for programs with procedures — What has been achieved?}, 
+ title = {Hoare's logic for programs with procedures --- What has been achieved?},
 booktitle = {Logics of Programs}, series = LNCS, publisher = Springer, pages = {383-395}, volume = {164}, year = {1984} } @book{RoEn98, author = {Willem-Paul de Roever and Kai Engelhardt}, title = {Data Refinement: Model-Oriented Proof Methods and their Comparison}, publisher = {Cambridge University Press}, year = {1998} } @ARTICLE{BaWr90, author = {R. J. R. Back and J. 
von Wright}, title = {Refinement Concepts Formalized in Higher Order Logic}, journal = {Formal Aspects of Computing}, year = {1990}, volume = {2} } @ARTICLE{BaWr00, title = {Encoding, Decoding and Data Refinement}, author = {Back, Ralph-Johan and von Wright, Joakim}, journal = {Formal Aspects of Computing}, volume = {12}, pages = {313--349}, year = {2000}, } @incollection {MSS86, author = {Melton, A. and Schmidt, D. and Strecker, G.}, title = {{G}alois connections and computer science applications}, booktitle = {Category Theory and Computer Programming}, series = LNCS, publisher = Springer, pages = {299--312}, volume = {240}, year = {1986} } @INPROCEEDINGS{LRW95, author = {Thomas Langbacka and Rimvydas Ruksenas and Joakim von Wright}, title = {{TkWinHOL}: A Tool for Doing Window Inference in {HOL}}, booktitle = {Proc. of International Workshop on Higher Order Logic Theorem Proving and its Applications}, year = {1995}, pages = {245--260}, publisher = Springer } @techreport{RuWr97, author = {Rimvydas Ruksenas and Joakim von Wright}, title = {A Tool for Data Refinement}, year = {1997}, institution = {Turku Centre for Computer Science}, number = {TUCS Technical Report No 119} } @INPROCEEDINGS{Wri94, author = {J. von Wright}, title = {Program Refinement by Theorem Prover}, booktitle = {In BCS FACS Sixth Refinement Workshop -- Theory and Practise of Formal Software Development}, year = {1994}, publisher = Springer } @phdthesis{Haft09, author = {Florian Haftmann}, title = {Code Generation from Specifications in Higher Order Logic}, school = {Technische Universit\"at M\"unchen}, year = {2009}, } @techreport{Egl75, author = {Herbert Egli}, title = {A mathematical model for nondeterministic computations}, institution = {ETH Z{\"u}rich}, year = {1975} } @article{Plo76, author= {G. D. Plotkin}, title = {A Powerdomain Construction}, journal = {SIAM J. 
Comput.}, volume = {5}, issue = {3}, pages = {452--487}, year = {1976} } @phdthesis{Back78, author = {Ralph-Johan Back}, title = {On the correctness of refinement steps in program development}, school = {Department of Computer Science, University of Helsinki}, year = {1978}, } @phdthesis{Preo06, author= {Viorel Preoteasa}, title= {Program Variables --- The Core of Mechanical Reasoning about Imperative Programs}, school= {Turku Centre for Computer Science}, year= {2006} } @inproceedings{BeRe09, author = {Berghofer, Stefan and Reiter, Markus}, title = {Formalizing the Logic-Automaton Connection}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {147--163}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_12}, publisher = Springer, address = {Berlin, Heidelberg}, } @incollection{BeRe09_afp, author = {Stefan Berghofer and Markus Reiter}, title = {Formalizing the Logic-Automaton Connection }, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/Presburger-Automata.shtml}}, month = Dec, year = 2009, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{Kun04, author = {Viktor Kuncak}, title = {Binary Search Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/BinarySearchTree.shtml}}, month = Apr, year = 2004, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{NiPu04, author = {Tobias Nipkow and Cornelia Pusch}, title = {{AVL} Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/AVL-Trees.shtml}}, month = Mar, year = 2004, note = {Formal proof development}, ISSN = {2150-914x} } @inproceedings{DiPe09, author = {de Dios, Javier and Pe{\~n}a, Ricardo}, title = {Formal Certification 
of a Resource-Aware Language Implementation}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {196--211}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_15}, publisher = Springer, address = {Berlin, Heidelberg}, } @ARTICLE{KaMo97, author = {Matt Kaufmann and J. Strother Moore}, title = {An Industrial Strength Theorem Prover for a Logic Based on {C}ommon {L}isp}, journal = {IEEE Transactions on Software Engineering}, year = {1997}, volume = {23}, pages = {203--213} } @techreport{C++STL, author = {Alexander Stepanov and Meng Lee}, title={The Standard Template Library}, institution = {HP Laboratories}, year = {1995}, month = {November}, number= {95-11(R.1)} } @Misc{JavaCollFr, key="Java Collections Framework", title = {{J}ava: The Collections Framework}, url = {http://java.sun.com/javase/6/docs/technotes/ guides/collections/} } @Misc{MLton, key="MLton", title = {{MLton} {Standard ML} compiler}, note = {http://mlton.org/}, url = {http://mlton.org/} } @misc{LETHAL, key = "Lethal", title = "{LETHAL} Tree and Hedge Automata Library", url = "http://lethal.sourceforge.net/" } @Misc{TIMBUK, author = {T. Genet and V. V. T. Tong}, title = {{T}imbuk 2.2}, url = {http://www.irisa.fr/celtique/genet/timbuk/}, } @misc{Coq:Std:Lib, key = "Coq", title = "The {Coq} Standard Library", url = "http://coq.inria.fr/stdlib/index.html" } @inproceedings{Ballarin:2006:MKM, author = "Clemens Ballarin", title = "Interpretation of Locales in {Isabelle}: Theories and Proof Contexts", editor = "J. M. Borwein and W. M. Farmer", booktitle = "MKM 2006", series = "LNAI", volume = "4108", pages = "31--43", year = 2006, publisher = Springer } @article{Hardy:Ramanujan:1917:QJM, author = "G. H. Hardy and S. Ramanujan", title = "The normal number of prime factors of a number", journal = "Quart. J. 
of Math.", volume = 48, pages = "76--92", year = "1917" } @inproceedings{Peyton:Jones:1996:FPW, author = "Peyton Jones, Simon", title = "Bulk types with class", booktitle = "FPW '96", year = 1996 } @InProceedings{LL10, author = {P. Lammich and A. Lochbihler}, title = {The {Isabelle} {Collections} {Framework}}, booktitle = {Proc. of ITP}, series = LNCS, publisher = Springer, pages = {339--354}, volume = {6172}, year = {2010} } @inproceedings{Kr10, author={Alexander Krauss}, title={Recursive definitions of monadic functions}, booktitle={Proc. of PAR}, volume={43}, pages={1--13}, year={2010} } @phdthesis{Stap99, author = {Mark Staples}, title = {A Mechanised Theory of Refinement}, school = {University of Cambridge}, year = {1999}, note = {2nd edition} } @article{Morr87, title = {A theoretical basis for stepwise refinement and the programming calculus}, author = {Joseph M. Morris}, journal = {Science of Computer Programming}, volume = {9}, number = {3}, pages = {287--306}, year = {1987} } @inproceedings{HaNi10, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {FLOPS 2010}, series = LNCS, year = {2010}, publisher = Springer } @incollection{L09_collections, author = {Peter Lammich}, title = {Collections Framework}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Collections.shtml}}, month = Dec, year = 2009, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{L09_tree_automata, author = {Peter Lammich}, title = {Tree Automata}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Tree-Automata.shtml}}, month = Dec, year = {2009}, note = {Formal proof development}, ISSN = {2150-914x} } @INPROCEEDINGS{CHY07, author={Calcagno, C. and O'Hearn, P.W. 
and Hongseok Yang}, booktitle={LICS 2007}, title={Local Action and Abstract Separation Logic}, year={2007}, month={July}, pages={366-378}, } @inproceedings{Rey02, author = {John C. Reynolds}, title = {Separation Logic: A Logic for Shared Mutable Data Structures}, booktitle = {Proc of. Logic in Computer Science (LICS)}, year={2002}, pages={55--74}, publisher={IEEE} } @MasterThesis{Meis2011, author={Rene Meis}, title={{I}ntegration von {S}eparation {L}ogic in das {I}mperative {HOL}-{F}ramework}, note={Master Thesis, WWU M\"unster}, year={2011}, school={WWU M\"unster} } @INPROCEEDINGS{Wad92, author = {Philip Wadler}, title = {Comprehending Monads}, booktitle = {Mathematical Structures in Computer Science}, year = {1992}, pages = {61--78} } @book{mmo97, author={Markus M{\"u}ller-Olm}, title={Modular Compiler Verification {---} A Refinement-Algebraic Approach Advocating Stepwise Abstraction}, publisher=Springer, year={1997}, series=LNCS, volume={1283} } @book{NPW02, author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, title = {{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher = Springer, series = LNCS, volume = 2283, year = 2002 } @InCollection{brz62, author = {J. A. Brzozowski}, title = {Canonical regular expressions and minimal state graphs for definite events}, booktitle = {Mathematical theory of Automata}, note = {Volume 12 of MRI Symposia Series}, pages = {529--561}, publisher = {Polytechnic Press, Polytechnic Institute of Brooklyn, N.Y.}, year = {1962} } @InCollection{Hop71, author = {John E. Hopcroft}, title = {An $n\log n$ algorithm for minimizing the states in a finite automaton}, booktitle = {Theory of Machines and Computations}, year = {1971}, publisher = {Academic Press}, pages = {189--196} } @TechReport{wat93, author = {Bruce W. Watson}, title = {A taxonomy of finite automata minimization algorithms}, institution = {Eindhoven University of Technology, The Netherlands}, year = 1993, type = {Comp. Sci. 
Note}, number = {93/44}, issn = "0926-4515" } @article {Hoa72, author = {Hoare, C. A. R.}, title = {Proof of correctness of data representations}, journal = {Acta Informatica}, publisher = Springer, keyword = {Computer Science}, pages = {271--281}, volume = {1}, issue = {4}, year = {1972} } @article{Hoa69, author = {Hoare, C. A. R.}, title = {An axiomatic basis for computer programming}, journal = {Commun. ACM}, volume = 12, issue = 10, month = {October}, year = 1969, pages = {576--580}, numpages = 5, publisher = {ACM}, address = {New York, NY, USA}, } @Book{GoMe93, Author = {M.J.C. Gordon and T.F. Melham}, Title = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic}, Publisher = {Cambridge University}, key = {GoMe93}, year = 1993 } @inproceedings{SlindN08, author = {Konrad Slind and Michael Norrish}, title = {A Brief Overview of {HOL4}}, booktitle = {TPHOLs}, year = 2008, pages = {28--32}, ee = {https://doi.org/10.1007/978-3-540-71067-7_6}, crossref = {DBLP:conf/tphol/2008}, bibsource = {DBLP, http://dblp.uni-trier.de} } @INPROCEEDINGS{Bra09, author = {Thomas Braibant and Damien Pous}, title = {A tactic for deciding {K}leene algebras}, booktitle = {First Coq Workshop}, year = {2009} } @MISC{Con97, author = {Robert L. Constable and Paul B. Jackson and Pavel Naumov and Juan Uribe}, title = {Formalizing Automata Theory {I}: Finite Automata}, year = {1997} } @inproceedings{Bac06, author = {Baclet, Manuel and Pagetti, Claire}, booktitle = {Proc. of CIAA 2006}, journal = {Implementation and Application of Automata}, pages = {114--125}, title = {Around {H}opcroft's Algorithm}, volume = {LNCS 4094}, year = 2006 } @article{AMR07, author = {Almeida, Marco and Moreira, Nelma and Reis, Rog\'{e}rio}, title = {Enumeration and generation with a string automata representation}, journal = {Theor. Comput. 
Sci.}, volume = {387}, issue = {2}, month = {November}, year = {2007}, issn = {0304-3975}, pages = {93--102}, numpages = {10}, url = {http://dl.acm.org/citation.cfm?id=1297415.1297473}, doi = {10.1016/j.tcs.2007.07.029}, acmid = {1297473}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {Exact enumeration, Finite automata, Initially-connected deterministic finite automata, Minimal automata, Random generation}, } @inproceedings{FAdo09, author = {Andr{\'e} Almeida and Marco Almeida and Jos{\'e} Alves and Nelma Moreira and Rog{\'e}rio Reis}, title = {{FAdo} and {GUItar}}, booktitle = {CIAA}, year = {2009}, pages = {65--74}, ee = {https://doi.org/10.1007/978-3-642-02979-0_10}, crossref = {DBLP:conf/wia/2009}, bibsource = {DBLP, http://dblp.uni-trier.de} } @proceedings{DBLP:conf/wia/2009, editor = {Sebastian Maneth}, title = {Implementation and Application of Automata}, booktitle = {CIAA}, publisher = Springer, series = LNCS, volume = {5642}, year = {2009}, isbn = {978-3-642-02978-3}, ee = {https://doi.org/10.1007/978-3-642-02979-0}, bibsource = {DBLP, http://dblp.uni-trier.de} } @article{Blum96, title={An {O}(n log n) implementation of the standard method for minimizing n-state finite automata}, volume={6}, number={2}, journal={Information Processing Letters}, author={Blum, Norbert}, year={1996}, pages={65--69}} @InProceedings{GerPelVarWol95, author = {Rob Gerth and Doron Peled and Moshe Y. Vardi and Pierre Wolper}, title = {Simple on-the-fly automatic verification of linear temporal logic}, editor = {Piotr Dembinski and Marek Sredniawa}, booktitle = {Proc.\ Int.\ Symp.\ Protocol Specification, Testing, and Verification}, pages = {3--18}, year = 1996, publisher = {Chapman \& Hall}, series = {IFIP Conference Proceedings}, volume = {38}, } @InProceedings{SchMerSma09, author = {Alexander Schimpf and Stephan Merz and Jan-Georg Smaus}, editor = {S. Berghofer and T. Nipkow and C. Urban and M. 
Wenzel}, title = {Construction of {B}{\"u}chi Automata for {LTL} Model Checking Verified in {I}sabelle/{HOL}}, booktitle = {Theorem Proving in Higher Order Logics, TPHOLs 2009}, year = 2009, pages = {424--439}, series = LNCS, volume = {5674}, publisher = Springer } @INPROCEEDINGS{SE05, author = {Stefan Schwoon and Javier Esparza}, title = {A Note on On-The-Fly Verification Algorithms}, booktitle = {TACAS}, year = {2005}, volume = {3440}, series = LNCS, pages = {174--190}, publisher = Springer } @ARTICLE{CVWY92, author = {Courcoubetis, C. and Vardi, M. and Wolper, P. and Yannakakis, M.}, title = {Memory-efficient algorithms for the verification of temporal properties}, journal = {Formal Methods in System Design}, year = {1992}, volume = {1}, pages = {275--288}, number = {2/3}, abstract = {This article addresses the problem of designing memory-efficient algorithms for the verification of temporal properties of finite-state programs. Both the programs and their desired temporal properties are modeled as automata on infinite words (B{\"u}chi automata). Verification is then reduced to checking the emptiness of the automaton resulting from the product of the program and the property. This problem is usually solved by computing the strongly connected components of the graph representing the product automaton. Here, we present algorithms that solve the emptiness problem without explicitly constructing the strongly connected components of the product graph. 
By allowing the algorithms to err with some probability, we can implement them with a randomly accessed memory of size O(n) bits, where n is the number of states of the graph, instead of O(n log n) bits that the presently known algorithms require.}, issn = {0925-9856}, issue = {2}, publisher = Springer } @INPROCEEDINGS{HPY96, author = {Gerard Holzmann and Doron Peled and Mihalis Yannakakis}, title = {On Nested Depth First Search}, booktitle = {SPIN}, year = {1996}, volume = {32}, series = {Discrete Mathematics and Theoretical Computer Science}, pages = {23--32}, publisher = {American Mathematical Society} } @inproceedings{DBLP:conf/tacas/ChouP96, author = {Ching-Tsun Chou and Doron Peled}, title = {Formal Verification of a Partial-Order Reduction Technique for Model Checking}, booktitle = {Tools and Algorithms for the Construction and Analysis of Systems (TACAS)}, year = {1996}, pages = {241--257}, ee = {https://doi.org/10.1007/3-540-61042-1_48}, crossref = {DBLP:conf/tacas/1996}, bibsource = {DBLP, http://dblp.uni-trier.de} } @proceedings{DBLP:conf/tacas/1996, editor = {Tiziana Margaria and Bernhard Steffen}, title = {Tools and Algorithms for Construction and Analysis of Systems}, booktitle = {TACAS}, publisher = Springer, series = LNCS, volume = {1055}, year = {1996}, isbn = {3-540-61042-1}, bibsource = {DBLP, http://dblp.uni-trier.de} } @ARTICLE{ChoySingh:1994:leaderfilters, author = {Choy, Manhoi and Singh, Ambuj K.}, title = {Adaptive solutions to the mutual exclusion problem}, journal = {Distributed Computing}, year = {1994}, volume = {8}, pages = {1--17}, number = {1}, issn = {0178-2770}, keywords = {Adaptive algorithms; Leader election; Mutual exclusion; Synchronization}, language = {English}, publisher = Springer } @BOOK{BaierKatoen:2008:modelchecking, title = {Principles of Model Checking}, publisher = {MIT Press}, year = {2008}, author = {Christel Baier and Joost-Pieter Katoen} } @INPROCEEDINGS{HaftmannNipkow:2010:codegeneration, author = {Florian 
Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {Functional and Logic Programming (FLOPS)}, year = {2010}, editor = {Matthias Blume and Naoki Kobayashi and Germ{\'a}n Vidal}, volume = {6009}, pages = {103--117}, series = LNCS, publisher = Springer } @article{FF56, title={Maximal flow through a network}, author={Ford, Lester R and Fulkerson, Delbert R}, journal={Canadian journal of Mathematics}, volume={8}, number={3}, pages={399--404}, year={1956} } @article{Lee05, title={Correctnesss of Ford-Fulkerson’s Maximum Flow Algorithm1}, author={Lee, Gilbert}, journal={Formalized Mathematics}, volume={13}, number={2}, pages={305--314}, year={2005} } @book{CLRS09, author = {Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford}, title = {Introduction to Algorithms, Third Edition}, year = {2009}, edition = {3rd}, publisher = {The MIT Press}, } @article{EK72, title={Theoretical improvements in algorithmic efficiency for network flow problems}, author={Edmonds, Jack and Karp, Richard M}, journal={J.~ACM}, volume={19}, number={2}, pages={248--264}, year={1972}, publisher={ACM} } @article{Zwick95, title={The smallest networks on which the {F}ord-{F}ulkerson maximum flow procedure may fail to terminate}, author={Zwick, Uri}, journal={Theoretical computer science}, volume={148}, number={1}, pages={165--170}, year={1995}, publisher={Elsevier} }
diff --git a/thys/Flow_Networks/document/root.bib b/thys/Flow_Networks/document/root.bib
--- a/thys/Flow_Networks/document/root.bib
+++ b/thys/Flow_Networks/document/root.bib
@@ -1,1466 +1,1466 @@
 @STRING{LNCS = {LNCS}} @STRING{Springer = {Springer}} @article{EFS56, doi = {10.1109/tit.1956.1056816}, url = {https://doi.org/10.1109%2Ftit.1956.1056816}, year = {1956}, month = {dec}, publisher = {{IEEE}}, volume = {2}, number = {4}, pages = {117--119}, author = {P. Elias and A. Feinstein and C. Shannon}, title = {A note on the maximum flow through a network}, journal = {{IEEE} Transactions on Information Theory} } @inproceedings{LaSe16, author = {Peter Lammich and S. Reza Sefidgar}, title = {Formalizing the Edmonds-Karp Algorithm}, booktitle = {Interactive Theorem Proving}, publisher = Springer, year = {2016}, note = {to appear} } @inproceedings{LeRu07, author = {Lee, Gilbert and Rudnicki, Piotr}, title = {Alternative Aggregates in Mizar}, booktitle = {Calculemus '07 / MKM '07}, year = {2007}, pages = {327--341}, numpages = {15}, publisher = {Springer}, } @book{BeCa10, author = {Bertot, Yves and Castran, Pierre}, title = {Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions}, year = {2010}, edition = {1st}, publisher = Springer, } @inproceedings{La16, author = {Peter Lammich}, title = {Refinement based verification of imperative data structures}, booktitle = {{CPP}}, pages = {27--36}, publisher = {{ACM}}, year = {2016} } @inproceedings{GAK12, publisher = Springer, author = {Greenaway, David and Andronick, June and Klein, Gerwin}, month = {aug}, year = {2012}, title = {Bridging the Gap: Automatic Verified Abstraction of {C}}, booktitle = {ITP}, pages = {99-115}, } @phdthesis{Greenaway15, school = {CSE, UNSW}, author = {Greenaway, David}, month = {mar}, year = {2015}, keywords = {isabelle/hol, c verification, autocorres}, title = {Automated proof-producing abstraction of C code}, address = {Sydney, Australia} } @PHDTHESIS{Nosch15, author = {Lars Noschinski}, title = {Formalizing Graph Theory and Planarity Certificates}, school = {Fakultät für Informatik, Technische Universität München}, year = 
{2015}, month = {November}, } @ARTICLE{MaRu05, author = {Roman Matuszewski and Piotr Rudnicki}, title = {Mizar: the first 30 years}, journal = {Mechanized Mathematics and Its Applications}, year = {2005}, pages = {2005} } @inproceedings{Wenzel99, author = {Markus Wenzel}, title = {Isar - {A} Generic Interpretative Approach to Readable Formal Proof Documents}, booktitle = {TPHOLs'99}, pages = {167--184}, year = {1999}, crossref = {DBLP:conf/tphol/1999}, } @proceedings{DBLP:conf/tphol/1999, title = {Theorem Proving in Higher Order Logics, 12th International Conference, TPHOLs'99, Nice, France, September, 1999, Proceedings}, series = LNCS, volume = {1690}, publisher = Springer, year = {1999}, } @article{GoTa88, author = {Goldberg, Andrew V. and Tarjan, Robert E.}, title = {A New Approach to the Maximum-flow Problem}, journal = {J. ACM}, issue_date = {Oct. 1988}, volume = {35}, number = {4}, month = oct, year = {1988}, publisher = {ACM}, } @incollection{Di06, author = {Dinitz, Yefim}, chapter = {Dinitz' Algorithm: The Original Version and Even's Version}, title = {Theoretical Computer Science}, year = {2006}, pages = {218--240}, numpages = {23}, publisher = {Springer}, } @article{Wirth71, author = {Wirth, Niklaus}, title = {Program Development by Stepwise Refinement}, journal = {Commun. 
ACM}, issue_date = {April 1971}, volume = {14}, number = {4}, month = apr, year = {1971}, publisher = {ACM}, } @incollection{La15, year={2015}, booktitle={ITP}, volume={9236}, series={LNCS}, title={Refinement to {Imperative/HOL}}, publisher={Springer}, author={Lammich, Peter}, pages={253-269}, } @inproceedings{BCHP05, author = {Bornat, Richard and Calcagno, Cristiano and O'Hearn, Peter and Parkinson, Matthew}, title = {Permission Accounting in Separation Logic}, booktitle = {POPL}, year = {2005}, pages = {259--270}, numpages = {12}, publisher = {ACM}, } @INPROCEEDINGS{MA07, author = {Nicolas Marti and Reynald Affeldt}, title = {A certified verifier for a fragment of Separation logic}, booktitle = {PPL-Workshop}, year = {2007} } @INPROCEEDINGS{NMSGB08, author = {Aleksandar Nanevski and Greg Morrisett and Avi Shinnar and Paul Govereau and Lars Birkedal}, title = {Ynot: Reasoning with the awkward squad}, booktitle = {ICFP}, year = {2008} } @inproceedings{KKB12, publisher = {Springer}, author = {Klein, Gerwin and Kolanski, Rafal and Boyton, Andrew}, month = {Aug}, year = {2012}, title = {Mechanised Separation Algebra}, booktitle = {ITP}, pages = {332-337}, } @InProceedings{char11, author = "Arthur Chargu{\'e}raud", title = "Characteristic Formulae for the Verification of Imperative Programs", year = "2011", pages = "418--430", publisher = "ACM", booktitle = "ICFP", } @incollection{La14, year={2014}, booktitle={ITP}, volume={8558}, series={LNCS}, title={Verified Efficient Implementation of {G}abow’s Strongly Connected Component Algorithm}, publisher={Springer}, author={Lammich, Peter}, pages={325-340}, } @article{HiPa06, title = "Finger Trees: A Simple General-purpose Data Structure", author = "Ralf Hinze and Ross Paterson", journal = "Journal of Functional Programming", volume = 16, number = 2, pages = "197-217", year = 2006 } @incollection{Pe07, year={2007}, booktitle={Model Checking Software}, series={LNCS}, title={BEEM: Benchmarks for Explicit Model Checkers}, 
publisher={Springer}, author={Pelánek, Radek}, pages={263-267}, } @inproceedings{CDHY09, author = {Calcagno, Cristiano and Distefano, Dino and O'Hearn, Peter and Yang, Hongseok}, title = {Compositional Shape Analysis by Means of Bi-abduction}, booktitle = {POPL '09}, year = {2009}, pages = {289--300}, } @inproceedings{Neu12, author = {Rene Neumann}, booktitle = {Workshop on Automated Theory Exploration (ATX 2012)}, pages = {36--45}, title = {A Framework for Verified Depth-First Algorithms}, year = {2012} } @article{LaMe12, author = {Peter Lammich and Rene Meis}, title = {A Separation Logic Framework for Imperative HOL}, journal = {Archive of Formal Proofs}, month = nov, year = 2012, note = {\url{https://isa-afp.org/entries/Separation_Logic_Imperative_HOL.shtml}, Formal proof development}, ISSN = {2150-914x}, } @inproceedings{Bu62, author = {Buechi, Julius R.}, booktitle = {International Congress on Logic, Methodology, and Philosophy of Science}, citeulike-article-id = {2948751}, keywords = {automata\_theory}, pages = {1--11}, posted-at = {2008-07-01 16:58:48}, priority = {0}, publisher = {Stanford University Press}, title = {{On a Decision Method in Restricted Second-Order Arithmetic}}, year = {1962} } @ARTICLE{VaWo94, author = {Moshe Y. Vardi and Pierre Wolper}, title = {Reasoning about Infinite Computations}, journal = {Information and Computation}, year = {1994}, volume = {115}, pages = {1--37} } @article{GeVa05, author = {Geldenhuys, Jaco and Valmari, Antti}, title = {More Efficient On-the-fly {LTL} Verification with Tarjan's Algorithm}, journal = {Theor. Comput. 
Sci.}, issue_date = {21 November 2005}, volume = {345}, number = {1}, month = nov, year = {2005}, issn = {0304-3975}, pages = {60--82}, numpages = {23}, url = {https://doi.org/10.1016/j.tcs.2005.07.004}, doi = {10.1016/j.tcs.2005.07.004}, acmid = {1121853}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {model checking, verification}, } @inproceedings{CDP05, author = {Couvreur, Jean-Michel and Duret-Lutz, Alexandre and Poitrenaud, Denis}, title = {On-the-fly Emptiness Checks for Generalized B\&\#252;Chi Automata}, booktitle = {Proceedings of the 12th International Conference on Model Checking Software}, series = {SPIN'05}, year = {2005}, isbn = {3-540-28195-9, 978-3-540-28195-5}, location = {San Francisco, CA}, pages = {169--184}, numpages = {16}, url = {https://doi.org/10.1007/11537328_15}, doi = {10.1007/11537328_15}, acmid = {2156363}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, } @incollection{RDKP13, year={2013}, isbn={978-3-642-45220-8}, booktitle={Logic for Programming, Artificial Intelligence, and Reasoning}, volume={8312}, series={Lecture Notes in Computer Science}, editor={McMillan, Ken and Middeldorp, Aart and Voronkov, Andrei}, doi={10.1007/978-3-642-45221-5_44}, title={Three SCC-Based Emptiness Checks for Generalized Büchi Automata}, url={https://doi.org/10.1007/978-3-642-45221-5_44}, publisher={Springer Berlin Heidelberg}, author={Renault, Etienne and Duret-Lutz, Alexandre and Kordon, Fabrice and Poitrenaud, Denis}, pages={668-682} } @article{Purdom70, year={1970}, issn={0006-3835}, journal={BIT Numerical Mathematics}, volume={10}, number={1}, doi={10.1007/BF01940892}, title={A transitive closure algorithm}, url={https://doi.org/10.1007/BF01940892}, publisher={Kluwer Academic Publishers}, author={Purdom, Paul, Jr.}, pages={76-94}, language={English} } @article{Munro71, title = "Efficient determination of the transitive closure of a directed graph ", journal = "Information Processing Letters ", 
volume = "1", number = "2", pages = "56 - 58", year = "1971", note = "", issn = "0020-0190", author = "Ian Munro", } @article{ChMe96, year={1996}, issn={0178-4617}, journal={Algorithmica}, volume={15}, number={6}, doi={10.1007/BF01940880}, title={Algorithms for dense graphs and networks on the random access computer}, url={https://doi.org/10.1007/BF01940880}, publisher={Springer-Verlag}, keywords={Graph; Network; Algorithm; Dense graph; Dense network}, author={Cheriyan, J. and Mehlhorn, K.}, pages={521-549}, language={English} } @article{Gabow00, title = "Path-based depth-first search for strong and biconnected components ", journal = "Information Processing Letters ", volume = "74", number = "3–4", pages = "107 - 114", year = "2000", note = "", issn = "0020-0190", doi = "https://doi.org/10.1016/S0020-0190(00)00051-X", url = "http://www.sciencedirect.com/science/article/pii/S002001900000051X", author = "Harold N. Gabow", } @article{Tarjan72, author = {Tarjan, R.}, title = {Depth-First Search and Linear Graph Algorithms}, journal = {SIAM Journal on Computing}, volume = {1}, number = {2}, pages = {146-160}, year = {1972}, doi = {10.1137/0201010}, } @article{Sharir81, author = {Sharir, M.}, journal = {Computers \& Mathematics with Applications}, month = jan, number = {1}, pages = {67--72}, title = {{A strong-connectivity algorithm and its applications in data flow analysis}}, volume = {7}, year = {1981} } @book{SeWa11, author="Robert Sedgewick and Kevin Wayne", title="Algorithms", publisher="Addison-Wesley", year=2011, note = {4th edition} } @book{Dijk76, author="E. W. Dijkstra", title="A Discipline of Programming", publisher="Prentice Hall", year="1976", note="Ch. 25" } @inproceedings{MyOw12, author = {Myreen, Magnus O. 
and Owens, Scott}, title = {Proof-producing synthesis of {ML} from higher-order logic}, booktitle = {Proceedings of the 17th ACM SIGPLAN international conference on Functional programming}, series = {ICFP '12}, year = {2012}, pages = {115--126}, publisher = {ACM} } @misc{HuKu12, title = {Lifting and Transfer: A Modular Design for Quotients in {Isabelle/HOL}}, author = {Brian Huffman and Ondřej Kunčar}, year = {2012}, note = {Isabelle Users Workshop 2012} } @phdthesis{huff12, author = {Brian Huffman}, title = {HOLCF '11: A Definitional Domain Theory for Verifying Functional Programs}, school = {Portland State University}, year = {2012} } @INPROCEEDINGS{Wad89, author = {Philip Wadler}, title = {Theorems for free!}, booktitle = {Proc. of FPCA}, year = {1989}, pages = {347--359}, publisher = {ACM} } @inproceedings{Rey83, author = {John C. Reynolds}, title = {Types, Abstraction and Parametric Polymorphism}, booktitle = {IFIP Congress}, year = {1983}, pages = {513-523}, } @inproceedings{BBMV91, author = {Roland C. Backhouse and Peter de Bruin and Grant Malcolm and Ed Voermans and Jaap van der Woude}, title = {Relational catamorphisms}, booktitle = {Proc. of the IFIP TC2/WG2.1 Working Conference on Constructing Programs}, publisher = {Elsevier Science Publishers BV}, year = {1991} } @incollection{BJJM99, year={1999}, booktitle={Advanced Functional Programming}, volume={1608}, series=LNCS, title={Generic Programming}, publisher=Springer, author={Backhouse, Roland and Jansson, Patrik and Jeuring, Johan and Meertens, Lambert}, pages={28-115} } @inproceedings {Bul12, author = {Lukas Bulwahn}, title = {The New Quickcheck in {I}sabelle: Random, Exhaustive and Symbolic Testing Under One Roof}, booktitle = {Proc. 
of CPP}, year = {2012}, publisher = Springer, volume = {7679}, pages = {92--108}, series = LNCS } @incollection{INY04, year={2004}, booktitle={Theory Is Forever}, volume={3113}, series=LNCS, title={On {NFA} Reductions}, publisher=Springer, author={Ilie, Lucian and Navarro, Gonzalo and Yu, Sheng}, pages={112-124} } @mastersthesis{Eberl12, title = {Efficient and Verified Computation of Simulation Relations on {NFA}s}, author = {Manuel Eberl}, school = {Technische Universit\"at M\"unchen}, year = {2012}, type = {Bachelor's thesis} } @Misc{HKKN13, title = {Data Refinement in {Isabelle/HOL}}, author = {Florian Haftmann and Alexander Krauss and Ond\v{r}ej Kun\v{c}ar and Tobias Nipkow}, year = {2013}, note = {To appear in Proc. of ITP 2013} } @incollection{ELNN13, year={2013}, booktitle={CAV}, volume={8044}, series={LNCS}, title={A Fully Verified Executable {LTL} Model Checker}, publisher={Springer}, author={Esparza, Javier and Lammich, Peter and Neumann, René and Nipkow, Tobias and Schimpf, Alexander and Smaus, Jan-Georg}, pages={463-478}, } @inproceedings{MuSt89, author = {David R. Musser and Alexander A. Stepanov}, title = {Generic Programming}, booktitle = {Proc. of ISSAC}, year = {1989}, publisher = Springer, volume = {358}, pages = {13--25}, series = LNCS } @inproceedings{Hom09, title = {The {HOL}-{O}mega Logic}, author = {Peter V. Homeier}, booktitle = {Proc. of TPHOLs}, year = {2009}, publisher = Springer, volume = {5674}, pages = {244--259}, series = LNCS } @incollection{La13, year={2013}, booktitle={ITP}, volume={7998}, series={LNCS}, title={Automatic Data Refinement}, publisher={Springer}, author={Lammich, Peter}, pages={84-99} } @book{Holzmann03,author="Gerard J. Holzmann", title="The Spin Model Checker --- Primer and Reference Manual", publisher="Addison-Wesley",year=2003} @inproceedings{LaTu12, author = {Peter Lammich and Thomas Tuerk}, title = {Applying Data Refinement for Monadic Programs to {H}opcroft's Algorithm}, booktitle = {Proc. 
of ITP}, year = {2012}, publisher = Springer, volume = {7406}, pages = {166--182}, series = LNCS } @TechReport{Tu11, author = {Tuerk, Thomas}, title = {{A separation logic framework for HOL}}, year = 2011, month = jun, url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-799.pdf}, institution = {University of Cambridge, Computer Laboratory}, number = {UCAM-CL-TR-799} } @book{Abrial96,author="Jean-Raymond Abrial", title="The B-Book: Assigning Programs to Meanings", publisher="Cambridge University Press",year=1996} @article{KleinN-TOPLAS,author={Gerwin Klein and Tobias Nipkow}, title={A Machine-Checked Model for a {Java}-Like Language, Virtual Machine and Compiler}, journal=TOPLAS,volume = {28}, number = {4}, year = {2006}, pages = {619--695}} @inproceedings{KleinEHACDEEKNSTW09, author = {Gerwin Klein and Kevin Elphinstone and Gernot Heiser and June Andronick and David Cock and Philip Derrin and Dhammika Elkaduwe and Kai Engelhardt and Rafal Kolanski and Michael Norrish and Thomas Sewell and Harvey Tuch and Simon Winwood}, title = {{seL4}: formal verification of an {OS} kernel}, booktitle = {Proc.\ ACM Symp.\ Operating Systems Principles}, year = {2009}, pages = {207--220}, editor = {Jeanna Neefe Matthews and Thomas E. Anderson}, publisher = {ACM} } @article{Leroy-JAR09,author={Xavier Leroy}, title={A Formally Verified Compiler Back-end}, journal={J. Automated Reasoning},year=2009,volume=43,pages={363--446}} @InProceedings{MalechaMSW-POPL10, author={G. Malecha and G. Morrisett and A. Shinnar and R. 
Wisnesky}, title={Toward a verified relational database management system}, booktitle={Principles of Programming Languages (POPL'10)}, pages={237--248},year=2010,publisher={ACM}} @book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel}, title={{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher=Springer,series=LNCS,volume=2283,year=2002} @PhdThesis{Schi06, author = {Norbert Schirmer}, title = {Verification of Sequential Imperative Programs in {I}sabelle/{HOL}}, school = {Technische Universit\"at M\"unchen}, year = {2006}, } @Misc{Haft10b, author = {Florian Haftmann}, title = {Data Refinement (Raffinement) in {Isabelle/HOL}}, year = {2010}, note = {Available at \url{https://isabelle.in.tum.de/community/}} } @inproceedings{LB11, title = {Animating the Formalised Semantics of a {J}ava-like Language}, booktitle = {Proc. of ITP}, year = {2011}, publisher = Springer, volume = {6898}, pages = {216--232}, author = {Andreas Lochbihler and Lukas Bulwahn}, series = LNCS } @InProceedings{CKS08, author = {David Cock and Gerwin Klein and Thomas Sewell}, title = {Secure Microkernels, State Monads and Scalable Refinement}, booktitle = {Proc. of TPHOLs}, year = {2008}, series = LNCS, publisher = Springer, pages = {167--182}, volume = {5170}, } @inproceedings{SchM98, author = {Martin Schwenke and Brendan Mahony}, title = {The Essence of Expression Refinement}, booktitle = {Proc. 
of International Refinement Workshop and Formal Methods}, year = {1998}, pages = {324--333} } @incollection{La12, author = {Peter Lammich}, title = {Refinement for Monadic Programs}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Refine\_Monadic.shtml}}, year = {2012}, note = {Formal proof development} } @article{NoLa12, author = {Benedikt Nordhoff and Peter Lammich}, title = {Formalization of {D}ijkstra's Algorithm}, journal = {Archive of Formal Proofs}, month = Jan, year = 2012, note = {\url{https://isa-afp.org/entries/Dijkstra_Shortest_Path.shtml}, Formal proof development}, ISSN = {2150-914x} } @inproceedings{BKHEM08, author = {Bulwahn, Lukas and Krauss, Alexander and Haftmann, Florian and Erk\"{o}k, Levent and Matthews, John}, title = {Imperative Functional Programming with {Isabelle/HOL}}, booktitle = {TPHOL}, year = {2008}, pages = {134--149}, numpages = {16}, publisher = Springer, series = LNCS, volume = {5170}, } @book{BaWr98, author = {Ralph-Johan Back and Joakim von Wright}, title = {Refinement Calculus --- A Systematic Introduction}, publisher = Springer, year = {1998} } @incollection {Old84, author = {Olderog, Ernst-R{\"u}diger},
- title = {Hoare's logic for programs with procedures — What has been achieved?},
+ title = {Hoare's logic for programs with procedures --- What has been achieved?},
 booktitle = {Logics of Programs}, series = LNCS, publisher = Springer, pages = {383-395}, volume = {164}, year = {1984} } @book{RoEn98, author = {Willem-Paul de Roever and Kai Engelhardt}, title = {Data Refinement: Model-Oriented Proof Methods and their Comparison}, publisher = {Cambridge University Press}, year = {1998} } @ARTICLE{BaWr90, author = {R. J. R. Back and J. 
von Wright}, title = {Refinement Concepts Formalized in Higher Order Logic}, journal = {Formal Aspects of Computing}, year = {1990}, volume = {2} } @ARTICLE{BaWr00, title = {Encoding, Decoding and Data Refinement}, author = {Back, Ralph-Johan and von Wright, Joakim}, journal = {Formal Aspects of Computing}, volume = {12}, pages = {313--349}, year = {2000}, } @incollection {MSS86, author = {Melton, A. and Schmidt, D. and Strecker, G.}, title = {{G}alois connections and computer science applications}, booktitle = {Category Theory and Computer Programming}, series = LNCS, publisher = Springer, pages = {299--312}, volume = {240}, year = {1986} } @INPROCEEDINGS{LRW95, author = {Thomas Langbacka and Rimvydas Ruksenas and Joakim von Wright}, title = {{TkWinHOL}: A Tool for Doing Window Inference in {HOL}}, booktitle = {Proc. of International Workshop on Higher Order Logic Theorem Proving and its Applications}, year = {1995}, pages = {245--260}, publisher = Springer } @techreport{RuWr97, author = {Rimvydas Ruksenas and Joakim von Wright}, title = {A Tool for Data Refinement}, year = {1997}, institution = {Turku Centre for Computer Science}, number = {TUCS Technical Report No 119} } @INPROCEEDINGS{Wri94, author = {J. von Wright}, title = {Program Refinement by Theorem Prover}, booktitle = {In BCS FACS Sixth Refinement Workshop -- Theory and Practise of Formal Software Development}, year = {1994}, publisher = Springer } @phdthesis{Haft09, author = {Florian Haftmann}, title = {Code Generation from Specifications in Higher Order Logic}, school = {Technische Universit\"at M\"unchen}, year = {2009}, } @techreport{Egl75, author = {Herbert Egli}, title = {A mathematical model for nondeterministic computations}, institution = {ETH Z{\"u}rich}, year = {1975} } @article{Plo76, author= {G. D. Plotkin}, title = {A Powerdomain Construction}, journal = {SIAM J. 
Comput.}, volume = {5}, issue = {3}, pages = {452--487}, year = {1976} } @phdthesis{Back78, author = {Ralph-Johan Back}, title = {On the correctness of refinement steps in program development}, school = {Department of Computer Science, University of Helsinki}, year = {1978}, } @phdthesis{Preo06, author= {Viorel Preoteasa}, title= {Program Variables --- The Core of Mechanical Reasoning about Imperative Programs}, school= {Turku Centre for Computer Science}, year= {2006} } @inproceedings{BeRe09, author = {Berghofer, Stefan and Reiter, Markus}, title = {Formalizing the Logic-Automaton Connection}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {147--163}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_12}, publisher = Springer, address = {Berlin, Heidelberg}, } @incollection{BeRe09_afp, author = {Stefan Berghofer and Markus Reiter}, title = {Formalizing the Logic-Automaton Connection }, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/Presburger-Automata.shtml}}, month = Dec, year = 2009, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{Kun04, author = {Viktor Kuncak}, title = {Binary Search Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/BinarySearchTree.shtml}}, month = Apr, year = 2004, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{NiPu04, author = {Tobias Nipkow and Cornelia Pusch}, title = {{AVL} Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/AVL-Trees.shtml}}, month = Mar, year = 2004, note = {Formal proof development}, ISSN = {2150-914x} } @inproceedings{DiPe09, author = {de Dios, Javier and Pe{\~n}a, Ricardo}, title = {Formal Certification 
of a Resource-Aware Language Implementation}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {196--211}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_15}, publisher = Springer, address = {Berlin, Heidelberg}, } @ARTICLE{KaMo97, author = {Matt Kaufmann and J. Strother Moore}, title = {An Industrial Strength Theorem Prover for a Logic Based on {C}ommon {L}isp}, journal = {IEEE Transactions on Software Engineering}, year = {1997}, volume = {23}, pages = {203--213} } @techreport{C++STL, author = {Alexander Stepanov and Meng Lee}, title={The Standard Template Library}, institution = {HP Laboratories}, year = {1995}, month = {November}, number= {95-11(R.1)} } @Misc{JavaCollFr, key="Java Collections Framework", title = {{J}ava: The Collections Framework}, url = {http://java.sun.com/javase/6/docs/technotes/ guides/collections/} } @Misc{MLton, key="MLton", title = {{MLton} {Standard ML} compiler}, note = {http://mlton.org/}, url = {http://mlton.org/} } @misc{LETHAL, key = "Lethal", title = "{LETHAL} Tree and Hedge Automata Library", url = "http://lethal.sourceforge.net/" } @Misc{TIMBUK, author = {T. Genet and V. V. T. Tong}, title = {{T}imbuk 2.2}, url = {http://www.irisa.fr/celtique/genet/timbuk/}, } @misc{Coq:Std:Lib, key = "Coq", title = "The {Coq} Standard Library", url = "http://coq.inria.fr/stdlib/index.html" } @inproceedings{Ballarin:2006:MKM, author = "Clemens Ballarin", title = "Interpretation of Locales in {Isabelle}: Theories and Proof Contexts", editor = "J. M. Borwein and W. M. Farmer", booktitle = "MKM 2006", series = "LNAI", volume = "4108", pages = "31--43", year = 2006, publisher = Springer } @article{Hardy:Ramanujan:1917:QJM, author = "G. H. Hardy and S. Ramanujan", title = "The normal number of prime factors of a number", journal = "Quart. J. 
of Math.", volume = 48, pages = "76--92", year = "1917" } @inproceedings{Peyton:Jones:1996:FPW, author = "Peyton Jones, Simon", title = "Bulk types with class", booktitle = "FPW '96", year = 1996 } @InProceedings{LL10, author = {P. Lammich and A. Lochbihler}, title = {The {Isabelle} {Collections} {Framework}}, booktitle = {Proc. of ITP}, series = LNCS, publisher = Springer, pages = {339--354}, volume = {6172}, year = {2010} } @inproceedings{Kr10, author={Alexander Krauss}, title={Recursive definitions of monadic functions}, booktitle={Proc. of PAR}, volume={43}, pages={1--13}, year={2010} } @phdthesis{Stap99, author = {Mark Staples}, title = {A Mechanised Theory of Refinement}, school = {University of Cambridge}, year = {1999}, note = {2nd edition} } @article{Morr87, title = {A theoretical basis for stepwise refinement and the programming calculus}, author = {Joseph M. Morris}, journal = {Science of Computer Programming}, volume = {9}, number = {3}, pages = {287--306}, year = {1987} } @inproceedings{HaNi10, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {FLOPS 2010}, series = LNCS, year = {2010}, publisher = Springer } @incollection{L09_collections, author = {Peter Lammich}, title = {Collections Framework}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Collections.shtml}}, month = Dec, year = 2009, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{L09_tree_automata, author = {Peter Lammich}, title = {Tree Automata}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Tree-Automata.shtml}}, month = Dec, year = {2009}, note = {Formal proof development}, ISSN = {2150-914x} } @INPROCEEDINGS{CHY07, author={Calcagno, C. and O'Hearn, P.W. 
and Hongseok Yang}, booktitle={LICS 2007}, title={Local Action and Abstract Separation Logic}, year={2007}, month={July}, pages={366-378}, } @inproceedings{Rey02, author = {John C. Reynolds}, title = {Separation Logic: A Logic for Shared Mutable Data Structures}, booktitle = {Proc of. Logic in Computer Science (LICS)}, year={2002}, pages={55--74}, publisher={IEEE} } @MasterThesis{Meis2011, author={Rene Meis}, title={{I}ntegration von {S}eparation {L}ogic in das {I}mperative {HOL}-{F}ramework}, note={Master Thesis, WWU M\"unster}, year={2011}, school={WWU M\"unster} } @INPROCEEDINGS{Wad92, author = {Philip Wadler}, title = {Comprehending Monads}, booktitle = {Mathematical Structures in Computer Science}, year = {1992}, pages = {61--78} } @book{mmo97, author={Markus M{\"u}ller-Olm}, title={Modular Compiler Verification {---} A Refinement-Algebraic Approach Advocating Stepwise Abstraction}, publisher=Springer, year={1997}, series=LNCS, volume={1283} } @book{NPW02, author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, title = {{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher = Springer, series = LNCS, volume = 2283, year = 2002 } @InCollection{brz62, author = {J. A. Brzozowski}, title = {Canonical regular expressions and minimal state graphs for definite events}, booktitle = {Mathematical theory of Automata}, note = {Volume 12 of MRI Symposia Series}, pages = {529--561}, publisher = {Polytechnic Press, Polytechnic Institute of Brooklyn, N.Y.}, year = {1962} } @InCollection{Hop71, author = {John E. Hopcroft}, title = {An $n\log n$ algorithm for minimizing the states in a finite automaton}, booktitle = {Theory of Machines and Computations}, year = {1971}, publisher = {Academic Press}, pages = {189--196} } @TechReport{wat93, author = {Bruce W. Watson}, title = {A taxonomy of finite automata minimization algorithms}, institution = {Eindhoven University of Technology, The Netherlands}, year = 1993, type = {Comp. Sci. 
Note}, number = {93/44}, issn = "0926-4515" } @article {Hoa72, author = {Hoare, C. A. R.}, title = {Proof of correctness of data representations}, journal = {Acta Informatica}, publisher = Springer, keyword = {Computer Science}, pages = {271--281}, volume = {1}, issue = {4}, year = {1972} } @article{Hoa69, author = {Hoare, C. A. R.}, title = {An axiomatic basis for computer programming}, journal = {Commun. ACM}, volume = 12, issue = 10, month = {October}, year = 1969, pages = {576--580}, numpages = 5, publisher = {ACM}, address = {New York, NY, USA}, } @Book{GoMe93, Author = {M.J.C. Gordon and T.F. Melham}, Title = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic}, Publisher = {Cambridge University}, key = {GoMe93}, year = 1993 } @inproceedings{SlindN08, author = {Konrad Slind and Michael Norrish}, title = {A Brief Overview of {HOL4}}, booktitle = {TPHOLs}, year = 2008, pages = {28--32}, ee = {https://doi.org/10.1007/978-3-540-71067-7_6}, crossref = {DBLP:conf/tphol/2008}, bibsource = {DBLP, http://dblp.uni-trier.de} } @INPROCEEDINGS{Bra09, author = {Thomas Braibant and Damien Pous}, title = {A tactic for deciding {K}leene algebras}, booktitle = {First Coq Workshop}, year = {2009} } @MISC{Con97, author = {Robert L. Constable and Paul B. Jackson and Pavel Naumov and Juan Uribe}, title = {Formalizing Automata Theory {I}: Finite Automata}, year = {1997} } @inproceedings{Bac06, author = {Baclet, Manuel and Pagetti, Claire}, booktitle = {Proc. of CIAA 2006}, journal = {Implementation and Application of Automata}, pages = {114--125}, title = {Around {H}opcroft's Algorithm}, volume = {LNCS 4094}, year = 2006 } @article{AMR07, author = {Almeida, Marco and Moreira, Nelma and Reis, Rog\'{e}rio}, title = {Enumeration and generation with a string automata representation}, journal = {Theor. Comput. 
Sci.}, volume = {387}, issue = {2}, month = {November}, year = {2007}, issn = {0304-3975}, pages = {93--102}, numpages = {10}, url = {http://dl.acm.org/citation.cfm?id=1297415.1297473}, doi = {10.1016/j.tcs.2007.07.029}, acmid = {1297473}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {Exact enumeration, Finite automata, Initially-connected deterministic finite automata, Minimal automata, Random generation}, } @inproceedings{FAdo09, author = {Andr{\'e} Almeida and Marco Almeida and Jos{\'e} Alves and Nelma Moreira and Rog{\'e}rio Reis}, title = {{FAdo} and {GUItar}}, booktitle = {CIAA}, year = {2009}, pages = {65--74}, ee = {https://doi.org/10.1007/978-3-642-02979-0_10}, crossref = {DBLP:conf/wia/2009}, bibsource = {DBLP, http://dblp.uni-trier.de} } @proceedings{DBLP:conf/wia/2009, editor = {Sebastian Maneth}, title = {Implementation and Application of Automata}, booktitle = {CIAA}, publisher = Springer, series = LNCS, volume = {5642}, year = {2009}, isbn = {978-3-642-02978-3}, ee = {https://doi.org/10.1007/978-3-642-02979-0}, bibsource = {DBLP, http://dblp.uni-trier.de} } @article{Blum96, title={An {O}(n log n) implementation of the standard method for minimizing n-state finite automata}, volume={6}, number={2}, journal={Information Processing Letters}, author={Blum, Norbert}, year={1996}, pages={65--69}} @InProceedings{GerPelVarWol95, author = {Rob Gerth and Doron Peled and Moshe Y. Vardi and Pierre Wolper}, title = {Simple on-the-fly automatic verification of linear temporal logic}, editor = {Piotr Dembinski and Marek Sredniawa}, booktitle = {Proc.\ Int.\ Symp.\ Protocol Specification, Testing, and Verification}, pages = {3--18}, year = 1996, publisher = {Chapman \& Hall}, series = {IFIP Conference Proceedings}, volume = {38}, } @InProceedings{SchMerSma09, author = {Alexander Schimpf and Stephan Merz and Jan-Georg Smaus}, editor = {S. Berghofer and T. Nipkow and C. Urban and M. 
Wenzel}, title = {Construction of {B}{\"u}chi Automata for {LTL} Model Checking Verified in {I}sabelle/{HOL}}, booktitle = {Theorem Proving in Higher Order Logics, TPHOLs 2009}, year = 2009, pages = {424--439}, series = LNCS, volume = {5674}, publisher = Springer } @INPROCEEDINGS{SE05, author = {Stefan Schwoon and Javier Esparza}, title = {A Note on On-The-Fly Verification Algorithms}, booktitle = {TACAS}, year = {2005}, volume = {3440}, series = LNCS, pages = {174--190}, publisher = Springer } @ARTICLE{CVWY92, author = {Courcoubetis, C. and Vardi, M. and Wolper, P. and Yannakakis, M.}, title = {Memory-efficient algorithms for the verification of temporal properties}, journal = {Formal Methods in System Design}, year = {1992}, volume = {1}, pages = {275--288}, number = {2/3}, abstract = {This article addresses the problem of designing memory-efficient algorithms for the verification of temporal properties of finite-state programs. Both the programs and their desired temporal properties are modeled as automata on infinite words (B{\"u}chi automata). Verification is then reduced to checking the emptiness of the automaton resulting from the product of the program and the property. This problem is usually solved by computing the strongly connected components of the graph representing the product automaton. Here, we present algorithms that solve the emptiness problem without explicitly constructing the strongly connected components of the product graph. 
By allowing the algorithms to err with some probability, we can implement them with a randomly accessed memory of size O(n) bits, where n is the number of states of the graph, instead of O(n log n) bits that the presently known algorithms require.}, issn = {0925-9856}, issue = {2}, publisher = Springer } @INPROCEEDINGS{HPY96, author = {Gerard Holzmann and Doron Peled and Mihalis Yannakakis}, title = {On Nested Depth First Search}, booktitle = {SPIN}, year = {1996}, volume = {32}, series = {Discrete Mathematics and Theoretical Computer Science}, pages = {23--32}, publisher = {American Mathematical Society} } @inproceedings{DBLP:conf/tacas/ChouP96, author = {Ching-Tsun Chou and Doron Peled}, title = {Formal Verification of a Partial-Order Reduction Technique for Model Checking}, booktitle = {Tools and Algorithms for the Construction and Analysis of Systems (TACAS)}, year = {1996}, pages = {241--257}, ee = {https://doi.org/10.1007/3-540-61042-1_48}, crossref = {DBLP:conf/tacas/1996}, bibsource = {DBLP, http://dblp.uni-trier.de} } @proceedings{DBLP:conf/tacas/1996, editor = {Tiziana Margaria and Bernhard Steffen}, title = {Tools and Algorithms for Construction and Analysis of Systems}, booktitle = {TACAS}, publisher = Springer, series = LNCS, volume = {1055}, year = {1996}, isbn = {3-540-61042-1}, bibsource = {DBLP, http://dblp.uni-trier.de} } @ARTICLE{ChoySingh:1994:leaderfilters, author = {Choy, Manhoi and Singh, Ambuj K.}, title = {Adaptive solutions to the mutual exclusion problem}, journal = {Distributed Computing}, year = {1994}, volume = {8}, pages = {1--17}, number = {1}, issn = {0178-2770}, keywords = {Adaptive algorithms; Leader election; Mutual exclusion; Synchronization}, language = {English}, publisher = Springer } @BOOK{BaierKatoen:2008:modelchecking, title = {Principles of Model Checking}, publisher = {MIT Press}, year = {2008}, author = {Christel Baier and Joost-Pieter Katoen} } @INPROCEEDINGS{HaftmannNipkow:2010:codegeneration, author = {Florian 
Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {Functional and Logic Programming (FLOPS)}, year = {2010}, editor = {Matthias Blume and Naoki Kobayashi and Germ{\'a}n Vidal}, volume = {6009}, pages = {103--117}, series = LNCS, publisher = Springer } @article{FF56, title={Maximal flow through a network}, author={Ford, Lester R and Fulkerson, Delbert R}, journal={Canadian journal of Mathematics}, volume={8}, number={3}, pages={399--404}, year={1956} } @article{Lee05, title={Correctnesss of Ford-Fulkerson’s Maximum Flow Algorithm1}, author={Lee, Gilbert}, journal={Formalized Mathematics}, volume={13}, number={2}, pages={305--314}, year={2005} } @book{CLRS09, author = {Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford}, title = {Introduction to Algorithms, Third Edition}, year = {2009}, edition = {3rd}, publisher = {The MIT Press}, } @article{EK72, title={Theoretical improvements in algorithmic efficiency for network flow problems}, author={Edmonds, Jack and Karp, Richard M}, journal={J.~ACM}, volume={19}, number={2}, pages={248--264}, year={1972}, publisher={ACM} } @article{Zwick95, title={The smallest networks on which the {F}ord-{F}ulkerson maximum flow procedure may fail to terminate}, author={Zwick, Uri}, journal={Theoretical computer science}, volume={148}, number={1}, pages={165--170}, year={1995}, publisher={Elsevier} }
diff --git a/thys/Gabow_SCC/document/root.bib b/thys/Gabow_SCC/document/root.bib
--- a/thys/Gabow_SCC/document/root.bib
+++ b/thys/Gabow_SCC/document/root.bib
@@ -1,2121 +1,2121 @@ @STRING{cav = {CAV} } @STRING{flops = {FLOPS} } @STRING{fsttcs = {FSTTCS} } @STRING{itp = {ITP} } @STRING{lncs = {LNCS} } @STRING{lncs = {LNCS} } @STRING{springer= {Springer} } @STRING{springer= {Springer} } @STRING{tacas = {TACAS} } @STRING{tphols = {TPHOLs} } @InProceedings{La14_ITP, author = {Peter Lammich}, booktitle = {Proc. of ITP}, title = {Verified Efficient Implementation of {Gabow's} Strongly Connected Component Algorithm}, year = 2014, note = "to appear" } @article{Loch13_words, author = {Andreas Lochbihler}, title = {Native Word}, journal = {Archive of Formal Proofs}, month = sep, year = 2013, note = {\url{http://isa-afp.org/entries/Native_Word.shtml}, Formal proof development}, ISSN = {2150-914x}, } @Book{MTHM97, author = {Robin Milner and Mads Tofte and Robert Harper and D. MacQueen}, title = "The Definition of Standard ML (Revised)", publisher = "MIT Press", year = "1997", isbn = "0262631814" } @misc{La14_Gabow_Thys, author = "Peter Lammich", title = "Formalization of Gabow's Algorithm", note = "Isabelle Theories", url="http://www21.in.tum.de/~lammich/isabelle/gabow" } @misc{PolyML, author = "Matthews, David", title = "{P}oly/{ML}", url="http://www.polyml.org" } @Book{ abrial96, author = "Jean-Raymond Abrial", title = "The B-Book: Assigning Programs to Meanings", publisher = "Cambridge University Press", year = 1996 } ###Book{ abrial96, author = "Jean-Raymond Abrial", title = "The B-Book: Assigning Programs to Meanings", publisher = "Cambridge University Press", year = 1996 } @Article{ amr07, author = {Almeida, Marco and Moreira, Nelma and Reis, Rog\'{e}rio}, title = {Enumeration and generation with a string automata representation}, journal = {Theor. Comput. 
Sci.}, volume = {387}, issue = {2}, month = {November}, year = {2007}, issn = {0304-3975}, pages = {93--102}, numpages = {10}, url = {http://dl.acm.org/citation.cfm?id=1297415.1297473}, acmid = {1297473}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {Exact enumeration, Finite automata, Initially-connected deterministic finite automata, Minimal automata, Random generation} } ###Article{ amr07, author = {Almeida, Marco and Moreira, Nelma and Reis, Rog\'{e}rio}, title = {Enumeration and generation with a string automata representation}, journal = {Theor. Comput. Sci.}, volume = {387}, issue = {2}, month = {November}, year = {2007}, issn = {0304-3975}, pages = {93--102}, numpages = {10}, url = {http://dl.acm.org/citation.cfm?id=1297415.1297473}, doi = {10.1016/j.tcs.2007.07.029}, acmid = {1297473}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {Exact enumeration, Finite automata, Initially-connected deterministic finite automata, Minimal automata, Random generation} } @InProceedings{ bac06, author = {Baclet, Manuel and Pagetti, Claire}, booktitle = {Proc. of CIAA 2006}, journal = {Implementation and Application of Automata}, pages = {114--125}, title = {Around {H}opcroft's Algorithm}, volume = {LNCS 4094}, year = 2006 } ###InProceedings{ bac06, author = {Baclet, Manuel and Pagetti, Claire}, booktitle = {Proc. 
of CIAA 2006}, journal = {Implementation and Application of Automata}, pages = {114--125}, title = {{Around Hopcroft's Algorithm}}, volume = {LNCS 4094}, year = 2006 } @PhDThesis{ back78, author = {Ralph-Johan Back}, title = {On the correctness of refinement steps in program development}, school = {Department of Computer Science, University of Helsinki}, year = {1978} } ###PhDThesis{ back78, author = {Ralph-Johan Back}, title = {On the correctness of refinement steps in program development}, school = {Department of Computer Science, University of Helsinki}, year = {1978} } @Book{ baierkatoen:2008:modelchecking, title = {Principles of Model Checking}, publisher = {MIT Press}, year = {2008}, author = {Christel Baier and Joost-Pieter Katoen} } ###Book{ baierkatoen:2008:modelchecking, title = {Principles of Model Checking}, publisher = {MIT Press}, year = {2008}, author = {Christel Baier and Joost-Pieter Katoen} } @InProceedings{ ballarin:2006:mkm, author = "Clemens Ballarin", title = "Interpretation of Locales in {Isabelle}: Theories and Proof Contexts", editor = "J. M. Borwein and W. M. Farmer", booktitle = "MKM 2006", series = "LNAI", volume = "4108", pages = "31--43", year = 2006, publisher = springer } ###InProceedings{ ballarin:2006:mkm, author = "Clemens Ballarin", title = "Interpretation of Locales in {Isabelle}: Theories and Proof Contexts", editor = "J. M. Borwein and W. M. Farmer", booktitle = "MKM 2006", series = "LNAI", volume = "4108", pages = "31--43", year = 2006, publisher = springer } @Article{ bawr00, title = {Encoding, Decoding and Data Refinement}, author = {Back, Ralph-Johan and von Wright, Joakim}, journal = {Formal Aspects of Computing}, volume = {12}, pages = {313--349}, year = {2000} } ###Article{ bawr00, title = {Encoding, Decoding and Data Refinement}, author = {Back, Ralph-Johan and von Wright, Joakim}, journal = {Formal Aspects of Computing}, volume = {12}, pages = {313--349}, year = {2000} } @Article{ bawr90, author = {R. J. R. 
Back and J. von Wright}, title = {Refinement Concepts Formalized in Higher Order Logic}, journal = {Formal Aspects of Computing}, year = {1990}, volume = {2} } ###Article{ bawr90, author = {R. J. R. Back and J. von Wright}, title = {Refinement Concepts Formalized in Higher Order Logic}, journal = {Formal Aspects of Computing}, year = {1990}, volume = {2} } @Book{ bawr98, author = {Ralph-Johan Back and Joakim von Wright}, title = {Refinement Calculus --- A Systematic Introduction}, publisher = springer, year = {1998} } ###Book{ bawr98, author = {Ralph-Johan Back and Joakim von Wright}, title = {Refinement Calculus --- A Systematic Introduction}, publisher = springer, year = {1998} } @InProceedings{ bbmv91, author = {Roland C. Backhouse and Peter de Bruin and Grant Malcolm and Ed Voermans and Jaap van der Woude}, title = {Relational catamorphisms}, booktitle = {Proc. of the IFIP TC2/WG2.1 Working Conference on Constructing Programs}, publisher = {Elsevier Science Publishers BV}, year = {1991} } @InProceedings{ bere09, author = {Berghofer, Stefan and Reiter, Markus}, title = {Formalizing the Logic-Automaton Connection}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {147--163}, location = {Munich, Germany}, publisher = springer, address = {Berlin, Heidelberg} } ###InProceedings{ bere09, author = {Berghofer, Stefan and Reiter, Markus}, title = {Formalizing the Logic-Automaton Connection}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {147--163}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_12}, publisher = springer, address = {Berlin, Heidelberg} } @InCollection{ bere09_afp, author = {Stefan Berghofer and Markus Reiter}, title = {Formalizing the Logic-Automaton Connection }, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/Presburger-Automata.shtml}} , month = dec, year = 2009, 
note = {Formal proof development}, issn = {2150-914x} } ###InCollection{ bere09_afp, author = {Stefan Berghofer and Markus Reiter}, title = {Formalizing the Logic-Automaton Connection }, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/Presburger-Automata.shtml}} , month = dec, year = 2009, note = {Formal proof development}, issn = {2150-914x} } @InCollection{ bjjm99, year = {1999}, booktitle = {Advanced Functional Programming}, volume = {1608}, series = lncs, title = {Generic Programming}, publisher = springer, author = {Backhouse, Roland and Jansson, Patrik and Jeuring, Johan and Meertens, Lambert}, pages = {28-115} } @InProceedings{ bkhem08, author = {Bulwahn, Lukas and Krauss, Alexander and Haftmann, Florian and Erk\"{o}k, Levent and Matthews, John}, title = {Imperative Functional Programming with {Isabelle/HOL}}, booktitle = {TPHOLs '08}, year = {2008}, isbn = {978-3-540-71065-3}, location = {Montreal, P.Q., Canada}, pages = {134--149}, numpages = {16}, url = {http://portal.acm.org/citation.cfm?id=1459784.1459801}, acmid = {1459801}, publisher = springer, series = lncs, volume = {5170}, address = {Berlin, Heidelberg} } ###InProceedings{ bkhem08, author = {Bulwahn, Lukas and Krauss, Alexander and Haftmann, Florian and Erk\"{o}k, Levent and Matthews, John}, title = {Imperative Functional Programming with {Isabelle/HOL}}, booktitle = {TPHOLs '08}, year = {2008}, isbn = {978-3-540-71065-3}, location = {Montreal, P.Q., Canada}, pages = {134--149}, numpages = {16}, url = {http://portal.acm.org/citation.cfm?id=1459784.1459801}, doi = {10.1007/978-3-540-71067-7_14}, acmid = {1459801}, publisher = springer, series = lncs, volume = {5170}, address = {Berlin, Heidelberg} } @Article{ blum96, title = {An {O}(n log n) implementation of the standard method for minimizing n-state finite automata}, volume = {6}, number = {2}, journal = {Information Processing Letters}, author = 
{Blum, Norbert}, year = {1996}, pages = {65--69} } ###Article{ blum96, title = {An {O}(n log n) implementation of the standard method for minimizing n-state finite automata}, volume = {6}, number = {2}, journal = {Information Processing Letters}, author = {Blum, Norbert}, year = {1996}, pages = {65--69} } @InProceedings{ bra09, author = {Thomas Braibant and Damien Pous}, title = {A tactic for deciding {K}leene algebras}, booktitle = {First Coq Workshop}, year = {2009} } ###InProceedings{ bra09, author = {Thomas Braibant and Damien Pous}, title = {A tactic for deciding Kleene algebras}, booktitle = {First Coq Workshop}, year = {2009} } @InCollection{ brz62, author = {J. A. Brzozowski}, title = {Canonical regular expressions and minimal state graphs for definite events}, booktitle = {Mathematical theory of Automata}, note = {Volume 12 of MRI Symposia Series}, pages = {529--561}, publisher = {Polytechnic Press, Polytechnic Institute of Brooklyn, N.Y.}, year = {1962} } ###InCollection{ brz62, author = {J. A. Brzozowski}, title = {Canonical regular expressions and minimal state graphs for definite events}, booktitle = {Mathematical theory of Automata}, note = {Volume 12 of MRI Symposia Series}, pages = {529--561}, publisher = {Polytechnic Press, Polytechnic Institute of Brooklyn, N.Y.}, year = {1962} } @InProceedings{ bu62, author = {Buechi, Julius R.}, booktitle = {International Congress on Logic, Methodology, and Philosophy of Science}, citeulike-article-id={2948751}, keywords = {automata\_theory}, pages = {1--11}, posted-at = {2008-07-01 16:58:48}, priority = {0}, publisher = {Stanford University Press}, title = {{On a Decision Method in Restricted Second-Order Arithmetic}}, year = {1962} } @InProceedings{ bul12, author = {Lukas Bulwahn}, title = {The New Quickcheck in {I}sabelle: Random, Exhaustive and Symbolic Testing Under One Roof}, booktitle = {Proc. 
of CPP}, year = {2012}, publisher = springer, volume = {7679}, pages = {92--108}, series = lncs } @TechReport{ c++stl, author = {Alexander Stepanov and Meng Lee}, title = {The Standard Template Library}, institution = {HP Laboratories}, year = {1995}, month = {November}, number = {95-11(R.1)} } ###TechReport{ c++stl, author = {Alexander Stepanov and Meng Lee}, title = {The Standard Template Library}, institution = {HP Laboratories}, year = {1995}, month = {November}, number = {95-11(R.1)} } @InProceedings{ cdp05, author = {Couvreur, Jean-Michel and Duret-Lutz, Alexandre and Poitrenaud, Denis}, title = {On-the-fly Emptiness Checks for Generalized B{\"u}chi Automata}, booktitle = {Proc. of SPIN}, year = {2005}, pages = {169--184}, numpages = {16}, publisher = {Springer}, } @Article{ chme96, year = {1996}, journal = {Algorithmica}, volume = {15}, number = {6}, title = {Algorithms for dense graphs and networks on the random access computer}, publisher = {Springer-Verlag}, author = {Cheriyan, J. 
and Mehlhorn, K.}, pages = {521-549}, language = {English} } @Article{ choysingh:1994:leaderfilters, author = {Choy, Manhoi and Singh, Ambuj K.}, title = {Adaptive solutions to the mutual exclusion problem}, journal = {Distributed Computing}, year = {1994}, volume = {8}, pages = {1--17}, number = {1}, issn = {0178-2770}, keywords = {Adaptive algorithms; Leader election; Mutual exclusion; Synchronization}, language = {English}, publisher = springer } ###Article{ choysingh:1994:leaderfilters, author = {Choy, Manhoi and Singh, Ambuj K.}, title = {Adaptive solutions to the mutual exclusion problem}, journal = {Distributed Computing}, year = {1994}, volume = {8}, pages = {1--17}, number = {1}, issn = {0178-2770}, keywords = {Adaptive algorithms; Leader election; Mutual exclusion; Synchronization}, language = {English}, publisher = springer } @InProceedings{ cks08, author = {David Cock and Gerwin Klein and Thomas Sewell}, title = {Secure Microkernels, State Monads and Scalable Refinement}, booktitle = {Proc. of TPHOLs}, year = {2008}, series = lncs, publisher = springer, pages = {167--182}, volume = {5170} } ###InProceedings{ cks08, author = {David Cock and Gerwin Klein and Thomas Sewell}, title = {Secure Microkernels, State Monads and Scalable Refinement}, booktitle = {Proc. of TPHOLs}, year = {2008}, series = lncs, publisher = springer, pages = {167--182}, volume = {5170} } @Misc{ con97, author = {Robert L. Constable and Paul B. Jackson and Pavel Naumov and Juan Uribe}, title = {Formalizing Automata Theory {I}: Finite Automata}, year = {1997} } ###Misc{ con97, author = {Robert L. Constable and Paul B. 
Jackson and Pavel Naumov and Juan Uribe}, title = {Formalizing Automata Theory I: Finite Automata}, year = {1997} } @Misc{ coq:std:lib, key = "Coq", title = "The {Coq} Standard Library", url = "http://coq.inria.fr/stdlib/index.html" } ###Misc{ coq:std:lib, key = "Coq", title = "The {Coq} Standard Library", url = "http://coq.inria.fr/stdlib/index.html" } @Article{ CVWY92, author = {Courcoubetis, C. and Vardi, M. and Wolper, P. and Yannakakis, M.}, title = {Memory-efficient algorithms for the verification of temporal properties}, journal = {Formal Methods in System Design}, year = {1992}, volume = {1}, pages = {275--288}, number = {2/3}, abstract = {This article addresses the problem of designing memory-efficient algorithms for the verification of temporal properties of finite-state programs. Both the programs and their desired temporal properties are modeled as automata on infinite words (B{\"u}chi automata). Verification is then reduced to checking the emptiness of the automaton resulting from the product of the program and the property. This problem is usually solved by computing the strongly connected components of the graph representing the product automaton. Here, we present algorithms that solve the emptiness problem without explicitly constructing the strongly connected components of the product graph. By allowing the algorithms to err with some probability, we can implement them with a randomly accessed memory of size O(n) bits, where n is the number of states of the graph, instead of O(n log n) bits that the presently known algorithms require.}, issn = {0925-9856}, issue = {2}, publisher = springer } ###Article{ courcoubetisvardietal:1992:nesteddfs, author = {Courcoubetis, C. and Vardi, M. and Wolper, P. 
and Yannakakis, M.}, title = {Memory-efficient algorithms for the verification of temporal properties}, journal = {Formal Methods in System Design}, year = {1992}, volume = {1}, pages = {275--288}, number = {2/3}, abstract = {This article addresses the problem of designing memory-efficient algorithms for the verification of temporal properties of finite-state programs. Both the programs and their desired temporal properties are modeled as automata on infinite words (B{\"u}chi automata). Verification is then reduced to checking the emptiness of the automaton resulting from the product of the program and the property. This problem is usually solved by computing the strongly connected components of the graph representing the product automaton. Here, we present algorithms that solve the emptiness problem without explicitly constructing the strongly connected components of the product graph. By allowing the algorithms to err with some probability, we can implement them with a randomly accessed memory of size O(n) bits, where n is the number of states of the graph, instead of O(n log n) bits that the presently known algorithms require.}, issn = {0925-9856}, issue = {2}, publisher = springer } @Proceedings{ dblp:conf/cav/2001, editor = {G{\'e}rard Berry and Hubert Comon and Alain Finkel}, title = {Computer Aided Verification, 13th International Conference, CAV 2001, Paris, France, July 18-22, 2001, Proceedings}, booktitle = cav, publisher = springer, series = lncs, volume = {2102}, year = {2001}, isbn = {3-540-42345-1}, bibsource = {DBLP, http://dblp.uni-trier.de} } @Proceedings{ dblp:conf/fsttcs/2001, editor = {Ramesh Hariharan and Madhavan Mukund and V. 
Vinay}, title = {FST TCS 2001: Foundations of Software Technology and Theoretical Computer Science, 21st Conference, Bangalore, India, December 13-15, 2001, Proceedings}, booktitle = fsttcs, publisher = springer, series = lncs, volume = {2245}, year = {2001}, isbn = {3-540-43002-4}, bibsource = {DBLP, http://dblp.uni-trier.de} } @Proceedings{ dblp:conf/tacas/1996, editor = {Tiziana Margaria and Bernhard Steffen}, title = {Tools and Algorithms for Construction and Analysis of Systems}, booktitle = {TACAS}, publisher = springer, series = lncs, volume = {1055}, year = {1996}, isbn = {3-540-61042-1}, bibsource = {DBLP, http://dblp.uni-trier.de} } ###Proceedings{ dblp:conf/tacas/1996, editor = {Tiziana Margaria and Bernhard Steffen}, title = {Tools and Algorithms for Construction and Analysis of Systems, Second International Workshop, TACAS '96, Passau, Germany, March 27-29, 1996, Proceedings}, booktitle = {TACAS}, publisher = springer, series = lncs, volume = {1055}, year = {1996}, isbn = {3-540-61042-1}, bibsource = {DBLP, http://dblp.uni-trier.de} } @InProceedings{ dblp:conf/tacas/choup96, author = {Ching-Tsun Chou and Doron Peled}, title = {Formal Verification of a Partial-Order Reduction Technique for Model Checking}, booktitle = {Tools and Algorithms for the Construction and Analysis of Systems (TACAS)}, year = {1996}, pages = {241--257}, crossref = {DBLP:conf/tacas/1996}, bibsource = {DBLP, http://dblp.uni-trier.de} } ###InProceedings{ dblp:conf/tacas/choup96, author = {Ching-Tsun Chou and Doron Peled}, title = {Formal Verification of a Partial-Order Reduction Technique for Model Checking}, booktitle = {Tools and Algorithms for the Construction and Analysis of Systems (TACAS)}, year = {1996}, pages = {241--257}, ee = {https://doi.org/10.1007/3-540-61042-1_48}, crossref = {DBLP:conf/tacas/1996}, bibsource = {DBLP, http://dblp.uni-trier.de} } @Proceedings{ dblp:conf/wia/2009, editor = {Sebastian Maneth}, title = {Implementation and Application of Automata}, 
booktitle = {CIAA}, publisher = springer, series = lncs, volume = {5642}, year = {2009}, isbn = {978-3-642-02978-3}, ee = {https://doi.org/10.1007/978-3-642-02979-0}, bibsource = {DBLP, http://dblp.uni-trier.de} } ###Proceedings{ dblp:conf/wia/2009, editor = {Sebastian Maneth}, title = {Implementation and Application of Automata, 14th International Conference, CIAA 2009, Sydney, Australia, July 14-17, 2009. Proceedings}, booktitle = {CIAA}, publisher = springer, series = lncs, volume = {5642}, year = {2009}, isbn = {978-3-642-02978-3}, ee = {https://doi.org/10.1007/978-3-642-02979-0}, bibsource = {DBLP, http://dblp.uni-trier.de} } @Book{ dijk76, author = "E. W. Dijkstra", title = "A Discipline of Programming", publisher = "Prentice Hall", year = "1976", note = "Ch. 25" } @InProceedings{ dipe09, author = {de Dios, Javier and Pe{\~n}a, Ricardo}, title = {Formal Certification of a Resource-Aware Language Implementation}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {196--211}, location = {Munich, Germany}, publisher = springer, address = {Berlin, Heidelberg} } ###InProceedings{ dipe09, author = {de Dios, Javier and Pe{\~n}a, Ricardo}, title = {Formal Certification of a Resource-Aware Language Implementation}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {196--211}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_15}, publisher = springer, address = {Berlin, Heidelberg} } @MastersThesis{ eberl12, title = {Efficient and Verified Computation of Simulation Relations on {NFA}s}, author = {Manuel Eberl}, school = {Technische Universit\"at M\"unchen}, year = {2012}, type = {Bachelor's thesis} } @TechReport{ egl75, author = {Herbert Egli}, title = {A mathematical model for nondeterministic computations}, institution = {ETH Z{\"u}rich}, year = {1975} } ###TechReport{ egl75, author = {Herbert Egli}, title = {A mathematical model for nondeterministic computations}, institution = {ETH 
Z{\"u}rich}, year = {1975} } @inproceedings{Neu12, author = {Rene Neumann}, booktitle = {Proc. of the Workshop on Automated Theory Exploration (ATX 2012)}, editor = {Annabelle McIver and Peter H\"ofner}, pages = {36--45}, publisher = {EasyChair}, title = {A Framework for Verified Depth-First Algorithms}, year = {2012} } @incollection{elnn13, year={2013}, booktitle={CAV}, volume={8044}, series={LNCS}, title={A Fully Verified Executable {LTL} Model Checker}, publisher={Springer}, author={Esparza, Javier and Lammich, Peter and Neumann, René and Nipkow, Tobias and Schimpf, Alexander and Smaus, Jan-Georg}, pages={463-478} } @InProceedings{ fado09, author = {Andr{\'e} Almeida and Marco Almeida and Jos{\'e} Alves and Nelma Moreira and Rog{\'e}rio Reis}, title = {{FAdo} and {GUItar}}, booktitle = {CIAA}, year = {2009}, pages = {65--74}, crossref = {DBLP:conf/wia/2009}, bibsource = {DBLP, http://dblp.uni-trier.de} } ###InProceedings{ fado09, author = {Andr{\'e} Almeida and Marco Almeida and Jos{\'e} Alves and Nelma Moreira and Rog{\'e}rio Reis}, title = {{FAdo} and {GUItar}}, booktitle = {CIAA}, year = {2009}, pages = {65--74}, ee = {https://doi.org/10.1007/978-3-642-02979-0_10}, crossref = {DBLP:conf/wia/2009}, bibsource = {DBLP, http://dblp.uni-trier.de} } @Article{ gabow00, title = "Path-based depth-first search for strong and biconnected components ", journal = "Information Processing Letters ", volume = "74", number = "3–4", pages = "107 - 114", year = "2000", author = "Harold N. Gabow" } @InProceedings{ gerpelvarwol95, author = {Rob Gerth and Doron Peled and Moshe Y. 
Vardi and Pierre Wolper}, title = {Simple on-the-fly automatic verification of linear temporal logic}, editor = {Piotr Dembinski and Marek Sredniawa}, booktitle = {Proc.\ Int.\ Symp.\ Protocol Specification, Testing, and Verification}, pages = {3--18}, year = 1996, publisher = {Chapman \& Hall}, series = {IFIP Conference Proceedings}, volume = {38} } ###InProceedings{ gerpelvarwol95, author = {Rob Gerth and Doron Peled and Moshe Y. Vardi and Pierre Wolper}, title = {Simple on-the-fly automatic verification of linear temporal logic}, editor = {Piotr Dembinski and Marek Sredniawa}, booktitle = {Proc.\ Int.\ Symp.\ Protocol Specification, Testing, and Verification}, pages = {3--18}, year = 1996, publisher = {Chapman \& Hall}, series = {IFIP Conference Proceedings}, volume = {38} } @Article{ geva05, author = {Geldenhuys, Jaco and Valmari, Antti}, title = {More Efficient On-the-fly {LTL} Verification with {T}arjan's Algorithm}, journal = {Theor. Comput. Sci.}, volume = {345}, number = {1}, month = nov, year = {2005}, issn = {0304-3975}, pages = {60--82}, publisher = {Elsevier}, } @Book{ gome93, author = {M.J.C. Gordon and T.F. Melham}, title = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic}, publisher = {Cambridge University}, key = {GoMe93}, year = 1993 } ###Book{ gome93, author = {M.J.C. Gordon and T.F. 
Melham}, title = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic}, publisher = {Cambridge University}, key = {GoMe93}, year = 1993 } @PhDThesis{ haft09, author = {Florian Haftmann}, title = {Code Generation from Specifications in Higher Order Logic}, school = {Technische Universit\"at M\"unchen}, year = {2009} } ###PhDThesis{ haft09, author = {Florian Haftmann}, title = {Code Generation from Specifications in Higher Order Logic}, school = {Technische Universit\"at M\"unchen}, year = {2009} } @InProceedings{ haft10, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {Functional and Logic Programming (FLOPS 2010)}, series = lncs, year = {2010}, publisher = springer } @Misc{ haft10b, author = {Florian Haftmann}, title = {Data Refinement (Raffinement) in {Isabelle/HOL}}, year = {2010}, note = {Available at \url{https://isabelle.in.tum.de/community/}} } ###Misc{ haft10b, author = {Florian Haftmann}, title = {Data Refinement (Raffinement) in {Isabelle/HOL}}, year = {2010}, note = {Available at \url{https://isabelle.in.tum.de/community/}} } @InProceedings{ haftmannnipkow:2010:codegeneration, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {Functional and Logic Programming (FLOPS)}, year = {2010}, editor = {Matthias Blume and Naoki Kobayashi and Germ{\'a}n Vidal}, volume = {6009}, pages = {103--117}, series = lncs, publisher = springer } ###InProceedings{ haftmannnipkow:2010:codegeneration, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = flops, year = {2010}, editor = {Matthias Blume and Naoki Kobayashi and Germ{\'a}n Vidal}, volume = {6009}, pages = {103--117}, series = lncs, publisher = springer } @InProceedings{ hani10, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle 
= {Functional and Logic Programming (FLOPS 2010)}, series = lncs, year = {2010}, publisher = springer } ###InProceedings{ hani10, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {Functional and Logic Programming (FLOPS 2010)}, series = lncs, year = {2010}, publisher = springer } @Article{ hardy:ramanujan:1917:qjm, author = "G. H. Hardy and S. Ramanujan", title = "The normal number of prime factors of a number", journal = "Quart. J. of Math.", volume = 48, pages = "76--92", year = "1917" } ###Article{ hardy:ramanujan:1917:qjm, author = "G. H. Hardy and S. Ramanujan", title = "The normal number of prime factors of a number", journal = "Quart. J. of Math.", volume = 48, pages = "76--92", year = "1917" } @Misc{ hkkn13, title = {Data Refinement in {Isabelle/HOL}}, author = {Florian Haftmann and Alexander Krauss and Ond\v{r}ej Kun\v{c}ar and Tobias Nipkow}, year = {2013}, note = {To appear in Proc. of ITP 2013} } @Article{ hoa69, author = {Hoare, C. A. R.}, title = {An axiomatic basis for computer programming}, journal = {Commun. ACM}, volume = 12, issue = 10, month = {October}, year = 1969, pages = {576--580}, numpages = 5, publisher = {ACM}, address = {New York, NY, USA} } ###Article{ hoa69, author = {Hoare, C. A. R.}, title = {An axiomatic basis for computer programming}, journal = {Commun. ACM}, volume = 12, issue = 10, month = {October}, year = 1969, pages = {576--580}, numpages = 5, publisher = {ACM}, address = {New York, NY, USA} } @Article{ hoa72, author = {Hoare, C. A. R.}, title = {Proof of correctness of data representations}, journal = {Acta Informatica}, publisher = springer, keyword = {Computer Science}, pages = {271--281}, volume = {1}, issue = {4}, year = {1972} } ###Article{ hoa72, author = {Hoare, C. A. 
R.}, title = {Proof of correctness of data representations}, journal = {Acta Informatica}, publisher = springer, issn = {0001-5903}, keyword = {Computer Science}, pages = {271--281}, volume = {1}, issue = {4}, url = {https://doi.org/10.1007/BF00289507}, note = {10.1007/BF00289507}, year = {1972} } @Book{ holzmann03, author = "Gerard J. Holzmann", title = "The Spin Model Checker --- Primer and Reference Manual", publisher = "Addison-Wesley", year = 2003 } ###Book{ holzmann03, author = "Gerard J. Holzmann", title = "The Spin Model Checker --- Primer and Reference Manual", publisher = "Addison-Wesley", year = 2003 } @InProceedings{ holzmannpeledetal:1997:nesteddfs, author = {Gerard Holzmann and Doron Peled and Mihalis Yannakakis}, title = {On Nested Depth First Search}, booktitle = {Proc. of SPIN Workshop}, year = {1997}, volume = {32}, series = {Discrete Mathematics and Theoretical Computer Science}, pages = {23--32}, publisher = {American Mathematical Society} } ###InProceedings{ holzmannpeledetal:1997:nesteddfs, author = {Gerard Holzmann and Doron Peled and Mihalis Yannakakis}, title = {On Nested Depth First Search}, booktitle = {Proc. of the 2nd SPIN Workshop}, year = {1997}, editor = {Jean-Charles Gr\'{e}goire and Gerard J. Holzmann and Doron A. Peled}, volume = {32}, series = {Discrete Mathematics and Theoretical Computer Science}, pages = {23--32}, publisher = {American Mathematical Society} } @InProceedings{ hom09, title = {The {HOL}-{O}mega Logic}, author = {Peter V. Homeier}, booktitle = {Proc. of TPHOLs}, year = {2009}, publisher = springer, volume = {5674}, pages = {244--259}, series = lncs } @InCollection{ hop71, author = {John E. Hopcroft}, title = {An $n\log n$ algorithm for minimizing the states in a finite automaton}, booktitle = {Theory of Machines and Computations}, year = {1971}, publisher = {Academic Press}, pages = {189--196} } ###InCollection{ hop71, author = {John E. 
Hopcroft}, title = {An $n\log n$ algorithm for minimizing the states in a finite automaton}, booktitle = {Theory of Machines and Computations}, year = {1971}, publisher = {Academic Press}, pages = {189--196} } @Misc{ huku12, title = {Lifting and Transfer: A Modular Design for Quotients in {Isabelle/HOL}}, author = {Brian Huffman and Ondřej Kunčar}, year = {2012}, note = {Isabelle Users Workshop 2012} } @InCollection{ iny04, year = {2004}, booktitle = {Theory Is Forever}, volume = {3113}, series = lncs, title = {On {NFA} Reductions}, publisher = springer, author = {Ilie, Lucian and Navarro, Gonzalo and Yu, Sheng}, pages = {112-124} } @Misc{ javacollfr, key = "Java Collections Framework", title = {{J}ava: The Collections Framework}, url = {http://java.sun.com/javase/6/docs/technotes/ guides/collections/} } ###Misc{ javacollfr, key = "Java Collections Framework", title = {Java: The Collections Framework}, url = {http://java.sun.com/javase/6/docs/technotes/ guides/collections/} } @Article{ kamo97, author = {Matt Kaufmann and J. Strother Moore}, title = {An Industrial Strength Theorem Prover for a Logic Based on {C}ommon {L}isp}, journal = {IEEE Transactions on Software Engineering}, year = {1997}, volume = {23}, pages = {203--213} } ###Article{ kamo97, author = {Matt Kaufmann and J. Strother Moore}, title = {An Industrial Strength Theorem Prover for a Logic Based on Common Lisp}, journal = {IEEE Transactions on Software Engineering}, year = {1997}, volume = {23}, pages = {203--213} } @InProceedings{ kleinehacdeeknstw09, author = {Gerwin Klein and Kevin Elphinstone and Gernot Heiser and June Andronick and David Cock and Philip Derrin and Dhammika Elkaduwe and Kai Engelhardt and Rafal Kolanski and Michael Norrish and Thomas Sewell and Harvey Tuch and Simon Winwood}, title = {{seL4}: formal verification of an {OS} kernel}, booktitle = {Proc.\ ACM Symp.\ Operating Systems Principles}, year = {2009}, pages = {207--220}, editor = {Jeanna Neefe Matthews and Thomas E. 
Anderson}, publisher = {ACM} } ###InProceedings{ kleinehacdeeknstw09, author = {Gerwin Klein and Kevin Elphinstone and Gernot Heiser and June Andronick and David Cock and Philip Derrin and Dhammika Elkaduwe and Kai Engelhardt and Rafal Kolanski and Michael Norrish and Thomas Sewell and Harvey Tuch and Simon Winwood}, title = {{seL4}: formal verification of an {OS} kernel}, booktitle = {Proc.\ ACM Symp.\ Operating Systems Principles}, year = {2009}, pages = {207--220}, editor = {Jeanna Neefe Matthews and Thomas E. Anderson}, publisher = {ACM} } @Article{ kleinn-toplas, author = {Gerwin Klein and Tobias Nipkow}, title = {A Machine-Checked Model for a {Java}-Like Language, Virtual Machine and Compiler}, journal = toplas, volume = {28}, number = {4}, year = {2006}, pages = {619--695} } ###Article{ kleinn-toplas, author = {Gerwin Klein and Tobias Nipkow}, title = {A Machine-Checked Model for a {Java}-Like Language, Virtual Machine and Compiler}, journal = toplas, volume = {28}, number = {4}, year = {2006}, pages = {619--695} } @InProceedings{ kr10, author = {Alexander Krauss}, title = {Recursive definitions of monadic functions}, booktitle = {Proc. of PAR}, volume = {43}, pages = {1--13}, year = {2010} } ###InProceedings{ kr10, author = {Alexander Krauss}, title = {Recursive definitions of monadic functions}, booktitle = {Proc. 
of PAR}, volume = {43}, pages = {1--13}, year = {2010} } @InCollection{ kun04, author = {Viktor Kuncak}, title = {Binary Search Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/BinarySearchTree.shtml}}, month = apr, year = 2004, note = {Formal proof development}, issn = {2150-914x} } ###InCollection{ kun04, author = {Viktor Kuncak}, title = {Binary Search Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/BinarySearchTree.shtml}}, month = apr, year = 2004, note = {Formal proof development}, issn = {2150-914x} } @InCollection{ l09_collections, author = {Peter Lammich}, title = {Collections Framework}, booktitle = {Archive of Formal Proofs}, publisher = {\url{http://isa-afp.org/entries/Collections.shtml}}, month = dec, year = 2009, note = {Formal proof development}, issn = {2150-914x} } ###InCollection{ l09_collections, author = {Peter Lammich}, title = {Collections Framework}, booktitle = {Archive of Formal Proofs}, publisher = {\url{http://isa-afp.org/entries/Collections.shtml}}, month = dec, year = 2009, note = {Formal proof development}, issn = {2150-914x} } @InCollection{ l09_tree_automata, author = {Peter Lammich}, title = {Tree Automata}, booktitle = {Archive of Formal Proofs}, publisher = {\url{http://isa-afp.org/entries/Tree-Automata.shtml}}, month = dec, year = {2009}, note = {Formal proof development}, issn = {2150-914x} } ###InCollection{ l09_tree_automata, author = {Peter Lammich}, title = {Tree Automata}, booktitle = {Archive of Formal Proofs}, publisher = {\url{http://isa-afp.org/entries/Tree-Automata.shtml}}, month = dec, year = {2009}, note = {Formal proof development}, issn = {2150-914x} } @InCollection{ la12, author = {Peter Lammich}, title = {Refinement for Monadic Programs}, booktitle = {Archive of Formal Proofs}, publisher = 
{\url{http://isa-afp.org/entries/Refine\_Monadic.shtml}}, year = {2012}, note = {Formal proof development} } ###InCollection{ la12, author = {Peter Lammich}, title = {Refinement for Monadic Programs}, booktitle = {Archive of Formal Proofs}, publisher = {\url{http://isa-afp.org/entries/Refine\_Monadic.shtml}}, year = {2012}, note = {Formal proof development} } @InCollection{ la13, year = {2013}, booktitle = {Interactive Theorem Proving}, volume = {7998}, series = {LNCS}, title = {Automatic Data Refinement}, publisher = {Springer Berlin Heidelberg}, author = {Lammich, Peter}, pages = {84-99} } @InProceedings{ latu12, author = {Peter Lammich and Thomas Tuerk}, title = {Applying Data Refinement for Monadic Programs to {H}opcroft's Algorithm}, booktitle = {Proc. of ITP}, year = {2012}, publisher = springer, volume = {7406}, pages = {166--182}, series = lncs } ###InProceedings{ latu12, author = {Peter Lammich and Thomas Tuerk}, title = {Applying Data Refinement for Monadic Programs to {H}opcroft's Algorithm}, booktitle = itp, year = {2012}, publisher = springer, volume = {7406}, pages = {166--182}, series = lncs, editor = {Beringer, Lennart and Felty, Amy} } @InProceedings{ lb11, title = {Animating the Formalised Semantics of a {J}ava-like Language}, booktitle = {Proc. of ITP}, year = {2011}, publisher = springer, volume = {6898}, pages = {216--232}, author = {Andreas Lochbihler and Lukas Bulwahn}, series = lncs } ###InProceedings{ lb11, title = {Animating the Formalised Semantics of a Java-like Language}, booktitle = {Interactive Theorem Proving (ITP)}, year = {2011}, publisher = springer, volume = {6898}, pages = {216--232}, author = {Andreas Lochbihler and Lukas Bulwahn}, series = lncs } @Article{ leroy-jar09, author = {Xavier Leroy}, title = {A Formally Verified Compiler Back-end}, journal = {J. 
Automated Reasoning}, year = 2009, volume = 43, pages = {363--446} } ###Article{ leroy-jar09, author = {Xavier Leroy}, title = {A Formally Verified Compiler Back-end}, journal = {J. Automated Reasoning}, year = 2009, volume = 43, pages = {363--446} } @Misc{ lethal, key = "Lethal", title = "{LETHAL} Tree and Hedge Automata Library", url = "http://lethal.sourceforge.net/" } ###Misc{ lethal, key = "Lethal", title = "{LETHAL} Tree and Hedge Automata Library", url = "http://lethal.sourceforge.net/" } @InProceedings{ ll10, author = {P. Lammich and A. Lochbihler}, title = {The {Isabelle} {Collections} {Framework}}, booktitle = {Proc. of ITP}, series = lncs, publisher = springer, pages = {339--354}, volume = {6172}, year = {2010} } ###InProceedings{ ll10, author = {P. Lammich and A. Lochbihler}, title = {The {Isabelle} {Collections} {Framework}}, booktitle = itp, series = lncs, publisher = springer, pages = {339--354}, volume = {6172}, year = {2010}, editor = {Kaufmann, Matt and Paulson, Lawrence C.} } @Book{ lncs2283, author = {Tobias Nipkow and Lawrence Paulson and Markus Wenzel}, title = {{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher = springer, series = lncs, volume = 2283, year = 2002 } ###Book{ lncs2283, author = {Tobias Nipkow and Lawrence Paulson and Markus Wenzel}, title = "Isabelle/HOL --- A Proof Assistant for Higher-Order Logic", publisher = springer, series = lncs, volume = 2283, year = 2002 } @InProceedings{ lrw95, author = {Thomas Langbacka and Rimvydas Ruksenas and Joakim von Wright}, title = {{TkWinHOL}: A Tool for Doing Window Inference in {HOL}}, booktitle = {Proc. of International Workshop on Higher Order Logic Theorem Proving and its Applications}, year = {1995}, pages = {245--260}, publisher = springer } ###InProceedings{ lrw95, author = {Thomas Langbacka and Rimvydas Ruksenas and Joakim von Wright}, title = {TkWinHOL: A Tool for Doing Window Inference in HOL}, booktitle = {Proc. 
of International Workshop on Higher Order Logic Theorem Proving and its Applications}, year = {1995}, pages = {245--260}, publisher = springer } @InProceedings{ malechamsw-popl10, author = {G. Malecha and G. Morrisett and A. Shinnar and R. Wisnesky}, title = {Toward a verified relational database management system}, booktitle = {Principles of Programming Languages (POPL'10)}, pages = {237--248}, year = 2010, publisher = {ACM} } ###InProceedings{ malechamsw-popl10, author = {G. Malecha and G. Morrisett and A. Shinnar and R. Wisnesky}, title = {Toward a verified relational database management system}, booktitle = {Principles of Programming Languages (POPL'10)}, pages = {237--248}, year = 2010, publisher = {ACM} } @Book{ mmo97, author = {Markus M{\"u}ller-Olm}, title = {Modular Compiler Verification {---} A Refinement-Algebraic Approach Advocating Stepwise Abstraction}, publisher = springer, year = {1997}, series = lncs, volume = {1283} } ###Book{ mmo97, author = {Markus M{\"u}ller-Olm}, title = {Modular Compiler Verification {---} A Refinement-Algebraic Approach Advocating Stepwise Abstraction}, publisher = springer, year = {1997}, series = lncs, volume = {1283} } @Article{ morr87, title = {A theoretical basis for stepwise refinement and the programming calculus}, author = {Joseph M. Morris}, journal = {Science of Computer Programming}, volume = {9}, number = {3}, pages = {287--306}, year = {1987} } ###Article{ morr87, title = {A theoretical basis for stepwise refinement and the programming calculus}, author = {Joseph M. Morris}, journal = {Science of Computer Programming}, volume = {9}, number = {3}, pages = {287--306}, year = {1987} } @InCollection{ mss86, author = {Melton, A. and Schmidt, D. and Strecker, G.}, title = {{G}alois connections and computer science applications}, booktitle = {Category Theory and Computer Programming}, series = lncs, publisher = springer, pages = {299--312}, volume = {240}, year = {1986} } ###InCollection{ mss86, author = {Melton, A. 
and Schmidt, D. and Strecker, G.}, title = {Galois connections and computer science applications}, booktitle = {Category Theory and Computer Programming}, series = lncs, publisher = springer, pages = {299--312}, volume = {240}, year = {1986} } @Article{ munro71, title = "Efficient determination of the transitive closure of a directed graph ", journal = "Information Processing Letters ", volume = "1", number = "2", pages = "56 - 58", year = "1971", note = "", issn = "0020-0190", author = "Ian Munro" } @InProceedings{ must89, author = {David R. Musser and Alexander A. Stepanov}, title = {Generic Programming}, booktitle = {Proc. of ISSAC}, year = {1989}, publisher = springer, volume = {358}, pages = {13--25}, series = lncs } @InProceedings{ myow12, author = {Myreen, Magnus O. and Owens, Scott}, title = {Proof-producing synthesis of {ML} from higher-order logic}, booktitle = {Proceedings of the 17th ACM SIGPLAN international conference on Functional programming}, series = {ICFP '12}, year = {2012}, pages = {115--126}, publisher = {ACM} } @InProceedings{ namjoshi01, author = {Kedar S. 
Namjoshi}, title = {Certifying Model Checkers}, booktitle = cav, year = {2001}, pages = {2--13}, ee = {https://doi.org/10.1007/3-540-44585-4_2}, crossref = {DBLP:conf/cav/2001}, bibsource = {DBLP, http://dblp.uni-trier.de} } @InCollection{ nipu04, author = {Tobias Nipkow and Cornelia Pusch}, title = {{AVL} Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/AVL-Trees.shtml}}, month = mar, year = 2004, note = {Formal proof development}, issn = {2150-914x} } ###InCollection{ nipu04, author = {Tobias Nipkow and Cornelia Pusch}, title = {{AVL} Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/AVL-Trees.shtml}}, month = mar, year = 2004, note = {Formal proof development}, issn = {2150-914x} } @Misc{ nola12, author = {Benedikt Nordhoff and Peter Lammich}, title = {Formalization of {D}ijkstra's Algorithm}, booktitle = {Archive of Formal Proofs}, publisher = {\url{http://isa-afp.org/entries/DiskPaxos.shtml}}, year = {2012}, note = {Formal proof development} } ###Misc{ nola12, author = {Benedikt Nordhoff and Peter Lammich}, title = {Formalization of {D}ijkstra's Algorithm}, booktitle = {Archive of Formal Proofs}, publisher = {\url{http://isa-afp.org/entries/DiskPaxos.shtml}}, year = {2012}, note = {Formal proof development} } @Book{ npw02, author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, title = {{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher = springer, series = lncs, volume = 2283, year = 2002 } ###Book{ npw02, author = {Tobias Nipkow and Lawrence C. 
Paulson and Markus Wenzel}, title = {Isabelle/HOL --- A Proof Assistant for Higher-Order Logic}, publisher = springer, series = lncs, volume = 2283, year = 2002 } @InCollection{ old84, author = {Olderog, Ernst-R{\"u}diger},
- title = {Hoare's logic for programs with procedures — What has
+ title = {Hoare's logic for programs with procedures --- What has
 been achieved?}, booktitle = {Logics of Programs}, series = lncs, publisher = springer, pages = {383-395}, volume = {164}, year = {1984} } ###InCollection{ old84, author = {Olderog, Ernst-R{\"u}diger},
- title = {Hoare's logic for programs with procedures — What has
+ title = {Hoare's logic for programs with procedures --- What has
 been achieved?}, booktitle = {Logics of Programs}, series = lncs, publisher = springer, pages = {383-395}, volume = {164}, year = {1984} } @InProceedings{ peledpz01, author = {Doron Peled and Amir Pnueli and Lenore D. Zuck}, title = {From Falsification to Verification}, booktitle = fsttcs, year = {2001}, pages = {292--304}, ee = {https://doi.org/10.1007/3-540-45294-X_25}, crossref = {DBLP:conf/fsttcs/2001}, bibsource = {DBLP, http://dblp.uni-trier.de} } @InProceedings{ peyton:jones:1996:fpw, author = "Peyton Jones, Simon", title = "Bulk types with class", booktitle = "FPW '96", year = 1996 } ###InProceedings{ peyton:jones:1996:fpw, author = "Peyton Jones, Simon", title = "Bulk types with class", booktitle = "FPW '96", year = 1996 } @Article{ plo76, author = {G. D. Plotkin}, title = {A Powerdomain Construction}, journal = {SIAM J. Comput.}, volume = {5}, issue = {3}, pages = {452--487}, year = {1976} } ###Article{ plo76, author = {G. D. Plotkin}, title = {A Powerdomain Construction}, journal = {SIAM J. 
Comput.}, volume = {5}, issue = {3}, pages = {452--487}, year = {1976} } @PhDThesis{ preo06, author = {Viorel Preoteasa}, title = {Program Variables --- The Core of Mechanical Reasoning about Imperative Programs}, school = {Turku Centre for Computer Science}, year = {2006} } ###PhDThesis{ preo06, author = {Viorel Preoteasa}, title = {Program Variables --- The Core of Mechanical Reasoning about Imperative Programs}, school = {Turku Centre for Computer Science}, year = {2006} } @Article{ purdom70, year = {1970}, issn = {0006-3835}, journal = {BIT Numerical Mathematics}, volume = {10}, number = {1}, title = {A transitive closure algorithm}, publisher = {Kluwer Academic Publishers}, author = {Purdom, Paul, Jr.}, pages = {76-94} } @InCollection{ rdkp13, year = {2013}, booktitle = {Logic for Programming, Artificial Intelligence, and Reasoning}, volume = {8312}, series = {LNCS}, title = {Three {SCC}-Based Emptiness Checks for Generalized {B}{\"u}chi Automata}, publisher = {Springer}, author = {Renault, Etienne and Duret-Lutz, Alexandre and Kordon, Fabrice and Poitrenaud, Denis}, pages = {668-682} } @InProceedings{ rey02, author = {John C. Reynolds}, title = {Separation Logic: A Logic for Shared Mutable Data Structures}, booktitle = {Proc of. Logic in Computer Science (LICS)}, year = {2002}, pages = {55--74}, publisher = {IEEE} } ###InProceedings{ rey02, author = {John C. Reynolds}, title = {Separation Logic: A Logic for Shared Mutable Data Structures}, booktitle = {Proc of. Logic in Computer Science (LICS)}, year = {2002}, pages = {55--74}, publisher = {IEEE} } @InProceedings{ rey83, author = {John C. 
Reynolds}, title = {Types, Abstraction and Parametric Polymorphism}, booktitle = {IFIP Congress}, year = {1983}, pages = {513-523} } @Book{ roen98, author = {Willem-Paul de Roever and Kai Engelhardt}, title = {Data Refinement: Model-Oriented Proof Methods and their Comparison}, publisher = {Cambridge University Press}, year = {1998} } ###Book{ roen98, author = {Willem-Paul de Roever and Kai Engelhardt}, title = {Data Refinement: Model-Oriented Proof Methods and their Comparison}, publisher = {Cambridge University Press}, year = {1998} } @TechReport{ ruwr97, author = {Rimvydas Ruksenas and Joakim von Wright}, title = {A Tool for Data Refinement}, year = {1997}, institution = {Turku Centre for Computer Science}, number = {TUCS Technical Report No 119} } ###TechReport{ ruwr97, author = {Rimvydas Ruksenas and Joakim von Wright}, title = {A Tool for Data Refinement}, year = {1997}, institution = {Turku Centre for Computer Science}, number = {TUCS Technical Report No 119} } @PhDThesis{ schi06, author = {Norbert Schirmer}, title = {Verification of Sequential Imperative Programs in {I}sabelle/{HOL}}, school = {Technische Universit\"at M\"unchen}, year = {2006} } ###PhDThesis{ schi06, author = {Norbert Schirmer}, title = {Verification of Sequential Imperative Programs in {I}sabelle/{HOL}}, school = {Technische Universit\"at M\"unchen}, year = {2006} } @InProceedings{ schm98, author = {Martin Schwenke and Brendan Mahony}, title = {The Essence of Expression Refinement}, booktitle = {Proc. of International Refinement Workshop and Formal Methods}, year = {1998}, pages = {324--333} } ###InProceedings{ schm98, author = {Martin Schwenke and Brendan Mahony}, title = {The Essence of Expression Refinement}, booktitle = {Proc. of International Refinement Workshop and Formal Methods}, year = {1998}, pages = {324--333} } @InProceedings{ schmersma09, author = {Alexander Schimpf and Stephan Merz and Jan-Georg Smaus}, editor = {S. Berghofer and T. Nipkow and C. Urban and M. 
Wenzel}, title = {Construction of {B}{\"u}chi Automata for {LTL} Model Checking Verified in {I}sabelle/{HOL}}, booktitle = {Theorem Proving in Higher Order Logics, TPHOLs 2009}, year = 2009, pages = {424--439}, series = lncs, volume = {5674}, publisher = springer } ###InProceedings{ schmersma09, author = {Alexander Schimpf and Stephan Merz and Jan-Georg Smaus}, editor = {S. Berghofer and T. Nipkow and C. Urban and M. Wenzel}, title = {Construction of {B}{\"u}chi Automata for {LTL} Model Checking Verified in {I}sabelle/{HOL}}, booktitle = tphols, year = 2009, pages = {424--439}, series = lncs, volume = {5674}, publisher = springer } @InProceedings{ schwoonesparza:2005:emptinesscomparison, author = {Stefan Schwoon and Javier Esparza}, title = {A Note on On-The-Fly Verification Algorithms}, booktitle = {Tools and Algorithms for the Construction and Analysis of Systems (TACAS)}, year = {2005}, editor = {Nicolas Halbwachs and Lenore Zuck}, volume = {3440}, series = lncs, pages = {174--190}, publisher = springer } ###InProceedings{ schwoonesparza:2005:emptinesscomparison, author = {Stefan Schwoon and Javier Esparza}, title = {A Note on On-The-Fly Verification Algorithms}, booktitle = tacas, year = {2005}, editor = {Nicolas Halbwachs and Lenore Zuck}, volume = {3440}, series = lncs, pages = {174--190}, publisher = springer } @Misc{ChAr07, author = "Simon Chemouil and Ludovic Arnold", title = "Implémentation d'algorithmes génériques sur les graphes en Coq", note = "Rapport de stage de master M1", url = "https://www.lri.fr/~arnold/projects:coqgraphs" } @Book{ sewa11, author = "Robert Sedgewick and Kevin Wayne", title = "Algorithms", publisher = "Addison-Wesley Professional", year = 2011, note = {4th edition} } @Article{ sharir81, author = {Sharir, M.}, journal = {Computers \& Mathematics with Applications}, month = jan, number = {1}, pages = {67--72}, title = {{A strong-connectivity algorithm and its applications in data flow analysis}}, volume = {7}, year = {1981} } 
@InProceedings{ slindn08, author = {Konrad Slind and Michael Norrish}, title = {A Brief Overview of {HOL4}}, booktitle = {TPHOLs}, year = 2008, pages = {28--32}, ee = {https://doi.org/10.1007/978-3-540-71067-7_6}, crossref = {DBLP:conf/tphol/2008}, bibsource = {DBLP, http://dblp.uni-trier.de} } ###InProceedings{ slindn08, author = {Konrad Slind and Michael Norrish}, title = {A Brief Overview of {HOL4}}, booktitle = {TPHOLs}, year = 2008, pages = {28--32}, ee = {https://doi.org/10.1007/978-3-540-71067-7_6}, crossref = {DBLP:conf/tphol/2008}, bibsource = {DBLP, http://dblp.uni-trier.de} } @InProceedings{ sprengertacas98, author = {Christoph Sprenger}, title = {A Verified Model Checker for the Modal $\mu$-Calculus in {Coq}}, booktitle = tacas, publisher = springer, series = lncs, volume = 1384, year = 1998, pages = {167--183}, editor = {Steffen, Bernhard} } @PhDThesis{ stap99, author = {Mark Staples}, title = {A Mechanised Theory of Refinement}, school = {University of Cambridge}, year = {1999}, note = {2nd edition} } ###PhDThesis{ stap99, author = {Mark Staples}, title = {A Mechanised Theory of Refinement}, school = {University of Cambridge}, year = {1999}, note = {2nd edition} } @Article{ tarjan72, author = {Tarjan, R.}, title = {Depth-First Search and Linear Graph Algorithms}, journal = {SIAM Journal on Computing}, volume = {1}, number = {2}, pages = {146-160}, year = {1972}, doi = {10.1137/0201010} } @Misc{ timbuk, author = {T. Genet and V. V. T. Tong}, title = {{T}imbuk 2.2}, url = {http://www.irisa.fr/celtique/genet/timbuk/} } ###Misc{ timbuk, author = {T. Genet and V. V. T. Tong}, title = {Timbuk 2.2}, url = {http://www.irisa.fr/celtique/genet/timbuk/} } @Article{ vawo94, author = {Moshe Y. 
Vardi and Pierre Wolper}, title = {Reasoning about Infinite Computations}, journal = {Information and Computation}, year = {1994}, volume = {115}, pages = {1--37} } @inproceedings{VaWo86, author = {Vardi, {M.Y.} and Wolper, {P.}}, booktitle = {In Proceedings of the 1st Symposium on Logic in Computer Science}, pages = {322--331}, title = {An automata-theoretic approach to automatic program verification}, year = 1986 } @InProceedings{ wad89, author = {Philip Wadler}, title = {Theorems for free!}, booktitle = {Proc. of FPCA}, year = {1989}, pages = {347--359}, publisher = {ACM} } @InProceedings{ wad92, author = {Philip Wadler}, title = {Comprehending Monads}, booktitle = {Mathematical Structures in Computer Science}, year = {1992}, pages = {61--78} } ###Article{ wad92, author = {Philip Wadler}, title = {Comprehending Monads}, journal = {Mathematical Structures in Computer Science}, year = {1992}, pages = {461--478}, volume = {2}, issue = {04} } @TechReport{ wat93, author = {Bruce W. Watson}, title = {A taxonomy of finite automata minimization algorithms}, institution = {Eindhoven University of Technology, The Netherlands}, year = 1993, type = {Comp. Sci. Note}, number = {93/44}, issn = "0926-4515" } ###TechReport{ wat93, author = {Bruce W. Watson}, title = {A taxonomy of finite automata minimization algorithms}, institution = {Eindhoven University of Technology, The Netherlands}, year = 1993, type = {Comp. Sci. Note}, number = {93/44}, issn = "0926-4515" } @InProceedings{ wri94, author = {J. von Wright}, title = {Program Refinement by Theorem Prover}, booktitle = {In BCS FACS Sixth Refinement Workshop -- Theory and Practise of Formal Software Development}, year = {1994}, publisher = springer } ###InProceedings{ wri94, author = {J. von Wright}, title = {Program Refinement by Theorem Prover}, booktitle = {In BCS FACS Sixth Refinement Workshop -- Theory and Practise of Formal Software Development}, year = {1994}, publisher = springer } 
diff --git a/thys/Green/document/root.tex b/thys/Green/document/root.tex
--- a/thys/Green/document/root.tex
+++ b/thys/Green/document/root.tex
@@ -1,44 +1,44 @@
 \documentclass[11pt,a4paper]{article} \usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} \usepackage{amssymb,amsmath} % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} \begin{document} \title{An Isabelle/HOL formalisation of Green's Theorem} \author{Mohammad Abdulaziz and Lawrence C.\ Paulson} \maketitle \begin{abstract}
- We formalise a statement of Green’s theorem—the first formalisation to
- our knowledge—in Isabelle/HOL. The theorem statement that we formalise
+ We formalise a statement of Green’s theorem---the first formalisation to
+ our knowledge---in Isabelle/HOL. The theorem statement that we formalise
 is enough for most applications, especially in physics and engineering. Our formalisation is made possible by a novel proof that avoids the ubiquitous line integral cancellation argument. This eliminates the need to formalise orientations and region boundaries explicitly with respect to the outwards-pointing normal vector. Instead we appeal to a homological argument about equivalences between paths. \end{abstract} % \tableofcontents \section{Acknowledgements} Paulson was supported by the ERC Advanced Grant ALEXANDRIA (Project 742178) funded by the European Research Council at the University of Cambridge, UK. % include generated text of all theories \input{session} \bibliographystyle{abbrv} \bibliography{root} \end{document}
diff --git a/thys/LOFT/document/chap3.tex b/thys/LOFT/document/chap3.tex
--- a/thys/LOFT/document/chap3.tex
+++ b/thys/LOFT/document/chap3.tex
@@ -1,170 +1,170 @@
 \section{Evaluation}\label{sec:eval} In Section~\ref{sec:conv}, we have made lots of definitions and created lots of models. How far these models are in accordance with the real world has been up to the vigilance of the reader. This section attemts to leviate this burden by providing some examples. \subsection{Mininet Examples} \label{sec:mnex} \tikzset{mnod/.style={minimum width=1cm}} \begin{figure*} \centering \begin{subfigure}[b]{0.45\textwidth} \begin{lstlisting} :FORWARD DROP [0:0] -A FORWARD -d 10.0.2.0/24 -i s1-lan -p tcp -m tcp --sport 32768:65535 --dport 80 -j ACCEPT \end{lstlisting} \caption{FORWARD chain} \end{subfigure} \hspace{0.05\textwidth} \begin{subfigure}[b]{0.45\textwidth} \begin{lstlisting} 10.0.2.0/24 dev s1-wan proto kernel scope link src 10.0.2.4 10.0.1.0/24 dev s1-lan proto kernel scope link src 10.0.1.1 default via 10.0.2.1 dev s1-wan \end{lstlisting} \caption{Routing table (sorted)} \end{subfigure} \begin{subfigure}{\textwidth} \begin{lstlisting} priority=4,hard_timeout=0,idle_timeout=0,in_port=1,dl_type=0x800,nw_proto=6,nw_dst=10.0.2.0/24,tp_src=32768/0x8000,tp_dst=80,action=output:2 priority=3,hard_timeout=0,idle_timeout=0,dl_type=0x800,nw_dst=10.0.2.0/24,action=drop priority=2,hard_timeout=0,idle_timeout=0,dl_type=0x800,nw_dst=10.0.1.0/24,action=drop priority=1,hard_timeout=0,idle_timeout=0,in_port=1,dl_type=0x800,nw_proto=6,nw_dst=10.0.2.0/24,tp_src=32768/0x8000,tp_dst=80,action=output:2 priority=0,hard_timeout=0,idle_timeout=0,dl_type=0x800,action=drop \end{lstlisting} \caption{Resulting OpenFlow rules} \end{subfigure} \caption{Example Network 1 -- Configuration} \label{fig:exn1} \end{figure*} The first example is designed to be minimal while still showing the most important properties of our conversion. For this purpose, we used a linux firewall F, that we want to convert. We gave it two interfaces, and connected one client each. 
Its original configuration and the ruleset resulting from the translation is shown in Figure \ref{fig:exn1}. (The list of interfaces can be extracted from the routing table; \texttt{s1-lan} received port number 1.) While the configuration does not fulfil any special function (especially, no traffic from the interface \texttt{s1-wan} is permitted), it is small enough to let us have a detailed look. More specifically, we can see how the only firewall rule (Line 2) got combined with the first rule of the routing table to form Line 1 of the OpenFlow rules. This also shows why the bitmasks on the layer 4 ports are necessary. If we only allowed exact matches, we would have $2^{15}$ rules instead of just one. Line 2 of the OpenFlow ruleset has been formed by combining the default drop policy with Line 1 of the routing table. In a similar fashion, Line 2 of the routing rules has also been combined with the two firewall rules. However, as $10.0.2.0/24$ from the firewall and $10.0.1.0/24$ from the routing table have no common elements, no rule results from combining Line 2 and Line 2. In a similar fashion, the rest of the OpenFlow ruleset can be explained. We feel that it is also worth noting again that it is necessary to change the IP configuration of the two devices attached to F. Assuming they are currently configured with, e.g., $10.0.1.100/24$ and $10.0.2.1/24$, the subnet would have to be changed from 24 to 22 or lower to ensure that a common subnet is formed and the MAC layer can function properly. Next, we show a somewhat more evolved example. Its topology is depicted in Figure \ref{fig:exn2}. As before, we called the device to be replaced F. It is supposed to implement the simple policy that the clients H1 and H2 are allowed to communicate with the outside world via HTTP, ICMP is generally allowed, any other traffic is to be dropped (we neglected DNS for this example). We used the iptables configuration that is shown in Figure \ref{fig:exn2fw}. 
The routing table is the same as in the first example network. \begin{figure*} \centering \begin{subfigure}{0.4\textwidth} \begin{tikzpicture}[node distance=2cm,scale=0.85] \node[router,mnod](r){F}; \node[hub,mnod,left of=r](h){}; \node[server,mnod,right of=r](s1){S1}; \node[server,mnod,right of=s1](s2){S2}; \node[client,mnod,above of=h](h1){}; \node[above of=h1,node distance=1cm]{H1}; \node[client,mnod,below of=h](h2){H2}; \draw(h1) -- (h) -- (h2); \draw(h) -- (r) -- (s1) -- (s2); \end{tikzpicture} \vspace{1em} \caption{Topology} \label{fig:exn2} \end{subfigure} \hspace{0.05\textwidth} \begin{subfigure}{0.5\textwidth} \begin{lstlisting} :FORWARD DROP [0:0] -A FORWARD -p icmp -j ACCEPT -A FORWARD -i s1-lan -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT -A FORWARD -d 10.0.1.0/24 -i s1-wan -p tcp -m tcp --sport 80 --dport 1024:65535 -j ACCEPT \end{lstlisting} \caption{\texttt{FORWARD} chain} \label{fig:exn2fw} \end{subfigure} \caption{Example Network 2} \end{figure*} The topology has been chosen for a number of reasons: we wanted one device which is not inside a common subnet with F and thus requires no reconfiguration for the translation. Moreover, we wanted two devices in a network that can communicate with each other while being overheard by F. For this purpose, we added two clients H1 and H2 instead of just one. We connected them with a broadcasting device.\footnote{For the lack of a hub in mininet, we emulated one with an OpenFlow switch.} Executing our conversion function results in 36 rules% \footnote{If we had implemented some spoofing protection by adding \texttt{! -s 10.0.1.0/24} to the respective rule, the number of rules would have been increased to 312. This is because a cross product of two prefix splits would occur.}, we decided not to include them here. Comparing to the first example network, the size of the ruleset seems relatively high. 
This can be explained by the port matches: $1024$-$65535$ has to be expressed by 6 different matches, \texttt{tp\_src=1024/0xfc00}, \texttt{tp\_src=2048/0xf800}, \ldots, \texttt{tp\_src=32768/0x8000} (or \texttt{tp\_dst} respectively). When installing these rules, we also have to move all of H1, H2 and S1 into a common subnet. We chose $10.0.0.0/16$ and updated the IP configuration of the three hosts accordingly. As discussed, the configuration of S2 did not have to be updated, as it does not share any subnet with F. We then tested reachability for TCP 22 and 80 and ICMP. The connectivity between all pairs of hosts (H1,H2,S1 and S2) remained the same compared to before the conversion. This shows that the concept can be made to work.
-However, the example also reveals a flaw: When substituting the more complete model of a linux firewall with the simple one in Section \ref{sec:lfw}, we assumed that the check whether the correct MAC address is set and the packets are destined for the modelled device would never fail — we assumed that all traffic arriving at a device is actually destined for it.
+However, the example also reveals a flaw: When substituting the more complete model of a linux firewall with the simple one in Section \ref{sec:lfw}, we assumed that the check whether the correct MAC address is set and the packets are destined for the modelled device would never fail --- we assumed that all traffic arriving at a device is actually destined for it.
 Obviously, this network violates this assumption. We can trigger this in many ways, for example by sending an ICMP ping from H1 to H2. This will cause the generated rule \texttt{priority=7, \!icmp, \!nw\_dst=10.0.1.0/24 actions=output:1} (where port 1 is the port facing H1 and H2) to be activated twice. This is obviously not desired behavior. Dealing with this is, as mentioned, future work. 
\subsection{Performance Evaluation} Unfortunately, we do not have any real-world data that does not use output port matches as required in Section \ref{sec:convi}. There is thus no way to run the translation on the real-world firewall rulesets we have available and obtain a meaningful result. Nevertheless, we can use a real-world ruleset to evaluate the performance of our translation. For this purpose, we picked the largest firewall from the firewall collection from~\cite{diekmann2016verified}. A significant amount of time is necessary to convert its \texttt{FORWARD} chain including 4946 rules\footnote{In the pre-parsed and already normalized version we used for this benchmark, it took $45 \mathrm{s}$. The full required time lies closer to $11 \mathrm{min}$ as stated in~\cite{diekmann2016verified}.} to the required simplified firewall form. Additionally to the simplified firewall, we acquired the routing table (26 entries) from the same machine. We then evaluated the time necessary to complete the translation and the size of the resulting ruleset when using only the first $n$ simple firewall rules and the full routing table. The result is shown in Figure \ref{fig:bench}. \begin{figure} \begin{tikzpicture}[scale=0.85] \begin{axis}[axis y line*=left, xlabel=Rule count $n$, ylabel=Ruleset size] \addplot table [x=n, y=r, col sep=comma] {bench.csv}; \addlegendentry{Ruleset size}\label{rulecount} \legend{} \end{axis} \begin{axis}[axis y line*=right, axis x line=none, legend pos=north west, ylabel near ticks, ylabel=Time in $\mathrm{s}$] \addplot [mark=x,red] table [x=n, y=s, col sep=comma] {bench.csv}; \addlegendentry{Required time} \addlegendimage{/pgfplots/refstyle=rulecount}\addlegendentry{Ruleset size} \end{axis} \end{tikzpicture} \caption{Benchmark} \label{fig:bench} \end{figure} Given the time necessary to complete the conversion of the iptables firewall to a simple firewall, it is reasonable to say that the translation function is efficient enough. 
At first glance, size of the resulting ruleset seems high. This can be explained by two facts: \begin{itemize} \item The firewall contains a large number of rules with port matches that allow the ports $1$-$65535$, which requires 16 OpenFlow rules. \item Some combinations of matches from the firewall and the routing table cannot be ruled out, since the firewall match might only contain an output port and the rule can thus only apply for the packets matching a few routing table entries. However, the translation is not aware of that and can thus not remove the combination of the firewall rule and other routing table entries. \end{itemize} In some rules, the conditions above coincede, resulting in $416\ (=16 \cdot 26)$ rules. To avoid the high number of rules resulting from the port matches, rules that forbids packets with source or destination port 0 could be added to the start of the firewall and the $1$-$65535$ could be removed; dealing with the firewall / routing table problem is part of the future work on output interfaces. \section{Conclusion and Future Work} We believe that we have shown that it is possible to translate at least basic configurations of a linux firewall into OpenFlow rulesets while preserving the most important aspects of the behavior. We recognize that our system has limited practical applicability. One possible example would be a router or firewall inside a company network whose state tables have been polluted by special attack traffic. Our translation could provide an OpenFlow based stateless replacement. However, given the current prerequisites the implementation has on the configuration, this application is relatively unlikely. For the configuration translation, we have contributed formal models of a linux firewall and of an OpenFlow switch. 
Furthermore, the function that joins two firewalls and the function that translates a simplified match from~\cite{diekmann2016verified} to a list of equivalent OpenFlow field match sets are contributions that we think are likely to be of further use. We want to explicitly formulate the following two goals for our future work: \begin{itemize} \item We want to deal with output interface matches. The idea is to formulate and verify a destination interface / destination IP address rewriting that can exchange output interfaces and destination IP addressed in a firewall, based on the information from the routing table.\footnote{As of now this has already been implemented, but is not yet fully ready.} \item We want to develop a system that can provide a stricter approximation of stateful matches so our translation will be applicable in more cases. \end{itemize}
diff --git a/thys/LOFT/document/root.tex b/thys/LOFT/document/root.tex
--- a/thys/LOFT/document/root.tex
+++ b/thys/LOFT/document/root.tex
@@ -1,122 +1,122 @@
 \documentclass[a4paper]{article} \usepackage[T1]{fontenc} \usepackage{isabelle,isabellesym} % further packages required for unusual symbols (see also % isabellesym.sty), use only when needed %\usepackage{amssymb} %for \, \, \, \, \, \, %\, \, \, \, \, %\, \, \ %\usepackage{eurosym} %for \ %\usepackage[only,bigsqcap]{stmaryrd} %for \ %\usepackage{eufrak} %for \ ... \, \ ... \ (also included in amssymb) %\usepackage{textcomp} %for \, \, \, \, \, %\ \usepackage{makeidx} \usepackage{graphicx} \usepackage{tabularx} \usepackage{amssymb} \usepackage{amsmath} \usepackage{color} \usepackage{booktabs} \newcommand{\todo}[1]{\textcolor{red}{TODO: #1}} \usepackage{pifont} \usepackage{tikz} \usetikzlibrary{calc} \usepackage{moeptikz} \usepackage{flushend} \usepackage{stmaryrd} \usepackage{mathtools} \hyphenation{swit-ches} \usepackage{alphabeta} \usepackage{url} \usepackage{tikz} \usetikzlibrary{calc,positioning} \widowpenalty100000 \clubpenalty100000 \usepackage{pbox} \usepackage{subcaption} \usepackage{framed} \usepackage{listings} \lstset{breaklines=true,numbers=left,numberstyle=\tiny\color{gray},basicstyle=\footnotesize\ttfamily} \usepackage{pgfplots} \columnsep 2pc % Space between columns \textwidth 42pc % Width of text line. \oddsidemargin 4.5pc \evensidemargin 4.5pc \advance\oddsidemargin by -1.11in % Correct for LaTeX gratuitousness \advance\evensidemargin by -1.11in % Correct for LaTeX gratuitousness \marginparwidth 0pt % Margin pars are not allowed. 
\marginparsep 11pt % Horizontal space between outer margin and \emergencystretch=10cm % this should be the last package used \usepackage{pdfsetup} % urls in roman style, theory text in math-similar italics \urlstyle{rm} \isabellestyle{it} % for uniform font size %\renewcommand{\isastyle}{\isastyleminor} \usepackage[english]{babel} % for \frqq (whatever that actually is) \begin{document}
-\title{LOFT — Verified Migration of Linux Firewalls to SDN}
+\title{LOFT --- Verified Migration of Linux Firewalls to SDN}
 \author{Julius Michaelis and Cornelius Diekmann} \maketitle \begin{abstract}
- We present LOFT — \emph{L}inux firewall \emph{O}pen\emph{F}low \emph{T}ranslator, a system that transforms the main routing table and \texttt{FORWARD} chain of iptables of a Linux-based firewall into a set of static OpenFlow rules.
+ We present LOFT --- \emph{L}inux firewall \emph{O}pen\emph{F}low \emph{T}ranslator, a system that transforms the main routing table and \texttt{FORWARD} chain of iptables of a Linux-based firewall into a set of static OpenFlow rules.
 Our implementation is verified against a model of a simplified Linux-based router and we can directly show how much of the original functionality is preserved. \end{abstract} \vspace{1em} Please note that this document is organized in two distinct parts. The first part contains the necessary definitions, helper lemmas and proofs in all their technicality as made in the theory code. The second part reiterates the most important definitions and proofs in a manner that is more suitable for human readers and enriches them with detailed explanations in natural language. Any interested reader should start from there. Many of the considerations that have led to the definitions made here have been explained in \cite{michaelis2016middlebox}. 
\tableofcontents \newpage \part{Code} % sane default for proof documents \parindent 0pt\parskip 0.5ex \input{session} \input{chap3} \bibliographystyle{abbrv} \bibliography{root} % optional bibliography %\bibliographystyle{abbrv} %\bibliography{root} \end{document} %%% Local Variables: %%% mode: latex %%% TeX-master: t %%% End:
diff --git a/thys/Prpu_Maxflow/document/root.bib b/thys/Prpu_Maxflow/document/root.bib
--- a/thys/Prpu_Maxflow/document/root.bib
+++ b/thys/Prpu_Maxflow/document/root.bib
@@ -1,1470 +1,1470 @@
 @STRING{LNCS = {LNCS}} @STRING{Springer = {Springer}} @inproceedings{LaSe16, author = {Peter Lammich and S. Reza Sefidgar}, title = {Formalizing the Edmonds-Karp Algorithm}, booktitle = {Interactive Theorem Proving}, publisher = Springer, year = {2016}, note = {to appear} } @article{LaSe16_afp, author = {Peter Lammich and S. Reza Sefidgar}, title = {Formalizing the Edmonds-Karp Algorithm}, journal = {Archive of Formal Proofs}, month = aug, year = 2016, note = {\url{http://isa-afp.org/entries/EdmondsKarp_Maxflow.shtml}, Formal proof development}, ISSN = {2150-914x}, } @Article{ChGo97, author="Cherkassky, B. V. and Goldberg, A. V.", title="On Implementing the Push---Relabel Method for the Maximum Flow Problem ", journal="Algorithmica", year="1997", volume="19", number="4", pages="390--410", } @inproceedings{LeRu07, author = {Lee, Gilbert and Rudnicki, Piotr}, title = {Alternative Aggregates in Mizar}, booktitle = {Calculemus '07 / MKM '07}, year = {2007}, pages = {327--341}, numpages = {15}, publisher = {Springer}, } @book{BeCa10, author = {Bertot, Yves and Castran, Pierre}, title = {Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions}, year = {2010}, edition = {1st}, publisher = Springer, } @inproceedings{La16, author = {Peter Lammich}, title = {Refinement based verification of imperative data structures}, booktitle = {{CPP}}, pages = {27--36}, publisher = {{ACM}}, year = {2016} } @inproceedings{GAK12, publisher = Springer, author = {Greenaway, David and Andronick, June and Klein, Gerwin}, month = {aug}, year = {2012}, title = {Bridging the Gap: Automatic Verified Abstraction of {C}}, booktitle = {ITP}, pages = {99-115}, } @phdthesis{Greenaway15, school = {CSE, UNSW}, author = {Greenaway, David}, month = {mar}, year = {2015}, keywords = {isabelle/hol, c verification, autocorres}, title = {Automated proof-producing abstraction of C code}, address = {Sydney, Australia} } @PHDTHESIS{Nosch15, author
= {Lars Noschinski}, title = {Formalizing Graph Theory and Planarity Certificates}, school = {Fakultät für Informatik, Technische Universität München}, year = {2015}, month = {November}, } @ARTICLE{MaRu05, author = {Roman Matuszewski and Piotr Rudnicki}, title = {Mizar: the first 30 years}, journal = {Mechanized Mathematics and Its Applications}, year = {2005}, pages = {2005} } @inproceedings{Wenzel99, author = {Markus Wenzel}, title = {Isar - {A} Generic Interpretative Approach to Readable Formal Proof Documents}, booktitle = {TPHOLs'99}, pages = {167--184}, year = {1999}, crossref = {DBLP:conf/tphol/1999}, } @proceedings{DBLP:conf/tphol/1999, title = {Theorem Proving in Higher Order Logics, 12th International Conference, TPHOLs'99, Nice, France, September, 1999, Proceedings}, series = LNCS, volume = {1690}, publisher = Springer, year = {1999}, } @article{GoTa88, author = {Goldberg, Andrew V. and Tarjan, Robert E.}, title = {A New Approach to the Maximum-flow Problem}, journal = {J. ACM}, issue_date = {Oct. 1988}, volume = {35}, number = {4}, month = oct, year = {1988}, publisher = {ACM}, } @incollection{Di06, author = {Dinitz, Yefim}, chapter = {Dinitz' Algorithm: The Original Version and Even's Version}, title = {Theoretical Computer Science}, year = {2006}, pages = {218--240}, numpages = {23}, publisher = {Springer}, } @article{Wirth71, author = {Wirth, Niklaus}, title = {Program Development by Stepwise Refinement}, journal = {Commun. 
ACM}, issue_date = {April 1971}, volume = {14}, number = {4}, month = apr, year = {1971}, publisher = {ACM}, } @incollection{La15, year={2015}, booktitle={ITP}, volume={9236}, series={LNCS}, title={Refinement to {Imperative/HOL}}, publisher={Springer}, author={Lammich, Peter}, pages={253-269}, } @inproceedings{BCHP05, author = {Bornat, Richard and Calcagno, Cristiano and O'Hearn, Peter and Parkinson, Matthew}, title = {Permission Accounting in Separation Logic}, booktitle = {POPL}, year = {2005}, pages = {259--270}, numpages = {12}, publisher = {ACM}, } @INPROCEEDINGS{MA07, author = {Nicolas Marti and Reynald Affeldt}, title = {A certified verifier for a fragment of Separation logic}, booktitle = {PPL-Workshop}, year = {2007} } @INPROCEEDINGS{NMSGB08, author = {Aleksandar Nanevski and Greg Morrisett and Avi Shinnar and Paul Govereau and Lars Birkedal}, title = {Ynot: Reasoning with the awkward squad}, booktitle = {ICFP}, year = {2008} } @inproceedings{KKB12, publisher = {Springer}, author = {Klein, Gerwin and Kolanski, Rafal and Boyton, Andrew}, month = {Aug}, year = {2012}, title = {Mechanised Separation Algebra}, booktitle = {ITP}, pages = {332-337}, } @InProceedings{char11, author = "Arthur Chargu{\'e}raud", title = "Characteristic Formulae for the Verification of Imperative Programs", year = "2011", pages = "418--430", publisher = "ACM", booktitle = "ICFP", } @incollection{La14, year={2014}, booktitle={ITP}, volume={8558}, series={LNCS}, title={Verified Efficient Implementation of {G}abow’s Strongly Connected Component Algorithm}, publisher={Springer}, author={Lammich, Peter}, pages={325-340}, } @article{HiPa06, title = "Finger Trees: A Simple General-purpose Data Structure", author = "Ralf Hinze and Ross Paterson", journal = "Journal of Functional Programming", volume = 16, number = 2, pages = "197-217", year = 2006 } @incollection{Pe07, year={2007}, booktitle={Model Checking Software}, series={LNCS}, title={BEEM: Benchmarks for Explicit Model Checkers}, 
publisher={Springer}, author={Pelánek, Radek}, pages={263-267}, } @inproceedings{CDHY09, author = {Calcagno, Cristiano and Distefano, Dino and O'Hearn, Peter and Yang, Hongseok}, title = {Compositional Shape Analysis by Means of Bi-abduction}, booktitle = {POPL '09}, year = {2009}, pages = {289--300}, } @inproceedings{Neu12, author = {Rene Neumann}, booktitle = {Workshop on Automated Theory Exploration (ATX 2012)}, pages = {36--45}, title = {A Framework for Verified Depth-First Algorithms}, year = {2012} } @article{LaMe12, author = {Peter Lammich and Rene Meis}, title = {A Separation Logic Framework for Imperative HOL}, journal = {Archive of Formal Proofs}, month = nov, year = 2012, note = {\url{https://isa-afp.org/entries/Separation_Logic_Imperative_HOL.shtml}, Formal proof development}, ISSN = {2150-914x}, } @inproceedings{Bu62, author = {Buechi, Julius R.}, booktitle = {International Congress on Logic, Methodology, and Philosophy of Science}, citeulike-article-id = {2948751}, keywords = {automata\_theory}, pages = {1--11}, posted-at = {2008-07-01 16:58:48}, priority = {0}, publisher = {Stanford University Press}, title = {{On a Decision Method in Restricted Second-Order Arithmetic}}, year = {1962} } @ARTICLE{VaWo94, author = {Moshe Y. Vardi and Pierre Wolper}, title = {Reasoning about Infinite Computations}, journal = {Information and Computation}, year = {1994}, volume = {115}, pages = {1--37} } @article{GeVa05, author = {Geldenhuys, Jaco and Valmari, Antti}, title = {More Efficient On-the-fly {LTL} Verification with Tarjan's Algorithm}, journal = {Theor. Comput. 
Sci.}, issue_date = {21 November 2005}, volume = {345}, number = {1}, month = nov, year = {2005}, issn = {0304-3975}, pages = {60--82}, numpages = {23}, url = {https://doi.org/10.1016/j.tcs.2005.07.004}, doi = {10.1016/j.tcs.2005.07.004}, acmid = {1121853}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {model checking, verification}, } @inproceedings{CDP05, author = {Couvreur, Jean-Michel and Duret-Lutz, Alexandre and Poitrenaud, Denis}, title = {On-the-fly Emptiness Checks for Generalized B\&\#252;Chi Automata}, booktitle = {Proceedings of the 12th International Conference on Model Checking Software}, series = {SPIN'05}, year = {2005}, isbn = {3-540-28195-9, 978-3-540-28195-5}, location = {San Francisco, CA}, pages = {169--184}, numpages = {16}, url = {https://doi.org/10.1007/11537328_15}, doi = {10.1007/11537328_15}, acmid = {2156363}, publisher = {Springer-Verlag}, address = {Berlin, Heidelberg}, } @incollection{RDKP13, year={2013}, isbn={978-3-642-45220-8}, booktitle={Logic for Programming, Artificial Intelligence, and Reasoning}, volume={8312}, series={Lecture Notes in Computer Science}, editor={McMillan, Ken and Middeldorp, Aart and Voronkov, Andrei}, doi={10.1007/978-3-642-45221-5_44}, title={Three SCC-Based Emptiness Checks for Generalized Büchi Automata}, url={https://doi.org/10.1007/978-3-642-45221-5_44}, publisher={Springer Berlin Heidelberg}, author={Renault, Etienne and Duret-Lutz, Alexandre and Kordon, Fabrice and Poitrenaud, Denis}, pages={668-682} } @article{Purdom70, year={1970}, issn={0006-3835}, journal={BIT Numerical Mathematics}, volume={10}, number={1}, doi={10.1007/BF01940892}, title={A transitive closure algorithm}, url={https://doi.org/10.1007/BF01940892}, publisher={Kluwer Academic Publishers}, author={Purdom, Paul, Jr.}, pages={76-94}, language={English} } @article{Munro71, title = "Efficient determination of the transitive closure of a directed graph ", journal = "Information Processing Letters ", 
volume = "1", number = "2", pages = "56 - 58", year = "1971", note = "", issn = "0020-0190", author = "Ian Munro", } @article{ChMe96, year={1996}, issn={0178-4617}, journal={Algorithmica}, volume={15}, number={6}, doi={10.1007/BF01940880}, title={Algorithms for dense graphs and networks on the random access computer}, url={https://doi.org/10.1007/BF01940880}, publisher={Springer-Verlag}, keywords={Graph; Network; Algorithm; Dense graph; Dense network}, author={Cheriyan, J. and Mehlhorn, K.}, pages={521-549}, language={English} } @article{Gabow00, title = "Path-based depth-first search for strong and biconnected components ", journal = "Information Processing Letters ", volume = "74", number = "3–4", pages = "107 - 114", year = "2000", note = "", issn = "0020-0190", doi = "https://doi.org/10.1016/S0020-0190(00)00051-X", url = "http://www.sciencedirect.com/science/article/pii/S002001900000051X", author = "Harold N. Gabow", } @article{Tarjan72, author = {Tarjan, R.}, title = {Depth-First Search and Linear Graph Algorithms}, journal = {SIAM Journal on Computing}, volume = {1}, number = {2}, pages = {146-160}, year = {1972}, doi = {10.1137/0201010}, } @article{Sharir81, author = {Sharir, M.}, journal = {Computers \& Mathematics with Applications}, month = jan, number = {1}, pages = {67--72}, title = {{A strong-connectivity algorithm and its applications in data flow analysis}}, volume = {7}, year = {1981} } @book{SeWa11, author="Robert Sedgewick and Kevin Wayne", title="Algorithms", publisher="Addison-Wesley", year=2011, note = {4th edition} } @book{Dijk76, author="E. W. Dijkstra", title="A Discipline of Programming", publisher="Prentice Hall", year="1976", note="Ch. 25" } @inproceedings{MyOw12, author = {Myreen, Magnus O. 
and Owens, Scott}, title = {Proof-producing synthesis of {ML} from higher-order logic}, booktitle = {Proceedings of the 17th ACM SIGPLAN international conference on Functional programming}, series = {ICFP '12}, year = {2012}, pages = {115--126}, publisher = {ACM} } @misc{HuKu12, title = {Lifting and Transfer: A Modular Design for Quotients in {Isabelle/HOL}}, author = {Brian Huffman and Ondřej Kunčar}, year = {2012}, note = {Isabelle Users Workshop 2012} } @phdthesis{huff12, author = {Brian Huffman}, title = {HOLCF '11: A Definitional Domain Theory for Verifying Functional Programs}, school = {Portland State University}, year = {2012} } @INPROCEEDINGS{Wad89, author = {Philip Wadler}, title = {Theorems for free!}, booktitle = {Proc. of FPCA}, year = {1989}, pages = {347--359}, publisher = {ACM} } @inproceedings{Rey83, author = {John C. Reynolds}, title = {Types, Abstraction and Parametric Polymorphism}, booktitle = {IFIP Congress}, year = {1983}, pages = {513-523}, } @inproceedings{BBMV91, author = {Roland C. Backhouse and Peter de Bruin and Grant Malcolm and Ed Voermans and Jaap van der Woude}, title = {Relational catamorphisms}, booktitle = {Proc. of the IFIP TC2/WG2.1 Working Conference on Constructing Programs}, publisher = {Elsevier Science Publishers BV}, year = {1991} } @incollection{BJJM99, year={1999}, booktitle={Advanced Functional Programming}, volume={1608}, series=LNCS, title={Generic Programming}, publisher=Springer, author={Backhouse, Roland and Jansson, Patrik and Jeuring, Johan and Meertens, Lambert}, pages={28-115} } @inproceedings {Bul12, author = {Lukas Bulwahn}, title = {The New Quickcheck in {I}sabelle: Random, Exhaustive and Symbolic Testing Under One Roof}, booktitle = {Proc. 
of CPP}, year = {2012}, publisher = Springer, volume = {7679}, pages = {92--108}, series = LNCS } @incollection{INY04, year={2004}, booktitle={Theory Is Forever}, volume={3113}, series=LNCS, title={On {NFA} Reductions}, publisher=Springer, author={Ilie, Lucian and Navarro, Gonzalo and Yu, Sheng}, pages={112-124} } @mastersthesis{Eberl12, title = {Efficient and Verified Computation of Simulation Relations on {NFA}s}, author = {Manuel Eberl}, school = {Technische Universit\"at M\"unchen}, year = {2012}, type = {Bachelor's thesis} } @Misc{HKKN13, title = {Data Refinement in {Isabelle/HOL}}, author = {Florian Haftmann and Alexander Krauss and Ond\v{r}ej Kun\v{c}ar and Tobias Nipkow}, year = {2013}, note = {To appear in Proc. of ITP 2013} } @incollection{ELNN13, year={2013}, booktitle={CAV}, volume={8044}, series={LNCS}, title={A Fully Verified Executable {LTL} Model Checker}, publisher={Springer}, author={Esparza, Javier and Lammich, Peter and Neumann, René and Nipkow, Tobias and Schimpf, Alexander and Smaus, Jan-Georg}, pages={463-478}, } @inproceedings{MuSt89, author = {David R. Musser and Alexander A. Stepanov}, title = {Generic Programming}, booktitle = {Proc. of ISSAC}, year = {1989}, publisher = Springer, volume = {358}, pages = {13--25}, series = LNCS } @inproceedings{Hom09, title = {The {HOL}-{O}mega Logic}, author = {Peter V. Homeier}, booktitle = {Proc. of TPHOLs}, year = {2009}, publisher = Springer, volume = {5674}, pages = {244--259}, series = LNCS } @incollection{La13, year={2013}, booktitle={ITP}, volume={7998}, series={LNCS}, title={Automatic Data Refinement}, publisher={Springer}, author={Lammich, Peter}, pages={84-99} } @book{Holzmann03,author="Gerard J. Holzmann", title="The Spin Model Checker --- Primer and Reference Manual", publisher="Addison-Wesley",year=2003} @inproceedings{LaTu12, author = {Peter Lammich and Thomas Tuerk}, title = {Applying Data Refinement for Monadic Programs to {H}opcroft's Algorithm}, booktitle = {Proc. 
of ITP}, year = {2012}, publisher = Springer, volume = {7406}, pages = {166--182}, series = LNCS } @TechReport{Tu11, author = {Tuerk, Thomas}, title = {{A separation logic framework for HOL}}, year = 2011, month = jun, url = {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-799.pdf}, institution = {University of Cambridge, Computer Laboratory}, number = {UCAM-CL-TR-799} } @book{Abrial96,author="Jean-Raymond Abrial", title="The B-Book: Assigning Programs to Meanings", publisher="Cambridge University Press",year=1996} @article{KleinN-TOPLAS,author={Gerwin Klein and Tobias Nipkow}, title={A Machine-Checked Model for a {Java}-Like Language, Virtual Machine and Compiler}, journal=TOPLAS,volume = {28}, number = {4}, year = {2006}, pages = {619--695}} @inproceedings{KleinEHACDEEKNSTW09, author = {Gerwin Klein and Kevin Elphinstone and Gernot Heiser and June Andronick and David Cock and Philip Derrin and Dhammika Elkaduwe and Kai Engelhardt and Rafal Kolanski and Michael Norrish and Thomas Sewell and Harvey Tuch and Simon Winwood}, title = {{seL4}: formal verification of an {OS} kernel}, booktitle = {Proc.\ ACM Symp.\ Operating Systems Principles}, year = {2009}, pages = {207--220}, editor = {Jeanna Neefe Matthews and Thomas E. Anderson}, publisher = {ACM} } @article{Leroy-JAR09,author={Xavier Leroy}, title={A Formally Verified Compiler Back-end}, journal={J. Automated Reasoning},year=2009,volume=43,pages={363--446}} @InProceedings{MalechaMSW-POPL10, author={G. Malecha and G. Morrisett and A. Shinnar and R. 
Wisnesky}, title={Toward a verified relational database management system}, booktitle={Principles of Programming Languages (POPL'10)}, pages={237--248},year=2010,publisher={ACM}} @book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel}, title={{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher=Springer,series=LNCS,volume=2283,year=2002} @PhdThesis{Schi06, author = {Norbert Schirmer}, title = {Verification of Sequential Imperative Programs in {I}sabelle/{HOL}}, school = {Technische Universit\"at M\"unchen}, year = {2006}, } @Misc{Haft10b, author = {Florian Haftmann}, title = {Data Refinement (Raffinement) in {Isabelle/HOL}}, year = {2010}, note = {Available at \url{https://isabelle.in.tum.de/community/}} } @inproceedings{LB11, title = {Animating the Formalised Semantics of a {J}ava-like Language}, booktitle = {Proc. of ITP}, year = {2011}, publisher = Springer, volume = {6898}, pages = {216--232}, author = {Andreas Lochbihler and Lukas Bulwahn}, series = LNCS } @InProceedings{CKS08, author = {David Cock and Gerwin Klein and Thomas Sewell}, title = {Secure Microkernels, State Monads and Scalable Refinement}, booktitle = {Proc. of TPHOLs}, year = {2008}, series = LNCS, publisher = Springer, pages = {167--182}, volume = {5170}, } @inproceedings{SchM98, author = {Martin Schwenke and Brendan Mahony}, title = {The Essence of Expression Refinement}, booktitle = {Proc. 
of International Refinement Workshop and Formal Methods}, year = {1998}, pages = {324--333} } @incollection{La12, author = {Peter Lammich}, title = {Refinement for Monadic Programs}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Refine\_Monadic.shtml}}, year = {2012}, note = {Formal proof development} } @article{NoLa12, author = {Benedikt Nordhoff and Peter Lammich}, title = {Formalization of {D}ijkstra's Algorithm}, journal = {Archive of Formal Proofs}, month = Jan, year = 2012, note = {\url{https://isa-afp.org/entries/Dijkstra_Shortest_Path.shtml}, Formal proof development}, ISSN = {2150-914x} } @inproceedings{BKHEM08, author = {Bulwahn, Lukas and Krauss, Alexander and Haftmann, Florian and Erk\"{o}k, Levent and Matthews, John}, title = {Imperative Functional Programming with {Isabelle/HOL}}, booktitle = {TPHOL}, year = {2008}, pages = {134--149}, numpages = {16}, publisher = Springer, series = LNCS, volume = {5170}, } @book{BaWr98, author = {Ralph-Johan Back and Joakim von Wright}, title = {Refinement Calculus --- A Systematic Introduction}, publisher = Springer, year = {1998} } @incollection {Old84, author = {Olderog, Ernst-R{\"u}diger},
- title = {Hoare's logic for programs with procedures — What has been achieved?},
+ title = {Hoare's logic for programs with procedures --- What has been achieved?},
 booktitle = {Logics of Programs}, series = LNCS, publisher = Springer, pages = {383-395}, volume = {164}, year = {1984} } @book{RoEn98, author = {Willem-Paul de Roever and Kai Engelhardt}, title = {Data Refinement: Model-Oriented Proof Methods and their Comparison}, publisher = {Cambridge University Press}, year = {1998} } @ARTICLE{BaWr90, author = {R. J. R. Back and J.
von Wright}, title = {Refinement Concepts Formalized in Higher Order Logic}, journal = {Formal Aspects of Computing}, year = {1990}, volume = {2} } @ARTICLE{BaWr00, title = {Encoding, Decoding and Data Refinement}, author = {Back, Ralph-Johan and von Wright, Joakim}, journal = {Formal Aspects of Computing}, volume = {12}, pages = {313--349}, year = {2000}, } @incollection {MSS86, author = {Melton, A. and Schmidt, D. and Strecker, G.}, title = {{G}alois connections and computer science applications}, booktitle = {Category Theory and Computer Programming}, series = LNCS, publisher = Springer, pages = {299--312}, volume = {240}, year = {1986} } @INPROCEEDINGS{LRW95, author = {Thomas Langbacka and Rimvydas Ruksenas and Joakim von Wright}, title = {{TkWinHOL}: A Tool for Doing Window Inference in {HOL}}, booktitle = {Proc. of International Workshop on Higher Order Logic Theorem Proving and its Applications}, year = {1995}, pages = {245--260}, publisher = Springer } @techreport{RuWr97, author = {Rimvydas Ruksenas and Joakim von Wright}, title = {A Tool for Data Refinement}, year = {1997}, institution = {Turku Centre for Computer Science}, number = {TUCS Technical Report No 119} } @INPROCEEDINGS{Wri94, author = {J. von Wright}, title = {Program Refinement by Theorem Prover}, booktitle = {In BCS FACS Sixth Refinement Workshop -- Theory and Practise of Formal Software Development}, year = {1994}, publisher = Springer } @phdthesis{Haft09, author = {Florian Haftmann}, title = {Code Generation from Specifications in Higher Order Logic}, school = {Technische Universit\"at M\"unchen}, year = {2009}, } @techreport{Egl75, author = {Herbert Egli}, title = {A mathematical model for nondeterministic computations}, institution = {ETH Z{\"u}rich}, year = {1975} } @article{Plo76, author= {G. D. Plotkin}, title = {A Powerdomain Construction}, journal = {SIAM J. 
Comput.}, volume = {5}, issue = {3}, pages = {452--487}, year = {1976} } @phdthesis{Back78, author = {Ralph-Johan Back}, title = {On the correctness of refinement steps in program development}, school = {Department of Computer Science, University of Helsinki}, year = {1978}, } @phdthesis{Preo06, author= {Viorel Preoteasa}, title= {Program Variables --- The Core of Mechanical Reasoning about Imperative Programs}, school= {Turku Centre for Computer Science}, year= {2006} } @inproceedings{BeRe09, author = {Berghofer, Stefan and Reiter, Markus}, title = {Formalizing the Logic-Automaton Connection}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {147--163}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_12}, publisher = Springer, address = {Berlin, Heidelberg}, } @incollection{BeRe09_afp, author = {Stefan Berghofer and Markus Reiter}, title = {Formalizing the Logic-Automaton Connection }, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/Presburger-Automata.shtml}}, month = Dec, year = 2009, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{Kun04, author = {Viktor Kuncak}, title = {Binary Search Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/BinarySearchTree.shtml}}, month = Apr, year = 2004, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{NiPu04, author = {Tobias Nipkow and Cornelia Pusch}, title = {{AVL} Trees}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{https://isa-afp.org/entries/AVL-Trees.shtml}}, month = Mar, year = 2004, note = {Formal proof development}, ISSN = {2150-914x} } @inproceedings{DiPe09, author = {de Dios, Javier and Pe{\~n}a, Ricardo}, title = {Formal Certification 
of a Resource-Aware Language Implementation}, booktitle = {TPHOLs '09}, year = {2009}, isbn = {978-3-642-03358-2}, pages = {196--211}, location = {Munich, Germany}, doi = {https://doi.org/10.1007/978-3-642-03359-9_15}, publisher = Springer, address = {Berlin, Heidelberg}, } @ARTICLE{KaMo97, author = {Matt Kaufmann and J. Strother Moore}, title = {An Industrial Strength Theorem Prover for a Logic Based on {C}ommon {L}isp}, journal = {IEEE Transactions on Software Engineering}, year = {1997}, volume = {23}, pages = {203--213} } @techreport{C++STL, author = {Alexander Stepanov and Meng Lee}, title={The Standard Template Library}, institution = {HP Laboratories}, year = {1995}, month = {November}, number= {95-11(R.1)} } @Misc{JavaCollFr, key="Java Collections Framework", title = {{J}ava: The Collections Framework}, url = {http://java.sun.com/javase/6/docs/technotes/ guides/collections/} } @Misc{MLton, key="MLton", title = {{MLton} {Standard ML} compiler}, note = {http://mlton.org/}, url = {http://mlton.org/} } @misc{LETHAL, key = "Lethal", title = "{LETHAL} Tree and Hedge Automata Library", url = "http://lethal.sourceforge.net/" } @Misc{TIMBUK, author = {T. Genet and V. V. T. Tong}, title = {{T}imbuk 2.2}, url = {http://www.irisa.fr/celtique/genet/timbuk/}, } @misc{Coq:Std:Lib, key = "Coq", title = "The {Coq} Standard Library", url = "http://coq.inria.fr/stdlib/index.html" } @inproceedings{Ballarin:2006:MKM, author = "Clemens Ballarin", title = "Interpretation of Locales in {Isabelle}: Theories and Proof Contexts", editor = "J. M. Borwein and W. M. Farmer", booktitle = "MKM 2006", series = "LNAI", volume = "4108", pages = "31--43", year = 2006, publisher = Springer } @article{Hardy:Ramanujan:1917:QJM, author = "G. H. Hardy and S. Ramanujan", title = "The normal number of prime factors of a number", journal = "Quart. J. 
of Math.", volume = 48, pages = "76--92", year = "1917" } @inproceedings{Peyton:Jones:1996:FPW, author = "Peyton Jones, Simon", title = "Bulk types with class", booktitle = "FPW '96", year = 1996 } @InProceedings{LL10, author = {P. Lammich and A. Lochbihler}, title = {The {Isabelle} {Collections} {Framework}}, booktitle = {Proc. of ITP}, series = LNCS, publisher = Springer, pages = {339--354}, volume = {6172}, year = {2010} } @inproceedings{Kr10, author={Alexander Krauss}, title={Recursive definitions of monadic functions}, booktitle={Proc. of PAR}, volume={43}, pages={1--13}, year={2010} } @phdthesis{Stap99, author = {Mark Staples}, title = {A Mechanised Theory of Refinement}, school = {University of Cambridge}, year = {1999}, note = {2nd edition} } @article{Morr87, title = {A theoretical basis for stepwise refinement and the programming calculus}, author = {Joseph M. Morris}, journal = {Science of Computer Programming}, volume = {9}, number = {3}, pages = {287--306}, year = {1987} } @inproceedings{HaNi10, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {FLOPS 2010}, series = LNCS, year = {2010}, publisher = Springer } @incollection{L09_collections, author = {Peter Lammich}, title = {Collections Framework}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Collections.shtml}}, month = Dec, year = 2009, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{L09_tree_automata, author = {Peter Lammich}, title = {Tree Automata}, booktitle = {Archive of Formal Proofs}, publisher = {\url{https://isa-afp.org/entries/Tree-Automata.shtml}}, month = Dec, year = {2009}, note = {Formal proof development}, ISSN = {2150-914x} } @INPROCEEDINGS{CHY07, author={Calcagno, C. and O'Hearn, P.W. 
and Hongseok Yang}, booktitle={LICS 2007}, title={Local Action and Abstract Separation Logic}, year={2007}, month={July}, pages={366-378}, } @inproceedings{Rey02, author = {John C. Reynolds}, title = {Separation Logic: A Logic for Shared Mutable Data Structures}, booktitle = {Proc of. Logic in Computer Science (LICS)}, year={2002}, pages={55--74}, publisher={IEEE} } @MasterThesis{Meis2011, author={Rene Meis}, title={{I}ntegration von {S}eparation {L}ogic in das {I}mperative {HOL}-{F}ramework}, note={Master Thesis, WWU M\"unster}, year={2011}, school={WWU M\"unster} } @INPROCEEDINGS{Wad92, author = {Philip Wadler}, title = {Comprehending Monads}, booktitle = {Mathematical Structures in Computer Science}, year = {1992}, pages = {61--78} } @book{mmo97, author={Markus M{\"u}ller-Olm}, title={Modular Compiler Verification {---} A Refinement-Algebraic Approach Advocating Stepwise Abstraction}, publisher=Springer, year={1997}, series=LNCS, volume={1283} } @book{NPW02, author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, title = {{Isabelle/HOL} --- A Proof Assistant for Higher-Order Logic}, publisher = Springer, series = LNCS, volume = 2283, year = 2002 } @InCollection{brz62, author = {J. A. Brzozowski}, title = {Canonical regular expressions and minimal state graphs for definite events}, booktitle = {Mathematical theory of Automata}, note = {Volume 12 of MRI Symposia Series}, pages = {529--561}, publisher = {Polytechnic Press, Polytechnic Institute of Brooklyn, N.Y.}, year = {1962} } @InCollection{Hop71, author = {John E. Hopcroft}, title = {An $n\log n$ algorithm for minimizing the states in a finite automaton}, booktitle = {Theory of Machines and Computations}, year = {1971}, publisher = {Academic Press}, pages = {189--196} } @TechReport{wat93, author = {Bruce W. Watson}, title = {A taxonomy of finite automata minimization algorithms}, institution = {Eindhoven University of Technology, The Netherlands}, year = 1993, type = {Comp. Sci. 
Note}, number = {93/44}, issn = "0926-4515" } @article {Hoa72, author = {Hoare, C. A. R.}, title = {Proof of correctness of data representations}, journal = {Acta Informatica}, publisher = Springer, keyword = {Computer Science}, pages = {271--281}, volume = {1}, issue = {4}, year = {1972} } @article{Hoa69, author = {Hoare, C. A. R.}, title = {An axiomatic basis for computer programming}, journal = {Commun. ACM}, volume = 12, issue = 10, month = {October}, year = 1969, pages = {576--580}, numpages = 5, publisher = {ACM}, address = {New York, NY, USA}, } @Book{GoMe93, Author = {M.J.C. Gordon and T.F. Melham}, Title = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic}, Publisher = {Cambridge University}, key = {GoMe93}, year = 1993 } @inproceedings{SlindN08, author = {Konrad Slind and Michael Norrish}, title = {A Brief Overview of {HOL4}}, booktitle = {TPHOLs}, year = 2008, pages = {28--32}, ee = {https://doi.org/10.1007/978-3-540-71067-7_6}, crossref = {DBLP:conf/tphol/2008}, bibsource = {DBLP, http://dblp.uni-trier.de} } @INPROCEEDINGS{Bra09, author = {Thomas Braibant and Damien Pous}, title = {A tactic for deciding {K}leene algebras}, booktitle = {First Coq Workshop}, year = {2009} } @MISC{Con97, author = {Robert L. Constable and Paul B. Jackson and Pavel Naumov and Juan Uribe}, title = {Formalizing Automata Theory {I}: Finite Automata}, year = {1997} } @inproceedings{Bac06, author = {Baclet, Manuel and Pagetti, Claire}, booktitle = {Proc. of CIAA 2006}, journal = {Implementation and Application of Automata}, pages = {114--125}, title = {Around {H}opcroft's Algorithm}, volume = {LNCS 4094}, year = 2006 } @article{AMR07, author = {Almeida, Marco and Moreira, Nelma and Reis, Rog\'{e}rio}, title = {Enumeration and generation with a string automata representation}, journal = {Theor. Comput. 
Sci.}, volume = {387}, issue = {2}, month = {November}, year = {2007}, issn = {0304-3975}, pages = {93--102}, numpages = {10}, url = {http://dl.acm.org/citation.cfm?id=1297415.1297473}, doi = {10.1016/j.tcs.2007.07.029}, acmid = {1297473}, publisher = {Elsevier Science Publishers Ltd.}, address = {Essex, UK}, keywords = {Exact enumeration, Finite automata, Initially-connected deterministic finite automata, Minimal automata, Random generation}, } @inproceedings{FAdo09, author = {Andr{\'e} Almeida and Marco Almeida and Jos{\'e} Alves and Nelma Moreira and Rog{\'e}rio Reis}, title = {{FAdo} and {GUItar}}, booktitle = {CIAA}, year = {2009}, pages = {65--74}, ee = {https://doi.org/10.1007/978-3-642-02979-0_10}, crossref = {DBLP:conf/wia/2009}, bibsource = {DBLP, http://dblp.uni-trier.de} } @proceedings{DBLP:conf/wia/2009, editor = {Sebastian Maneth}, title = {Implementation and Application of Automata}, booktitle = {CIAA}, publisher = Springer, series = LNCS, volume = {5642}, year = {2009}, isbn = {978-3-642-02978-3}, ee = {https://doi.org/10.1007/978-3-642-02979-0}, bibsource = {DBLP, http://dblp.uni-trier.de} } @article{Blum96, title={An {O}(n log n) implementation of the standard method for minimizing n-state finite automata}, volume={6}, number={2}, journal={Information Processing Letters}, author={Blum, Norbert}, year={1996}, pages={65--69}} @InProceedings{GerPelVarWol95, author = {Rob Gerth and Doron Peled and Moshe Y. Vardi and Pierre Wolper}, title = {Simple on-the-fly automatic verification of linear temporal logic}, editor = {Piotr Dembinski and Marek Sredniawa}, booktitle = {Proc.\ Int.\ Symp.\ Protocol Specification, Testing, and Verification}, pages = {3--18}, year = 1996, publisher = {Chapman \& Hall}, series = {IFIP Conference Proceedings}, volume = {38}, } @InProceedings{SchMerSma09, author = {Alexander Schimpf and Stephan Merz and Jan-Georg Smaus}, editor = {S. Berghofer and T. Nipkow and C. Urban and M. 
Wenzel}, title = {Construction of {B}{\"u}chi Automata for {LTL} Model Checking Verified in {I}sabelle/{HOL}}, booktitle = {Theorem Proving in Higher Order Logics, TPHOLs 2009}, year = 2009, pages = {424--439}, series = LNCS, volume = {5674}, publisher = Springer } @INPROCEEDINGS{SE05, author = {Stefan Schwoon and Javier Esparza}, title = {A Note on On-The-Fly Verification Algorithms}, booktitle = {TACAS}, year = {2005}, volume = {3440}, series = LNCS, pages = {174--190}, publisher = Springer } @ARTICLE{CVWY92, author = {Courcoubetis, C. and Vardi, M. and Wolper, P. and Yannakakis, M.}, title = {Memory-efficient algorithms for the verification of temporal properties}, journal = {Formal Methods in System Design}, year = {1992}, volume = {1}, pages = {275--288}, number = {2/3}, abstract = {This article addresses the problem of designing memory-efficient algorithms for the verification of temporal properties of finite-state programs. Both the programs and their desired temporal properties are modeled as automata on infinite words (B{\"u}chi automata). Verification is then reduced to checking the emptiness of the automaton resulting from the product of the program and the property. This problem is usually solved by computing the strongly connected components of the graph representing the product automaton. Here, we present algorithms that solve the emptiness problem without explicitly constructing the strongly connected components of the product graph. 
By allowing the algorithms to err with some probability, we can implement them with a randomly accessed memory of size O(n) bits, where n is the number of states of the graph, instead of O(n log n) bits that the presently known algorithms require.}, issn = {0925-9856}, issue = {2}, publisher = Springer } @INPROCEEDINGS{HPY96, author = {Gerard Holzmann and Doron Peled and Mihalis Yannakakis}, title = {On Nested Depth First Search}, booktitle = {SPIN}, year = {1996}, volume = {32}, series = {Discrete Mathematics and Theoretical Computer Science}, pages = {23--32}, publisher = {American Mathematical Society} } @inproceedings{DBLP:conf/tacas/ChouP96, author = {Ching-Tsun Chou and Doron Peled}, title = {Formal Verification of a Partial-Order Reduction Technique for Model Checking}, booktitle = {Tools and Algorithms for the Construction and Analysis of Systems (TACAS)}, year = {1996}, pages = {241--257}, ee = {https://doi.org/10.1007/3-540-61042-1_48}, crossref = {DBLP:conf/tacas/1996}, bibsource = {DBLP, http://dblp.uni-trier.de} } @proceedings{DBLP:conf/tacas/1996, editor = {Tiziana Margaria and Bernhard Steffen}, title = {Tools and Algorithms for Construction and Analysis of Systems}, booktitle = {TACAS}, publisher = Springer, series = LNCS, volume = {1055}, year = {1996}, isbn = {3-540-61042-1}, bibsource = {DBLP, http://dblp.uni-trier.de} } @ARTICLE{ChoySingh:1994:leaderfilters, author = {Choy, Manhoi and Singh, Ambuj K.}, title = {Adaptive solutions to the mutual exclusion problem}, journal = {Distributed Computing}, year = {1994}, volume = {8}, pages = {1--17}, number = {1}, issn = {0178-2770}, keywords = {Adaptive algorithms; Leader election; Mutual exclusion; Synchronization}, language = {English}, publisher = Springer } @BOOK{BaierKatoen:2008:modelchecking, title = {Principles of Model Checking}, publisher = {MIT Press}, year = {2008}, author = {Christel Baier and Joost-Pieter Katoen} } @INPROCEEDINGS{HaftmannNipkow:2010:codegeneration, author = {Florian 
Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {Functional and Logic Programming (FLOPS)}, year = {2010}, editor = {Matthias Blume and Naoki Kobayashi and Germ{\'a}n Vidal}, volume = {6009}, pages = {103--117}, series = LNCS, publisher = Springer } @article{FF56, title={Maximal flow through a network}, author={Ford, Lester R and Fulkerson, Delbert R}, journal={Canadian journal of Mathematics}, volume={8}, number={3}, pages={399--404}, year={1956} } @article{Lee05, title={Correctnesss of Ford-Fulkerson’s Maximum Flow Algorithm1}, author={Lee, Gilbert}, journal={Formalized Mathematics}, volume={13}, number={2}, pages={305--314}, year={2005} } @book{CLRS09, author = {Cormen, Thomas H. and Leiserson, Charles E. and Rivest, Ronald L. and Stein, Clifford}, title = {Introduction to Algorithms, Third Edition}, year = {2009}, edition = {3rd}, publisher = {The MIT Press}, } @article{EK72, title={Theoretical improvements in algorithmic efficiency for network flow problems}, author={Edmonds, Jack and Karp, Richard M}, journal={J.~ACM}, volume={19}, number={2}, pages={248--264}, year={1972}, publisher={ACM} } @article{Zwick95, title={The smallest networks on which the {F}ord-{F}ulkerson maximum flow procedure may fail to terminate}, author={Zwick, Uri}, journal={Theoretical computer science}, volume={148}, number={1}, pages={165--170}, year={1995}, publisher={Elsevier} }
diff --git a/thys/Refine_Monadic/document/root.bib b/thys/Refine_Monadic/document/root.bib
--- a/thys/Refine_Monadic/document/root.bib
+++ b/thys/Refine_Monadic/document/root.bib
@@ -1,267 +1,267 @@ @InProceedings{CKS08, author = {David Cock and Gerwin Klein and Thomas Sewell}, title = {Secure Microkernels, State Monads and Scalable Refinement}, booktitle = {Proceedings of the 21st International Conference on Theorem Proving in Higher Order Logics (TPHOLs'08)}, year = {2008}, editor = {Otmane Ait Mohamed and C\'{e}sar Mu\~{n}oz and Sofi\`{e}ne Tahar}, series = {Lecture Notes in Computer Science}, publisher = {Springer-Verlag}, pages = {167--182}, volume = {5170}, } @inproceedings{SchM98, author = {Martin Schwenke and Brendan Mahony}, title = {The Essence of Expression Refinement}, booktitle = {Proc. of International Refinement Workshop and Formal Methods}, year = {1998}, pages = {324--333} } @inproceedings{BKHEM08, author = {Lukas Bulwahn and Alexander Krauss and Florian Haftmann and Levent Erk{\"o}k and John Matthews}, title = {Imperative Functional Programming with Isabelle/HOL}, booktitle = {TPHOLs}, year = {2008}, pages = {134-149}, publisher = {Springer}, series = {Lecture Notes in Computer Science}, volume = {5170}, year = {2008}, } @InProceedings{LL10, author = {P. Lammich and A. 
Lochbihler}, title = {The {Isabelle} Collections Framework}, booktitle = {Interactive Theorem Proving}, series = {Lecture Notes in Computer Science}, editor = {Kaufmann, Matt and Paulson, Lawrence}, publisher = {Springer}, pages = {339--354}, volume = {6172}, year = {2010} } @inproceedings{Kr10, author={Alexander Krauss}, title={Recursive definitions of monadic functions}, editor={Ana Bove and Ekaterina Komendantskaya and Milad Niqui}, booktitle={Workshop on Partiality and Recursion in Interactive Theorem Proving (PAR 2010)}, volume={43}, pages={1-13}, year={2010} } @phdthesis{Haft09, author = {Florian Haftmann}, title = {Code Generation from Specifications in Higher Order Logic}, school = {Technische Universit\"at M\"unchen}, year = {2009}, } @inproceedings{HaNi10, author = {Florian Haftmann and Tobias Nipkow}, title = {Code Generation via Higher-Order Rewrite Systems}, booktitle = {Functional and Logic Programming (FLOPS 2010)}, series = {LNCS}, year = {2010}, publisher = {Springer} } @incollection{L09_collections, author = {Peter Lammich}, title = {Collections Framework}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/collections.shtml}}, month = Dec, year = 2009, note = {Formal proof development}, ISSN = {2150-914x} } @incollection{L09_tree_automata, author = {Peter Lammich}, title = {Tree Automata}, booktitle = {Archive of Formal Proofs}, editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, publisher = {\url{http://isa-afp.org/entries/Tree-Automata.shtml}}, month = Dec, year = {2009}, note = {Formal proof development}, ISSN = {2150-914x} } @inproceedings{Rey02, author = {John C. Reynolds}, title = {Separation Logic: A Logic for Shared Mutable Data Structures}, booktitle = {Proc of. 
Logic in Computer Science (LICS)}, year={2002}, pages={55-74}, publisher={IEEE} } @masterthesis{Meis2011, author={Rene Meis}, title={Integration von Separation Logic in das Imperative HOL-Framework}, year={2011}, school={WWU M\"unster} } @book{mmo97, author={Markus M{\"u}ller-Olm}, title={Modular Compiler Verification {---} A Refinement-Algebraic Approach Advocating Stepwise Abstraction}, publisher={Springer}, year={1997}, series={LNCS}, volume={1283} } @book{NPW02, author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel}, title = {Isabelle/HOL --- A Proof Assistant for Higher-Order Logic}, publisher = {Springer}, series = {LNCS}, volume = 2283, year = 2002 } @book{BaWr98, author = {Ralph-Johan Back and Joakim von Wright}, title = {Refinement Calculus --- A Systematic Introduction}, publisher = {Springer}, year = {1998} } @incollection {Old84, author = {Olderog, Ernst-R{\"u}diger}, - title = {Hoare's logic for programs with procedures — What has been achieved?}, + title = {Hoare's logic for programs with procedures --- What has been achieved?}, booktitle = {Logics of Programs}, series = {Lecture Notes in Computer Science}, publisher = {Springer Berlin / Heidelberg}, pages = {383-395}, volume = {164}, year = {1984} } @book{RoEn98, author = {Willem-Paul de Roever and Kai Engelhardt}, title = {Data Refinement: Model-Oriented Proof Methods and their Comparison}, publisher = {Cambridge University Press}, year = {1998} } @ARTICLE{BaWr90, author = {R. J. R. Back and J. von Wright}, title = {Refinement Concepts Formalized in Higher Order Logic}, journal = {Formal Aspects of Computing}, year = {1990}, volume = {2} } @ARTICLE{BaWr00, title = {Encoding, Decoding and Data Refinement}, author = {Back, Ralph-Johan and von Wright, Joakim}, journal = {Formal Aspects of Computing}, volume = {12}, pages = {313-349}, year = {2000}, } @incollection {MSS86, author = {Melton, A. and Schmidt, D. 
and Strecker, G.}, title = {Galois connections and computer science applications}, booktitle = {Category Theory and Computer Programming}, series = {Lecture Notes in Computer Science}, publisher = {Springer Berlin / Heidelberg}, pages = {299-312}, volume = {240}, year = {1986} } @INPROCEEDINGS{LRW95, author = {Thomas Langbacka and Rimvydas Ruksenas and Joakim von Wright}, title = {TkWinHOL: A Tool for Doing Window Inference in HOL}, booktitle = {In Proc. 1995 International Workshop on Higher Order Logic Theorem Proving and its Applications, Lecture}, year = {1995}, pages = {245--260}, publisher = {Springer-Verlag} } @techreport{RuWr97, author = {Rimvydas Ruksenas and Joakim von Wright}, title = {A Tool for Data Refinement}, year = {1997}, institution = {Turku Centre for Computer Science}, number = {TUCS Technical Report No 119} } @INPROCEEDINGS{Wri94, author = {J. von Wright}, title = {Program Refinement by Theorem Prover}, booktitle = {In BCS FACS Sixth Refinement Workshop -- Theory and Practise of Formal Software Development}, year = {1994}, publisher = {SpringerVerlag} } @techreport{Egl75, author = {Herbert Egli}, title = {A mathematical model for nondeterministic computations}, institution = {ETH Z{\"u}rich}, year = {1975} } @article{Plo76, author= {G. D. Plotkin}, title = {A Powerdomain Construction}, journal = {SIAM J. Comput.}, volume = {5}, issue = {3}, pages = {452-487}, year = {1976} } @phdthesis{Back78, author = {Ralph-Johan Back}, title = {On the correctness of refinement steps in program development}, school = {Department of Computer Science, University of Helsinki}, year = {1978}, note = {Report A-1978-4} } @phdthesis{Preo06, author= {Viorel Preoteasa}, title= {Program Variables --- The Core of Mechanical Reasoning about Imperative Programs}, school= {Turku Centre for Computer Science}, year= {2006} } @article {Hoa72, author = {Hoare, C. A. 
R.}, title = {Proof of correctness of data representations}, journal = {Acta Informatica}, publisher = {Springer Berlin / Heidelberg}, issn = {0001-5903}, keyword = {Computer Science}, pages = {271-281}, volume = {1}, issue = {4}, url = {https://doi.org/10.1007/BF00289507}, note = {10.1007/BF00289507}, year = {1972} } @phdthesis{Stap99, author = {Mark Staples}, title = {A Mechanised Theory of Refinement}, school = {University of Cambridge}, year = {1999}, note = {2nd edition} }
diff --git a/thys/Types_To_Sets_Extension/ETTS/Manual/ETTS_Syntax.thy b/thys/Types_To_Sets_Extension/ETTS/Manual/ETTS_Syntax.thy
--- a/thys/Types_To_Sets_Extension/ETTS/Manual/ETTS_Syntax.thy
+++ b/thys/Types_To_Sets_Extension/ETTS/Manual/ETTS_Syntax.thy
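Review bot: `@masterthesis{Meis2011` (a context line of this hunk) is not a standard entry type — the standard BibTeX styles know `@mastersthesis`, so this entry produces an unknown-type warning and renders incompletely; `@mastersthesis{Meis2011,` fixes it. In the same hunk, `BKHEM08` declares `year = {2008}` twice, which BibTeX reports as an ignored extra field, and `Hoa72` carries its DOI in `url` and `note` rather than in `doi = {10.1007/BF00289507}`. Since the commit normalises the em dash in `Old84` to `---`, note that the AnselmGod hunk above still leaves a curly apostrophe in the title of `Lee05` (`Ford-Fulkerson’s`), which appears to be the same class of non-ASCII character this commit removes.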
@@ -1,221 +1,221 @@ (* Title: ETTS/Manual/ETTS_Syntax.thy Author: Mihails Milehins Copyright 2021 (C) Mihails Milehins *) section\Syntax\ theory ETTS_Syntax imports ETTS_Theory begin subsection\Background\ text \ This section presents the syntactic categories that are associated with the commands @{command tts_context}, @{command tts_lemmas}, @{command tts_lemma}, and several other closely related auxiliary commands. It is important to note that the presentation of the syntax is approximate. \ subsection\Registration of the set-based terms\ text\ \begin{matharray}{rcl} @{command_def "tts_register_sbts"} & : & \local_theory \ proof(prove)\ \\ @{command_def "tts_find_sbts"} & : & \context \\ \end{matharray} \<^medskip> \<^rail>\ @@{command tts_register_sbts} term @'|' (term + @'and') ; @@{command tts_find_sbts} (term + @'and') \ \<^descr> \<^theory_text>\tts_register_sbts\ \t\ \|\ \U\<^sub>1\ \<^theory_text>\and\ \\\ \<^theory_text>\and\ \U\<^sub>n\ allows for the registration of the set-based terms in the sbt-database. Generally, \U\<^sub>i\ (\1\i\n\) must be distinct fixed variables with distinct types of the form \<^typ>\'a set\, with the set of the type variables that occur in the types of \U\<^sub>i\ equivalent to the set of the type variables that occur in the type of \t\. \<^descr> \<^theory_text>\tts_find_sbts\ \t\<^sub>1\ \<^theory_text>\and\ \\\ \<^theory_text>\and\ \t\<^sub>n\ prints the templates for the transfer rules for the set-based terms \t\<^sub>1\t\<^sub>n\ for some positive integer \n\. If no arguments are provided, then the templates for all sbterms in the sbt-database are printed. 
\ subsection\Relativization of theorems\ text\ \begin{matharray}{rcl} @{command_def "tts_context"} & : & \theory \ local_theory\ \\ @{command_def "tts_lemmas"} & : & \local_theory \ local_theory\ \\ @{command_def "tts_lemma"} & : & \local_theory \ proof(prove)\ \\ @{command_def "tts_theorem"} & : & \local_theory \ proof(prove)\ \\ @{command_def "tts_corollary"} & : & \local_theory \ proof(prove)\ \\ @{command_def "tts_proposition"} & : & \local_theory \ proof(prove)\ \\ \end{matharray} The relativization of theorems should always be performed inside an appropriately parameterized tts context. The tts context can be set up using the command @{command tts_context}. The framework introduces two types of interfaces for the application of the extended relativization algorithm: @{command tts_lemmas} and the family of the commands with the identical functionality: @{command tts_lemma}, @{command tts_theorem}, @{command tts_corollary}, @{command tts_proposition}. Nonetheless, the primary purpose of the command @{command tts_lemmas} is the experimentation and the automated generation of the relativized results stated using the command @{command tts_lemma}. \<^medskip> \<^rail>\ @@{command tts_context} param @'begin' ; @@{command tts_lemmas} ((@'!' | @'?')?) tts_facts ; ( @@{command tts_lemma} | @@{command tts_theorem} | @@{command tts_corollary} | @@{command tts_proposition} ) (tts_short_statement | tts_long_statement) ; param: (sets var rewriting subst eliminating app) ; sets: (@'tts' @':' ('(' type_var @'to' term ')' + @'and')) ; var: (@'sbterms' @':' vars)? ; vars: ('(' term @'to' term ')' + @'and') ; rewriting: (@'rewriting' thm)? ; subst: (@'substituting' (thm + @'and'))? ; eliminating: (@'eliminating' elpat? @'through' method)? ; elpat: (term + @'and') ; app: (@'applying' attributes)? ; tts_short_statement: short_statement tts_addendum ; tts_long_statement: thmdecl? 
context tts_conclusion ; tts_conclusion: ( @'shows' (props tts_addendum + @'and') | @'obtains' obtain_clauses tts_addendum ) ; tts_addendum: (@'given' thm | @'is' thm) ; tts_facts: @'in' (thmdef? thms + @'and') ; \ \<^descr> \<^theory_text>\tts_context param begin\ provides means for the specification of a new (unnamed) tts context. \<^descr> \<^theory_text>\tts\~\:\~\(?a\<^sub>1\ \<^theory_text>\to\ \U\<^sub>1)\ \<^theory_text>\and\ \\\ \<^theory_text>\and\ \(?a\<^sub>n\ \<^theory_text>\to\ \U\<^sub>n)\ provides means for the declaration of the RI specification. -For each \i\ (\1\i\n\, \n\ — positive integer), \?a\<^sub>i\ must be a schematic type variable that +For each \i\ (\1\i\n\, \n\ --- positive integer), \?a\<^sub>i\ must be a schematic type variable that occurs in each theorem provided as an input to the commands @{command tts_lemmas} and @{command tts_lemma} invoked inside the tts context and \U\<^sub>i\ can be any term of the type \<^typ>\'a set\, where \<^typ>\'a\ is a fixed type variable. \<^descr> \<^theory_text>\sbterms\~\:\~\(tbcv\<^sub>1\ \<^theory_text>\to\ \sbt\<^sub>1)\ \<^theory_text>\and\ \\\ \<^theory_text>\and\ \(tbcv\<^sub>n\ \<^theory_text>\to\ \sbt\<^sub>n)\ can be used for the declaration of the sbterm specification. For each individual entry \i\, such that \1\i\n\ with \n\ being a non-negative integer, \tbcv\<^sub>i\ has to be either an overloaded operation that occurs in every theorem that is provided as an input to the extended relativization algorithm or a schematic variable that occurs in every theorem that is provided as an input to the command, and \sbt\<^sub>i\ has to be a term registered in the sbt-database. \<^descr> \<^theory_text>\rewriting\ \thm\ provides means for the declaration of the rewrite rules for the set-based theorem. 
\<^descr> \<^theory_text>\substituting\ \thm\<^sub>1\ \<^theory_text>\and\ \\\ \<^theory_text>\and\ \thm\<^sub>n\ -(\n\ — non-negative integer) provides means for the declaration of the +(\n\ --- non-negative integer) provides means for the declaration of the known premises for the set-based theorem. \<^descr> \<^theory_text>\eliminating\ \term\<^sub>1\ \<^theory_text>\and\ \\\ \<^theory_text>\and\ \term\<^sub>n\ -\<^theory_text>\through\ \method\ (\n\ — non-negative integer) provides means for the +\<^theory_text>\through\ \method\ (\n\ --- non-negative integer) provides means for the declaration of the specification of the elimination of premises in the set-based theorem. - \<^descr> \<^theory_text>\applying\ \[attr\<^sub>1, \, attr\<^sub>n]\ (\n\ — non-negative integer) + \<^descr> \<^theory_text>\applying\ \[attr\<^sub>1, \, attr\<^sub>n]\ (\n\ --- non-negative integer) provides means for the declaration of the attributes for the set-based theorem. \<^descr> \<^theory_text>\tts_lemmas\ applies the ERA to a list of facts and saves the resulting set-based facts in the context. The command @{command tts_lemmas} should always be invoked from within a tts context. If the statement of the command is followed immediately by the optional keyword \<^theory_text>\!\, then it operates in the verbose mode, printing the output of the application of the individual steps of the ERA. If the statement of the command is followed immediately by the optional keyword \<^theory_text>\?\, then the command operates in the active mode, outputting the set-based facts in the form of the ``active areas'' that can be embedded in the Isabelle theory file inside the tts context from which the command @{command tts_lemmas} was invoked. There is a further minor difference between the active mode and the other two modes of operation that is elaborated upon within the description of the keyword \<^theory_text>\in\ below. 
\<^descr> \<^theory_text>\in\ \sbf\<^sub>1 = tbf\<^sub>1\ \<^theory_text>\and\ \\\ \<^theory_text>\and\ \sbf\<^sub>n = tbf\<^sub>n\ is used for the specification of the type-based theorems and the output of the command. For each individual entry \i\, such that \1\i\n\ with \n\ being a positive integer, \tbf\<^sub>i\ is used for the specification of the input of the extended relativization algorithm and \sbf\<^sub>i\ is used for the specification of the name binding for the output of the extended relativization algorithm. The specification of the output is optional: if \sbf\<^sub>i\ is omitted, then a default specification of the output is inferred automatically. \tbf\<^sub>i\ must be a schematic fact available in the context, whereas \sbf\<^sub>i\ can be any fresh name binding. Optionally, it is possible to provide attributes for each individual input and output, e.g., \sbf\<^sub>i[sbf_attrb] = tbf\<^sub>i[tbf_attrb]\. In this case, the list of the attributes \tbf_attrb\ is applied to \tbf\<^sub>i\ during the first part (initialization of the relativization context) of the ERA. If the command operates in the active mode, then the attributes \sbf_attrb\ are included in the active area output, but not added to the list of the set-based attributes. For other modes of operation, the attributes \sbf_attrb\ are added to the list of the set-based attributes and applied during the third part (post-processing) of the ERA. \<^descr> \<^theory_text>\tts_lemma\~\a: \\ @{syntax "tts_addendum"}, enters proof mode with the main goal formed by an application of a tactic that depends on the settings specified in @{syntax "tts_addendum"} to \\\. Eventually, this results in some fact \\\\ to be put back into the target context. The command should always be invoked from within a tts context. \<^descr> A @{syntax tts_long_statement} is similar to the standard @{syntax long_statement} in that it allows to build up an initial proof context for the subsequent claim incrementally. 
Similarly, @{syntax tts_short_statement} can be viewed as a natural extension of the standard @{syntax short_statement}. \<^descr> @{syntax "tts_addendum"} is used for the specification of the pre-processing strategy of the goal \\\. \mbox{\\\ \<^theory_text>\is\ \thm\} applies the extended relativization algorithm to \thm\. If the term that is associated with the resulting set-based theorem is \\\-equivalent to the term associated with the goal \\\, then a specialized tactic solves the main goal, leaving only a trivial goal in its place (the trivial goal can be solved using the terminal proof \mbox{step \textbf{.}}). \mbox{\\\ \<^theory_text>\given\ \thm\} also applies the extended relativization algorithm to \thm\, but the resulting set-based theorem is merely added as a premise to the goal \\\. \ text\\newpage\ end
\ No newline at end of file
diff --git a/thys/Verified_SAT_Based_AI_Planning/SAS_Plus_STRIPS.thy b/thys/Verified_SAT_Based_AI_Planning/SAS_Plus_STRIPS.thy
--- a/thys/Verified_SAT_Based_AI_Planning/SAS_Plus_STRIPS.thy
+++ b/thys/Verified_SAT_Based_AI_Planning/SAS_Plus_STRIPS.thy
@@ -1,4403 +1,4403 @@ (* Author: Mohammad Abdulaziz, Fred Kurz *) theory SAS_Plus_STRIPS imports "STRIPS_Semantics" "SAS_Plus_Semantics" "Map_Supplement" begin section "SAS+/STRIPS Equivalence" text \ The following part is concerned with showing the equivalent expressiveness of SAS+ and STRIPS as discussed in \autoref{sub:equivalence-sas-plus-strips}. \ subsection "Translation of SAS+ Problems to STRIPS Problems" definition possible_assignments_for :: "('variable, 'domain) sas_plus_problem \ 'variable \ ('variable \ 'domain) list" where "possible_assignments_for \ v \ [(v, a). a \ the (range_of \ v)]" definition all_possible_assignments_for :: "('variable, 'domain) sas_plus_problem \ ('variable \ 'domain) list" where "all_possible_assignments_for \ \ concat [possible_assignments_for \ v. v \ variables_of \]" definition state_to_strips_state :: "('variable, 'domain) sas_plus_problem \ ('variable, 'domain) state \ ('variable, 'domain) assignment strips_state" ("\\<^sub>S _ _" 99) where "state_to_strips_state \ s \ let defined = filter (\v. s v \ None) (variables_of \) in map_of (map (\(v, a). ((v, a), the (s v) = a)) (concat [possible_assignments_for \ v. v \ defined]))" definition sasp_op_to_strips :: "('variable, 'domain) sas_plus_problem \ ('variable, 'domain) sas_plus_operator \ ('variable, 'domain) assignment strips_operator" ("\\<^sub>O _ _" 99) where "sasp_op_to_strips \ op \ let pre = precondition_of op ; add = effect_of op ; delete = [(v, a'). (v, a) \ effect_of op, a' \ filter ((\) a) (the (range_of \ v))] in STRIPS_Representation.operator_for pre add delete" definition sas_plus_problem_to_strips_problem :: "('variable, 'domain) sas_plus_problem \ ('variable, 'domain) assignment strips_problem" ("\ _ " 99) where "sas_plus_problem_to_strips_problem \ \ let vs = [as. 
v \ variables_of \, as \ (possible_assignments_for \) v] ; ops = map (sasp_op_to_strips \) (operators_of \) ; I = state_to_strips_state \ (initial_of \) ; G = state_to_strips_state \ (goal_of \) in STRIPS_Representation.problem_for vs ops I G" definition sas_plus_parallel_plan_to_strips_parallel_plan :: "('variable, 'domain) sas_plus_problem \ ('variable, 'domain) sas_plus_parallel_plan \ ('variable \ 'domain) strips_parallel_plan" ("\\<^sub>P _ _" 99) where "sas_plus_parallel_plan_to_strips_parallel_plan \ \ \ [[sasp_op_to_strips \ op. op \ ops]. ops \ \]" (* TODO first argument should be ('variable, 'domain) strips_problem *) definition strips_state_to_state :: "('variable, 'domain) sas_plus_problem \ ('variable, 'domain) assignment strips_state \ ('variable, 'domain) state" ("\\<^sub>S\ _ _" 99) where "strips_state_to_state \ s \ map_of (filter (\(v, a). s (v, a) = Some True) (all_possible_assignments_for \))" (* TODO remove problem argument *) definition strips_op_to_sasp :: "('variable, 'domain) sas_plus_problem \ ('variable \ 'domain) strips_operator \ ('variable, 'domain) sas_plus_operator" ("\\<^sub>O\ _ _" 99) where "strips_op_to_sasp \ op \ let precondition = strips_operator.precondition_of op ; effect = strips_operator.add_effects_of op in \ precondition_of = precondition, effect_of = effect \" (* TODO \strips_parallel_plan_to_sas_plus_parallel_plan \ \_P\\ and \strips_op_to_sasp \ \_O\\ *) definition strips_parallel_plan_to_sas_plus_parallel_plan :: "('variable, 'domain) sas_plus_problem \ ('variable \ 'domain) strips_parallel_plan \ ('variable, 'domain) sas_plus_parallel_plan" ("\\<^sub>P\ _ _" 99) where "strips_parallel_plan_to_sas_plus_parallel_plan \ \ \ [[strips_op_to_sasp \ op. op \ ops]. ops \ \]" text \ To set up the equivalence proof context, we declare a common locale \isaname{sas_plus_strips_equivalence} for both the STRIPS and SAS+ formalisms and make it a sublocale of both locale \isaname{strips} as well as \isaname{sas_plus}. 
The declaration itself is omitted for brevity since it basically just joins locales \isaname{sas_plus} and \isaname{strips} while renaming the locale parameter to avoid name clashes. The sublocale proofs are shown below. \footnote{We append a suffix identifying the respective formalism to the the parameter names passed to the parameter names in the locale. This is necessary to avoid ambiguous names in the sublocale declarations. For example, without addition of suffixes the type for \initial_of\ is ambiguous and will therefore not be bound to either \strips_problem.initial_of\ or \sas_plus_problem.initial_of\. Isabelle in fact considers it to be a a free variable in this case. We also qualify the parent locales in the sublocale declarations by adding \texttt{strips:} and \texttt{sas\_plus:} before the respective parent locale identifiers. } \ definition "range_of_strips \ x \ { True, False }" context begin \ \ Set-up simp rules. \ lemma[simp]: "(\ \) = (let vs = [as. v \ variables_of \, as \ (possible_assignments_for \) v] ; ops = map (sasp_op_to_strips \) (operators_of \) ; I = state_to_strips_state \ (initial_of \) ; G = state_to_strips_state \ (goal_of \) in STRIPS_Representation.problem_for vs ops I G)" and "(\\<^sub>S \ s) = (let defined = filter (\v. s v \ None) (variables_of \) in map_of (map (\(v, a). ((v, a), the (s v) = a)) (concat [possible_assignments_for \ v. v \ defined])))" and "(\\<^sub>O \ op) = (let pre = precondition_of op ; add = effect_of op ; delete = [(v, a'). (v, a) \ effect_of op, a' \ filter ((\) a) (the (range_of \ v))] in STRIPS_Representation.operator_for pre add delete)" and "(\\<^sub>P \ \) = [[\\<^sub>O \ op. op \ ops]. ops \ \]" and "(\\<^sub>S\ \ s')= map_of (filter (\(v, a). 
s' (v, a) = Some True) (all_possible_assignments_for \))" and "(\\<^sub>O\ \ op') = (let precondition = strips_operator.precondition_of op' ; effect = strips_operator.add_effects_of op' in \ precondition_of = precondition, effect_of = effect \)" and "(\\<^sub>P\ \ \) = [[\\<^sub>O\ \ op. op \ ops]. ops \ \]" unfolding SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def sas_plus_problem_to_strips_problem_def SAS_Plus_STRIPS.state_to_strips_state_def state_to_strips_state_def SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def SAS_Plus_STRIPS.sas_plus_parallel_plan_to_strips_parallel_plan_def sas_plus_parallel_plan_to_strips_parallel_plan_def SAS_Plus_STRIPS.strips_state_to_state_def strips_state_to_state_def SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def strips_parallel_plan_to_sas_plus_parallel_plan_def by blast+ lemmas [simp] = range_of'_def lemma is_valid_problem_sas_plus_dom_sas_plus_problem_range_of: assumes "is_valid_problem_sas_plus \" shows "\v \ set ((\)\<^sub>\\<^sub>+). v \ dom (sas_plus_problem.range_of \)" using assms(1) is_valid_problem_sas_plus_then(1) unfolding is_valid_problem_sas_plus_def by (meson domIff list.pred_set) lemma possible_assignments_for_set_is: assumes "v \ dom (sas_plus_problem.range_of \)" shows "set (possible_assignments_for \ v) = { (v, a) | a. a \ \\<^sub>+ \ v }" proof - have "sas_plus_problem.range_of \ v \ None" using assms(1) by auto thus ?thesis unfolding possible_assignments_for_def by fastforce qed lemma all_possible_assignments_for_set_is: assumes "\v \ set ((\)\<^sub>\\<^sub>+). range_of \ v \ None" shows "set (all_possible_assignments_for \) = (\v \ set ((\)\<^sub>\\<^sub>+). { (v, a) | a. a \ \\<^sub>+ \ v })" proof - let ?vs = "variables_of \" have "set (all_possible_assignments_for \) = (\(set ` (\v. map (\(v, a). 
(v, a)) (possible_assignments_for \ v)) ` set ?vs))" unfolding all_possible_assignments_for_def set_concat using set_map by auto also have "\ = (\((\v. set (possible_assignments_for \ v)) ` set ?vs))" using image_comp set_map by simp (* TODO slow *) also have "\ = (\((\v. { (v, a) | a. a \ \\<^sub>+ \ v }) ` set ?vs))" using possible_assignments_for_set_is assms by fastforce finally show ?thesis by force qed lemma state_to_strips_state_dom_is_i[simp]: assumes "\v \ set ((\)\<^sub>\\<^sub>+). v \ dom (sas_plus_problem.range_of \)" shows "set (concat [possible_assignments_for \ v. v \ filter (\v. s v \ None) (variables_of \)]) = (\v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }. { (v, a) | a. a \ \\<^sub>+ \ v })" proof - let ?vs = "variables_of \" let ?defined = "filter (\v. s v \ None) ?vs" let ?l = "concat [possible_assignments_for \ v. v \ ?defined]" have nb: "set ?defined = { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }" unfolding set_filter by force have "set ?l = \(set ` set (map (possible_assignments_for \) ?defined ))" unfolding set_concat image_Union by blast also have "\ = \(set ` (possible_assignments_for \) ` set ?defined)" unfolding set_map by blast also have "\ = (\v \ set ?defined. set (possible_assignments_for \ v))" by blast also have "\ = (\v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }. set (possible_assignments_for \ v))" using nb by argo finally show ?thesis using possible_assignments_for_set_is is_valid_problem_sas_plus_dom_sas_plus_problem_range_of assms(1) by fastforce qed lemma state_to_strips_state_dom_is: \ \ NOTE A transformed state is defined on all possible assignments for all variables defined in the original state. \ assumes "is_valid_problem_sas_plus \" shows "dom (\\<^sub>S \ s) = (\v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }. { (v, a) | a. a \ \\<^sub>+ \ v })" proof - let ?vs = "variables_of \" let ?l = "concat [possible_assignments_for \ v. v \ filter (\v. 
s v \ None) ?vs]" have nb: "\v \ set ((\)\<^sub>\\<^sub>+). v \ dom (sas_plus_problem.range_of \)" using is_valid_problem_sas_plus_dom_sas_plus_problem_range_of assms(1) by fastforce have "dom (\\<^sub>S \ s) = fst ` set (map (\(v, a). ((v, a), the (s v) = a)) ?l)" unfolding state_to_strips_state_def SAS_Plus_STRIPS.state_to_strips_state_def using dom_map_of_conv_image_fst[of "map (\(v, a). ((v, a), the (s v) = a)) ?l"] by presburger also have "\ = fst ` (\(v, a). ((v, a), the (s v) = a)) ` set ?l" unfolding set_map by blast also have "\ = (\(v, a). fst ((v, a), the (s v) = a)) ` set ?l" unfolding image_comp[of fst "\(v, a). ((v, a), the (s v) = a)"] comp_apply[of fst "\(v, a). ((v, a), the (s v) = a)"] prod.case_distrib by blast finally show ?thesis unfolding state_to_strips_state_dom_is_i[OF nb] by force qed corollary state_to_strips_state_dom_element_iff: assumes "is_valid_problem_sas_plus \" shows "(v, a) \ dom (\\<^sub>S \ s) \ v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None \ a \ \\<^sub>+ \ v" proof - let ?vs = "variables_of \" and ?s' = "\\<^sub>S \ s" show ?thesis proof (rule iffI) assume "(v, a) \ dom (\\<^sub>S \ s)" then have "v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }" and "a \ \\<^sub>+ \ v" unfolding state_to_strips_state_dom_is[OF assms(1)] by force+ moreover have "v \ set ?vs" and "s v \ None" using calculation(1) by fastforce+ ultimately show "v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None \ a \ \\<^sub>+ \ v" by force next assume "v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None \ a \ \\<^sub>+ \ v" then have "v \ set ((\)\<^sub>\\<^sub>+)" and "s v \ None" and a_in_range_of_v: "a \ \\<^sub>+ \ v" by simp+ then have "v \ { v | v. 
v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }" by force thus "(v, a) \ dom (\\<^sub>S \ s)" unfolding state_to_strips_state_dom_is[OF assms(1)] using a_in_range_of_v by blast qed qed lemma state_to_strips_state_range_is: assumes "is_valid_problem_sas_plus \" and "(v, a) \ dom (\\<^sub>S \ s)" shows "(\\<^sub>S \ s) (v, a) = Some (the (s v) = a)" proof - let ?vs = "variables_of \" let ?s' = "\\<^sub>S \ s" and ?defined = "filter (\v. s v \ None) ?vs" let ?l = "concat [possible_assignments_for \ v. v \ ?defined]" have v_in_set_vs: "v \ set ?vs" and s_of_v_is_not_None: "s v \ None" and a_in_range_of_v: "a \ \\<^sub>+ \ v" using assms(2) unfolding state_to_strips_state_dom_is[OF assms(1)] by fastforce+ moreover { have "\v \ set ((\)\<^sub>\\<^sub>+). v \ dom (sas_plus_problem.range_of \)" using assms(1) is_valid_problem_sas_plus_then(1) unfolding is_valid_problem_sas_plus_def by fastforce moreover have "(v, a) \ set ?l" unfolding state_to_strips_state_dom_is_i[OF calculation(1)] using s_of_v_is_not_None a_in_range_of_v v_in_set_vs by fastforce moreover have "set ?l \ {}" using calculation by fastforce \ \ TODO slow. \ ultimately have "(\\<^sub>S \ s) (v, a) = Some (the (s v) = a)" using map_of_from_function_graph_is_some_if[of ?l "(v, a)" "\(v, a). the (s v) = a"] unfolding SAS_Plus_STRIPS.state_to_strips_state_def state_to_strips_state_def Let_def case_prod_beta' by fastforce } thus ?thesis. qed \ \ Show that a STRIPS state corresponding to a SAS+ state via transformation is consistent w.r.t. to the variable subset with same left component (i.e. the original SAS+ variable). This is the consistency notion corresponding to SAS+ consistency: i.e. if no two assignments with different values for the same variable exist in the SAS+ state, then assigning the corresponding assignment both to @{text "True"} is impossible. Vice versa, if both are assigned to @{text "True"} then the assignment variables must be the same SAS+ variable/SAS+ value pair. 
\ lemma state_to_strips_state_effect_consistent: assumes "is_valid_problem_sas_plus \" and "(v, a) \ dom (\\<^sub>S \ s)" and "(v, a') \ dom (\\<^sub>S \ s)" and "(\\<^sub>S \ s) (v, a) = Some True" and "(\\<^sub>S \ s) (v, a') = Some True" shows "(v, a) = (v, a')" proof - have "the (s v) = a" and "the (s v) = a'" using state_to_strips_state_range_is[OF assms(1)] assms(2, 3, 4, 5) by fastforce+ thus ?thesis by argo qed lemma sasp_op_to_strips_set_delete_effects_is: assumes "is_valid_operator_sas_plus \ op" shows "set (strips_operator.delete_effects_of (\\<^sub>O \ op)) = (\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" proof - let ?D = "range_of \" and ?effect = "effect_of op" let ?delete = "[(v, a'). (v, a) \ ?effect, a' \ filter ((\) a) (the (?D v))]" { fix v a assume "(v, a) \ set ?effect" then have "(\\<^sub>+ \ v) = set (the (?D v))" using assms using is_valid_operator_sas_plus_then_range_of_sas_plus_op_is_set_range_of_op by fastforce hence "set (filter ((\) a) (the (?D v))) = { a' \ \\<^sub>+ \ v. a' \ a }" unfolding set_filter by blast } note nb = this { \ \ TODO slow. \ have "set ?delete = \(set ` (\(v, a). map (Pair v) (filter ((\) a) (the (?D v)))) ` (set ?effect))" using set_concat by simp also have "\ = \((\(v, a). Pair v ` set (filter ((\) a) (the (?D v)))) ` (set ?effect))" unfolding image_comp[of set] set_map by auto \ \ TODO slow. \ also have "\ = (\(v, a) \ set ?effect. Pair v ` { a' \ \\<^sub>+ \ v. a' \ a })" using nb by fast finally have "set ?delete = (\(v, a) \ set ?effect. { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" by blast } thus ?thesis unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def Let_def by force qed lemma sas_plus_problem_to_strips_problem_variable_set_is: \ \ The variable set of \\\ is the set of all possible assignments that are possible using the variables of \\\ and the corresponding domains. 
\ assumes "is_valid_problem_sas_plus \" shows "set ((\ \)\<^sub>\) = (\v \ set ((\)\<^sub>\\<^sub>+). { (v, a) | a. a \ \\<^sub>+ \ v })" proof - let ?\ = "\ \" and ?vs = "variables_of \" { have "set (strips_problem.variables_of ?\) = set [as. v \ ?vs, as \ possible_assignments_for \ v]" unfolding sas_plus_problem_to_strips_problem_def SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def by force also have "\ = (\(set ` (\v. possible_assignments_for \ v) ` set ?vs))" using set_concat by auto also have "\ = (\((set \ possible_assignments_for \) ` set ?vs))" using image_comp[of set "\v. possible_assignments_for \ v" "set ?vs"] by argo finally have "set (strips_problem.variables_of ?\) = (\v \ set ?vs. set (possible_assignments_for \ v))" unfolding o_apply by blast } moreover have "\v \ set ?vs. v \ dom (sas_plus_problem.range_of \)" using is_valid_problem_sas_plus_dom_sas_plus_problem_range_of assms by force ultimately show ?thesis using possible_assignments_for_set_is by force qed corollary sas_plus_problem_to_strips_problem_variable_set_element_iff: assumes "is_valid_problem_sas_plus \" shows "(v, a) \ set ((\ \)\<^sub>\) \ v \ set ((\)\<^sub>\\<^sub>+) \ a \ \\<^sub>+ \ v" unfolding sas_plus_problem_to_strips_problem_variable_set_is[OF assms] by fast lemma sasp_op_to_strips_effect_consistent: assumes "op = \\<^sub>O \ op'" and "op' \ set ((\)\<^sub>\\<^sub>+)" and "is_valid_operator_sas_plus \ op'" shows "(v, a) \ set (add_effects_of op) \ (v, a) \ set (delete_effects_of op)" and "(v, a) \ set (delete_effects_of op) \ (v, a) \ set (add_effects_of op)" proof - have nb: "(\(v, a) \ set (effect_of op'). \(v', a') \ set (effect_of op'). 
v \ v' \ a = a')" using assms(3) unfolding is_valid_operator_sas_plus_def SAS_Plus_Representation.is_valid_operator_sas_plus_def list_all_iff ListMem_iff Let_def by argo { fix v a assume v_a_in_add_effects_of_op: "(v, a) \ set (add_effects_of op)" have "(v, a) \ set (delete_effects_of op)" proof (rule ccontr) assume "\(v, a) \ set (delete_effects_of op)" moreover have "(v, a) \ (\(v, a') \ set (effect_of op'). { (v, a'') | a''. a'' \ (\\<^sub>+ \ v) \ a'' \ a' })" using calculation sasp_op_to_strips_set_delete_effects_is assms by blast moreover obtain a' where "(v, a') \ set (effect_of op')" and "a \ a'" using calculation by blast moreover have "(v, a') \ set (add_effects_of op)" using assms(1) calculation(3) unfolding sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def by fastforce moreover have "(v, a) \ set (effect_of op')" and "(v, a') \ set (effect_of op')" using assms(1) v_a_in_add_effects_of_op calculation(5) unfolding sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def by force+ ultimately show False using nb by fast qed } moreover { fix v a assume v_a_in_delete_effects_of_op: "(v, a) \ set (delete_effects_of op)" have "(v, a) \ set (add_effects_of op)" proof (rule ccontr) assume "\(v, a) \ set (add_effects_of op)" moreover have "(v, a) \ set (add_effects_of op)" using calculation by blast moreover have "(v, a) \ (\(v, a') \ set (effect_of op'). { (v, a'') | a''. 
a'' \ (\\<^sub>+ \ v) \ a'' \ a' })" using sasp_op_to_strips_set_delete_effects_is nb assms(1, 3) v_a_in_delete_effects_of_op by force moreover obtain a' where "(v, a') \ set (effect_of op')" and "a \ a'" using calculation by blast moreover have "(v, a') \ set (add_effects_of op)" using assms(1) calculation(4) unfolding sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def by fastforce moreover have "(v, a) \ set (effect_of op')" and "(v, a') \ set (effect_of op')" using assms(1) calculation(2, 6) unfolding sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def by force+ ultimately show False using nb by fast qed } ultimately show "(v, a) \ set (add_effects_of op) \ (v, a) \ set (delete_effects_of op)" and "(v, a) \ set (delete_effects_of op) \ (v, a) \ set (add_effects_of op)" by blast+ qed lemma is_valid_problem_sas_plus_then_strips_transformation_too_iii: assumes "is_valid_problem_sas_plus \" shows "list_all (is_valid_operator_strips (\ \)) (strips_problem.operators_of (\ \))" proof - let ?\ = "\ \" let ?vs = "strips_problem.variables_of ?\" { fix op assume "op \ set (strips_problem.operators_of ?\)" \ \ TODO slow. \ then obtain op' where op_is: "op = \\<^sub>O \ op'" and op'_in_operators: "op' \ set ((\)\<^sub>\\<^sub>+)" unfolding SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def sas_plus_problem_to_strips_problem_def sasp_op_to_strips_def by auto then have is_valid_op': "is_valid_operator_sas_plus \ op'" using sublocale_sas_plus_finite_domain_representation_ii(2)[OF assms] by blast moreover { fix v a assume "(v, a) \ set (strips_operator.precondition_of op)" \ \ TODO slow. 
\ then have "(v, a) \ set (sas_plus_operator.precondition_of op')" using op_is unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by force moreover have "v \ set ((\)\<^sub>\\<^sub>+)" using is_valid_op' calculation using is_valid_operator_sas_plus_then(1) by fastforce moreover have "a \ \\<^sub>+ \ v" using is_valid_op' calculation(1) using is_valid_operator_sas_plus_then(2) by fast ultimately have "(v, a) \ set ?vs" using sas_plus_problem_to_strips_problem_variable_set_element_iff[OF assms(1)] by force } moreover { fix v a assume "(v, a) \ set (strips_operator.add_effects_of op)" then have "(v, a) \ set (effect_of op')" using op_is unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by force then have "v \ set ((\)\<^sub>\\<^sub>+)" and "a \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then is_valid_op' by fastforce+ hence "(v, a) \ set ?vs" using sas_plus_problem_to_strips_problem_variable_set_element_iff[OF assms(1)] by force } moreover { fix v a' assume v_a'_in_delete_effects: "(v, a') \ set (strips_operator.delete_effects_of op)" moreover have "set (strips_operator.delete_effects_of op) = (\(v, a) \ set (effect_of op'). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" using sasp_op_to_strips_set_delete_effects_is[OF is_valid_op'] op_is by simp \ \ TODO slow. \ ultimately obtain a where "(v, a) \ set (effect_of op')" and a'_in: "a' \ { a' \ \\<^sub>+ \ v. 
a' \ a }" by blast moreover have "is_valid_operator_sas_plus \ op'" using op'_in_operators assms(1) is_valid_problem_sas_plus_then(2) by blast moreover have "v \ set ((\)\<^sub>\\<^sub>+)" using is_valid_operator_sas_plus_then calculation(1, 3) by fast moreover have "a' \ \\<^sub>+ \ v" using a'_in by blast ultimately have "(v, a') \ set ?vs" using sas_plus_problem_to_strips_problem_variable_set_element_iff[OF assms(1)] by force } ultimately have "set (strips_operator.precondition_of op) \ set ?vs \ set (strips_operator.add_effects_of op) \ set ?vs \ set (strips_operator.delete_effects_of op) \ set ?vs \ (\v\set (add_effects_of op). v \ set (delete_effects_of op)) \ (\v\set (delete_effects_of op). v \ set (add_effects_of op))" using sasp_op_to_strips_effect_consistent[OF op_is op'_in_operators is_valid_op'] by fast+ } thus ?thesis unfolding is_valid_operator_strips_def STRIPS_Representation.is_valid_operator_strips_def list_all_iff ListMem_iff Let_def by blast qed lemma is_valid_problem_sas_plus_then_strips_transformation_too_iv: assumes "is_valid_problem_sas_plus \" shows "\x. 
((\ \)\<^sub>I) x \ None \ ListMem x (strips_problem.variables_of (\ \))" proof - let ?vs = "variables_of \" and ?I = "initial_of \" and ?\ = "\ \" let ?vs' = "strips_problem.variables_of ?\" and ?I' = "strips_problem.initial_of ?\" { fix x have "?I' x \ None \ ListMem x ?vs'" proof (rule iffI) assume I'_of_x_is_not_None: "?I' x \ None" then have "x \ dom ?I'" by blast moreover obtain v a where x_is: "x = (v, a)" by fastforce ultimately have "(v, a) \ dom ?I'" by blast then have "v \ set ?vs" and "?I v \ None" and "a \ \\<^sub>+ \ v" using state_to_strips_state_dom_element_iff[OF assms(1), of v a ?I] unfolding sas_plus_problem_to_strips_problem_def SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def state_to_strips_state_def SAS_Plus_STRIPS.state_to_strips_state_def by simp+ thus "ListMem x ?vs'" unfolding ListMem_iff using sas_plus_problem_to_strips_problem_variable_set_element_iff[OF assms(1)] x_is by auto next assume list_mem_x_vs': "ListMem x ?vs'" then obtain v a where x_is: "x = (v, a)" by fastforce then have "(v, a) \ set ?vs'" using list_mem_x_vs' unfolding ListMem_iff by blast then have "v \ set ?vs" and "a \ \\<^sub>+ \ v" using sas_plus_problem_to_strips_problem_variable_set_element_iff[OF assms(1)] by force+ moreover have "?I v \ None" using is_valid_problem_sas_plus_then(3) assms(1) calculation(1) by auto ultimately have "(v, a) \ dom ?I'" using state_to_strips_state_dom_element_iff[OF assms(1), of v a ?I] unfolding SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def sas_plus_problem_to_strips_problem_def SAS_Plus_STRIPS.state_to_strips_state_def state_to_strips_state_def by force thus "?I' x \ None" using x_is by fastforce qed } thus ?thesis by simp qed private lemma is_valid_problem_sas_plus_then_strips_transformation_too_v: assumes "is_valid_problem_sas_plus \" shows "\x. 
((\ \)\<^sub>G) x \ None \ ListMem x (strips_problem.variables_of (\ \))" proof - let ?vs = "variables_of \" and ?D = "range_of \" and ?G = "goal_of \" let ?\ = "\ \" let ?vs' = "strips_problem.variables_of ?\" and ?G' = "strips_problem.goal_of ?\" have nb: "?G' = \\<^sub>S \ ?G" by simp { fix x assume "?G' x \ None" moreover obtain v a where "x = (v, a)" by fastforce moreover have "(v, a) \ dom ?G'" using domIff calculation(1, 2) by blast moreover have "v \ set ?vs" and "a \ \\<^sub>+ \ v" using state_to_strips_state_dom_is[OF assms(1), of ?G] nb calculation(3) by auto+ ultimately have "x \ set ?vs'" using sas_plus_problem_to_strips_problem_variable_set_element_iff[OF assms(1)] by auto } thus ?thesis unfolding ListMem_iff by simp qed text \ We now show that given \<^term>\\\ is a valid SASPlus problem, then \<^term>\\ \ \ \\ is a valid STRIPS problem as well. The proof unfolds the definition of \<^term>\is_valid_problem_strips\ and then shows each of the conjuncts for \<^term>\\\. These are: \begin{itemize} \item \<^term>\\\ has at least one variable; \item \<^term>\\\ has at least one operator; \item all operators are valid STRIPS operators; \item \<^term>\(\::'a strips_problem)\<^sub>I\ is defined for all variables in \<^term>\(\::'a strips_problem)\<^sub>\\; and finally, \item if \<^term>\((\::'a strips_problem)\<^sub>G) x\ is defined, then \<^term>\x\ is in \<^term>\(\::'a strips_problem)\<^sub>\\. \end{itemize} \ theorem is_valid_problem_sas_plus_then_strips_transformation_too: assumes "is_valid_problem_sas_plus \" shows "is_valid_problem_strips (\ \)" proof - let ?\ = "\ \" have "list_all (is_valid_operator_strips (\ \)) (strips_problem.operators_of (\ \))" using is_valid_problem_sas_plus_then_strips_transformation_too_iii[OF assms]. moreover have "\x. (((\ \)\<^sub>I) x \ None) = ListMem x (strips_problem.variables_of (\ \))" using is_valid_problem_sas_plus_then_strips_transformation_too_iv[OF assms]. moreover have "\x. 
((\ \)\<^sub>G) x \ None \ ListMem x (strips_problem.variables_of (\ \))" using is_valid_problem_sas_plus_then_strips_transformation_too_v[OF assms]. ultimately show ?thesis using is_valid_problem_strips_def unfolding STRIPS_Representation.is_valid_problem_strips_def by fastforce qed lemma set_filter_all_possible_assignments_true_is: assumes "is_valid_problem_sas_plus \" shows "set (filter (\(v, a). s (v, a) = Some True) (all_possible_assignments_for \)) = (\v \ set ((\)\<^sub>\\<^sub>+). Pair v ` { a \ \\<^sub>+ \ v. s (v, a) = Some True })" proof - let ?vs = "sas_plus_problem.variables_of \" and ?P = "(\(v, a). s (v, a) = Some True)" let ?l = "filter ?P (all_possible_assignments_for \)" have "set ?l = set (concat (map (filter ?P) (map (possible_assignments_for \) ?vs)))" unfolding all_possible_assignments_for_def filter_concat[of ?P "map (possible_assignments_for \) (sas_plus_problem.variables_of \)"] by simp also have "\ = set (concat (map (\v. filter ?P (possible_assignments_for \ v)) ?vs))" unfolding map_map comp_apply by blast also have "\ = set (concat (map (\v. map (Pair v) (filter (?P \ Pair v) (the (range_of \ v)))) ?vs))" unfolding possible_assignments_for_def filter_map by blast also have "\ = set (concat (map (\v. map (Pair v) (filter (\a. s (v, a) = Some True) (the (range_of \ v)))) ?vs))" unfolding comp_apply by fast also have "\ = \(set ` ((\v. map (Pair v) (filter (\a. s (v, a) = Some True) (the (range_of \ v)))) ` set ?vs))" unfolding set_concat set_map.. also have "\ = (\v \ set ?vs. Pair v ` set (filter (\a. s (v, a) = Some True) (the (range_of \ v))))" unfolding image_comp[of set] comp_apply set_map.. also have "\ = (\v \ set ?vs. Pair v ` { a \ set (the (range_of \ v)). s (v, a) = Some True })" unfolding set_filter.. finally show ?thesis using set_the_range_of_is_range_of_sas_plus_if[OF assms(1)] by auto qed lemma strips_state_to_state_dom_is: assumes "is_valid_problem_sas_plus \" shows "dom (\\<^sub>S\ \ s) = (\v \ set ((\)\<^sub>\\<^sub>+). 
{ v | a. a \ (\\<^sub>+ \ v) \ s (v, a) = Some True })" proof - let ?vs = "variables_of \" and ?s' = "\\<^sub>S\ \ s" and ?P = "(\(v, a). s (v, a) = Some True)" let ?l = "filter ?P (all_possible_assignments_for \)" { have "fst ` set ?l = fst ` (\v \ set ?vs. Pair v ` { a \ \\<^sub>+ \ v. s (v, a) = Some True })" unfolding set_filter_all_possible_assignments_true_is[OF assms] by auto also have "\ = (\v \ set ?vs. fst ` Pair v ` { a \ \\<^sub>+ \ v. s (v, a) = Some True })" by blast also have "\ = (\v \ set ?vs. (\a. fst (Pair v a)) ` { a \ \\<^sub>+ \ v. s (v, a) = Some True })" unfolding image_comp[of fst] comp_apply by blast finally have "fst ` set ?l = (\v \ set ((\)\<^sub>\\<^sub>+). { v | a. a \ (\\<^sub>+ \ v) \ s (v, a) = Some True })" unfolding setcompr_eq_image fst_conv by simp } thus ?thesis unfolding SAS_Plus_STRIPS.strips_state_to_state_def strips_state_to_state_def dom_map_of_conv_image_fst by blast qed lemma strips_state_to_state_range_is: assumes "is_valid_problem_sas_plus \" and "v \ set ((\)\<^sub>\\<^sub>+)" and "a \ \\<^sub>+ \ v" and "(v, a) \ dom s'" and "\(v, a) \ dom s'. \(v, a') \ dom s'. s' (v, a) = Some True \ s' (v, a') = Some True \ (v, a) = (v, a')" shows "(\\<^sub>S\ \ s') v = Some a \ the (s' (v, a))" proof - let ?vs = "variables_of \" and ?D = "range_of \" and ?s = "\\<^sub>S\ \ s'" let ?as = "all_possible_assignments_for \" let ?l = "filter (\(v, a). s' (v, a) = Some True) ?as" show ?thesis proof (rule iffI) assume s_of_v_is_Some_a: "?s v = Some a" { have "(v, a) \ set ?l" using s_of_v_is_Some_a unfolding SAS_Plus_STRIPS.strips_state_to_state_def strips_state_to_state_def using map_of_SomeD by fast hence "s' (v, a) = Some True" unfolding all_possible_assignments_for_set_is set_filter by blast } thus "the (s' (v, a))" by simp next assume the_of_s'_of_v_a_is: "the (s' (v, a))" then have s'_of_v_a_is_Some_true: "s' (v, a) = Some True" using assms(4) domIff by force \ \ TODO slow. 
\ moreover { fix v v' a a' assume "(v, a) \ set ?l" and "(v', a') \ set ?l" then have "v \ v' \ a = a'" using assms(5) by fastforce } moreover { have "\v \ set ((\)\<^sub>\\<^sub>+). sas_plus_problem.range_of \ v \ None" using is_valid_problem_sas_plus_then(1) assms(1) range_of_not_empty by force (* TODO slow. *) moreover have "set ?l = Set.filter (\(v, a). s' (v, a) = Some True) (\v \ set ((\)\<^sub>\\<^sub>+). { (v, a) | a. a \ \\<^sub>+ \ v })" using all_possible_assignments_for_set_is calculation by force ultimately have "(v, a) \ set ?l" using assms(2, 3) s'_of_v_a_is_Some_true by simp } ultimately show "?s v = Some a" using map_of_constant_assignments_defined_if[of ?l v a] unfolding SAS_Plus_STRIPS.strips_state_to_state_def strips_state_to_state_def by blast qed qed \ \ NOTE A technical lemma which characterizes the return values for possible assignments @{text "(v, a)"} when used as variables on a state @{text "s"} which was transformed from. \ lemma strips_state_to_state_inverse_is_i: assumes "is_valid_problem_sas_plus \" and "v \ set ((\)\<^sub>\\<^sub>+)" and "s v \ None" and "a \ \\<^sub>+ \ v" shows "(\\<^sub>S \ s) (v, a) = Some (the (s v) = a)" proof - let ?vs = "sas_plus_problem.variables_of \" let ?s' = "\\<^sub>S \ s" and ?f = "\(v, a). the (s v) = a" and ?l = "concat (map (possible_assignments_for \) (filter (\v. s v \ None) ?vs))" have "(v, a) \ dom ?s'" using state_to_strips_state_dom_element_iff[ OF assms(1)] assms(2, 3, 4) by presburger { have "v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }" using assms(2, 3) by blast moreover have "\v \ set ((\)\<^sub>\\<^sub>+). v \ dom (sas_plus_problem.range_of \)" using is_valid_problem_sas_plus_dom_sas_plus_problem_range_of[OF assms(1)]. moreover have "set ?l = (\v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }. { (v, a) |a. 
a \ \\<^sub>+ \ v })" unfolding state_to_strips_state_dom_is_i[OF calculation(2)] by blast ultimately have "(v, a) \ set ?l" using assms(4) by blast } moreover have "set ?l \ {}" using calculation by force \ \ TODO slow.\ ultimately show ?thesis unfolding SAS_Plus_STRIPS.state_to_strips_state_def state_to_strips_state_def using map_of_from_function_graph_is_some_if[of ?l "(v, a)" ?f] unfolding split_def by fastforce qed \ \ NOTE Show that the transformed strips state is consistent for pairs of assignments @{text "(v, a)"} and @{text "(v, a')"} in the same variable domain. \ (* TODO make private. *) corollary strips_state_to_state_inverse_is_ii: assumes "is_valid_problem_sas_plus \" and "v \ set ((\)\<^sub>\\<^sub>+)" and "s v = Some a" and "a \ \\<^sub>+ \ v" and "a' \ \\<^sub>+ \ v" and "a' \ a" shows "(\\<^sub>S \ s) (v, a') = Some False" proof - have "s v \ None" using assms(3) by simp moreover have "the (s v) \ a'" using assms(3, 6) by simp ultimately show ?thesis using strips_state_to_state_inverse_is_i[OF assms(1, 2) _ assms(5)] by force qed \ \ NOTE Follows from the corollary above by contraposition. \ (* TODO make private. *) corollary strips_state_to_state_inverse_is_iii: assumes "is_valid_problem_sas_plus \" and "v \ set ((\)\<^sub>\\<^sub>+)" and "s v = Some a" and "a \ \\<^sub>+ \ v" and "a' \ \\<^sub>+ \ v" and "(\\<^sub>S \ s) (v, a) = Some True" and "(\\<^sub>S \ s) (v, a') = Some True" shows "a = a'" proof - have "s v \ None" using assms(3) by blast thus ?thesis using strips_state_to_state_inverse_is_i[OF assms(1, 2)] assms(4, 5, 6, 7) by auto qed (* TODO make private. *) lemma strips_state_to_state_inverse_is_iv: assumes "is_valid_problem_sas_plus \" and "dom s \ set ((\)\<^sub>\\<^sub>+)" and "v \ set ((\)\<^sub>\\<^sub>+)" and "s v = Some a" and "a \ \\<^sub>+ \ v" shows "(\\<^sub>S\ \ (\\<^sub>S \ s)) v = Some a" proof - let ?vs = "variables_of \" and ?s' = "\\<^sub>S \ s" let ?s'' = "\\<^sub>S\ \ ?s'" let ?P = "\(v, a). 
?s' (v, a) = Some True" let ?as = "filter ?P (all_possible_assignments_for \)" and ?As = "Set.filter ?P (\v \ set ((\)\<^sub>\\<^sub>+). { (v, a) | a. a \ \\<^sub>+ \ v })" { have "\v \ set ((\)\<^sub>\\<^sub>+). range_of \ v \ None" using sublocale_sas_plus_finite_domain_representation_ii(1)[OF assms(1)] range_of_not_empty by force (* TODO slow. *) hence "set ?as = ?As" unfolding set_filter using all_possible_assignments_for_set_is by force } note nb = this moreover { { fix v v' a a' assume "(v, a) \ set ?as" and "(v', a') \ set ?as" then have "(v, a) \ ?As" and "(v', a') \ ?As" using nb by blast+ then have v_in_set_vs: "v \ set ?vs" and v'_in_set_vs: "v' \ set ?vs" and a_in_range_of_v: "a \ \\<^sub>+ \ v" and a'_in_range_of_v: "a' \ \\<^sub>+ \ v'" and s'_of_v_a_is: "?s' (v, a) = Some True" and s'_of_v'_a'_is: "?s' (v', a') = Some True" by fastforce+ then have "(v, a) \ dom ?s'" by blast then have s_of_v_is_Some_a: "s v = Some a" using state_to_strips_state_dom_element_iff[OF assms(1)] state_to_strips_state_range_is[OF assms(1)] s'_of_v_a_is by auto have "v \ v' \ a = a'" proof (rule ccontr) assume "\(v \ v' \ a = a')" then have "v = v'" and "a \ a'" by simp+ thus False using a'_in_range_of_v a_in_range_of_v assms(1) v'_in_set_vs s'_of_v'_a'_is s'_of_v_a_is s_of_v_is_Some_a strips_state_to_state_inverse_is_iii by force qed } moreover { have "s v \ None" using assms(4) by simp then have "?s' (v, a) = Some True" using strips_state_to_state_inverse_is_i[OF assms(1, 3) _ assms(5)] assms(4) by simp (* TODO slow *) hence "(v, a) \ set ?as" using all_possible_assignments_for_set_is assms(3, 5) nb by simp } ultimately have "map_of ?as v = Some a" using map_of_constant_assignments_defined_if[of ?as v a] by blast } \ \ TODO slow. 
\ thus ?thesis unfolding SAS_Plus_STRIPS.strips_state_to_state_def strips_state_to_state_def all_possible_assignments_for_def by simp qed (* TODO the constraints on the state @{text "s"} could be refactored into a definition of valid states for a problem description. *) (* TODO The proof is not very elegant. Should be simplified. *) \ \ Show that that \\\<^sub>S\ \\ is the inverse of \\\<^sub>S \\. The additional constraints \<^term>\dom s = set ((\)\<^sub>\\<^sub>+)\ and \<^term>\\v \ dom s. the (s v) \ \\<^sub>+ \ v\ are needed because the transformation functions only take into account variables and domains declared in the problem description. They also sufficiently characterize a state that was transformed from SAS+ to STRIPS. \ lemma strips_state_to_state_inverse_is: assumes "is_valid_problem_sas_plus \" and "dom s \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom s. the (s v) \ \\<^sub>+ \ v" shows "s = (\\<^sub>S\ \ (\\<^sub>S \ s))" proof - let ?vs = "variables_of \" and ?D = "range_of \" let ?s' = "\\<^sub>S \ s" let ?s'' = "\\<^sub>S\ \ ?s'" \ \ NOTE Show the thesis by proving that @{text "s"} and @{text "?s'"} are mutual submaps. 
\ { fix v assume v_in_dom_s: "v \ dom s" then have v_in_set_vs: "v \ set ?vs" using assms(2) by auto then obtain a where the_s_v_is_a: "s v = Some a" and a_in_dom_v: "a \ \\<^sub>+ \ v" using assms(2, 3) v_in_dom_s by force moreover have "?s'' v = Some a" using strips_state_to_state_inverse_is_iv[OF assms(1, 2)] v_in_set_vs the_s_v_is_a a_in_dom_v by force ultimately have "s v = ?s'' v" by argo } note nb = this moreover { fix v assume "v \ dom ?s''" then obtain a where "a \ \\<^sub>+ \ v" and "?s' (v, a) = Some True" using strips_state_to_state_dom_is[OF assms(1)] by blast then have "(v, a) \ dom ?s'" by blast then have "s v \ None" using state_to_strips_state_dom_is[OF assms(1)] by simp then obtain a where "s v = Some a" by blast hence "?s'' v = s v" using nb by fastforce } \ \ TODO slow.\ ultimately show ?thesis using map_le_antisym[of s ?s''] map_le_def unfolding strips_state_to_state_def state_to_strips_state_def by blast qed \ \ An important lemma which shows that the submap relation does not change if we transform the states on either side from SAS+ to STRIPS. % TODO what is this called generally? Predicate monotony?? \ lemma state_to_strips_state_map_le_iff: assumes "is_valid_problem_sas_plus \" and "dom s \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom s. 
the (s v) \ \\<^sub>+ \ v" shows "s \\<^sub>m t \ (\\<^sub>S \ s) \\<^sub>m (\\<^sub>S \ t)" proof - let ?vs = "variables_of \" and ?D = "range_of \" and ?s' = "\\<^sub>S \ s" and ?t' = "\\<^sub>S \ t" show ?thesis proof (rule iffI) assume s_map_le_t: "s \\<^sub>m t" { fix v a assume "(v, a) \ dom ?s'" moreover have "v \ set ((\)\<^sub>\\<^sub>+)" and "s v \ None" and "a \ \\<^sub>+ \ v" using state_to_strips_state_dom_is[OF assms(1)] calculation by blast+ moreover have "?s' (v, a) = Some (the (s v) = a)" using state_to_strips_state_range_is[OF assms(1)] calculation(1) by meson moreover have "v \ dom s" using calculation(3) by auto moreover have "s v = t v" using s_map_le_t calculation(6) unfolding map_le_def by blast moreover have "t v \ None" using calculation(3, 7) by argo moreover have "(v, a) \ dom ?t'" using state_to_strips_state_dom_is[OF assms(1)] calculation(2, 4, 8) by blast moreover have "?t' (v, a) = Some (the (t v) = a)" using state_to_strips_state_range_is[OF assms(1)] calculation(9) by simp ultimately have "?s' (v, a) = ?t' (v, a)" by presburger } thus "?s' \\<^sub>m ?t'" unfolding map_le_def by fast next assume s'_map_le_t': "?s' \\<^sub>m ?t'" { fix v assume v_in_dom_s: "v \ dom s" moreover obtain a where the_of_s_of_v_is_a: "the (s v) = a" by blast moreover have v_in_vs: "v \ set ((\)\<^sub>\\<^sub>+)" and s_of_v_is_not_None: "s v \ None" and a_in_range_of_v: "a \ \\<^sub>+ \ v" using assms(2, 3) v_in_dom_s calculation by blast+ moreover have "(v, a) \ dom ?s'" using state_to_strips_state_dom_is[OF assms(1)] calculation(3, 4, 5) by simp moreover have "?s' (v, a) = ?t' (v, a)" using s'_map_le_t' calculation unfolding map_le_def by blast moreover have "(v, a) \ dom ?t'" using calculation unfolding domIff by argo moreover have "?s' (v, a) = Some (the (s v) = a)" and "?t' (v, a) = Some (the (t v) = a)" using state_to_strips_state_range_is[OF assms(1)] calculation by fast+ moreover have "s v = Some a" using calculation(2, 4) by force moreover have "?s' 
(v, a) = Some True" using calculation(9, 11) by fastforce moreover have "?t' (v, a) = Some True" using calculation(7, 12) by argo moreover have "the (t v) = a" using calculation(10, 13) try0 by force moreover { have "v \ dom t" using state_to_strips_state_dom_element_iff[OF assms(1)] calculation(8) by auto hence "t v = Some a" using calculation(14) by force } ultimately have "s v = t v" by argo } thus "s \\<^sub>m t" unfolding map_le_def by simp qed qed \ \ We also show that \\\<^sub>O\ \\ is the inverse of \\\<^sub>O \\. Note that this proof is completely mechanical since both the precondition and effect lists are simply being copied when transforming from SAS+ to STRIPS and when transforming back from STRIPS to SAS+. \ (* TODO rename \sasp_op_to_strips_inverse_is\ *) (* TODO prune assumptions (not required) *) lemma sas_plus_operator_inverse_is: assumes "is_valid_problem_sas_plus \" and "op \ set ((\)\<^sub>\\<^sub>+)" shows "(\\<^sub>O\ \ (\\<^sub>O \ op)) = op" proof - let ?op = "\\<^sub>O\ \ (\\<^sub>O \ op)" have "precondition_of ?op = precondition_of op" unfolding SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by fastforce moreover have "effect_of ?op = effect_of op" unfolding SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by force ultimately show ?thesis by simp qed \ \ Note that we have to make the assumption that \op'\ is a member of the operator set of the induced STRIPS problem \\ \\. This implies that \op'\ was transformed from an \op \ operators_of \\. If we don't make this assumption, then multiple STRIPS operators of the form \\ precondition_of = [], add_effects_of = [], delete_effects_of = [(v, a), ...] \\ correspond to one SAS+ operator (since the delete effects are being discarded in the transformation function). 
\ lemma strips_operator_inverse_is: assumes "is_valid_problem_sas_plus \" and "op' \ set ((\ \)\<^sub>\)" shows "(\\<^sub>O \ (\\<^sub>O\ \ op')) = op'" proof - let ?\ = "\ \" obtain op where "op \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op" using assms by auto moreover have "\\<^sub>O\ \ op' = op" using sas_plus_operator_inverse_is[OF assms(1) calculation(1)] calculation(2) by blast ultimately show ?thesis by argo qed (* \<^item> TODO Simplify | refactor proof. \<^item> TODO make private. *) lemma sas_plus_equivalent_to_strips_i_a_I: assumes "is_valid_problem_sas_plus \" and "set ops' \ set ((\ \)\<^sub>\)" and "STRIPS_Semantics.are_all_operators_applicable (\\<^sub>S \ s) ops'" and "op \ set [\\<^sub>O\ \ op'. op' \ ops']" shows "map_of (precondition_of op) \\<^sub>m (\\<^sub>S\ \ (\\<^sub>S \ s))" proof - let ?\ = "\ \" and ?s' = "\\<^sub>S \ s" let ?s = "\\<^sub>S\ \ ?s'" and ?D = "range_of \" and ?ops = "[\\<^sub>O\ \ op'. op' \ ops']" and ?pre = "precondition_of op" have nb\<^sub>1: "\(v, a) \ dom ?s'. \(v, a') \ dom ?s'. ?s' (v, a) = Some True \ ?s' (v, a') = Some True \ (v, a) = (v, a')" using state_to_strips_state_effect_consistent[OF assms(1)] by blast { fix op' assume "op' \ set ops'" moreover have "op' \ set ((?\)\<^sub>\)" using assms(2) calculation by blast ultimately have "\op \ set ((\)\<^sub>\\<^sub>+). 
op' = (\\<^sub>O \ op)" by auto } note nb\<^sub>2 = this { fix op assume "op \ set ?ops" then obtain op' where "op' \ set ops'" and "op = \\<^sub>O\ \ op'" using assms(4) by auto moreover obtain op'' where "op'' \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op''" using nb\<^sub>2 calculation(1) by blast moreover have "op = op''" using sas_plus_operator_inverse_is[OF assms(1) calculation(3)] calculation(2, 4) by blast ultimately have "op \ set ((\)\<^sub>\\<^sub>+)" by blast } note nb\<^sub>3 = this { fix op v a assume "op \ set ?ops" and v_a_in_precondition_of_op': "(v, a) \ set (precondition_of op)" moreover obtain op' where "op' \ set ops'" and "op = \\<^sub>O\ \ op'" using calculation(1) by auto moreover have "strips_operator.precondition_of op' = precondition_of op" using calculation(4) unfolding SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def by simp ultimately have "\op' \ set ops'. op = (\\<^sub>O\ \ op') \ (v, a) \ set (strips_operator.precondition_of op')" by metis } note nb\<^sub>4 = this { fix op' v a assume "op' \ set ops'" and v_a_in_precondition_of_op': "(v, a) \ set (strips_operator.precondition_of op')" moreover have s'_of_v_a_is_Some_True: "?s' (v, a) = Some True" using assms(3) calculation(1, 2) unfolding are_all_operators_applicable_set by blast moreover { obtain op where "op \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op" using nb\<^sub>2 calculation(1) by blast moreover have "strips_operator.precondition_of op' = precondition_of op" using calculation(2) unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by simp moreover have "(v, a) \ set (precondition_of op)" using v_a_in_precondition_of_op' calculation(3) by argo moreover have "is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) assms(1) calculation(1) unfolding is_valid_operator_sas_plus_def by auto moreover have "v \ set ((\)\<^sub>\\<^sub>+)" and "a \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then(1,2) calculation(4, 
5) unfolding is_valid_operator_sas_plus_def by fastforce+ moreover have "v \ dom ?s" using strips_state_to_state_dom_is[OF assms(1), of ?s'] s'_of_v_a_is_Some_True calculation(6, 7) by blast moreover have "(v, a) \ dom ?s'" using s'_of_v_a_is_Some_True domIff by blast ultimately have "?s v = Some a" using strips_state_to_state_range_is[OF assms(1) _ _ _ nb\<^sub>1] s'_of_v_a_is_Some_True by simp } hence "?s v = Some a". } note nb\<^sub>5 = this { fix v assume "v \ dom (map_of ?pre)" then obtain a where "map_of ?pre v = Some a" by fast moreover have "(v, a) \ set ?pre" using map_of_SomeD calculation by fast moreover { have "op \ set ((\)\<^sub>\\<^sub>+)" using assms(4) nb\<^sub>3 by blast then have "is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) assms(1) unfolding is_valid_operator_sas_plus_def by auto hence "\(v, a) \ set ?pre. \(v', a') \ set ?pre. v \ v' \ a = a'" using is_valid_operator_sas_plus_then(5) unfolding is_valid_operator_sas_plus_def by fast } moreover have "map_of ?pre v = Some a" using map_of_constant_assignments_defined_if[of ?pre] calculation(2, 3) by blast moreover obtain op' where "op' \ set ops'" and "(v, a) \ set (strips_operator.precondition_of op')" using nb\<^sub>4[OF assms(4) calculation(2)] by blast moreover have "?s v = Some a" using nb\<^sub>5 calculation(5, 6) by fast ultimately have "map_of ?pre v = ?s v" by argo } thus ?thesis unfolding map_le_def by blast qed lemma to_sas_plus_list_of_transformed_sas_plus_problem_operators_structure: assumes "is_valid_problem_sas_plus \" and "set ops' \ set ((\ \)\<^sub>\)" and "op \ set [\\<^sub>O\ \ op'. op' \ ops']" shows "op \ set ((\)\<^sub>\\<^sub>+) \ (\op' \ set ops'. 
op' = \\<^sub>O \ op)" proof - let ?\ = "\ \" obtain op' where "op' \ set ops'" and "op = \\<^sub>O\ \ op'" using assms(3) by auto moreover have "op' \ set ((?\)\<^sub>\)" using assms(2) calculation(1) by blast moreover obtain op'' where "op'' \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op''" using calculation(3) by auto moreover have "op = op''" using sas_plus_operator_inverse_is[OF assms(1) calculation(4)] calculation(2, 5) by presburger ultimately show ?thesis by blast qed (* \<^item> TODO Prune premises (2nd premise and \are_all_operators_applicable s' ops'\ can be removed?). \<^item> TODO make private. \<^item> TODO adjust nb indexes *) lemma sas_plus_equivalent_to_strips_i_a_II: fixes \ :: "('variable, 'domain) sas_plus_problem" fixes s :: "('variable, 'domain) state" assumes "is_valid_problem_sas_plus \" and "set ops' \ set ((\ \)\<^sub>\)" and "STRIPS_Semantics.are_all_operators_applicable (\\<^sub>s \ s) ops' \ STRIPS_Semantics.are_all_operator_effects_consistent ops'" shows "are_all_operator_effects_consistent [\\<^sub>O\ \ op'. op' \ ops']" proof - let ?s' = "\\<^sub>S \ s" let ?s = "\\<^sub>S\ \ ?s'" and ?ops = "[\\<^sub>O\ \ op'. op' \ ops']" and ?\ = "\ \" have nb: "\(v, a) \ dom ?s'. \(v, a') \ dom ?s'. 
?s' (v, a) = Some True \ ?s' (v, a') = Some True \ (v, a) = (v, a')" using state_to_strips_state_effect_consistent[OF assms(1)] by blast { fix op\<^sub>1' op\<^sub>2' assume "op\<^sub>1' \ set ops'" and "op\<^sub>2' \ set ops'" hence "STRIPS_Semantics.are_operator_effects_consistent op\<^sub>1' op\<^sub>2'" using assms(3) unfolding STRIPS_Semantics.are_all_operator_effects_consistent_def list_all_iff by blast } note nb\<^sub>1 = this { fix op\<^sub>1 op\<^sub>1' op\<^sub>2 op\<^sub>2' assume op\<^sub>1_in_ops: "op\<^sub>1 \ set ?ops" and op\<^sub>1'_in_ops': "op\<^sub>1' \ set ops'" and op\<^sub>1'_is: "op\<^sub>1' = \\<^sub>O \ op\<^sub>1" and is_valid_op\<^sub>1: "is_valid_operator_sas_plus \ op\<^sub>1" and op\<^sub>2_in_ops: "op\<^sub>2 \ set ?ops" and op\<^sub>2'_in_ops': "op\<^sub>2' \ set ops'" and op\<^sub>2'_is: "op\<^sub>2' = \\<^sub>O \ op\<^sub>2" and is_valid_op\<^sub>2: "is_valid_operator_sas_plus \ op\<^sub>2" have "\(v, a) \ set (add_effects_of op\<^sub>1'). \(v', a') \ set (add_effects_of op\<^sub>2'). v \ v' \ a = a'" proof (rule ccontr) assume "\(\(v, a) \ set (add_effects_of op\<^sub>1'). \(v', a') \ set (add_effects_of op\<^sub>2'). v \ v' \ a = a')" then obtain v v' a a' where "(v, a) \ set (add_effects_of op\<^sub>1')" and "(v', a') \ set (add_effects_of op\<^sub>2')" and "v = v'" and "a \ a'" by blast \ \ TODO slow. 
\ moreover have "(v, a) \ set (effect_of op\<^sub>1)" using op\<^sub>1'_is op\<^sub>2'_is calculation(1, 2) unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by force moreover { have "(v', a') \ set (effect_of op\<^sub>2)" using op\<^sub>2'_is calculation(2) unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by force hence "a' \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then is_valid_op\<^sub>2 calculation(3) by fastforce } moreover have "(v, a') \ set (delete_effects_of op\<^sub>1')" using sasp_op_to_strips_set_delete_effects_is op\<^sub>1'_is is_valid_op\<^sub>1 calculation(3, 4, 5, 6) by blast moreover have "\STRIPS_Semantics.are_operator_effects_consistent op\<^sub>1' op\<^sub>2'" unfolding STRIPS_Semantics.are_operator_effects_consistent_def list_ex_iff using calculation(2, 3, 7) by meson ultimately show False using assms(3) op\<^sub>1'_in_ops' op\<^sub>2'_in_ops' unfolding STRIPS_Semantics.are_all_operator_effects_consistent_def list_all_iff by blast qed } note nb\<^sub>3 = this { fix op\<^sub>1 op\<^sub>2 assume op\<^sub>1_in_ops: "op\<^sub>1 \ set ?ops" and op\<^sub>2_in_ops: "op\<^sub>2 \ set ?ops" moreover have op\<^sub>1_in_operators_of_\: "op\<^sub>1 \ set ((\)\<^sub>\\<^sub>+)" and op\<^sub>2_in_operators_of_\: "op\<^sub>2 \ set ((\)\<^sub>\\<^sub>+)" using to_sas_plus_list_of_transformed_sas_plus_problem_operators_structure[OF assms(1, 2)] calculation by blast+ moreover have is_valid_operator_op\<^sub>1: "is_valid_operator_sas_plus \ op\<^sub>1" and is_valid_operator_op\<^sub>2: "is_valid_operator_sas_plus \ op\<^sub>2" using is_valid_problem_sas_plus_then(2) op\<^sub>1_in_operators_of_\ op\<^sub>2_in_operators_of_\ assms(1) unfolding is_valid_operator_sas_plus_def by auto+ moreover obtain op\<^sub>1' op\<^sub>2' where op\<^sub>1_in_ops': "op\<^sub>1' \ set ops'" and op\<^sub>1_is: "op\<^sub>1' = \\<^sub>O \ op\<^sub>1" and op\<^sub>2_in_ops': "op\<^sub>2' \ set ops'" and op\<^sub>2_is: "op\<^sub>2' = 
\\<^sub>O \ op\<^sub>2" using to_sas_plus_list_of_transformed_sas_plus_problem_operators_structure[OF assms(1, 2)] op\<^sub>1_in_ops op\<^sub>2_in_ops by blast \ \ TODO slow.\ ultimately have "\(v, a) \ set (add_effects_of op\<^sub>1'). \(v', a') \ set (add_effects_of op\<^sub>2'). v \ v' \ a = a'" using nb\<^sub>3 by auto hence "are_operator_effects_consistent op\<^sub>1 op\<^sub>2" using op\<^sub>1_is op\<^sub>2_is unfolding are_operator_effects_consistent_def sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def list_all_iff Let_def by simp } thus ?thesis unfolding are_all_operator_effects_consistent_def list_all_iff by fast qed \ \ A technical lemmas used in \sas_plus_equivalent_to_strips_i_a\ showing that the execution precondition is linear w.r.t. to STRIPS transformation to SAS+. The second premise states that the given STRIPS state corresponds to a consistent SAS+ state (i.e. no two assignments of the same variable to different values exist). \ (* \<^item> TODO make private. \<^item> TODO decrement suffix *) lemma sas_plus_equivalent_to_strips_i_a_IV: assumes "is_valid_problem_sas_plus \" and "set ops' \ set ((\ \)\<^sub>\)" and "STRIPS_Semantics.are_all_operators_applicable (\\<^sub>S \ s) ops' \ STRIPS_Semantics.are_all_operator_effects_consistent ops'" shows "are_all_operators_applicable_in (\\<^sub>S\ \ (\\<^sub>S \ s)) [\\<^sub>O\ \ op'. op' \ ops'] \ are_all_operator_effects_consistent [\\<^sub>O\ \ op'. op' \ ops']" proof - let ?\ = "\ \" and ?s' = "\\<^sub>S \ s" let ?vs' = "strips_problem.variables_of ?\" and ?ops' = "strips_problem.operators_of ?\" and ?vs = "variables_of \" and ?D = "range_of \" and ?s = "\\<^sub>S\ \ ?s'" and ?ops = "[\\<^sub>O\ \ op'. op' \ ops']" have nb: "\(v, a) \ dom ?s'. \(v, a') \ dom (\\<^sub>S \ s). 
?s' (v, a) = Some True \ ?s' (v, a') = Some True \ (v, a) = (v, a')" using state_to_strips_state_effect_consistent[OF assms(1)] by blast { have "STRIPS_Semantics.are_all_operators_applicable ?s' ops'" using assms(3) by simp moreover have "list_all (\op. map_of (precondition_of op) \\<^sub>m ?s) ?ops" using sas_plus_equivalent_to_strips_i_a_I[OF assms(1) assms(2)] calculation unfolding list_all_iff by blast moreover have "list_all (\op. list_all (are_operator_effects_consistent op) ?ops) ?ops" using sas_plus_equivalent_to_strips_i_a_II assms nb unfolding are_all_operator_effects_consistent_def is_valid_operator_sas_plus_def list_all_iff by blast ultimately have "are_all_operators_applicable_in ?s ?ops" unfolding are_all_operators_applicable_in_def is_operator_applicable_in_def list_all_iff by argo } moreover have "are_all_operator_effects_consistent ?ops" using sas_plus_equivalent_to_strips_i_a_II assms nb by simp ultimately show ?thesis by simp qed (* TODO: \<^item> prune premises + make private. \<^item> decrement suffixes *) lemma sas_plus_equivalent_to_strips_i_a_VI: assumes "is_valid_problem_sas_plus \" and "dom s \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom s. the (s v) \ \\<^sub>+ \ v" and "set ops' \ set ((\ \)\<^sub>\)" and "are_all_operators_applicable_in s [\\<^sub>O\ \ op'. op' \ ops'] \ are_all_operator_effects_consistent [\\<^sub>O\ \ op'. op' \ ops']" shows "STRIPS_Semantics.are_all_operators_applicable (\\<^sub>S \ s) ops'" proof - let ?vs = "variables_of \" and ?D = "range_of \" and ?\ = "\ \" and ?ops = "[\\<^sub>O\ \ op'. op' \ ops']" and ?s' = "\\<^sub>S \ s" \ \ TODO refactor. 
\ { fix op' assume "op' \ set ops'" moreover obtain op where "op \ set ?ops" and "op = \\<^sub>O\ \ op'" using calculation by force moreover obtain op'' where "op'' \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op''" using assms(4) calculation(1) by auto moreover have "is_valid_operator_sas_plus \ op''" using is_valid_problem_sas_plus_then(2) assms(1) calculation(4) unfolding is_valid_operator_sas_plus_def by auto moreover have "op = op''" using sas_plus_operator_inverse_is[OF assms(1)] calculation(3, 4, 5) by blast ultimately have "\op \ set ?ops. op \ set ?ops \ op = (\\<^sub>O\ \ op') \ is_valid_operator_sas_plus \ op" by blast } note nb\<^sub>1 = this have nb\<^sub>2: "\(v, a) \ dom ?s'. \(v, a') \ dom ?s'. ?s' (v, a) = Some True \ ?s' (v, a') = Some True \ (v, a) = (v, a')" using state_to_strips_state_effect_consistent[OF assms(1), of _ _ s] by blast { fix op assume "op \ set ?ops" hence "map_of (precondition_of op) \\<^sub>m s" using assms(5) unfolding are_all_operators_applicable_in_def is_operator_applicable_in_def list_all_iff by blast } note nb\<^sub>3 = this { fix op' assume "op' \ set ops'" then obtain op where op_in_ops: "op \ set ?ops" and op_is: "op = (\\<^sub>O\ \ op')" and is_valid_operator_op: "is_valid_operator_sas_plus \ op" using nb\<^sub>1 by force moreover have preconditions_are_consistent: "\(v, a) \ set (precondition_of op). \(v', a') \ set (precondition_of op). 
v \ v' \ a = a'" using is_valid_operator_sas_plus_then(5) calculation(3) unfolding is_valid_operator_sas_plus_def by fast moreover { fix v a assume "(v, a) \ set (strips_operator.precondition_of op')" moreover have v_a_in_precondition_of_op: "(v, a) \ set (precondition_of op)" using op_is calculation unfolding SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def by auto moreover have "map_of (precondition_of op) v = Some a" using map_of_constant_assignments_defined_if[OF preconditions_are_consistent calculation(2)] by blast moreover have s_of_v_is: "s v = Some a" using nb\<^sub>3[OF op_in_ops] calculation(3) unfolding map_le_def by force moreover have "v \ set ((\)\<^sub>\\<^sub>+)" and "a \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then(1, 2) is_valid_operator_op v_a_in_precondition_of_op unfolding is_valid_operator_sas_plus_def SAS_Plus_Representation.is_valid_operator_sas_plus_def Let_def list_all_iff ListMem_iff by auto+ moreover have "(v, a) \ dom ?s'" using state_to_strips_state_dom_is[OF assms(1)] s_of_v_is calculation by simp moreover have "(\\<^sub>S\ \ ?s') v = Some a" using strips_state_to_state_inverse_is[OF assms(1, 2, 3)] s_of_v_is by argo \ \ TODO slow. \ ultimately have "?s' (v, a) = Some True" using strips_state_to_state_range_is[OF assms(1)] nb\<^sub>2 by auto } ultimately have "\(v, a) \ set (strips_operator.precondition_of op'). ?s' (v, a) = Some True" by fast } thus ?thesis unfolding are_all_operators_applicable_def is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def list_all_iff by simp qed (* TODO Prune premises. *) lemma sas_plus_equivalent_to_strips_i_a_VII: assumes "is_valid_problem_sas_plus \" and "dom s \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom s. the (s v) \ \\<^sub>+ \ v" and "set ops' \ set ((\ \)\<^sub>\)" and "are_all_operators_applicable_in s [\\<^sub>O\ \ op'. op' \ ops'] \ are_all_operator_effects_consistent [\\<^sub>O\ \ op'. 
op' \ ops']" shows "STRIPS_Semantics.are_all_operator_effects_consistent ops'" proof - let ?s' = "\\<^sub>S \ s" and ?ops = "[\\<^sub>O\ \ op'. op' \ ops']" and ?D = "range_of \" and ?\ = "\ \" \ \ TODO refactor. \ { fix op' assume "op' \ set ops'" moreover obtain op where "op \ set ?ops" and "op = \\<^sub>O\ \ op'" using calculation by force moreover obtain op'' where "op'' \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op''" using assms(4) calculation(1) by auto moreover have "is_valid_operator_sas_plus \ op''" using is_valid_problem_sas_plus_then(2) assms(1) calculation(4) unfolding is_valid_operator_sas_plus_def by auto moreover have "op = op''" using sas_plus_operator_inverse_is[OF assms(1)] calculation(3, 4, 5) by blast ultimately have "\op \ set ?ops. op \ set ?ops \ op' = (\\<^sub>O \ op) \ is_valid_operator_sas_plus \ op" by blast } note nb\<^sub>1 = this { fix op\<^sub>1' op\<^sub>2' assume "op\<^sub>1' \ set ops'" and "op\<^sub>2' \ set ops'" and "\(v, a) \ set (add_effects_of op\<^sub>1'). \(v', a') \ set (delete_effects_of op\<^sub>2'). (v, a) = (v', a')" moreover obtain op\<^sub>1 op\<^sub>2 where "op\<^sub>1 \ set ?ops" and "op\<^sub>1' = \\<^sub>O \ op\<^sub>1" and "is_valid_operator_sas_plus \ op\<^sub>1" and "op\<^sub>2 \ set ?ops" and "op\<^sub>2' = \\<^sub>O \ op\<^sub>2" and is_valid_op\<^sub>2: "is_valid_operator_sas_plus \ op\<^sub>2" using nb\<^sub>1 calculation(1, 2) by meson moreover obtain v v' a a' where "(v, a) \ set (add_effects_of op\<^sub>1')" and "(v', a') \ set (delete_effects_of op\<^sub>2')" and "(v, a) = (v', a')" using calculation by blast moreover have "(v, a) \ set (effect_of op\<^sub>1)" using calculation(5, 10) unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by fastforce moreover have "v = v'" and "a = a'" using calculation(12) by simp+ \ \ The next proof block shows that \(v', a')\ is constructed from an effect \(v'', a'')\ s.t. \a' \ a''\. \ moreover { (* TODO slow. 
*) have "(v', a') \ (\(v'', a'') \ set (effect_of op\<^sub>2). { (v'', a''') | a'''. a''' \ (\\<^sub>+ \ v'') \ a''' \ a'' })" using sasp_op_to_strips_set_delete_effects_is calculation(8, 11) is_valid_op\<^sub>2 by blast then obtain v'' a'' where "(v'', a'') \ set (effect_of op\<^sub>2)" and "(v', a') \ { (v'', a''') | a'''. a''' \ (\\<^sub>+ \ v'') \ a''' \ a'' }" by blast moreover have "(v', a'') \ set (effect_of op\<^sub>2)" using calculation by blast moreover have "a' \ \\<^sub>+ \ v''" and "a' \ a''" using calculation(1, 2) by fast+ ultimately have "\a''. (v', a'') \ set (effect_of op\<^sub>2) \ a' \ (\\<^sub>+ \ v') \ a' \ a''" by blast } moreover obtain a'' where "(v', a'') \ set (effect_of op\<^sub>2)" and "a' \ \\<^sub>+ \ v'" and "a' \ a''" using calculation(16) by blast moreover have "\(v, a) \ set (effect_of op\<^sub>1). (\(v', a') \ set (effect_of op\<^sub>2). v = v' \ a \ a')" using calculation(13, 14, 15, 17, 19) by blast moreover have "\are_operator_effects_consistent op\<^sub>1 op\<^sub>2" unfolding are_operator_effects_consistent_def list_all_iff using calculation(20) by fastforce ultimately have "\are_all_operator_effects_consistent ?ops" unfolding are_all_operator_effects_consistent_def list_all_iff by meson } note nb\<^sub>2 = this { fix op\<^sub>1' op\<^sub>2' assume op\<^sub>1'_in_ops: "op\<^sub>1' \ set ops'" and op\<^sub>2'_in_ops: "op\<^sub>2' \ set ops'" have "STRIPS_Semantics.are_operator_effects_consistent op\<^sub>1' op\<^sub>2'" proof (rule ccontr) assume "\STRIPS_Semantics.are_operator_effects_consistent op\<^sub>1' op\<^sub>2'" then consider (A) "\(v, a) \ set (add_effects_of op\<^sub>1'). \(v', a') \ set (delete_effects_of op\<^sub>2'). (v, a) = (v', a')" | (B) "\(v, a) \ set (add_effects_of op\<^sub>2'). \(v', a') \ set (delete_effects_of op\<^sub>1'). 
(v, a) = (v', a')" unfolding STRIPS_Semantics.are_operator_effects_consistent_def list_ex_iff by fastforce thus False using nb\<^sub>2[OF op\<^sub>1'_in_ops op\<^sub>2'_in_ops] nb\<^sub>2[OF op\<^sub>2'_in_ops op\<^sub>1'_in_ops] assms(5) by (cases, argo, force) qed } thus ?thesis unfolding STRIPS_Semantics.are_all_operator_effects_consistent_def STRIPS_Semantics.are_operator_effects_consistent_def list_all_iff by blast qed lemma sas_plus_equivalent_to_strips_i_a_VIII: assumes "is_valid_problem_sas_plus \" and "dom s \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom s. the (s v) \ \\<^sub>+ \ v" and "set ops' \ set ((\ \)\<^sub>\)" and "are_all_operators_applicable_in s [\\<^sub>O\ \ op'. op' \ ops'] \ are_all_operator_effects_consistent [\\<^sub>O\ \ op'. op' \ ops']" shows "STRIPS_Semantics.are_all_operators_applicable (\\<^sub>S \ s) ops' \ STRIPS_Semantics.are_all_operator_effects_consistent ops'" using sas_plus_equivalent_to_strips_i_a_VI sas_plus_equivalent_to_strips_i_a_VII assms by fastforce (* TODO refactor. *) lemma sas_plus_equivalent_to_strips_i_a_IX: assumes "dom s \ V" and "\op \ set ops. \(v, a) \ set (effect_of op). v \ V" shows "dom (execute_parallel_operator_sas_plus s ops) \ V" proof - show ?thesis using assms proof (induction ops arbitrary: s) case Nil then show ?case unfolding execute_parallel_operator_sas_plus_def by simp next case (Cons op ops) let ?s' = "s ++ map_of (effect_of op)" \ \ TODO Wrap IH instantiation in block. \ { have "\(v, a) \ set (effect_of op). v \ V" using Cons.prems(2) by fastforce moreover have "fst ` set (effect_of op) \ V" using calculation by fastforce ultimately have "dom ?s' \ V" unfolding dom_map_add dom_map_of_conv_image_fst using Cons.prems(1) by blast } moreover have "\op \ set ops. \(v, a) \ set (effect_of op). v \ V" using Cons.prems(2) by fastforce ultimately have "dom (execute_parallel_operator_sas_plus ?s' ops) \ V" using Cons.IH[of ?s'] by fast thus ?case unfolding execute_parallel_operator_sas_plus_cons. 
qed qed \ \ NOTE Show that the domain value constraint on states is monotonous w.r.t. to valid operator execution. I.e. if a parallel operator is executed on a state for which the domain value constraint holds, the domain value constraint will also hold on the resultant state. \ (* TODO refactor. TODO Rewrite lemma without domain function, i.e. \set (the (D v)) \ D\ *) lemma sas_plus_equivalent_to_strips_i_a_X: assumes "dom s \ V" and "V \ dom D" and "\v \ dom s. the (s v) \ set (the (D v))" and "\op \ set ops. \(v, a) \ set (effect_of op). v \ V \ a \ set (the (D v))" shows "\v \ dom (execute_parallel_operator_sas_plus s ops). the (execute_parallel_operator_sas_plus s ops v) \ set (the (D v))" proof - show ?thesis using assms proof (induction ops arbitrary: s) case Nil then show ?case unfolding execute_parallel_operator_sas_plus_def by simp next case (Cons op ops) let ?s' = "s ++ map_of (effect_of op)" { { have "\(v, a) \ set (effect_of op). v \ V" using Cons.prems(4) by fastforce moreover have "fst ` set (effect_of op) \ V" using calculation by fastforce ultimately have "dom ?s' \ V" unfolding dom_map_add dom_map_of_conv_image_fst using Cons.prems(1) by blast } moreover { fix v assume v_in_dom_s': "v \ dom ?s'" hence "the (?s' v) \ set (the (D v))" proof (cases "v \ dom (map_of (effect_of op))") case True moreover have "?s' v = (map_of (effect_of op)) v" unfolding map_add_dom_app_simps(1)[OF True] by blast moreover obtain a where "(map_of (effect_of op)) v = Some a" using calculation(1) by fast moreover have "(v, a) \ set (effect_of op)" using map_of_SomeD calculation(3) by fast moreover have "a \ set (the (D v))" using Cons.prems(4) calculation(4) by fastforce ultimately show ?thesis by force next case False then show ?thesis unfolding map_add_dom_app_simps(3)[OF False] using Cons.prems(3) v_in_dom_s' by fast qed } moreover have "\op \ set ops. \(v, a) \ set (effect_of op). 
v \ V \ a \ set (the (D v))" using Cons.prems(4) by auto ultimately have "\v \ dom (execute_parallel_operator_sas_plus ?s' ops). the (execute_parallel_operator_sas_plus ?s' ops v) \ set (the (D v))" using Cons.IH[of "s ++ map_of (effect_of op)", OF _ Cons.prems(2)] by meson } thus ?case unfolding execute_parallel_operator_sas_plus_cons by blast qed qed lemma transfom_sas_plus_problem_to_strips_problem_operators_valid: assumes "is_valid_problem_sas_plus \" and "op' \ set ((\ \)\<^sub>\)" obtains op where "op \ set ((\)\<^sub>\\<^sub>+)" and "op' = (\\<^sub>O \ op)" "is_valid_operator_sas_plus \ op" proof - { obtain op where "op \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op" using assms by auto moreover have "is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) assms(1) calculation(1) by auto ultimately have "\op \ set ((\)\<^sub>\\<^sub>+). op' = (\\<^sub>O \ op) \ is_valid_operator_sas_plus \ op" by blast } thus ?thesis using that by blast qed lemma sas_plus_equivalent_to_strips_i_a_XI: assumes "is_valid_problem_sas_plus \" and "op' \ set ((\ \)\<^sub>\)" shows "(\\<^sub>S \ s) ++ map_of (effect_to_assignments op') = \\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ op')))" proof - let ?\ = "\ \" let ?vs = "variables_of \" and?ops = "operators_of \" and ?ops' = "strips_problem.operators_of ?\" let ?s' = "\\<^sub>S \ s" let ?t = "?s' ++ map_of (effect_to_assignments op')" and ?t' = "\\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ op')))" obtain op where op'_is: "op' = (\\<^sub>O \ op)" and op_in_ops: "op \ set ((\)\<^sub>\\<^sub>+)" and is_valid_operator_op: "is_valid_operator_sas_plus \ op" using transfom_sas_plus_problem_to_strips_problem_operators_valid[OF assms] by auto have nb\<^sub>1: "(\\<^sub>O\ \ op') = op" using sas_plus_operator_inverse_is[OF assms(1)] op'_is op_in_ops by blast \ \ TODO refactor. \ { (*have "fst ` set (effect_to_assignments op') \ fst ` ((\v. (v, True)) ` set (add_effects_of op') \ (\v. 
(v, False)) ` set (delete_effects_of op'))" by auto then*) have "dom (map_of (effect_to_assignments op')) = set (strips_operator.add_effects_of op') \ set (strips_operator.delete_effects_of op')" unfolding dom_map_of_conv_image_fst by force \ \ TODO slow.\ also have "\ = set (effect_of op) \ set (strips_operator.delete_effects_of op')" using op'_is unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by auto \ \ TODO slow.\ finally have "dom (map_of (effect_to_assignments op')) = set (effect_of op) \ (\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" using sasp_op_to_strips_set_delete_effects_is[OF is_valid_operator_op] op'_is by argo } note nb\<^sub>2 = this have nb\<^sub>3: "dom ?t = dom ?s' \ set (effect_of op) \ (\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" unfolding nb\<^sub>2 dom_map_add by blast \ \ TODO refactor. \ have nb\<^sub>4: "dom (s ++ map_of (effect_of (\\<^sub>O\ \ op'))) = dom s \ fst ` set (effect_of op)" unfolding dom_map_add dom_map_of_conv_image_fst nb\<^sub>1 by fast { let ?u = "s ++ map_of (effect_of (\\<^sub>O\ \ op'))" have "dom ?t' = (\v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ ?u v \ None }. { (v, a) | a. a \ \\<^sub>+ \ v })" using state_to_strips_state_dom_is[OF assms(1)] by presburger } note nb\<^sub>5 = this \ \ TODO refactor. \ have nb\<^sub>6: "set (add_effects_of op') = set (effect_of op)" using op'_is unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def by auto \ \ TODO refactor. \ have nb\<^sub>7: "set (delete_effects_of op') = (\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" using sasp_op_to_strips_set_delete_effects_is[OF is_valid_operator_op] op'_is by argo \ \ TODO refactor. \ { let ?Add = "set (effect_of op)" let ?Delete = "(\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" have dom_add: "dom (map_of (map (\v. 
(v, True)) (add_effects_of op'))) = ?Add" unfolding dom_map_of_conv_image_fst set_map image_comp comp_apply using nb\<^sub>6 by simp have dom_delete: "dom (map_of (map (\v. (v, False)) (delete_effects_of op'))) = ?Delete" unfolding dom_map_of_conv_image_fst set_map image_comp comp_apply using nb\<^sub>7 by auto { { fix v a assume v_a_in_dom_add: "(v, a) \ dom (map_of (map (\v. (v, True)) (add_effects_of op')))" have "(v, a) \ dom (map_of (map (\v. (v, False)) (delete_effects_of op')))" proof (rule ccontr) assume "\((v, a) \ dom (map_of (map (\v. (v, False)) (delete_effects_of op'))))" then have "(v, a) \ ?Delete" and "(v, a) \ ?Add" using dom_add dom_delete v_a_in_dom_add by argo+ moreover have "\(v', a') \ ?Add. v \ v' \ a = a'" using is_valid_operator_sas_plus_then(6) is_valid_operator_op calculation(2) unfolding is_valid_operator_sas_plus_def by fast ultimately show False by fast qed } hence "disjnt (dom (map_of (map (\v. (v, True)) (add_effects_of op')))) (dom (map_of (map (\v. (v, False)) (delete_effects_of op'))))" unfolding disjnt_def Int_def using nb\<^sub>7 by simp } hence "dom (map_of (map (\v. (v, True)) (add_effects_of op'))) = ?Add" and "dom (map_of (map (\v. (v, False)) (delete_effects_of op'))) = ?Delete" and "disjnt (dom (map_of (map (\v. (v, True)) (add_effects_of op')))) (dom (map_of (map (\v. (v, False)) (delete_effects_of op'))))" using dom_add dom_delete by blast+ } note nb\<^sub>8 = this \ \ TODO refactor. \ { let ?Add = "set (effect_of op)" let ?Delete = "(\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" \ \ TODO slow.\ have "\(v, a) \ ?Add. map_of (effect_to_assignments op') (v, a) = Some True" and "\(v, a) \ ?Delete. map_of (effect_to_assignments op') (v, a) = Some False" proof - { fix v a assume "(v, a) \ ?Add" hence "map_of (effect_to_assignments op') (v, a) = Some True" unfolding effect_to_assignments_simp using nb\<^sub>6 map_of_defined_if_constructed_from_list_of_constant_assignments[of "map (\v. 
(v, True)) (add_effects_of op')" True "add_effects_of op'"] by force } moreover { fix v a assume "(v, a) \ ?Delete" moreover have "(v, a) \ dom (map_of (map (\v. (v, False)) (delete_effects_of op')))" using nb\<^sub>8(2) calculation(1) by argo moreover have "(v, a) \ dom (map_of (map (\v. (v, True)) (add_effects_of op')))" using nb\<^sub>8 unfolding disjnt_def using calculation(1) by blast moreover have "map_of (effect_to_assignments op') (v, a) = map_of (map (\v. (v, False)) (delete_effects_of op')) (v, a)" unfolding effect_to_assignments_simp map_of_append using map_add_dom_app_simps(3)[OF calculation(3)] by presburger \ \ TODO slow. \ ultimately have "map_of (effect_to_assignments op') (v, a) = Some False" using map_of_defined_if_constructed_from_list_of_constant_assignments[ of "map (\v. (v, False)) (delete_effects_of op')" False "delete_effects_of op'"] nb\<^sub>7 by auto } ultimately show "\(v, a) \ ?Add. map_of (effect_to_assignments op') (v, a) = Some True" and "\(v, a) \ ?Delete. map_of (effect_to_assignments op') (v, a) = Some False" by blast+ qed } note nb\<^sub>9 = this { fix v a assume "(v, a) \ set (effect_of op)" moreover have "\(v, a) \ set (effect_of op). \(v', a') \ set (effect_of op). 
v \ v' \ a = a'" using is_valid_operator_sas_plus_then is_valid_operator_op unfolding is_valid_operator_sas_plus_def by fast ultimately have "map_of (effect_of op) v = Some a" using map_of_constant_assignments_defined_if[of "effect_of op"] by presburger } note nb\<^sub>1\<^sub>0 = this { fix v a assume v_a_in_effect_of_op: "(v, a) \ set (effect_of op)" and "(s ++ map_of (effect_of (\\<^sub>O\ \ op'))) v \ None" moreover have "v \ set ?vs" using is_valid_operator_op is_valid_operator_sas_plus_then(3) calculation(1) by fastforce moreover { have "is_valid_problem_strips ?\" using is_valid_problem_sas_plus_then_strips_transformation_too assms(1) by blast thm calculation(1) nb\<^sub>6 assms(2) moreover have "set (add_effects_of op') \ set ((?\)\<^sub>\)" using assms(2) is_valid_problem_strips_operator_variable_sets(2) calculation by blast moreover have "(v, a) \ set ((?\)\<^sub>\)" using v_a_in_effect_of_op nb\<^sub>6 calculation(2) by blast ultimately have "a \ \\<^sub>+ \ v" using sas_plus_problem_to_strips_problem_variable_set_element_iff[OF assms(1)] by fast } \ \ TODO slow. 
\ ultimately have "(v, a) \ dom (\\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ op'))))" using state_to_strips_state_dom_is[OF assms(1), of "s ++ map_of (effect_of (\\<^sub>O\ \ op'))"] by simp } note nb\<^sub>1\<^sub>1 = this { fix v a assume "(v, a) \ set (effect_of op)" moreover have "v \ dom (map_of (effect_of op))" unfolding dom_map_of_conv_image_fst using calculation by force moreover have "(s ++ map_of (effect_of (\\<^sub>O\ \ op'))) v = Some a" unfolding map_add_dom_app_simps(1)[OF calculation(2)] nb\<^sub>1 using nb\<^sub>1\<^sub>0 calculation(1) by blast moreover have "(s ++ map_of (effect_of (\\<^sub>O\ \ op'))) v \ None" using calculation(3) by auto moreover have "(v, a) \ dom (\\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ op'))))" using nb\<^sub>1\<^sub>1 calculation(1, 4) by presburger ultimately have "(\\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ op')))) (v, a) = Some True" using state_to_strips_state_range_is[OF assms(1)] by simp } note nb\<^sub>1\<^sub>2 = this { fix v a' assume "(v, a') \ dom (map_of (effect_to_assignments op'))" and "(v, a') \ (\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" moreover have "v \ dom (map_of (effect_of op))" unfolding dom_map_of_conv_image_fst using calculation(2) by force moreover have "v \ set ?vs" using calculation(3) is_valid_operator_sas_plus_then(3) is_valid_operator_op unfolding dom_map_of_conv_image_fst is_valid_operator_sas_plus_def by fastforce moreover obtain a where "(v, a) \ set (effect_of op)" and "a' \ \\<^sub>+ \ v" and "a' \ a" using calculation(2) by blast moreover have "(s ++ map_of (effect_of (\\<^sub>O\ \ op'))) v = Some a" unfolding map_add_dom_app_simps(1)[OF calculation(3)] nb\<^sub>1 using nb\<^sub>1\<^sub>0 calculation(5) by blast moreover have "(s ++ map_of (effect_of (\\<^sub>O\ \ op'))) v \ None" using calculation(8) by auto \ \ TODO slow. 
\ moreover have "(v, a') \ dom (\\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ op'))))" using state_to_strips_state_dom_is[OF assms(1), of "s ++ map_of (effect_of (\\<^sub>O\ \ op'))"] calculation(4, 6, 9) by simp \ \ TODO slow. \ ultimately have "(\\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ op')))) (v, a') = Some False" using state_to_strips_state_range_is[OF assms(1), of v a' "s ++ map_of (effect_of (\\<^sub>O\ \ op'))"] by simp } note nb\<^sub>1\<^sub>3 = this { fix v a assume "(v, a) \ dom ?t" and "(v, a) \ dom (map_of (effect_to_assignments op'))" moreover have "(v, a) \ dom ?s'" using calculation(1, 2) unfolding dom_map_add by blast moreover have "?t (v, a) = ?s' (v, a)" unfolding map_add_dom_app_simps(3)[OF calculation(2)].. ultimately have "?t (v, a) = Some (the (s v) = a)" using state_to_strips_state_range_is[OF assms(1)] by presburger } note nb\<^sub>1\<^sub>4 = this { fix v a assume "(v, a) \ dom ?t" and v_a_not_in: "(v, a) \ dom (map_of (effect_to_assignments op'))" moreover have "(v, a) \ dom ?s'" using calculation(1, 2) unfolding dom_map_add by blast moreover have "(v, a) \ (\ v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }. { (v, a) | a. a \ \\<^sub>+ \ v })" using state_to_strips_state_dom_is[OF assms(1)] calculation(3) by presburger moreover have "v \ set ((\)\<^sub>\\<^sub>+)" and "s v \ None" and "a \ \\<^sub>+ \ v" using calculation(4) by blast+ \ \ NOTE Hasn't this been proved before? \ moreover { have "dom (map_of (effect_to_assignments op')) = (\(v, a) \ set (effect_of op). { (v, a) }) \ (\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" unfolding nb\<^sub>2 by blast also have "\ = (\(v, a) \ set (effect_of op). { (v, a) } \ { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" by blast finally have "dom (map_of (effect_to_assignments op')) = (\(v, a) \ set (effect_of op). { (v, a) } \ { (v, a) | a. a \ \\<^sub>+ \ v })" by auto then have "(v, a) \ (\(v, a) \ set (effect_of op). { (v, a) | a. 
a \ \\<^sub>+ \ v })" using v_a_not_in by blast } \ \ TODO slow. \ moreover have "v \ dom (map_of (effect_of op))" using dom_map_of_conv_image_fst calculation by fastforce moreover have "(s ++ map_of (effect_of (\\<^sub>O\ \ op'))) v = s v" unfolding nb\<^sub>1 map_add_dom_app_simps(3)[OF calculation(9)] by simp \ \ TODO slow. \ moreover have "(v, a) \ dom ?t'" using state_to_strips_state_dom_is[OF assms(1), of "s ++ map_of (effect_of (\\<^sub>O\ \ op'))"] calculation(5, 6, 7, 8, 10) by simp ultimately have "?t' (v, a) = Some (the (s v) = a)" using state_to_strips_state_range_is[OF assms(1)] by presburger } note nb\<^sub>1\<^sub>5 = this \ \ TODO refactor. \ have nb\<^sub>1\<^sub>6: "dom ?t = (\ v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None }. { (v, a) | a. a \ (\\<^sub>+ \ v) }) \ set (effect_of op) \ (\(v, a)\set (effect_of op). {(v, a') |a'. a' \ (\\<^sub>+ \ v) \ a' \ a})" unfolding dom_map_add nb\<^sub>2 using state_to_strips_state_dom_is[OF assms(1), of s] by auto { { fix v a assume "(v, a) \ dom ?t" then consider (A) "(v, a) \ dom (\\<^sub>S \ s)" | (B) "(v, a) \ dom (map_of (effect_to_assignments op'))" by fast hence "(v, a) \ dom ?t'" proof (cases) case A then have "v \ set ((\)\<^sub>\\<^sub>+)" and "s v \ None" and "a \ \\<^sub>+ \ v" unfolding state_to_strips_state_dom_element_iff[OF assms(1)] by blast+ thm map_add_None state_to_strips_state_dom_element_iff[OF assms(1)] moreover have "(s ++ map_of (effect_of (\\<^sub>O\ \ op'))) v \ None" using calculation(2) by simp ultimately show ?thesis unfolding state_to_strips_state_dom_element_iff[OF assms(1)] by blast next case B then have "(v, a) \ set (effect_of op) \ (\(v, a)\set (effect_of op). { (v, a') | a'. a' \ \\<^sub>+ \ v \ a' \ a })" unfolding nb\<^sub>2 by blast then consider (B\<^sub>1) "(v, a) \ set (effect_of op)" | (B\<^sub>2) "(v, a) \ (\(v, a)\set (effect_of op). { (v, a') | a'. 
a' \ \\<^sub>+ \ v \ a' \ a })" by blast thm nb\<^sub>1\<^sub>2 nb\<^sub>1\<^sub>3 nb\<^sub>2 thus ?thesis proof (cases) case B\<^sub>1 then show ?thesis using nb\<^sub>1\<^sub>2 by fast next case B\<^sub>2 then show ?thesis using nb\<^sub>1\<^sub>3 B by blast qed qed } moreover { let ?u = "s ++ map_of (effect_of (\\<^sub>O\ \ op'))" fix v a assume v_a_in_dom_t': "(v, a) \ dom ?t'" thm nb\<^sub>5 then have v_in_vs: "v \ set ((\)\<^sub>\\<^sub>+)" and u_of_v_is_not_None: "?u v \ None" and a_in_range_of_v: "a \ \\<^sub>+ \ v" using state_to_strips_state_dom_element_iff[OF assms(1)] v_a_in_dom_t' by meson+ { assume "(v, a) \ dom ?t" then have contradiction: "(v, a) \ (\v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None}. { (v, a) |a. a \ \\<^sub>+ \ v }) \ set (effect_of op) \ (\(v, a)\set (effect_of op). {(v, a') |a'. a' \ \\<^sub>+ \ v \ a' \ a})" unfolding nb\<^sub>1\<^sub>6 by fast hence False proof (cases "map_of (effect_of (\\<^sub>O\ \ op')) v = None") case True then have "s v \ None" using u_of_v_is_not_None by simp then have "(v, a) \ (\v \ { v | v. v \ set ((\)\<^sub>\\<^sub>+) \ s v \ None}. { (v, a) |a. a \ \\<^sub>+ \ v })" using v_in_vs a_in_range_of_v by blast thus ?thesis using contradiction by blast next case False then have "v \ dom (map_of (effect_of op))" using u_of_v_is_not_None nb\<^sub>1 by blast then obtain a' where map_of_effect_of_op_v_is: "map_of (effect_of op) v = Some a'" by blast then have v_a'_in: "(v, a') \ set (effect_of op)" using map_of_SomeD by fast then show ?thesis proof (cases "a = a'") case True then have "(v, a) \ set (effect_of op)" using v_a'_in by blast then show ?thesis using contradiction by blast next case False then have "(v, a) \ (\(v, a)\set (effect_of op). {(v, a') |a'. 
a' \ \\<^sub>+ \ v \ a' \ a})" using v_a'_in calculation a_in_range_of_v by blast thus ?thesis using contradiction by fast qed qed } hence "(v, a) \ dom ?t" by argo } moreover have "dom ?t \ dom ?t'" and "dom ?t' \ dom ?t" subgoal using calculation(1) subrelI[of "dom ?t" "dom ?t'"] by fast subgoal using calculation(2) subrelI[of "dom ?t'" "dom ?t"] by argo done ultimately have "dom ?t = dom ?t'" by force } note nb\<^sub>1\<^sub>7 = this { fix v a assume v_a_in_dom_t: "(v, a) \ dom ?t" hence "?t (v, a) = ?t' (v, a)" proof (cases "(v, a) \ dom (map_of (effect_to_assignments op'))") case True \ \ TODO slow. \ \ \ NOTE Split on the (disjunct) domain variable sets of @{text "map_of (effect_to_assignments op')"}. \ then consider (A1) "(v, a) \ set (effect_of op)" | (A2) "(v, a) \ (\(v, a) \ set (effect_of op). { (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" using nb\<^sub>2 by fastforce then show ?thesis proof (cases) case A1 then have "?t (v, a) = Some True" unfolding map_add_dom_app_simps(1)[OF True] using nb\<^sub>9(1) by fast moreover have "?t' (v, a) = Some True" using nb\<^sub>1\<^sub>2[OF A1]. ultimately show ?thesis.. next case A2 then have "?t (v, a) = Some False" unfolding map_add_dom_app_simps(1)[OF True] using nb\<^sub>9(2) by blast moreover have "?t' (v, a) = Some False" using nb\<^sub>1\<^sub>3[OF True A2]. ultimately show ?thesis.. qed next case False moreover have "?t (v, a) = Some (the (s v) = a)" using nb\<^sub>1\<^sub>4[OF v_a_in_dom_t False]. moreover have "?t' (v, a) = Some (the (s v) = a)" using nb\<^sub>1\<^sub>5[OF v_a_in_dom_t False]. 
ultimately show ?thesis by argo qed } note nb\<^sub>1\<^sub>8 = this moreover { fix v a assume "(v, a) \ dom ?t'" hence "?t (v, a) = ?t' (v, a)" using nb\<^sub>1\<^sub>7 nb\<^sub>1\<^sub>8 by presburger } \ \ TODO slow.\ ultimately have "?t \\<^sub>m ?t'" and "?t' \\<^sub>m ?t" unfolding map_le_def by fastforce+ thus ?thesis using map_le_antisym[of ?t ?t'] by fast qed \ \ NOTE This is the essential step in the SAS+/STRIPS equivalence theorem. We show that executing a given parallel STRIPS operator @{text "ops'"} on the corresponding STRIPS state @{text "s' = \\<^sub>S \ s"} yields the same state as executing the transformed SAS+ parallel operator @{text "ops = [\\<^sub>O\ (\ \) op'. op' \ ops']"} on the original SAS+ state @{text "s"} and the transforming the resultant SAS+ state to its corresponding STRIPS state. \ (* TODO refactor. *) lemma sas_plus_equivalent_to_strips_i_a_XII: assumes "is_valid_problem_sas_plus \" and "\op' \ set ops'. op' \ set ((\ \)\<^sub>\)" shows "execute_parallel_operator (\\<^sub>S \ s) ops' = \\<^sub>S \ (execute_parallel_operator_sas_plus s [\\<^sub>O\ \ op'. op' \ ops'])" using assms proof (induction ops' arbitrary: s) case Nil then show ?case unfolding execute_parallel_operator_def execute_parallel_operator_sas_plus_def by simp next case (Cons op' ops') let ?\ = "\ \" let ?t' = "(\\<^sub>S \ s) ++ map_of (effect_to_assignments op')" and ?t = "s ++ map_of (effect_of (\\<^sub>O\ \ op'))" have nb\<^sub>1: "?t' = \\<^sub>S \ ?t" using sas_plus_equivalent_to_strips_i_a_XI[OF assms(1)] Cons.prems(2) by force { have "\op' \ set ops'. op' \ set (strips_problem.operators_of ?\)" using Cons.prems(2) by simp then have "execute_parallel_operator (\\<^sub>S \ ?t) ops' = \\<^sub>S \ (execute_parallel_operator_sas_plus ?t [\\<^sub>O\ \ x. x \ ops'])" using Cons.IH[OF Cons.prems(1), of ?t] by fastforce hence "execute_parallel_operator ?t' ops' = \\<^sub>S \ (execute_parallel_operator_sas_plus ?t [\\<^sub>O\ \ x. 
x \ ops'])" using nb\<^sub>1 by argo } thus ?case by simp qed lemma sas_plus_equivalent_to_strips_i_a_XIII: assumes "is_valid_problem_sas_plus \" and "\op' \ set ops'. op' \ set ((\ \)\<^sub>\)" and "(\\<^sub>S \ G) \\<^sub>m execute_parallel_plan (execute_parallel_operator (\\<^sub>S \ I) ops') \" shows "(\\<^sub>S \ G) \\<^sub>m execute_parallel_plan (\\<^sub>S \ (execute_parallel_operator_sas_plus I [\\<^sub>O\ \ op'. op' \ ops'])) \" proof - let ?I' = "(\\<^sub>S \ I)" and ?G' = "\\<^sub>S \ G" and ?ops = "[\\<^sub>O\ \ op'. op' \ ops']" and ?\ = "\ \" let ?J = "execute_parallel_operator_sas_plus I ?ops" { fix v a assume "(v, a) \ dom ?G'" then have "?G' (v, a) = execute_parallel_plan (execute_parallel_operator ?I' ops') \ (v, a)" using assms(3) unfolding map_le_def by auto hence "?G' (v, a) = execute_parallel_plan (\\<^sub>S \ ?J) \ (v, a)" using sas_plus_equivalent_to_strips_i_a_XII[OF assms(1, 2)] by simp } thus ?thesis unfolding map_le_def by fast qed \ \ NOTE This is a more abstract formulation of the proposition in \sas_plus_equivalent_to_strips_i\ which is better suited for induction proofs. We essentially claim that given a plan the execution in STRIPS semantics of which solves the problem of reaching a -transformed goal state \\\<^sub>S \ G\ from a transformed initial state \\\<^sub>S \ I\—such as -the goal and initial state of an induced STRIPS problem for a SAS+ problem—is equivalent to an +transformed goal state \\\<^sub>S \ G\ from a transformed initial state \\\<^sub>S \ I\---such as +the goal and initial state of an induced STRIPS problem for a SAS+ problem---is equivalent to an execution in SAS+ semantics of the transformed plan \\\<^sub>P\ (\ \) \\ w.r.t to the original initial state \I\ and original goal state \G\. \ lemma sas_plus_equivalent_to_strips_i_a: assumes "is_valid_problem_sas_plus \" and "dom I \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom I. the (I v) \ \\<^sub>+ \ v" and "dom G \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom G. 
the (G v) \ \\<^sub>+ \ v" and "\ops' \ set \. \op' \ set ops'. op' \ set ((\ \)\<^sub>\)" and "(\\<^sub>S \ G) \\<^sub>m execute_parallel_plan (\\<^sub>S \ I) \" shows "G \\<^sub>m execute_parallel_plan_sas_plus I (\\<^sub>P\ \ \)" proof - let ?vs = "variables_of \" and ?\ = "\\<^sub>P\ \ \" show ?thesis using assms proof (induction \ arbitrary: I) case Nil then have "(\\<^sub>S \ G) \\<^sub>m (\\<^sub>S \ I)" by fastforce then have "G \\<^sub>m I" using state_to_strips_state_map_le_iff[OF assms(1, 4, 5)] by blast thus ?case unfolding SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def strips_parallel_plan_to_sas_plus_parallel_plan_def by fastforce next case (Cons ops' \) let ?D = "range_of \" and ?\ = "\ \" and ?I' = "\\<^sub>S \ I" and ?G' = "\\<^sub>S \ G" let ?ops = "[\\<^sub>O\ \ op'. op' \ ops']" let ?J = "execute_parallel_operator_sas_plus I ?ops" and ?J' = "execute_parallel_operator ?I' ops'" have nb\<^sub>1: "set ops' \ set ((?\)\<^sub>\)" using Cons.prems(6) unfolding STRIPS_Semantics.is_parallel_solution_for_problem_def list_all_iff ListMem_iff by fastforce { fix op assume "op \ set ?ops" moreover obtain op' where "op' \ set ops'" and "op = \\<^sub>O\ \ op'" using calculation by auto moreover have "op' \ set ((?\)\<^sub>\)" using nb\<^sub>1 calculation(2) by blast moreover obtain op'' where "op'' \ set ((\)\<^sub>\\<^sub>+)" and "op' = \\<^sub>O \ op''" using calculation(4) by auto moreover have "op = op''" using sas_plus_operator_inverse_is[OF assms(1) calculation(5)] calculation(3, 6) by presburger ultimately have "op \ set ((\)\<^sub>\\<^sub>+) \ (\op' \ set ops'. 
op' = \\<^sub>O \ op)" by blast } note nb\<^sub>2 = this { fix op v a assume "op \ set ((\)\<^sub>\\<^sub>+)" and "(v, a) \ set (effect_of op)" moreover have "op \ set ((\)\<^sub>\\<^sub>+)" using nb\<^sub>2 calculation(1) by blast moreover have "is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) Cons.prems(1) calculation(3) by blast ultimately have "v \ set ((\)\<^sub>\\<^sub>+)" using is_valid_operator_sas_plus_then(3) by fastforce } note nb\<^sub>3 = this { fix op assume "op \ set ?ops" then have "op \ set ((\)\<^sub>\\<^sub>+)" using nb\<^sub>2 by blast then have "is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) Cons.prems(1) by blast hence "\(v, a) \ set (effect_of op). v \ set ((\)\<^sub>\\<^sub>+) \ a \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then(3,4) by fast } note nb\<^sub>4 = this show ?case proof (cases "STRIPS_Semantics.are_all_operators_applicable ?I' ops' \ STRIPS_Semantics.are_all_operator_effects_consistent ops'") case True { { have "dom I \ set ((\)\<^sub>\\<^sub>+)" using Cons.prems(2) by blast hence "(\\<^sub>S\ \ ?I') = I" using strips_state_to_state_inverse_is[OF Cons.prems(1) _ Cons.prems(3)] by argo } then have "are_all_operators_applicable_in I ?ops \ are_all_operator_effects_consistent ?ops" using sas_plus_equivalent_to_strips_i_a_IV[OF assms(1) nb\<^sub>1, of I] True by simp moreover have "(\\<^sub>P\ \ (ops' # \)) = ?ops # (\\<^sub>P\ \ \)" unfolding SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def strips_parallel_plan_to_sas_plus_parallel_plan_def SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def by simp ultimately have "execute_parallel_plan_sas_plus I (\\<^sub>P\ \ (ops' # \)) = execute_parallel_plan_sas_plus ?J (\\<^sub>P\ \ \)" by force } note nb\<^sub>5 = this \ \ Show the goal using the IH. 
\ { have dom_J_subset_eq_vs: "dom ?J \ set ((\)\<^sub>\\<^sub>+)" using sas_plus_equivalent_to_strips_i_a_IX[OF Cons.prems(2)] nb\<^sub>2 nb\<^sub>4 by blast moreover { have "set ((\)\<^sub>\\<^sub>+) \ dom (range_of \)" using is_valid_problem_sas_plus_then(1)[OF assms(1)] by fastforce moreover have "\v \ dom I. the (I v) \ set (the (range_of \ v))" using Cons.prems(2, 3) assms(1) set_the_range_of_is_range_of_sas_plus_if by force moreover have "\op \ set ?ops. \(v, a) \ set (effect_of op). v \ set ((\)\<^sub>\\<^sub>+) \ a \ set (the (?D v))" using set_the_range_of_is_range_of_sas_plus_if assms(1) nb\<^sub>4 by fastforce moreover have v_in_dom_J_range: "\v \ dom ?J. the (?J v) \ set (the (?D v))" using sas_plus_equivalent_to_strips_i_a_X[of I "set ((\)\<^sub>\\<^sub>+)" ?D ?ops, OF Cons.prems(2)] calculation(1, 2, 3) by fastforce { fix v assume "v \ dom ?J" moreover have "v \ set ((\)\<^sub>\\<^sub>+)" using nb\<^sub>2 calculation dom_J_subset_eq_vs by blast moreover have "set (the (range_of \ v)) = \\<^sub>+ \ v" using set_the_range_of_is_range_of_sas_plus_if[OF assms(1)] calculation(2) by presburger ultimately have "the (?J v) \ \\<^sub>+ \ v" using nb\<^sub>3 v_in_dom_J_range by blast } ultimately have "\v \ dom ?J. the (?J v) \ \\<^sub>+ \ v" by fast } moreover have "\ops' \ set \. \op'\set ops'. op' \ set ((\ \)\<^sub>\)" using Cons.prems(6) by simp moreover { have "?G' \\<^sub>m execute_parallel_plan ?J' \" using Cons.prems(7) True by auto hence "(\\<^sub>S \ G) \\<^sub>m execute_parallel_plan (\\<^sub>S \ ?J) \" using sas_plus_equivalent_to_strips_i_a_XIII[OF Cons.prems(1)] nb\<^sub>1 by blast } ultimately have "G \\<^sub>m execute_parallel_plan_sas_plus I (\\<^sub>P\ \ (ops' # \))" using Cons.IH[of ?J, OF Cons.prems(1) _ _ Cons.prems(4, 5)] Cons.prems(6) nb\<^sub>5 by presburger } thus ?thesis. 
next case False then have "?G' \\<^sub>m ?I'" using Cons.prems(7) by force moreover { have "dom I \ set ?vs" using Cons.prems(2) by simp hence "\(are_all_operators_applicable_in I ?ops \ are_all_operator_effects_consistent ?ops)" using sas_plus_equivalent_to_strips_i_a_VIII[OF Cons.prems(1) _ Cons.prems(3) nb\<^sub>1] False by force } moreover { have "(\\<^sub>P\ \ (ops' # \)) = ?ops # (\\<^sub>P\ \ \)" unfolding SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def strips_parallel_plan_to_sas_plus_parallel_plan_def SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def by simp hence "G \\<^sub>m execute_parallel_plan_sas_plus I (?ops # (\\<^sub>P\ \ \)) \ G \\<^sub>m I" using calculation(2) by force } ultimately show ?thesis using state_to_strips_state_map_le_iff[OF Cons.prems(1, 4, 5)] unfolding SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def strips_parallel_plan_to_sas_plus_parallel_plan_def SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def by force qed qed qed \ \ NOTE Show that a solution for the induced STRIPS problem for the given valid SAS+ problem, corresponds to a solution for the given SAS+ problem. Note that in the context of the SAS+ problem solving pipeline, we \begin{enumerate} \item convert the given valid SAS+ @{text "\"} problem to the corresponding STRIPS problem @{text "\"} (this is implicitely also valid by lemma @{text "is_valid_problem_sas_plus_then_strips_transformation_too"}); then, - \item get a solution @{text "\"}—if it exists—for the induced STRIPS problem by executing + \item get a solution @{text "\"}---if it exists---for the induced STRIPS problem by executing SATPlan; and finally, \item convert @{text "\"} back to a solution @{text "\"} for the SAS+ problem. 
\end{enumerate} \ lemma sas_plus_equivalent_to_strips_i: assumes "is_valid_problem_sas_plus \" and "STRIPS_Semantics.is_parallel_solution_for_problem (\ \) \" shows "goal_of \ \\<^sub>m execute_parallel_plan_sas_plus (sas_plus_problem.initial_of \) (\\<^sub>P\ \ \)" proof - let ?vs = "variables_of \" and ?I = "initial_of \" and ?G = "goal_of \" let ?\ = "\ \" let ?G' = "strips_problem.goal_of ?\" and ?I' = "strips_problem.initial_of ?\" let ?\ = "\\<^sub>P\ \ \" have "dom ?I \ set ?vs" using is_valid_problem_sas_plus_then(3) assms(1) by auto moreover have "\v \ dom ?I. the (?I v) \ \\<^sub>+ \ v" using is_valid_problem_sas_plus_then(4) assms(1) calculation by auto moreover have "dom ?G \ set ?vs" and "\v \ dom ?G. the (?G v) \ \\<^sub>+ \ v" using is_valid_problem_sas_plus_then(5, 6) assms(1) by blast+ moreover have "\ops'\set \. \op'\set ops'. op' \ set ((?\)\<^sub>\)" using is_parallel_solution_for_problem_operator_set[OF assms(2)] by simp moreover { have "?G' \\<^sub>m execute_parallel_plan ?I' \" using assms(2) unfolding STRIPS_Semantics.is_parallel_solution_for_problem_def.. moreover have "?G' = \\<^sub>S \ ?G" and "?I' = \\<^sub>S \ ?I" by simp+ ultimately have "(\\<^sub>S \ ?G) \\<^sub>m execute_parallel_plan (\\<^sub>S \ ?I) \" by simp } ultimately show ?thesis using sas_plus_equivalent_to_strips_i_a[OF assms(1)] by simp qed \ \ NOTE Show that the operators for a given solution @{text "\"} to the induced STRIPS problem for a given SAS+ problem correspond to operators of the SAS+ problem. \ lemma sas_plus_equivalent_to_strips_ii: assumes "is_valid_problem_sas_plus \" and "STRIPS_Semantics.is_parallel_solution_for_problem (\ \) \" shows "list_all (list_all (\op. ListMem op (operators_of \))) (\\<^sub>P\ \ \)" proof - let ?\ = "\ \" let ?ops = "operators_of \" and ?\ = "\\<^sub>P\ \ \" have "is_valid_problem_strips ?\" using is_valid_problem_sas_plus_then_strips_transformation_too[OF assms(1)] by simp have nb\<^sub>1: "\op' \ set ((?\)\<^sub>\). 
(\op \ set ?ops. op' = (\\<^sub>O \ op))" by auto { fix ops' op' op assume "ops' \ set \" and "op' \ set ops'" then have "op' \ set (strips_problem.operators_of ?\)" using is_parallel_solution_for_problem_operator_set[OF assms(2)] by simp then obtain op where "op \ set ((\)\<^sub>\\<^sub>+)" and "op' = (\\<^sub>O \ op)" by auto then have "(\\<^sub>O\ \ op') \ set ((\)\<^sub>\\<^sub>+)" using sas_plus_operator_inverse_is[OF assms(1)] by presburger } thus ?thesis unfolding list_all_iff ListMem_iff strips_parallel_plan_to_sas_plus_parallel_plan_def SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def SAS_Plus_STRIPS.strips_op_to_sasp_def strips_op_to_sasp_def by auto qed text \ We now show that for a parallel solution \<^term>\\\ of \<^term>\\\ the SAS+ plan \<^term>\\ \ \\<^sub>P\ \ \\ yielded by the STRIPS to SAS+ plan transformation is a solution for \<^term>\\\. The proof uses the definition of parallel STRIPS solutions and shows that the execution of \<^term>\\\ on the initial state of the SAS+ problem yields a state satisfying the problem's goal state, i.e. @{text[display, indent=4]"G \\<^sub>m execute_parallel_plan_sas_plus I \"} and by showing that all operators in all parallel operators of \<^term>\\\ are operators of the problem. \ theorem sas_plus_equivalent_to_strips: assumes "is_valid_problem_sas_plus \" and "STRIPS_Semantics.is_parallel_solution_for_problem (\ \) \" shows "is_parallel_solution_for_problem \ (\\<^sub>P\ \ \)" proof - let ?I = "initial_of \" and ?G = "goal_of \" and ?ops = "operators_of \" and ?\ = "\\<^sub>P\ \ \" show ?thesis unfolding is_parallel_solution_for_problem_def Let_def proof (rule conjI) show "?G \\<^sub>m execute_parallel_plan_sas_plus ?I ?\" using sas_plus_equivalent_to_strips_i[OF assms]. next show "list_all (list_all (\op. ListMem op ?ops)) ?\" using sas_plus_equivalent_to_strips_ii[OF assms]. qed qed private lemma strips_equivalent_to_sas_plus_i_a_I: assumes "is_valid_problem_sas_plus \" and "\op \ set ops. 
op \ set ((\)\<^sub>\\<^sub>+)" and "op' \ set [\\<^sub>O \ op. op \ ops]" obtains op where "op \ set ops" and "op' = \\<^sub>O \ op" proof - let ?\ = "\ \" let ?ops = "operators_of \" obtain op where "op \ set ops" and "op' = \\<^sub>O \ op" using assms(3) by auto thus ?thesis using that by blast qed private corollary strips_equivalent_to_sas_plus_i_a_II: assumes"is_valid_problem_sas_plus \" and "\op \ set ops. op \ set ((\)\<^sub>\\<^sub>+)" and "op' \ set [\\<^sub>O \ op. op \ ops]" shows "op' \ set ((\ \)\<^sub>\)" and "is_valid_operator_strips (\ \) op'" proof - let ?\ = "\ \" let ?ops = "operators_of \" and ?ops' = "strips_problem.operators_of ?\" obtain op where op_in: "op \ set ops" and op'_is: "op' = \\<^sub>O \ op" using strips_equivalent_to_sas_plus_i_a_I[OF assms]. then have nb: "op' \ set ((\ \)\<^sub>\)" using assms(2) op_in op'_is by fastforce thus "op' \ set ((\ \)\<^sub>\)" and "is_valid_operator_strips ?\ op'" proof - have "\op' \ set ?ops'. is_valid_operator_strips ?\ op'" using is_valid_problem_sas_plus_then_strips_transformation_too_iii[OF assms(1)] unfolding list_all_iff. thus "is_valid_operator_strips ?\ op'" using nb by fastforce qed fastforce qed (* TODO make private *) lemma strips_equivalent_to_sas_plus_i_a_III: assumes "is_valid_problem_sas_plus \" and "\op \ set ops. op \ set ((\)\<^sub>\\<^sub>+)" shows "execute_parallel_operator (\\<^sub>S \ s) [\\<^sub>O \ op. op \ ops] = (\\<^sub>S \ (execute_parallel_operator_sas_plus s ops))" proof - { fix op s assume "op \ set ((\)\<^sub>\\<^sub>+)" moreover have "(\\<^sub>O \ op) \ set ((\ \)\<^sub>\)" using calculation by simp moreover have "(\\<^sub>S \ s) ++ map_of (effect_to_assignments (\\<^sub>O \ op)) = (\\<^sub>S \ (s ++ map_of (effect_of (\\<^sub>O\ \ (\\<^sub>O \ op)))))" using sas_plus_equivalent_to_strips_i_a_XI[OF assms(1) calculation(2)] by blast moreover have "(\\<^sub>O\ \ (\\<^sub>O \ op)) = op" using sas_plus_operator_inverse_is[OF assms(1) calculation(1)]. 
ultimately have "(\\<^sub>S \ s) \ (\\<^sub>O \ op) = (\\<^sub>S \ (s \\<^sub>+ op))" unfolding execute_operator_def execute_operator_sas_plus_def by simp } note nb\<^sub>1 = this show ?thesis using assms proof (induction ops arbitrary: s) case Nil then show ?case unfolding execute_parallel_operator_def execute_parallel_operator_sas_plus_def by simp next case (Cons op ops) let ?t = "s \\<^sub>+ op" let ?s' = "\\<^sub>S \ s" and ?ops' = "[\\<^sub>O \ op. op \ op # ops]" let ?t' = "?s' \ (\\<^sub>O \ op)" have "execute_parallel_operator ?s' ?ops' = execute_parallel_operator ?t' [\\<^sub>O \ x. x \ ops]" unfolding execute_operator_def by simp moreover have "(\\<^sub>S \ (execute_parallel_operator_sas_plus s (op # ops))) = (\\<^sub>S \ (execute_parallel_operator_sas_plus ?t ops))" unfolding execute_operator_sas_plus_def by simp moreover { have "?t' = (\\<^sub>S \ ?t)" using nb\<^sub>1 Cons.prems(2) by simp hence "execute_parallel_operator ?t'[\\<^sub>O \ x. x \ ops] = (\\<^sub>S \ (execute_parallel_operator_sas_plus ?t ops))" using Cons.IH[of ?t] Cons.prems by simp } ultimately show ?case by argo qed qed private lemma strips_equivalent_to_sas_plus_i_a_IV: assumes "is_valid_problem_sas_plus \" and "\op \ set ops. op \ set ((\)\<^sub>\\<^sub>+)" and "are_all_operators_applicable_in I ops \ are_all_operator_effects_consistent ops" shows "STRIPS_Semantics.are_all_operators_applicable (\\<^sub>S \ I) [\\<^sub>O \ op. op \ ops] \ STRIPS_Semantics.are_all_operator_effects_consistent [\\<^sub>O \ op. op \ ops]" proof - let ?vs = "variables_of \" and ?ops = "operators_of \" let ?I' = "\\<^sub>S \ I" and ?ops' = "[\\<^sub>O \ op. op \ ops]" have nb\<^sub>1: "\op \ set ops. is_operator_applicable_in I op" using assms(3) unfolding are_all_operators_applicable_in_def list_all_iff by blast have nb\<^sub>2: "\op \ set ops. 
is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) assms(1, 2) unfolding is_valid_operator_sas_plus_def by auto have nb\<^sub>3: "\op \ set ops. map_of (precondition_of op) \\<^sub>m I" using nb\<^sub>1 unfolding is_operator_applicable_in_def list_all_iff by blast { fix op\<^sub>1 op\<^sub>2 assume "op\<^sub>1 \ set ops" and "op\<^sub>2 \ set ops" hence "are_operator_effects_consistent op\<^sub>1 op\<^sub>2" using assms(3) unfolding are_all_operator_effects_consistent_def list_all_iff by blast } note nb\<^sub>4 = this { fix op\<^sub>1 op\<^sub>2 assume "op\<^sub>1 \ set ops" and "op\<^sub>2 \ set ops" hence "\(v, a) \ set (effect_of op\<^sub>1). \(v', a') \ set (effect_of op\<^sub>2). v \ v' \ a = a'" using nb\<^sub>4 unfolding are_operator_effects_consistent_def Let_def list_all_iff by presburger } note nb\<^sub>5 = this { fix op\<^sub>1' op\<^sub>2' I assume "op\<^sub>1' \ set ?ops'" and "op\<^sub>2' \ set ?ops'" and "\(v, a) \ set (add_effects_of op\<^sub>1'). \(v', a') \ set (delete_effects_of op\<^sub>2'). (v, a) = (v', a')" moreover obtain op\<^sub>1 op\<^sub>2 where "op\<^sub>1 \ set ops" and "op\<^sub>1' = \\<^sub>O \ op\<^sub>1" and "op\<^sub>2 \ set ops" and "op\<^sub>2' = \\<^sub>O \ op\<^sub>2" using strips_equivalent_to_sas_plus_i_a_I[OF assms(1, 2)] calculation(1, 2) by auto moreover have "is_valid_operator_sas_plus \ op\<^sub>1" and is_valid_operator_op\<^sub>2: "is_valid_operator_sas_plus \ op\<^sub>2" using calculation(4, 6) nb\<^sub>2 by blast+ moreover obtain v v' a a' where "(v, a) \ set (add_effects_of op\<^sub>1')" and "(v', a') \ set (delete_effects_of op\<^sub>2')" and "(v, a) = (v', a')" using calculation by blast moreover have "(v, a) \ set (effect_of op\<^sub>1)" using calculation(5, 10) unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def Let_def by fastforce moreover have "v = v'" and "a = a'" using calculation(12) by simp+ moreover { have "(v', a') \ (\(v, a) \ set (effect_of op\<^sub>2). 
{ (v, a') | a'. a' \ (\\<^sub>+ \ v) \ a' \ a })" using sasp_op_to_strips_set_delete_effects_is calculation(7, 9, 11) by blast then obtain v'' a'' where "(v'', a'') \ set (effect_of op\<^sub>2)" and "(v', a') \ { (v'', a''') | a'''. a''' \ (\\<^sub>+ \ v'') \ a''' \ a'' }" by blast moreover have "(v', a'') \ set (effect_of op\<^sub>2)" using calculation by blast moreover have "a' \ \\<^sub>+ \ v''" and "a' \ a''" using calculation(1, 2) by fast+ ultimately have "\a''. (v', a'') \ set (effect_of op\<^sub>2) \ a' \ (\\<^sub>+ \ v') \ a' \ a''" by blast } moreover obtain a'' where "a' \ \\<^sub>+ \ v'" and "(v', a'') \ set (effect_of op\<^sub>2)" and "a' \ a''" using calculation(16) by blast moreover have "\(v, a) \ set (effect_of op\<^sub>1). (\(v', a') \ set (effect_of op\<^sub>2). v = v' \ a \ a')" using calculation(13, 14, 15, 17, 18, 19) by blast \ \ TODO slow. \ ultimately have "\op\<^sub>1 \ set ops. \op\<^sub>2 \ set ops. \are_operator_effects_consistent op\<^sub>1 op\<^sub>2" unfolding are_operator_effects_consistent_def list_all_iff by fastforce } note nb\<^sub>6 = this show ?thesis proof (rule conjI) { fix op' assume "op' \ set ?ops'" moreover obtain op where op_in: "op \ set ops" and op'_is: "op' = \\<^sub>O \ op" and op'_in: "op' \ set ((\ \)\<^sub>\)" and is_valid_op': "is_valid_operator_strips (\ \) op'" using strips_equivalent_to_sas_plus_i_a_I[OF assms(1, 2)] strips_equivalent_to_sas_plus_i_a_II[OF assms(1, 2)] calculation by metis moreover have is_valid_op: "is_valid_operator_sas_plus \ op" using nb\<^sub>2 calculation(2).. 
{ fix v a assume v_a_in_preconditions': "(v, a) \ set (strips_operator.precondition_of op')" have v_a_in_preconditions: "(v, a) \ set (precondition_of op)" using op'_is unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def Let_def using v_a_in_preconditions' by force moreover have "v \ set ?vs" and "a \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then(1,2) is_valid_op calculation(1) by fastforce+ moreover { have "\(v, a) \ set (precondition_of op). \(v', a') \ set (precondition_of op). v \ v' \ a = a'" using is_valid_operator_sas_plus_then(5) is_valid_op by fast hence "map_of (precondition_of op) v = Some a" using map_of_constant_assignments_defined_if[OF _ v_a_in_preconditions] by blast } moreover have "v \ dom (map_of (precondition_of op))" using calculation(4) by blast moreover have "I v = Some a" using nb\<^sub>3 unfolding map_le_def using op_in calculation(4, 5) by metis moreover have "(v, a) \ dom ?I'" using state_to_strips_state_dom_element_iff[OF assms(1)] calculation(2, 3, 6) by simp ultimately have "?I' (v, a) = Some True" using state_to_strips_state_range_is[OF assms(1)] by simp } hence "STRIPS_Representation.is_operator_applicable_in ?I' op'" unfolding STRIPS_Representation.is_operator_applicable_in_def Let_def list_all_iff by fast } thus "are_all_operators_applicable ?I' ?ops'" unfolding are_all_operators_applicable_def list_all_iff by blast next { fix op\<^sub>1' op\<^sub>2' assume op\<^sub>1'_in_ops': "op\<^sub>1' \ set ?ops'" and op\<^sub>2'_in_ops': "op\<^sub>2' \ set ?ops'" have "STRIPS_Semantics.are_operator_effects_consistent op\<^sub>1' op\<^sub>2'" unfolding STRIPS_Semantics.are_operator_effects_consistent_def Let_def \ \ TODO proof is symmetrical... refactor into nb. \ proof (rule conjI) show "\list_ex (\x. list_ex ((=) x) (delete_effects_of op\<^sub>2')) (add_effects_of op\<^sub>1')" proof (rule ccontr) assume "\\list_ex (\v. 
list_ex ((=) v) (delete_effects_of op\<^sub>2')) (add_effects_of op\<^sub>1')" then have "\(v, a) \ set (delete_effects_of op\<^sub>2'). \(v', a') \ set (add_effects_of op\<^sub>1'). (v, a) = (v', a')" unfolding list_ex_iff by fastforce then obtain op\<^sub>1 op\<^sub>2 where "op\<^sub>1 \ set ops" and "op\<^sub>2 \ set ops" and "\are_operator_effects_consistent op\<^sub>1 op\<^sub>2" using nb\<^sub>6[OF op\<^sub>1'_in_ops' op\<^sub>2'_in_ops'] by blast thus False using nb\<^sub>4 by blast qed next show "\list_ex (\v. list_ex ((=) v) (add_effects_of op\<^sub>2')) (delete_effects_of op\<^sub>1')" proof (rule ccontr) assume "\\list_ex (\v. list_ex ((=) v) (add_effects_of op\<^sub>2')) (delete_effects_of op\<^sub>1')" then have "\(v, a) \ set (delete_effects_of op\<^sub>1'). \(v', a') \ set (add_effects_of op\<^sub>2'). (v, a) = (v', a')" unfolding list_ex_iff by fastforce then obtain op\<^sub>1 op\<^sub>2 where "op\<^sub>1 \ set ops" and "op\<^sub>2 \ set ops" and "\are_operator_effects_consistent op\<^sub>1 op\<^sub>2" using nb\<^sub>6[OF op\<^sub>2'_in_ops' op\<^sub>1'_in_ops'] by blast thus False using nb\<^sub>4 by blast qed qed } thus "STRIPS_Semantics.are_all_operator_effects_consistent ?ops'" unfolding STRIPS_Semantics.are_all_operator_effects_consistent_def list_all_iff by blast qed qed private lemma strips_equivalent_to_sas_plus_i_a_V: assumes "is_valid_problem_sas_plus \" and "\op \ set ops. op \ set ((\)\<^sub>\\<^sub>+)" and "\(are_all_operators_applicable_in s ops \ are_all_operator_effects_consistent ops)" shows "\(STRIPS_Semantics.are_all_operators_applicable (\\<^sub>S \ s) [\\<^sub>O \ op. op \ ops] \ STRIPS_Semantics.are_all_operator_effects_consistent [\\<^sub>O \ op. op \ ops])" proof - let ?vs = "variables_of \" and ?ops = "operators_of \" let ?s' = "\\<^sub>S \ s" and ?ops' = "[\\<^sub>O \ op. op \ ops]" { fix op assume "op \ set ops" hence "\op' \ set ?ops'. 
op' = \\<^sub>O \ op" by simp } note nb\<^sub>1 = this { fix op assume "op \ set ops" then have "op \ set ((\)\<^sub>\\<^sub>+)" using assms(2) by blast then have "is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) assms(1) unfolding is_valid_operator_sas_plus_def by auto hence "\(v, a) \ set (precondition_of op). \(v', a') \ set (precondition_of op). v \ v' \ a = a'" using is_valid_operator_sas_plus_then(5) unfolding is_valid_operator_sas_plus_def by fast } note nb\<^sub>2 = this { consider (A) "\are_all_operators_applicable_in s ops" | (B) "\are_all_operator_effects_consistent ops" using assms(3) by blast hence "\STRIPS_Semantics.are_all_operators_applicable ?s' ?ops' \ \STRIPS_Semantics.are_all_operator_effects_consistent ?ops'" proof (cases) case A then obtain op where op_in: "op \ set ops" and not_precondition_map_le_s: "\(map_of (precondition_of op) \\<^sub>m s)" using A unfolding are_all_operators_applicable_in_def list_all_iff is_operator_applicable_in_def by blast then obtain op' where op'_in: "op' \ set ?ops'" and op'_is: "op' = \\<^sub>O \ op" using nb\<^sub>1 by blast have "\are_all_operators_applicable ?s' ?ops'" proof (rule ccontr) assume "\\are_all_operators_applicable ?s' ?ops'" then have all_operators_applicable: "are_all_operators_applicable ?s' ?ops'" by simp moreover { fix v assume "v \ dom (map_of (precondition_of op))" moreover obtain a where "map_of (precondition_of op) v = Some a" using calculation by blast moreover have "(v, a) \ set (precondition_of op)" using map_of_SomeD[OF calculation(2)]. 
moreover have "(v, a) \ set (strips_operator.precondition_of op')" using op'_is unfolding sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def using calculation(3) by auto moreover have "?s' (v, a) = Some True" using all_operators_applicable calculation unfolding are_all_operators_applicable_def STRIPS_Representation.is_operator_applicable_in_def is_operator_applicable_in_def Let_def list_all_iff using op'_in by fast moreover have "(v, a) \ dom ?s'" using calculation(5) by blast moreover have "(v, a) \ set (precondition_of op)" using op'_is calculation(3) unfolding sasp_op_to_strips_def Let_def by fastforce moreover have "v \ set ?vs" and "a \ \\<^sub>+ \ v" and "s v \ None" using state_to_strips_state_dom_element_iff[OF assms(1)] calculation(6) by simp+ moreover have "?s' (v, a) = Some (the (s v) = a)" using state_to_strips_state_range_is[OF assms(1) calculation(6)]. moreover have "the (s v) = a" using calculation(5, 11) by fastforce moreover have "s v = Some a" using calculation(12) option.collapse[OF calculation(10)] by argo moreover have "map_of (precondition_of op) v = Some a" using map_of_constant_assignments_defined_if[OF nb\<^sub>2[OF op_in] calculation(7)]. 
ultimately have "map_of (precondition_of op) v = s v" by argo } then have "map_of (precondition_of op) \\<^sub>m s" unfolding map_le_def by blast thus False using not_precondition_map_le_s by simp qed thus ?thesis by simp next case B { obtain op\<^sub>1 op\<^sub>2 v v' a a' where "op\<^sub>1 \ set ops" and op\<^sub>2_in: "op\<^sub>2 \ set ops" and v_a_in: "(v, a) \ set (effect_of op\<^sub>1)" and v'_a'_in: "(v', a') \ set (effect_of op\<^sub>2)" and v_is: "v = v'" and a_is: "a \ a'" using B unfolding are_all_operator_effects_consistent_def are_operator_effects_consistent_def list_all_iff Let_def by blast moreover obtain op\<^sub>1' op\<^sub>2' where "op\<^sub>1' \ set ?ops'" and "op\<^sub>1' = \\<^sub>O \ op\<^sub>1" and "op\<^sub>1' \ set ?ops'" and op\<^sub>2'_is: "op\<^sub>2' = \\<^sub>O \ op\<^sub>2" using nb\<^sub>1[OF calculation(1)] nb\<^sub>1[OF calculation(2)] by blast moreover have "(v, a) \ set (add_effects_of op\<^sub>1')" using calculation(3, 8) unfolding SAS_Plus_STRIPS.sasp_op_to_strips_def sasp_op_to_strips_def Let_def by force moreover { have "is_valid_operator_sas_plus \ op\<^sub>1" using assms(2) calculation(1) is_valid_problem_sas_plus_then(2) assms(1) unfolding is_valid_operator_sas_plus_def by auto moreover have "is_valid_operator_sas_plus \ op\<^sub>2" using sublocale_sas_plus_finite_domain_representation_ii(2)[ OF assms(1)] assms(2) op\<^sub>2_in by blast moreover have "a \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then(4) calculation v_a_in unfolding is_valid_operator_sas_plus_def by fastforce ultimately have "(v, a) \ set (delete_effects_of op\<^sub>2')" using sasp_op_to_strips_set_delete_effects_is[of \ op\<^sub>2] v'_a'_in v_is a_is using op\<^sub>2'_is by blast } \ \ TODO slow. \ ultimately have "\op\<^sub>1' \ set ?ops'. \op\<^sub>2' \ set ?ops'. \(v, a) \ set (delete_effects_of op\<^sub>2'). \(v', a') \ set (add_effects_of op\<^sub>1'). 
(v, a) = (v', a')" by fastforce } then have "\STRIPS_Semantics.are_all_operator_effects_consistent ?ops'" unfolding STRIPS_Semantics.are_all_operator_effects_consistent_def STRIPS_Semantics.are_operator_effects_consistent_def list_all_iff list_ex_iff Let_def by blast thus ?thesis by simp qed } thus ?thesis by blast qed (* TODO make private *) lemma strips_equivalent_to_sas_plus_i_a: assumes "is_valid_problem_sas_plus \" and "dom I \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom I. the (I v) \ \\<^sub>+ \ v" and "dom G \ set ((\)\<^sub>\\<^sub>+)" and "\v \ dom G. the (G v) \ \\<^sub>+ \ v" and "\ops \ set \. \op \ set ops. op \ set ((\)\<^sub>\\<^sub>+)" and "G \\<^sub>m execute_parallel_plan_sas_plus I \" shows "(\\<^sub>S \ G) \\<^sub>m execute_parallel_plan (\\<^sub>S \ I) (\\<^sub>P \ \)" proof - let ?\ = "\ \" and ?G' = "\\<^sub>S \ G" show ?thesis using assms proof (induction \ arbitrary: I) case Nil let ?I' = "\\<^sub>S \ I" have "G \\<^sub>m I" using Nil by simp moreover have "?G' \\<^sub>m ?I'" using state_to_strips_state_map_le_iff[OF Nil.prems(1, 4, 5)] calculation.. ultimately show ?case unfolding SAS_Plus_STRIPS.sas_plus_parallel_plan_to_strips_parallel_plan_def sas_plus_parallel_plan_to_strips_parallel_plan_def by simp next case (Cons ops \) let ?vs = "variables_of \" and ?ops = "operators_of \" and ?J = "execute_parallel_operator_sas_plus I ops" and ?\ = "\\<^sub>P \ (ops # \)" let ?I' = "\\<^sub>S \ I" and ?J' = "\\<^sub>S \ ?J" and ?ops' = "[\\<^sub>O \ op. 
op \ ops]" { fix op v a assume "op \ set ops" and "(v, a) \ set (effect_of op)" moreover have "op \ set ?ops" using Cons.prems(6) calculation(1) by simp moreover have "is_valid_operator_sas_plus \ op" using is_valid_problem_sas_plus_then(2) Cons.prems(1) calculation(3) unfolding is_valid_operator_sas_plus_def by auto ultimately have "v \ set ((\)\<^sub>\\<^sub>+)" and "a \ \\<^sub>+ \ v" using is_valid_operator_sas_plus_then(3,4) by fastforce+ } note nb\<^sub>1 = this show ?case proof (cases "are_all_operators_applicable_in I ops \ are_all_operator_effects_consistent ops") case True { have "(\\<^sub>P \ (ops # \)) = ?ops' # (\\<^sub>P \ \)" unfolding sas_plus_parallel_plan_to_strips_parallel_plan_def SAS_Plus_STRIPS.sas_plus_parallel_plan_to_strips_parallel_plan_def sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def by simp moreover have "\op \ set ops. op \ set ((\)\<^sub>\\<^sub>+)" using Cons.prems(6) by simp moreover have "STRIPS_Semantics.are_all_operators_applicable ?I' ?ops'" and "STRIPS_Semantics.are_all_operator_effects_consistent ?ops'" using strips_equivalent_to_sas_plus_i_a_IV[OF Cons.prems(1) _ True] calculation by blast+ ultimately have "execute_parallel_plan ?I' ?\ = execute_parallel_plan (execute_parallel_operator ?I' ?ops') (\\<^sub>P \ \)" by fastforce } \ \ NOTE Instantiate the IH on the next state of the SAS+ execution \execute_parallel_operator_sas_plus I ops\. \ moreover { { have "dom I \ set (sas_plus_problem.variables_of \)" using Cons.prems(2) by blast moreover have "\op \ set ops. \(v, a) \ set (effect_of op). 
v \ set ((\)\<^sub>\\<^sub>+)" using nb\<^sub>1(1) by blast ultimately have "dom ?J \ set ((\)\<^sub>\\<^sub>+)" using sas_plus_equivalent_to_strips_i_a_IX[of I "set ?vs"] by simp } note nb\<^sub>2 = this moreover { have "dom I \ set (sas_plus_problem.variables_of \)" using Cons.prems(2) by blast moreover have "set (sas_plus_problem.variables_of \) \ dom (range_of \)" using is_valid_problem_sas_plus_dom_sas_plus_problem_range_of assms(1) by auto moreover { fix v assume "v \ dom I" moreover have "v \ set ((\)\<^sub>\\<^sub>+)" using Cons.prems(2) calculation by blast ultimately have "the (I v) \ set (the (range_of \ v))" using Cons.prems(3) using set_the_range_of_is_range_of_sas_plus_if[OF assms(1)] by blast } moreover have "\op\set ops. \(v, a)\set (effect_of op). v \ set (sas_plus_problem.variables_of \) \ a \ set (the (range_of \ v))" using set_the_range_of_is_range_of_sas_plus_if[OF assms(1)] nb\<^sub>1(1) nb\<^sub>1(2) by force moreover have nb\<^sub>3: "\v \ dom ?J. the (?J v) \ set (the (range_of \ v))" using sas_plus_equivalent_to_strips_i_a_X[of I "set ?vs" "range_of \" ops] calculation by fast moreover { fix v assume "v \ dom ?J" moreover have "v \ set ((\)\<^sub>\\<^sub>+)" using nb\<^sub>2 calculation by blast moreover have "set (the (range_of \ v)) = \\<^sub>+ \ v" using set_the_range_of_is_range_of_sas_plus_if[OF assms(1)] calculation(2) by presburger ultimately have "the (?J v) \ \\<^sub>+ \ v" using nb\<^sub>3 by blast } ultimately have "\v \ dom ?J. the (?J v) \ \\<^sub>+ \ v" by fast } moreover have "\ops\set \. \op\set ops. 
op \ set ?ops" using Cons.prems(6) by auto moreover have "G \\<^sub>m execute_parallel_plan_sas_plus ?J \" using Cons.prems(7) True by simp ultimately have "(\\<^sub>S \ G) \\<^sub>m execute_parallel_plan ?J' (\\<^sub>P \ \)" using Cons.IH[of ?J, OF Cons.prems(1) _ _ Cons.prems(4, 5)] by fastforce } moreover have "execute_parallel_operator ?I' ?ops' = ?J'" using assms(1) strips_equivalent_to_sas_plus_i_a_III[OF assms(1)] Cons.prems(6) by auto ultimately show ?thesis by argo next case False then have nb: "G \\<^sub>m I" using Cons.prems(7) by force moreover { have "?\ = ?ops' # (\\<^sub>P \ \)" unfolding sas_plus_parallel_plan_to_strips_parallel_plan_def SAS_Plus_STRIPS.sas_plus_parallel_plan_to_strips_parallel_plan_def sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def by auto moreover have "set ?ops' \ set (strips_problem.operators_of ?\)" using strips_equivalent_to_sas_plus_i_a_II(1)[OF assms(1)] Cons.prems(6) by auto moreover have "\(STRIPS_Semantics.are_all_operators_applicable ?I' ?ops' \ STRIPS_Semantics.are_all_operator_effects_consistent ?ops')" using strips_equivalent_to_sas_plus_i_a_V[OF assms(1) _ False] Cons.prems(6) by force ultimately have "execute_parallel_plan ?I' ?\ = ?I'" by auto } moreover have "?G' \\<^sub>m ?I'" using state_to_strips_state_map_le_iff[OF Cons.prems(1, 4, 5)] nb by blast ultimately show ?thesis by presburger qed qed qed (* TODO make private *) lemma strips_equivalent_to_sas_plus_i: assumes "is_valid_problem_sas_plus \" and "is_parallel_solution_for_problem \ \" shows "(strips_problem.goal_of (\ \)) \\<^sub>m execute_parallel_plan (strips_problem.initial_of (\ \)) (\\<^sub>P \ \)" proof - let ?vs = "variables_of \" and ?ops = "operators_of \" and ?I = "initial_of \" and ?G = "goal_of \" let ?\ = "\ \" let ?I' = "strips_problem.initial_of ?\" and ?G' = "strips_problem.goal_of ?\" have "dom ?I \ set ?vs" using is_valid_problem_sas_plus_then(3) assms(1) by auto moreover have "\v\dom ?I. 
the (?I v) \ \\<^sub>+ \ v" using is_valid_problem_sas_plus_then(4) assms(1) calculation by auto moreover have "dom ?G \ set ((\)\<^sub>\\<^sub>+)" using is_valid_problem_sas_plus_then(5) assms(1) by auto moreover have "\v \ dom ?G. the (?G v) \ \\<^sub>+ \ v" using is_valid_problem_sas_plus_then(6) assms(1) by auto moreover have "\ops \ set \. \op \ set ops. op \ set ?ops" using is_parallel_solution_for_problem_plan_operator_set[OF assms(2)] by fastforce moreover have "?G \\<^sub>m execute_parallel_plan_sas_plus ?I \" using assms(2) unfolding is_parallel_solution_for_problem_def by simp (* TODO slow *) ultimately show ?thesis using strips_equivalent_to_sas_plus_i_a[OF assms(1), of ?I ?G \] unfolding sas_plus_problem_to_strips_problem_def SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def state_to_strips_state_def SAS_Plus_STRIPS.state_to_strips_state_def by force qed (* TODO make private *) lemma strips_equivalent_to_sas_plus_ii: assumes "is_valid_problem_sas_plus \" and "is_parallel_solution_for_problem \ \" shows "list_all (list_all (\op. ListMem op (strips_problem.operators_of (\ \)))) (\\<^sub>P \ \)" proof - let ?ops = "operators_of \" let ?\ = "\ \" let ?ops' = "strips_problem.operators_of ?\" and ?\ = "\\<^sub>P \ \" have "is_valid_problem_strips ?\" using is_valid_problem_sas_plus_then_strips_transformation_too[OF assms(1)] by simp have nb\<^sub>1: "\op \ set ?ops. (\op' \ set ?ops'. 
op' = (\\<^sub>O \ op))" unfolding sas_plus_problem_to_strips_problem_def SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def Let_def sasp_op_to_strips_def by force { fix ops op op' assume "ops \ set \" and "op \ set ops" moreover have "op \ set ((\)\<^sub>\\<^sub>+)" using is_parallel_solution_for_problem_plan_operator_set[OF assms(2)] calculation by blast moreover obtain op' where "op' \ set ?ops'" and "op' = (\\<^sub>O \ op)" using nb\<^sub>1 calculation(3) by auto ultimately have "(\\<^sub>O \ op) \ set ?ops'" by blast } thus ?thesis unfolding list_all_iff ListMem_iff Let_def sas_plus_problem_to_strips_problem_def SAS_Plus_STRIPS.sas_plus_problem_to_strips_problem_def sas_plus_parallel_plan_to_strips_parallel_plan_def SAS_Plus_STRIPS.sas_plus_parallel_plan_to_strips_parallel_plan_def sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def by auto qed text \ The following lemma proves the complementary proposition to theorem \ref{isathm:equivalence-parallel-strips-parallel-sas-plus}. Namely, given a parallel solution \<^term>\\\ for a SAS+ problem, the transformation to a STRIPS plan \<^term>\\\<^sub>P \ \\ also is a solution to the corresponding STRIPS problem \<^term>\\ \ (\ \)\. In this direction, we have to show that the execution of the transformed plan reaches the goal state \<^term>\G' \ strips_problem.goal_of \\ of the corresponding STRIPS problem, i.e. @{text[display, indent=4] "G' \\<^sub>m execute_parallel_plan I' \"} and that all operators in the transformed plan \<^term>\\\ are operators of \<^term>\\\. 
\ theorem strips_equivalent_to_sas_plus: assumes "is_valid_problem_sas_plus \" and "is_parallel_solution_for_problem \ \" shows "STRIPS_Semantics.is_parallel_solution_for_problem (\ \) (\\<^sub>P \ \)" proof - let ?\ = "\ \" let ?I' = "strips_problem.initial_of ?\" and ?G' = "strips_problem.goal_of ?\" and ?ops' = "strips_problem.operators_of ?\" and ?\ = "\\<^sub>P \ \" show ?thesis unfolding STRIPS_Semantics.is_parallel_solution_for_problem_def proof (rule conjI) show "?G' \\<^sub>m execute_parallel_plan ?I' ?\" using strips_equivalent_to_sas_plus_i[OF assms] by simp next show "list_all (list_all (\op. ListMem op ?ops')) ?\" using strips_equivalent_to_sas_plus_ii[OF assms]. qed qed lemma embedded_serial_sas_plus_plan_operator_structure: assumes "ops \ set (embed \)" obtains op where "op \ set \" and "[\\<^sub>O \ op. op \ ops] = [\\<^sub>O \ op]" proof - let ?\' = "embed \" { have "?\' = [[op]. op \ \]" by (induction \; force) moreover obtain op where "ops = [op]" and "op \ set \" using assms calculation by fastforce ultimately have "\op \ set \. [\\<^sub>O \ op. op \ ops] = [\\<^sub>O \ op]" by auto } thus ?thesis using that by meson qed private lemma serial_sas_plus_equivalent_to_serial_strips_i: assumes "ops \ set (\\<^sub>P \ (embed \))" obtains op where "op \ set \" and "ops = [\\<^sub>O \ op]" proof - let ?\' = "embed \" { have "set (\\<^sub>P \ (embed \)) = { [\\<^sub>O \ op. op \ ops] | ops. ops \ set ?\' }" unfolding sas_plus_parallel_plan_to_strips_parallel_plan_def SAS_Plus_STRIPS.sas_plus_parallel_plan_to_strips_parallel_plan_def sasp_op_to_strips_def set_map using setcompr_eq_image by blast moreover obtain ops' where "ops' \ set ?\'" and "ops = [\\<^sub>O \ op. op \ ops']" using assms(1) calculation by blast moreover obtain op where "op \ set \" and "ops = [\\<^sub>O \ op]" using embedded_serial_sas_plus_plan_operator_structure calculation(2, 3) by blast ultimately have "\op \ set \. ops = [\\<^sub>O \ op]" by meson } thus ?thesis using that.. 
qed private lemma serial_sas_plus_equivalent_to_serial_strips_ii[simp]: "concat (\\<^sub>P \ (embed \)) = [\\<^sub>O \ op. op \ \]" proof - let ?\' = "List_Supplement.embed \" have "concat (\\<^sub>P \ ?\') = map (\op. \\<^sub>O \ op) (concat ?\')" unfolding sas_plus_parallel_plan_to_strips_parallel_plan_def SAS_Plus_STRIPS.sas_plus_parallel_plan_to_strips_parallel_plan_def sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def map_concat by blast also have "\ = map (\op. \\<^sub>O \ op) \" unfolding concat_is_inverse_of_embed[of \].. finally show "concat (\\<^sub>P \ (embed \)) = [\\<^sub>O \ op. op \ \]". qed text \ Having established the equivalence of parallel STRIPS and SAS+, we can now show the equivalence in the serial case. The proof combines the embedding theorem for serial SAS+ solutions (\ref{isathm:serial-sas-plus-embedding}), the parallel plan equivalence theorem \ref{isathm:equivalence-parallel-sas-plus-parallel-strips}, and the flattening theorem for parallel STRIPS plans (\ref{isathm:embedded-serial-plan-flattening-strips}). More precisely, given a serial SAS+ solution \<^term>\\\ for a SAS+ problem \<^term>\\\, the embedding theorem confirms that the embedded plan \<^term>\embed \\ is an equivalent parallel solution to \<^term>\\\. By parallel plan equivalence, \<^term>\\ \ \\<^sub>P \ (embed \)\ is a parallel solution for the corresponding STRIPS problem \<^term>\\ \\. Moreover, since \<^term>\embed \\ is a plan consisting of singleton parallel operators, the same is true for \<^term>\\\. Hence, the flattening lemma applies and \<^term>\concat \\ is a serial solution for \<^term>\\ \\. Since \<^term>\concat\ moreover can be shown to be the inverse of \<^term>\embed\, the term @{text[display, indent=4] "concat \ = concat (\\<^sub>P \ (embed \))"} can be reduced to the intuitive form @{text[display, indent=4] "\ = [\\<^sub>O \ op. op \ \]"} which concludes the proof. 
\ theorem serial_sas_plus_equivalent_to_serial_strips: assumes "is_valid_problem_sas_plus \" and "SAS_Plus_Semantics.is_serial_solution_for_problem \ \" shows "STRIPS_Semantics.is_serial_solution_for_problem (\ \) [\\<^sub>O \ op. op \ \]" proof - let ?\' = "embed \" and ?\ = "\ \" let ?\' = "\\<^sub>P \ ?\'" let ?\ = "concat ?\'" { have "SAS_Plus_Semantics.is_parallel_solution_for_problem \ ?\'" using execute_serial_plan_sas_plus_is_execute_parallel_plan_sas_plus[OF assms] by simp hence "STRIPS_Semantics.is_parallel_solution_for_problem ?\ ?\'" using strips_equivalent_to_sas_plus[OF assms(1)] by simp } moreover have "?\ = [\\<^sub>O \ op. op \ \]" by simp moreover have "is_valid_problem_strips ?\" using is_valid_problem_sas_plus_then_strips_transformation_too[OF assms(1)]. moreover have "\ops \ set ?\'. \op \ set \. ops = [\\<^sub>O \ op]" using serial_sas_plus_equivalent_to_serial_strips_i[of _ \ \] by metis ultimately show ?thesis using STRIPS_Semantics.flattening_lemma[of ?\] by metis qed lemma embedded_serial_strips_plan_operator_structure: assumes "ops' \ set (embed \)" obtains op where "op \ set \" and "[\\<^sub>O\ \ op. op \ ops'] = [\\<^sub>O\ \ op]" proof - let ?\' = "embed \" { have "?\' = [[op]. op \ \]" by (induction \; force) moreover obtain op where "ops' = [op]" and "op \ set \" using calculation assms by fastforce ultimately have "\op \ set \. [\\<^sub>O\ \ op. op \ ops'] = [\\<^sub>O\ \ op]" by auto } thus ?thesis using that by meson qed private lemma serial_strips_equivalent_to_serial_sas_plus_i: assumes "ops \ set (\\<^sub>P\ \ (embed \))" obtains op where "op \ set \" and "ops = [\\<^sub>O\ \ op]" proof - let ?\' = "embed \" { have "set (\\<^sub>P\ \ (embed \)) = { [\\<^sub>O\ \ op. op \ ops] | ops. 
ops \ set ?\' }" unfolding strips_parallel_plan_to_sas_plus_parallel_plan_def SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def strips_op_to_sasp_def set_map using setcompr_eq_image by blast moreover obtain ops' where "ops' \ set ?\'" and "ops = [\\<^sub>O\ \ op. op \ ops']" using assms(1) calculation by blast moreover obtain op where "op \ set \" and "ops = [\\<^sub>O\ \ op]" using embedded_serial_strips_plan_operator_structure calculation(2, 3) by blast ultimately have "\op \ set \. ops = [\\<^sub>O\ \ op]" by meson } thus ?thesis using that.. qed private lemma serial_strips_equivalent_to_serial_sas_plus_ii[simp]: "concat (\\<^sub>P\ \ (embed \)) = [\\<^sub>O\ \ op. op \ \]" proof - let ?\' = "List_Supplement.embed \" have "concat (\\<^sub>P\ \ ?\') = map (\op. \\<^sub>O\ \ op) (concat ?\')" unfolding strips_parallel_plan_to_sas_plus_parallel_plan_def SAS_Plus_STRIPS.strips_parallel_plan_to_sas_plus_parallel_plan_def strips_op_to_sasp_def SAS_Plus_STRIPS.strips_op_to_sasp_def Let_def map_concat by simp also have "\ = map (\op. \\<^sub>O\ \ op) \" unfolding concat_is_inverse_of_embed[of \].. finally show "concat (\\<^sub>P\ \ (embed \)) = [\\<^sub>O\ \ op. op \ \]". qed text \ Using the analogous lemmas for the opposite direction, we can show the counterpart to theorem \ref{isathm:equivalence-serial-sas-plus-serial-strips} which shows that serial solutions to STRIPS solutions can be transformed to serial SAS+ solutions via composition of embedding, transformation and flattening. \ theorem serial_strips_equivalent_to_serial_sas_plus: assumes "is_valid_problem_sas_plus \" and "STRIPS_Semantics.is_serial_solution_for_problem (\ \) \" shows "SAS_Plus_Semantics.is_serial_solution_for_problem \ [\\<^sub>O\ \ op. 
op \ \]" proof - let ?\' = "embed \" and ?\ = "\ \" let ?\' = "\\<^sub>P\ \ ?\'" let ?\ = "concat ?\'" { have "STRIPS_Semantics.is_parallel_solution_for_problem ?\ ?\'" using embedding_lemma[OF is_valid_problem_sas_plus_then_strips_transformation_too[OF assms(1)] assms(2)]. hence "SAS_Plus_Semantics.is_parallel_solution_for_problem \ ?\'" using sas_plus_equivalent_to_strips[OF assms(1)] by simp } moreover have "?\ = [\\<^sub>O\ \ op. op \ \]" by simp moreover have "is_valid_problem_strips ?\" using is_valid_problem_sas_plus_then_strips_transformation_too[OF assms(1)]. moreover have "\ops \ set ?\'. \op \ set \. ops = [\\<^sub>O\ \ op]" using serial_strips_equivalent_to_serial_sas_plus_i by metis ultimately show ?thesis using flattening_lemma[OF assms(1)] by metis qed subsection "Equivalence of SAS+ and STRIPS" \ \ Define the sets of plans with upper length bound as well as the sets of solutions with upper length bound for SAS problems and induced STRIPS problems. We keep this polymorphic by not specifying concrete types so it applies to both STRIPS and SAS+ plans. \ abbreviation bounded_plan_set where "bounded_plan_set ops k \ { \. set \ \ set ops \ length \ = k }" definition bounded_solution_set_sas_plus' :: "('variable, 'domain) sas_plus_problem \ nat \ ('variable, 'domain) sas_plus_plan set" where "bounded_solution_set_sas_plus' \ k \ { \. is_serial_solution_for_problem \ \ \ length \ = k}" abbreviation bounded_solution_set_sas_plus :: "('variable, 'domain) sas_plus_problem \ nat \ ('variable, 'domain) sas_plus_plan set" where "bounded_solution_set_sas_plus \ N \ (\k \ {0..N}. bounded_solution_set_sas_plus' \ k)" definition bounded_solution_set_strips' :: "('variable \ 'domain) strips_problem \ nat \ ('variable \ 'domain) strips_plan set" where "bounded_solution_set_strips' \ k \ { \. 
STRIPS_Semantics.is_serial_solution_for_problem \ \ \ length \ = k }" abbreviation bounded_solution_set_strips :: "('variable \ 'domain) strips_problem \ nat \ ('variable \ 'domain) strips_plan set" where "bounded_solution_set_strips \ N \ (\k \ {0..N}. bounded_solution_set_strips' \ k)" \ \ Show that plan transformation for all SAS Plus solutions yields a STRIPS solution for the induced STRIPS problem with same length. We first show injectiveness of plan transformation \\\. [\\<^sub>O \ op. op \ \]\ on the set of plans \P\<^sub>k \ bounded_plan_set (operators_of \) k\ with length bound \k\. The injectiveness of \Sol\<^sub>k \ bounded_solution_set_sas_plus \ k\---the set of solutions with length bound \k\--then follows from the subset relation \Sol\<^sub>k \ P\<^sub>k\. \ lemma sasp_op_to_strips_injective: assumes "(\\<^sub>O \ op\<^sub>1) = (\\<^sub>O \ op\<^sub>2)" shows "op\<^sub>1 = op\<^sub>2" proof - let ?op\<^sub>1' = "\\<^sub>O \ op\<^sub>1" and ?op\<^sub>2' = "\\<^sub>O \ op\<^sub>2" { have "strips_operator.precondition_of ?op\<^sub>1' = strips_operator.precondition_of ?op\<^sub>2'" using assms by argo hence "sas_plus_operator.precondition_of op\<^sub>1 = sas_plus_operator.precondition_of op\<^sub>2" unfolding sasp_op_to_strips_def SAS_Plus_STRIPS.sasp_op_to_strips_def Let_def by simp } moreover { have "strips_operator.add_effects_of ?op\<^sub>1' = strips_operator.add_effects_of ?op\<^sub>2'" using assms unfolding sasp_op_to_strips_def Let_def by argo hence "sas_plus_operator.effect_of op\<^sub>1 = sas_plus_operator.effect_of op\<^sub>2" unfolding sasp_op_to_strips_def Let_def SAS_Plus_STRIPS.sasp_op_to_strips_def by simp } ultimately show ?thesis by simp qed lemma sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_a: assumes "is_valid_problem_sas_plus \" shows "inj_on (\\. [\\<^sub>O \ op. 
op \ \]) (bounded_plan_set (sas_plus_problem.operators_of \) k)" proof - let ?ops = "sas_plus_problem.operators_of \" (* TODO refactor transformation definitions *) and ?\\<^sub>P = "\\. [\\<^sub>O \ op. op \ \]" let ?P = "bounded_plan_set ?ops" { fix \\<^sub>1 \\<^sub>2 assume \\<^sub>1_in: "\\<^sub>1 \ ?P k" and \\<^sub>2_in: "\\<^sub>2 \ ?P k" and \\<^sub>P_of_\\<^sub>1_is_\\<^sub>P_of_\\<^sub>2: "(?\\<^sub>P \\<^sub>1) = (?\\<^sub>P \\<^sub>2)" hence "\\<^sub>1 = \\<^sub>2" proof (induction k arbitrary: \\<^sub>1 \\<^sub>2) case 0 then have "length \\<^sub>1 = 0" and "length \\<^sub>2 = 0" using \\<^sub>1_in \\<^sub>2_in unfolding bounded_solution_set_sas_plus'_def by blast+ then show ?case by blast next case (Suc k) moreover have "length \\<^sub>1 = Suc k" and "length \\<^sub>2 = Suc k" using length_Suc_conv Suc(2, 3) unfolding bounded_solution_set_sas_plus'_def by blast+ moreover obtain op\<^sub>1 \\<^sub>1' where "\\<^sub>1 = op\<^sub>1 # \\<^sub>1'" and "set (op\<^sub>1 # \\<^sub>1') \ set ?ops" and "length \\<^sub>1' = k" using calculation(5) Suc(2) unfolding length_Suc_conv by blast moreover obtain op\<^sub>2 \\<^sub>2' where "\\<^sub>2 = op\<^sub>2 # \\<^sub>2'" and "set (op\<^sub>2 # \\<^sub>2') \ set ?ops" and "length \\<^sub>2' = k" using calculation(6) Suc(3) unfolding length_Suc_conv by blast moreover have "set \\<^sub>1' \ set ?ops" and "set \\<^sub>2' \ set ?ops" using calculation(8, 11) by auto+ moreover have "\\<^sub>1' \ ?P k" and "\\<^sub>2' \ ?P k" using calculation(9, 12, 13, 14) by fast+ moreover have "?\\<^sub>P \\<^sub>1' = ?\\<^sub>P \\<^sub>2'" using Suc.prems(3) calculation(7, 10) by fastforce moreover have "\\<^sub>1' = \\<^sub>2'" using Suc.IH[of \\<^sub>1' \\<^sub>2', OF calculation(15, 16, 17)] by simp moreover have "?\\<^sub>P \\<^sub>1 = (\\<^sub>O \ op\<^sub>1) # ?\\<^sub>P \\<^sub>1'" and "?\\<^sub>P \\<^sub>2 = (\\<^sub>O \ op\<^sub>2) # ?\\<^sub>P \\<^sub>2'" using Suc.prems(3) calculation(7, 10) by fastforce+ moreover have 
"(\\<^sub>O \ op\<^sub>1) = (\\<^sub>O \ op\<^sub>2)" using Suc.prems(3) calculation(17, 19, 20) by simp moreover have "op\<^sub>1 = op\<^sub>2" using sasp_op_to_strips_injective[OF calculation(21)]. ultimately show ?case by argo qed } thus ?thesis unfolding inj_on_def by blast qed private corollary sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_b: assumes "is_valid_problem_sas_plus \" shows "inj_on (\\. [\\<^sub>O \ op. op \ \]) (bounded_solution_set_sas_plus' \ k)" proof - let ?ops = "sas_plus_problem.operators_of \" and ?\\<^sub>P = "\\. [\\<^sub>O \ op. op \ \]" { fix \ assume "\ \ bounded_solution_set_sas_plus' \ k" then have "set \ \ set ?ops" and "length \ = k" unfolding bounded_solution_set_sas_plus'_def is_serial_solution_for_problem_def Let_def list_all_iff ListMem_iff by fast+ hence "\ \ bounded_plan_set ?ops k" by blast } hence "bounded_solution_set_sas_plus' \ k \ bounded_plan_set ?ops k" by blast moreover have "inj_on ?\\<^sub>P (bounded_plan_set ?ops k)" using sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_a[OF assms(1)]. ultimately show ?thesis using inj_on_subset[of ?\\<^sub>P "bounded_plan_set ?ops k" "bounded_solution_set_sas_plus' \ k"] by fast qed (* lemma "card ((\\. [\\<^sub>O \ op. op \ \]) ` (bounded_solution_set_sas_plus' \ k)) = card (bounded_solution_set_strips' (\ \) k)" sorry *) \ \ Show that mapping plan transformation \\\. [\\<^sub>O \ op. op \ \]\ over the solution set for a given SAS+ problem yields the solution set for the induced STRIPS problem. \ private lemma sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_c: assumes "is_valid_problem_sas_plus \" shows "(\\. [\\<^sub>O \ op. op \ \]) ` (bounded_solution_set_sas_plus' \ k) = bounded_solution_set_strips' (\ \) k" proof - let ?\ = "\ \" and ?\\<^sub>P = "\\. [\\<^sub>O \ op. 
op \ \]" let ?Sol\<^sub>k = "bounded_solution_set_sas_plus' \ k" and ?Sol\<^sub>k' = "bounded_solution_set_strips' ?\ k" { assume "?\\<^sub>P ` ?Sol\<^sub>k \ ?Sol\<^sub>k'" then consider (A) "\\ \ ?\\<^sub>P ` ?Sol\<^sub>k. \ \ ?Sol\<^sub>k'" | (B) "\\ \ ?Sol\<^sub>k'. \ \ ?\\<^sub>P ` ?Sol\<^sub>k" by blast hence False proof (cases) case A moreover obtain \ where "\ \ ?\\<^sub>P ` ?Sol\<^sub>k" and "\ \ ?Sol\<^sub>k'" using calculation by blast moreover obtain \ where "length \ = k" and "SAS_Plus_Semantics.is_serial_solution_for_problem \ \" and "\ = ?\\<^sub>P \" using calculation(2) unfolding bounded_solution_set_sas_plus'_def by blast moreover have "length \ = k" and "STRIPS_Semantics.is_serial_solution_for_problem ?\ \" subgoal using calculation(4, 6) by auto subgoal using serial_sas_plus_equivalent_to_serial_strips assms(1) calculation(5) calculation(6) by blast done moreover have "\ \ ?Sol\<^sub>k'" unfolding bounded_solution_set_strips'_def using calculation(7, 8) by simp ultimately show ?thesis by fast next case B moreover obtain \ where "\ \ ?Sol\<^sub>k'" and "\ \ ?\\<^sub>P ` ?Sol\<^sub>k" using calculation by blast moreover have "STRIPS_Semantics.is_serial_solution_for_problem ?\ \" and "length \ = k" using calculation(2) unfolding bounded_solution_set_strips'_def by simp+ \ \ Construct the counter example \\ \ [\\<^sub>O\ ?\ op. op \ \]\ and show that \\ \ ?Sol\<^sub>k\ as well as \?\\<^sub>P \ = \\ hence \\ \ ?\\<^sub>P ` ?Sol\<^sub>k\. \ moreover have "length [\\<^sub>O\ \ op. op \ \] = k" and "SAS_Plus_Semantics.is_serial_solution_for_problem \ [\\<^sub>O\ \ op. op \ \]" subgoal using calculation(5) by simp subgoal using serial_strips_equivalent_to_serial_sas_plus[OF assms(1)] calculation(4) by simp done moreover have "[\\<^sub>O\ \ op. op \ \] \ ?Sol\<^sub>k" unfolding bounded_solution_set_sas_plus'_def using calculation(6, 7) by blast (* TODO refactor transformation lemmas *) moreover { have "\op \ set \. 
op \ set ((?\)\<^sub>\)" using calculation(4) unfolding STRIPS_Semantics.is_serial_solution_for_problem_def list_all_iff ListMem_iff by simp hence "?\\<^sub>P [\\<^sub>O\ \ op. op \ \] = \" proof (induction \) case (Cons op \) moreover have "?\\<^sub>P [\\<^sub>O\ \ op. op \ op # \] = (\\<^sub>O \ (\\<^sub>O\ \ op)) # ?\\<^sub>P [\\<^sub>O\ \ op. op \ \]" by simp moreover have "op \ set ((?\)\<^sub>\)" using Cons.prems by simp moreover have "(\\<^sub>O \ (\\<^sub>O\ \ op)) = op" using strips_operator_inverse_is[OF assms(1) calculation(4)]. moreover have "?\\<^sub>P [\\<^sub>O\ \ op. op \ \] = \" using Cons.IH Cons.prems by auto ultimately show ?case by argo qed simp } moreover have "\ \ ?\\<^sub>P ` ?Sol\<^sub>k" using calculation(8, 9) by force ultimately show ?thesis by blast qed } thus ?thesis by blast qed private lemma sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_d: assumes "is_valid_problem_sas_plus \" shows "card (bounded_solution_set_sas_plus' \ k) \ card (bounded_solution_set_strips' (\ \) k)" proof - let ?\ = "\ \" and ?\\<^sub>P = "\\. [\\<^sub>O \ op. op \ \]" let ?Sol\<^sub>k = "bounded_solution_set_sas_plus' \ k" and ?Sol\<^sub>k' = "bounded_solution_set_strips' ?\ k" have "card (?\\<^sub>P ` ?Sol\<^sub>k) = card (?Sol\<^sub>k)" using sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_b[OF assms(1)] card_image by blast moreover have "?\\<^sub>P ` ?Sol\<^sub>k = ?Sol\<^sub>k'" using sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_c[OF assms(1)]. ultimately show ?thesis by simp qed \ \ The set of fixed length plans with operators in a given operator set is finite. \ lemma bounded_plan_set_finite: shows "finite { \. set \ \ set ops \ length \ = k }" proof (induction k) case (Suc k) let ?P = "{ \. set \ \ set ops \ length \ = k }" and ?P' = "{ \. set \ \ set ops \ length \ = Suc k }" let ?P'' = "(\op \ set ops. (\\ \ ?P. { op # \ }))" { have "\op \. 
finite { op # \ }" by simp then have "\op. finite (\\ \ ?P. { op # \ })" using finite_UN[of ?P] Suc by blast hence "finite ?P''" using finite_UN[of "set ops"] by blast } moreover { { fix \ assume "\ \ ?P'" moreover have "set \ \ set ops" and "length \ = Suc k" using calculation by simp+ moreover obtain op \' where "\ = op # \'" using calculation (3) unfolding length_Suc_conv by fast moreover have "set \' \ set ops" and "op \ set ops" using calculation(2, 4) by simp+ moreover have "length \' = k" using calculation(3, 4) by auto moreover have "\' \ ?P" using calculation(5, 7) by blast ultimately have "\ \ ?P''" by blast } hence "?P' \ ?P''" by blast } ultimately show ?case using rev_finite_subset[of ?P'' ?P'] by blast qed force \ \ The set of fixed length SAS+ solutions are subsets of the set of plans with fixed length and therefore also finite. \ private lemma sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_ii_a: assumes "is_valid_problem_sas_plus \" shows "finite (bounded_solution_set_sas_plus' \ k)" proof - let ?Ops = "set ((\)\<^sub>\\<^sub>+)" let ?Sol\<^sub>k = "bounded_solution_set_sas_plus' \ k" and ?P\<^sub>k = "{ \. set \ \ ?Ops \ length \ = k }" { fix \ assume "\ \ ?Sol\<^sub>k" then have "length \ = k" and "set \ \ ?Ops" unfolding bounded_solution_set_sas_plus'_def SAS_Plus_Semantics.is_serial_solution_for_problem_def Let_def list_all_iff ListMem_iff by fastforce+ hence "\ \ ?P\<^sub>k" by blast } then have "?Sol\<^sub>k \ ?P\<^sub>k" by force thus ?thesis using bounded_plan_set_finite rev_finite_subset[of ?P\<^sub>k ?Sol\<^sub>k] by auto qed \ \ The set of fixed length STRIPS solutions are subsets of the set of plans with fixed length and therefore also finite. 
\ private lemma sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_ii_b: assumes "is_valid_problem_sas_plus \" shows "finite (bounded_solution_set_strips' (\ \) k)" proof - let ?\ = "\ \" let ?Ops = "set ((?\)\<^sub>\)" let ?Sol\<^sub>k = "bounded_solution_set_strips' ?\ k" and ?P\<^sub>k = "{ \. set \ \ ?Ops \ length \ = k }" { fix \ assume "\ \ ?Sol\<^sub>k" then have "length \ = k" and "set \ \ ?Ops" unfolding bounded_solution_set_strips'_def STRIPS_Semantics.is_serial_solution_for_problem_def Let_def list_all_iff ListMem_iff by fastforce+ hence "\ \ ?P\<^sub>k" by blast } then have "?Sol\<^sub>k \ ?P\<^sub>k" by force thus ?thesis using bounded_plan_set_finite rev_finite_subset[of ?P\<^sub>k ?Sol\<^sub>k] unfolding state_to_strips_state_def SAS_Plus_STRIPS.state_to_strips_state_def operators_of_def by blast qed text \ With the results on the equivalence of SAS+ and STRIPS solutions, we can now show that given problems in both formalisms, the solution sets have the same size. This is the property required by the definition of planning formalism equivalence presented earlier in theorem \ref{thm:solution-sets-sas-plus-strips-f} (\autoref{sub:equivalence-sas-plus-strips}) and thus end up with the desired equivalence result. The proof uses the finiteness and disjunctiveness of the solution sets for either problem to be able to equivalently transform the set cardinality over the union of sets of solutions with bounded lengths into a sum over the cardinality of the sets of solutions with bounded length. Moreover, since we know that for each SAS+ solution with a given length an equivalent STRIPS solution exists in the solution set of the transformed problem with the same length, both sets must have the same cardinality. Hence the cardinality of the SAS+ solution set over all lengths up to a given upper bound \<^term>\N\ has the same size as the solution set of the corresponding STRIPS problem over all length up to a given upper bound \<^term>\N\. 
\ theorem assumes "is_valid_problem_sas_plus \" shows "card (bounded_solution_set_sas_plus \ N) = card (bounded_solution_set_strips (\ \) N)" proof - let ?\ = "\ \" and ?R = "{0..N}" \ \ Due to the disjoint nature of the bounded solution sets for fixed plan length for different lengths, we can sum the individual set cardinality to obtain the cardinality of the overall SAS+ resp. STRIPS solution sets. \ have finite_R: "finite ?R" by simp moreover { have "\k \ ?R. finite (bounded_solution_set_sas_plus' \ k)" using sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_ii_a[OF assms(1)].. moreover have "\j \ ?R. \k \ ?R. j \ k \ bounded_solution_set_sas_plus' \ j \ bounded_solution_set_sas_plus' \ k = {}" unfolding bounded_solution_set_sas_plus'_def by blast (* TODO slow. *) ultimately have "card (bounded_solution_set_sas_plus \ N) = (\k \ ?R. card (bounded_solution_set_sas_plus' \ k))" using card_UN_disjoint by blast } moreover { have "\k \ ?R. finite (bounded_solution_set_strips' ?\ k)" using sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_ii_b[OF assms(1)].. moreover have "\j \ ?R. \k \ ?R. j \ k \ bounded_solution_set_strips' ?\ j \ bounded_solution_set_strips' ?\ k = {}" unfolding bounded_solution_set_strips'_def by blast (* TODO slow. *) ultimately have "card (bounded_solution_set_strips ?\ N) = (\k \ ?R. card (bounded_solution_set_strips' ?\ k))" using card_UN_disjoint by blast } moreover { fix k have "card (bounded_solution_set_sas_plus' \ k) = card ((\\. [\\<^sub>O \ op. op \ \]) ` bounded_solution_set_sas_plus' \ k)" using sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_b[OF assms] card_image[symmetric] by blast hence "card (bounded_solution_set_sas_plus' \ k) = card (bounded_solution_set_strips' ?\ k)" using sas_plus_formalism_and_induced_strips_formalism_are_equally_expressive_i_c[OF assms] by presburger } ultimately show ?thesis by presburger qed end end \ No newline at end of file 
diff --git a/thys/Verified_SAT_Based_AI_Planning/SAT_Plan_Base.thy b/thys/Verified_SAT_Based_AI_Planning/SAT_Plan_Base.thy
--- a/thys/Verified_SAT_Based_AI_Planning/SAT_Plan_Base.thy
+++ b/thys/Verified_SAT_Based_AI_Planning/SAT_Plan_Base.thy
@@ -1,5449 +1,5449 @@ (* Author: Mohammad Abdulaziz, Fred Kurz *) theory SAT_Plan_Base imports "List-Index.List_Index" "Propositional_Proof_Systems.Formulas" "STRIPS_Semantics" "Map_Supplement" "List_Supplement" "CNF_Semantics_Supplement" "CNF_Supplement" begin \ \ Hide constant and notation for \isaname{Orderings.bot_class.bot} (\\\) to prevent warnings. \ hide_const (open) Orderings.bot_class.bot no_notation Orderings.bot_class.bot ("\") \ \ Hide constant and notation for \isaname{Transitive_Closure.trancl} (\(_\<^sup>+)\) to prevent warnings. \ hide_const (open) Transitive_Closure.trancl no_notation Transitive_Closure.trancl ("(_\<^sup>+)" [1000] 999) \ \ Hide constant and notation for \isaname{Relation.converse} (\(_\<^sup>+)\) to prevent warnings. \ hide_const (open) Relation.converse no_notation Relation.converse ("(_\)" [1000] 999) section "The Basic SATPlan Encoding" text \ We now move on to the formalization of the basic SATPlan encoding (see \autoref{def:basic-sat-plan-encoding-strips-problem}). The two major results that we will obtain here are the soundness and completeness result outlined in \autoref{thm:soundness-and-completeness-satplan-base} in \autoref{sub:soundness-completeness-satplan}. Let in the following \\ \ encode_to_sat \ t\ denote the SATPlan encoding for a STRIPS problem \\\ and makespan \t\. Let \<^term>\k < t\ and \I \ (\)\<^sub>I\ be the initial state of \\\, \G \ (\)\<^sub>G\ be its goal state, \\ \ (\)\<^sub>\\ its variable set, and \\ \ (\)\<^sub>\\ its operator set. \ subsection "Encoding Function Definitions" text \ Since the SATPlan encoding uses propositional variables for both operators and state variables of the problem as well as time points, we define a datatype using separate constructors ---\<^term>\State k n\ for state variables resp. \<^term>\Operator k n\ for operator activation---to facilitate case distinction. The natural number values store the time index resp. 
the indexes of the variable or operator within their lists in the problem representation. % TODO Note on why formulas are used instead of CNF (simple representation and good basis; e.g. % export to cnf lists using CNF_Formulas.cnf_lists) \ datatype sat_plan_variable = State nat nat | Operator nat nat text \ A SATPlan formula is a regular propositional formula over SATPlan variables. We add a type synonym to improve readability. \ type_synonym sat_plan_formula = "sat_plan_variable formula" text \ We now continue with the concrete definitions used in the implementation of the SATPlan encoding. State variables are encoded as literals over SATPlan variables using the \State\ constructor of \isaname{sat_plan_variable}. \ definition encode_state_variable :: "nat \ nat \ bool option \ sat_plan_variable formula" where "encode_state_variable t k v \ case v of Some True \ Atom (State t k) | Some False \ \<^bold>\ (Atom (State t k))" text \ The initial state encoding (definition \ref{isadef:initial-state-encoding}) is a conjunction of state variable encodings \<^term>\A \ encode_state_variable 0 n b\ with \n \ index vs v\ and \<^term>\b \ I v = Some True\ for all \<^term>\v \ \\. As we can see below, the same function but substituting the initial state with the goal state and zero with the makespan \<^term>\t\ produces the goal state encoding (\ref{isadef:goal-state-encoding}). Note that both functions construct a conjunction of clauses \A \<^bold>\ \\ for which it is easy to show that we can normalize to conjunctive normal form (CNF). \ definition encode_initial_state :: "'variable strips_problem \ sat_plan_variable formula" ("\\<^sub>I _" 99) where "encode_initial_state \ \ let I = initial_of \ ; vs = variables_of \ in \<^bold>\(map (\v. encode_state_variable 0 (index vs v) (I v) \<^bold>\ \) (filter (\v. 
I v \ None) vs))" definition encode_goal_state :: "'variable strips_problem \ nat \ sat_plan_variable formula" ("\\<^sub>G _" 99) where "encode_goal_state \ t \ let vs = variables_of \ ; G = goal_of \ in \<^bold>\(map (\v. encode_state_variable t (index vs v) (G v) \<^bold>\ \) (filter (\v. G v \ None) vs))" text \ Operator preconditions are encoded using activation-implies-precondition formulation as mentioned in \autoref{subsub:basic-sat-plan-encoding}: i.e. for each operator \<^term>\op \ \\ and \<^term>\p \ set (precondition_of op)\ we have to encode @{text[display, indent=4] "Atom (Operator k (index ops op)) \<^bold>\ Atom (State k (index vs v))"} We use the equivalent disjunction in the formalization to simplify conversion to CNF. \ definition encode_operator_precondition :: "'variable strips_problem \ nat \ 'variable strips_operator \ sat_plan_variable formula" where "encode_operator_precondition \ t op \ let vs = variables_of \ ; ops = operators_of \ in \<^bold>\(map (\v. \<^bold>\ (Atom (Operator t (index ops op))) \<^bold>\ Atom (State t (index vs v))) (precondition_of op))" definition encode_all_operator_preconditions :: "'variable strips_problem \ 'variable strips_operator list \ nat \ sat_plan_variable formula" where "encode_all_operator_preconditions \ ops t \ let l = List.product [0..\) (map (\(t, op). encode_operator_precondition \ t op) l) (\<^bold>\\)" text \ Analogously to the operator precondition, add and delete effects of operators have to be implied by operator activation. That being said, we have to encode both positive and negative effects and the effect must be active at the following time point: i.e. @{text[display, indent=4] "Atom (Operator k m) \<^bold>\ Atom (State (Suc k) n)"} for add effects respectively @{text[display, indent=4] "Atom (Operator k m) \<^bold>\ \<^bold>\Atom (State (Suc k) n)"} for delete effects. We again encode the implications as their equivalent disjunctions in definition \ref{isadef:operator-effect-encoding}. 
\ definition encode_operator_effect :: "'variable strips_problem \ nat \ 'variable strips_operator \ sat_plan_variable formula" where "encode_operator_effect \ t op \ let vs = variables_of \ ; ops = operators_of \ in \<^bold>\(map (\v. \<^bold>\(Atom (Operator t (index ops op))) \<^bold>\ Atom (State (Suc t) (index vs v))) (add_effects_of op) @ map (\v. \<^bold>\(Atom (Operator t (index ops op))) \<^bold>\ \<^bold>\ (Atom (State (Suc t) (index vs v)))) (delete_effects_of op))" definition encode_all_operator_effects :: "'variable strips_problem \ 'variable strips_operator list \ nat \ sat_plan_variable formula" where "encode_all_operator_effects \ ops t \ let l = List.product [0..\) (map (\(t, op). encode_operator_effect \ t op) l) (\<^bold>\\)" definition encode_operators :: "'variable strips_problem \ nat \ sat_plan_variable formula" where "encode_operators \ t \ let ops = operators_of \ in encode_all_operator_preconditions \ ops t \<^bold>\ encode_all_operator_effects \ ops t" text \ Definitions \ref{isadef:negative-transition-frame-axiom-encoding} and \ref{isadef:positive-transition-frame-axiom-encoding} similarly encode the negative resp. positive transition frame axioms as disjunctions. \ definition encode_negative_transition_frame_axiom :: "'variable strips_problem \ nat \ 'variable \ sat_plan_variable formula" where "encode_negative_transition_frame_axiom \ t v \ let vs = variables_of \ ; ops = operators_of \ ; deleting_operators = filter (\op. ListMem v (delete_effects_of op)) ops in \<^bold>\(Atom (State t (index vs v))) \<^bold>\ (Atom (State (Suc t) (index vs v)) \<^bold>\ \<^bold>\ (map (\op. Atom (Operator t (index ops op))) deleting_operators))" definition encode_positive_transition_frame_axiom :: "'variable strips_problem \ nat \ 'variable \ sat_plan_variable formula" where "encode_positive_transition_frame_axiom \ t v \ let vs = variables_of \ ; ops = operators_of \ ; adding_operators = filter (\op. 
ListMem v (add_effects_of op)) ops in (Atom (State t (index vs v)) \<^bold>\ (\<^bold>\(Atom (State (Suc t) (index vs v))) \<^bold>\ \<^bold>\(map (\op. Atom (Operator t (index ops op))) adding_operators)))" definition encode_all_frame_axioms :: "'variable strips_problem \ nat \ sat_plan_variable formula" where "encode_all_frame_axioms \ t \ let l = List.product [0..) in \<^bold>\(map (\(k, v). encode_negative_transition_frame_axiom \ k v) l @ map (\(k, v). encode_positive_transition_frame_axiom \ k v) l)" text \ Finally, the basic SATPlan encoding is the conjunction of the initial state, goal state, operator and frame axiom encoding for all time steps. The functions \isaname{encode_operators} and \isaname{encode_all_frame_axioms}\footnote{Not shown.} take care of mapping the operator precondition, effect and frame axiom encoding over all possible combinations of time point and operators resp. time points, variables, and operators. \ definition encode_problem ("\ _ _" 99) where "encode_problem \ t \ encode_initial_state \ \<^bold>\ (encode_operators \ t \<^bold>\ (encode_all_frame_axioms \ t \<^bold>\ (encode_goal_state \ t)))" subsection "Decoding Function Definitions" text \ Decoding plans from a valuation \<^term>\\\ of a SATPlan encoding entails extracting all activated operators for all time points except the last one. We implement this by mapping over all \<^term>\k < t\ and extracting activated operators---i.e. operators for which the model valuates the respective operator encoding at time \<^term>\k\ to true---into a parallel operator (see definition \ref{isadef:satplan-plan-decoding}). \footnote{This is handled by function \texttt{decode\_plan'} (not shown).} \ \ \ Note that due to the implementation based on lists, we have to address the problem of duplicate operator declarations in the operator list of the problem. 
Since \<^term>\index op = index op'\ for equal operators, the parallel operator obtained from \isaname{decode_plan'} will contain duplicates in case the problem's operator list does. We therefore remove duplicates first using \<^term>\remdups ops\ and then filter out activated operators. \ definition decode_plan' :: "'variable strips_problem \ sat_plan_variable valuation \ nat \ 'variable strips_operator list" where "decode_plan' \ \ i \ let ops = operators_of \ ; vs = map (\op. Operator i (index ops op)) (remdups ops) in map (\v. case v of Operator _ k \ ops ! k) (filter \ vs)" \ \ We decode maps over range \0, \, t - 1\ because the last operator takes effect in \<^term>\t\ and must therefore have been applied in step \<^term>\t - 1\. \ definition decode_plan :: "'variable strips_problem \ sat_plan_variable valuation \ nat \ 'variable strips_parallel_plan" ("\\ _ _ _" 99) where "decode_plan \ \ t \ map (decode_plan' \ \) [0.. Similarly to the operator decoding, we can decode a state at time \<^term>\k\ from a valuation of of the SATPlan encoding \<^term>\\\ by constructing a map from list of assignments \<^term>\(v, \ (State k (index vs v)))\ for all \<^term>\v \ \\. \ definition decode_state_at :: "'variable strips_problem \ sat_plan_variable valuation \ nat \ 'variable strips_state" ("\\<^sub>S\ _ _ _" 99) where "decode_state_at \ \ k \ let vs = variables_of \ ; state_encoding_to_assignment = \v. (v, \ (State k (index vs v))) in map_of (map state_encoding_to_assignment vs)" text \ We continue by setting up the \isaname{sat_plan} context for the proofs of soundness and completeness. \ definition encode_transitions ::"'variable strips_problem \ nat \ sat_plan_variable formula" ("\\<^sub>T _ _" 99) where "encode_transitions \ t \ SAT_Plan_Base.encode_operators \ t \<^bold>\ SAT_Plan_Base.encode_all_frame_axioms \ t" \ \ Immediately proof the sublocale proposition for strips in order to gain access to definitions and lemmas. \ \ \ Setup simp rules. 
\ lemma [simp]: "encode_transitions \ t = SAT_Plan_Base.encode_operators \ t \<^bold>\ SAT_Plan_Base.encode_all_frame_axioms \ t" unfolding encode_problem_def encode_initial_state_def encode_transitions_def encode_goal_state_def decode_plan_def decode_state_at_def by simp+ context begin lemma encode_state_variable_is_lit_plus_if: assumes "is_valid_problem_strips \" and "v \ dom s" shows "is_lit_plus (encode_state_variable k (index (strips_problem.variables_of \) v) (s v))" proof - have "s v \ None" using is_valid_problem_strips_initial_of_dom assms(2) by blast then consider (s_of_v_is_some_true) "s v = Some True" | (s_of_v_is_some_false) "s v = Some False" by fastforce thus ?thesis unfolding encode_state_variable_def by (cases, simp+) qed lemma is_cnf_encode_initial_state: assumes "is_valid_problem_strips \" shows "is_cnf (\\<^sub>I \)" proof - let ?I = "(\)\<^sub>I" and ?vs = "strips_problem.variables_of \" let ?l = "map (\v. encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \) (filter (\v. ?I v \ None) ?vs)" { fix C assume c_in_set_l:"C \ set ?l" have "set ?l = (\v. encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \) ` set (filter (\v. ?I v \ None) ?vs)" using set_map[of "\v. encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \" "filter (\v. ?I v \ None) ?vs"] by blast then have "set ?l = (\v. encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \) ` {v \ set ?vs. ?I v \ None}" using set_filter[of "\v. ?I v \ None" ?vs] by argo then obtain v where c_is: "C = encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \" and v_in_set_vs: "v \ set ?vs" and I_of_v_is_not_None: "?I v \ None" using c_in_set_l by auto (* TODO refactor. 
*) { have "v \ dom ?I" using I_of_v_is_not_None by blast moreover have "is_lit_plus (encode_state_variable 0 (index ?vs v) (?I v))" using encode_state_variable_is_lit_plus_if[OF _ calculation] assms(1) by blast moreover have "is_lit_plus \" by simp ultimately have "is_disj C" using c_is by force } hence "is_cnf C" unfolding encode_state_variable_def using c_is by fastforce } thus ?thesis unfolding encode_initial_state_def SAT_Plan_Base.encode_initial_state_def Let_def initial_of_def using is_cnf_BigAnd[of ?l] by (smt is_cnf_BigAnd) qed lemma encode_goal_state_is_cnf: assumes "is_valid_problem_strips \" shows "is_cnf (encode_goal_state \ t)" proof - let ?I = "(\)\<^sub>I" and ?G = "(\)\<^sub>G" and ?vs = "strips_problem.variables_of \" let ?l = "map (\v. encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \) (filter (\v. ?G v \ None) ?vs)" { fix C assume "C \ set ?l" (* TODO refactor (lemma \encode_goal_state_is_cnf_i\) *) moreover { have "set ?l = (\v. encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \) ` set (filter (\v. ?G v \ None) ?vs)" unfolding set_map by blast then have "set ?l = { encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \ | v. v \ set ?vs \ ?G v \ None }" by auto } moreover obtain v where C_is: "C = encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \ " and "v \ set ?vs" and G_of_v_is_not_None: "?G v \ None" using calculation(1) by auto (* TODO refactor. 
*) moreover { have "v \ dom ?G" using G_of_v_is_not_None by blast moreover have "is_lit_plus (encode_state_variable t (index ?vs v) (?G v))" using assms(1) calculation by (simp add: encode_state_variable_is_lit_plus_if) moreover have "is_lit_plus \" by simp ultimately have "is_disj C" unfolding C_is by force } ultimately have "is_cnf C" by simp } thus ?thesis unfolding encode_goal_state_def SAT_Plan_Base.encode_goal_state_def Let_def using is_cnf_BigAnd[of ?l] by simp qed private lemma encode_operator_precondition_is_cnf: "is_cnf (encode_operator_precondition \ k op)" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" let ?l = "map (\v. \<^bold>\ (Atom (Operator k (index ?ops op))) \<^bold>\ Atom (State k (index ?vs v))) (precondition_of op)" { have "set ?l = (\v. \<^bold>\(Atom (Operator k (index ?ops op))) \<^bold>\ Atom (State k (index ?vs v))) ` set (precondition_of op)" using set_map by force then have "set ?l = { \<^bold>\(Atom (Operator k (index ?ops op))) \<^bold>\ Atom (State k (index ?vs v)) | v. v \ set (precondition_of op) }" using setcompr_eq_image[of "\v. \<^bold>\(Atom (Operator k (index ?ops op))) \<^bold>\ Atom (State k (index ?vs v))" "\v. v \ set (precondition_of op)"] by simp } note set_l_is = this { fix C assume "C \ set ?l" then obtain v where "v \ set (precondition_of op)" and "C = \<^bold>\(Atom (Operator k (index ?ops op))) \<^bold>\ Atom (State k (index ?vs v))" using set_l_is by blast hence "is_cnf C" by simp } thus ?thesis unfolding encode_operator_precondition_def using is_cnf_BigAnd[of ?l] by meson qed private lemma set_map_operator_precondition[simp]: "set (map (\(k, op). encode_operator_precondition \ k op) (List.product [0.. k op | k op. (k, op) \ ({0.. set ops) }" proof - let ?l' = "List.product [0.. set ops" by simp moreover { have "set ?fs = (\(k, op). encode_operator_precondition \ k op) ` ({0.. 
set ops)" using set_map set_l'_is by simp also have "\ = { encode_operator_precondition \ k op | k op. (k, op) \ {0.. set ops}" using setcompr_eq_image by fast finally have "set ?fs = { encode_operator_precondition \ k op | k op. (k, op) \ ({0.. set ops) }" by blast } thus ?thesis by blast qed private lemma is_cnf_encode_all_operator_preconditions: "is_cnf (encode_all_operator_preconditions \ (strips_problem.operators_of \) t)" proof - let ?l' = "List.product [0..)" let ?fs = "map (\(k, op). encode_operator_precondition \ k op) ?l'" have "\f \ set ?fs. is_cnf f" using encode_operator_precondition_is_cnf by fastforce thus ?thesis unfolding encode_all_operator_preconditions_def using is_cnf_foldr_and_if[of ?fs] by presburger qed (* TODO refactor Appendix *) private lemma set_map_or[simp]: "set (map (\v. A v \<^bold>\ B v) vs) = { A v \<^bold>\ B v | v. v \ set vs }" proof - let ?l = "map (\v. A v \<^bold>\ B v) vs" have "set ?l = (\v. A v \<^bold>\ B v) ` set vs" using set_map by force thus ?thesis using setcompr_eq_image by auto qed private lemma encode_operator_effects_is_cnf_i: "is_cnf (\<^bold>\(map (\v. (\<^bold>\ (Atom (Operator t (index (strips_problem.operators_of \) op)))) \<^bold>\ Atom (State (Suc t) (index (strips_problem.variables_of \) v))) (add_effects_of op)))" proof - let ?fs = "map (\v. \<^bold>\ (Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ Atom (State (Suc t) (index (strips_problem.variables_of \) v))) (add_effects_of op)" { fix C assume "C \ set ?fs" then obtain v where "v \ set (add_effects_of op)" and "C = \<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ Atom (State (Suc t) (index (strips_problem.variables_of \) v))" by auto hence "is_cnf C" by fastforce } thus ?thesis using is_cnf_BigAnd by blast qed private lemma encode_operator_effects_is_cnf_ii: "is_cnf (\<^bold>\(map (\v. 
\<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ \<^bold>\(Atom (State (Suc t) (index (strips_problem.variables_of \) v)))) (delete_effects_of op)))" proof - let ?fs = "map (\v. \<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ \<^bold>\(Atom (State (Suc t) (index (strips_problem.variables_of \) v)))) (delete_effects_of op)" { fix C assume "C \ set ?fs" then obtain v where "v \ set (delete_effects_of op)" and "C = \<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ \<^bold>\(Atom (State (Suc t) (index (strips_problem.variables_of \) v)))" by auto hence "is_cnf C" by fastforce } thus ?thesis using is_cnf_BigAnd by blast qed private lemma encode_operator_effect_is_cnf: shows "is_cnf (encode_operator_effect \ t op)" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?fs = "map (\v. \<^bold>\(Atom (Operator t (index ?ops op))) \<^bold>\ Atom (State (Suc t) (index ?vs v))) (add_effects_of op)" and ?fs' = "map (\v. \<^bold>\(Atom (Operator t (index ?ops op))) \<^bold>\ \<^bold>\(Atom (State (Suc t) (index ?vs v)))) (delete_effects_of op)" have "encode_operator_effect \ t op = \<^bold>\(?fs @ ?fs')" unfolding encode_operator_effect_def[of \ t op] by metis moreover { have "\f \ set ?fs. is_cnf f" "\f \ set ?fs'. is_cnf f" using encode_operator_effects_is_cnf_i[of t \ op] encode_operator_effects_is_cnf_ii[of t \ op] by (simp+) (* TODO slow. *) hence "\f \ set (?fs @ ?fs'). is_cnf f" by auto } ultimately show ?thesis using is_cnf_BigAnd[of "?fs @ ?fs'"] by presburger qed private lemma set_map_encode_operator_effect[simp]: "set (map (\(t, op). encode_operator_effect \ t op) (List.product [0..))) = { encode_operator_effect \ k op | k op. (k, op) \ ({0.. set (strips_problem.operators_of \)) }" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?fs = "map (\(t, op). 
encode_operator_effect \ t op) (List.product [0..(t, op). encode_operator_effect \ t op) ` ({0.. set ?ops)" unfolding encode_operator_effect_def[of \ t] by force thus ?thesis using setcompr_eq_image[of "\(t, op). encode_operator_effect \ t op" "\(k, op). (k, op) \ {0.. set ?ops"] by force qed private lemma encode_all_operator_effects_is_cnf: assumes "is_valid_problem_strips \" shows "is_cnf (encode_all_operator_effects \ (strips_problem.operators_of \) t)" proof - let ?ops = "strips_problem.operators_of \" let ?l = "List.product [0..f \ set ?fs. is_cnf f" using encode_operator_effect_is_cnf by force thus ?thesis unfolding encode_all_operator_effects_def using is_cnf_foldr_and_if[of ?fs] by presburger qed lemma encode_operators_is_cnf: assumes "is_valid_problem_strips \" shows "is_cnf (encode_operators \ t)" unfolding encode_operators_def using is_cnf_encode_all_operator_preconditions[of \ t] encode_all_operator_effects_is_cnf[OF assms, of t] is_cnf.simps(1)[of "encode_all_operator_preconditions \ (strips_problem.operators_of \) t" "encode_all_operator_effects \ (strips_problem.operators_of \) t"] by meson \ \ Simp flag alone did not do it, so we have to assign a name to this lemma as well. \ private lemma set_map_to_operator_atom[simp]: "set (map (\op. Atom (Operator t (index (strips_problem.operators_of \) op))) (filter (\op. ListMem v vs) (strips_problem.operators_of \))) = { Atom (Operator t (index (strips_problem.operators_of \) op)) | op. op \ set (strips_problem.operators_of \) \ v \ set vs }" proof - let ?ops = "strips_problem.operators_of \" { have "set (filter (\op. ListMem v vs) ?ops) = { op \ set ?ops. ListMem v vs }" using set_filter by force then have "set (filter (\op. ListMem v vs) ?ops) = { op. op \ set ?ops \ v \ set vs }" using ListMem_iff[of v] by blast } then have "set (map (\op. Atom (Operator t (index ?ops op))) (filter (\op. ListMem v vs) ?ops)) = (\op. Atom (Operator t (index ?ops op))) ` { op \ set ?ops. v \ set vs }" using set_map[of "\op. 
Atom (Operator t (index ?ops op))"] by presburger thus ?thesis by blast qed (* TODO refactor \Formula_Supplement\ *) lemma is_disj_big_or_if: assumes "\f \ set fs. is_lit_plus f" shows "is_disj \<^bold>\fs" using assms proof (induction fs) case (Cons f fs) have "is_lit_plus f" using Cons.prems by simp moreover have "is_disj \<^bold>\fs" using Cons by fastforce ultimately show ?case by simp qed simp lemma is_cnf_encode_negative_transition_frame_axiom: shows "is_cnf (encode_negative_transition_frame_axiom \ t v)" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" let ?deleting = "filter (\op. ListMem v (delete_effects_of op)) ?ops" let ?fs = "map (\op. Atom (Operator t (index ?ops op))) ?deleting" and ?A = "(\<^bold>\(Atom (State t (index ?vs v))))" and ?B = "Atom (State (Suc t) (index ?vs v))" { fix f assume "f \ set ?fs" (* TODO slow. *) then obtain op where "op \ set ?ops" and "v \ set (delete_effects_of op)" and "f = Atom (Operator t (index ?ops op))" using set_map_to_operator_atom[of t \ v] by fastforce hence "is_lit_plus f" by simp } note nb = this { have "is_disj \<^bold>\?fs" using is_disj_big_or_if nb by blast then have "is_disj (?B \<^bold>\ \<^bold>\?fs)" by force then have "is_disj (?A \<^bold>\ (?B \<^bold>\ \<^bold>\?fs))" by fastforce hence "is_cnf (?A \<^bold>\ (?B \<^bold>\ \<^bold>\?fs))" by fastforce } thus ?thesis unfolding encode_negative_transition_frame_axiom_def by meson qed lemma is_cnf_encode_positive_transition_frame_axiom: shows "is_cnf (encode_positive_transition_frame_axiom \ t v)" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" let ?adding = "filter (\op. ListMem v (add_effects_of op)) ?ops" let ?fs = "map (\op. Atom (Operator t (index ?ops op))) ?adding" and ?A = "Atom (State t (index ?vs v))" and ?B = "\<^bold>\(Atom (State (Suc t) (index ?vs v)))" { fix f assume "f \ set ?fs" (* TODO slow. 
*) then obtain op where "op \ set ?ops" and "v \ set (add_effects_of op)" and "f = Atom (Operator t (index ?ops op))" using set_map_to_operator_atom[of t \ v] by fastforce hence "is_lit_plus f" by simp } note nb = this { have "is_disj \<^bold>\?fs" using is_disj_big_or_if nb by blast then have "is_disj (?B \<^bold>\ \<^bold>\?fs)" by force then have "is_disj (?A \<^bold>\ (?B \<^bold>\ \<^bold>\?fs))" by fastforce hence "is_cnf (?A \<^bold>\ (?B \<^bold>\ \<^bold>\?fs))" by fastforce } thus ?thesis unfolding encode_positive_transition_frame_axiom_def by meson qed private lemma encode_all_frame_axioms_set[simp]: "set (map (\(k, v). encode_negative_transition_frame_axiom \ k v) (List.product [0..)) @ (map (\(k, v). encode_positive_transition_frame_axiom \ k v) (List.product [0..)))) = { encode_negative_transition_frame_axiom \ k v | k v. (k, v) \ ({0.. set (strips_problem.variables_of \)) } \ { encode_positive_transition_frame_axiom \ k v | k v. (k, v) \ ({0.. set (strips_problem.variables_of \)) }" proof - let ?l = "List.product [0..)" let ?A = "(\(k, v). encode_negative_transition_frame_axiom \ k v) ` set ?l" and ?B = "(\(k, v). encode_positive_transition_frame_axiom \ k v) ` set ?l" and ?fs = "map (\(k, v). encode_negative_transition_frame_axiom \ k v) ?l @ (map (\(k, v). encode_positive_transition_frame_axiom \ k v) ?l)" and ?vs = "strips_problem.variables_of \" have set_l_is: "set ?l = {0.. set ?vs" by simp have "set ?fs = ?A \ ?B" using set_append by force moreover have "?A = { encode_negative_transition_frame_axiom \ k v | k v. (k, v) \ ({0.. set ?vs) }" using set_l_is setcompr_eq_image[of "\(k, v). encode_negative_transition_frame_axiom \ k v" "\(k, v). (k, v) \ ({0.. set ?vs)"] by fast moreover have "?B = { encode_positive_transition_frame_axiom \ k v | k v. (k, v) \ ({0.. set ?vs) }" using set_l_is setcompr_eq_image[of "\(k, v). encode_positive_transition_frame_axiom \ k v" "\(k, v). (k, v) \ ({0.. 
set ?vs)"] by fast ultimately show ?thesis by argo qed (* rename \is_cnf_encode_all_frame_axioms\. *) lemma encode_frame_axioms_is_cnf: shows "is_cnf (encode_all_frame_axioms \ t)" proof - let ?l = "List.product [0..)" and ?vs = "strips_problem.variables_of \" let ?A = "{ encode_negative_transition_frame_axiom \ k v | k v. (k, v) \ ({0.. set ?vs) }" and ?B = "{ encode_positive_transition_frame_axiom \ k v | k v. (k, v) \ ({0.. set ?vs) }" and ?fs = "map (\(k, v). encode_negative_transition_frame_axiom \ k v) ?l @ (map (\(k, v). encode_positive_transition_frame_axiom \ k v) ?l)" { fix f assume "f \ set ?fs" (* TODO slow. *) then consider (f_encodes_negative_frame_axiom) "f \ ?A" | (f_encodes_positive_frame_axiom) "f \ ?B" by fastforce hence "is_cnf f" using is_cnf_encode_negative_transition_frame_axiom is_cnf_encode_positive_transition_frame_axiom by (smt mem_Collect_eq) } thus ?thesis unfolding encode_all_frame_axioms_def using is_cnf_BigAnd[of ?fs] by meson qed lemma is_cnf_encode_problem: assumes "is_valid_problem_strips \" shows "is_cnf (\ \ t)" proof - have "is_cnf (\\<^sub>I \)" using is_cnf_encode_initial_state assms by auto moreover have "is_cnf (encode_goal_state \ t)" using encode_goal_state_is_cnf[OF assms] by simp moreover have "is_cnf (encode_operators \ t \<^bold>\ encode_all_frame_axioms \ t)" using encode_operators_is_cnf[OF assms] encode_frame_axioms_is_cnf unfolding encode_transitions_def by simp ultimately show ?thesis unfolding encode_problem_def SAT_Plan_Base.encode_problem_def encode_transitions_def encode_initial_state_def[symmetric] encode_goal_state_def[symmetric] by simp qed lemma encode_problem_has_model_then_also_partial_encodings: assumes "\ \ SAT_Plan_Base.encode_problem \ t" shows "\ \ SAT_Plan_Base.encode_initial_state \" and "\ \ SAT_Plan_Base.encode_goal_state \ t" and "\ \ SAT_Plan_Base.encode_operators \ t" and "\ \ SAT_Plan_Base.encode_all_frame_axioms \ t" using assms unfolding SAT_Plan_Base.encode_problem_def by simp+ lemma 
cnf_of_encode_problem_structure: shows "cnf (SAT_Plan_Base.encode_initial_state \) \ cnf (SAT_Plan_Base.encode_problem \ t)" and "cnf (SAT_Plan_Base.encode_goal_state \ t) \ cnf (SAT_Plan_Base.encode_problem \ t)" and "cnf (SAT_Plan_Base.encode_operators \ t) \ cnf (SAT_Plan_Base.encode_problem \ t)" and "cnf (SAT_Plan_Base.encode_all_frame_axioms \ t) \ cnf (SAT_Plan_Base.encode_problem \ t)" unfolding SAT_Plan_Base.encode_problem_def SAT_Plan_Base.encode_problem_def[of \ t] SAT_Plan_Base.encode_initial_state_def[of \] SAT_Plan_Base.encode_goal_state_def[of \ t] SAT_Plan_Base.encode_operators_def SAT_Plan_Base.encode_all_frame_axioms_def[of \ t] subgoal by auto subgoal by force subgoal by auto subgoal by force done \ \ A technical lemma which shows a simpler form of the CNF of the initial state encoding. \ (* TODO generalize for more encodings? *) private lemma cnf_of_encode_initial_state_set_i: shows "cnf (\\<^sub>I \) = \ { cnf (encode_state_variable 0 (index (strips_problem.variables_of \) v) (((\)\<^sub>I) v)) | v. v \ set (strips_problem.variables_of \) \ ((\)\<^sub>I) v \ None }" proof - let ?vs = "strips_problem.variables_of \" and ?I = "strips_problem.initial_of \" let ?ls = "map (\v. encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \) (filter (\v. ?I v \ None) ?vs)" { have "cnf ` set ?ls = cnf ` (\v. encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \) ` set (filter (\v. ?I v \ None) ?vs)" using set_map[of "\v. encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \"] by presburger also have "\ = (\v. cnf (encode_state_variable 0 (index ?vs v) (?I v) \<^bold>\ \)) ` set (filter (\v. ?I v \ None) ?vs)" using image_comp by blast also have "\ = (\v. cnf (encode_state_variable 0 (index ?vs v) (?I v))) ` { v \ set ?vs. ?I v \ None }" using set_filter[of "\v. ?I v \ None" ?vs] by auto finally have "cnf ` set ?ls = { cnf (encode_state_variable 0 (index ?vs v) (?I v)) | v. v \ set ?vs \ ?I v \ None }" using setcompr_eq_image[of "\v. 
cnf (encode_state_variable 0 (index ?vs v) (?I v))"] by presburger } moreover have "cnf (\\<^sub>I \) = \ (cnf ` set ?ls)" unfolding encode_initial_state_def SAT_Plan_Base.encode_initial_state_def using cnf_BigAnd[of ?ls] by meson ultimately show ?thesis by auto qed \ \ A simplification lemma for the above one. \ (* TODO Replace above lemma with this?. *) corollary cnf_of_encode_initial_state_set_ii: assumes "is_valid_problem_strips \" shows "cnf (\\<^sub>I \) = (\v \ set (strips_problem.variables_of \). {{ literal_formula_to_literal (encode_state_variable 0 (index (strips_problem.variables_of \) v) (strips_problem.initial_of \ v)) }})" proof - let ?vs = "strips_problem.variables_of \" and ?I = "strips_problem.initial_of \" have nb\<^sub>1: "{ v. v \ set ?vs \ ?I v \ None } = set ?vs" using is_valid_problem_strips_initial_of_dom assms(1) by auto (* TODO generalize and refactor. *) { fix v assume "v \ set ?vs" then have "?I v \ None" using is_valid_problem_strips_initial_of_dom assms(1) by auto then consider (I_v_is_Some_True) "?I v = Some True" | (I_v_is_Some_False) "?I v = Some False" by fastforce hence "cnf (encode_state_variable 0 (index ?vs v) (?I v)) = {{ literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?I v)) }}" unfolding encode_state_variable_def by (cases, simp+) } note nb\<^sub>2 = this { have "{ cnf (encode_state_variable 0 (index ?vs v) (?I v)) | v. v \ set ?vs \ ?I v \ None } = (\v. cnf (encode_state_variable 0 (index ?vs v) (?I v))) ` set ?vs" using setcompr_eq_image[of "\v. cnf (encode_state_variable 0 (index ?vs v) (?I v))" "\v. v \ set ?vs \ ?I v \ None"] using nb\<^sub>1 by presburger hence "{ cnf (encode_state_variable 0 (index ?vs v) (?I v)) | v. v \ set ?vs \ ?I v \ None } = (\v. {{ literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?I v)) }}) ` set ?vs" using nb\<^sub>2 by force } thus ?thesis using cnf_of_encode_initial_state_set_i by (smt Collect_cong) qed (* TODO \\!\ is superfluous now? rm? 
+ Above lemma basically covers this one. *) lemma cnf_of_encode_initial_state_set: assumes "is_valid_problem_strips \" and "v \ dom (strips_problem.initial_of \)" shows "strips_problem.initial_of \ v = Some True \ (\!C. C \ cnf (\\<^sub>I \) \ C = { (State 0 (index (strips_problem.variables_of \) v))\<^sup>+ })" and "strips_problem.initial_of \ v = Some False \ (\!C. C \ cnf (\\<^sub>I \) \ C = { (State 0 (index (strips_problem.variables_of \) v))\ })" proof - let ?I = "(\)\<^sub>I" let ?vs = "strips_problem.variables_of \" let ?\\<^sub>I = "\\<^sub>I \" have nb\<^sub>1: "cnf (\\<^sub>I \) = \ { cnf (encode_state_variable 0 (index ?vs v) (strips_problem.initial_of \ v)) | v. v \ set ?vs \ ?I v \ None }" using cnf_of_encode_initial_state_set_i by blast { have "v \ set ?vs" using is_valid_problem_strips_initial_of_dom assms(1, 2) by blast hence "v \ { v. v \ set ?vs \ ?I v \ None }" using assms(2) by auto } note nb\<^sub>2 = this show "strips_problem.initial_of \ v = Some True \ (\!C. C \ cnf (\\<^sub>I \) \ C = { (State 0 (index (strips_problem.variables_of \) v))\<^sup>+ })" and "strips_problem.initial_of \ v = Some False \ (\!C. 
C \ cnf (\\<^sub>I \) \ C = { (State 0 (index (strips_problem.variables_of \) v))\ })" proof (auto) assume i_v_is_some_true: "strips_problem.initial_of \ v = Some True" then have "{ (State 0 (index (strips_problem.variables_of \) v))\<^sup>+ } \ cnf (encode_state_variable 0 (index (strips_problem.variables_of \) v) (?I v))" unfolding encode_state_variable_def using i_v_is_some_true by auto thus "{ (State 0 (index (strips_problem.variables_of \) v))\<^sup>+ } \ cnf (\\<^sub>I \)" using nb\<^sub>1 nb\<^sub>2 by auto next assume i_v_is_some_false: "strips_problem.initial_of \ v = Some False" then have "{ (State 0 (index (strips_problem.variables_of \) v))\ } \ cnf (encode_state_variable 0 (index (strips_problem.variables_of \) v) (?I v))" unfolding encode_state_variable_def using i_v_is_some_false by auto thus "{ (State 0 (index (strips_problem.variables_of \) v))\ } \ cnf (\\<^sub>I \)" using nb\<^sub>1 nb\<^sub>2 by auto qed qed lemma cnf_of_operator_encoding_structure: "cnf (encode_operators \ t) = cnf (encode_all_operator_preconditions \ (strips_problem.operators_of \) t) \ cnf (encode_all_operator_effects \ (strips_problem.operators_of \) t)" unfolding encode_operators_def using cnf.simps(5) by metis corollary cnf_of_operator_precondition_encoding_subset_encoding: "cnf (encode_all_operator_preconditions \ (strips_problem.operators_of \) t) \ cnf (\ \ t)" using cnf_of_operator_encoding_structure cnf_of_encode_problem_structure subset_trans unfolding encode_problem_def by blast (* TODO refactor \CNF_Supplement\ *) lemma cnf_foldr_and[simp]: "cnf (foldr (\<^bold>\) fs (\<^bold>\\)) = (\f \ set fs. cnf f)" proof (induction fs) case (Cons f fs) have ih: "cnf (foldr (\<^bold>\) fs (\<^bold>\\)) = (\f \ set fs. 
cnf f)" using Cons.IH by blast { have "cnf (foldr (\<^bold>\) (f # fs) (\<^bold>\\)) = cnf (f \<^bold>\ foldr (\<^bold>\) fs (\<^bold>\\))" by simp also have "\ = cnf f \ cnf (foldr (\<^bold>\) fs (\<^bold>\\))" by force finally have "cnf (foldr (\<^bold>\) (f # fs) (\<^bold>\\)) = cnf f \ (\f \ set fs. cnf f)" using ih by argo } thus ?case by auto qed simp (* TODO rm (unused)? *) private lemma cnf_of_encode_operator_precondition[simp]: "cnf (encode_operator_precondition \ t op) = (\v \ set (precondition_of op). {{(Operator t (index (strips_problem.operators_of \) op))\ , (State t (index (strips_problem.variables_of \) v))\<^sup>+}})" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?\\<^sub>P = "encode_operator_precondition \ t op" let ?fs = "map (\v. \<^bold>\ (Atom (Operator t (index ?ops op))) \<^bold>\ Atom (State t (index ?vs v))) (precondition_of op)" and ?A = "(\v. \<^bold>\ (Atom (Operator t (index ?ops op))) \<^bold>\ Atom (State t (index ?vs v))) ` set (precondition_of op)" have "cnf (encode_operator_precondition \ t op) = cnf (\<^bold>\?fs)" unfolding encode_operator_precondition_def by presburger also have "\ = \ (cnf ` set ?fs)" using cnf_BigAnd by blast also have "\ = \(cnf ` ?A)" using set_map[of "\v. \<^bold>\ (Atom (Operator t (index ?ops op))) \<^bold>\ Atom (State t (index ?vs v))" "precondition_of op"] by argo also have "\ = (\v \ set (precondition_of op). cnf (\<^bold>\(Atom (Operator t (index ?ops op))) \<^bold>\ Atom (State t (index ?vs v))))" by blast (* TODO slow. *) finally show ?thesis by auto qed (* TODO Shorten proof. *) lemma cnf_of_encode_all_operator_preconditions_structure[simp]: "cnf (encode_all_operator_preconditions \ (strips_problem.operators_of \) t) = (\(t, op) \ ({.. set (operators_of \)). (\v \ set (precondition_of op). 
{{(Operator t (index (strips_problem.operators_of \) op))\ , (State t (index (strips_problem.variables_of \) v))\<^sup>+}}))" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" let ?l = "List.product [0..\<^sub>P = "encode_all_operator_preconditions \ (strips_problem.operators_of \) t" let ?A = "set (map (\(t, op). encode_operator_precondition \ t op) ?l)" { have "set ?l = {0.. set ((\)\<^sub>\)" by auto then have "?A = (\(t, op). encode_operator_precondition \ t op) ` ({0.. set ((\)\<^sub>\))" using set_map by force } note nb = this have "cnf ?\\<^sub>P = cnf (foldr (\<^bold>\) (map (\(t, op). encode_operator_precondition \ t op) ?l) (\<^bold>\\))" unfolding encode_all_operator_preconditions_def by presburger also have "\ = (\f \ ?A. cnf f)" by simp (* TODO slow. *) also have "\ = (\(k, op) \ ({0.. set ((\)\<^sub>\)). cnf (encode_operator_precondition \ k op))" using nb by fastforce (* TODO very slow. *) finally show ?thesis by fastforce qed corollary cnf_of_encode_all_operator_preconditions_contains_clause_if: fixes \::"'variable STRIPS_Representation.strips_problem" assumes "is_valid_problem_strips (\::'variable STRIPS_Representation.strips_problem)" and "k < t" and "op \ set ((\)\<^sub>\)" and "v \ set (precondition_of op)" shows "{ (Operator k (index (strips_problem.operators_of \) op))\ , (State k (index (strips_problem.variables_of \) v))\<^sup>+ } \ cnf (encode_all_operator_preconditions \ (strips_problem.operators_of \) t)" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?\\<^sub>P = "encode_all_operator_preconditions \ ?ops t" and ?C = "{ (Operator k (index (strips_problem.operators_of \) op))\ , (State k (index (strips_problem.variables_of \) v))\<^sup>+ }" { have nb: "(k, op) \ {.. set ((\)\<^sub>\)" using assms(2, 3) by blast moreover { have "?C \ (\v\set (precondition_of op). 
{{(Operator k (index (strips_problem.operators_of \) op))\, (State k (index (strips_problem.variables_of \) v))\<^sup>+}})" using UN_iff[where A="set (precondition_of op)" and B="\v. {{(Operator t (index (strips_problem.operators_of \) op))\, (State t (index (strips_problem.variables_of \) v))\<^sup>+}}"] assms(4) by blast hence "\x\{.. set ((\)\<^sub>\). ?C \ (case x of (k, op) \ \v\set (precondition_of op). {{(Operator k (index (strips_problem.operators_of \) op))\, (State k (index (strips_problem.variables_of \) v))\<^sup>+}})" using nb by blast } ultimately have "?C \ (\(t, op) \ ({.. set ((\)\<^sub>\)). (\v \ set (precondition_of op). {{ (Operator t (index ?ops op))\, (State t (index ?vs v))\<^sup>+ }}))" by blast } thus ?thesis using cnf_of_encode_all_operator_preconditions_structure[of \ t] by argo qed corollary cnf_of_encode_all_operator_effects_subset_cnf_of_encode_problem: "cnf (encode_all_operator_effects \ (strips_problem.operators_of \) t) \ cnf (\ \ t)" using cnf_of_encode_problem_structure(3) cnf_of_operator_encoding_structure unfolding encode_problem_def by blast private lemma cnf_of_encode_operator_effect_structure[simp]: "cnf (encode_operator_effect \ t op) = (\v \ set (add_effects_of op). {{ (Operator t (index (strips_problem.operators_of \) op))\ , (State (Suc t) (index (strips_problem.variables_of \) v))\<^sup>+ }}) \ (\v \ set (delete_effects_of op). {{ (Operator t (index (strips_problem.operators_of \) op))\ , (State (Suc t) (index (strips_problem.variables_of \) v))\ }})" proof - let ?fs\<^sub>1 = "map (\v. \<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ Atom (State (Suc t) (index (strips_problem.variables_of \) v))) (add_effects_of op)" and ?fs\<^sub>2 = "map (\v. \<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ \<^bold>\ (Atom (State (Suc t) (index (strips_problem.variables_of \) v)))) (delete_effects_of op)" { have "cnf ` set ?fs\<^sub>1 = cnf ` (\v. 
\<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ Atom (State (Suc t) (index (strips_problem.variables_of \) v))) ` set (add_effects_of op)" using set_map by force also have "\ = (\v. cnf (\<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ Atom (State (Suc t) (index (strips_problem.variables_of \) v)))) ` set (add_effects_of op)" using image_comp by blast (* TODO slow. *) finally have "cnf ` set ?fs\<^sub>1 = (\v. {{ (Operator t (index (strips_problem.operators_of \) op))\ , (State (Suc t) (index (strips_problem.variables_of \) v))\<^sup>+ }}) ` set (add_effects_of op)" by auto } note nb\<^sub>1 = this { have "cnf ` set ?fs\<^sub>2 = cnf ` (\v. \<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ \<^bold>\(Atom (State (Suc t) (index (strips_problem.variables_of \) v)))) ` set (delete_effects_of op)" using set_map by force also have "\ = (\v. cnf (\<^bold>\(Atom (Operator t (index (strips_problem.operators_of \) op))) \<^bold>\ \<^bold>\ (Atom (State (Suc t) (index (strips_problem.variables_of \) v))))) ` set (delete_effects_of op)" using image_comp by blast (* TODO slow. *) finally have "cnf ` set ?fs\<^sub>2 = (\v. {{ (Operator t (index (strips_problem.operators_of \) op))\ , (State (Suc t) (index (strips_problem.variables_of \) v))\ }}) ` set (delete_effects_of op)" by auto } note nb\<^sub>2 = this { have "cnf (encode_operator_effect \ t op) = \(cnf ` set (?fs\<^sub>1 @ ?fs\<^sub>2))" unfolding encode_operator_effect_def using cnf_BigAnd[of "?fs\<^sub>1 @ ?fs\<^sub>2"] by meson also have "\ = \(cnf ` set ?fs\<^sub>1 \ cnf ` set ?fs\<^sub>2)" using set_append[of "?fs\<^sub>1" "?fs\<^sub>2"] image_Un[of cnf "set ?fs\<^sub>1" "set ?fs\<^sub>2"] by argo also have "\ = \(cnf ` set ?fs\<^sub>1) \ \(cnf ` set ?fs\<^sub>2)" using Union_Un_distrib[of "cnf ` set ?fs\<^sub>1" "cnf ` set ?fs\<^sub>2"] by argo (* TODO slow. 
*) finally have "cnf (encode_operator_effect \ t op) = (\v \ set (add_effects_of op). {{ (Operator t (index (strips_problem.operators_of \) op))\ , (State (Suc t) (index (strips_problem.variables_of \) v))\<^sup>+ }}) \ (\v \ set (delete_effects_of op). {{ (Operator t (index (strips_problem.operators_of \) op))\ , (State (Suc t) (index (strips_problem.variables_of \) v))\ }})" using nb\<^sub>1 nb\<^sub>2 by argo } thus ?thesis by blast qed lemma cnf_of_encode_all_operator_effects_structure: "cnf (encode_all_operator_effects \ (strips_problem.operators_of \) t) = (\(k, op) \ ({0.. set ((\)\<^sub>\)). (\v \ set (add_effects_of op). {{ (Operator k (index (strips_problem.operators_of \) op))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\<^sup>+ }})) \ (\(k, op) \ ({0.. set ((\)\<^sub>\)). (\v \ set (delete_effects_of op). {{ (Operator k (index (strips_problem.operators_of \) op))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\ }}))" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?\\<^sub>E = "encode_all_operator_effects \ ?ops t" and ?l = "List.product [0.. set ?ops" by simp { have "cnf ` set ?fs = cnf ` (\(k, op). encode_operator_effect \ k op) ` ({0.. set ?ops)" by force also have "\ = (\(k, op). cnf (encode_operator_effect \ k op)) ` ({0.. set ?ops)" using image_comp by fast (* TODO slow. *) finally have "cnf ` set ?fs = (\(k, op). (\v \ set (add_effects_of op). {{ (Operator k (index (strips_problem.operators_of \) op))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\<^sup>+ }}) \ (\v \ set (delete_effects_of op). {{ (Operator k (index (strips_problem.operators_of \) op))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\ }})) ` ({0.. set ?ops)" using cnf_of_encode_operator_effect_structure by auto } (* TODO slow. 
*) thus ?thesis unfolding encode_all_operator_effects_def using cnf_BigAnd[of ?fs] by auto qed corollary cnf_of_operator_effect_encoding_contains_add_effect_clause_if: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "k < t" and "op \ set ((\)\<^sub>\)" and "v \ set (add_effects_of op)" shows "{ (Operator k (index (strips_problem.operators_of \) op))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\<^sup>+ } \ cnf (encode_all_operator_effects \ (strips_problem.operators_of \) t)" proof - let ?\\<^sub>E = "encode_all_operator_effects \ (strips_problem.operators_of \) t" and ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?Add = "\(k, op)\{0.. set ((\)\<^sub>\). \v\set (add_effects_of op). {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+}}" let ?C = "{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+ }" have "?Add \ cnf ?\\<^sub>E" using cnf_of_encode_all_operator_effects_structure[of \ t] Un_upper1[of "?Add"] by presburger moreover { have "?C \ {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+ }}" using assms(4) by blast then have "?C \ (\v\set (add_effects_of op). {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+}})" using Complete_Lattices.UN_iff[of "?C" "\v. {{ (Operator k (index ?ops op))\ , (State (Suc k) (index ?vs v))\<^sup>+}}" "set (add_effects_of op)"] using assms(4) by blast moreover have "(k, op) \ ({0.. set ((\)\<^sub>\))" using assms(2, 3) by fastforce (* TODO slow step. 
*) ultimately have "?C \ ?Add" by blast } ultimately show ?thesis using subset_eq[of "?Add" "cnf ?\\<^sub>E"] by meson qed corollary cnf_of_operator_effect_encoding_contains_delete_effect_clause_if: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "k < t" and "op \ set ((\)\<^sub>\)" and "v \ set (delete_effects_of op)" shows "{ (Operator k (index (strips_problem.operators_of \) op))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\ } \ cnf (encode_all_operator_effects \ (strips_problem.operators_of \) t)" proof - let ?\\<^sub>E = "encode_all_operator_effects \ (strips_problem.operators_of \) t" and ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?Delete = "(\(k, op)\{0.. set ((\)\<^sub>\). \v\set (delete_effects_of op). {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\ }})" let ?C = "{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\ }" have "?Delete \ cnf ?\\<^sub>E" using cnf_of_encode_all_operator_effects_structure[of \ t] Un_upper2[of "?Delete"] by presburger moreover { have "?C \ (\v \ set (delete_effects_of op). {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\ }})" using assms(4) by blast moreover have "(k, op) \ {0.. set ?ops" using assms(2, 3) by force (* TODO slow step. *) ultimately have "?C \ ?Delete" by fastforce } (* TODO slow step. *) ultimately show ?thesis using subset_eq[of "?Delete" "cnf ?\\<^sub>E"] by meson qed (* TODO refactor \CNF_Supplement\. *) private lemma cnf_of_big_or_of_literal_formulas_is[simp]: assumes "\f \ set fs. is_literal_formula f" shows "cnf (\<^bold>\fs) = {{ literal_formula_to_literal f | f. f \ set fs }}" using assms proof (induction fs) case (Cons f fs) { have is_literal_formula_f: "is_literal_formula f" using Cons.prems(1) by simp then have "cnf f = {{ literal_formula_to_literal f }}" using cnf_of_literal_formula by blast } note nb\<^sub>1 = this { have "\f' \ set fs. 
is_literal_formula f'" using Cons.prems by fastforce hence "cnf (\<^bold>\fs) = {{ literal_formula_to_literal f | f. f \ set fs }}" using Cons.IH by argo } note nb\<^sub>2 = this { have "cnf (\<^bold>\(f # fs)) = (\(g, h). g \ h) ` ({{ literal_formula_to_literal f}} \ {{ literal_formula_to_literal f' | f'. f' \ set fs }})" using nb\<^sub>1 nb\<^sub>2 by simp also have "\ = {{ literal_formula_to_literal f} \ { literal_formula_to_literal f' | f'. f' \ set fs }}" by fast finally have "cnf (\<^bold>\(f # fs)) = {{ literal_formula_to_literal f' | f'. f' \ set (f # fs) }}" by fastforce } thus ?case . qed simp private lemma set_filter_op_list_mem_vs[simp]: "set (filter (\op. ListMem v vs) ops) = { op. op \ set ops \ v \ set vs }" using set_filter[of "\op. ListMem v vs" ops] ListMem_iff by force private lemma cnf_of_positive_transition_frame_axiom: "cnf (encode_positive_transition_frame_axiom \ k v) = {{ (State k (index (strips_problem.variables_of \) v))\<^sup>+ , (State (Suc k) (index (strips_problem.variables_of \) v))\ } \ { (Operator k (index (strips_problem.operators_of \) op))\<^sup>+ | op. op \ set (strips_problem.operators_of \) \ v \ set (add_effects_of op) }}" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" let ?adding_operators = "filter (\op. ListMem v (add_effects_of op)) ?ops" let ?fs = "map (\op. Atom (Operator k (index ?ops op))) ?adding_operators" { have "set ?fs = (\op. Atom (Operator k (index ?ops op))) ` set ?adding_operators" using set_map[of "\op. Atom (Operator k (index ?ops op))" "?adding_operators"] by blast (* TODO slow. *) then have "literal_formula_to_literal ` set ?fs = (\op. (Operator k (index ?ops op))\<^sup>+) ` set ?adding_operators" using image_comp[of literal_formula_to_literal "\op. Atom (Operator k (index ?ops op))" "set ?adding_operators"] by simp also have "\ = (\op. (Operator k (index ?ops op))\<^sup>+) ` { op. 
op \ set ?ops \ v \ set (add_effects_of op) }" using set_filter_op_list_mem_vs[of v _ ?ops] by auto (* TODO slow. *) finally have "literal_formula_to_literal ` set ?fs = { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }" using setcompr_eq_image[of "\op. (Operator k (index ?ops op))\<^sup>+" "\op. op \set ?adding_operators"] by blast (* TODO slow. *) hence "cnf (\<^bold>\?fs) = {{ (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }}" using cnf_of_big_or_of_literal_formulas_is[of ?fs] setcompr_eq_image[of literal_formula_to_literal "\f. f \ set ?fs"] by force } (* TODO slow. *) then have "cnf (\<^bold>\(Atom (State (Suc k) (index ?vs v))) \<^bold>\ \<^bold>\?fs) = {{ (State (Suc k) (index ?vs v))\ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }}" by force (* TODO slow. *) then have "cnf ((Atom (State k (index ?vs v)) \<^bold>\ (\<^bold>\(Atom (State (Suc k) (index ?vs v))) \<^bold>\ \<^bold>\?fs))) = {{ (State k (index ?vs v))\<^sup>+ } \ { (State (Suc k) (index ?vs v))\ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }}" by simp (* TODO No idea why this is necessary (apparently only metis unfolds the definition properly). *) moreover have "cnf (encode_positive_transition_frame_axiom \ k v) = cnf ((Atom (State k (index ?vs v)) \<^bold>\ (\<^bold>\(Atom (State (Suc k) (index ?vs v))) \<^bold>\ \<^bold>\?fs)))" unfolding encode_positive_transition_frame_axiom_def by metis (* TODO slow. *) ultimately show ?thesis by blast qed private lemma cnf_of_negative_transition_frame_axiom: "cnf (encode_negative_transition_frame_axiom \ k v) = {{ (State k (index (strips_problem.variables_of \) v))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\<^sup>+ } \ { (Operator k (index (strips_problem.operators_of \) op))\<^sup>+ | op. 
op \ set (strips_problem.operators_of \) \ v \ set (delete_effects_of op) }}" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" let ?deleting_operators = "filter (\op. ListMem v (delete_effects_of op)) ?ops" let ?fs = "map (\op. Atom (Operator k (index ?ops op))) ?deleting_operators" { have "set ?fs = (\op. Atom (Operator k (index ?ops op))) ` set ?deleting_operators" using set_map[of "\op. Atom (Operator k (index ?ops op))" "?deleting_operators"] by blast (* TODO slow. *) then have "literal_formula_to_literal ` set ?fs = (\op. (Operator k (index ?ops op))\<^sup>+) ` set ?deleting_operators" using image_comp[of literal_formula_to_literal "\op. Atom (Operator k (index ?ops op))" "set ?deleting_operators"] by simp also have "\ = (\op. (Operator k (index ?ops op))\<^sup>+) ` { op. op \ set ?ops \ v \ set (delete_effects_of op) }" using set_filter_op_list_mem_vs[of v _ ?ops] by auto (* TODO slow. *) finally have "literal_formula_to_literal ` set ?fs = { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (delete_effects_of op) }" using setcompr_eq_image[of "\op. (Operator k (index ?ops op))\<^sup>+" "\op. op \set ?deleting_operators"] by blast (* TODO slow. *) hence "cnf (\<^bold>\?fs) = {{ (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (delete_effects_of op) }}" using cnf_of_big_or_of_literal_formulas_is[of ?fs] setcompr_eq_image[of literal_formula_to_literal "\f. f \ set ?fs"] by force } (* TODO slow. *) then have "cnf (Atom (State (Suc k) (index ?vs v)) \<^bold>\ \<^bold>\?fs) = {{ (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (delete_effects_of op) }}" by force (* TODO slow. *) then have "cnf ((\<^bold>\(Atom (State k (index ?vs v))) \<^bold>\ (Atom (State (Suc k) (index ?vs v)) \<^bold>\ \<^bold>\?fs))) = {{ (State k (index ?vs v))\ } \ { (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. 
op \ set ?ops \ v \ set (delete_effects_of op) }}" by simp (* TODO unfold Let_def + remove metis. *) moreover have "cnf (encode_negative_transition_frame_axiom \ k v) = cnf ((\<^bold>\(Atom (State k (index ?vs v))) \<^bold>\ (Atom (State (Suc k) (index ?vs v)) \<^bold>\ \<^bold>\?fs)))" unfolding encode_negative_transition_frame_axiom_def by metis (* TODO slow. *) ultimately show ?thesis by blast qed lemma cnf_of_encode_all_frame_axioms_structure: "cnf (encode_all_frame_axioms \ t) = \(\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index (strips_problem.variables_of \) v))\<^sup>+ , (State (Suc k) (index (strips_problem.variables_of \) v))\ } \ {(Operator k (index (strips_problem.operators_of \) op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (add_effects_of op) }}}) \ \(\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index (strips_problem.variables_of \) v))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\<^sup>+ } \ { (Operator k (index (strips_problem.operators_of \) op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op) }}})" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?\\<^sub>F = "encode_all_frame_axioms \ t" let ?l = "List.product [0.. set ((\)\<^sub>\)" using set_product by force (* TODO slow *) have "set ?fs = ?A \ ?B" unfolding set_append set_map using encode_all_frame_axioms_set by force then have "cnf ` set ?fs = cnf ` ?A \ cnf ` ?B" using image_Un[of cnf "?A" "?B"] by argo moreover { have "?A = (\(k, v) \ ({0.. set ((\)\<^sub>\)). { encode_negative_transition_frame_axiom \ k v })" by blast then have "cnf ` ?A = (\(k, v) \ ({0.. set ((\)\<^sub>\)). { cnf (encode_negative_transition_frame_axiom \ k v) })" by blast hence "cnf ` ?A = (\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\ , (State (Suc k) (index ?vs v))\<^sup>+ } \ {(Operator k (index ?ops op))\<^sup>+ | op. 
op \ set ?ops \ v \ set (delete_effects_of op)}}})" using cnf_of_negative_transition_frame_axiom[of \] by presburger } moreover { have "?B = (\(k, v) \ ({0.. set ((\)\<^sub>\)). { encode_positive_transition_frame_axiom \ k v})" by blast then have "cnf ` ?B = (\(k, v) \ ({0.. set ((\)\<^sub>\)). { cnf (encode_positive_transition_frame_axiom \ k v) })" by blast hence "cnf ` ?B = (\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\<^sup>+ , (State (Suc k) (index ?vs v))\ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }}})" using cnf_of_positive_transition_frame_axiom[of \] by presburger } (* TODO slow *) ultimately have "cnf ` set ?fs = (\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\<^sup>+ , (State (Suc k) (index ?vs v))\ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (add_effects_of op) }}}) \ (\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\ , (State (Suc k) (index ?vs v))\<^sup>+ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op)}}})" unfolding set_append set_map by force } then have "cnf (encode_all_frame_axioms \ t) = \((\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\<^sup>+ , (State (Suc k) (index ?vs v))\ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (add_effects_of op) }}}) \ (\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\ , (State (Suc k) (index ?vs v))\<^sup>+ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op)}}}))" unfolding encode_all_frame_axioms_def Let_def using cnf_BigAnd[of ?fs] by argo thus ?thesis using Union_Un_distrib[of "(\(k, v) \ ({0.. set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\<^sup>+ , (State (Suc k) (index ?vs v))\ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (add_effects_of op) }}})" "(\(k, v) \ ({0.. 
set ((\)\<^sub>\)). {{{ (State k (index ?vs v))\ , (State (Suc k) (index ?vs v))\<^sup>+ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op)}}})"] by argo qed \ \ A technical lemma used in \isaname{cnf_of_encode_goal_state_set}. \ private lemma cnf_of_encode_goal_state_set_i: "cnf ((\\<^sub>G \) t ) = \({ cnf (encode_state_variable t (index (strips_problem.variables_of \) v) (((\)\<^sub>G) v)) | v. v \ set ((\)\<^sub>\) \ ((\)\<^sub>G) v \ None })" proof - let ?vs = "strips_problem.variables_of \" and ?G = "(\)\<^sub>G" and ?\\<^sub>G = "(\\<^sub>G \) t" let ?fs = "map (\v. encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \) (filter (\v. ?G v \ None) ?vs)" { have "cnf ` set ?fs = cnf ` (\v. encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \) ` { v | v. v \ set ?vs \ ?G v \ None }" unfolding set_map by force also have "\ = (\v. cnf (encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \)) ` { v | v. v \ set ?vs \ ?G v \ None }" using image_comp[of cnf "(\v. encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \)" "{ v | v. v \ set ?vs \ ?G v \ None }"] by fast finally have "cnf ` set ?fs = { cnf (encode_state_variable t (index ?vs v) (?G v)) | v. v \ set ?vs \ ?G v \ None }" unfolding setcompr_eq_image[of "\v. cnf (encode_state_variable t (index ?vs v) (?G v) \<^bold>\ \)"] by auto } moreover have "cnf ((\\<^sub>G \) t) = \ (cnf ` set ?fs)" unfolding encode_goal_state_def SAT_Plan_Base.encode_goal_state_def Let_def using cnf_BigAnd[of ?fs] by force ultimately show ?thesis by simp qed \ \ A simplification lemma for the above one. \ (* TODO Replace above lemma with this?. *) corollary cnf_of_encode_goal_state_set_ii: assumes "is_valid_problem_strips \" shows "cnf ((\\<^sub>G \) t) = \({{{ literal_formula_to_literal (encode_state_variable t (index (strips_problem.variables_of \) v) (((\)\<^sub>G) v)) }} | v. 
v \ set ((\)\<^sub>\) \ ((\)\<^sub>G) v \ None })" proof - let ?vs = "strips_problem.variables_of \" and ?G = "(\)\<^sub>G" and ?\\<^sub>G = "(\\<^sub>G \) t" { fix v assume "v \ { v | v. v \ set ((\)\<^sub>\) \ ?G v \ None }" then have "v \ set ((\)\<^sub>\)" and G_of_v_is_not_None: "?G v \ None" by fast+ then consider (A) "?G v = Some True" | (B) "?G v = Some False" by fastforce hence "cnf (encode_state_variable t (index ?vs v) (?G v)) = {{ literal_formula_to_literal (encode_state_variable t (index ?vs v) (?G v)) }}" unfolding encode_state_variable_def by (cases, force+) } note nb = this have "cnf ?\\<^sub>G = \({ cnf (encode_state_variable t (index ?vs v) (?G v)) | v. v \ set ((\)\<^sub>\) \ ?G v \ None })" unfolding cnf_of_encode_goal_state_set_i by blast also have "\ = \((\v. cnf (encode_state_variable t (index ?vs v) (((\)\<^sub>G) v))) ` { v | v. v \ set ((\)\<^sub>\) \ ((\)\<^sub>G) v \ None })" using setcompr_eq_image[of "\v. cnf (encode_state_variable t (index ?vs v) (((\)\<^sub>G) v))" "\v. v \ set ((\)\<^sub>\) \ ((\)\<^sub>G) v \ None"] by presburger also have "\ = \((\v. {{ literal_formula_to_literal (encode_state_variable t (index ?vs v) (?G v)) }}) ` { v. v \ set ((\)\<^sub>\) \ ((\)\<^sub>G) v \ None })" using nb by simp finally show ?thesis unfolding nb by auto qed \ \ This lemma essentially states that the cnf for the cnf formula for the encoding has a clause for each variable whose state is defined in the goal state with the corresponding literal. \ (* TODO is \\!\ still needed? *) lemma cnf_of_encode_goal_state_set: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "v \ dom ((\)\<^sub>G)" shows "((\)\<^sub>G) v = Some True \ (\!C. C \ cnf ((\\<^sub>G \) t) \ C = { (State t (index (strips_problem.variables_of \) v))\<^sup>+ })" and "((\)\<^sub>G) v = Some False \ (\!C. 
C \ cnf ((\\<^sub>G \) t) \ C = { (State t (index (strips_problem.variables_of \) v))\ })" proof - let ?vs = "strips_problem.variables_of \" and ?G = "(\)\<^sub>G" and ?\\<^sub>G = "(\\<^sub>G \) t" have nb\<^sub>1: "cnf ?\\<^sub>G = \ { cnf (encode_state_variable t (index ?vs v) (?G v)) | v. v \ set ((\)\<^sub>\) \ ?G v \ None }" unfolding cnf_of_encode_goal_state_set_i by auto have nb\<^sub>2: "v \ { v. v \ set ((\)\<^sub>\) \ ?G v \ None }" using is_valid_problem_dom_of_goal_state_is assms(1, 2) by auto have nb\<^sub>3: "cnf (encode_state_variable t (index (strips_problem.variables_of \) v) (((\)\<^sub>G) v)) \ (\{ cnf (encode_state_variable t (index ?vs v) (?G v)) | v. v \ set ((\)\<^sub>\) \ ?G v \ None })" using UN_upper[OF nb\<^sub>2, of "\v. cnf (encode_state_variable t (index ?vs v) (?G v))"] nb\<^sub>2 by blast show "((\)\<^sub>G) v = Some True \ (\!C. C \ cnf ((\\<^sub>G \) t) \ C = { (State t (index (strips_problem.variables_of \) v))\<^sup>+ })" and "((\)\<^sub>G) v = Some False \ (\!C. C \ cnf ((\\<^sub>G \) t) \ C = { (State t (index (strips_problem.variables_of \) v))\ })" using nb\<^sub>3 unfolding nb\<^sub>1 encode_state_variable_def by auto+ qed end text \ We omit the proofs that the partial encoding functions produce formulas in CNF form due to their more technical nature. The following sublocale proof confirms that definition \ref{isadef:encode-problem-sat-plan-base} encodes a valid problem \<^term>\\\ into a formula that can be transformed to CNF (\<^term>\is_cnf (\ \ t)\) and that its CNF has the required form. \ subsection "Soundness of the Basic SATPlan Algorithm" lemma valuation_models_encoding_cnf_formula_equals: assumes "is_valid_problem_strips \" shows "\ \ \ \ t = cnf_semantics \ (cnf (\ \ t))" proof - let ?\ = "\ \ t" { have "is_cnf ?\" using is_cnf_encode_problem[OF assms]. 
hence "is_nnf ?\" using is_nnf_cnf by blast } thus ?thesis using cnf_semantics[of ?\ \] by blast qed (* TODO refactor *) corollary valuation_models_encoding_cnf_formula_equals_corollary: assumes "is_valid_problem_strips \" shows "\ \ (\ \ t) = (\C \ cnf (\ \ t). \L \ C. lit_semantics \ L)" using valuation_models_encoding_cnf_formula_equals[OF assms] unfolding cnf_semantics_def clause_semantics_def encode_problem_def by presburger \ \ A couple of technical lemmas about \decode_plan\. \ lemma decode_plan_length: assumes "\ = \\ \ \ t" shows "length \ = t" using assms unfolding decode_plan_def SAT_Plan_Base.decode_plan_def by simp lemma decode_plan'_set_is[simp]: "set (decode_plan' \ \ k) = { (strips_problem.operators_of \) ! (index (strips_problem.operators_of \) op) | op. op \ set (strips_problem.operators_of \) \ \ (Operator k (index (strips_problem.operators_of \) op)) }" proof - let ?ops = "strips_problem.operators_of \" let ?f = "\op. Operator k (index ?ops op)" let ?vs = "map ?f ?ops" { have "set (filter \ ?vs) = set (map ?f (filter (\ \ ?f) ?ops))" unfolding filter_map[of \ "\op. Operator k (index ?ops op)" ?ops].. hence "set (filter \ ?vs) = (\op. Operator k (index ?ops op)) ` { op \ set ?ops. \ (Operator k (index ?ops op)) }" unfolding set_map set_filter by simp } have "set (decode_plan' \ \ k) = (\v. case v of Operator k i \ ?ops ! i) ` (\op. Operator k (index ?ops op)) ` { op \ set ?ops. \ (Operator k (index ?ops op)) }" unfolding decode_plan'_def set_map Let_def by auto also have "\ = (\op. case Operator k (index ?ops op) of Operator k i \ ?ops ! i) ` { op \ set ?ops. \ (Operator k (index ?ops op)) }" unfolding image_comp comp_apply by argo also have "\ = (\op. ?ops ! (index ?ops op)) ` { op \ set ?ops. \ (Operator k (index ?ops op)) }" by force finally show ?thesis by blast qed lemma decode_plan_set_is[simp]: "set (\\ \ \ t) = (\k \ {.. 
\ k })" unfolding decode_plan_def SAT_Plan_Base.decode_plan_def set_map using atLeast_upt by blast lemma decode_plan_step_element_then_i: assumes "k < t" shows "set ((\\ \ \ t) ! k) = { (strips_problem.operators_of \) ! (index (strips_problem.operators_of \) op) | op. op \ set ((\)\<^sub>\) \ \ (Operator k (index (strips_problem.operators_of \) op)) }" proof - have "(\\ \ \ t) ! k = decode_plan' \ \ k" unfolding decode_plan_def SAT_Plan_Base.decode_plan_def using assms by simp thus ?thesis by force qed \ \ Show that each operator $op$ in the $k$-th parallel operator in a decoded parallel plan is contained within the problem's operator set and the valuation is true for the corresponding SATPlan variable. \ lemma decode_plan_step_element_then: fixes \::"'a strips_problem" assumes "k < t" and "op \ set ((\\ \ \ t) ! k)" shows "op \ set ((\)\<^sub>\)" and "\ (Operator k (index (strips_problem.operators_of \) op))" proof - let ?ops = "strips_problem.operators_of \" let ?Ops = "{ ?ops ! (index ?ops op) | op. op \ set ((\)\<^sub>\) \ \ (Operator k (index ?ops op)) }" have "op \ ?Ops" using assms(2) unfolding decode_plan_step_element_then_i[OF assms(1)] assms by blast moreover have "op \ set ((\)\<^sub>\)" and "\ (Operator k (index ?ops op))" using calculation by fastforce+ ultimately show "op \ set ((\)\<^sub>\)" and "\ (Operator k (index ?ops op))" by blast+ qed \ \ Show that the \k\-th parallel operators of the decoded plan are distinct lists (i.e. do not contain duplicates). \ lemma decode_plan_step_distinct: assumes "k < t" shows "distinct ((\\ \ \ t) ! k)" proof - let ?ops = "strips_problem.operators_of \" and ?\\<^sub>k = "(\\ \ \ t) ! k" let ?f = "\op. Operator k (index ?ops op)" and ?g = "\v. case v of Operator _ k \ ?ops ! 
k" let ?vs = "map ?f (remdups ?ops)" have nb\<^sub>1: "?\\<^sub>k = decode_plan' \ \ k" unfolding decode_plan_def SAT_Plan_Base.decode_plan_def using assms by fastforce { have "distinct (remdups ?ops)" by blast moreover have "inj_on ?f (set (remdups ?ops))" unfolding inj_on_def by fastforce ultimately have "distinct ?vs" using distinct_map by blast } note nb\<^sub>2 = this { have "inj_on ?g (set ?vs)" unfolding inj_on_def by fastforce hence "distinct (map ?g ?vs)" using distinct_map nb\<^sub>2 by blast } thus ?thesis using distinct_map_filter[of ?g ?vs \] unfolding nb\<^sub>1 decode_plan'_def Let_def by argo qed lemma decode_state_at_valid_variable: fixes \ :: "'a strips_problem" assumes "(\\<^sub>S\ \ \ k) v \ None" shows "v \ set ((\)\<^sub>\)" proof - let ?vs = "strips_problem.variables_of \" let ?f = "\v. (v,\ (State k (index ?vs v)))" { have "fst ` set (map ?f ?vs) = fst ` (\v. (v,\ (State k (index ?vs v)))) ` set ?vs" by force also have "\ = (\v. fst (v,\ (State k (index ?vs v)))) ` set ?vs" by blast finally have "fst ` set (map ?f ?vs) = set ?vs" by auto } moreover have "\v \ fst ` set (map ?f ?vs)" using map_of_eq_None_iff[of "map ?f ?vs" v] assms unfolding decode_state_at_def SAT_Plan_Base.decode_state_at_def by meson ultimately show ?thesis by fastforce qed \ \ Show that there exists an equivalence between a model \\\ of the (CNF of the) encoded problem and the state at step \k\ decoded from the encoded problem. \ lemma decode_state_at_encoding_variables_equals_some_of_valuation_if: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "\ \ \ \ t" and "k \ t" and "v \ set ((\)\<^sub>\)" shows "(\\<^sub>S\ \ \ k) v = Some (\ (State k (index (strips_problem.variables_of \) v)))" proof - let ?vs = "strips_problem.variables_of \" let ?l = "map (\x. 
(x,\ (State k (index ?vs x)))) ?vs" have "set ?vs \ {}" using assms(4) by fastforce then have "map_of ?l v = Some (\ (State k (index ?vs v)))" using map_of_from_function_graph_is_some_if[of ?vs v "\v. \ (State k (index ?vs v))"] assms(4) by fastforce thus ?thesis unfolding decode_state_at_def SAT_Plan_Base.decode_state_at_def by meson qed lemma decode_state_at_dom: assumes "is_valid_problem_strips \" shows "dom (\\<^sub>S\ \ \ k) = set ((\)\<^sub>\)" proof- let ?s = "\\<^sub>S\ \ \ k" and ?vs = "strips_problem.variables_of \" have "dom ?s = fst ` set (map (\v. (v, \ (State k (index ?vs v)))) ?vs)" unfolding decode_state_at_def SAT_Plan_Base.decode_state_at_def using dom_map_of_conv_image_fst[of "(map (\v. (v, \ (State k (index ?vs v)))) ?vs)"] by meson also have "\ = fst ` (\v. (v, \ (State k (index ?vs v)))) ` set ((\)\<^sub>\)" using set_map[of "(\v. (v, \ (State k (index ?vs v))))" ?vs] by simp also have "\ = (fst \ (\v. (v, \ (State k (index ?vs v))))) ` set ((\)\<^sub>\)" using image_comp[of fst "(\v. (v, \ (State k (index ?vs v))))"] by presburger finally show ?thesis by force qed (* TODO shorten the proof (there are a lot of duplicate parts still!). *) lemma decode_state_at_initial_state: assumes "is_valid_problem_strips \" and "\ \ \ \ t" shows "(\\<^sub>S\ \ \ 0) = (\)\<^sub>I" proof - let ?I = "(\)\<^sub>I" let ?s = "\\<^sub>S\ \ \ 0" let ?vs = "strips_problem.variables_of \" let ?\ = "\ \ t" let ?\\<^sub>I = "\\<^sub>I \" { have "is_cnf ?\\<^sub>I" and "cnf ?\\<^sub>I \ cnf ?\" subgoal using is_cnf_encode_initial_state[OF assms(1)] by simp subgoal using cnf_of_encode_problem_structure(1) unfolding encode_initial_state_def encode_problem_def by blast done then have "cnf_semantics \ (cnf ?\\<^sub>I)" using cnf_semantics_monotonous_in_cnf_subsets_if is_cnf_encode_problem[OF assms(1)] assms(2) by blast hence "\C \ cnf ?\\<^sub>I. clause_semantics \ C" unfolding cnf_semantics_def encode_initial_state_def by blast } note nb\<^sub>1 = this { (* TODO refactor. 
*) { fix v assume v_in_dom_i: "v \ dom ?I" moreover { have v_in_variable_set: "v \ set ((\)\<^sub>\)" using is_valid_problem_strips_initial_of_dom assms(1) v_in_dom_i by auto hence "(\\<^sub>S\ \ \ 0) v = Some (\ (State 0 (index ?vs v)))" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) _ v_in_variable_set] by fast } note nb\<^sub>2 = this consider (v_initially_true) "?I v = Some True" | (v_initially_false) "?I v = Some False" using v_in_dom_i by fastforce hence "?I v = ?s v" proof (cases) case v_initially_true then obtain C where "C \ cnf ?\\<^sub>I" and c_is: "C = { (State 0 (index ?vs v))\<^sup>+ }" using cnf_of_encode_initial_state_set v_in_dom_i assms(1) by fastforce hence "\ (State 0 (index ?vs v)) = True" using nb\<^sub>1 unfolding clause_semantics_def by fastforce thus ?thesis using nb\<^sub>2 v_initially_true by presburger next case v_initially_false (* TODO slow *) then obtain C where "C \ cnf ?\\<^sub>I" and c_is: "C = { (State 0 (index ?vs v))\ }" using cnf_of_encode_initial_state_set assms(1) v_in_dom_i by fastforce hence "\ (State 0 (index ?vs v)) = False" using nb\<^sub>1 unfolding clause_semantics_def by fastforce thus ?thesis using nb\<^sub>2 v_initially_false by presburger qed } hence "?I \\<^sub>m ?s" using map_le_def by blast } moreover { { fix v assume v_in_dom_s: "v \ dom ?s" then have v_in_set_vs: "v \ set ?vs" using decode_state_at_dom[OF assms(1)] by simp have v_in_dom_I: "v \ dom ?I" using is_valid_problem_strips_initial_of_dom assms(1) v_in_set_vs by auto have s_v_is: "(\\<^sub>S\ \ \ 0) v = Some (\ (State 0 (index ?vs v)))" using decode_state_at_encoding_variables_equals_some_of_valuation_if assms(1, 2) v_in_set_vs by (metis le0) consider (s_v_is_some_true) "?s v = Some True" | (s_v_is_some_false) "?s v = Some False" using v_in_dom_s by fastforce hence "?s v = ?I v" proof (cases) case s_v_is_some_true then have \_of_s_v: "lit_semantics \ ((State 0 (index ?vs v))\<^sup>+)" using s_v_is by fastforce 
consider (I_v_is_some_true) "?I v = Some True" | (I_v_is_some_false) "?I v = Some False" using v_in_dom_I by fastforce thus ?thesis proof (cases) case I_v_is_some_true then show ?thesis using s_v_is_some_true by argo next case I_v_is_some_false (* TODO slow *) then obtain C where C_in_encode_initial_state: "C \ cnf ?\\<^sub>I" and C_is: "C = { (State 0 (index ?vs v))\ }" using cnf_of_encode_initial_state_set assms(1) v_in_dom_I by fastforce hence "lit_semantics \ ((State 0 (index ?vs v))\)" using nb\<^sub>1 unfolding clause_semantics_def by fast thus ?thesis using \_of_s_v by fastforce qed next case s_v_is_some_false then have \_of_s_v: "lit_semantics \ ((State 0 (index ?vs v))\)" using s_v_is by fastforce consider (I_v_is_some_true) "?I v = Some True" | (I_v_is_some_false) "?I v = Some False" using v_in_dom_I by fastforce thus ?thesis proof (cases) case I_v_is_some_true then obtain C where C_in_encode_initial_state: "C \ cnf ?\\<^sub>I" and C_is: "C = { (State 0 (index ?vs v))\<^sup>+ }" using cnf_of_encode_initial_state_set assms(1) v_in_dom_I by fastforce hence "lit_semantics \ ((State 0 (index ?vs v))\<^sup>+)" using nb\<^sub>1 unfolding clause_semantics_def by fast thus ?thesis using \_of_s_v by fastforce next case I_v_is_some_false thus ?thesis using s_v_is_some_false by presburger qed qed } hence "?s \\<^sub>m ?I" using map_le_def by blast } ultimately show ?thesis using map_le_antisym by blast qed lemma decode_state_at_goal_state: assumes "is_valid_problem_strips \" and "\ \ \ \ t" shows "(\)\<^sub>G \\<^sub>m \\<^sub>S\ \ \ t" proof - let ?vs = "strips_problem.variables_of \" and ?G = "(\)\<^sub>G" and ?G' = "\\<^sub>S\ \ \ t" and ?\ = "\ \ t" and ?\\<^sub>G = "(\\<^sub>G \) t" { have "is_cnf ?\\<^sub>G" and "cnf ?\\<^sub>G \ cnf ?\" subgoal using encode_goal_state_is_cnf[OF assms(1)] by simp subgoal using cnf_of_encode_problem_structure(2) unfolding encode_goal_state_def encode_problem_def by blast done then have "cnf_semantics \ (cnf ?\\<^sub>G)" using 
cnf_semantics_monotonous_in_cnf_subsets_if is_cnf_encode_problem[OF assms(1)] assms(2) by blast hence "\C \ cnf ?\\<^sub>G. clause_semantics \ C" unfolding cnf_semantics_def encode_initial_state_def by blast } note nb\<^sub>1 = this (* TODO refactor. *) { fix v assume "v \ set ((\)\<^sub>\)" moreover have "set ?vs \ {}" using calculation(1) by fastforce moreover have "(\\<^sub>S\ \ \ t) = map_of (map (\v. (v, \ (State t (index ?vs v)))) ?vs)" unfolding decode_state_at_def SAT_Plan_Base.decode_state_at_def by metis (* TODO slow. *) ultimately have "(\\<^sub>S\ \ \ t) v = Some (\ (State t (index ?vs v)))" using map_of_from_function_graph_is_some_if by fastforce } note nb\<^sub>2 = this { fix v assume v_in_dom_G: "v \ dom ?G" then have v_in_vs: "v \ set ?vs" using is_valid_problem_dom_of_goal_state_is assms(1) by auto then have decode_state_at_is: "(\\<^sub>S\ \ \ t) v = Some (\ (State t (index ?vs v)))" using nb\<^sub>2 by fastforce consider (A) "?G v = Some True" | (B) "?G v = Some False" using v_in_dom_G by fastforce hence "?G v = ?G' v" proof (cases) case A { obtain C where "C \ cnf ?\\<^sub>G" and "C = {{ (State t (index ?vs v))\<^sup>+ }}" using cnf_of_encode_goal_state_set(1)[OF assms(1) v_in_dom_G] A by auto then have "{ (State t (index ?vs v))\<^sup>+ } \ cnf ?\\<^sub>G" by blast then have "clause_semantics \ { (State t (index ?vs v))\<^sup>+ }" using nb\<^sub>1 by blast then have "lit_semantics \ ((State t (index ?vs v))\<^sup>+)" unfolding clause_semantics_def by blast hence "\ (State t (index ?vs v)) = True" by force } thus ?thesis using decode_state_at_is A by presburger next case B { obtain C where "C \ cnf ?\\<^sub>G" and "C = {{ (State t (index ?vs v))\ }}" using cnf_of_encode_goal_state_set(2)[OF assms(1) v_in_dom_G] B by auto then have "{ (State t (index ?vs v))\ } \ cnf ?\\<^sub>G" by blast then have "clause_semantics \ { (State t (index ?vs v))\ }" using nb\<^sub>1 by blast then have "lit_semantics \ ((State t (index ?vs v))\)" unfolding 
clause_semantics_def by blast hence "\ (State t (index ?vs v)) = False" by simp } thus ?thesis using decode_state_at_is B by presburger qed } thus ?thesis using map_le_def by blast qed \ \ Show that the operator activation implies precondition constraints hold at every time step of the decoded plan. \ lemma decode_state_at_preconditions: assumes "is_valid_problem_strips \" and "\ \ \ \ t" and "k < t" and "op \ set ((\\ \ \ t) ! k)" and "v \ set (precondition_of op)" shows "\ (State k (index (strips_problem.variables_of \) v))" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?\ = "\ \ t" and ?\\<^sub>O = "encode_operators \ t" and ?\\<^sub>P = "encode_all_operator_preconditions \ ?ops t" { have "\ (Operator k (index ?ops op))" and "op \ set ((\)\<^sub>\)" using decode_plan_step_element_then[OF assms(3, 4)] by blast+ moreover obtain C where clause_is_in_operator_encoding: "C \ cnf ?\\<^sub>P" and "C = { (Operator k (index ?ops op))\, (State k (index ?vs v))\<^sup>+ }" using cnf_of_encode_all_operator_preconditions_contains_clause_if[OF assms(1, 3) calculation(2) assms(5)] by blast moreover have clause_semantics_\_\\<^sub>P: "\C \ cnf ?\\<^sub>P. clause_semantics \ C" using cnf_semantics_monotonous_in_cnf_subsets_if[OF assms(2) is_cnf_encode_problem[OF assms(1)] cnf_of_operator_precondition_encoding_subset_encoding] unfolding cnf_semantics_def by blast (* TODO slow step *) ultimately have "lit_semantics \ (Pos (State k (index ?vs v)))" unfolding clause_semantics_def by fastforce } thus ?thesis unfolding lit_semantics_def by fastforce qed \ \ This lemma shows that for a problem encoding with makespan zero for which a model exists, the goal state encoding must be subset of the initial state encoding. In this case, the state variable encodings for the goal state are included in the initial state encoding. \ (* TODO simplify/refactor proof. 
*) lemma encode_problem_parallel_correct_i: assumes "is_valid_problem_strips \" and "\ \ \ \ 0" shows "cnf ((\\<^sub>G \) 0) \ cnf (\\<^sub>I \)" proof - let ?vs = "strips_problem.variables_of \" and ?I = "(\)\<^sub>I" and ?G = "(\)\<^sub>G" and ?\\<^sub>I = "\\<^sub>I \" and ?\\<^sub>G = "(\\<^sub>G \) 0" and ?\ = "\ \ 0" (* TODO refactor and generalize for all partial encodings? *) \ \ Show that the model of the encoding is also a model of the partial encodings. \ have \_models_\\<^sub>I: "\ \ ?\\<^sub>I" and \_models_\\<^sub>G: "\ \ ?\\<^sub>G" using assms(2) encode_problem_has_model_then_also_partial_encodings(1, 2) unfolding encode_problem_def encode_initial_state_def encode_goal_state_def by blast+ \ \ Show that every clause in the CNF of the goal state encoding @{text "\\<^sub>G"} is also in the CNF of the initial state encoding @{text "\\<^sub>I"} thus making it a subset. We can conclude this - from the fact that both @{text "\\<^sub>I"} and @{text "\\<^sub>G"} contain singleton clauses—which must all - be evaluated to true by the given model \\\—and the similar structure of the clauses in both + from the fact that both @{text "\\<^sub>I"} and @{text "\\<^sub>G"} contain singleton clauses---which must all + be evaluated to true by the given model \\\---and the similar structure of the clauses in both partial encodings. By extension, if we decode the goal state @{text "G"} and the initial state @{text "I"} from a model of the encoding, @{text "G v = I v"} must hold for variable @{text "v"} in the domain of the goal state. 
\ { fix C' assume C'_in_cnf_\\<^sub>G: "C' \ cnf ?\\<^sub>G" then obtain v where v_in_vs: "v \ set ?vs" and G_of_v_is_not_None: "?G v \ None" and C'_is: "C' = { literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?G v)) }" using cnf_of_encode_goal_state_set_ii[OF assms(1)] by auto obtain C where C_in_cnf_\\<^sub>I: "C \ cnf ?\\<^sub>I" and C_is: "C = { literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?I v)) }" using cnf_of_encode_initial_state_set_ii[OF assms(1)] v_in_vs by auto { let ?L = "literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?I v))" have "{ ?L } \ cnf ?\\<^sub>I" using C_in_cnf_\\<^sub>I C_is by blast hence "lit_semantics \ ?L" using model_then_all_singleton_clauses_modelled[OF is_cnf_encode_initial_state[OF assms(1)]_ \_models_\\<^sub>I] by blast } note lit_semantics_\_L = this { let ?L' = "literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?G v))" have "{ ?L' } \ cnf ?\\<^sub>G" using C'_in_cnf_\\<^sub>G C'_is by blast hence "lit_semantics \ ?L'" using model_then_all_singleton_clauses_modelled[OF encode_goal_state_is_cnf[OF assms(1)]_ \_models_\\<^sub>G] by blast } note lit_semantics_\_L' = this { have "?I v = ?G v" proof (rule ccontr) assume contradiction: "?I v \ ?G v" moreover have "?I v \ None" using v_in_vs is_valid_problem_strips_initial_of_dom assms(1) by auto ultimately consider (A) "?I v = Some True \ ?G v = Some False" | (B) "?I v = Some False \ ?G v = Some True" using G_of_v_is_not_None by force thus False using lit_semantics_\_L lit_semantics_\_L' unfolding encode_state_variable_def by (cases, fastforce+) qed } hence "C' \ cnf ?\\<^sub>I" using C_is C_in_cnf_\\<^sub>I C'_is C'_in_cnf_\\<^sub>G by argo } thus ?thesis by blast qed \ \ Show that the encoding secures that for every parallel operator \ops\ decoded from the plan at every time step \t < length pi\ the following hold: \begin{enumerate} \item \ops\ is applicable, and \item the effects of \ops\ are consistent. 
\end{enumerate}\ lemma encode_problem_parallel_correct_ii: assumes "is_valid_problem_strips \" and "\ \ \ \ t" and "k < length (\\ \ \ t)" shows "are_all_operators_applicable (\\<^sub>S\ \ \ k) ((\\ \ \ t) ! k)" and "are_all_operator_effects_consistent ((\\ \ \ t) ! k)" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?\ = "\\ \ \ t" and ?s = "\\<^sub>S\ \ \ k" let ?\ = "\ \ t" and ?\\<^sub>E = "encode_all_operator_effects \ ?ops t" have k_lt_t: "k < t" using decode_plan_length assms(3) by metis { { fix op v assume op_in_kth_of_decoded_plan_set: "op \ set (?\ ! k)" and v_in_precondition_set: "v \ set (precondition_of op)" { have "\ (Operator k (index ?ops op))" using decode_plan_step_element_then[OF k_lt_t op_in_kth_of_decoded_plan_set] by blast hence "\ (State k (index ?vs v))" using decode_state_at_preconditions[ OF assms(1, 2) _ op_in_kth_of_decoded_plan_set v_in_precondition_set] k_lt_t by blast } moreover have "k \ t" using k_lt_t by auto moreover { have "op \ set ((\)\<^sub>\)" using decode_plan_step_element_then[OF k_lt_t op_in_kth_of_decoded_plan_set] by simp then have "v \ set ((\)\<^sub>\)" using is_valid_problem_strips_operator_variable_sets(1) assms(1) v_in_precondition_set by auto } ultimately have "(\\<^sub>S\ \ \ k) v = Some True" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2)] by presburger } hence "are_all_operators_applicable ?s (?\ ! k)" using are_all_operators_applicable_set[of ?s "?\ ! k"] by blast } moreover { { fix op\<^sub>1 op\<^sub>2 assume op\<^sub>1_in_k_th_of_decoded_plan: "op\<^sub>1 \ set ((\\ \ \ t) ! k)" and op\<^sub>2_in_k_th_of_decoded_plan: "op\<^sub>2 \ set ((\\ \ \ t) ! 
k)" have op\<^sub>1_in_set_ops: "op\<^sub>1 \ set ((\)\<^sub>\)" and op\<^sub>2_in_set_ops: "op\<^sub>2 \ set ((\)\<^sub>\)" and op\<^sub>1_active_at_k: "\lit_semantics \ ((Operator k (index ?ops op\<^sub>1))\)" and op\<^sub>2_active_at_k: "\lit_semantics \ ((Operator k (index ?ops op\<^sub>2))\)" subgoal using decode_plan_step_element_then[OF k_lt_t op\<^sub>1_in_k_th_of_decoded_plan] by simp subgoal using decode_plan_step_element_then[OF k_lt_t op\<^sub>2_in_k_th_of_decoded_plan] by force subgoal using decode_plan_step_element_then[OF k_lt_t op\<^sub>1_in_k_th_of_decoded_plan] by simp subgoal using decode_plan_step_element_then[OF k_lt_t op\<^sub>2_in_k_th_of_decoded_plan] by simp done (* TODO the following two blocks could be contracted and refactored into a single lemma. *) { fix v assume v_in_add_effects_set_of_op\<^sub>1: "v \ set (add_effects_of op\<^sub>1)" and v_in_delete_effects_set_of_op\<^sub>2: "v \ set (delete_effects_of op\<^sub>2)" let ?C\<^sub>1 = "{(Operator k (index ?ops op\<^sub>1))\, (State (Suc k) (index ?vs v))\<^sup>+}" and ?C\<^sub>2 = "{(Operator k (index ?ops op\<^sub>2))\, (State (Suc k) (index ?vs v))\}" have "?C\<^sub>1 \ cnf ?\\<^sub>E" and "?C\<^sub>2 \ cnf ?\\<^sub>E" subgoal using cnf_of_operator_effect_encoding_contains_add_effect_clause_if[OF assms(1) k_lt_t op\<^sub>1_in_set_ops v_in_add_effects_set_of_op\<^sub>1] by blast subgoal using cnf_of_operator_effect_encoding_contains_delete_effect_clause_if[OF assms(1) k_lt_t op\<^sub>2_in_set_ops v_in_delete_effects_set_of_op\<^sub>2] by blast done then have "?C\<^sub>1 \ cnf ?\" and "?C\<^sub>2 \ cnf ?\" using cnf_of_encode_all_operator_effects_subset_cnf_of_encode_problem by blast+ then have C\<^sub>1_true: "clause_semantics \ ?C\<^sub>1" and C\<^sub>2_true: "clause_semantics \ ?C\<^sub>2" using valuation_models_encoding_cnf_formula_equals[OF assms(1)] assms(2) unfolding cnf_semantics_def by blast+ have "lit_semantics \ ((State (Suc k) (index ?vs v))\<^sup>+)" and "lit_semantics \ 
((State (k + 1) (index ?vs v))\)" subgoal using op\<^sub>1_active_at_k C\<^sub>1_true unfolding clause_semantics_def by blast subgoal using op\<^sub>2_active_at_k C\<^sub>2_true unfolding clause_semantics_def by fastforce done hence False by auto } moreover { fix v assume v_in_delete_effects_set_of_op\<^sub>1: "v \ set (delete_effects_of op\<^sub>1)" and v_in_add_effects_set_of_op\<^sub>2: "v \ set (add_effects_of op\<^sub>2)" let ?C\<^sub>1 = "{(Operator k (index ?ops op\<^sub>1))\, (State (Suc k) (index ?vs v))\}" and ?C\<^sub>2 = "{(Operator k (index ?ops op\<^sub>2))\, (State (Suc k) (index ?vs v))\<^sup>+}" have "?C\<^sub>1 \ cnf ?\\<^sub>E" and "?C\<^sub>2 \ cnf ?\\<^sub>E" subgoal using cnf_of_operator_effect_encoding_contains_delete_effect_clause_if[OF assms(1) k_lt_t op\<^sub>1_in_set_ops v_in_delete_effects_set_of_op\<^sub>1] by fastforce subgoal using cnf_of_operator_effect_encoding_contains_add_effect_clause_if[OF assms(1) k_lt_t op\<^sub>2_in_set_ops v_in_add_effects_set_of_op\<^sub>2] by simp done then have "?C\<^sub>1 \ cnf ?\" and "?C\<^sub>2 \ cnf ?\" using cnf_of_encode_all_operator_effects_subset_cnf_of_encode_problem by blast+ then have C\<^sub>1_true: "clause_semantics \ ?C\<^sub>1" and C\<^sub>2_true: "clause_semantics \ ?C\<^sub>2" using valuation_models_encoding_cnf_formula_equals[OF assms(1)] assms(2) unfolding cnf_semantics_def by blast+ have "lit_semantics \ ((State (Suc k) (index ?vs v))\)" and "lit_semantics \ ((State (k + 1) (index ?vs v))\<^sup>+)" subgoal using op\<^sub>1_active_at_k C\<^sub>1_true unfolding clause_semantics_def by blast subgoal using op\<^sub>2_active_at_k C\<^sub>2_true unfolding clause_semantics_def by fastforce done hence False by simp } ultimately have "set (add_effects_of op\<^sub>1) \ set (delete_effects_of op\<^sub>2) = {}" and "set (delete_effects_of op\<^sub>1) \ set (add_effects_of op\<^sub>2) = {}" by blast+ } hence "are_all_operator_effects_consistent (?\ ! 
k)" using are_all_operator_effects_consistent_set[of "?\ ! k"] by blast } ultimately show "are_all_operators_applicable ?s (?\ ! k)" and "are_all_operator_effects_consistent (?\ ! k)" by blast+ qed \ \ Show that for all operators \op\ at timestep \k\ of the plan \\\ \ \ t\ decoded from the model \\\, both add effects as well as delete effects will hold in the next timestep \Suc k\. \ lemma encode_problem_parallel_correct_iii: assumes "is_valid_problem_strips \" and "\ \ \ \ t" and "k < length (\\ \ \ t)" and "op \ set ((\\ \ \ t) ! k)" shows "v \ set (add_effects_of op) \ (\\<^sub>S\ \ \ (Suc k)) v = Some True" and "v \ set (delete_effects_of op) \ (\\<^sub>S\ \ \ (Suc k)) v = Some False" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" let ?\\<^sub>F = "encode_all_operator_effects \ ?ops t" and ?A = "(\(t, op)\{0.. set ((\)\<^sub>\). {{{ (Operator t (index ?ops op))\, (State (Suc t) (index ?vs v))\<^sup>+ }} | v. v \ set (add_effects_of op)})" and ?B = "(\(t, op)\{0.. set ((\)\<^sub>\). {{{ (Operator t (index ?ops op))\, (State (Suc t) (index ?vs v))\ }} | v. v \ set (delete_effects_of op)})" have k_lt_t: "k < t" using decode_plan_length assms(3) by metis have op_is_valid: "op \ set ((\)\<^sub>\)" using decode_plan_step_element_then[OF k_lt_t assms(4)] by blast have k_op_included: "(k, op) \ ({0.. set ((\)\<^sub>\))" using k_lt_t op_is_valid by fastforce thus "v \ set (add_effects_of op) \ (\\<^sub>S\ \ \ (Suc k)) v = Some True" and "v \ set (delete_effects_of op) \ (\\<^sub>S\ \ \ (Suc k)) v = Some False" proof (auto) assume v_is_add_effect: "v \ set (add_effects_of op)" have "\ (Operator k (index ?ops op))" using decode_plan_step_element_then[OF k_lt_t assms(4)] by blast moreover { have "{{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+}} \ {{{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+}} | v. v \ set (add_effects_of op)}" using v_is_add_effect by blast (* TODO slow. 
*) then have "{{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+}} \ ?A" using k_op_included cnf_of_operator_encoding_structure UN_iff[of "{{(Operator t (index ?ops op))\, (State (Suc t) (index ?vs v))\<^sup>+}}" _ "{0.. set ((\)\<^sub>\)"] by blast (* TODO slow. *) then have "{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+} \ \ ?A" using Union_iff[of "{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+}"] by blast (* TODO slow. *) moreover have "\?A \ cnf ?\\<^sub>F" using cnf_of_encode_all_operator_effects_structure by blast ultimately have "{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+} \ cnf ?\\<^sub>F" using in_mono[of "\?A" "cnf ?\\<^sub>F"] by presburger } (* TODO slow. *) ultimately have "\ (State (Suc k) (index ?vs v))" using cnf_of_encode_all_operator_effects_subset_cnf_of_encode_problem assms(2)[unfolded valuation_models_encoding_cnf_formula_equals_corollary[OF assms(1)]] unfolding Bex_def by fastforce thus "(\\<^sub>S\ \ \ (Suc k)) v = Some True" using assms(1) assms(2) decode_state_at_encoding_variables_equals_some_of_valuation_if is_valid_problem_strips_operator_variable_sets(2) k_lt_t op_is_valid subsetD v_is_add_effect by fastforce next assume v_is_delete_effect: "v \ set (delete_effects_of op)" have "\ (Operator k (index ?ops op))" using decode_plan_step_element_then[OF k_lt_t assms(4)] by blast moreover { have "{{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\}} \ {{{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\}} | v. v \ set (delete_effects_of op)}" using v_is_delete_effect by blast (* TODO slow. *) then have "{{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\}} \ ?B" using k_op_included cnf_of_encode_all_operator_effects_structure UN_iff[of "{{(Operator t (index ?ops op))\, (State (Suc t) (index ?vs v))\<^sup>+}}" _ "{0.. set ((\)\<^sub>\)"] by blast (* TODO slow. 
*) then have "{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\} \ \ ?B" using Union_iff[of "{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\}"] by blast (* TODO slow. *) moreover have "\?B \ cnf ?\\<^sub>F" using cnf_of_encode_all_operator_effects_structure Un_upper2[of "\?B" "\?A"] by fast ultimately have "{(Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\} \ cnf ?\\<^sub>F" using in_mono[of "\?B" "cnf ?\\<^sub>F"] by presburger } (* TODO slow. *) ultimately have "\\ (State (Suc k) (index ?vs v))" using cnf_of_encode_all_operator_effects_subset_cnf_of_encode_problem valuation_models_encoding_cnf_formula_equals_corollary[OF assms(1)] assms(2) by fastforce moreover have "Suc k \ t" using k_lt_t by fastforce moreover have "v \ set((\)\<^sub>\)" using v_is_delete_effect is_valid_problem_strips_operator_variable_sets(3) assms(1) op_is_valid by auto ultimately show "(\\<^sub>S\ \ \ (Suc k)) v = Some False" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2)] by auto qed qed \ \ In broad strokes, this lemma shows that the operator frame axioms ensure that state is -propagated—i.e. the valuation of a variable does not change inbetween time steps—, if there is +propagated---i.e. the valuation of a variable does not change inbetween time steps---, if there is no operator active which has an effect on a given variable a: i.e. \begin{align*} \mathcal A &\vDash (\lnot a_i \land a_{i+1}) \longrightarrow \bigvee\{op_i, k: op_i \text{ has add effect } a\}\\ \mathcal A &\vDash (a_i \land \lnot a_{i+1}) \longrightarrow \bigvee\{op_i, k: op_i \text{ has delete effect } a\} \end{align*} -Now, if the disjunctions are empty—i.e. if no operator which is activated at time step $k$ has -either a positive or negative effect—, we have by simplification +Now, if the disjunctions are empty---i.e. 
if no operator which is activated at time step $k$ has +either a positive or negative effect---, we have by simplification \begin{align*} \mathcal A \vDash \lnot(\lnot a_i \land a_{i+1}) &\equiv \mathcal A \vDash a_i \lor \lnot a_{i+1}\\ \mathcal A \vDash \lnot(a_i \land \lnot a_{i+1}) &\equiv \mathcal A \vDash \lnot a_i \lor a_{i+1} \end{align*} hence \begin{align*} \mathcal A &\vDash (\lnot a_i \lor a_{i+1}) \land (a_i \lor \lnot a_{i+1})\\ \leadsto \mathcal A &\vDash \{\{\lnot a_i, a_{i+1}\}, \{a_i, \lnot a_{i+1}\}\} \end{align*} The lemma characterizes this simplification. \footnote{This part of the soundness proof is only treated very briefly in \cite[theorem 3.1, p.1044]{DBLP:journals/ai/RintanenHN06}} \ lemma encode_problem_parallel_correct_iv: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "\ \ \ \ t" and "k < t" and "v \ set ((\)\<^sub>\)" and "\(\op \ set ((\\ \ \ t) ! k). v \ set (add_effects_of op) \ v \ set (delete_effects_of op))" shows "cnf_semantics \ {{ (State k (index (strips_problem.variables_of \) v))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\<^sup>+ }}" and "cnf_semantics \ {{ (State k (index (strips_problem.variables_of \) v))\<^sup>+ , (State (Suc k) (index (strips_problem.variables_of \) v))\ }}" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" let ?\ = "\ \ t" and ?\\<^sub>F = "encode_all_frame_axioms \ t" and ?\\<^sub>k = "(\\ \ \ t) ! k" and ?A = "\(k, v) \ ({0.. set ?vs). {{{ (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }}}" and ?B = "\(k, v) \ ({0.. set ?vs). {{{ (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. 
op \ set ?ops \ v \ set (delete_effects_of op) }}}" and ?C = "{ (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ } \ {(Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }" and ?C' = "{ (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (delete_effects_of op) }" (* TODO refactor (next two blocks)? *) have k_v_included: "(k, v) \ ({.. set ((\)\<^sub>\))" using assms(3, 4) by blast have operator_encoding_subset_encoding: "cnf ?\\<^sub>F \ cnf ?\" using cnf_of_encode_problem_structure(4) unfolding encode_problem_def by fast \ \ Given the premise that no operator in \\\<^sub>k\ exists with add-effect respectively delete effect \v\, we have the following situation for the EPC (effect precondition) sets: \begin{itemize} \item assuming \op\ is in \set ?ops\, either \op\ is in \\\<^sub>k\ (then it doesn't have effect on \v\ and therefore is not in either of the sets), or if is not, then \\ (Operator k (index ?ops op) = \\ by definition of \decode_plan\; moreover, - \item assuming \op\ is not in \set ?ops\—this is implicitely encoded as \Operator k - (length ?ops)\ and \\ (Operator k (length ?ops))\ may or may not be true—, then it's not + \item assuming \op\ is not in \set ?ops\---this is implicitely encoded as \Operator k + (length ?ops)\ and \\ (Operator k (length ?ops))\ may or may not be true---, then it's not in either of the sets. \end{itemize}. Altogether, we have the situation that the sets only have members \Operator k (index ?ops op)\ with \\ (Operator k (index ?ops op)) = \\, hence the clause can be reduced to the state variable literals. More concretely, the following proof block shows that the following two conditions hold for the operators: @{text[display, indent=4] "\op. op \ { ((Operator k (index ?ops op))\<^sup>+) | op. 
op \ set ?ops \ v \ set (add_effects_of op)} \ \lit_semantics \ op" } and @{text[display, indent=4] "\op. op \ { ((Operator k (index ?ops op))\<^sup>+) | op. op \ set ?ops \ v \ set (delete_effects_of op)} \ \lit_semantics \ op" } Hence, the operators are irrelevant for \cnf_semantics \ { C }\ where \C\ is a clause encoding a positive or negative transition frame axiom for a given variable \v\ of the problem. \ (* TODO refactor. *) { let ?add = "{ ((Operator k (index ?ops op))\<^sup>+) | op. op \ set ?ops \ v \ set (add_effects_of op) }" and ?delete = "{ ((Operator k (index ?ops op))\<^sup>+) | op. op \ set ?ops \ v \ set (delete_effects_of op) }" { fix op assume operator_encoding_in_add: "(Operator k (index ?ops op))\<^sup>+ \ ?add" hence "\lit_semantics \ ((Operator k (index ?ops op))\<^sup>+)" proof (cases "op \ set ?\\<^sub>k") case True then have "v \ set (add_effects_of op)" using assms(5) by simp then have "(Operator k (index ?ops op))\<^sup>+ \ ?add" by fastforce thus ?thesis using operator_encoding_in_add by blast next case False then show ?thesis proof (cases "op \ set ?ops") case True { let ?A = "{ ?ops ! index ?ops op |op. op \ set ((\)\<^sub>\) \ \ (Operator k (index ?ops op))}" assume "lit_semantics \ ((Operator k (index ?ops op))\<^sup>+)" moreover have operator_active_at_k: "\ (Operator k (index ?ops op))" using calculation by auto moreover have "op \ set ((\)\<^sub>\)" using True by force moreover have "(?ops ! index ?ops op) \ ?A" using calculation(2, 3) by blast ultimately have "op \ set ?\\<^sub>k" using decode_plan_step_element_then_i[OF assms(3)] by auto hence False using False by blast } thus ?thesis by blast next case False then have "op \ {op \ set ?ops. v \ set (add_effects_of op)}" by blast moreover have "?add = (\op. (Operator k (index ?ops op))\<^sup>+) ` { op \ set ?ops. v \ set (add_effects_of op) }" using setcompr_eq_image[of "\op. (Operator k (index ?ops op))\<^sup>+" "\op. 
op \ set ?ops \ v \ set (add_effects_of op)"] by blast (* TODO slow. *) ultimately have "(Operator k (index ?ops op))\<^sup>+ \ ?add" by force thus ?thesis using operator_encoding_in_add by blast qed qed } moreover { fix op assume operator_encoding_in_delete: "((Operator k (index ?ops op))\<^sup>+) \ ?delete" hence "\lit_semantics \ ((Operator k (index ?ops op))\<^sup>+)" proof (cases "op \ set ?\\<^sub>k") case True then have "v \ set (delete_effects_of op)" using assms(5) by simp then have "(Operator k (index ?ops op))\<^sup>+ \ ?delete" by fastforce thus ?thesis using operator_encoding_in_delete by blast next case False then show ?thesis proof (cases "op \ set ?ops") case True { let ?A = "{ ?ops ! index ?ops op |op. op \ set ((\)\<^sub>\) \ \ (Operator k (index ?ops op))}" assume "lit_semantics \ ((Operator k (index ?ops op))\<^sup>+)" moreover have operator_active_at_k: "\ (Operator k (index ?ops op))" using calculation by auto moreover have "op \ set ((\)\<^sub>\)" using True by force moreover have "(?ops ! index ?ops op) \ ?A" using calculation(2, 3) by blast ultimately have "op \ set ?\\<^sub>k" using decode_plan_step_element_then_i[OF assms(3)] by auto hence False using False by blast } thus ?thesis by blast next case False then have "op \ { op \ set ?ops. v \ set (delete_effects_of op) }" by blast moreover have "?delete = (\op. (Operator k (index ?ops op))\<^sup>+) ` { op \ set ?ops. v \ set (delete_effects_of op) }" using setcompr_eq_image[of "\op. (Operator k (index ?ops op))\<^sup>+" "\op. op \ set ?ops \ v \ set (delete_effects_of op)"] by blast (* TODO slow. *) ultimately have "(Operator k (index ?ops op))\<^sup>+ \ ?delete" by force thus ?thesis using operator_encoding_in_delete by blast qed qed } ultimately have "\op. op \ ?add \ \lit_semantics \ op" and "\op. op \ ?delete \ \lit_semantics \ op" by blast+ } note nb = this { let ?Ops = "{ (Operator k (index ?ops op))\<^sup>+ | op. 
op \ set ?ops \ v \ set (add_effects_of op) }" have "?Ops \ ?C" by blast moreover have "?C - ?Ops = { (State k (index ?vs v))\<^sup>+ , (State (Suc k) (index ?vs v))\ }" by fast moreover have "\L \ ?Ops. \ lit_semantics \ L" using nb(1) by blast (* TODO slow. *) ultimately have "clause_semantics \ ?C = clause_semantics \ { (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ }" using lit_semantics_reducible_to_subset_if[of ?Ops ?C] by presburger } moreover { let ?Ops' = "{ (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (delete_effects_of op) }" have "?Ops' \ ?C'" by blast moreover have "?C' - ?Ops' = { (State k (index ?vs v))\ , (State (Suc k) (index ?vs v))\<^sup>+ }" by fast moreover have "\L \ ?Ops'. \ lit_semantics \ L" using nb(2) by blast (* TODO slow. *) ultimately have "clause_semantics \ ?C' = clause_semantics \ { (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ }" using lit_semantics_reducible_to_subset_if[of ?Ops' ?C'] by presburger } moreover { have cnf_semantics_\_\:"cnf_semantics \ (cnf ?\)" using valuation_models_encoding_cnf_formula_equals[OF assms(1)] assms(2) by blast have k_v_included: "(k, v) \ ({.. set ((\)\<^sub>\))" using assms(3, 4) by blast (* TODO slow. *) have c_in_un_a: "?C \ \?A" and c'_in_un_b: "?C' \ \?B" using k_v_included by force+ (* TODO slow. *) then have "?C \ cnf ?\\<^sub>F" and "?C' \ cnf ?\\<^sub>F" subgoal using cnf_of_encode_all_frame_axioms_structure UnI1[of "?C" "\?A" "\?B"] c_in_un_a by metis subgoal using cnf_of_encode_all_frame_axioms_structure UnI2[of "?C'" "\?B" "\?A"] c'_in_un_b by metis done then have "{ ?C } \ cnf ?\\<^sub>F" and c'_subset_frame_axiom_encoding: "{ ?C' } \ cnf ?\\<^sub>F" by blast+ then have "{ ?C } \ cnf ?\" and "{ ?C' } \ cnf ?\" subgoal using operator_encoding_subset_encoding by fast subgoal using c'_subset_frame_axiom_encoding operator_encoding_subset_encoding by fast done (* TODO slow. 
*) hence "cnf_semantics \ { ?C }" and "cnf_semantics \ { ?C' }" using cnf_semantics_\_\ model_for_cnf_is_model_of_all_subsets by fastforce+ } ultimately show "cnf_semantics \ {{ (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ }}" and "cnf_semantics \ {{ (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ }}" unfolding cnf_semantics_def by blast+ qed lemma encode_problem_parallel_correct_v: assumes "is_valid_problem_strips \" and "\ \ \ \ t" and "k < length (\\ \ \ t)" shows "(\\<^sub>S\ \ \ (Suc k)) = execute_parallel_operator (\\<^sub>S\ \ \ k) ((\\ \ \ t) ! k)" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?\ = "\\ \ \ t" and ?s\<^sub>k = "\\<^sub>S\ \ \ k" and ?s\<^sub>k' = "\\<^sub>S\ \ \ (Suc k)" let ?t\<^sub>k' = "execute_parallel_operator ?s\<^sub>k (?\ ! k)" and ?\\<^sub>k = "?\ ! k" have k_lt_t: "k < t" and k_lte_t: "k \ t" and suc_k_lte_t: "Suc k \ t" using decode_plan_length[of ?\ \ \ t] assms(3) by (argo, fastforce+) then have operator_preconditions_hold: "are_all_operators_applicable ?s\<^sub>k ?\\<^sub>k \ are_all_operator_effects_consistent ?\\<^sub>k" using encode_problem_parallel_correct_ii[OF assms(1, 2, 3)] by blast \ \ We show the goal in classical fashion by proving that @{text[display, indent=4] "\\<^sub>S\ \ \ (Suc k) v = execute_parallel_operator (\\<^sub>S\ \ \ k) ((\\ \ \ t) ! k) v"} ---i.e. the state decoded at time \k + 1\ is equivalent to the state obtained by executing the parallel operator \(\\ \ \ t) ! k\ on the previous state - \\\<^sub>S\ \ \ k\—for all variables \v\ given \k < t\, a model \\\, + \\\<^sub>S\ \ \ k\---for all variables \v\ given \k < t\, a model \\\, and makespan \t\. \ moreover { { fix v assume v_in_dom_s\<^sub>k':"v \ dom ?s\<^sub>k'" then have s\<^sub>k'_not_none: "?s\<^sub>k' v \ None" by blast hence "?s\<^sub>k' v = ?t\<^sub>k' v" proof (cases "\op \ set ?\\<^sub>k. 
v \ set (add_effects_of op) \ v \ set (delete_effects_of op)") case True then obtain op where op_in_\\<^sub>k: "op \ set ?\\<^sub>k" and "v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" by blast then consider (v_is_add_effect) "v \ set (add_effects_of op)" | (v_is_delete_effect) "v \ set (delete_effects_of op)" by blast then show ?thesis proof (cases) case v_is_add_effect then have "?s\<^sub>k' v = Some True" using encode_problem_parallel_correct_iii(1)[OF assms(1, 2, 3) op_in_\\<^sub>k] v_is_add_effect by blast moreover have "are_all_operators_applicable (\\<^sub>S\ \ \ k) ((\\ \ \ t) ! k)" and "are_all_operator_effects_consistent ((\\ \ \ t) ! k)" using operator_preconditions_hold v_is_add_effect by blast+ moreover have "?t\<^sub>k' v = Some True" using execute_parallel_operator_positive_effect_if[of "\\<^sub>S\ \ \ k" "(\\ \ \ t) ! k"] op_in_\\<^sub>k v_is_add_effect calculation(2, 3) by blast ultimately show ?thesis by argo next case v_is_delete_effect then have "?s\<^sub>k' v = Some False" using encode_problem_parallel_correct_iii(2)[OF assms(1, 2, 3) op_in_\\<^sub>k] v_is_delete_effect by blast moreover have "are_all_operators_applicable (\\<^sub>S\ \ \ k) ((\\ \ \ t) ! k)" and "are_all_operator_effects_consistent ((\\ \ \ t) ! k)" using operator_preconditions_hold by blast+ moreover have "?t\<^sub>k' v = Some False" using execute_parallel_operator_effect(2) op_in_\\<^sub>k v_is_delete_effect calculation(2, 3) by fast moreover have "?t\<^sub>k' v = Some False" by (meson execute_parallel_operator_negative_effect_if op_in_\\<^sub>k operator_preconditions_hold v_is_delete_effect) ultimately show ?thesis by argo qed next case False (* TODO slow. *) then have "?t\<^sub>k' v = ?s\<^sub>k v" using execute_parallel_operator_no_effect_if by fastforce moreover { have v_in_set_vs: "v \ set ((\)\<^sub>\)" using decode_state_at_valid_variable[OF s\<^sub>k'_not_none]. 
then have state_propagation_positive: "cnf_semantics \ {{(State k (index ?vs v))\ , (State (Suc k) (index ?vs v))\<^sup>+}}" and state_propagation_negative: "cnf_semantics \ {{(State k (index ?vs v))\<^sup>+ , (State (Suc k) (index ?vs v))\}}" using encode_problem_parallel_correct_iv[OF assms(1, 2) k_lt_t _ False] by fastforce+ consider (s\<^sub>k'_v_positive) "?s\<^sub>k' v = Some True" | (s\<^sub>k'_v_negative) "?s\<^sub>k' v = Some False" using s\<^sub>k'_not_none by fastforce hence "?s\<^sub>k' v = ?s\<^sub>k v" proof (cases) case s\<^sub>k'_v_positive then have "lit_semantics \ ((State (Suc k) (index ?vs v))\<^sup>+)" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) suc_k_lte_t v_in_set_vs] by fastforce (* TODO slow. *) then have "lit_semantics \ ((State k (index ?vs v))\<^sup>+)" using state_propagation_negative unfolding cnf_semantics_def clause_semantics_def by fastforce then show ?thesis using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) k_lte_t v_in_set_vs] s\<^sub>k'_v_positive by fastforce next case s\<^sub>k'_v_negative then have "\lit_semantics \ ((State (Suc k) (index ?vs v))\<^sup>+)" using decode_state_at_encoding_variables_equals_some_of_valuation_if[ OF assms(1, 2) suc_k_lte_t v_in_set_vs] by fastforce (* TODO slow. 
*) then have "\lit_semantics \ ((State k (index ?vs v))\<^sup>+)" using state_propagation_positive unfolding cnf_semantics_def clause_semantics_def by fastforce then show ?thesis using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) k_lte_t v_in_set_vs] s\<^sub>k'_v_negative by fastforce qed } ultimately show ?thesis by argo qed } hence "?s\<^sub>k' \\<^sub>m ?t\<^sub>k'" using map_le_def by blast } moreover { { fix v assume "v \ dom ?t\<^sub>k'" then have t\<^sub>k'_not_none: "?t\<^sub>k' v \ None" by blast { { assume contradiction: "v \ set ((\)\<^sub>\)" then have "(\\<^sub>S\ \ \ k) v = None" using decode_state_at_valid_variable by fastforce then obtain op where op_in: "op \ set ((\\ \ \ t) ! k)" and v_is_or: "v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" using execute_parallel_operators_strips_none_if_contraposition[OF t\<^sub>k'_not_none] by blast have op_in: "op \ set ((\)\<^sub>\)" using op_in decode_plan_step_element_then(1) k_lt_t by blast consider (A) "v \ set (add_effects_of op)" | (B) "v \ set (delete_effects_of op)" using v_is_or by blast hence False proof (cases) case A then have "v \ set ((\)\<^sub>\)" using is_valid_problem_strips_operator_variable_sets(2)[OF assms(1)] op_in A by blast thus False using contradiction by blast next case B then have "v \ set ((\)\<^sub>\)" using is_valid_problem_strips_operator_variable_sets(3)[OF assms(1)] op_in B by blast thus False using contradiction by blast qed } } hence v_in_set_vs: "v \ set ((\)\<^sub>\)" by blast hence "?t\<^sub>k' v = ?s\<^sub>k' v" proof (cases "(\op\set ?\\<^sub>k. 
v \ set (add_effects_of op) \ v \ set (delete_effects_of op))") case True then obtain op where op_in_set_\\<^sub>k: "op \ set ?\\<^sub>k" and v_options: "v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" by blast then have "op \ set ((\)\<^sub>\)" using decode_plan_step_element_then[OF k_lt_t] by blast then consider (v_is_add_effect) "v \ set (add_effects_of op)" | (v_is_delete_effect) "v \ set (delete_effects_of op)" using v_options by blast thus ?thesis proof (cases) case v_is_add_effect then have "?t\<^sub>k' v = Some True" using execute_parallel_operator_positive_effect_if[OF _ _ op_in_set_\\<^sub>k] operator_preconditions_hold by blast moreover have "?s\<^sub>k' v = Some True" using encode_problem_parallel_correct_iii(1)[OF assms(1, 2, 3) op_in_set_\\<^sub>k] v_is_add_effect by blast ultimately show ?thesis by argo next case v_is_delete_effect then have "?t\<^sub>k' v = Some False" using execute_parallel_operator_negative_effect_if[OF _ _ op_in_set_\\<^sub>k] operator_preconditions_hold by blast moreover have "?s\<^sub>k' v = Some False" using encode_problem_parallel_correct_iii(2)[OF assms(1, 2, 3) op_in_set_\\<^sub>k] v_is_delete_effect by blast ultimately show ?thesis by argo qed next case False have state_propagation_positive: "cnf_semantics \ {{(State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+}}" and state_propagation_negative: "cnf_semantics \ {{(State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\}}" using encode_problem_parallel_correct_iv[OF assms(1, 2) k_lt_t v_in_set_vs False] by blast+ { have all_op_in_set_\\<^sub>k_have_no_effect: "\op \ set ?\\<^sub>k. 
v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" using False by blast then have "?t\<^sub>k' v = ?s\<^sub>k v" using execute_parallel_operator_no_effect_if[OF all_op_in_set_\\<^sub>k_have_no_effect] by blast } note t\<^sub>k'_equals_s\<^sub>k = this { have "?s\<^sub>k v \ None" using t\<^sub>k'_not_none t\<^sub>k'_equals_s\<^sub>k by argo then consider (s\<^sub>k_v_is_some_true) "?s\<^sub>k v = Some True" | (s\<^sub>k_v_is_some_false) "?s\<^sub>k v = Some False" by fastforce } then show ?thesis proof (cases) case s\<^sub>k_v_is_some_true moreover { have "lit_semantics \ ((State k (index ?vs v))\<^sup>+)" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) k_lte_t v_in_set_vs] s\<^sub>k_v_is_some_true by simp then have "lit_semantics \ ((State (Suc k) (index ?vs v))\<^sup>+)" using state_propagation_positive unfolding cnf_semantics_def clause_semantics_def by fastforce then have "?s\<^sub>k' v = Some True" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) suc_k_lte_t v_in_set_vs] by fastforce } ultimately show ?thesis using t\<^sub>k'_equals_s\<^sub>k by simp next case s\<^sub>k_v_is_some_false moreover { have "lit_semantics \ ((State k (index ?vs v))\)" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) k_lte_t v_in_set_vs] s\<^sub>k_v_is_some_false by simp then have "lit_semantics \ ((State (Suc k) (index ?vs v))\)" using state_propagation_negative unfolding cnf_semantics_def clause_semantics_def by fastforce then have "?s\<^sub>k' v = Some False" using decode_state_at_encoding_variables_equals_some_of_valuation_if[OF assms(1, 2) suc_k_lte_t v_in_set_vs] by fastforce } ultimately show ?thesis using t\<^sub>k'_equals_s\<^sub>k by simp qed qed } hence "?t\<^sub>k' \\<^sub>m ?s\<^sub>k'" using map_le_def by blast } ultimately show ?thesis using map_le_antisym by blast qed lemma encode_problem_parallel_correct_vi: assumes "is_valid_problem_strips \" and "\ \ 
\ \ t" and "k < length (trace_parallel_plan_strips ((\)\<^sub>I) (\\ \ \ t))" shows "trace_parallel_plan_strips ((\)\<^sub>I) (\\ \ \ t) ! k = \\<^sub>S\ \ \ k" using assms proof - let ?I = "(\)\<^sub>I" and ?\ = "\\ \ \ t" let ?\ = "trace_parallel_plan_strips ?I ?\" show ?thesis using assms proof (induction k) case 0 hence "?\ ! 0 = ?I" using trace_parallel_plan_strips_head_is_initial_state by blast moreover have "\\<^sub>S\ \ \ 0 = ?I" using decode_state_at_initial_state[OF assms(1, 2)] by simp ultimately show ?case by simp next case (Suc k) let ?\\<^sub>k = "trace_parallel_plan_strips ?I ?\ ! k" and ?s\<^sub>k = "\\<^sub>S\ \ \ k" have k_lt_length_\_minus_one: "k < length ?\ - 1" and k_lt_length_\: "k < length ?\" using Suc.prems(3) by linarith+ \ \ Use the induction hypothesis to obtain the proposition for the previous step $k$. Then, show that applying the $k$-th parallel operator in the plan $\pi$ on either the state obtained from the trace or decoded from the model yields the same successor state. \ { have "?\ ! k = execute_parallel_plan ?I (take k ?\)" using trace_parallel_plan_plan_prefix k_lt_length_\ by blast hence "?\\<^sub>k = ?s\<^sub>k" using Suc.IH[OF assms(1, 2) k_lt_length_\] by blast } moreover have "trace_parallel_plan_strips ?I ?\ ! Suc k = execute_parallel_operator ?\\<^sub>k (?\ ! k)" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one] by blast moreover { thm Suc.prems(3) have "length (trace_parallel_plan_strips ?I ?\) \ length ?\ + 1" using length_trace_parallel_plan_strips_lte_length_plan_plus_one by blast then have "k < length ?\" using Suc.prems(3) unfolding Suc_eq_plus1 by linarith hence "\\<^sub>S\ \ \ (Suc k) = execute_parallel_operator ?s\<^sub>k (?\ ! 
k)" using encode_problem_parallel_correct_v[OF assms(1, 2)] by simp } ultimately show ?case by argo qed qed lemma encode_problem_parallel_correct_vii: assumes "is_valid_problem_strips \" and "\ \ \ \ t" shows "length (map (decode_state_at \ \) [0..\ \ \ t))]) = length (trace_parallel_plan_strips ((\)\<^sub>I) (\\ \ \ t))" proof - let ?I = "(\)\<^sub>I" and ?\ = "\\ \ \ t" let ?\ = "map (decode_state_at \ \) [0..)]" and ?\ = "trace_parallel_plan_strips ?I ?\" let ?l = "length ?\ " let ?k = "?l - 1" show ?thesis proof (rule ccontr) assume length_\_neq_length_\: "length ?\ \ length ?\" { have "length ?\ = length ?\ + 1" by fastforce moreover have "length ?\ \ length ?\ + 1" using length_trace_parallel_plan_strips_lte_length_plan_plus_one by blast moreover have "length ?\ < length ?\ + 1" using length_\_neq_length_\ calculation by linarith } note nb\<^sub>1 = this { have "0 < length ?\" using trace_parallel_plan_strips_not_nil.. then have "length ?\ - 1 < length ?\" using nb\<^sub>1 by linarith } note nb\<^sub>2 = this { obtain k' where "length ?\ = Suc k'" using less_imp_Suc_add[OF length_trace_parallel_plan_gt_0] by blast hence "?k < length ?\" using nb\<^sub>2 by blast } note nb\<^sub>3 = this { have "?\ ! ?k = execute_parallel_plan ?I (take ?k ?\)" using trace_parallel_plan_plan_prefix[of ?k] length_trace_minus_one_lt_length_trace by blast thm encode_problem_parallel_correct_vi[OF assms(1, 2)] nb\<^sub>3 moreover have "(\\<^sub>S\ \ \ ?k) = ?\ ! ?k" using encode_problem_parallel_correct_vi[OF assms(1, 2) length_trace_minus_one_lt_length_trace].. ultimately have "(\\<^sub>S\ \ \ ?k) = execute_parallel_plan ?I (take ?k ?\)" by argo } note nb\<^sub>4 = this { have "are_all_operators_applicable (\\<^sub>S\ \ \ ?k) (?\ ! ?k)" and "are_all_operator_effects_consistent (?\ ! ?k)" using encode_problem_parallel_correct_ii(1, 2)[OF assms(1, 2)] nb\<^sub>3 by blast+ \ \ Unsure why \calculation(1, 2)\ is needed for this proof step. Should just require the default proof. 
\ moreover have "\are_all_operators_applicable (\\<^sub>S\ \ \ ?k) (?\ ! ?k)" and "\are_all_operator_effects_consistent (?\ ! ?k)" using length_trace_parallel_plan_strips_lt_length_plan_plus_one_then[OF nb\<^sub>1] calculation(1, 2) unfolding nb\<^sub>3 nb\<^sub>4 by blast+ ultimately have False by blast } thus False. qed qed lemma encode_problem_parallel_correct_x: assumes "is_valid_problem_strips \" and "\ \ \ \ t" shows "map (decode_state_at \ \) [0..\ \ \ t))] = trace_parallel_plan_strips ((\)\<^sub>I) (\\ \ \ t)" proof - let ?I = "(\)\<^sub>I" and ?\ = "\\ \ \ t" let ?\ = "map (decode_state_at \ \) [0..)]" and ?\ = "trace_parallel_plan_strips ?I ?\" { have "length ?\ = length ?\" using encode_problem_parallel_correct_vii[OF assms].. moreover { fix k assume k_lt_length_\: "k < length ?\" then have "trace_parallel_plan_strips ((\)\<^sub>I) (\\ \ \ t) ! k = \\<^sub>S\ \ \ k" using encode_problem_parallel_correct_vi[OF assms] by blast moreover { have "length ?\ \ length ?\ + 1" using length_trace_parallel_plan_strips_lte_length_plan_plus_one by blast then have "k < length ?\ + 1" using k_lt_length_\ by linarith then have "k < Suc (length ?\) - 0" by simp hence "?\ ! k = \\<^sub>S\ \ \ k" using nth_map_upt[of k "Suc (length ?\)" 0] by auto } ultimately have "?\ ! k = ?\ ! k" by argo } ultimately have "?\ = ?\" using list_eq_iff_nth_eq[of ?\ ?\] by blast } thus ?thesis by argo qed lemma encode_problem_parallel_correct_xi: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "\ \ \ \ t" and "ops \ set (\\ \ \ t)" and "op \ set ops" shows "op \ set ((\)\<^sub>\)" proof - let ?\ = "\\ \ \ t" have "length ?\ = t" using decode_plan_length by force moreover obtain k where "k < length ?\" and "ops = ?\ ! 
k" using in_set_conv_nth[of ops ?\] assms(3) unfolding calculation by blast ultimately show ?thesis using assms(4) decode_plan_step_element_then(1) by force qed text \ To show soundness, we have to prove the following: given the existence of a model \<^term>\\\ of the basic SATPlan encoding \<^term>\encode_problem \ t\ for a given valid problem \<^term>\\\ and hypothesized plan length \<^term>\t\, the decoded plan \<^term>\\ \ \\ \ \ t\ is a parallel solution for \<^term>\\\. We show this theorem by showing equivalence between the execution trace of the decoded plan and the sequence of states @{text[display, indent=4] "\ = map (\ k. \\<^sub>S\ \ \ k) [0..)]" } decoded from the model \<^term>\\\. Let @{text[display, indent=4] "\ \ trace_parallel_plan_strips I \"} be the trace of \<^term>\\\. Theorem \ref{isathm:soundness-satplan-encoding} first establishes the equality \<^term>\\ = \\ of the decoded state sequence and the trace of \<^term>\\\. We can then derive that \<^term>\G \\<^sub>m last \\ by lemma \ref{isathm:parallel-solution-trace-strips}, i.e. the last state reached by plan execution (and moreover the last state decoded from the model), satisfies the goal state \<^term>\G\ defined by the problem. By lemma \ref{isathm:parallel-solution-trace-strips}, we can conclude that \<^term>\\\ is a solution for \<^term>\I\ and \<^term>\G\. Moreover, we show that all operators \<^term>\op\ in all parallel operators \<^term>\ops \ set \\ are also contained in \<^term>\\\. This is the case because the plan decoding function reverses the encoding function (which only encodes operators in \<^term>\\\). By definition \ref{isadef:parallel-solution-strips} this means that \<^term>\\\ is a parallel solution for \<^term>\\\. Moreover \<^term>\\\ has length \<^term>\t\ as confirmed by lemma \isaname{decode_plan_length}. 
\footnote{This lemma is used in the proof but not shown.} \ theorem encode_problem_parallel_sound: assumes "is_valid_problem_strips \" and "\ \ \ \ t" shows "is_parallel_solution_for_problem \ (\\ \ \ t)" proof - let ?ops = "strips_problem.operators_of \" and ?I = "(\)\<^sub>I" and ?G = "(\)\<^sub>G" and ?\ = "\\ \ \ t" let ?\ = "map (\ k. \\<^sub>S\ \ \ k) [0..)]" and ?\ = "trace_parallel_plan_strips ?I ?\" { have "?\ = ?\" using encode_problem_parallel_correct_x[OF assms]. moreover { have "length ?\ = t" using decode_plan_length by auto then have "?G \\<^sub>m last ?\" using decode_state_at_goal_state[OF assms] by simp } ultimately have "((\)\<^sub>G) \\<^sub>m execute_parallel_plan ((\)\<^sub>I) (\\ \ \ t)" using execute_parallel_plan_reaches_goal_iff_goal_is_last_element_of_trace by auto } moreover have "\ops \ set ?\. \op \ set ops. op \ set ((\)\<^sub>\)" using encode_problem_parallel_correct_xi[OF assms(1, 2)] by auto ultimately show ?thesis unfolding is_parallel_solution_for_problem_def unfolding list_all_iff ListMem_iff operators_of_def STRIPS_Representation.operators_of_def by fastforce qed value "stop" (* Tell document preparation to stop collecting for the last tag *) subsection "Completeness" (* TODO make abbreviation *) definition empty_valuation :: "sat_plan_variable valuation" ("\\<^sub>0") where "empty_valuation \ (\_. 
False)" abbreviation valuation_for_state :: "'variable list \'variable strips_state \ nat \ 'variable \ sat_plan_variable valuation \ sat_plan_variable valuation" where "valuation_for_state vs s k v \ \ \(State k (index vs v) := (s v = Some True))" \ \ Since the trace may be shorter than the plan length even though the last trace element subsumes the goal state---namely in case plan execution is impossible due to violation of the execution condition but the reached state serendipitously subsumes the goal state---, we also have to repeat the valuation for all time steps \<^term>\k' \ {length \..(length \ + 1)}\ for all \ \<^term>\v \ \\ (see \<^term>\\\<^sub>2\). \ definition valuation_for_state_variables :: "'variable strips_problem \ 'variable strips_operator list list \ 'variable strips_state list \ sat_plan_variable valuation" where "valuation_for_state_variables \ \ \ \ let t' = length \ ; \\<^sub>\ = \ ! (t' - 1) ; vs = variables_of \ ; V\<^sub>1 = { State k (index vs v) | k v. k \ {0.. v \ set vs } ; V\<^sub>2 = { State k (index vs v) | k v. k \ {t'..(length \ + 1)} \ v \ set vs } ; \\<^sub>1 = foldr (\(k, v) \. valuation_for_state (variables_of \) (\ ! k) k v \) (List.product [0..\<^sub>0 ; \\<^sub>2 = foldr (\(k, v) \. valuation_for_state (variables_of \) \\<^sub>\ k v \) (List.product [t'.. + 2] vs) \\<^sub>0 in override_on (override_on \\<^sub>0 \\<^sub>1 V\<^sub>1) \\<^sub>2 V\<^sub>2" \ \ The valuation is left to yield false for the potentially remaining \<^term>\k' \ {length \..(length \ + 1)}\ since no more operators are executed after the trace ends anyway. The definition of \<^term>\\\<^sub>0\ as the valuation that is false for every argument ensures this implicitely. 
\ definition valuation_for_operator_variables :: "'variable strips_problem \ 'variable strips_operator list list \ 'variable strips_state list \ sat_plan_variable valuation" where "valuation_for_operator_variables \ \ \ \ let ops = operators_of \ ; Op = { Operator k (index ops op) | k op. k \ {0.. - 1} \ op \ set ops } in override_on \\<^sub>0 (foldr (\(k, op) \. \(Operator k (index ops op) := True)) (concat (map (\k. map (Pair k) (\ ! k)) [0.. - 1])) \\<^sub>0) Op" text \ The completeness proof requires that we show that the SATPlan encoding \<^term>\\ \ t\ of a problem \<^term>\\\ has a model \<^term>\\\ in case a solution \<^term>\\\ with length \<^term>\t\ exists. Since a plan corresponds to a state trace \<^term>\\ \ trace_parallel_plan_strips I \\ with @{text[display, indent=4] "\ ! k = execute_parallel_plan I (take k \)"} for all \<^term>\k < length \\ we can construct a valuation \<^term>\\\<^sub>V\ modeling the state sequence in \<^term>\\\ by letting @{text[display, indent=4] "\(State k (index vs v) := (s v = Some True))"} or all \<^term>\v \ \\ where \<^term>\s \ \ ! k\ . \footnote{It is helpful to remember at this point, that the trace elements of a solution contain the states reached by plan prefix execution (lemma \ref{isathm:trace-elements-and-plan-prefixes}).} Similarly to \<^term>\\\<^sub>V\, we obtain an operator valuation \<^term>\\\<^sub>O\ by defining @{text[display, indent=4] "\(Operator k (index ops op) := True)"} for all operators \<^term>\op \ \\ s.t. \<^term>\op \ set (\ ! k)\ for all \<^term>\k < length \ - 1\. The overall valuation for the plan execution \<^term>\\\ can now be constructed by combining the state variable valuation \<^term>\\\<^sub>V\ and operator valuation \<^term>\\\<^sub>O\. 
\ definition valuation_for_plan :: "'variable strips_problem \ 'variable strips_operator list list \ sat_plan_variable valuation" where "valuation_for_plan \ \ \ let vs = variables_of \ ; ops = operators_of \ ; \ = trace_parallel_plan_strips (initial_of \) \ ; t = length \ ; t' = length \ ; \\<^sub>V = valuation_for_state_variables \ \ \ ; \\<^sub>O = valuation_for_operator_variables \ \ \ ; V = { State k (index vs v) | k v. k \ {0.. v \ set vs } ; Op = { Operator k (index ops op) | k op. k \ {0.. op \ set ops } in override_on (override_on \\<^sub>0 \\<^sub>V V) \\<^sub>O Op" \ \ Show that in case of an encoding with makespan zero, it suffices to show that a given model satisfies the initial state and goal state encodings. \ (* TODO refactor. *) lemma model_of_encode_problem_makespan_zero_iff: "\ \ \ \ 0 \ \ \ \\<^sub>I \ \<^bold>\ (\\<^sub>G \) 0" proof - have "encode_operators \ 0 = \<^bold>\\ \<^bold>\ \<^bold>\\" unfolding encode_operators_def encode_all_operator_effects_def encode_all_operator_preconditions_def by simp moreover have "encode_all_frame_axioms \ 0 = \<^bold>\\" unfolding encode_all_frame_axioms_def by simp ultimately show ?thesis unfolding encode_problem_def SAT_Plan_Base.encode_problem_def encode_initial_state_def encode_goal_state_def by simp qed (* TODO refactor. *) lemma empty_valution_is_False[simp]: "\\<^sub>0 v = False" unfolding empty_valuation_def.. lemma model_initial_state_set_valuations: assumes "is_valid_problem_strips \" shows "set (map (\v. case ((\)\<^sub>I) v of Some b \ \\<^sub>0(State 0 (index (strips_problem.variables_of \) v) := b) | _ \ \\<^sub>0) (strips_problem.variables_of \)) = { \\<^sub>0(State 0 (index (strips_problem.variables_of \) v) := the (((\)\<^sub>I) v)) | v. v \ set ((\)\<^sub>\) }" proof - let ?I = "(\)\<^sub>I" and ?vs = "strips_problem.variables_of \" let ?f = "\v. case ((\)\<^sub>I) v of Some b \ \\<^sub>0(State 0 (index ?vs v) := b) | _ \ \\<^sub>0" and ?g = "\v. 
\\<^sub>0(State 0 (index ?vs v) := the (?I v))" let ?\s = "map ?f ?vs" have nb\<^sub>1: "dom ?I = set ((\)\<^sub>\)" using is_valid_problem_strips_initial_of_dom assms by fastforce { { fix v assume "v \ dom ?I" hence "?f v = ?g v" using nb\<^sub>1 by fastforce } hence "?f ` set ((\)\<^sub>\) = ?g ` set ((\)\<^sub>\)" using nb\<^sub>1 by force } then have "set ?\s = ?g ` set ((\)\<^sub>\)" unfolding set_map by simp thus ?thesis by blast qed (* TODO refactor *) lemma valuation_of_state_variable_implies_lit_semantics_if: assumes "v \ dom S" and "\ (State k (index vs v)) = the (S v)" shows "lit_semantics \ (literal_formula_to_literal (encode_state_variable k (index vs v) (S v)))" proof - let ?L = "literal_formula_to_literal (encode_state_variable k (index vs v) (S v))" consider (True) "S v = Some True" | (False) "S v = Some False" using assms(1) by fastforce thus ?thesis unfolding encode_state_variable_def using assms(2) by (cases, force+) qed (* TODO refactor \Fun_Supplement\? *) lemma foldr_fun_upd: assumes "inj_on f (set xs)" and "x \ set xs" shows "foldr (\x \. \(f x := g x)) xs \ (f x) = g x" using assms proof (induction xs) case (Cons a xs) then show ?case proof (cases "xs = []") case True then have "x = a" using Cons.prems(2) by simp thus ?thesis by simp next case False thus ?thesis proof (cases "a = x") next case False { from False have "x \ set xs" using Cons.prems(2) by simp moreover have "inj_on f (set xs)" using Cons.prems(1) by fastforce ultimately have "(foldr (\x \. \(f x := g x)) xs \) (f x) = g x" using Cons.IH by blast } moreover { \ \ Follows from modus tollens on the definition of @{text "inj_on"}. \ have "f a \ f x" using Cons.prems False by force moreover have "foldr (\x \. \(f x := g x)) (a # xs) \ = (foldr (\x \. \(f x := g x)) xs \)(f a := g a)" by simp ultimately have "foldr (\x \. \(f x := g x)) (a # xs) \ (f x) = (foldr (\x \. 
\(f x := g x)) xs \) (f x)" unfolding fun_upd_def by presburger } ultimately show ?thesis by argo qed simp qed qed fastforce lemma foldr_fun_no_upd: assumes "inj_on f (set xs)" and "y \ f ` set xs" shows "foldr (\x \. \(f x := g x)) xs \ y = \ y" using assms proof (induction xs) case (Cons a xs) { have "inj_on f (set xs)" and "y \ f ` set xs" using Cons.prems by (fastforce, simp) hence "foldr (\x \. \(f x := g x)) xs \ y = \ y" using Cons.IH by blast } moreover { have "f a \ y" using Cons.prems(2) by auto moreover have "foldr (\x \. \(f x := g x)) (a # xs) \ = (foldr (\x \. \(f x := g x)) xs \)(f a := g a)" by simp ultimately have "foldr (\x \. \(f x := g x)) (a # xs) \ y = (foldr (\x \. \(f x := g x)) xs \) y" unfolding fun_upd_def by presburger } ultimately show ?case by argo qed simp \ \ We only use the part of the characterization of \\\ which pertains to the state variables here. \ lemma encode_problem_parallel_complete_i: fixes \::"'a strips_problem" assumes "is_valid_problem_strips \" and "(\)\<^sub>G \\<^sub>m execute_parallel_plan ((\)\<^sub>I) \" "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True) \ (\\ (State k (index (strips_problem.variables_of \) v)) \ ((trace_parallel_plan_strips ((\)\<^sub>I) \ ! 
k) v \ Some True))" shows "\ \ \\<^sub>I \" proof - let ?vs = "strips_problem.variables_of \" and ?I = "(\)\<^sub>I" and ?G = "(\)\<^sub>G" and ?\\<^sub>I = "\\<^sub>I \" let ?\ = "trace_parallel_plan_strips ?I \" { fix C assume "C \ cnf ?\\<^sub>I" then obtain v where v_in_set_vs: "v \ set ?vs" and C_is: "C = { literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?I v)) }" using cnf_of_encode_initial_state_set_ii[OF assms(1)] by auto { have "0 < length ?\" using trace_parallel_plan_strips_not_nil by blast then have "\ (State 0 (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! 0) v = Some True" and "\\ (State 0 (index (strips_problem.variables_of \) v)) \ ((trace_parallel_plan_strips ((\)\<^sub>I) \ ! 0) v \ Some True)" using assms(3) by (presburger+) } note nb = this { let ?L = "literal_formula_to_literal (encode_state_variable 0 (index ?vs v) (?I v))" have \_0_is: "?\ ! 0 = ?I" using trace_parallel_plan_strips_head_is_initial_state by blast have v_in_dom_I: "v \ dom ?I" using is_valid_problem_strips_initial_of_dom assms(1) v_in_set_vs by fastforce then consider (I_v_is_Some_True) "?I v = Some True" | (I_v_is_Some_False) "?I v = Some False" by fastforce hence "lit_semantics \ ?L" unfolding encode_state_variable_def using assms(3) \_0_is nb by (cases, force+) } hence "clause_semantics \ C" unfolding clause_semantics_def C_is by blast } thus ?thesis using is_cnf_encode_initial_state[OF assms(1)] is_nnf_cnf cnf_semantics unfolding cnf_semantics_def by blast qed \ \ Plans may terminate early (i.e. by reaching a state satisfying the goal state before reaching the time point corresponding to the plan length). We therefore have to show the goal by splitting cases on whether the plan successfully terminated early. 
If not, we can just derive the goal from the assumptions pertaining to \\\ Otherwise, we have to first show that the goal was reached (albeit early) and that our valuation \\\ reflects the termination of plan execution after the time point at which the goal was reached. \ lemma encode_problem_parallel_complete_ii: fixes \::"'a strips_problem" assumes "is_valid_problem_strips \" and "(\)\<^sub>G \\<^sub>m execute_parallel_plan ((\)\<^sub>I) \" and "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True)" and "\v l. l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ l < length \ + 1 \ \ (State l (index (strips_problem.variables_of \) v)) = \ (State (length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1) (index (strips_problem.variables_of \) v))" shows "\ \ (\\<^sub>G \)(length \)" proof - let ?vs = "strips_problem.variables_of \" and ?I = "(\)\<^sub>I" and ?G = "(\)\<^sub>G" and ?\\<^sub>I = "\\<^sub>I \" and ?t = "length \" and ?\\<^sub>G = "(\\<^sub>G \) (length \)" let ?\ = "trace_parallel_plan_strips ?I \" let ?t' = "length ?\" { fix v assume G_of_v_is_not_None: "?G v \ None" have "?G \\<^sub>m last ?\" using execute_parallel_plan_reaches_goal_iff_goal_is_last_element_of_trace assms(2) by blast also have "\ = ?\ ! (?t' - 1)" using last_conv_nth[OF trace_parallel_plan_strips_not_nil]. finally have "?G \\<^sub>m ?\ ! (?t' - 1)" by argo hence "(?\ ! (?t' - 1)) v = ?G v" using G_of_v_is_not_None unfolding map_le_def by force } note nb\<^sub>1 = this (* TODO refactor. *) \ \ Discriminate on whether the trace has full length or not and show that the model valuation of the state variables always correspond to the (defined) goal state values. 
\ { fix v assume G_of_v_is_not_None: "?G v \ None" hence "\ (State ?t (index ?vs v)) \ ?G v = Some True" proof (cases "?t' = ?t + 1") case True moreover have "?t < ?t'" using calculation by fastforce moreover have "\ (State ?t (index ?vs v)) \ (?\ ! ?t) v = Some True" using assms(3) calculation(2) by blast ultimately show ?thesis using nb\<^sub>1[OF G_of_v_is_not_None] by force next case False { have "?t' < ?t + 1" using length_trace_parallel_plan_strips_lte_length_plan_plus_one False le_neq_implies_less by blast moreover have "\ (State ?t (index ?vs v)) = \ (State (?t' - 1) (index ?vs v))" using assms(4) calculation by simp moreover have "?t' - 1 < ?t'" using trace_parallel_plan_strips_not_nil length_greater_0_conv[of ?\] less_diff_conv2[of 1 ?t' ?t'] by force moreover have "\ (State (?t' - 1) (index ?vs v)) \ (?\ ! (?t' - 1)) v = Some True" using assms(3) calculation(3) by blast ultimately have "\ (State ?t (index ?vs v)) \ (?\ ! (?t' - 1)) v = Some True" by blast } thus ?thesis using nb\<^sub>1[OF G_of_v_is_not_None] by presburger qed } note nb\<^sub>2 = this { fix C assume C_in_cnf_of_\\<^sub>G: "C \ cnf ?\\<^sub>G" moreover obtain v where "v \ set ?vs" and G_of_v_is_not_None: "?G v \ None" and C_is: "C = { literal_formula_to_literal (encode_state_variable ?t (index ?vs v) (?G v)) }" using cnf_of_encode_goal_state_set_ii[OF assms(1)] calculation by auto consider (G_of_v_is_Some_True) "?G v = Some True" | (G_of_v_is_Some_False) "?G v = Some False" using G_of_v_is_not_None by fastforce then have "clause_semantics \ C" using nb\<^sub>2 C_is unfolding clause_semantics_def encode_state_variable_def by (cases, force+) } thus ?thesis using cnf_semantics[OF is_nnf_cnf[OF encode_goal_state_is_cnf[OF assms(1)]]] unfolding cnf_semantics_def by blast qed \ \ We are not using the full characterization of \\\ here since it's not needed. 
\ (* TODO make private *) lemma encode_problem_parallel_complete_iii_a: fixes \::"'a strips_problem" assumes "is_valid_problem_strips \" and "(\)\<^sub>G \\<^sub>m execute_parallel_plan ((\)\<^sub>I) \" and "C \ cnf (encode_all_operator_preconditions \ (strips_problem.operators_of \) (length \))" and "\k op. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ \ (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" and "\l op. l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ l < length \ \ \\ (Operator l (index (strips_problem.operators_of \) op))" and "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True)" shows "clause_semantics \ C" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" and ?t = "length \" let ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" (* TODO slow. *) obtain k op where k_and_op_are: "(k, op) \ ({0.. set ((\)\<^sub>\))" and "C \ (\v \ set (precondition_of op). {{ (Operator k (index ?ops op))\ , (State k (index ?vs v))\<^sup>+ }})" using cnf_of_encode_all_operator_preconditions_structure assms(3) UN_E[of C ] by auto then obtain v where v_in_preconditions_of_op: "v \ set (precondition_of op)" and C_is: "C = { (Operator k (index ?ops op))\, (State k (index ?vs v))\<^sup>+ }" by blast thus ?thesis proof (cases "k < length ?\ - 1") case k_lt_length_\_minus_one: True thus ?thesis proof (cases "op \ set (\ ! k)") case True { have "are_all_operators_applicable (?\ ! k) (\ ! k)" using trace_parallel_plan_strips_operator_preconditions k_lt_length_\_minus_one by blast then have "(?\ ! 
k) v = Some True" using are_all_operators_applicable_set v_in_preconditions_of_op True by fast hence "\ (State k (index ?vs v))" using assms(6) k_lt_length_\_minus_one by force } thus ?thesis using C_is unfolding clause_semantics_def by fastforce next case False then have "\\ (Operator k (index ?ops op))" using assms(4) k_lt_length_\_minus_one by blast thus ?thesis using C_is unfolding clause_semantics_def by fastforce qed next case False then have "k \ length ?\ - 1" "k < ?t" using k_and_op_are by(force, simp) then have "\\ (Operator k (index ?ops op))" using assms(5) by blast thus ?thesis unfolding clause_semantics_def using C_is by fastforce qed qed \ \ We are not using the full characterization of \\\ here since it's not needed. \ (* TODO make private *) lemma encode_problem_parallel_complete_iii_b: fixes \::"'a strips_problem" assumes "is_valid_problem_strips \" and "(\)\<^sub>G \\<^sub>m execute_parallel_plan ((\)\<^sub>I) \" and "C \ cnf (encode_all_operator_effects \ (strips_problem.operators_of \) (length \))" and "\k op. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ \ (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" and "\l op. l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ l < length \ \ \\ (Operator l (index (strips_problem.operators_of \) op))" and "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True)" shows "clause_semantics \ C" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" and ?t = "length \" let ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" let ?A = "(\(k, op) \ {0.. set ((\)\<^sub>\). \v \ set (add_effects_of op). {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+ }})" and ?B = "(\(k, op) \ {0.. set ((\)\<^sub>\). \v \ set (delete_effects_of op). 
{{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\ }})" consider (C_in_A) "C \ ?A" | (C_in_B) "C \ ?B" using Un_iff[of C ?A ?B] cnf_of_encode_all_operator_effects_structure assms(3) by (metis C_in_A C_in_B) thus ?thesis proof (cases) case C_in_A then obtain k op where k_and_op_are: "(k, op) \ {0.. set((\)\<^sub>\)" and "C \ (\v \ set (add_effects_of op). {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+ }})" by blast then obtain v where v_in_add_effects_of_op: "v \ set (add_effects_of op)" and C_is: "C = { (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\<^sup>+ }" by blast thus ?thesis proof (cases "k < length ?\ - 1") case k_lt_length_\_minus_one: True thus ?thesis proof (cases "op \ set (\ ! k)") case True { then have "are_all_operators_applicable (?\ ! k) (\ ! k)" and "are_all_operator_effects_consistent (\ ! k)" using trace_parallel_plan_strips_operator_preconditions k_lt_length_\_minus_one by blast+ hence "execute_parallel_operator (?\ ! k) (\ ! k) v = Some True" using execute_parallel_operator_positive_effect_if[ OF _ _ True v_in_add_effects_of_op, of "?\ ! k"] by blast } then have \_Suc_k_is_Some_True: "(?\ ! Suc k) v = Some True" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one] by argo have "\ (State (Suc k) (index ?vs v))" using assms(6) k_lt_length_\_minus_one \_Suc_k_is_Some_True by fastforce thus ?thesis using C_is unfolding clause_semantics_def by fastforce next case False then have "\\ (Operator k (index ?ops op))" using assms(4) k_lt_length_\_minus_one by blast thus ?thesis using C_is unfolding clause_semantics_def by force qed next case False then have "k \ length ?\ - 1" and "k < ?t" using k_and_op_are by auto then have "\\ (Operator k (index ?ops op))" using assms(5) by blast thus ?thesis using C_is unfolding clause_semantics_def by fastforce qed next \ \ This case is completely symmetrical to the one above. \ case C_in_B then obtain k op where k_and_op_are: "(k, op) \ {0.. 
set ((\)\<^sub>\)" and "C \ (\v \ set (delete_effects_of op). {{ (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\ }})" by blast then obtain v where v_in_delete_effects_of_op: "v \ set (delete_effects_of op)" and C_is: "C = { (Operator k (index ?ops op))\, (State (Suc k) (index ?vs v))\ }" by blast thus ?thesis proof (cases "k < length ?\ - 1") case k_lt_length_\_minus_one: True thus ?thesis proof (cases "op \ set (\ ! k)") case True { then have "are_all_operators_applicable (?\ ! k) (\ ! k)" and "are_all_operator_effects_consistent (\ ! k)" using trace_parallel_plan_strips_operator_preconditions k_lt_length_\_minus_one by blast+ hence "execute_parallel_operator (?\ ! k) (\ ! k) v = Some False" using execute_parallel_operator_negative_effect_if[ OF _ _ True v_in_delete_effects_of_op, of "?\ ! k"] by blast } then have \_Suc_k_is_Some_True: "(?\ ! Suc k) v = Some False" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one] by argo have "\\ (State (Suc k) (index ?vs v))" using assms(6) k_lt_length_\_minus_one \_Suc_k_is_Some_True by fastforce thus ?thesis using C_is unfolding clause_semantics_def by fastforce next case False then have "\\ (Operator k (index ?ops op))" using assms(4) k_lt_length_\_minus_one by blast thus ?thesis using C_is unfolding clause_semantics_def by force qed next case False then have "k \ length ?\ - 1" and "k < ?t" using k_and_op_are by auto then have "\\ (Operator k (index ?ops op))" using assms(5) by blast thus ?thesis using C_is unfolding clause_semantics_def by fastforce qed qed qed (* TODO make private *) lemma encode_problem_parallel_complete_iii: fixes \::"'a strips_problem" assumes "is_valid_problem_strips \" and "(\)\<^sub>G \\<^sub>m execute_parallel_plan ((\)\<^sub>I) \" and "\k op. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ \ (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" and "\l op. 
l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ l < length \ \ \\ (Operator l (index (strips_problem.operators_of \) op))" and "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True)" shows "\ \ encode_operators \ (length \)" proof - let ?t = "length \" and ?ops = "strips_problem.operators_of \" let ?\\<^sub>O = "encode_operators \ ?t" and ?\\<^sub>P = "encode_all_operator_preconditions \ ?ops?t" and ?\\<^sub>E = "encode_all_operator_effects \ ?ops ?t" { fix C assume "C \ cnf ?\\<^sub>O" then consider (C_in_precondition_encoding) "C \ cnf ?\\<^sub>P" | (C_in_effect_encoding) "C \ cnf ?\\<^sub>E" using cnf_of_operator_encoding_structure by blast hence "clause_semantics \ C" proof (cases) case C_in_precondition_encoding thus ?thesis using encode_problem_parallel_complete_iii_a[OF assms(1, 2) _ assms(3, 4, 5)] by blast next case C_in_effect_encoding thus ?thesis using encode_problem_parallel_complete_iii_b[OF assms(1, 2) _ assms(3, 4, 5)] by blast qed } thus ?thesis using encode_operators_is_cnf[OF assms(1)] is_nnf_cnf cnf_semantics unfolding cnf_semantics_def by blast qed (* TODO make private *) lemma encode_problem_parallel_complete_iv_a: fixes \ :: "'a strips_problem" assumes "STRIPS_Semantics.is_parallel_solution_for_problem \ \" and "\k op. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ \ (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" and "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True)" and "\v l. 
l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ l < length \ + 1 \ \ (State l (index (strips_problem.variables_of \) v)) = \ (State (length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1) (index (strips_problem.variables_of \) v))" and "C \ \ (\(k, v) \ {0..} \ set ((\)\<^sub>\). {{{ (State k (index (strips_problem.variables_of \) v))\<^sup>+ , (State (Suc k) (index (strips_problem.variables_of \) v))\ } \ { (Operator k (index (strips_problem.operators_of \) op))\<^sup>+ |op. op \ set ((\)\<^sub>\) \ v \ set (add_effects_of op) }}})" shows "clause_semantics \ C" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?t = "length \" let ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" let ?A = "(\(k, v) \ {0.. set ?vs. {{{ (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ } \ { (Operator k (index ?ops op))\<^sup>+ |op. op \ set ?ops \ v \ set (add_effects_of op) }}})" (* TODO refactor *) { (* TODO slow *) obtain C' where "C' \ ?A" and C_in_C': "C \ C'" using Union_iff assms(5) by auto then obtain k v where "(k, v) \ {0.. set ?vs" and "C' \ {{{ (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ } \ { (Operator k (index ?ops op))\<^sup>+ |op. op \ set ?ops \ v \ set (add_effects_of op) }}}" using UN_E by blast hence "\k v. k \ {0.. v \ set ?vs \ C = { (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ } \ { (Operator k (index ?ops op))\<^sup>+ |op. op \ set ?ops \ v \ set (add_effects_of op) }" using C_in_C' by blast } then obtain k v where k_in: "k \ {0.. set ?vs" and C_is: "C = { (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ } \ { (Operator k (index ?ops op))\<^sup>+ |op. op \ set ?ops \ v \ set (add_effects_of op) }" by blast show ?thesis proof (cases "k < length ?\ - 1") case k_lt_length_\_minus_one: True then have k_lt_t: "k < ?t" using k_in by force have all_operators_applicable: "are_all_operators_applicable (?\ ! k) (\ ! 
k)" and all_operator_effects_consistent: "are_all_operator_effects_consistent (\ ! k)" using trace_parallel_plan_strips_operator_preconditions[OF k_lt_length_\_minus_one] by simp+ then consider (A) "\op \ set (\ ! k). v \ set (add_effects_of op)" | (B) "\op \ set (\ ! k). v \ set (delete_effects_of op)" | (C) "\op \ set (\ ! k). v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" by blast thus ?thesis proof (cases) case A moreover obtain op where op_in_\\<^sub>k: "op \ set (\ ! k)" and v_is_add_effect: "v \ set (add_effects_of op)" using A by blast moreover { have "(\ ! k) \ set \" using k_lt_t by simp hence "op \ set ?ops" using is_parallel_solution_for_problem_operator_set[OF assms(1) _ op_in_\\<^sub>k] by blast } ultimately have "(Operator k (index ?ops op))\<^sup>+ \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (add_effects_of op) }" using v_is_add_effect by blast then have "(Operator k (index ?ops op))\<^sup>+ \ C" using C_is by auto moreover have "\ (Operator k (index ?ops op))" using assms(2) k_lt_length_\_minus_one op_in_\\<^sub>k by blast ultimately show ?thesis unfolding clause_semantics_def by force next case B then obtain op where op_in_\\<^sub>k: "op \ set (\ ! k)" and v_is_delete_effect: "v \ set (delete_effects_of op)".. then have "\(\op \ set (\ ! k). v \ set (add_effects_of op))" using all_operator_effects_consistent are_all_operator_effects_consistent_set by fast then have "execute_parallel_operator (?\ ! k) (\ ! k) v = Some False" using execute_parallel_operator_negative_effect_if[OF all_operators_applicable all_operator_effects_consistent op_in_\\<^sub>k v_is_delete_effect] by blast moreover have "(?\ ! Suc k) v = execute_parallel_operator (?\ ! k) (\ ! 
k) v" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one] by simp ultimately have "\\ (State (Suc k) (index ?vs v))" using assms(3) k_lt_length_\_minus_one by simp thus ?thesis using C_is unfolding clause_semantics_def by simp next case C show ?thesis proof (cases "(?\ ! k) v = Some True") case True then have "\ (State k (index ?vs v))" using assms(3) k_lt_length_\_minus_one by force thus ?thesis using C_is unfolding clause_semantics_def by fastforce next case False { have "(?\ ! Suc k) = execute_parallel_operator (?\ ! k) (\ ! k)" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one]. then have "(?\ ! Suc k) v = (?\ ! k) v" using execute_parallel_operator_no_effect_if C by fastforce hence "(?\ ! Suc k) v \ Some True" using False by argo } then have "\\ (State (Suc k) (index ?vs v))" using assms(3) k_lt_length_\_minus_one by auto thus ?thesis using C_is unfolding clause_semantics_def by fastforce qed qed next case k_gte_length_\_minus_one: False show ?thesis proof (cases "\ (State (length ?\ - 1) (index ?vs v))") case True { have "\ (State k (index ?vs v)) = \ (State (length ?\ - 1) (index ?vs v))" proof (cases "k = length ?\ - 1") case False then have "length ?\ \ k" and "k < ?t + 1" using k_gte_length_\_minus_one k_in by fastforce+ thus ?thesis using assms(4) by blast qed blast hence "\ (State k (index ?vs v))" using True by blast } thus ?thesis using C_is unfolding clause_semantics_def by simp next case False { have "length ?\ \ Suc k" and "Suc k < ?t + 1" using k_gte_length_\_minus_one k_in by fastforce+ then have "\ (State (Suc k) (index ?vs v)) = \ (State (length ?\ - 1) (index ?vs v))" using assms(4) by blast hence "\\ (State (Suc k) (index ?vs v))" using False by blast } thus ?thesis using C_is unfolding clause_semantics_def by fastforce qed qed qed (* TODO make private *) lemma encode_problem_parallel_complete_iv_b: fixes \ :: "'a strips_problem" assumes "is_parallel_solution_for_problem \ \" and "\k op. 
k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ \ (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" and "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True)" and "\v l. l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ l < length \ + 1 \ \ (State l (index (strips_problem.variables_of \) v)) = \ (State (length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1) (index (strips_problem.variables_of \) v))" and "C \ \ (\(k, v) \ {0..} \ set ((\)\<^sub>\). {{{ (State k (index (strips_problem.variables_of \) v))\ , (State (Suc k) (index (strips_problem.variables_of \) v))\<^sup>+ } \ { (Operator k (index (strips_problem.operators_of \) op))\<^sup>+ |op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op) }}})" shows "clause_semantics \ C" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?t = "length \" let ?\ = "trace_parallel_plan_strips (initial_of \) \" let ?A = "(\(k, v) \ {0.. set ?vs. {{{ (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op) }}})" (* TODO refactor *) { (* TODO slow *) obtain C' where "C' \ ?A" and C_in_C': "C \ C'" using Union_iff assms(5) by auto (* TODO slow *) then obtain k v where "(k, v) \ {0.. set ?vs" and "C' \ {{{ (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ |op. op \ set ?ops \ v \ set (delete_effects_of op) }}}" using UN_E by fastforce hence "\k v. k \ {0.. v \ set ?vs \ C = { (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op) }" using C_in_C' by auto } then obtain k v where k_in: "k \ {0.. 
set ((\)\<^sub>\)" and C_is: "C = { (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op) }" by auto show ?thesis proof (cases "k < length ?\ - 1") case k_lt_length_\_minus_one: True then have k_lt_t: "k < ?t" using k_in by force have all_operators_applicable: "are_all_operators_applicable (?\ ! k) (\ ! k)" and all_operator_effects_consistent: "are_all_operator_effects_consistent (\ ! k)" using trace_parallel_plan_strips_operator_preconditions[OF k_lt_length_\_minus_one] by simp+ then consider (A) "\op \ set (\ ! k). v \ set (delete_effects_of op)" | (B) "\op \ set (\ ! k). v \ set (add_effects_of op)" | (C) "\op \ set (\ ! k). v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" by blast thus ?thesis proof (cases) case A moreover obtain op where op_in_\\<^sub>k: "op \ set (\ ! k)" and v_is_delete_effect: "v \ set (delete_effects_of op)" using A by blast moreover { have "(\ ! k) \ set \" using k_lt_t by simp hence "op \ set ?ops" using is_parallel_solution_for_problem_operator_set[OF assms(1) _ op_in_\\<^sub>k] by auto } ultimately have "(Operator k (index ?ops op))\<^sup>+ \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ?ops \ v \ set (delete_effects_of op) }" using v_is_delete_effect by blast then have "(Operator k (index ?ops op))\<^sup>+ \ C" using C_is by auto moreover have "\ (Operator k (index ?ops op))" using assms(2) k_lt_length_\_minus_one op_in_\\<^sub>k by blast ultimately show ?thesis unfolding clause_semantics_def by force next case B then obtain op where op_in_\\<^sub>k: "op \ set (\ ! k)" and v_is_add_effect: "v \ set (add_effects_of op)".. then have "\(\op \ set (\ ! k). v \ set (delete_effects_of op))" using all_operator_effects_consistent are_all_operator_effects_consistent_set by fast then have "execute_parallel_operator (?\ ! k) (\ ! 
k) v = Some True" using execute_parallel_operator_positive_effect_if[OF all_operators_applicable all_operator_effects_consistent op_in_\\<^sub>k v_is_add_effect] by blast moreover have "(?\ ! Suc k) v = execute_parallel_operator (?\ ! k) (\ ! k) v" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one] by simp ultimately have "\ (State (Suc k) (index ?vs v))" using assms(3) k_lt_length_\_minus_one by simp thus ?thesis using C_is unfolding clause_semantics_def by simp next case C show ?thesis \ \ We split on cases for @{text "(?\ ! k) v = Some True"} here to avoid having to proof @{text "(?\ ! k) v \ None"}. \ proof (cases "(?\ ! k) v = Some True") case True { have "(?\ ! Suc k) = execute_parallel_operator (?\ ! k) (\ ! k)" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one]. then have "(?\ ! Suc k) v = (?\ ! k) v" using execute_parallel_operator_no_effect_if C by fastforce then have "(?\ ! Suc k) v = Some True" using True by argo hence "\ (State (Suc k) (index ?vs v))" using assms(3) k_lt_length_\_minus_one by fastforce } thus ?thesis using C_is unfolding clause_semantics_def by fastforce next case False then have "\\ (State k (index ?vs v))" using assms(3) k_lt_length_\_minus_one by simp thus ?thesis using C_is unfolding clause_semantics_def by fastforce qed qed next case k_gte_length_\_minus_one: False show ?thesis proof (cases "\ (State (length ?\ - 1) (index ?vs v))") case True { have "length ?\ \ Suc k" and "Suc k < ?t + 1" using k_gte_length_\_minus_one k_in by fastforce+ then have "\ (State (Suc k) (index ?vs v)) = \ (State (length ?\ - 1) (index ?vs v))" using assms(4) by blast hence "\ (State (Suc k) (index ?vs v))" using True by blast } thus ?thesis using C_is unfolding clause_semantics_def by fastforce next case False { have "\ (State k (index ?vs v)) = \ (State (length ?\ - 1) (index ?vs v))" proof (cases "k = length ?\ - 1") case False then have "length ?\ \ k" and "k < ?t + 1" using k_gte_length_\_minus_one k_in by 
fastforce+ thus ?thesis using assms(4) by blast qed blast hence "\\ (State k (index ?vs v))" using False by blast } thus ?thesis using C_is unfolding clause_semantics_def by simp qed qed qed (* TODO make private *) lemma encode_problem_parallel_complete_iv: fixes \::"'a strips_problem" assumes "is_valid_problem_strips \" and "is_parallel_solution_for_problem \ \" and "\k op. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1 \ \ (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" and "\v k. k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ (\ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = Some True)" and "\v l. l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) \ l < length \ + 1 \ \ (State l (index (strips_problem.variables_of \) v)) = \ (State (length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1) (index (strips_problem.variables_of \) v))" shows "\ \ encode_all_frame_axioms \ (length \)" proof - let ?\\<^sub>F = "encode_all_frame_axioms \ (length \)" let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?t = "length \" let ?A = "\ (\(k, v) \ {0.. set ((\)\<^sub>\). {{{ (State k (index ?vs v))\<^sup>+, (State (Suc k) (index ?vs v))\ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (add_effects_of op) }}})" and ?B = "\ (\(k, v) \ {0.. set ((\)\<^sub>\). {{{ (State k (index ?vs v))\, (State (Suc k) (index ?vs v))\<^sup>+ } \ { (Operator k (index ?ops op))\<^sup>+ | op. op \ set ((\)\<^sub>\) \ v \ set (delete_effects_of op) }}})" (* TODO slow (and why can only metis do this?). 
*) have cnf_\\<^sub>F_is_A_union_B: "cnf ?\\<^sub>F = ?A \ ?B" using cnf_of_encode_all_frame_axioms_structure by (simp add: cnf_of_encode_all_frame_axioms_structure) { fix C assume "C \ cnf ?\\<^sub>F" then consider (C_in_A) "C \ ?A" | (C_in_B) "C \ ?B" using Un_iff[of C ?A ?B] cnf_\\<^sub>F_is_A_union_B by argo hence "clause_semantics \ C" proof (cases) case C_in_A then show ?thesis using encode_problem_parallel_complete_iv_a[OF assms(2, 3, 4, 5) C_in_A] by blast next case C_in_B then show ?thesis using encode_problem_parallel_complete_iv_b[OF assms(2, 3, 4, 5) C_in_B] by blast qed } thus ?thesis using encode_frame_axioms_is_cnf is_nnf_cnf cnf_semantics unfolding cnf_semantics_def by blast qed (* TODO refactor. *) lemma valuation_for_operator_variables_is: fixes \ :: "'a strips_problem" assumes "is_parallel_solution_for_problem \ \" and "k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1" and "op \ set ((\)\<^sub>\)" shows "valuation_for_operator_variables \ \ (trace_parallel_plan_strips ((\)\<^sub>I) \) (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" proof - let ?ops = "strips_problem.operators_of \" and ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" let ?v = "Operator k (index ?ops op)" and ?Op = "{ Operator k (index ?ops op) | k op. k \ {0.. - 1} \ op \ set ((\)\<^sub>\) }" let ?l = "concat (map (\k. map (Pair k) (\ ! k)) [0.. - 1])" and ?f = "\x. Operator (fst x) (index ?ops (snd x))" \ \ show that our operator construction function is injective on @{text "set (concat (map (\k. map (Pair k) (\ ! k)) [0.. - 1]))"}. \ have k_in: "k \ {0.. - 1}" using assms(2) by fastforce { (* TODO refactor. 
*) { fix k k' op op' assume k_op_in: "(k, op) \ set ?l" and k'_op'_in: "(k', op') \ set ?l" have "Operator k (index ?ops op) = Operator k' (index ?ops op') \ (k, op) = (k', op')" proof (rule iffI) assume index_op_is_index_op': "Operator k (index ?ops op) = Operator k' (index ?ops op')" then have k_is_k': "k = k'" by fast moreover { have k'_lt: "k' < length ?\ - 1" using k'_op'_in by fastforce (* TODO slow *) have op_in: "op \ set (\ ! k)" using k_op_in by force (* TODO slow *) then have op'_in: "op' \ set (\ ! k)" using k'_op'_in k_is_k' by auto { have length_\_gt_1: "length ?\ > 1" using assms(2) by linarith have "length ?\ - Suc 0 \ length \ + 1 - Suc 0" using length_trace_parallel_plan_strips_lte_length_plan_plus_one using diff_le_mono by blast then have "length ?\ - 1 \ length \" by fastforce then have "k' < length \" using length_\_gt_1 k'_lt by linarith hence "\ ! k' \ set \" by simp } moreover have "op \ set ?ops" and "op' \ set ?ops" using is_parallel_solution_for_problem_operator_set[OF assms(1)] op_in op'_in k_is_k' calculation by auto ultimately have "op = op'" using index_op_is_index_op' by force } ultimately show "(k, op) = (k', op')" by blast qed fast } (* TODO slow *) hence "inj_on ?f (set ?l)" unfolding inj_on_def fst_def snd_def by fast } note inj_on_f_set_l = this (* TODO refactor. *) { have "set ?l = \ (set ` set (map (\k. map (Pair k) (\ ! k)) [0.. - 1]))" using set_concat by metis also have "\ = \ (set ` (\k. map (Pair k) (\ ! k)) ` {0.. - 1})" by force also have "\ = \ ((\k. (Pair k) ` set (\ ! k)) ` {0.. - 1})" by force also have "\ = \((\k. { (k, op) | op. op \ set (\ ! k) }) ` {0.. - 1})" by blast also have "\ = \({{ (k, op) } | k op. k \ {0.. - 1} \ op \ set (\ ! k) })" by blast (* TODO slow. *) finally have "set ?l = \((\(k, op). { (k, op) }) ` { (k, op). k \ {0.. - 1} \ op \ set (\ ! k) })" using setcompr_eq_image[of "\(k, op). 
{ (k, op) }" _] by auto } note set_l_is = this { have "Operator k (index ?ops op) \ ?Op" using assms(3) k_in by blast (* TODO slow *) hence "valuation_for_operator_variables \ \ ?\ ?v = foldr (\(k, op) \. \(Operator k (index ?ops op) := True)) ?l \\<^sub>0 ?v" unfolding valuation_for_operator_variables_def override_on_def Let_def by auto } note nb = this show ?thesis proof (cases "op \ set (\ ! k)") case True moreover have k_op_in: "(k, op) \ set ?l" using set_l_is k_in calculation by blast \ \ There is some problem with the pattern match in the lambda in fact \isaname{nb}, sow we have to do some extra work to convince Isabelle of the truth of the statement. \ moreover { let ?g = "\_. True" thm foldr_fun_upd[OF inj_on_f_set_l k_op_in] have "?v = Operator (fst (k, op)) (index ?ops (snd (k, op)))" by simp moreover have "(\(k, op) \. \(Operator k (index ?ops op) := True)) = (\x \. \(Operator (fst x) (index ?ops (snd x)) := True))" by fastforce moreover have "foldr (\x \. \(Operator (fst x) (index ?ops (snd x)) := ?g x)) ?l \\<^sub>0 (Operator (fst (k, op)) (index ?ops (snd (k, op)))) = True" unfolding foldr_fun_upd[OF inj_on_f_set_l k_op_in].. ultimately have "valuation_for_operator_variables \ \ ?\ ?v = True" using nb by argo } thus ?thesis using True by blast next case False { have "(k, op) \ set ?l" using False set_l_is by fast moreover { fix k' op' assume "(k', op') \ set ?l" and "?f (k', op') = ?f (k, op)" (* TODO slow. *) hence "(k', op') = (k, op)" using inj_on_f_set_l assms(3) by simp } (* TODO slow. *) ultimately have "Operator k (index ?ops op) \ ?f ` set ?l" using image_iff by force } note operator_not_in_f_image_set_l = this { have "\\<^sub>0 (Operator k (index ?ops op)) = False" by simp moreover have "(\(k, op) \. \(Operator k (index ?ops op) := True)) = (\x \. \(Operator (fst x) (index ?ops (snd x)) := True))" by fastforce ultimately have "foldr (\(k, op) \. 
\(Operator k (index ?ops op) := True)) ?l \\<^sub>0 ?v = False" using foldr_fun_no_upd[OF inj_on_f_set_l operator_not_in_f_image_set_l, of "\_. True" \\<^sub>0] by presburger } thus ?thesis using nb False by blast qed qed (* TODO refactor (also used in proof of completeness for \-step 1 encoding) TODO make private *) lemma encode_problem_parallel_complete_vi_a: fixes \ :: "'a strips_problem" assumes "is_parallel_solution_for_problem \ \" and "k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1" shows "valuation_for_plan \ \ (Operator k (index (strips_problem.operators_of \) op)) = (op \ set (\ ! k))" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?t = "length \" and ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" let ?\\<^sub>\ = "valuation_for_plan \ \" and ?\\<^sub>O = "valuation_for_operator_variables \ \ ?\" and ?Op = "{ Operator k (index ?ops op) | k op. k \ {0.. op \ set ?ops }" and ?V = "{ State k (index ?vs v) | k v. k \ {0.. v \ set ?vs }" and ?v = "Operator k (index ?ops op)" { have "length ?\ \ length \ + 1" using length_trace_parallel_plan_strips_lte_length_plan_plus_one. then have "length ?\ - 1 \ length \" by simp then have "k < ?t" using assms by fastforce } note k_lt_length_\ = this show ?thesis proof (cases "op \ set ((\)\<^sub>\)") case True { have "?v \ ?Op" using k_lt_length_\ True by auto (* TODO slow. *) hence "?\\<^sub>\ ?v = ?\\<^sub>O ?v" unfolding valuation_for_plan_def override_on_def Let_def by force } then show ?thesis using valuation_for_operator_variables_is[OF assms(1, 2) True] by blast next (* TODO refactor (used in the lemma below as well). *) case False { { \ \ We have @{text "\index ?ops op < length ?ops"} due to the assumption that @{text "\op \ set ?ops"}. Hence @{text "\k \ {0.. ?Op"}. \ have "?Op = (\(k, op). Operator k (index ?ops op)) ` ({0.. 
set ?ops)" by fast moreover have "\index ?ops op < length ?ops" using False by simp ultimately have "?v \ ?Op" by fastforce } moreover have "?v \ ?V" by force (* TODO slow. *) ultimately have "?\\<^sub>\ ?v = \\<^sub>0 ?v" unfolding valuation_for_plan_def override_on_def by metis hence "\?\\<^sub>\ ?v" unfolding empty_valuation_def by blast } moreover have "(\ ! k) \ set \" using k_lt_length_\ by simp moreover have "op \ set (\ ! k)" using is_parallel_solution_for_problem_operator_set[OF assms(1) calculation(2)] False by blast ultimately show ?thesis by blast qed qed (* TODO make private *) lemma encode_problem_parallel_complete_vi_b: fixes \ :: "'a strips_problem" assumes "is_parallel_solution_for_problem \ \" and "l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1" and "l < length \" shows "\valuation_for_plan \ \ (Operator l (index (strips_problem.operators_of \) op))" proof - (* TODO prune variables *) let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?t = "length \" and ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" let ?\\<^sub>\ = "valuation_for_plan \ \" and ?\\<^sub>O = "valuation_for_operator_variables \ \ ?\" and ?Op = "{ Operator k (index ?ops op) | k op. k \ {0.. op \ set ?ops }" and ?Op' = "{ Operator k (index ?ops op) | k op. k \ {0.. - 1} \ op \ set ?ops }" and ?V = "{ State k (index ?vs v) | k v. k \ {0.. v \ set ?vs }" and ?v = "Operator l (index ?ops op)" show ?thesis proof (cases "op \ set ((\)\<^sub>\)") case True { { have "?v \ ?Op" using assms(3) True by auto (* TODO slow. *) hence "?\\<^sub>\ ?v = ?\\<^sub>O ?v" unfolding valuation_for_plan_def override_on_def Let_def by simp } moreover { have "l \ {0.. 
- 1}" using assms(2) by simp then have "?v \ ?Op'" by blast hence "?\\<^sub>O ?v = \\<^sub>0 ?v" unfolding valuation_for_operator_variables_def override_on_def by meson } ultimately have "\?\\<^sub>\ ?v" unfolding empty_valuation_def by blast } then show ?thesis by blast next (* TODO refactor (used in the lemma above as well). *) case False { { \ \ We have @{text "\index ?ops op < length ?ops"} due to the assumption that @{text "\op \ set ?ops"}. Hence @{text "\k \ {0.. ?Op"}. \ have "?Op = (\(k, op). Operator k (index ?ops op)) ` ({0.. set ?ops)" by fast moreover have "\index ?ops op < length ?ops" using False by simp ultimately have "?v \ ?Op" by fastforce } moreover have "?v \ ?V" by force (* TODO slow. *) ultimately have "?\\<^sub>\ ?v = \\<^sub>0 ?v" unfolding valuation_for_plan_def override_on_def by metis hence "\?\\<^sub>\ ?v" unfolding empty_valuation_def by blast } thus ?thesis by blast qed qed \ \ As a corollary from lemmas \isaname{encode_problem_parallel_complete_vi_a} and \isaname{encode_problem_parallel_complete_vi_b} we obtain the result that the constructed valuation \<^term>\\ \ valuation_for_plan \ \\ valuates SATPlan operator variables as false if they are not contained in any operator set \<^term>\\ ! k\ for any time point \<^term>\k < length \\. \ corollary encode_problem_parallel_complete_vi_d: (* TODO why is this necessary? *) fixes \ :: "'variable strips_problem" assumes "is_parallel_solution_for_problem \ \" and "k < length \" and "op \ set (\ ! 
k)" shows "\valuation_for_plan \ \ (Operator k (index (strips_problem.operators_of \) op))" using encode_problem_parallel_complete_vi_a[OF assms(1)] assms(3) encode_problem_parallel_complete_vi_b[OF assms(1) _ assms(2)] assms(3) by (cases "k < length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1"; fastforce) (* TODO refactor List_Supplement OR rm (unused) *) lemma list_product_is_nil_iff: "List.product xs ys = [] \ xs = [] \ ys = []" proof (rule iffI) assume product_xs_ys_is_Nil: "List.product xs ys = []" show "xs = [] \ ys = []" proof (rule ccontr) assume "\(xs = [] \ ys = [])" then have "xs \ []" and "ys \ []" by simp+ then obtain x xs' y ys' where "xs = x # xs'" and "ys = y # ys'" using list.exhaust by metis then have "List.product xs ys = (x, y) # map (Pair x) ys' @ List.product xs' (y # ys')" by simp thus False using product_xs_ys_is_Nil by simp qed next assume "xs = [] \ ys = []" thus "List.product xs ys = []" \ \ First cases in the next two proof blocks follow from definition of List.product. \ proof (rule disjE) assume ys_is_Nil: "ys = []" show "List.product xs ys = []" proof (induction xs) case (Cons x xs) have "List.product (x # xs) ys = map (Pair x) ys @ List.product xs ys" by simp also have "\ = [] @ List.product xs ys" using Nil_is_map_conv ys_is_Nil by blast finally show ?case using Cons.IH by force qed auto qed simp qed \ \ We keep the state abstract by requiring a function \s\ which takes the index \k\ and returns state. This makes the lemma cover both cases, i.e. dynamic (e.g. the \k\-th trace state) as well as static state (e.g. final trace state). \ lemma valuation_for_state_variables_is: assumes "k \ set ks" and "v \ set vs" shows "foldr (\(k, v) \. valuation_for_state vs (s k) k v \) (List.product ks vs) \\<^sub>0 (State k (index vs v)) \ (s k) v = Some True" proof - let ?v = "State k (index vs v)" and ?ps = "List.product ks vs" let ?\ = "foldr (\(k, v) \. valuation_for_state vs (s k) k v \) ?ps \\<^sub>0" and ?f = "\x. 
State (fst x) (index vs (snd x))" and ?g = "\x. (s (fst x)) (snd x) = Some True" have nb\<^sub>1: "(k, v) \ set ?ps" using assms(1, 2) set_product by simp (* TODO refactor (State construction is injective on List.product ks vs). *) moreover { { fix x y assume x_in_ps: "x \ set ?ps" and y_in_ps: "y \ set ?ps" and "\(?f x = ?f y \ x = y)" then have f_x_is_f_y: "?f x = ?f y" and x_is_not_y: "x \ y" by blast+ then obtain k' k'' v' v'' where x_is: "x = (k', v')" and y_is: "y = (k'', v'')" by fastforce then consider (A) "k' \ k''" | (B) "v' \ v''" using x_is_not_y by blast hence False proof (cases) case A then have "?f x \ ?f y" using x_is y_is by simp thus ?thesis using f_x_is_f_y by argo next case B have "v' \ set vs" and "v'' \ set vs" using x_in_ps x_is y_in_ps y_is set_product by blast+ then have "index vs v' \ index vs v''" using B by force then have "?f x \ ?f y" using x_is y_is by simp thus False using f_x_is_f_y by blast qed } hence "inj_on ?f (set ?ps)" using inj_on_def by blast } note nb\<^sub>2 = this { have "foldr (\x. valuation_for_state vs (s (fst x)) (fst x) (snd x)) (List.product ks vs) \\<^sub>0 (State (fst (k, v)) (index vs (snd (k, v)))) = (s (fst (k, v)) (snd (k, v)) = Some True)" using foldr_fun_upd[OF nb\<^sub>2 nb\<^sub>1, of ?g \\<^sub>0] by blast moreover have "(\x. valuation_for_state vs (s (fst x)) (fst x) (snd x)) = (\(k, v). valuation_for_state vs (s k) k v)" by fastforce ultimately have "?\ (?f (k, v)) = ?g (k, v)" by simp } thus ?thesis by simp qed (* TODO make private *) lemma encode_problem_parallel_complete_vi_c: fixes \ :: "'a strips_problem" assumes "is_valid_problem_strips \" and "is_parallel_solution_for_problem \ \" and "k < length (trace_parallel_plan_strips ((\)\<^sub>I) \)" shows "valuation_for_plan \ \ (State k (index (strips_problem.variables_of \) v)) \ (trace_parallel_plan_strips ((\)\<^sub>I) \ ! 
k) v = Some True" proof - (* TODO prune variables *) let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" let ?t = "length \" and ?t' = "length ?\" let ?\\<^sub>\ = "valuation_for_plan \ \" and ?\\<^sub>V = "valuation_for_state_variables \ \ ?\" and ?\\<^sub>O = "valuation_for_state_variables \ \ ?\" and ?\\<^sub>1 = "foldr (\(k, v) \. valuation_for_state ?vs (?\ ! k) k v \) (List.product [0..\<^sub>0" and ?Op = "{ Operator k (index ?ops op) | k op. k \ {0.. op \ set ((\)\<^sub>\) }" and ?Op' = "{ Operator k (index ?ops op) | k op. k \ {0.. op \ set ((\)\<^sub>\) }" and ?V = "{ State k (index ?vs v) | k v. k \ {0.. v \ set ((\)\<^sub>\) }" and ?V\<^sub>1 = "{ State k (index ?vs v) | k v. k \ {0.. v \ set ((\)\<^sub>\) }" and ?V\<^sub>2 = "{ State k (index ?vs v) | k v. k \ {?t'..(?t + 1)} \ v \ set ((\)\<^sub>\) }" and ?v = "State k (index ?vs v)" have v_notin_Op: "?v \ ?Op" by blast have k_lte_length_\_plus_one: "k < length \ + 1" using less_le_trans length_trace_parallel_plan_strips_lte_length_plan_plus_one assms(3) by blast show ?thesis proof (cases "v \ set ((\)\<^sub>\)") case True { (* TODO refactor. *) { have "?v \ ?V" "?v \ ?Op" using k_lte_length_\_plus_one True by force+ hence "?\\<^sub>\ ?v = ?\\<^sub>V ?v" unfolding valuation_for_plan_def override_on_def Let_def by simp } moreover { have "?v \ ?V\<^sub>1" "?v \ ?V\<^sub>2" using assms(3) True by fastforce+ hence "?\\<^sub>V ?v = ?\\<^sub>1 ?v" unfolding valuation_for_state_variables_def override_on_def Let_def by force } ultimately have "?\\<^sub>\ ?v = ?\\<^sub>1 ?v" by blast } moreover have "k \ set [0.. set (strips_problem.variables_of \)" using True by simp (* TODO slow *) ultimately show ?thesis using valuation_for_state_variables_is[of k "[0.. 
index ?vs v < length ?vs" using False index_less_size_conv by simp hence "?v \ ?V" by fastforce } then have "\?\\<^sub>\ ?v" using v_notin_Op unfolding valuation_for_plan_def override_on_def empty_valuation_def Let_def variables_of_def operators_of_def by presburger } moreover have "\(?\ ! k) v = Some True" using trace_parallel_plan_strips_none_if[of \ \ k v] assms(1, 2, 3) False unfolding initial_of_def by force ultimately show ?thesis by blast qed qed (* TODO make private *) lemma encode_problem_parallel_complete_vi_f: fixes \ :: "'a strips_problem" assumes "is_valid_problem_strips \" and "is_parallel_solution_for_problem \ \" and "l \ length (trace_parallel_plan_strips ((\)\<^sub>I) \)" and "l < length \ + 1" shows "valuation_for_plan \ \ (State l (index (strips_problem.variables_of \) v)) = valuation_for_plan \ \ (State (length (trace_parallel_plan_strips ((\)\<^sub>I) \) - 1) (index (strips_problem.variables_of \) v))" proof - (* TODO prune variables *) let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" let ?t = "length \" and ?t' = "length ?\" let ?\\<^sub>\ = "?\ ! (?t' - 1)" and ?\\<^sub>\ = "valuation_for_plan \ \" and ?\\<^sub>V = "valuation_for_state_variables \ \ ?\" and ?\\<^sub>O = "valuation_for_state_variables \ \ ?\" let ?\\<^sub>2 = "foldr (\(k, v) \. valuation_for_state (strips_problem.variables_of \) ?\\<^sub>\ k v \) (List.product [?t'.. + 2] ?vs) \\<^sub>0" and ?Op = "{ Operator k (index ?ops op) | k op. k \ {0.. op \ set ((\)\<^sub>\) }" and ?Op' = "{ Operator k (index ?ops op) | k op. k \ {0.. op \ set ((\)\<^sub>\) }" and ?V = "{ State k (index ?vs v) | k v. k \ {0.. v \ set ((\)\<^sub>\) }" and ?V\<^sub>1 = "{ State k (index ?vs v) | k v. k \ {0.. v \ set ((\)\<^sub>\) }" and ?V\<^sub>2 = "{ State k (index ?vs v) | k v. 
k \ {?t'..(?t + 1)} \ v \ set ((\)\<^sub>\) }" and ?v = "State l (index ?vs v)" have v_notin_Op: "?v \ ?Op" by blast show ?thesis proof (cases "v \ set ((\)\<^sub>\)") case True { (* TODO refactor. *) { have "?v \ ?V" "?v \ ?Op" using assms(4) True by force+ (* TODO slow. *) hence "?\\<^sub>\ ?v = ?\\<^sub>V ?v" unfolding valuation_for_plan_def override_on_def Let_def by simp } moreover { have "?v \ ?V\<^sub>1" "?v \ ?V\<^sub>2" using assms(3, 4) True by force+ (* TODO slow. *) hence "?\\<^sub>V ?v = ?\\<^sub>2 ?v" unfolding valuation_for_state_variables_def override_on_def Let_def by auto } ultimately have "?\\<^sub>\ ?v = ?\\<^sub>2 ?v" by blast } note nb = this moreover { have "l \ set [?t'..\<^sub>2 ?v \ ?\\<^sub>\ v = Some True" using valuation_for_state_variables_is[of l "[?t'..\<^sub>\ ?v \ ?\\<^sub>\ v = Some True" by fast moreover { have "0 < ?t'" using trace_parallel_plan_strips_not_nil by blast then have "?t' - 1 < ?t'" using diff_less by presburger } ultimately show ?thesis using encode_problem_parallel_complete_vi_c[of _ _ "?t' - 1", OF assms(1, 2)] by blast next case False { { have "\ index ?vs v < length ?vs" using False index_less_size_conv by auto hence "?v \ ?V" by fastforce } then have "\?\\<^sub>\ ?v" using v_notin_Op unfolding valuation_for_plan_def override_on_def empty_valuation_def Let_def variables_of_def operators_of_def by presburger } moreover { have "0 < ?t'" using trace_parallel_plan_strips_not_nil by blast then have "?t' - 1 < ?t'" by simp } moreover have "\((?\ ! (?t' - 1)) v = Some True)" using trace_parallel_plan_strips_none_if[of _ _ "?t' - 1" v, OF _ assms(2) calculation(2)] assms(1) False by simp ultimately show ?thesis using encode_problem_parallel_complete_vi_c[of _ _ "?t' - 1", OF assms(1, 2)] by blast qed qed text \ Let now \<^term>\\ \ trace_parallel_plan_strips I \\ be the trace of the plan \<^term>\\\, \<^term>\t \ length \\, and \<^term>\t' \ length \\. 
Any model of the SATPlan encoding \<^term>\\\ must satisfy the following properties: \footnote{Cf. \cite[Theorem 3.1, p. 1044]{DBLP:journals/ai/RintanenHN06} for the construction of \<^term>\\\.} \begin{enumerate} \item for all \<^term>\k\ and for all \<^term>\op\ with \<^term>\k < t' - 1\ @{text[display, indent=4] "\ (Operator k (index (operators_of \) op)) = op \ set (\ ! k)"} \item for all \<^term>\l\ and for all \<^term>\op\ with \<^term>\l \ t' - 1\ and \<^term>\l < length \\ we require @{text[display, indent=4] "\ (Operator l (index (operators_of \) op))"} \item for all \<^term>\v\ and for all \<^term>\k\ with \<^term>\k < t'\ we require @{text[display, indent=4] "\ (State k (index (variables_of \) v)) \ ((\ ! k) v = Some True)"} \item and finally for all \<^term>\v\ and for all \<^term>\l\ with \<^term>\l \ t'\ and \<^term>\l < t + 1\ we require @{text[display, indent=4] "\ (State l (index (variables_of \) v)) = \ (State (t' - 1) (index (variables_of \) v))"} \end{enumerate} Condition ``1.'' states that the model must reflect operator activation for all operators in the parallel operator lists \<^term>\\ ! k\ of the plan \<^term>\\\ for each time step \<^term>\k < t' - 1\ s.t. there is a successor state in the trace. Moreover ``3.'' requires that the model is consistent with the states reached during plan execution (i.e. the elements \<^term>\\ ! k\ for \<^term>\k < t'\ of the trace \<^term>\\\). Meaning that \<^term>\\ (State k (index (strips_problem.variables_of \) v))\ for the SAT plan variable of every state variable \<^term>\v\ at time point \<^term>\k\ if and only if \<^term>\(\ ! k) v = Some True\ for the corresponding state \<^term>\\ ! k\ at time \<^term>\k\ (and \<^term>\\\ (State k (index (strips_problem.variables_of \) v))\ otherwise). The second respectively fourth condition cover early plan termination by negating operator activation and propagating the last reached state. 
Note that in the state propagation constraint, the index is incremented by one compared to the similar constraint for operators, since operator activations are always followed by at least one successor state. Hence the last state in the trace has index \<^term>\length (trace_parallel_plan_strips ((\::'variable strips_problem)\<^sub>I) \) - 1\ and the remaining states take up the indexes to \<^term>\length \ + 1\. % TODO Comments on how the partial encoding modeling follows from the construction (lemmas ...). \ value "stop" (* Tell document preparation to stop collecting for the last tag *)
-\ \ To show completeness—i.e. every valid parallel plan \\\ corresponds to a model
-for the SATPlan encoding \\ \ (length \)\—, we simply split the
+\ \ To show completeness---i.e. every valid parallel plan \\\ corresponds to a model
+for the SATPlan encoding \\ \ (length \)\---, we simply split the conjunction defined by the encoding into partial encodings and show that the model satisfies each of them. 
\ theorem encode_problem_parallel_complete: assumes "is_valid_problem_strips \" and "is_parallel_solution_for_problem \ \" shows "valuation_for_plan \ \ \ \ \ (length \)" proof - let ?t = "length \" and ?I = "(\)\<^sub>I" and ?G = "(\)\<^sub>G" and ?\ = "valuation_for_plan \ \" have nb: "?G \\<^sub>m execute_parallel_plan ?I \" using assms(2) unfolding is_parallel_solution_for_problem_def by force have "?\ \ \\<^sub>I \" using encode_problem_parallel_complete_i[OF assms(1) nb] encode_problem_parallel_complete_vi_c[OF assms(1, 2)] by presburger moreover have "?\ \ (\\<^sub>G \) ?t" using encode_problem_parallel_complete_ii[OF assms(1) nb] encode_problem_parallel_complete_vi_c[OF assms(1, 2)] encode_problem_parallel_complete_vi_f[OF assms(1, 2)] by presburger moreover have "?\ \ encode_operators \ ?t" using encode_problem_parallel_complete_iii[OF assms(1) nb] encode_problem_parallel_complete_vi_a[OF assms(2)] encode_problem_parallel_complete_vi_b[OF assms(2)] encode_problem_parallel_complete_vi_c[OF assms(1, 2)] by presburger moreover have "?\ \ encode_all_frame_axioms \ ?t" using encode_problem_parallel_complete_iv[OF assms(1, 2)] encode_problem_parallel_complete_vi_a[OF assms(2)] encode_problem_parallel_complete_vi_c[OF assms(1, 2)] encode_problem_parallel_complete_vi_f[OF assms(1, 2)] by presburger ultimately show ?thesis unfolding encode_problem_def SAT_Plan_Base.encode_problem_def encode_initial_state_def encode_goal_state_def by auto qed end 
diff --git a/thys/Verified_SAT_Based_AI_Planning/STRIPS_Semantics.thy b/thys/Verified_SAT_Based_AI_Planning/STRIPS_Semantics.thy 
--- a/thys/Verified_SAT_Based_AI_Planning/STRIPS_Semantics.thy 
+++ b/thys/Verified_SAT_Based_AI_Planning/STRIPS_Semantics.thy 
@@ -1,2611 +1,2611 @@ (* Author: Mohammad Abdulaziz, Fred Kurz *) theory STRIPS_Semantics imports "STRIPS_Representation" "List_Supplement" "Map_Supplement" begin section "STRIPS Semantics" text \ Having provided a concrete implementation of STRIPS and a corresponding locale \strips\, we can now continue to define the semantics of serial and parallel STRIPS plan execution (see \autoref{sub:serial-sas-plus-and-parallel-strips} and \autoref{sub:parallel-sas-plus-and-parallel-strips}). \ subsection "Serial Plan Execution Semantics" text \ Serial plan execution is defined by primitive recursion on the plan. Definition \autoref{isadef:execute_serial_plan} returns the given state if the state argument does note satisfy the precondition of the next operator in the plan. Otherwise it executes the rest of the plan on the successor state \<^term>\execute_operator s op\ of the given state and operator. \ primrec execute_serial_plan where "execute_serial_plan s [] = s" | "execute_serial_plan s (op # ops) = (if is_operator_applicable_in s op then execute_serial_plan (execute_operator s op) ops else s )" text \ Analogously, a STRIPS trace either returns the singleton list containing only the given state in case the precondition of the next operator in the plan is not satisfied. Otherwise, the given state is prepended to trace of the rest of the plan for the successor state of executing the next operator on the given state. \ fun trace_serial_plan_strips :: "'variable strips_state \ 'variable strips_plan \ 'variable strips_state list" where "trace_serial_plan_strips s [] = [s]" | "trace_serial_plan_strips s (op # ops) = s # (if is_operator_applicable_in s op then trace_serial_plan_strips (execute_operator s op) ops else [])" text \ Finally, a serial solution is a plan which transforms a given problems initial state into its goal state and for which all operators are elements of the problem's operator list. 
\ definition is_serial_solution_for_problem where "is_serial_solution_for_problem \ \ \ (goal_of \) \\<^sub>m execute_serial_plan (initial_of \) \ \ list_all (\op. ListMem op (operators_of \)) \" lemma is_valid_problem_strips_initial_of_dom: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" shows "dom ((\)\<^sub>I) = set ((\)\<^sub>\)" proof - { let ?I = "strips_problem.initial_of \" let ?vs = "strips_problem.variables_of \" fix v have "?I v \ None \ ListMem v ?vs" using assms(1) unfolding is_valid_problem_strips_def by meson hence "v \ dom ?I \ v \ set ?vs" using ListMem_iff by fast } thus ?thesis by auto qed lemma is_valid_problem_dom_of_goal_state_is: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" shows "dom ((\)\<^sub>G) \ set ((\)\<^sub>\)" proof - let ?vs = "strips_problem.variables_of \" let ?G = "strips_problem.goal_of \" have nb: "\v. ?G v \ None \ ListMem v ?vs" using assms(1) unfolding is_valid_problem_strips_def by meson { fix v assume "v \ dom ?G" then have "?G v \ None" by blast hence "v \ set ?vs" using nb unfolding ListMem_iff by blast } thus ?thesis by auto qed lemma is_valid_problem_strips_operator_variable_sets: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "op \ set ((\)\<^sub>\)" shows "set (precondition_of op) \ set ((\)\<^sub>\)" and "set (add_effects_of op) \ set ((\)\<^sub>\)" and "set (delete_effects_of op) \ set ((\)\<^sub>\)" and "disjnt (set (add_effects_of op)) (set (delete_effects_of op))" proof - let ?ops = "strips_problem.operators_of \" and ?vs = "strips_problem.variables_of \" have "list_all (is_valid_operator_strips \) ?ops" using assms(1) unfolding is_valid_problem_strips_def by meson moreover have "\v \ set (precondition_of op). v \ set ((\)\<^sub>\)" and "\v \ set (add_effects_of op). v \ set ((\)\<^sub>\)" and "\v \ set (delete_effects_of op). v \ set ((\)\<^sub>\)" and "\v \ set (add_effects_of op). 
v \ set (delete_effects_of op)" and "\v \ set (delete_effects_of op). v \ set (add_effects_of op)" using assms(2) calculation unfolding is_valid_operator_strips_def list_all_iff Let_def ListMem_iff using variables_of_def by auto+ ultimately show "set (precondition_of op) \ set ((\)\<^sub>\)" and "set (add_effects_of op) \ set ((\)\<^sub>\)" and "set (delete_effects_of op) \ set ((\)\<^sub>\)" and "disjnt (set (add_effects_of op)) (set (delete_effects_of op))" unfolding disjnt_def by fast+ qed lemma effect_to_assignments_i: assumes "as = effect_to_assignments op" shows "as = (map (\v. (v, True)) (add_effects_of op) @ map (\v. (v, False)) (delete_effects_of op))" using assms unfolding effect_to_assignments_def effect__strips_def by auto lemma effect_to_assignments_ii: \ \ NOTE \effect_to_assignments\ can be simplified drastically given that only atomic effects and the add-effects as well as delete-effects lists only consist of variables.\ assumes "as = effect_to_assignments op" obtains as\<^sub>1 as\<^sub>2 where "as = as\<^sub>1 @ as\<^sub>2" and "as\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and "as\<^sub>2 = map (\v. (v, False)) (delete_effects_of op)" by (simp add: assms effect__strips_def effect_to_assignments_def) \ \ NOTE Show that for every variable \v\ in either the add effect list or the delete effect list, there exists an assignment in \isaname{effect_to_assignments op} representing setting \v\ to true respectively setting \v\ to false. Note that the first assumption amounts to saying that the add effect list is not empty. This also requires us to split lemma \isaname{effect_to_assignments_iii} into two separate lemmas since add and delete effect lists are not required to both contain at least one variable simultaneously. \ lemma effect_to_assignments_iii_a: fixes v assumes "v \ set (add_effects_of op)" and "as = effect_to_assignments op" obtains a where "a \ set as" "a = (v, True)" proof - let ?add_assignments = "(\v. 
(v, True)) ` set (add_effects_of op)" let ?delete_assignments = "(\v. (v, False)) ` set (delete_effects_of op)" obtain as\<^sub>1 as\<^sub>2 where a1: "as = as\<^sub>1 @ as\<^sub>2" and a2: "as\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and a3: "as\<^sub>2 = map (\v. (v, False)) (delete_effects_of op)" using assms(2) effect_to_assignments_ii by blast then have b: "set as = ?add_assignments \ ?delete_assignments" by auto \ \ NOTE The existence of an assignment as proposed can be shown by the following sequence of set inclusions. \ { from b have "?add_assignments \ set as" by blast moreover have "{(v, True)} \ ?add_assignments" using assms(1) a2 by blast ultimately have "\a. a \ set as \ a = (v, True)" by blast } then show ?thesis using that by blast qed lemma effect_to_assignments_iii_b: \ \ NOTE This proof is symmetrical to the one above. \ fixes v assumes "v \ set (delete_effects_of op)" and "as = effect_to_assignments op" obtains a where "a \ set as" "a = (v, False)" proof - let ?add_assignments = "(\v. (v, True)) ` set (add_effects_of op)" let ?delete_assignments = "(\v. (v, False)) ` set (delete_effects_of op)" obtain as\<^sub>1 as\<^sub>2 where a1: "as = as\<^sub>1 @ as\<^sub>2" and a2: "as\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and a3: "as\<^sub>2 = map (\v. (v, False)) (delete_effects_of op)" using assms(2) effect_to_assignments_ii by blast then have b: "set as = ?add_assignments \ ?delete_assignments" by auto \ \ NOTE The existence of an assignment as proposed can be shown by the following sequence of set inclusions. \ { from b have "?delete_assignments \ set as" by blast moreover have "{(v, False)} \ ?delete_assignments" using assms(1) a2 by blast ultimately have "\a. a \ set as \ a = (v, False)" by blast } then show ?thesis using that by blast qed lemma effect__strips_i: fixes op assumes "e = effect__strips op" obtains es\<^sub>1 es\<^sub>2 where "e = (es\<^sub>1 @ es\<^sub>2)" and "es\<^sub>1 = map (\v. 
(v, True)) (add_effects_of op)" and "es\<^sub>2 = map (\v. (v, False)) (delete_effects_of op)" proof - obtain es\<^sub>1 es\<^sub>2 where a: "e = (es\<^sub>1 @ es\<^sub>2)" and b: "es\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and c: "es\<^sub>2 = map (\v. (v, False)) (delete_effects_of op)" using assms(1) unfolding effect__strips_def by blast then show ?thesis using that by force qed lemma effect__strips_ii: fixes op assumes "e = ConjunctiveEffect (es\<^sub>1 @ es\<^sub>2)" and "es\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and "es\<^sub>2 = map (\v. (v, False)) (delete_effects_of op)" shows "\v \ set (add_effects_of op). (\e' \ set es\<^sub>1. e' = (v, True))" and "\v \ set (delete_effects_of op). (\e' \ set es\<^sub>2. e' = (v, False))" proof \ \ NOTE Show that for each variable \v\ in the add effect list, we can obtain an atomic effect with true value. \ fix v { assume a: "v \ set (add_effects_of op)" have "set es\<^sub>1 = (\v. (v, True)) ` set (add_effects_of op)" using assms(2) List.set_map by auto then obtain e' where "e' \ set es\<^sub>1" and "e' = (\v. (v, True)) v" using a by blast then have "\e' \ set es\<^sub>1. e' = (v, True)" by blast } thus "v \ set (add_effects_of op) \ \e' \ set es\<^sub>1. e' = (v, True)" by fast \ \ NOTE the proof is symmetrical to the one above: for each variable v in the delete effect list, we can obtain an atomic effect with v being false. \ next { fix v assume a: "v \ set (delete_effects_of op)" have "set es\<^sub>2 = (\v. (v, False)) ` set (delete_effects_of op)" using assms(3) List.set_map by force then obtain e'' where "e'' \ set es\<^sub>2" and "e'' = (\v. (v, False)) v" using a by blast then have "\e'' \ set es\<^sub>2. e'' = (v, False)" by blast } thus "\v\set (delete_effects_of op). \e'\set es\<^sub>2. e' = (v, False)" by fast qed (* TODO refactor theory Appendix AND make visible? *) lemma map_of_constant_assignments_dom: \ \ NOTE ancillary lemma used in the proof below. \ assumes "m = map_of (map (\v. 
(v, d)) vs)" shows "dom m = set vs" proof - let ?vs' = "map (\v. (v, d)) vs" have "dom m = fst ` set ?vs'" using assms(1) dom_map_of_conv_image_fst by metis moreover have "fst ` set ?vs' = set vs" by force ultimately show ?thesis by argo qed lemma effect__strips_iii_a: assumes "s' = (s \ op)" shows "\v. v \ set (add_effects_of op) \ s' v = Some True" proof - fix v assume a: "v \ set (add_effects_of op)" let ?as = "effect_to_assignments op" obtain as\<^sub>1 as\<^sub>2 where b: "?as = as\<^sub>1 @ as\<^sub>2" and c: "as\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and "as\<^sub>2 = map (\v. (v, False)) (delete_effects_of op)" using effect_to_assignments_ii by blast have d: "map_of ?as = map_of as\<^sub>2 ++ map_of as\<^sub>1" using b Map.map_of_append by auto { \ \ TODO refactor? \ let ?vs = "add_effects_of op" have "?vs \ []" using a by force then have "dom (map_of as\<^sub>1) = set (add_effects_of op)" using c map_of_constant_assignments_dom by metis then have "v \ dom (map_of as\<^sub>1)" using a by blast then have "map_of ?as v = map_of as\<^sub>1 v" using d by force } moreover { let ?f = "\_. True" from c have "map_of as\<^sub>1 = (Some \ ?f) |` (set (add_effects_of op))" using map_of_map_restrict by fast then have "map_of as\<^sub>1 v = Some True" using a by auto } moreover have "s' = s ++ map_of as\<^sub>2 ++ map_of as\<^sub>1" using assms(1) unfolding execute_operator_def using b by simp ultimately show "s' v = Some True" by simp qed (* TODO In contrast to the proof above we need proof preparation with auto. Why? *) lemma effect__strips_iii_b: assumes "s' = (s \ op)" shows "\v. v \ set (delete_effects_of op) \ v \ set (add_effects_of op) \ s' v = Some False" proof (auto) fix v assume a1: "v \ set (add_effects_of op)" and a2: "v \ set (delete_effects_of op)" let ?as = "effect_to_assignments op" obtain as\<^sub>1 as\<^sub>2 where b: "?as = as\<^sub>1 @ as\<^sub>2" and c: "as\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and d: "as\<^sub>2 = map (\v. 
(v, False)) (delete_effects_of op)" using effect_to_assignments_ii by blast have e: "map_of ?as = map_of as\<^sub>2 ++ map_of as\<^sub>1" using b Map.map_of_append by auto { have "dom (map_of as\<^sub>1) = set (add_effects_of op)" using c map_of_constant_assignments_dom by metis then have "v \ dom (map_of as\<^sub>1)" using a1 by blast } note f = this { let ?vs = "delete_effects_of op" have "?vs \ []" using a2 by force then have "dom (map_of as\<^sub>2) = set ?vs" using d map_of_constant_assignments_dom by metis } note g = this { have "s' = s ++ map_of as\<^sub>2 ++ map_of as\<^sub>1" using assms(1) unfolding execute_operator_def using b by simp thm f map_add_dom_app_simps(3)[OF f, of "s ++ map_of as\<^sub>2"] moreover have "s' v = (s ++ map_of as\<^sub>2) v" using calculation map_add_dom_app_simps(3)[OF f, of "s ++ map_of as\<^sub>2"] by blast moreover have "v \ dom (map_of as\<^sub>2)" using a2 g by argo ultimately have "s' v = map_of as\<^sub>2 v" by fastforce } moreover { let ?f = "\_. False" from d have "map_of as\<^sub>2 = (Some \ ?f) |` (set (delete_effects_of op))" using map_of_map_restrict by fast then have "map_of as\<^sub>2 v = Some False" using a2 by force } ultimately show " s' v = Some False" by argo qed (* TODO We need proof preparation with auto. Why? *) lemma effect__strips_iii_c: assumes "s' = (s \ op)" shows "\v. v \ set (add_effects_of op) \ v \ set (delete_effects_of op) \ s' v = s v" proof (auto) fix v assume a1: "v \ set (add_effects_of op)" and a2: "v \ set (delete_effects_of op)" let ?as = "effect_to_assignments op" obtain as\<^sub>1 as\<^sub>2 where b: "?as = as\<^sub>1 @ as\<^sub>2" and c: "as\<^sub>1 = map (\v. (v, True)) (add_effects_of op)" and d: "as\<^sub>2 = map (\v. 
(v, False)) (delete_effects_of op)" using effect_to_assignments_ii by blast have e: "map_of ?as = map_of as\<^sub>2 ++ map_of as\<^sub>1" using b Map.map_of_append by auto { have "dom (map_of as\<^sub>1) = set (add_effects_of op)" using c map_of_constant_assignments_dom by metis then have "v \ dom (map_of as\<^sub>1)" using a1 by blast } moreover { have "dom (map_of as\<^sub>2) = set (delete_effects_of op)" using d map_of_constant_assignments_dom by metis then have "v \ dom (map_of as\<^sub>2)" using a2 by blast } ultimately show "s' v = s v" using assms(1) unfolding execute_operator_def by (simp add: b map_add_dom_app_simps(3)) qed text \The following theorem combines three preceding sublemmas which show that the following properties hold for the successor state \s' \ execute_operator op s\ obtained by executing an operator \op\ in a state \s\: \footnote{Lemmas \path{effect__strips_iii_a}, \path{effect__strips_iii_b}, and \path{effect__strips_iii_c} (not shown).} \begin{itemize} \item every add effect is satisfied in \s'\ (sublemma \isaname{effect__strips_iii_a}); and, \item every delete effect that is not also an add effect is not satisfied in \s'\ (sublemma \isaname{effect__strips_iii_b}); and finally \item the state remains unchanged---i.e. \s' v = s v\---for all variables which are neither an add effect nor a delete effect. \end{itemize} \ (* TODO? Rewrite theorem \operator_effect__strips\ to match \s ++ map_of ( effect_to_assignments op)\ rather than \execute_operator \ op s\ since we need this form later on for the parallel execution theorem? *) theorem operator_effect__strips: assumes "s' = (s \ op)" shows "\v. v \ set (add_effects_of op) \ s' v = Some True" and "\v. v \ set (add_effects_of op) \ v \ set (delete_effects_of op) \ s' v = Some False" and "\v. v \ set (add_effects_of op) \ v \ set (delete_effects_of op) \ s' v = s v" proof (auto) show "\v. v \ set (add_effects_of op) \ s' v = Some True" using assms effect__strips_iii_a by fast next show "\v. 
v \ set (add_effects_of op) \ v \ set (delete_effects_of op) \ s' v = Some False" using assms effect__strips_iii_b by fast next show "\v. v \ set (add_effects_of op) \ v \ set (delete_effects_of op) \ s' v = s v" using assms effect__strips_iii_c by metis qed subsection "Parallel Plan Semantics" definition "are_all_operators_applicable s ops \ list_all (\op. is_operator_applicable_in s op) ops" definition "are_operator_effects_consistent op\<^sub>1 op\<^sub>2 \ let add\<^sub>1 = add_effects_of op\<^sub>1 ; add\<^sub>2 = add_effects_of op\<^sub>2 ; del\<^sub>1 = delete_effects_of op\<^sub>1 ; del\<^sub>2 = delete_effects_of op\<^sub>2 in \list_ex (\v. list_ex ((=) v) del\<^sub>2) add\<^sub>1 \ \list_ex (\v. list_ex ((=) v) add\<^sub>2) del\<^sub>1" definition "are_all_operator_effects_consistent ops \ list_all (\op. list_all (are_operator_effects_consistent op) ops) ops" definition execute_parallel_operator :: "'variable strips_state \ 'variable strips_operator list \ 'variable strips_state" where "execute_parallel_operator s ops \ foldl (++) s (map (map_of \ effect_to_assignments) ops)" text \ The parallel STRIPS execution semantics is defined in similar way as the serial STRIPS execution semantics. However, the applicability test is lifted to parallel operators and we additionally test for operator consistency (which was unecessary in the serial case). \ fun execute_parallel_plan :: "'variable strips_state \ 'variable strips_parallel_plan \ 'variable strips_state" where "execute_parallel_plan s [] = s" | "execute_parallel_plan s (ops # opss) = (if are_all_operators_applicable s ops \ are_all_operator_effects_consistent ops then execute_parallel_plan (execute_parallel_operator s ops) opss else s)" definition "are_operators_interfering op\<^sub>1 op\<^sub>2 \ list_ex (\v. list_ex ((=) v) (delete_effects_of op\<^sub>1)) (precondition_of op\<^sub>2) \ list_ex (\v. 
list_ex ((=) v) (precondition_of op\<^sub>1)) (delete_effects_of op\<^sub>2)" (* TODO rewrite as inductive predicate *) primrec are_all_operators_non_interfering :: "'variable strips_operator list \ bool" where "are_all_operators_non_interfering [] = True" | "are_all_operators_non_interfering (op # ops) = (list_all (\op'. \are_operators_interfering op op') ops \ are_all_operators_non_interfering ops)" text \ Since traces mirror the execution semantics, the same is true for the definition of parallel STRIPS plan traces. \ fun trace_parallel_plan_strips :: "'variable strips_state \ 'variable strips_parallel_plan \ 'variable strips_state list" where "trace_parallel_plan_strips s [] = [s]" | "trace_parallel_plan_strips s (ops # opss) = s # (if are_all_operators_applicable s ops \ are_all_operator_effects_consistent ops then trace_parallel_plan_strips (execute_parallel_operator s ops) opss else [])" text \ Similarly, the definition of parallel solutions requires that the parallel execution semantics transforms the initial problem into the goal state of the problem and that every operator of every parallel operator in the parallel plan is an operator that is defined in the problem description. \ definition is_parallel_solution_for_problem where "is_parallel_solution_for_problem \ \ \ (strips_problem.goal_of \) \\<^sub>m execute_parallel_plan (strips_problem.initial_of \) \ \ list_all (\ops. list_all (\op. ListMem op (strips_problem.operators_of \)) ops) \" (* TODO rename are_all_operators_applicable_in_set *) lemma are_all_operators_applicable_set: "are_all_operators_applicable s ops \ (\op \ set ops. \v \ set (precondition_of op). 
s v = Some True)" unfolding are_all_operators_applicable_def STRIPS_Representation.is_operator_applicable_in_def list_all_iff by presburger (* TODO rename are_all_operators_applicable_in_cons *) lemma are_all_operators_applicable_cons: assumes "are_all_operators_applicable s (op # ops)" shows "is_operator_applicable_in s op" and "are_all_operators_applicable s ops" proof - from assms have a: "list_all (\op. is_operator_applicable_in s op) (op # ops)" unfolding are_all_operators_applicable_def is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def by blast then have "is_operator_applicable_in s op" by fastforce moreover { from a have "list_all (\op. is_operator_applicable_in s op) ops" by simp then have "are_all_operators_applicable s ops" using are_all_operators_applicable_def is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def by blast } ultimately show "is_operator_applicable_in s op" and "are_all_operators_applicable s ops" by fast+ qed lemma are_operator_effects_consistent_set: assumes "op\<^sub>1 \ set ops" and "op\<^sub>2 \ set ops" shows "are_operator_effects_consistent op\<^sub>1 op\<^sub>2 = (set (add_effects_of op\<^sub>1) \ set (delete_effects_of op\<^sub>2) = {} \ set (delete_effects_of op\<^sub>1) \ set (add_effects_of op\<^sub>2) = {})" proof - have "(\list_ex (\v. list_ex ((=) v) (delete_effects_of op\<^sub>2)) (add_effects_of op\<^sub>1)) = (set (add_effects_of op\<^sub>1) \ set (delete_effects_of op\<^sub>2) = {})" using list_ex_intersection[of "delete_effects_of op\<^sub>2" "add_effects_of op\<^sub>1"] by meson moreover have "(\list_ex (\v. 
list_ex ((=) v) (add_effects_of op\<^sub>2)) (delete_effects_of op\<^sub>1)) = (set (delete_effects_of op\<^sub>1) \ set (add_effects_of op\<^sub>2) = {})" using list_ex_intersection[of "add_effects_of op\<^sub>2" "delete_effects_of op\<^sub>1"] by meson ultimately show "are_operator_effects_consistent op\<^sub>1 op\<^sub>2 = (set (add_effects_of op\<^sub>1) \ set (delete_effects_of op\<^sub>2) = {} \ set (delete_effects_of op\<^sub>1) \ set (add_effects_of op\<^sub>2) = {})" unfolding are_operator_effects_consistent_def by presburger qed lemma are_all_operator_effects_consistent_set: "are_all_operator_effects_consistent ops \ (\op\<^sub>1 \ set ops. \op\<^sub>2 \ set ops. (set (add_effects_of op\<^sub>1) \ set (delete_effects_of op\<^sub>2) = {}) \ (set (delete_effects_of op\<^sub>1) \ set (add_effects_of op\<^sub>2) = {}))" proof - { fix op\<^sub>1 op\<^sub>2 assume "op\<^sub>1 \ set ops" and "op\<^sub>2 \ set ops" hence "are_operator_effects_consistent op\<^sub>1 op\<^sub>2 = (set (add_effects_of op\<^sub>1) \ set (delete_effects_of op\<^sub>2) = {} \ set (delete_effects_of op\<^sub>1) \ set (add_effects_of op\<^sub>2) = {})" using are_operator_effects_consistent_set[of op\<^sub>1 ops op\<^sub>2] by fast } thus ?thesis unfolding are_all_operator_effects_consistent_def list_all_iff by force qed lemma are_all_effects_consistent_tail: assumes "are_all_operator_effects_consistent (op # ops)" shows "are_all_operator_effects_consistent ops" proof - from assms have a: "list_all (\op'. list_all (are_operator_effects_consistent op') (Cons op ops)) (Cons op ops)" unfolding are_all_operator_effects_consistent_def by blast then have b_1: "list_all (are_operator_effects_consistent op) (op # ops)" and b_2: "list_all (\op'. 
list_all (are_operator_effects_consistent op') (op # ops)) ops" by force+ then have "list_all (are_operator_effects_consistent op) ops" by simp moreover { { fix z assume "z \ set (Cons op ops)" and "list_all (are_operator_effects_consistent z) (op # ops)" then have "list_all (are_operator_effects_consistent z) ops" by auto } then have "list_all (\op'. list_all (are_operator_effects_consistent op') ops) ops" using list.pred_mono_strong[of "(\op'. list_all (are_operator_effects_consistent op') (op # ops))" "Cons op ops" "(\op'. list_all (are_operator_effects_consistent op') ops)" ] a by fastforce } ultimately have "list_all (are_operator_effects_consistent op) ops \ list_all (\op'. list_all (are_operator_effects_consistent op') ops) ops" by blast then show ?thesis using are_all_operator_effects_consistent_def by fast qed lemma are_all_operators_non_interfering_tail: assumes "are_all_operators_non_interfering (op # ops)" shows "are_all_operators_non_interfering ops" using assms unfolding are_all_operators_non_interfering_def by simp lemma are_operators_interfering_symmetric: assumes "are_operators_interfering op\<^sub>1 op\<^sub>2" shows "are_operators_interfering op\<^sub>2 op\<^sub>1" using assms unfolding are_operators_interfering_def list_ex_iff by fast \ \ A small technical characterizing operator lists with property \isaname{are_all_operators_non_interfering ops}. We show that pairs of distinct operators which interfere with one another cannot both be contained in the corresponding operator set. \ lemma are_all_operators_non_interfering_set_contains_no_distinct_interfering_operator_pairs: assumes "are_all_operators_non_interfering ops" and "are_operators_interfering op\<^sub>1 op\<^sub>2" and "op\<^sub>1 \ op\<^sub>2" shows "op\<^sub>1 \ set ops \ op\<^sub>2 \ set ops" using assms proof (induction ops) case (Cons op ops) thm Cons.IH[OF _ Cons.prems(2, 3)] have nb\<^sub>1: "\op' \ set ops. 
\are_operators_interfering op op'" and nb\<^sub>2: "are_all_operators_non_interfering ops" using Cons.prems(1) unfolding are_all_operators_non_interfering.simps(2) list_all_iff by blast+ then consider (A) "op = op\<^sub>1" | (B) "op = op\<^sub>2" | (C) "op \ op\<^sub>1 \ op \ op\<^sub>2" by blast thus ?case proof (cases) case A { assume "op\<^sub>2 \ set (op # ops)" then have "op\<^sub>2 \ set ops" using Cons.prems(3) A by force then have "\are_operators_interfering op\<^sub>1 op\<^sub>2" using nb\<^sub>1 A by fastforce hence False using Cons.prems(2).. } thus ?thesis by blast next case B { assume "op\<^sub>1 \ set (op # ops)" then have "op\<^sub>1 \ set ops" using Cons.prems(3) B by force then have "\are_operators_interfering op\<^sub>1 op\<^sub>2" using nb\<^sub>1 B are_operators_interfering_symmetric by blast hence False using Cons.prems(2).. } thus ?thesis by blast next case C thus ?thesis using Cons.IH[OF nb\<^sub>2 Cons.prems(2, 3)] by force qed qed simp (* TODO The recurring \list_all \ \\ transformations could be refactored into a general lemma. TODO refactor (also used in lemma \execute_serial_plan_split_i\). *) lemma execute_parallel_plan_precondition_cons_i: fixes s :: "('variable, bool) state" assumes "\are_operators_interfering op op'" and "is_operator_applicable_in s op" and "is_operator_applicable_in s op'" shows "is_operator_applicable_in (s ++ map_of (effect_to_assignments op)) op'" proof - let ?s' = "s ++ map_of (effect_to_assignments op)" \ \ TODO slightly hackish to exploit the definition of \execute_operator\, but we otherwise have to rewrite theorem \operator_effect__strips\ (which is a todo as of now). \ { have a: "?s' = s \ op" by (simp add: execute_operator_def) then have "\v. v \ set (add_effects_of op) \ ?s' v = Some True" and "\v. v \ set (add_effects_of op) \ v \ set (delete_effects_of op) \ ?s' v = Some False" and "\v. 
v \ set (add_effects_of op) \ v \ set (delete_effects_of op) \ ?s' v = s v" using operator_effect__strips by metis+ } note a = this \ \ TODO refactor lemma \not_have_interference_set\. \ { fix v assume \: "v \ set (precondition_of op')" { fix v have "\list_ex ((=) v) (delete_effects_of op) = list_all (\v'. \v = v') (delete_effects_of op)" using not_list_ex_equals_list_all_not[ where P="(=) v" and xs="delete_effects_of op"] by blast } moreover { from assms(1) have "\list_ex (\v. list_ex ((=) v) (delete_effects_of op)) (precondition_of op')" unfolding are_operators_interfering_def by blast then have "list_all (\v. \list_ex ((=) v) (delete_effects_of op)) (precondition_of op')" using not_list_ex_equals_list_all_not[ where P="\v. list_ex ((=) v) (delete_effects_of op)" and xs="precondition_of op'"] by blast } ultimately have \: "list_all (\v. list_all (\v'. \v = v') (delete_effects_of op)) (precondition_of op')" by presburger moreover { fix v have "list_all (\v'. \v = v') (delete_effects_of op) = (\v' \ set (delete_effects_of op). \v = v')" using list_all_iff [where P="\v'. \v = v'" and x="delete_effects_of op"] . } ultimately have "\v \ set (precondition_of op'). \v' \ set (delete_effects_of op). \v = v'" using \ list_all_iff[ where P="\v. list_all (\v'. \v = v') (delete_effects_of op)" and x="precondition_of op'"] by presburger then have "v \ set (delete_effects_of op)" using \ by fast } note b = this { fix v assume a: "v \ set (precondition_of op')" have "list_all (\v. s v = Some True) (precondition_of op')" using assms(3) unfolding is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def by presburger then have "\v \ set (precondition_of op'). s v = Some True" using list_all_iff[where P="\v. 
s v = Some True" and x="precondition_of op'"] by blast then have "s v = Some True" using a by blast } note c = this { fix v assume d: "v \ set (precondition_of op')" then have "?s' v = Some True" proof (cases "v \ set (add_effects_of op)") case True then show ?thesis using a by blast next case e: False then show ?thesis proof (cases "v \ set (delete_effects_of op)") case True then show ?thesis using assms(1) b d by fast next case False then have "?s' v = s v" using a e by blast then show ?thesis using c d by presburger qed qed } then have "list_all (\v. ?s' v = Some True) (precondition_of op')" using list_all_iff[where P="\v. ?s' v = Some True" and x="precondition_of op'"] by blast then show ?thesis unfolding is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def by auto qed \ \ The third assumption \are_all_operators_non_interfering (a # ops)\" is not part of the precondition of \isaname{execute_parallel_operator} but is required for the proof of the subgoal hat applicable is maintained. \ lemma execute_parallel_plan_precondition_cons: fixes a :: "'variable strips_operator" assumes "are_all_operators_applicable s (a # ops)" and "are_all_operator_effects_consistent (a # ops)" and "are_all_operators_non_interfering (a # ops)" shows "are_all_operators_applicable (s ++ map_of (effect_to_assignments a)) ops" and "are_all_operator_effects_consistent ops" and "are_all_operators_non_interfering ops" using are_all_effects_consistent_tail[OF assms(2)] are_all_operators_non_interfering_tail[OF assms(3)] proof - let ?s' = "s ++ map_of (effect_to_assignments a)" have nb\<^sub>1: "\op \ set (a # ops). is_operator_applicable_in s op" using assms(1) are_all_operators_applicable_set unfolding are_all_operators_applicable_def is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def list_all_iff by blast have nb\<^sub>2: "\op \ set ops. 
\are_operators_interfering a op" using assms(3) unfolding are_all_operators_non_interfering_def list_all_iff by simp have nb\<^sub>3: "is_operator_applicable_in s a" using assms(1) are_all_operators_applicable_set unfolding are_all_operators_applicable_def is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def list_all_iff by force { fix op assume op_in_ops: "op \ set ops" hence "is_operator_applicable_in ?s' op" using execute_parallel_plan_precondition_cons_i[of a op] nb\<^sub>1 nb\<^sub>2 nb\<^sub>3 by force } then show "are_all_operators_applicable ?s' ops" unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by blast qed lemma execute_parallel_operator_cons[simp]: "execute_parallel_operator s (op # ops) = execute_parallel_operator (s ++ map_of (effect_to_assignments op)) ops" unfolding execute_parallel_operator_def by simp lemma execute_parallel_operator_cons_equals: assumes "are_all_operators_applicable s (a # ops)" and "are_all_operator_effects_consistent (a # ops)" and "are_all_operators_non_interfering (a # ops)" shows "execute_parallel_operator s (a # ops) = execute_parallel_operator (s ++ map_of (effect_to_assignments a)) ops" proof - let ?s' = "s ++ map_of (effect_to_assignments a)" { from assms(1, 2) have "execute_parallel_operator s (Cons a ops) = foldl (++) s (map (map_of \ effect_to_assignments) (Cons a ops))" unfolding execute_parallel_operator_def by presburger also have "\ = foldl (++) (?s') (map (map_of \ effect_to_assignments) ops)" by auto finally have "execute_parallel_operator s (Cons a ops) = foldl (++) (?s') (map (map_of \ effect_to_assignments) ops)" using execute_parallel_operator_def by blast } \ \ NOTE the precondition of \isaname{execute_parallel} for \a # ops\ is also true for the tail list and \state ?s'\ as shown in lemma \isaname{execute_parallel_operator_precondition_cons}. Hence the precondition for the r.h.s. of the goal also holds. 
\ moreover have "execute_parallel_operator ?s' ops = foldl (++) (s ++ (map_of \ effect_to_assignments) a) (map (map_of \ effect_to_assignments) ops)" by (simp add: execute_parallel_operator_def) ultimately show ?thesis by force qed \ \ We show here that following the lemma above, executing one operator of a parallel operator can be replaced by a (single) STRIPS operator execution. \ corollary execute_parallel_operator_cons_equals_corollary: assumes "are_all_operators_applicable s (a # ops)" shows "execute_parallel_operator s (a # ops) = execute_parallel_operator (s \ a) ops" proof - let ?s' = "s ++ map_of (effect_to_assignments a)" from assms have "execute_parallel_operator s (a # ops) = execute_parallel_operator (s ++ map_of (effect_to_assignments a)) ops" using execute_parallel_operator_cons_equals by simp moreover have "?s' = s \ a" unfolding execute_operator_def by simp ultimately show ?thesis by argo qed (* TODO duplicate? *) lemma effect_to_assignments_simp[simp]: "effect_to_assignments op = map (\v. (v, True)) (add_effects_of op) @ map (\v. (v, False)) (delete_effects_of op)" by (simp add: effect_to_assignments_i) lemma effect_to_assignments_set_is[simp]: "set (effect_to_assignments op) = { ((v, a), True) | v a. (v, a) \ set (add_effects_of op) } \ { ((v, a), False) | v a. (v, a) \ set (delete_effects_of op) }" proof - obtain as where "effect__strips op = as" and "as = map (\v. (v, True)) (add_effects_of op) @ map (\v. (v, False)) (delete_effects_of op)" unfolding effect__strips_def by blast moreover have "as = map (\v. (v, True)) (add_effects_of op) @ map (\v. 
(v, False)) (delete_effects_of op)" using calculation(2) unfolding map_append map_map comp_apply by auto moreover have "effect_to_assignments op = as" unfolding effect_to_assignments_def calculation(1, 2) by auto ultimately show ?thesis unfolding set_map by auto qed corollary effect_to_assignments_construction_from_function_graph: assumes "set (add_effects_of op) \ set (delete_effects_of op) = {}" shows "effect_to_assignments op = map (\v. (v, if ListMem v (add_effects_of op) then True else False)) (add_effects_of op @ delete_effects_of op)" and "effect_to_assignments op = map (\v. (v, if ListMem v (delete_effects_of op) then False else True)) (add_effects_of op @ delete_effects_of op)" proof - let ?f = "\v. (v, if ListMem v (add_effects_of op) then True else False)" and ?g = "\v. (v, if ListMem v (delete_effects_of op) then False else True)" { have "map ?f (add_effects_of op @ delete_effects_of op) = map ?f (add_effects_of op) @ map ?f (delete_effects_of op)" using map_append by fast \ \ TODO slow. \ hence "effect_to_assignments op = map ?f (add_effects_of op @ delete_effects_of op)" using ListMem_iff assms by fastforce } moreover { have "map ?g (add_effects_of op @ delete_effects_of op) = map ?g (add_effects_of op) @ map ?g (delete_effects_of op)" using map_append by fast \ \ TODO slow. \ hence "effect_to_assignments op = map ?g (add_effects_of op @ delete_effects_of op)" using ListMem_iff assms by fastforce } ultimately show "effect_to_assignments op = map (\v. (v, if ListMem v (add_effects_of op) then True else False)) (add_effects_of op @ delete_effects_of op)" and "effect_to_assignments op = map (\v. 
(v, if ListMem v (delete_effects_of op) then False else True)) (add_effects_of op @ delete_effects_of op)" by blast+ qed corollary map_of_effect_to_assignments_is_none_if: assumes "\v \ set (add_effects_of op)" and "\v \ set (delete_effects_of op)" shows "map_of (effect_to_assignments op) v = None" proof - let ?l = "effect_to_assignments op" { have "set ?l = { (v, True) | v. v \ set (add_effects_of op) } \ { (v, False) | v. v \ set (delete_effects_of op)}" by auto then have "fst ` set ?l = (fst ` {(v, True) | v. v \ set (add_effects_of op)}) \ (fst ` {(v, False) | v. v \ set (delete_effects_of op)})" using image_Un[of fst "{(v, True) | v. v \ set (add_effects_of op)}" "{(v, False) | v. v \ set (delete_effects_of op)}"] by presburger \ \ TODO slow.\ also have "\ = (fst ` (\v. (v, True)) ` set (add_effects_of op)) \ (fst ` (\v. (v, False)) ` set (delete_effects_of op))" using setcompr_eq_image[of "\v. (v, True)" "\v. v \ set (add_effects_of op)"] setcompr_eq_image[of "\v. (v, False)" "\v. v \ set (delete_effects_of op)"] by simp \ \ TODO slow.\ also have "\ = id ` set (add_effects_of op) \ id ` set (delete_effects_of op)" by force \ \ TODO slow.\ finally have "fst ` set ?l = set (add_effects_of op) \ set (delete_effects_of op)" by auto hence "v \ fst ` set ?l" using assms(1, 2) by blast } thus ?thesis using map_of_eq_None_iff[of ?l v] by blast qed lemma execute_parallel_operator_positive_effect_if_i: assumes "are_all_operators_applicable s ops" and "are_all_operator_effects_consistent ops" and "op \ set ops" and "v \ set (add_effects_of op)" shows "map_of (effect_to_assignments op) v = Some True" proof - let ?f = "\x. if ListMem x (add_effects_of op) then True else False" and ?l'= " map (\v. 
(v, if ListMem v (add_effects_of op) then True else False)) (add_effects_of op @ delete_effects_of op)" have "set (add_effects_of op) \ {}" using assms(4) by fastforce moreover { have "set (add_effects_of op) \ set (delete_effects_of op) = {}" using are_all_operator_effects_consistent_set assms(2, 3) by fast moreover have "effect_to_assignments op = ?l'" using effect_to_assignments_construction_from_function_graph(1) calculation by fast ultimately have "map_of (effect_to_assignments op) = map_of ?l'" by argo } ultimately have "map_of (effect_to_assignments op) v = Some (?f v)" using Map_Supplement.map_of_from_function_graph_is_some_if[ of _ _ "?f", OF _ assms(4)] by simp thus ?thesis using ListMem_iff assms(4) by metis qed lemma execute_parallel_operator_positive_effect_if: fixes ops assumes "are_all_operators_applicable s ops" and "are_all_operator_effects_consistent ops" and "op \ set ops" and "v \ set (add_effects_of op)" shows "execute_parallel_operator s ops v = Some True" proof - let ?l = "map (map_of \ effect_to_assignments) ops" have set_l_is: "set ?l = (map_of \ effect_to_assignments) ` set ops" using set_map by fastforce { let ?m = "(map_of \ effect_to_assignments) op" have "?m \ set ?l" using assms(3) set_l_is by blast moreover have "?m v = Some True" using execute_parallel_operator_positive_effect_if_i[OF assms] by fastforce ultimately have "\m \ set ?l. 
m v = Some True" by blast } moreover { fix m' assume "m' \ set ?l" then obtain op' where op'_in_set_ops: "op' \ set ops" and m'_is: "m' = (map_of \ effect_to_assignments) op'" by auto then have "set (add_effects_of op) \ set (delete_effects_of op') = {}" using assms(2, 3) are_all_operator_effects_consistent_set[of ops] by blast then have "v \ set (delete_effects_of op')" using assms(4) by blast then consider (v_in_set_add_effects) "v \ set (add_effects_of op')" | (otherwise) "\v \ set (add_effects_of op') \ \v \ set (delete_effects_of op')" by blast hence "m' v = Some True \ m' v = None" proof (cases) case v_in_set_add_effects \ \ TODO slow. \ thus ?thesis using execute_parallel_operator_positive_effect_if_i[ OF assms(1, 2) op'_in_set_ops, of v] m'_is by simp next case otherwise then have "\v \ set (add_effects_of op')" and "\v \ set (delete_effects_of op')" by blast+ thus ?thesis using map_of_effect_to_assignments_is_none_if[of v op'] m'_is by fastforce qed } \ \ TODO slow. \ ultimately show ?thesis unfolding execute_parallel_operator_def using foldl_map_append_is_some_if[of s v True ?l] by meson qed lemma execute_parallel_operator_negative_effect_if_i: assumes "are_all_operators_applicable s ops" and "are_all_operator_effects_consistent ops" and "op \ set ops" and "v \ set (delete_effects_of op)" shows "map_of (effect_to_assignments op) v = Some False" proof - let ?f = "\x. if ListMem x (delete_effects_of op) then False else True" and ?l'= " map (\v. 
(v, if ListMem v (delete_effects_of op) then False else True)) (add_effects_of op @ delete_effects_of op)" have "set (delete_effects_of op @ add_effects_of op) \ {}" using assms(4) by fastforce moreover have "v \ set (delete_effects_of op @ add_effects_of op)" using assms(4) by simp moreover { have "set (add_effects_of op) \ set (delete_effects_of op) = {}" using are_all_operator_effects_consistent_set assms(2, 3) by fast moreover have "effect_to_assignments op = ?l'" using effect_to_assignments_construction_from_function_graph(2) calculation by blast ultimately have "map_of (effect_to_assignments op) = map_of ?l'" by argo } ultimately have "map_of (effect_to_assignments op) v = Some (?f v)" using Map_Supplement.map_of_from_function_graph_is_some_if[ of "add_effects_of op @ delete_effects_of op" v "?f"] by force thus ?thesis using assms(4) unfolding ListMem_iff by presburger qed lemma execute_parallel_operator_negative_effect_if: assumes "are_all_operators_applicable s ops" and "are_all_operator_effects_consistent ops" and "op \ set ops" and "v \ set (delete_effects_of op)" shows "execute_parallel_operator s ops v = Some False" proof - let ?l = "map (map_of \ effect_to_assignments) ops" have set_l_is: "set ?l = (map_of \ effect_to_assignments) ` set ops" using set_map by fastforce { let ?m = "(map_of \ effect_to_assignments) op" have "?m \ set ?l" using assms(3) set_l_is by blast moreover have "?m v = Some False" using execute_parallel_operator_negative_effect_if_i[OF assms] by fastforce ultimately have "\m \ set ?l. 
m v = Some False" by blast } moreover { fix m' assume "m' \ set ?l" then obtain op' where op'_in_set_ops: "op' \ set ops" and m'_is: "m' = (map_of \ effect_to_assignments) op'" by auto then have "set (delete_effects_of op) \ set (add_effects_of op') = {}" using assms(2, 3) are_all_operator_effects_consistent_set[of ops] by blast then have "v \ set (add_effects_of op')" using assms(4) by blast then consider (v_in_set_delete_effects) "v \ set (delete_effects_of op')" | (otherwise) "\v \ set (add_effects_of op') \ \v \ set (delete_effects_of op')" by blast hence "m' v = Some False \ m' v = None" proof (cases) case v_in_set_delete_effects \ \ TODO slow. \ thus ?thesis using execute_parallel_operator_negative_effect_if_i[ OF assms(1, 2) op'_in_set_ops, of v] m'_is by simp next case otherwise then have "\v \ set (add_effects_of op')" and "\v \ set (delete_effects_of op')" by blast+ thus ?thesis using map_of_effect_to_assignments_is_none_if[of v op'] m'_is by fastforce qed } \ \ TODO slow. \ ultimately show ?thesis unfolding execute_parallel_operator_def using foldl_map_append_is_some_if[of s v False ?l] by meson qed lemma execute_parallel_operator_no_effect_if: assumes "\op \ set ops. \v \ set (add_effects_of op) \ \v \ set (delete_effects_of op)" shows "execute_parallel_operator s ops v = s v" using assms unfolding execute_parallel_operator_def proof (induction ops arbitrary: s) case (Cons a ops) let ?f = "map_of \ effect_to_assignments" { have "v \ set (add_effects_of a) \ v \ set (delete_effects_of a)" using Cons.prems(1) by force then have "?f a v = None" using map_of_effect_to_assignments_is_none_if[of v a] by fastforce then have "v \ dom (?f a)" by blast hence "(s ++ ?f a) v = s v" using map_add_dom_app_simps(3)[of v "?f a" s] by blast } moreover { have "\op\set ops. 
v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" using Cons.prems(1) by simp hence "foldl (++) (s ++ ?f a) (map ?f ops) v = (s ++ ?f a) v" using Cons.IH[of "s ++ ?f a"] by blast } moreover { have "map ?f (a # ops) = ?f a # map ?f ops" by force then have "foldl (++) s (map ?f (a # ops)) = foldl (++) (s ++ ?f a) (map ?f ops)" using foldl_Cons by force } ultimately show ?case by argo qed fastforce corollary execute_parallel_operators_strips_none_if: assumes "\op \ set ops. \v \ set (add_effects_of op) \ \v \ set (delete_effects_of op)" and "s v = None" shows "execute_parallel_operator s ops v = None" using execute_parallel_operator_no_effect_if[OF assms(1)] assms(2) by simp corollary execute_parallel_operators_strips_none_if_contraposition: assumes "\execute_parallel_operator s ops v = None" shows "(\op \ set ops. v \ set (add_effects_of op) \ v \ set (delete_effects_of op)) \ s v \ None" proof - let ?P = "(\op \ set ops. \v \ set (add_effects_of op) \ \v \ set (delete_effects_of op)) \ s v = None" and ?Q = "execute_parallel_operator s ops v = None" have "?P \ ?Q" using execute_parallel_operators_strips_none_if[of ops v s] by blast then have "\?P" using contrapos_nn[of ?Q ?P] using assms by argo thus ?thesis by meson qed text \ We will now move on to showing the equivalent to theorem \isaname{operator_effect__strips} in \isaname{execute_parallel_operator_effect}. 
Under the condition that for a list of operators \<^term>\ops\ all operators in the corresponding set are applicable in a given state \<^term>\s\ and all operator effects are consistent, if an operator \<^term>\op\ exists with \<^term>\op \ set ops\ and with \<^term>\v\ being an add effect of \<^term>\op\, then the successor state @{text[display, indent=4] "s' \ execute_parallel_operator s ops"} will evaluate \<^term>\v\ to true, that is @{text[display, indent=4] "execute_parallel_operator s ops v = Some True"} Symmetrically, if \<^term>\v\ is a delete effect, we have @{text[display, indent=4] "execute_parallel_operator s ops v = Some False"} under the same condition as for the positive effect. Lastly, if \<^term>\v\ is neither an add effect nor a delete effect for any operator in the operator set corresponding to $ops$, then the state after parallel operator execution remains unchanged, i.e. @{text[display, indent=4] "execute_parallel_operator s ops v = s v"} \ theorem execute_parallel_operator_effect: assumes "are_all_operators_applicable s ops" and "are_all_operator_effects_consistent ops" shows "op \ set ops \ v \ set (add_effects_of op) \ execute_parallel_operator s ops v = Some True" and "op \ set ops \ v \ set (delete_effects_of op) \ execute_parallel_operator s ops v = Some False" and "(\op \ set ops. v \ set (add_effects_of op) \ v \ set (delete_effects_of op)) \ execute_parallel_operator s ops v = s v" using execute_parallel_operator_positive_effect_if[OF assms] execute_parallel_operator_negative_effect_if[OF assms] execute_parallel_operator_no_effect_if[of ops v s] by blast+ lemma is_parallel_solution_for_problem_operator_set: fixes \:: "'a strips_problem" assumes "is_parallel_solution_for_problem \ \" and "ops \ set \" and "op \ set ops" shows "op \ set ((\)\<^sub>\)" proof - have "\ops \ set \. \op \ set ops. op \ set (strips_problem.operators_of \)" using assms(1) unfolding is_parallel_solution_for_problem_def list_all_iff ListMem_iff.. 
thus ?thesis using assms(2, 3) by fastforce qed lemma trace_parallel_plan_strips_not_nil: "trace_parallel_plan_strips I \ \ []" proof (cases \) case (Cons a list) then show ?thesis by (cases "are_all_operators_applicable I (hd \) \ are_all_operator_effects_consistent (hd \)" , simp+) qed simp corollary length_trace_parallel_plan_gt_0[simp]: "0 < length (trace_parallel_plan_strips I \)" using trace_parallel_plan_strips_not_nil.. corollary length_trace_minus_one_lt_length_trace[simp]: "length (trace_parallel_plan_strips I \) - 1 < length (trace_parallel_plan_strips I \)" using diff_less[OF _ length_trace_parallel_plan_gt_0] by auto lemma trace_parallel_plan_strips_head_is_initial_state: "trace_parallel_plan_strips I \ ! 0 = I" proof (cases \) case (Cons a list) then show ?thesis by (cases "are_all_operators_applicable I a \ are_all_operator_effects_consistent a", simp+) qed simp lemma trace_parallel_plan_strips_length_gt_one_if: assumes "k < length (trace_parallel_plan_strips I \) - 1" shows "1 < length (trace_parallel_plan_strips I \)" using assms by linarith \ \ This lemma simply shows that the last element of a \trace_parallel_plan_strips execution\ \step s # trace_parallel_plan_strips s' \\ always is the last element of \trace_parallel_plan_strips s' \\ since \trace_parallel_plan_strips\ always returns at least a singleton list (even if \\ = []\). \ lemma trace_parallel_plan_strips_last_cons_then: "last (s # trace_parallel_plan_strips s' \) = last (trace_parallel_plan_strips s' \)" by (cases \, simp, force) text \ Parallel plan traces have some important properties that we want to confirm before proceeding. Let \<^term>\\ \ trace_parallel_plan_strips I \\ be a trace for a parallel plan \<^term>\\\ with initial state \<^term>\I\. First, all parallel operators \<^term>\ops = \ ! k\ for any index \<^term>\k\ with \<^term>\k < length \ - 1\ (meaning that \<^term>\k\ is not the index of the last element). must be applicable and their effects must be consistent. 
Otherwise, the trace would have terminated and \<^term>\ops\ would have been the last element. This would violate the assumption that \<^term>\k < length \ - 1\ is not the last index since the index of the last element is \<^term>\length \ - 1\. \footnote{More precisely, the index of the last element is \<^term>\length \ - 1\ if \<^term>\\\ is not empty which is however always true since the trace contains at least the initial state.} \ (* TODO? hide? *) lemma trace_parallel_plan_strips_operator_preconditions: assumes "k < length (trace_parallel_plan_strips I \) - 1" shows "are_all_operators_applicable (trace_parallel_plan_strips I \ ! k) (\ ! k) \ are_all_operator_effects_consistent (\ ! k)" using assms proof (induction "\" arbitrary: I k) \ \ NOTE Base case yields contradiction with assumption and can be left to automation. \ case (Cons a \) then show ?case proof (cases "are_all_operators_applicable I a \ are_all_operator_effects_consistent a") case True have trace_parallel_plan_strips_cons: "trace_parallel_plan_strips I (a # \) = I # trace_parallel_plan_strips (execute_parallel_operator I a) \" using True by simp then show ?thesis proof (cases "k") case 0 have "trace_parallel_plan_strips I (a # \) ! 0 = I" using trace_parallel_plan_strips_cons by simp moreover have "(a # \) ! 0 = a" by simp ultimately show ?thesis using True 0 by presburger next case (Suc k') let ?I' = "execute_parallel_operator I a" have "trace_parallel_plan_strips I (a # \) ! Suc k' = trace_parallel_plan_strips ?I' \ ! k'" using trace_parallel_plan_strips_cons by simp moreover have "(a # \) ! Suc k' = \ ! k'" by simp moreover { have "length (trace_parallel_plan_strips I (a # \)) = 1 + length (trace_parallel_plan_strips ?I' \)" unfolding trace_parallel_plan_strips_cons by simp then have "k' < length (trace_parallel_plan_strips ?I' \) - 1" using Suc Cons.prems by fastforce hence "are_all_operators_applicable (trace_parallel_plan_strips ?I' \ ! k') (\ ! 
k') \ are_all_operator_effects_consistent (\ ! k')" using Cons.IH[of k'] by blast } ultimately show ?thesis using Suc by argo qed next case False then have "trace_parallel_plan_strips I (a # \) = [I]" by force then have "length (trace_parallel_plan_strips I (a # \)) - 1 = 0" by simp \ \ NOTE Thesis follows from contradiction with assumption. \ then show ?thesis using Cons.prems by force qed qed auto text \ Another interesting property that we verify below is that elements of the trace store the result of plan prefix execution. This means that for an index \<^term>\k\ with\newline \<^term>\k < length (trace_parallel_plan_strips I \)\, the \<^term>\k\-th element of the trace is state reached by executing the plan prefix \<^term>\take k \\ consisting of the first \<^term>\k\ parallel operators of \<^term>\\\. \ lemma trace_parallel_plan_plan_prefix: assumes "k < length (trace_parallel_plan_strips I \)" shows "trace_parallel_plan_strips I \ ! k = execute_parallel_plan I (take k \)" using assms proof (induction \ arbitrary: I k) case (Cons a \) then show ?case proof (cases "are_all_operators_applicable I a \ are_all_operator_effects_consistent a") case True let ?\ = "trace_parallel_plan_strips I (a # \)" and ?I' = "execute_parallel_operator I a" have \_equals: "?\ = I # trace_parallel_plan_strips ?I' \" using True by auto then show ?thesis proof (cases "k = 0") case False obtain k' where k_is_suc_of_k': "k = Suc k'" using not0_implies_Suc[OF False] by blast then have "execute_parallel_plan I (take k (a # \)) = execute_parallel_plan ?I' (take k' \)" using True by simp moreover have "trace_parallel_plan_strips I (a # \) ! k = trace_parallel_plan_strips ?I' \ ! k'" using \_equals k_is_suc_of_k' by simp moreover { have "k' < length (trace_parallel_plan_strips (execute_parallel_operator I a) \)" using Cons.prems \_equals k_is_suc_of_k' by force hence "trace_parallel_plan_strips ?I' \ ! 
k' = execute_parallel_plan ?I' (take k' \)" using Cons.IH[of k' ?I'] by blast } ultimately show ?thesis by presburger qed simp next case operator_precondition_violated: False then show ?thesis proof (cases "k = 0") case False then have "trace_parallel_plan_strips I (a # \) = [I]" using operator_precondition_violated by force moreover have "execute_parallel_plan I (take k (a # \)) = I" using Cons.prems operator_precondition_violated by force ultimately show ?thesis using Cons.prems nth_Cons_0 by auto qed simp qed qed simp lemma length_trace_parallel_plan_strips_lte_length_plan_plus_one: shows "length (trace_parallel_plan_strips I \) \ length \ + 1" proof (induction \ arbitrary: I) case (Cons a \) then show ?case proof (cases "are_all_operators_applicable I a \ are_all_operator_effects_consistent a") case True let ?I' = "execute_parallel_operator I a" { have "trace_parallel_plan_strips I (a # \) = I # trace_parallel_plan_strips ?I' \" using True by auto then have "length (trace_parallel_plan_strips I (a # \)) = length (trace_parallel_plan_strips ?I' \) + 1" by simp moreover have "length (trace_parallel_plan_strips ?I' \) \ length \ + 1" using Cons.IH[of ?I'] by blast ultimately have "length (trace_parallel_plan_strips I (a # \)) \ length (a # \) + 1" by simp } thus ?thesis by blast qed auto qed simp \ \ Show that \\\ is at least a singleton list. 
\ lemma plan_is_at_least_singleton_plan_if_trace_has_at_least_two_elements: assumes "k < length (trace_parallel_plan_strips I \) - 1" obtains ops \' where "\ = ops # \'" proof - let ?\ = "trace_parallel_plan_strips I \" have "length ?\ \ length \ + 1" using length_trace_parallel_plan_strips_lte_length_plan_plus_one by fast then have "0 < length \" using trace_parallel_plan_strips_length_gt_one_if assms by force then obtain k' where "length \ = Suc k'" using gr0_implies_Suc by meson thus ?thesis using that using length_Suc_conv[of \ k'] by blast qed \ \ Show that if a parallel plan trace does not have maximum length, in the last state reached through operator execution the parallel operator execution condition was violated. \ corollary length_trace_parallel_plan_strips_lt_length_plan_plus_one_then: assumes "length (trace_parallel_plan_strips I \) < length \ + 1" shows "\are_all_operators_applicable (execute_parallel_plan I (take (length (trace_parallel_plan_strips I \) - 1) \)) (\ ! (length (trace_parallel_plan_strips I \) - 1)) \ \are_all_operator_effects_consistent (\ ! (length (trace_parallel_plan_strips I \) - 1))" using assms proof (induction \ arbitrary: I) case (Cons ops \) let ?\ = "trace_parallel_plan_strips I (ops # \)" and ?I' = "execute_parallel_operator I ops" show ?case proof (cases "are_all_operators_applicable I ops \ are_all_operator_effects_consistent ops") case True then have \_is: "?\ = I # trace_parallel_plan_strips ?I' \" by fastforce show ?thesis proof (cases "length (trace_parallel_plan_strips ?I' \) < length \ + 1") case True then have "\ are_all_operators_applicable (execute_parallel_plan ?I' (take (length (trace_parallel_plan_strips ?I' \) - 1) \)) (\ ! (length (trace_parallel_plan_strips ?I' \) - 1)) \ \ are_all_operator_effects_consistent (\ ! 
(length (trace_parallel_plan_strips ?I' \) - 1))" using Cons.IH[of ?I'] by blast moreover have "trace_parallel_plan_strips ?I' \ \ []" using trace_parallel_plan_strips_not_nil by blast ultimately show ?thesis unfolding take_Cons' by simp next case False then have "length (trace_parallel_plan_strips ?I' \) \ length \ + 1" by fastforce thm Cons.prems moreover have "length (trace_parallel_plan_strips I (ops # \)) = 1 + length (trace_parallel_plan_strips ?I' \)" using True by force moreover have "length (trace_parallel_plan_strips ?I' \) < length (ops # \)" using Cons.prems calculation(2) by force ultimately have False by fastforce thus ?thesis.. qed next case False then have \_is_singleton: "?\ = [I]" using False by auto then have "ops = (ops # \) ! (length ?\ - 1)" by fastforce moreover have "execute_parallel_plan I (take (length ?\ - 1) \) = I" using \_is_singleton by auto \ \ TODO slow. \ ultimately show ?thesis using False by auto qed qed simp lemma trace_parallel_plan_step_effect_is: assumes "k < length (trace_parallel_plan_strips I \) - 1" shows "trace_parallel_plan_strips I \ ! Suc k = execute_parallel_operator (trace_parallel_plan_strips I \ ! k) (\ ! k)" proof - \ \ NOTE Rewrite the proposition using lemma \trace_parallel_plan_strips_subplan\. \ { let ?\ = "trace_parallel_plan_strips I \" have "Suc k < length ?\" using assms by linarith hence "trace_parallel_plan_strips I \ ! Suc k = execute_parallel_plan I (take (Suc k) \)" using trace_parallel_plan_plan_prefix[of "Suc k" I \] by blast } moreover have "execute_parallel_plan I (take (Suc k) \) = execute_parallel_operator (trace_parallel_plan_strips I \ ! k) (\ ! k)" using assms proof (induction k arbitrary: I \) case 0 then have "execute_parallel_operator (trace_parallel_plan_strips I \ ! 0) (\ ! 0) = execute_parallel_operator I (\ ! 
0)" using trace_parallel_plan_strips_head_is_initial_state[of I \] by argo moreover { obtain ops \' where "\ = ops # \'" using plan_is_at_least_singleton_plan_if_trace_has_at_least_two_elements[OF "0.prems"] by blast then have "take (Suc 0) \ = [\ ! 0]" by simp hence "execute_parallel_plan I (take (Suc 0) \) = execute_parallel_plan I [\ ! 0]" by argo } moreover { have "0 < length (trace_parallel_plan_strips I \) - 1" using trace_parallel_plan_strips_length_gt_one_if "0.prems" by fastforce hence "are_all_operators_applicable I (\ ! 0) \ are_all_operator_effects_consistent (\ ! 0)" using trace_parallel_plan_strips_operator_preconditions[of 0 I \] trace_parallel_plan_strips_head_is_initial_state[of I \] by argo } ultimately show ?case by auto next case (Suc k) obtain ops \' where \_split: "\ = ops # \'" using plan_is_at_least_singleton_plan_if_trace_has_at_least_two_elements[OF Suc.prems] by blast let ?I' = "execute_parallel_operator I ops" { have "length (trace_parallel_plan_strips I \) = 1 + length (trace_parallel_plan_strips ?I' \')" using Suc.prems \_split by fastforce then have "k < length (trace_parallel_plan_strips ?I' \')" using Suc.prems by fastforce moreover have "trace_parallel_plan_strips I \ ! Suc k = trace_parallel_plan_strips ?I' \' ! k" using Suc.prems \_split by force ultimately have "trace_parallel_plan_strips I \ ! Suc k = execute_parallel_plan ?I' (take k \')" using trace_parallel_plan_plan_prefix[of k ?I' \'] by argo } moreover have "execute_parallel_plan I (take (Suc (Suc k)) \) = execute_parallel_plan ?I' (take (Suc k) \')" using Suc.prems \_split by fastforce moreover { have "0 < length (trace_parallel_plan_strips I \) - 1" using Suc.prems by linarith hence "are_all_operators_applicable I (\ ! 0) \ are_all_operator_effects_consistent (\ ! 
0)" using trace_parallel_plan_strips_operator_preconditions[of 0 I \] trace_parallel_plan_strips_head_is_initial_state[of I \] by argo } ultimately show ?case using Suc.IH Suc.prems \_split by auto qed ultimately show ?thesis using assms by argo qed \ \ Show that every state in a plan execution trace of a valid problem description is defined for all problem variables. This is true because the initial state is defined for all problem -variables—by definition of @{text "is_valid_problem_strips \"}—and no operator can remove a +variables---by definition of @{text "is_valid_problem_strips \"}---and no operator can remove a previously defined variable (only positive and negative effects are possible). \ (* TODO refactor \STRIPS_Semantics\ + abstract/concretize first two assumptions (e.g. second one only needs all operators are problem operators)? *) lemma trace_parallel_plan_strips_none_if: fixes \:: "'a strips_problem" assumes "is_valid_problem_strips \" and "is_parallel_solution_for_problem \ \" and "k < length (trace_parallel_plan_strips ((\)\<^sub>I) \)" shows "(trace_parallel_plan_strips ((\)\<^sub>I) \ ! k) v = None \ v \ set ((\)\<^sub>\)" proof - let ?vs = "strips_problem.variables_of \" and ?ops = "strips_problem.operators_of \" and ?\ = "trace_parallel_plan_strips ((\)\<^sub>I) \" and ?I = "strips_problem.initial_of \" show ?thesis using assms proof (induction k) case 0 have "?\ ! 0 = ?I" using trace_parallel_plan_strips_head_is_initial_state by auto then show ?case using is_valid_problem_strips_initial_of_dom[OF assms(1)] by auto next case (Suc k) have k_lt_length_\_minus_one: "k < length ?\ - 1" using Suc.prems(3) by linarith then have IH: "(trace_parallel_plan_strips ?I \ ! k) v = None \ v \set ((\)\<^sub>\)" using Suc.IH[OF Suc.prems(1, 2)] by force have \_Suc_k_is: "(?\ ! Suc k) = execute_parallel_operator (?\ ! k) (\ ! k)" using trace_parallel_plan_step_effect_is[OF k_lt_length_\_minus_one]. 
have all_operators_applicable: "are_all_operators_applicable (?\ ! k) (\ ! k)" and all_effects_consistent: "are_all_operator_effects_consistent (\ ! k)" using trace_parallel_plan_strips_operator_preconditions[OF k_lt_length_\_minus_one] by simp+ show ?case proof (rule iffI) assume \_Suc_k_of_v_is_None: "(?\ ! Suc k) v = None" show "v \ set ((\)\<^sub>\)" proof (rule ccontr) assume "\v \ set ((\)\<^sub>\)" then have v_in_set_vs: "v \ set((\)\<^sub>\)" by blast show False proof (cases "\op \ set (\ ! k). v \ set (add_effects_of op) \ v \ set (delete_effects_of op)") case True then obtain op where op_in_\\<^sub>k: "op \ set (\ ! k)" and "v \ set (add_effects_of op) \ v \ set (delete_effects_of op)".. then consider (A) "v \ set (add_effects_of op)" | (B) "v \ set (delete_effects_of op)" by blast thus False using execute_parallel_operator_positive_effect_if[OF all_operators_applicable all_effects_consistent op_in_\\<^sub>k] execute_parallel_operator_negative_effect_if[OF all_operators_applicable all_effects_consistent op_in_\\<^sub>k] \_Suc_k_of_v_is_None \_Suc_k_is by (cases, fastforce+) next case False then have "\op \ set (\ ! k). v \ set (add_effects_of op) \ v \ set (delete_effects_of op)" by blast then have "(?\ ! Suc k) v = (?\ ! k) v" using execute_parallel_operator_no_effect_if \_Suc_k_is by fastforce then have "v \ set ((\)\<^sub>\)" using IH \_Suc_k_of_v_is_None by simp thus False using v_in_set_vs by blast qed qed next assume v_notin_vs: "v \ set ((\)\<^sub>\)" { fix op assume op_in_\\<^sub>k: "op \ set (\ ! k)" { have "1 < length ?\" using trace_parallel_plan_strips_length_gt_one_if[OF k_lt_length_\_minus_one]. then have "0 < length ?\ - 1" using k_lt_length_\_minus_one by linarith moreover have "length ?\ - 1 \ length \" using length_trace_parallel_plan_strips_lte_length_plan_plus_one le_diff_conv by blast then have "k < length \" using k_lt_length_\_minus_one by force hence "\ ! 
k \ set \" by simp } then have op_in_ops: "op \ set ?ops" using is_parallel_solution_for_problem_operator_set[OF assms(2) _ op_in_\\<^sub>k] by force hence "v \ set (add_effects_of op)" and "v \ set (delete_effects_of op)" subgoal using is_valid_problem_strips_operator_variable_sets(2) assms(1) op_in_ops v_notin_vs by auto subgoal using is_valid_problem_strips_operator_variable_sets(3) assms(1) op_in_ops v_notin_vs by auto done } then have "(?\ ! Suc k) v = (?\ ! k) v" using execute_parallel_operator_no_effect_if \_Suc_k_is by metis thus "(?\ ! Suc k) v = None" using IH v_notin_vs by fastforce qed qed qed text \ Finally, given initial and goal states \<^term>\I\ and \<^term>\G\, we can show that it's equivalent to say that \<^term>\\\ is a solution for \<^term>\I\ and \<^term>\G\---i.e. \<^term>\G \\<^sub>m execute_parallel_plan I \\---and that the goal state is subsumed by the last element of the trace of \<^term>\\\ with initial state \<^term>\I\. \ lemma execute_parallel_plan_reaches_goal_iff_goal_is_last_element_of_trace: "G \\<^sub>m execute_parallel_plan I \ \ G \\<^sub>m last (trace_parallel_plan_strips I \)" proof - let ?LHS = "G \\<^sub>m execute_parallel_plan I \" and ?RHS = "G \\<^sub>m last (trace_parallel_plan_strips I \)" show ?thesis proof (rule iffI) assume ?LHS thus ?RHS proof (induction \ arbitrary: I) \ \ NOTE Nil case follows from simplification. 
\ case (Cons a \) thus ?case using Cons.prems proof (cases "are_all_operators_applicable I a \ are_all_operator_effects_consistent a") case True let ?I' = "execute_parallel_operator I a" { have "execute_parallel_plan I (a # \) = execute_parallel_plan ?I' \" using True by auto then have "G \\<^sub>m execute_parallel_plan ?I' \" using Cons.prems by presburger hence "G \\<^sub>m last (trace_parallel_plan_strips ?I' \)" using Cons.IH[of ?I'] by blast } moreover { have "trace_parallel_plan_strips I (a # \) = I # trace_parallel_plan_strips ?I' \" using True by simp then have "last (trace_parallel_plan_strips I (a # \)) = last (I # trace_parallel_plan_strips ?I' \)" by argo hence "last (trace_parallel_plan_strips I (a # \)) = last (trace_parallel_plan_strips ?I' \)" using trace_parallel_plan_strips_last_cons_then[of I ?I' \] by argo } ultimately show ?thesis by argo qed force qed simp next assume ?RHS thus ?LHS proof (induction \ arbitrary: I) \ \ NOTE Nil case follows from simplification. \ case (Cons a \) thus ?case proof (cases "are_all_operators_applicable I a \ are_all_operator_effects_consistent a") case True let ?I' = "execute_parallel_operator I a" { have "trace_parallel_plan_strips I (a # \) = I # (trace_parallel_plan_strips ?I' \)" using True by simp then have "last (trace_parallel_plan_strips I (a # \)) = last (trace_parallel_plan_strips ?I' \)" using trace_parallel_plan_strips_last_cons_then[of I ?I' \] by argo hence "G \\<^sub>m last (trace_parallel_plan_strips ?I' \)" using Cons.prems by argo } thus ?thesis using True Cons by simp next case False then have "last (trace_parallel_plan_strips I (a # \)) = I" and "execute_parallel_plan I (a # \) = I" by (fastforce, force) thus ?thesis using Cons.prems by argo qed qed fastforce qed qed subsection "Serializable Parallel Plans" text \ With the groundwork on parallel and serial execution of STRIPS in place we can now address the question under which conditions a parallel solution to a problem corresponds to a serial 
solution and vice versa. As we will see (in theorem \ref{isathm:embedding-serial-strips-plan}), while a serial plan can be trivially rewritten as a parallel plan consisting of singleton operator list for each operator in the plan, the condition for parallel plan solutions also involves non interference. \ \ \ Given that non interference implies that operator execution order can be switched arbitrarily, it stands to reason that parallel operator execution can be serialized if non interference is mandated in addition to the regular parallel execution condition (applicability and effect consistency). This is in fact true as we show in the lemma below \footnote{In the source literatur it is required that $\mathrm{app}_S(s)$ is defined which requires that $\mathrm{app}_o(s)$ is defined for every $o \in S$. This again means that the preconditions hold in $s$ and the set of effects is consistent which translates to the execution condition in \execute_parallel_operator\. \cite[Lemma 2.11., p.1037]{DBLP:journals/ai/RintanenHN06} Also, the proposition \cite[Lemma 2.11., p.1037]{DBLP:journals/ai/RintanenHN06} is in fact proposed to be true for any total ordering of the operator set but we only proof it for the implicit total ordering induced by the specific order in the operator list of the problem statement.} \ (* TODO rename execute_parallel_operator_equals_execute_serial_if *) lemma execute_parallel_operator_equals_execute_sequential_strips_if: fixes s :: "('variable, bool) state" assumes "are_all_operators_applicable s ops" and "are_all_operator_effects_consistent ops" and "are_all_operators_non_interfering ops" shows "execute_parallel_operator s ops = execute_serial_plan s ops" using assms proof (induction ops arbitrary: s) case Nil have "execute_parallel_operator s Nil = foldl (++) s (map (map_of \ effect_to_assignments) Nil)" using Nil.prems(1,2) unfolding execute_parallel_operator_def by presburger also have "\ = s" by simp finally have "execute_parallel_operator s 
Nil = s" by blast moreover have "execute_serial_plan s Nil = s" by auto ultimately show ?case by simp next case (Cons a ops) \ \ NOTE Use the preceding lemmas to show that the premises hold for the sublist and use the IH to obtain the theorem for the sublist ops. \ have a: "is_operator_applicable_in s a" using are_all_operators_applicable_cons Cons.prems(1) by blast+ let ?s' = "s ++ map_of (effect_to_assignments a)" { from Cons.prems have "are_all_operators_applicable ?s' ops" and "are_all_operator_effects_consistent ops" and "are_all_operators_non_interfering ops" using execute_parallel_plan_precondition_cons by blast+ then have "execute_serial_plan ?s' ops = execute_parallel_operator ?s' ops" using Cons.IH by presburger } moreover from Cons.prems have "execute_parallel_operator s (Cons a ops) = execute_parallel_operator ?s' ops" using execute_parallel_operator_cons_equals_corollary unfolding execute_operator_def by simp moreover from a have "execute_serial_plan s (Cons a ops) = execute_serial_plan ?s' ops" unfolding execute_serial_plan_def execute_operator_def is_operator_applicable_in_def by fastforce ultimately show ?case by argo qed lemma execute_serial_plan_split_i: assumes "are_all_operators_applicable s (op # \)" and "are_all_operators_non_interfering (op # \)" shows "are_all_operators_applicable (s \ op) \" using assms proof (induction \ arbitrary: s) case Nil then show ?case unfolding are_all_operators_applicable_def by simp next case (Cons op' \) let ?t = "s \ op" { fix x assume "x \ set (op' # \)" moreover have "op \ set (op # op' # \)" by simp moreover have "\are_operators_interfering op x" using Cons.prems(2) calculation(1) unfolding are_all_operators_non_interfering_def list_all_iff by fastforce moreover have "is_operator_applicable_in s op" using Cons.prems(1) unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by force moreover have "is_operator_applicable_in s x" using are_all_operators_applicable_cons(2)[OF 
Cons.prems(1)] calculation(1) unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by fast ultimately have "is_operator_applicable_in ?t x" using execute_parallel_plan_precondition_cons_i[of op x s] by (auto simp: execute_operator_def) } thus ?case using are_all_operators_applicable_cons(2) unfolding is_operator_applicable_in_def STRIPS_Representation.is_operator_applicable_in_def are_all_operators_applicable_def list_all_iff by simp qed \ \ Show that plans $\pi$ can be split into separate executions of partial plans $\pi_1$ and $\pi_2$ with $\pi = \pi_1 @ \pi_2$, if all operators in $\pi_1$ are applicable in the given state $s$ and there is no interference between subsequent operators in $\pi_1$. This is the case because non interference ensures that no precondition for any operator in $\pi_1$ is negated by the execution of a preceding operator. Note that the non interference constraint excludes partial plans where a precondition is first violated during execution but later restored which would also allow splitting but does not meet the non interference constraint (which must hold for all possible executing orders). \ lemma execute_serial_plan_split: fixes s :: "('variable, bool) state" assumes "are_all_operators_applicable s \\<^sub>1" and "are_all_operators_non_interfering \\<^sub>1" shows "execute_serial_plan s (\\<^sub>1 @ \\<^sub>2) = execute_serial_plan (execute_serial_plan s \\<^sub>1) \\<^sub>2" using assms proof (induction \\<^sub>1 arbitrary: s) case (Cons op \\<^sub>1) let ?t = "s \ op" { have "are_all_operators_applicable (s \ op) \\<^sub>1" using execute_serial_plan_split_i[OF Cons.prems(1, 2)]. moreover have "are_all_operators_non_interfering \\<^sub>1" using are_all_operators_non_interfering_tail[OF Cons.prems(2)]. 
ultimately have "execute_serial_plan ?t (\\<^sub>1 @ \\<^sub>2) = execute_serial_plan (execute_serial_plan ?t \\<^sub>1) \\<^sub>2" using Cons.IH[of ?t] by blast } moreover have "STRIPS_Representation.is_operator_applicable_in s op" using Cons.prems(1) unfolding are_all_operators_applicable_def list_all_iff by fastforce ultimately show ?case unfolding execute_serial_plan_def by simp qed simp (* TODO refactor *) lemma embedding_lemma_i: fixes I :: "('variable, bool) state" assumes "is_operator_applicable_in I op" and "are_operator_effects_consistent op op" shows "I \ op = execute_parallel_operator I [op]" proof - have "are_all_operators_applicable I [op]" using assms(1) unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by fastforce moreover have "are_all_operator_effects_consistent [op]" unfolding are_all_operator_effects_consistent_def list_all_iff using assms(2) by fastforce moreover have "are_all_operators_non_interfering [op]" by simp moreover have "I \ op = execute_serial_plan I [op]" using assms(1) unfolding is_operator_applicable_in_def by (simp add: assms(1) execute_operator_def) ultimately show ?thesis using execute_parallel_operator_equals_execute_sequential_strips_if by force qed lemma execute_serial_plan_is_execute_parallel_plan_ii: fixes I :: "'variable strips_state" assumes "\op \ set \. 
are_operator_effects_consistent op op" and "G \\<^sub>m execute_serial_plan I \" shows "G \\<^sub>m execute_parallel_plan I (embed \)" proof - show ?thesis using assms proof (induction \ arbitrary: I) case (Cons op \) then show ?case proof (cases "is_operator_applicable_in I op") case True let ?J = "I \ op" and ?J' = "execute_parallel_operator I [op]" { have "G \\<^sub>m execute_serial_plan ?J \" using Cons.prems(2) True unfolding is_operator_applicable_in_def by (simp add: True) hence "G \\<^sub>m execute_parallel_plan ?J (embed \)" using Cons.IH[of ?J] Cons.prems(1) by fastforce } moreover { have "are_all_operators_applicable I [op]" using True unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by fastforce moreover have "are_all_operator_effects_consistent [op]" unfolding are_all_operator_effects_consistent_def list_all_iff using Cons.prems(1) by fastforce moreover have "?J = ?J'" using execute_parallel_operator_equals_execute_sequential_strips_if[OF calculation(1, 2)] Cons.prems(1) True unfolding is_operator_applicable_in_def by (simp add: True) ultimately have "execute_parallel_plan I (embed (op # \)) = execute_parallel_plan ?J (embed \)" by fastforce } ultimately show ?thesis by presburger next case False then have "G \\<^sub>m I" using Cons.prems is_operator_applicable_in_def by simp moreover { have "\are_all_operators_applicable I [op]" using False unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by force hence "execute_parallel_plan I (embed (op # \)) = I" by simp } ultimately show ?thesis by presburger qed qed simp qed lemma embedding_lemma_iii: fixes \:: "'a strips_problem" assumes "\op \ set \. op \ set ((\)\<^sub>\)" shows "\ops \ set (embed \). \op \ set ops. op \ set ((\)\<^sub>\)" proof - (* TODO refactor *) have nb: "set (embed \) = { [op] | op. 
op \ set \ }" by (induction \; force) { fix ops assume "ops \ set (embed \)" moreover obtain op where "op \ set \" and "ops = [op]" using nb calculation by blast ultimately have "\op \ set ops. op \ set ((\)\<^sub>\)" using assms(1) by simp } thus ?thesis.. qed text \ We show in the following theorem that---as mentioned---a serial solution \<^term>\\\ to a STRIPS problem \<^term>\\\ corresponds directly to a parallel solution obtained by embedding each operator in \<^term>\\\ in a list (by use of function \<^term>\embed\). The proof shows this by first confirming that @{text[display, indent=4] "G \\<^sub>m execute_serial_plan ((\)\<^sub>I) \ \ G \\<^sub>m execute_serial_plan ((\)\<^sub>I) (embed \)"} using lemma \isaname{execute_serial_plan_is_execute_parallel_plan_strip_ii}; and moreover by showing that @{text[display, indent=4] "\ops \ set (embed \). \op \ set ops. op \ (\)\<^sub>\"} meaning that under the given assumptions, all parallel operators of the embedded serial plan are again operators in the operator set of the problem. \ theorem embedding_lemma: assumes "is_valid_problem_strips \" and "is_serial_solution_for_problem \ \" shows "is_parallel_solution_for_problem \ (embed \)" proof - (* TODO refactor \STRIPS_Representation\ (characterization of valid operator). *)have nb\<^sub>1: "\op \ set \. op \ set ((\)\<^sub>\)" using assms(2) unfolding is_serial_solution_for_problem_def list_all_iff ListMem_iff operators_of_def by blast (* TODO refactor lemma is_valid_operator_strips_then *) { fix op assume "op \ set \" moreover have "op \ set ((\)\<^sub>\)" using nb\<^sub>1 calculation by fast moreover have "is_valid_operator_strips \ op" using assms(1) calculation(2) unfolding is_valid_problem_strips_def is_valid_problem_strips_def list_all_iff operators_of_def by meson moreover have "list_all (\v. \ListMem v (delete_effects_of op)) (add_effects_of op)" and "list_all (\v. 
\ListMem v (add_effects_of op)) (delete_effects_of op)" using calculation(3) unfolding is_valid_operator_strips_def by meson+ moreover have "\list_ex (\v. ListMem v (delete_effects_of op)) (add_effects_of op)" and "\list_ex (\v. ListMem v (add_effects_of op)) (delete_effects_of op)" using calculation(4, 5) not_list_ex_equals_list_all_not by blast+ moreover have "\list_ex (\v. list_ex ((=) v) (delete_effects_of op)) (add_effects_of op)" and "\list_ex (\v. list_ex ((=) v) (add_effects_of op)) (delete_effects_of op)" using calculation(6, 7) unfolding list_ex_iff ListMem_iff by blast+ ultimately have "are_operator_effects_consistent op op" unfolding are_operator_effects_consistent_def Let_def by blast } note nb\<^sub>2 = this moreover { have "(\)\<^sub>G \\<^sub>m execute_serial_plan ((\)\<^sub>I) \" using assms(2) unfolding is_serial_solution_for_problem_def by simp hence "(\)\<^sub>G \\<^sub>m execute_parallel_plan ((\)\<^sub>I) (embed \)" using execute_serial_plan_is_execute_parallel_plan_ii nb\<^sub>2 by blast } moreover have "\ops \ set (embed \). \op \ set ops. op \ set ((\)\<^sub>\)" using embedding_lemma_iii[OF nb\<^sub>1]. ultimately show ?thesis unfolding is_parallel_solution_for_problem_def goal_of_def initial_of_def operators_of_def list_all_iff ListMem_iff by blast qed lemma flattening_lemma_i: fixes \:: "'a strips_problem" assumes "\ops \ set \. \op \ set ops. op \ set ((\)\<^sub>\)" shows "\op \ set (concat \). op \ set ((\)\<^sub>\)" proof - { fix op assume "op \ set (concat \)" moreover have "op \ (\ops \ set \. set ops)" using calculation unfolding set_concat. then obtain ops where "ops \ set \" and "op \ set ops" using UN_iff by blast ultimately have "op \ set ((\)\<^sub>\)" using assms by blast } thus ?thesis.. qed lemma flattening_lemma_ii: fixes I :: "'variable strips_state" assumes "\ops \ set \. \op. 
ops = [op] \ is_valid_operator_strips \ op " and "G \\<^sub>m execute_parallel_plan I \" shows "G \\<^sub>m execute_serial_plan I (concat \)" proof - let ?\' = "concat \" (* TODO refactor lemma is_valid_operator_strips_then *) { fix op assume "is_valid_operator_strips \ op" moreover have "list_all (\v. \ListMem v (delete_effects_of op)) (add_effects_of op)" and "list_all (\v. \ListMem v (add_effects_of op)) (delete_effects_of op)" using calculation(1) unfolding is_valid_operator_strips_def by meson+ moreover have "\list_ex (\v. ListMem v (delete_effects_of op)) (add_effects_of op)" and "\list_ex (\v. ListMem v (add_effects_of op)) (delete_effects_of op)" using calculation(2, 3) not_list_ex_equals_list_all_not by blast+ moreover have "\list_ex (\v. list_ex ((=) v) (delete_effects_of op)) (add_effects_of op)" and "\list_ex (\v. list_ex ((=) v) (add_effects_of op)) (delete_effects_of op)" using calculation(4, 5) unfolding list_ex_iff ListMem_iff by blast+ ultimately have "are_operator_effects_consistent op op" unfolding are_operator_effects_consistent_def Let_def by blast } note nb\<^sub>1 = this show ?thesis using assms proof (induction \ arbitrary: I) case (Cons ops \) obtain op where ops_is: "ops = [op]" and is_valid_op: "is_valid_operator_strips \ op" using Cons.prems(1) by fastforce show ?case proof (cases "are_all_operators_applicable I ops") case True let ?J = "execute_parallel_operator I [op]" and ?J' = "I \ op" have nb\<^sub>2: "is_operator_applicable_in I op" using True ops_is unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by simp have nb\<^sub>3: "are_operator_effects_consistent op op" using nb\<^sub>1[OF is_valid_op]. 
{ then have "are_all_operator_effects_consistent ops" unfolding are_all_operator_effects_consistent_def list_all_iff using ops_is by fastforce hence "G \\<^sub>m execute_parallel_plan ?J \" using Cons.prems(2) ops_is True by fastforce } moreover have "execute_serial_plan I (concat (ops # \)) = execute_serial_plan ?J' (concat \)" using ops_is nb\<^sub>2 unfolding is_operator_applicable_in_def by (simp add: execute_operator_def nb\<^sub>2) moreover have "?J = ?J'" unfolding execute_parallel_operator_def execute_operator_def comp_apply by fastforce ultimately show ?thesis using Cons.IH Cons.prems by force next case False moreover have "G \\<^sub>m I" using Cons.prems(2) calculation by force moreover { have "\is_operator_applicable_in I op" using ops_is False unfolding are_all_operators_applicable_def list_all_iff is_operator_applicable_in_def by fastforce hence "execute_serial_plan I (concat (ops # \)) = I" using ops_is is_operator_applicable_in_def by simp } ultimately show ?thesis by argo qed qed force qed text \ The opposite direction is also easy to show if we can normalize the parallel plan to the form of an embedded serial plan as shown below. \ lemma flattening_lemma: assumes "is_valid_problem_strips \" and "\ops \ set \. \op. ops = [op]" and "is_parallel_solution_for_problem \ \" shows "is_serial_solution_for_problem \ (concat \)" proof - let ?\' = "concat \" { have "\ops \ set \. \op \ set ops. op \ set ((\)\<^sub>\)" using assms(3) unfolding is_parallel_solution_for_problem_def list_all_iff ListMem_iff by force hence "\op \ set ?\'. 
op \ set ((\)\<^sub>\)" using flattening_lemma_i by blast } moreover { { fix ops assume "ops \ set \" moreover obtain op where "ops = [op]" using assms(2) calculation by blast moreover have "op \ set ((\)\<^sub>\)" using assms(3) calculation unfolding is_parallel_solution_for_problem_def list_all_iff ListMem_iff by force moreover have "is_valid_operator_strips \ op" using assms(1) calculation(3) unfolding is_valid_problem_strips_def Let_def list_all_iff ListMem_iff by simp ultimately have "\op. ops = [op] \ is_valid_operator_strips \ op" by blast } moreover have "(\)\<^sub>G \\<^sub>m execute_parallel_plan ((\)\<^sub>I) \" using assms(3) unfolding is_parallel_solution_for_problem_def by simp ultimately have "(\)\<^sub>G \\<^sub>m execute_serial_plan ((\)\<^sub>I) ?\'" using flattening_lemma_ii by blast } ultimately show "is_serial_solution_for_problem \ ?\'" unfolding is_serial_solution_for_problem_def list_all_iff ListMem_iff by simp qed text \ Finally, we can obtain the important result that a parallel plan with a trace that reaches the goal state of a given problem \<^term>\\\, and for which both the parallel operator execution condition as well as non interference is assured at every point \<^term>\k < length \\, the flattening of the parallel plan \<^term>\concat \\ is a serial solution for the initial and goal state of the problem. To wit, by lemma \ref{isathm:parallel-solution-trace-strips} we have @{text[display, indent=4] "(G \\<^sub>m execute_parallel_plan I \) = (G \\<^sub>m last (trace_parallel_plan_strips I \))"} so the second assumption entails that \<^term>\\\ is a solution for the initial state and the goal state of the problem. (which implicitely means that \<^term>\\\ is a solution for the inital state and goal state of the problem). The trace formulation is used in this case because it allows us to write the---state dependent---applicability condition more succinctly. 
The proof (shown below) is by structural induction on \<^term>\\\ with arbitrary initial state.\ (* TODO Demote to lemma; add theorem about problem solutions. Move text to theorem. *) theorem execute_parallel_plan_is_execute_sequential_plan_if: fixes I :: "('variable, bool) state" assumes "is_valid_problem \" and "G \\<^sub>m last (trace_parallel_plan_strips I \)" and "\k < length \. are_all_operators_applicable (trace_parallel_plan_strips I \ ! k) (\ ! k) \ are_all_operator_effects_consistent (\ ! k) \ are_all_operators_non_interfering (\ ! k)" shows "G \\<^sub>m execute_serial_plan I (concat \)" using assms proof (induction \ arbitrary: I) case (Cons ops \) let ?ops' = "take (length ops) (concat (ops # \))" let ?J = "execute_parallel_operator I ops" and ?J' = "execute_serial_plan I ?ops'" { have "trace_parallel_plan_strips I \ ! 0 = I" and "(ops # \) ! 0 = ops" unfolding trace_parallel_plan_strips_head_is_initial_state by simp+ then have "are_all_operators_applicable I ops" and "are_all_operator_effects_consistent ops" and "are_all_operators_non_interfering ops" using Cons.prems(3) by auto+ then have "trace_parallel_plan_strips I (ops # \) = I # trace_parallel_plan_strips ?J \" by fastforce } note nb = this { have "last (trace_parallel_plan_strips I (ops # \)) = last (trace_parallel_plan_strips ?J \)" using trace_parallel_plan_strips_last_cons_then nb by metis hence "G \\<^sub>m last (trace_parallel_plan_strips ?J \)" using Cons.prems(2) by force } moreover { fix k assume "k < length \" moreover have "k + 1 < length (ops # \)" using calculation by force moreover have "\ ! k = (ops # \) ! (k + 1)" by simp ultimately have "are_all_operators_applicable (trace_parallel_plan_strips ?J \ ! k) (\ ! k)" and "are_all_operator_effects_consistent (\ ! k)" and "are_all_operators_non_interfering (\ ! 
k)" using Cons.prems(3) nb by force+ } ultimately have "G \\<^sub>m execute_serial_plan ?J (concat \)" using Cons.IH[OF Cons.prems(1), of ?J] by blast moreover { have "execute_serial_plan I (concat (ops # \)) = execute_serial_plan ?J' (concat \)" using execute_serial_plan_split[of I ops] Cons.prems(3) by auto thm execute_parallel_operator_equals_execute_sequential_strips_if[of I] moreover have "?J = ?J'" using execute_parallel_operator_equals_execute_sequential_strips_if Cons.prems(3) by fastforce ultimately have "execute_serial_plan I (concat (ops # \)) = execute_serial_plan ?J (concat \)" using execute_serial_plan_split[of I ops] Cons.prems(3) by argo } ultimately show ?case by argo qed force subsection "Auxiliary lemmas about STRIPS" lemma set_to_precondition_of_op_is[simp]: "set (to_precondition op) = { (v, True) | v. v \ set (precondition_of op) }" unfolding to_precondition_def STRIPS_Representation.to_precondition_def set_map by blast end
diff --git a/web/entries/Complete_Non_Orders.html b/web/entries/Complete_Non_Orders.html
--- a/web/entries/Complete_Non_Orders.html
+++ b/web/entries/Complete_Non_Orders.html
@@ -1,210 +1,210 @@ Complete Non-Orders and Fixed Points - Archive of Formal Proofs

 

 

 

 

 

 

Complete Non-Orders and Fixed Points

 

Title: Complete Non-Orders and Fixed Points
Authors: Akihisa Yamada (akihisa /dot/ yamada /at/ aist /dot/ go /dot/ jp) and Jérémy Dubut
Submission date: 2019-06-27
Abstract: We develop an Isabelle/HOL library of order-theoretic concepts, such as various completeness conditions and fixed-point theorems. We keep our formalization as general as possible: we reprove several well-known results about complete orders, often without any properties of ordering, thus complete non-orders. In particular, we generalize the Knaster–Tarski theorem so that we ensure the existence of a quasi-fixed point of monotone maps over complete non-orders, and show that the set of quasi-fixed points is complete under a mild
-condition—attractivity—which is implied by either antisymmetry or
+condition---attractivity---which is implied by either antisymmetry or
transitivity. This result generalizes and strengthens a result by Stauti and Maaden. Finally, we recover Kleene’s fixed-point theorem for omega-complete non-orders, again using attractivity to prove that Kleene’s fixed points are least quasi-fixed points.
BibTeX:
@article{Complete_Non_Orders-AFP,
   author  = {Akihisa Yamada and Jérémy Dubut},
   title   = {Complete Non-Orders and Fixed Points},
   journal = {Archive of Formal Proofs},
   month   = jun,
   year    = 2019,
   note    = {\url{https://isa-afp.org/entries/Complete_Non_Orders.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

\ No newline at end of file
diff --git a/web/entries/Green.html b/web/entries/Green.html
--- a/web/entries/Green.html
+++ b/web/entries/Green.html
@@ -1,218 +1,218 @@ An Isabelle/HOL formalisation of Green's Theorem - Archive of Formal Proofs

 

 

 

 

 

 

An Isabelle/HOL formalisation of Green's Theorem

 

Title: An Isabelle/HOL formalisation of Green's Theorem
Authors: Mohammad Abdulaziz and Lawrence C. Paulson
Submission date: 2018-01-11
Abstract:
-We formalise a statement of Green’s theorem—the first formalisation to
-our knowledge—in Isabelle/HOL. The theorem statement that we formalise
+We formalise a statement of Green’s theorem---the first formalisation to
+our knowledge---in Isabelle/HOL. The theorem statement that we formalise
is enough for most applications, especially in physics and engineering. Our formalisation is made possible by a novel proof that avoids the ubiquitous line integral cancellation argument. This eliminates the need to formalise orientations and region boundaries explicitly with respect to the outwards-pointing normal vector. Instead we appeal to a homological argument about equivalences between paths.
BibTeX:
@article{Green-AFP,
   author  = {Mohammad Abdulaziz and Lawrence C. Paulson},
   title   = {An Isabelle/HOL formalisation of Green's Theorem},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2018,
   note    = {\url{https://isa-afp.org/entries/Green.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

\ No newline at end of file