The PVS Specification Language
Beta Release

Cardinality Properties

% card_set provides a small set of standard lemmas
% regarding finite cardinality, filters, and sets.

  fullset_fincard: LEMMA fincard(fullset[T]) = n

  fincard_non_empty: LEMMA
    (FORALL (m:setof[T]): (EXISTS (z:T): m(z)) IFF fincard(m) /= 0)

  fincard_filter: LEMMA
    (FORALL (m1,m2:setof[T]): fincard(filter(m1,m2)) <= fincard(m1))

  zero_fincard: LEMMA
    (FORALL (y:T),(m1,m2:setof[T]):
      m1(y) AND fincard(filter(m1,m2)) <= 0 IMPLIES NOT m2(y))

  remove_prop: LEMMA
    (FORALL (y,z:T),(m:setof[T]):
      m(z) AND (NOT y=z) IMPLIES remove(y, m)(z))

  fincard_remove: LEMMA
    (FORALL (z:T),(m:setof[T]):
      IF m(z) THEN fincard(remove(z, m)) = fincard(m)-1
      ELSE fincard(remove(z, m)) = fincard(m) ENDIF)

  remove_comm: LEMMA
    (FORALL (z:T),(m1,m2:setof[T]):
      filter(remove(z, m1),m2) = remove(z, filter(m1,m2)))

END card_set

The Prelude

% map_props gives the commutativity properties of composition and map,
% for both sequences and lists.

Theory filters provides filtering functions for sets and lists. Filter functions for sequences cannot be defined in general, since sequences are infinite, and the predicate may only hold for a finite number of elements of the input sequence.

% filters defines filter functions for sets and lists, which take a set
% (list) and a predicate and return the set (list) of those elements
% that satisfy the predicate.
filters[t: TYPE] : THEORY
BEGIN
  filter(s: set[t], p: pred[t]): set[t] = {x: t | s(x) & p(x)}

  filter(l: list[t], p: pred[t]): RECURSIVE list[t] =
    CASES l OF
      null: null,
      cons(x, y): IF p(x) THEN cons(x, filter(y, p)) ELSE filter(y, p) ENDIF
    ENDCASES
  MEASURE (LAMBDA (l: list[t]), (p: pred[t]): length(l))
END filters

Cardinality Properties

Some useful properties regarding cardinalities.

% list_props provides the length function and the function every, which
% tests a predicate against every element of a list.
list_props[t:TYPE] : THEORY
BEGIN
  length(l:list[t]): RECURSIVE nat =
    CASES l OF
      null: 0,
      cons(x,y): length(y) + 1
    ENDCASES
  MEASURE list_nat_rec(0, (LAMBDA (x: t), (n: nat): n + 1))

  every(p: pred[t], l: list[t]): RECURSIVE bool =
    CASES l OF
      null: true,
      cons(x, y): p(x) & every(p, y)
    ENDCASES
  MEASURE (LAMBDA (p: pred[t]), (l: list[t]): length(l))
END list_props

% lists defines the map function, which maps a function over a list,
% returning a list.
lists[t1,t2:TYPE] : THEORY
BEGIN
  map(f: [t1-> t2], l: list[t1]): RECURSIVE list[t2] =
    CASES l OF
      null: null,
      cons(x,y): cons(f(x), map(f, cdr(l)))
    ENDCASES
  MEASURE (LAMBDA (f: [t1-> t2]), (l: list[t1]): length(l))
END lists

Maps and Filters

The map_props theory gives the commutativity properties of composition and map, for both sequences and lists.

…
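The remark above that filter functions cannot be defined for sequences in general, shown as an added Python model (not part of the PVS prelude or the original page): filter_list follows the recursive list definition, while filter_seq_nth is the search a sequence filter would need. Modelling a sequence as a function from index to element, the fuel bound, and the sample names squares, below_ten and is_even are assumptions of this example.

```python
from typing import Callable, List, Optional

Pred = Callable[[int], bool]
Seq = Callable[[int], int]  # assumption: a sequence modelled as a total function index -> element

def filter_list(l: List[int], p: Pred) -> List[int]:
    """List filter as defined on the page; each recursive call shortens l,
    which is what the MEASURE length(l) records, so it always terminates."""
    if not l:                                   # null: null
        return []
    x, y = l[0], l[1:]                          # cons(x, y)
    return [x] + filter_list(y, p) if p(x) else filter_list(y, p)

def every(p: Pred, l: List[int]) -> bool:
    """every from list_props: p holds for each element of l."""
    return all(p(x) for x in l)

def filter_seq_nth(s: Seq, p: Pred, n: int, fuel: int) -> Optional[int]:
    """Element n of a would-be filtered sequence, inspecting at most `fuel`
    indices of s. None means the search gave up; with no bound it would
    loop forever whenever p holds for n or fewer elements of s."""
    kept = 0
    for i in range(fuel):
        x = s(i)
        if p(x):
            if kept == n:
                return x
            kept += 1
    return None

def squares(i: int) -> int:                     # constructed sample sequence 0, 1, 4, 9, ...
    return i * i

def below_ten(x: int) -> bool:                  # holds for only four squares
    return x < 10

def is_even(x: int) -> bool:                    # holds for infinitely many squares
    return x % 2 == 0

if __name__ == "__main__":
    prefix = [squares(i) for i in range(8)]
    print(filter_list(prefix, below_ten))                   # total on finite lists
    print(filter_seq_nth(squares, is_even, 5, 1_000))       # element exists
    print(filter_seq_nth(squares, below_ten, 4, 100_000))   # no such element
```

No amount of fuel produces a fifth element for below_ten, so the filtered result is not a total function on the naturals, which is what a sequence requires.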