Mechanized Ramification

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Mechanized Ramification
Wang Shengyi
Joint work with Aquinas Hobor
National University of Singapore
April 17, 2015
Wang Shengyi (NUS) Mechanized Ramification April 17, 2015 1 / 43

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Overview
Overview
My Work Ramification
Mechanized Semantic Library Separation Logic
Coq Hoare Logic
Formalizing
Formalizing

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Related Works Hoare Logic
Hoare Triple
tPu C tQu

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Hoare Logic Rules
tPu skip tPu tP[E/x]u x := E tPu
tPu S tQu tQu T tRu
tPu S; T tRu
tB ^ Pu S tQu t␣B ^ Pu T tQu
tPu if B then S else T endif tQu
P1 ñ P2 tP2u S tQ2u Q2 ñ Q1
tP1u S tQ1u
tP ^ Bu S tPu
tPu while B do S done t␣B ^ Pu

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example I
J
tx + 1 ď 10u x := x + 1 tx ď 10u
tx ď 10 ^ x ă 10u x := x + 1 tx ď 10u
tx ď 10u while x < 10 do x := x + 1 done t␣x ă 10 ^ x ď 10u
tx ď 10u while x < 10 do x := x + 1 done tx = 10u
tP[E/x]u x:=E tPu
P1ñP2 tP2u S tQ2u Q2ñQ1
tP1u S tQ1u
tP^Bu S tPu
tPu while B do S done t␣B^Pu
P1ñP2 tP2u S tQ2u Q2ñQ1
tP1u S tQ1u

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example II
struct li {struct li *next} *i *j;
j:=nil; while i <> nil do k:=i.next; i.next:=j; j:=i; i:=k done
nil nil
j
i

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example II
nil nil
j k
i

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example II
nil nil
k
i
j

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example II
nil nil
kj
i

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example II
nil nil
j
i
k

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example II
nil nil
i
kj

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Loop Invariant of Example II
D α, β. list α i ^ list β j ^ α:
0 = α:
¨ β
list ϵ i
def
= i = nil list (a ¨ α) i
def
= D j. i ÞÑ a, j ^ list α j

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
(D α, β. list α i ^ list β j ^ α:
0 = α:
¨ β)
^ (@k. reach(i, k) ^ reach(j, k) ñ k = nil)
reach(i, j)
def
= D n ě 0. reachn(i, j) reachn+1(i, j)
def
= D a, k. i ÞÑ a, k ^ reachn(k, j)
reach0(i, j)
def
= i = j list ϵ i
def
def

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
0 = α:
¨ β) ^ list γ x
^ (@k. reach(i, k) ^ reach(j, k) ñ k = nil)
^ (@k. reach(x, k) ^ (reach(i, k) _ reach(j, k)) ñ k = nil))
reach(i, j)
def
def
reach0(i, j)
def
= i = j list ϵ i
def
def

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Related Works Separation Logic
Separating Conjunction
P › Q

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Separating Conjunction
h |ù P › Q
def
= D h1, h2. h1 ‘ h2 = h ^ h1 |ù P ^ h2 |ù Q

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Frame Rule
tPu C tQu
tP › Fu C tQ › Fu
(mod(C) X fv(R) = H)

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Hoare Logic:
0 = α:
¨ β)
^(@k. reach(i, k) ^ reach(j, k) ñ k = nil)
reach(i, j)
def
def
reach0(i, j)
def
= i = j list ϵ i
def
def
Separation Logic:
D α, β. list α i › list β j ^ α:
0 = α:
¨ β
list ϵ i
def
def
= D j. i ÞÑ a, j › list α j

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Hoare Logic:
0 = α:
¨ β) ^ list γ x
^(@k. reach(i, k) ^ reach(j, k) ñ k = nil)
^ (@k. reach(x, k) ^ (reach(i, k) _ reach(j, k)) ñ k = nil))
reach(i, j)
def
def
reach0(i, j)
def
= i = j list ϵ i
def
def
Separation Logic:
D α, β. list α i › list β j ^ α:
0 = α:
¨ β
list ϵ i
def
def
= D j. i ÞÑ a, j › list α j

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example III
struct node {
bool m
struct node *l, *r
}
void mark(struct node *x) {
if (x == nil || x->m)
return
struct node *l = x->l
struct node *r = x->r
x->m = true
mark(l)
mark(r)
}

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Frame Rule Application for Trees
#
t ÞÑ 1, l, r › tree(l, τ)
› tree(r, τ)
+
mark(l)
#
› tree(r, τ)
+
tree(x, τ)
def
=(x = 0 ^ emp)_
D d, l, r. τ(x) = (d, l, r) ^ x ÞÑ d, l, r › tree(l, τ) › tree(r, τ)

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Frame Rule Application for Trees
ttree(l, τ)u mark(l) ttree(l, τ)u
#
› tree(r, τ)
+
mark(l)
#
› tree(r, τ)
+
tree(x, τ)
def
=(x = 0 ^ emp)_
D d, l, r. τ(x) = (d, l, r) ^ x ÞÑ d, l, r › tree(l, τ) › tree(r, τ)

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Example III
struct node {
bool m
struct node *l, *r
}
void mark(struct node *x) {
if (x == nil || x->m)
return
struct node *l = x->l
struct node *r = x->r
x->m = true
mark(l)
mark(r)
}

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Frame Rule Does Not Work
#
t ÞÑ 1, l, r Y› graph(l, γ)
Y› graph(r, γ)
+
mark(l)
#
t ÞÑ 1, l, r Y› graph(l, γ)
Y› graph(r, γ)
+
graph(x, γ)
def
=(x = 0 ^ emp)_
Dd, l, r. γ(x) = (d, l, r) ^ x ÞÑ d, l, r Y› graph(l, γ) Y› graph(l, γ)
h |ù P Y› Q
def
= Dh1, h2, h3. (h1 ‘ h2 ‘ h3 = h) ^ (h1 ‘ h2 |ù P) ^ (h2 ‘ h3 |ù Q)

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Related Works Ramification
Ramify Rule
tPu C tQu R $ P › (Q ´´› R1)
tRu C tR1u
(mod(C) X fv(Q ´´› R1
) = H)
P
Q ´´› R1
R
h |ù Q ´´› R1 def
= @h1, h2. h1 ‘ h = h2 ñ h1 |ù Q ñ h2 |ù R1
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Ramify Rule
tPu C tQu R $ P › (Q ´´› R1)
tRu C tR1u
) = H)
Q ´´› R1
= @h1, h2. h1 ‘ h = h2 ñ h1 |ù Q ñ h2 |ù R1
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Ramify Rule
tPu C tQu R $ P › (Q ´´› R1)
tRu C tR1u
) = H)
Q
Q ´´› R1
R1
= @h1, h2. h1 ‘ h = h2 ñ h1 |ù Q ñ h2 |ù R1
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Related Works Coq
Mechanizm : Coq
Dependent Type TheoryPolymorphism Higher Kinded Type
Calculus of Constructions
Calculus of Inductive Constructions
Inductive Type
Coinductive Type
Calculus of (Co)inductive Constructions
Coq Proof Assistant

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Related Works Coq
Coq
Coq Proof
Assistant
Specification
Language:
Gallina
Tactic
Language:
Ltac
Only Total
Functions
(Must
Terminate)
Wide
Applications

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Related Works Mechanized Semantic Library
Separation Algebra
Coq Definition of h1 ‘ h2 = h
Class Join (t: Type) : Type := join: t Ñ t Ñ t Ñ Prop.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Separation Algebra
Coq Definition of h1 ‘ h2 = h
Class Join (t: Type) : Type := join: t Ñ t Ñ t Ñ Prop.
Class Perm alg (t: Type) {J: Join t} : Type :=
mkPerm {
join eq: @ {x y z z’}, join x y z Ñ join x y z’ Ñ z = z’;
join assoc: @ {a b c d e}, join a b d Ñ join d c e Ñ
{f : t & join b c f ^ join a f e};
join comm: @ {a b c}, join a b c Ñ join b a c;
join positivity: @ {a a’ b b’}, join a a’ b Ñ join b b’ a Ñ a=b
}.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Separation Algebra
h |ù P › Q
def
= D h1, h2. h1 ‘ h2 = h ^ h1 |ù P ^ h2 |ù Q

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Separation Algebra
h |ù P › Q
def
= D h1, h2. h1 ‘ h2 = h ^ h1 |ù P ^ h2 |ù Q
Definition of ›
Definition sepcon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
fun h:A ñ D h1 h2, join h1 h2 h ^ p h1 ^ q h2.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Formalization of the Ramification Theory Overlapping Conjunction
Overlapping Conjunction
h |ù P Y› Q
def
= Dh1, h2, h3. (h1 ‘ h2 ‘ h3 = h)^
(h1 ‘ h2 |ù P) ^ (h2 ‘ h3 |ù Q)

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Formalization of the Ramification Theory Overlapping Conjunction
Overlapping Conjunction
h |ù P Y› Q
def
= Dh1, h2, h3. (h1 ‘ h2 ‘ h3 = h)^
(h1 ‘ h2 |ù P) ^ (h2 ‘ h3 |ù Q)
Coq Definition
Definition ocon {A: Type}{JA: Join A} (p q : pred A) : pred A :=
fun h:A ñD h1 h2 h3 h12 h23, join h1 h2 h12 ^ join h2 h3 h23 ^
join h12 h3 h ^ p h12 ^ q h23.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Formalization of the Ramification Theory Ramification Library
Ramification Library (Lemma 4.1 to Lemma 4.6)
precise(P, Q) P Y› R $ P › (Q ´´› Q Y› R1
)
(P › F) Y› R $ P › (Q ´´› (Q › F) Y› R1)
precise(P) R $ P › (Q ´´› R1
)
(P › F) ^ R $ P › (Q ´´› (Q › F) ^ R1)
. . .
R $ P › (P1
´´› R1
) S $ Q › (Q1
´´› S1
)
R › S $ P › Q › (P1 › Q1 ´´› R1 › S1)
precise(P, P1
) @i. P Y› Qi $ P › (P1
´´› P1
Y› Q1
i)
P Y› Q1 Y› Q2 $ P › (P1 ´´› P1 Y› Q1
1 Y› Q1
2)
h1 ď h3
def
= Dh2. h1 ‘ h2 = h3
precise(P)
def
= @h1, h2, h3. h1 ď h3 ñ h2 ď h3 ñ h1 |ù P ñ h2 |ù P ñ h1 = h2

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Formalization of the Ramification Theory Ramification Library
Custom Tactics (10 tactics)
Ltac try join h1 h2 h1h2 :=
let helper m1 m2 m1m2 :=
match goal with
| [H1: join m1 ?X, H2: join ?X m2 $ ] ñ
destruct (join assoc H1 H2) as [m1m2 [? ?]]
| [H1: join m1 ?X, H2: join ?X m2 $ ] ñ
destruct (join assoc (join comm H1) H2) as [m1m2 [? ?]]
| [H1: join m1 ?X, H2: join m2 ?X $ ] ñ
destruct (join assoc H1 (join comm H2)) as [m1m2 [? ?]]
| [H1: join m1 ?X, H2: join m2 ?X $ ] ñ
destruct (join assoc (join comm H1) (join comm H2)) as [m1m2 [? ?]]
end
in helper h1 h2 h1h2 || helper h2 h1 h1h2.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Formalization of Graphs Mathematical Graphs
Mathematical Graphs
Class PreGraph (Vertex: Type) Data {EV: EqDec Vertex} :=
{
valid : Vertex Ñ Prop;
node label : Vertex Ñ Data;
edge func : Vertex Ñ list Vertex
}.
graph(x, γ)
def
=(x = 0 ^ emp)_

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Mathematical Graphs
Class MathGraph (Vertex : Type) Data (nV : Vertex) {EV: EqDec Vertex} :=
{
m pg :> PreGraph Vertex Data;
valid graph: @ x, valid x Ñ @ y, In y (edge func x) Ñ y = nV _ valid y;
valid not null: @ x, valid x Ñ x = nV
}.
graph(x, γ)
def
=(x = 0 ^ emp)_

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Mathematical Graphs
Class BiGraph (Vertex Data: Type) {EV: EqDec Vertex} :=
{
b pg :> PreGraph Vertex Data;
only two neighbours :
@ v:Vertex,{v1: Vertex & {v2 : Vertex | edge func v = v1 :: v2 :: nil}}
}.
graph(x, γ)
def
=(x = 0 ^ emp)_

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Mathematical Graphs
Class BiMathGraph (Vertex Data : Type) (nV : Vertex) {EV: EqDec Vertex} :=
{
bm bi :> BiGraph Vertex Data;
bm ma :> MathGraph Vertex Data nV;
pg the same: m pg = b pg
}.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Lemmas about Mathematical Graphs
Lemma finite reachable computable:
@ (mg : MathGraph V D null) x l, valid x Ñ
(@ y, reachable m pg x y Ñ In y l) Ñ D l’, reachable list m pg x l’ ^ NoDup l’.
Definition reachable list (pg : PreGraph V D) (x : V) (L : list V) : Prop :=
valid x ^ @ y, In y L Ø reachable pg x y.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
It is Extremely Hard
• We essentially need to determine a list of the reachable vertices in a graph.
Obvious idea: BFS.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Obvious idea: BFS.
• Contructing BFS is hard.
• It could go into a loop, which is why BFS must track already visited nodes.
• The graph could have infinite nodes, which is why BFS must have an upper
bound argument. (a computer’s memory is finite).
• Coq does not support general recursion.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Obvious idea: BFS.
• Contructing BFS is hard.
• It could go into a loop, which is why BFS must track already visited nodes.
• The graph could have infinite nodes, which is why BFS must have an upper
bound argument. (a computer’s memory is finite).
• Coq does not support general recursion.
• It is still hard to prove the result of BFS is the whole reachable set.
• When BFS reaches an already-visited node, how do we know it will not forget
about its children?
• When BFS terminates, there are two situations to prove.
• Reachable nodes are those nodes with a path. The exploration path and the
given path need not be at all similar.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Formalization of Graphs Spatial Graphs
Spatial Graphs
graph(x, γ)
def
=(x = 0 ^ emp) _ Dd, l, r. γ(x) = (d, l, r)^
x ÞÑ d, l, r Y› graph(l, γ) Y› graph(l, γ)

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Recursive Predicates
P(x) = . . . x . . . P . . .
F(p) = λx.(. . . x . . . p . . . ) and P = µF
P(x) = (µF)(x) = F(µF)(x) = F(P)(x) = (. . . x . . . P . . . )

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Covariant and Contractive predicates
Covariant predicates:
Tarski’s fixed point for order-reserving functions
Contractive predicates:
Indirection theory of step-indexing recursion

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Spatial Graphs : First Attempt (strategy proposed in HV)
Definition graph fun (Q: adr Ñ pred world) (x: adr) :=
(!!(x = 0) && emp) ||
(EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
graph node x d l r Y› ((Q l) Y› (Q r))).
Definition graph := corec graph fun.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Spatial Graphs : First Attempt (strategy proposed in HV)
Lemma 4.7
graph(x, γ) %$ iter sepcon reach(γ, x) λx.x ÞÑ γ(x)
iter sepcon ta1, a2, . . . , anu p
def
= p(a1) › p(a2) › . . . › p(an).

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Spatial Graphs : Second Attempt
Definition graph fun (Q: adr Ñ pred world) (x: adr) :=
(!!(x = 0) && emp) ||
(EX d:adr, EX l:adr, EX r:adr, !!(gamma bi x = (d, l, r)) &&
graph node x d l r Y› ((Ź Q l) Y› (Ź Q r))).
Definition graph := HORec graph fun.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Lemma 4.9
@x, γ. precise(graph(x, γ))

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Not Precise
@P. ␣precise(ŹP).
This problem seems to be lurking in this style of recursion for 5-10 years.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Spatial Graphs : Third Attempt
Lemma 4.7
graph(x, γ) %$ iter sepcon reach(γ, x) λx.x ÞÑ γ(x)
Definition graph (x : adr) (bimg : @BiMathGraph adr nat 0 natEqDec): pred
world :=
(!!(x = 0) && emp) || EX l : list adr, !!reachable list b pg x l &&
iter sepcon l (graph cell bm bi).

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Spatial Graphs : Third Attempt
Lemma graph unfold: @ x g,
graph x g = (!!(x = 0) && emp) ||
EX d:nat, EX l:adr, EX r:adr, !!(gamma bm bi x = (d, l, r) ^ valid x) &&
(trinode x d l r Y› graph l g Y› graph r g).

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Succeed
Lemma 4.14
reach(γ1, S1
1) Ě reach(γ, S1) γ1 Ò S1
1 = γ Ò S1
graphs(S1, γ) Y› graphs(S2, γ) $ graphs(S1, γ)›
(graphs(S1
1, γ1
) ´´› graphs(S1
1, γ1
) Y› graphs(S2, γ1
))
graphs tx1, x2, . . . , xnu γ = graph(x1, γ) Y› graph(x2, γ) Y› . . . Y› graph(xn, γ).

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Summary
Summary
Lemmas and theorems in the paper 13
Lemmas and theorems in Coq source code 250
Definitions in Coq source code 106
Lines in Coq source code (dense) 3996

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Thank you!

Mechanized Ramification

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

Mechanized Ramification