Formalizing Memory Accesses and Interrupts

Formalizing Memory Accesses and Interrupts

Reto Achermann  Lukas Humbel  David Cock  Timothy Roscoe Systems Group, Department of Computer Science, ETH Zurich
Abstract

The hardware/software boundary in modern heterogeneous multicore computers is increasingly complex, and diverse across different platforms. A single memory access by a core or DMA engine traverses multiple hardware translation and caching steps, and the destination memory cell or register often appears at different physical addresses for different cores. Interrupts pass through a complex topology of interrupt controllers and remappers before delivery to one or more cores, each with specific constraints on their configurations. System software must not only correctly understand the specific hardware at hand, but also configure it appropriately at runtime. We propose a formal model of address spaces and resources in a system that allows us to express and verify invariants of the system’s runtime configuration, and illustrate (and motivate) it with several real platforms we have encountered in the process of OS implementation.

\isabellestyle

it

1 Introduction

We present a formal model for the interpretation of memory accesses (loads, stores, DMA operations, etc.) and interrupts of a modern computer system which captures the relevant features of contemporary hardware (described below). The model gives an unambiguous interpretation of memory accesses and interrupts, its applications include a foundation for system software verification, identifying problematic hardware designs, and generating correct-by-construction OS code.

A naive view of memory addressing (often repeated in OS textbooks) is as follows: a processor issues a load or store to a virtual address, which is translated in the MMU by a given page table to a page fault or a physical address, which in turn corresponds to a memory cell, device register, or bus fault. Similarly, interrupts are asserted by a device, translated by a Programmable Interrupt Controller (PIC) into a local “vector number” indexed by the processor into a jump table of handlers.

This view is both plain wrong, and unsuitable as a basis for verification (or, indeed, well-written software). Modern systems, from mobile phone Systems-on-Chip to large servers, are complex networks of cores, memory, devices, and translation units. Multiple caches in this network interpose on memory addresses. Virtualization support creates additional layers of address and interrupt translation.

Moreover, a real system has many physical address spaces. Memory accesses are routed between them, often involving transforming the address value itself from one space to another. Answering a question like “Do two virtual addresses in different processes on different cores refer to the same DRAM cell?” requires knowledge of the contents of TLBs, page tables, and caches on the cores and, crucially, a representation of the system interconnect, translation units, and topology. Determining which core runs what code when a device raises an interrupt similarly requires a comprehensive description of the many stages of interrupt routing in the system.

We know of no prior formal model capturing the complexity of address- and interrupt routing in modern hardware. Even existing informal attempts to capture the increasingly diverse range of hardware to facilitate OS software development, fail to adequately cover the software/hardware interface – our starting point for this work was the need for a practical domain-specific language with clear semantics for use in the Barrelfish research OS.

To exemplify the challenge we address, consider the Texas Instruments OMAP4460 Multimedia SoC, a good example because it is representative of the varied class of mobile processors, has been used in products like the Amazon Kindle Fire 7” and PandaBoard ES, and has some of the best publicly available documentation. The software manual for this chip [19] has 5820 pages.

This chip has numerous processors, including two ARM Cortex A9 cores (typically running Linux or Android), two Cortex M3’s, two DSPs, a GPU, and an ARM968 for power management, along with other DMA-capable devices which can issue loads and stores. Each of these, along with RAM and other peripherals, is attached to one of several “interconnects”, corresponding to physical address spaces. The OMAP has four main interconnects and numerous smaller ones111For the curious reader, the relevant diagram is on page 157 of the manual [19].. These are themselves interconnected: apertures in one map to address ranges in another. These translations are also subject to programmable access control checks (used, for example, in phones to sequester the baseband radio stack on the DSPs).

Different cores must thus issue different physical addresses (after MMU translation) for the same resource. For example, the GPTIMER5 timer device has (at least) three physical addresses depending on the accessing core: an A9 uses 0x40138000, a DSP uses 0x01D38000 and a DMA-capable device on the L3 interconnect uses 0x49038000.

Consider also the M3 cores, which use two address translation levels: a shared cache with L1 MMU means both cores use the same virtual address space at all times. The output of this MMU is fed into an address splitter and forwarded to local ROM or RAM, or translated by another, “L2” MMU providing a 1.5GB window starting at 0x0 in the L3 interconnect. The M3’s thus never see main system RAM at the same physical address as the A9 cores. Figure 1 shows a simplified view of addressing on the OMAP.

An interrupt raised by a device on the OMAP4460 can be routed to a single designated core or one dynamically selected. Cores themselves can also send interrupts between themselves. Figure 2 shows a subset of the interrupt topology on the chip. The A9 cores each have private timer interrupts. Devices like the SDMA engine can generate four different interrupts, of which two can be sent to any core, and two cannot be sent to the DSP. Interrupts appear with different numbers in the M3 and A9 cores. The A9 cores can initiate interrupts among themselves but not target other cores. Interrupts from devices like the on-chip GPTIMER5 cannot be routed to the M3s. M3 page faults interrupt an A9 core.

Similar complexity exists in almost all modern systems, including PCs (as we discuss below). Sophisticated CAD systems, market volumes, and Moore’s law have led to a great profusion in different platforms.

Reasoning about software running on this system clearly can neither rely on unique nor unambiguous physical addresses, even ignoring the effect of caches and “conventional” MMUs. Software is also constrained in terms of which interrupts can be received by which threads. It is not possible to make strong formal statements about the semantics of software running on the OMAP4460 or any other SoC without a formal description which captures the complexity of this addressing network. Moreover, correct software operation requires the various levels of address translation and access control to be programmed accordingly. Verifying system software on such a range of platforms is simply not feasible without a clear specification of how the hardware handles interrupts and memory references.

Our contributions in this paper are as follows. We make the case for a formal representation of hardware to help systems programmers understand the hardware at hand, and present a model and its syntax (section 2) to express and reason about interrupt routing, address spaces and their interactions. We express the hardware configuration of three different systems in subsections  3.1 to 3.3 and give reduction results and algorithms in section 4. We compare our work with the literature in section 5 followed by a presentation of a roadmap of future work in section 6 and conclude in section 7.

2 Model and Syntax

In this section, we give a brief description of our model and refer to  Appendix A for a full description. We model the system’s handling of emitted addresses by a decoding net: a directed graph where each node represents a hardware component. Addresses and interrupts vectors are natural numbers. We use the term address and interrupt vector interchangeably in this paper. Decoding of an address starts at a particular node. Thus, a name is an address qualified by the node at which it is decoded. We therefore define a name as a tuple of i) a node identifier (nodeid) and ii) an address (addr). Nodes are labeled with natural numbers. A decoding net is then an assignment of nodes to identifiers.

Hardware components either accept addresses (e.g. RAM or device registers), they translate addresses and pass them on (e.g. MMU or lookup tables), or both (e.g. caches). A node is completely defined by two properties: a set of accepted addresses and a set of names it decodes an input address to. Formally:

The result of is the set of addresses accepted by a node without forwarding; The result of is the set of translated names for each input address. The same model can also be used to represent interrupt delivery where a node forwards interrupts (e.g. interrupt controllers) or accepts them (e.g. CPUs). All definitions are formalized in Isabelle/HOL, and all results we present are proven in the accompanying Isabelle theories. We want to emphasize that our model captures the static state of the system. Dynamic aspects such as concurrency and caching can be modeled on top of the decoding net, something we plan to tackle in the future.

The model allows a node to both accept and translate an address, and to translate an address to multiple outputs — real memory hardware doesn’t, but interrupt controllers can and it is useful while normalizing nodes. Every decoding net defines a decode relation and an accepted-names-set (names accepted anywhere in the net):

From these, we define the resolution function, which maps an input name (an address presented to a particular node) to a set of resolved names: the nodes at which the input address could end up being accepted, together with the translated input address to that node.

This is the input name if and only if the start node accepts the start address, and then all names reachable recursively via the decode relation. The termination of this recursion depends on the structure of the net, specifically the presence of loops. We present a necessary and sufficient condition for termination in section 4.

Nets are expressed in the following concrete syntax (EBNF, terminals are bold). This corresponds to the abstract syntax of Appendix A.

Here all translations are specified by mapping a contiguous block of input addresses (specified by range ) to some output node, with all address values shifted to a new block base address. Nodes are specified by a finite set of accepting and mapping blocks and may be initialized using an overlay (over). If so, the node maps all input addresses 1–1 to the specified overlay node, unless they are captured by an accept or map block. Nodes are assigned identifiers with is or are (for repeated nodes). One can use the identifier instead of the assigned number when referring to the node. The map specification allows us to declare multiple destinations, which is necessary to describe interrupt systems.

In the following section, we demonstrate that this syntax, together with our model, concisely represents the address decoding of real hardware. In section 4 we further show that our model supports reasoning about address translation, for example by showing that networks can be reduced to a normal form, and that this reduction can be expressed by a simple algorithm on the concrete representation of the network i.e. that the representation refines the model.

3 Modeling Real Systems

We now express real systems (all of which we use for Barrelfish development) using the syntax from the previous section. We present the OMAP4460 SoC and two different x86 systems here. In addition, we show fully detailed models of those systems (B.1to B.3) and two additional systems (cluster system B.5 and the Intel SCC B.4) in the appendix. We focus our modelling on software-visible hardware features. We represent a block of addresses in the form with a (hex) prefix followed by zeros and the block size is e.g. 0x20000000-0x20000fff is represented as with a block size is 12-bits (4kB).

Figure 1: Addressing block diagram and model description of the Texas Instrument OMAP 44xx SoC.

3.1 A Mobile Device SoC: the OMAP4460

We introduced the OMAP4460 [19] in section 1. Each core (A9, M3 and DSP) has a distinct view of the system: some resources are core-private while others appear at different addresses, etc. We show examples of addressing and interrupt models (Figures 1 and 2) and refer to section B.1 for the full model.

Accessing DRAM from the A9 and M3 cores:

From the A9 core’s virtual address space, , the address 0x20000000 is translated and forwarded to (, 0x8000000) which overlays the L3 interconnect address space. L3 accepts the input and decoding terminates. Addresses from the are handled similarly. The M3 cores share the translation tables and hence accesses from are overlaid onto which maps and forwards addresses to the MIF, an address splitter. In our case, outputs address 0x0 which is forwarded by the MIF to the and further translated to 0x80000000 and forwarded to and accepted by L3.

Accessing the Gptimer5 device:

The GPTIMER5 has multiple names that resolve to the GPT node: , , and , along with that means that and can also access GPT as they overlay L3.

Almost a loop:

We can construct a configuration where an access goes through the same address space twice, but we can show that resolution still works as the two decoding steps have different addresses. We start at the and the decoding steps go through , L3, L4 and end up in . This is the same node where we started suggesting a loop in the decoding, however the address is different. The MIF now maps the request to

SDMA triggers interrupt 2:

The SDMA device can generate four different interrupts. We model this as as a node that maps consecutive vectors starting from zero. Once it triggers interrupt 2 in the SDMA node, the interrupt will be forwarded to multiple controllers with different vectors. Specifically, it will be multicast towards and of the M3 subsystem. Since the NVICs are configured to ignore (mask) the interrupt, the nodes will neither accept nor map these interrupts. SPIMap translates the vector and forwards the signal to and is finally accepted

Figure 2: Overview and model of the interrupt system of the Texas Instrument OMAP 44xx SoC

3.2 A Desktop PC

Our example desktop machine has a quad-core processor, 32GB of main memory and several I/O devices. We focus on two aspects of the memory model: a resource can respond to multiple addresses, and different resources respond to the same address. We further highlight the diversity of interrupt paths and vector formats. The relevant nodes (with 2 cores) are shown in Figure 3; the full model is in  section B.2.

Figure 3: Schematic overview and model representation of the desktop PC

Address homonyms:

Consider cores in Figure 3. If they are using the same MMU page table one might think – erroneously – that they access the same view of physical memory. In fact, core-physical address 0xfee00000 (the local APIC address) on each core is accepted locally by both and . Each core’s MMU sees a different physical address space.

Address synonyms:

Conversely, a single resource, the GDDR region of GFX, appears at multiple addresses depending on the starting node. For instance will decode to . The same resource can be reached via a different address: . Physical addresses are not unique identifiers for the resource.

Message-signalled interrupts:

The GPU issues message signalled interrupts (MSI), memory writes to a platform-specific address range with a data word. We start with which is translated to a memory write to . We model this MSI as the concatenation of the address and data word since PCH is able to distinguish both. The PCH transforms these memory writes back to a regular interrupt message, here forwarded to which accepts the signal.

Legacy interrupt path:

The EHCI USB controller raises a legacy interrupt, which appears at . It propagates to the PCI link device LNKA with vector zero, which redirects it to the IOAPIC with vector 4. The IOAPIC is configured to forward interrupt number 4 to , with vector 48. Alternatively, the RTC device follows a similar path to the EHCI but it is directly connected to the IOAPIC. The decoding steps are .

Vector sharing:

The ARM platform (as in section 3.1) separates interrupts generated by peripheral devices and inter-processor interrupts initiated by software. The Intel x86 platform in contrast does not, and so for each core we split inbound () and outbound () interrupts into separate nodes (see section 4 for proof). In our example, triggers an interrupt which decodes to the same destination as the . We start with which is directly forwarded to the accepting node . Sharing may be unavoidable: an MSI device can issue up to 2048 different interrupts while an x86 core can only distinguish 256 vectors.

3.3 A Heterogeneous x86 Server

Servers, particularly for high-performance computing, are more complex than commodity desktops. Our example has 2 10-core sockets, each with its own DRAM controller, PCIe root complex, and IOMMU. Both PCIe buses have a Xeon Phi co-processor with 57 cores and 6GB GDDR RAM. The host cores support virtualization, including nested paging. This hardware is discussed in more detail in  [11]).

The features we highlight (and make the server different from the desktop) are shown in Figure 4: the NUMA memory topology, PCI devices accessing each other’s memory through the IOMMU [14], and aliasing in the same address space. We refer to  section B.3 for a full model.

Figure 4: Schematic overview of a heterogeneous server with Xeon Phi co-processors

NUMA topology:

The NUMA nodes are abstracted by and . We model the behavior as follows: starting from decodes to a forward to with the same address and is accepted (remote access). Local accesses start from and are directly accepted by .

Aliasing:

The Xeon Phi can be configured such that its local GDDR region is aliased through the system memory interface. In our example, emitted addresses are directly accepted by whereas triggers the translation chain: . Here, input address decodes to , i.e. there are multiple addresses for this RAM cell: the LUT and IOMMU allow multiple mappings, although notably with different coherency and latency characteristics.

PCI-PCI access:

The local resources of can be accessed from through the system memory region: emitted address is forwarded and mapped through and to the interconnect . This address is in the range of the other socket, is forwarded there, and eventually accepted by .

Interrupts:

The main difference from the system in section 3.2 is the IOMMU’s interrupt controller on the path between devices and host cores. The Xeon Phis can raise regular PCIe interrupts, but also have their own local interrupt subsystem resembling another x86 system. These two subsystems are isolated: an interrupt on the Xeon Phi cannot be directly forwarded to the host or vice versa, another example of the limited reachability we referred to in section 3.1.

4 Reductions and Algorithms

The purpose of this model is to accurately represent the complex structure of address resolution and interrupt routing in a format that can be easily generated and manipulated at runtime. We now demonstrate that the model also has nice logical properties: it is amenable to formal analysis and the verification of routines that interpret or manipulate the concrete syntax. All results presented here are verified, and presented with a reference to the proof in the accompanying Isabelle/HOL source.

4.1 Termination

The underlying model, as introduced in section 2, is strictly graphical—it is defined entirely by the decode relation and the accept set. This permitted us to directly specify the hardware behavior, including decoding loops, but says nothing directly about an agent’s view of the system. Which resources are visible at such and such an address, in such and such an address space? The function provides the link, giving a mapping from local names (addresses relative to a viewpoint) to global names (nodes that may accept the address, and the local address at which they accept it).

HOL is a logic of total functions, and we can thus express the mapping from (address space, address) to (a set of) resources as a function if, and only if, the decoding process terminates. This occurs when every path in the decode relation beginning at the input address is finite. We express this as the existence of some well-formed ranking function , that decreases on every step of the decode relation (Appendix A):

Termination follows as is bounded below by (here means that resolution terminates from i.e. the arguments are in the domain of the function (Appendix A):

The duality between the graphical and operational views of an address space is fundamental: the result of any well-defined resolution is the set of names reachable via the decode relation (i.e. lie in the image of the reflexive, transitive closure of the relation), that refer to actual resources (i.e. are in the accept set, Appendix A):

This result lets us freely substitute one view of the system for another.

4.2 Normalization and Refinement

To use this model, we need efficient algorithms in the OS to manipulate it e.g. calculate the set of visible resources from a processor. This information is implicit in the graphical model, but not easily accessible. We might, for example, wish to produce a flattened representation that preserves the view from each processor, while making such a query efficient. One way to achieve this is to split all nodes into nodes that only accept addresses (resources), and ones that only map to other nodes (address spaces). Then merging, or flattening the mapping nodes gives us the desired result.

We would like to verify such algorithms. We show here that we can define and verify equivalence-preserving transformations on the semantic model, together with a notion of refinement. In the remainder of this section, we demonstrate equivalence-preservation and refinement for the first step: splitting, with reference to the accompanying sources. Further results regarding flattening are also provided in the Isabelle sources for the interested reader.

Two nets are view-equivalent, written if all observers in have the same view (i.e. the results of are the same), modulo some renaming ( and ) of the accepting nodes. Let be greater than the label of any extant node. The split net is then defined as (Appendix A):

This new net is view-equivalent to the original, with names that were accepted at now accepted at , and no node both accepting and translating addresses (Appendix A):

(1)

Splitting on the concrete representation is a simple syntactic operation. Each node is replaced as follows (Appendix A):

Refinement is, as usual, expressed as the commutativity of the operations (here and ) with the state relation (here , which constructs a net from its syntactic representation, Appendix A):

(2)

Combining Equation 1 with Equation 2 we have the desired result, that the concrete implementation preserves the equivalence of the nets constructed by parsing (Appendix A):

(3)

Together with the equivalent result for flattening, we can verify that the physical address spaces that we read directly from the transformed model are exactly those that we would have found by (expensively) traversing the original hardware-derived model for all addresses.

5 Related Work

The difficulty of writing OS code in C for increasingly complex hardware has led to several non-formal mechanisms for the OS to discover, and configure, the hardware platform at runtime.

System firmware provides software with configuration information through ACPI [8] tables and, more recently, UEFI [9]. Both provide somewhat abstracted information about the NUMA affinity of memory controllers and other devices, information required to write fast memory intensive applications. Hardware connection standards like PCI Express provide a measure of device enumeration (including address discovery and interrupt routing requirements), giving a hierarchy of the PCI bridges and connected devices. Schupbach et al. [18] applied a declarative approach to the configuration of the memory windows of PCI bridges. Similarly, USB devices are discovered by hierarchical enumeration of hubs. Processors provide cache hierarchy data, for example using the x86 cpuid instruction.

A more comprehensive description of a hardware platform is attempted by Device Trees [6], which describes a binary file format designed for bootloaders to find hardware at startup and is now used extensively in the Linux kernel to handle non-discoverable devices. While a Device Tree captures some information about, for example, the addresses of devices as seen from a single core (the root of the tree), it has no well-defined semantics for interpreting the data. Moreover, it is not well-suited for heterogenous systems where a single hierarchy is a poor match for hardware, and does not capture caches, TLBs, or the view of the system from DMA-capable devices.

We are not aware of any work on formalizing the interrupt subsystem. Commodity operating systems often only support a specific mode of interrupt delivery. Linux for instance always distributes all interrupts to all CPUs [5]. Similarly, FreeBSD refers to interrupts using the ACPI enumeration resulting in clashes when naming MSI sources. The system assumes that MSIs directly reach the CPUs, which is no longer true since the introduction of the I/OMMU [4].

Alglave et al. [3] applied the technique of litmus testing to define allowable execution traces in the presence of memory operation reordering (e.g. write buffering or speculation), and test them against real hardware. Further work of the authors [2, 7] develops this into a semantic model of weak-memory systems (such as IBM Power and ARM), in particular taking advantage of a close relationship with ARM to ensure the faithfulness of their models to (the intended behavior of) production silicon. Our work is complementary: we provide a means to specify and reason about the connectivity of address spaces in a system, on top of which a rigorous model of weak memory would fully define the behavior of the memory system.

Earlier work in hardware verification, such as that of Velev [20] or Ganai [10], considered the influence of memory system microarchitecture on the verification of instruction-set semantics. The widespread adoption of out-of-order execution and weak memory models has greatly increased the complexity of the problem, which as mentioned is now being tackled. Our focus is rather on the explosion of complexity in the physical interconnection of devices, an area that is not yet well studied.

On the programming-language side, there has long been interest [21, 17] in the interaction of language-specified memory models (particularly that of Java, and now C11/C++11) and that provided by the hardware. Again, these models do not describe the low-level interconnection of hardware, which has been relegated to an ‘OS problem’, where it is solved (badly) with tools such as device trees and ACPI.

6 Roadmap

While our model is a useful first step, we are extending it considerably as we apply it to engineering Barrelfish. We list our future directions here.

We used the same model of interrupts and memory because both resemble network forwarding, but in reality they are deeply connected in hardware: message-signaled interrupts and inter-processor interrupts are initiated by writing to memory addresses, and virtualization hardware can translate interrupts into memory writes. Unifying memory and interrupts is a natural next step.

We also do not distinguish reads, writes, and other types of transaction in our addressing model. In practice, different request types may traverse different paths in the interconnect and/or be accepted by different components: examples include read-only memory protection, and some PCIe DMA controllers which can only copy data in one direction for certain address ranges.

A further step is extending our static model to capture dynamic state, starting with caches. Caches are a challenge because they may or may not respond to an address depending on their contents, they may themselves emit addresses to other caches and resources, they may also perform address translation, and they can be bypassed by non-cacheable reads and writes. Our current model expresses the set of resources that may respond to a request, but not which resource actually responds. Furthermore, the future behavior of the cache changes in response to requests. Coherence protocols like MOESI also allow a line to be fetched from another cache instead of main memory. Not all cores or devices might participate in the coherence protocol, but others might be able to directly write to remote caches. In both cases, caches can be inconsistent with main memory – something our model cannot yet handle.

The dynamic state of a system also includes the configuration of translation units. Unfortunately, such units (lookup tables, interrupt controllers, etc.) have varying constraints on their configuration. Some interrupt controllers perform fixed translation, some allow selective masking, some can remap blocks of interrupt requests, and others can arbitrarily translate vectors. Memory translation can be achieved with page tables or lookup tables of varying, fixed-size pages. The addresses that can be mapped between address spaces can be limited in range or domain.

Our goal is, given a topology, these constraints, and a desired end-to-end view, to synthesize a correct configuration for the translation units in the system. Since many feasible configurations can exist, we would also define an optimization goal such as minimizing the required space for page tables or interrupt mapping tables in limited-resource hardware like IOMMUs.

Synthesizing a valid configuration is insufficient for correct operation, however. The system requirements are dynamic: devices are hotplugged, and brought up and down by power management functions. Threads are migrated between cores by schedulers, etc. This means that the transition between correct configurations, achieved by reprogramming individual controllers or management units, must be achieved without violating security or correctness guarantees, by creating a sequence of correct intermediate states and/or determining which tasks must be paused while reconfiguration occurs. A simple example is reconfiguring a set of memory translation units in sequence such that at no point does a process have unauthorized access to an area of main memory, and that caches are consistent at all points.

Finally, while we capture the semantics of memory access and interrupts, the performance of such operations also depends on the platform configuration. By annotating mapping functions with performance characteristics, our model might be used to generate hardware optimized data structures and messaging protocols as in  [15], or minimized interrupt latency by choosing an appropriate delivery mechanism [12].

7 Conclusion

Contemporary hardware exposes a memory system and interrupt system structure more complicated than usually assumed. We have seen three examples of current systems that violate common assumptions such as that a physical address uniquely identifies a resource or that interrupts can be directed to all CPUs. This implies that there is no — or had never been a — single physical address space and interrupts can not be directed to all cores anymore.

We presented a formal model to express the interactions and topologies of address spaces and interrupts. Our model is capable of capturing the characteristics of a broad range of current systems and we show view equivalence preserving transformations that can be used to convert a complex system model into a flattened representation.

References

Appendix A Decoding Net Model

This appendix presents the formal development (in Isabelle/HOL) of the decoding net model outlined in section 2, together with proofs of some key results. The text here is generated directly from the Isabelle sources, with some sections excluded for space and not being (in our subjective opinion) particularly interesting. The proofs may therefore occasionally refer to definitions and lemmas which are not stated here—in any such case, the full, machine-checked proof is available in the theory files associated with this paper.

{isabellebody}\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory{isamarkuptext}

First, we nail down some types. For ease in getting started, we’re using natural numbers for addresses. It should be possible to use the same definitions to handle finite-length words without much modification.\isamarkuptrue\isacommandtype\isacharunderscoresynonym\isamarkupfalse nodeid \isacharequal nat\isanewline\isacommandtype\isacharunderscoresynonym\isamarkupfalse addr \isacharequal nat{isamarkuptext}A name is a qualified address: which is defined with respect to some context, in this case the node at which decoding begins.\isamarkuptrue\isacommandtype\isacharunderscoresynonym\isamarkupfalse name \isacharequal \isachardoublequoteopennodeid \isasymtimes addr\isachardoublequoteclose{isamarkuptext}A node can accept an input address, in which case resolution terminates here, or it can translate it into an input address for another node, or both. We allow the sets of accepted and translated addresses to overlap to model nondeterministic behaviour e.g. a cache, which has a well-defined translation for every input address, but could potentially respond to any request with a locally-cached value. In general, we’re interested in the set of (node, address) pairs at which a given input address might be accepted.\isamarkuptrue\isacommandrecord\isamarkupfalse node \isacharequal\isanewline  accept \isacharcolon\isacharcolon \isachardoublequoteopenaddr set\isachardoublequoteclose\isanewline  translate \isacharcolon\isacharcolon \isachardoublequoteopenaddr \isasymRightarrow name set\isachardoublequoteclose\isanewline\isanewline  \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isamarkupsubsectionAddress Decoding Nets. \isamarkuptrue {isamarkuptext}A decode net is an assignment of nodes to identifiers.\isamarkuptrue\isacommandtype\isacharunderscoresynonym\isamarkupfalse net \isacharequal \isachardoublequoteopennodeid \isasymRightarrow node\isachardoublequoteclose{isamarkuptext}One step of address decoding, mapping an input name (node, address) to an output name (or nothing).\isamarkuptrue\isacommanddefinition\isamarkupfalse decode\isacharunderscorestep \isacharcolon\isacharcolon \isachardoublequoteopennet \isasymRightarrow name \isasymRightarrow name set\isachardoublequoteclose\isanewline  \isakeywordwhere\isanewline    \isachardoublequoteopendecode\isacharunderscorestep net name \isacharequal translate \isacharparenleftnet \isacharparenleftfst name\isacharparenright\isacharparenright \isacharparenleftsnd name\isacharparenright\isachardoublequoteclose{isamarkuptext}The decode relation is, in general, a directed graph. If it’s actually a DAG, then all addresses can be decoded in a well-defined manner.\isamarkuptrue\isacommanddefinition\isamarkupfalse decodes\isacharunderscoreto \isacharcolon\isacharcolon \isachardoublequoteopennet \isasymRightarrow name rel\isachardoublequoteclose\isanewline  \isakeywordwhere\isanewline    \isachardoublequoteopendecodes\isacharunderscoreto net \isacharequal \isacharbraceleft \isacharparenleftn\isacharprime\isacharcomma n\isacharparenright\isachardot n\isacharprime \isasymin decode\isacharunderscorestep net n \isacharbraceright\isachardoublequoteclose{isamarkuptext}The set of names that can be accepted anywhere in this decoding net i.e. the union of the accept sets of all nodes.\isamarkuptrue\isacommanddefinition\isamarkupfalse accepted\isacharunderscorenames \isacharcolon\isacharcolon \isachardoublequoteopennet \isasymRightarrow name set\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenaccepted\isacharunderscorenames net \isacharequal \isacharbraceleft\isacharparenleftnd\isacharcommaa\isacharparenright \isacharbarnd a\isachardot a \isasymin accept \isacharparenleftnet nd\isacharparenright\isacharbraceright\isachardoublequoteclose\isanewline\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory {isabellebody}\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory\isamarkupsubsectionResolution \isamarkuptrue {isamarkuptext}To resolve an input name, start with the name itself if the net accepts it, and recurse on all names reachable via the \isadecodes\isacharunderscoreto relation\isamarkuptrue\isacommandfunction\isamarkupfalse \isacharparenleftdomintros\isacharparenright resolve \isacharcolon\isacharcolon \isachardoublequoteopennet \isasymRightarrow name \isasymRightarrow name set\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenresolve net n \isacharequal\isanewline   \isacharparenleft\isacharbraceleftn\isacharbraceright \isasyminter accepted\isacharunderscorenames net\isacharparenright \isasymunion\isanewline   \isacharparenleft\isasymUnionn\isacharprime\isachardot if \isacharparenleftn\isacharprime\isacharcomman\isacharparenright \isasymin decodes\isacharunderscoreto net then resolve net n\isacharprime else \isacharbraceleft\isacharbraceright\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof  \endisadelimproof\isatagproof\isacommandby\isamarkupfalse\isacharparenleftpat\isacharunderscorecompleteness\isacharcomma auto\isacharparenright\isanewline    \endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}The defining relation for \isaresolve is simply \isadecodes\isacharunderscoreto:\isamarkuptrue\isacommandlemma\isamarkupfalse resolve\isacharunderscorerel\isacharunderscoredecodes\isacharunderscoreto\isacharcolon\isanewline  \isachardoublequoteopenresolve\isacharunderscorerel x y \isasymlongleftrightarrow \isacharparenleftfst x \isacharequal fst y\isacharparenright \isasymand \isacharparenleftsnd x\isacharcomma snd y\isacharparenright \isasymin decodes\isacharunderscoreto \isacharparenleftfst x\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof  \endisadelimproof\isatagproof\isacommandby\isamarkupfalse\isacharparenleftcases x\isacharcomma cases y\isacharcomma auto elim\isacharcolonresolve\isacharunderscorerel\isachardotcases intro\isacharcolonresolve\isacharunderscorerel\isachardotintros\isacharparenright\isanewline    \endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}We can express resolution in an equivalent non-recursive fashion, as the image of the closure of the decoding relation:\isamarkuptrue\isacommandlemma\isamarkupfalse resolve\isacharunderscoreeval\isacharcolon\isanewline  \isakeywordassumes dom\isacharcolon \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomma n\isacharparenright\isachardoublequoteclose\isanewline  \isakeywordshows \isachardoublequoteopenresolve net n \isacharequal accepted\isacharunderscorenames net \isasyminter \isacharparenleft\isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse\isacharparenright\isactrlsup\isacharasterisk \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isamarkupsubsectionWell-Formed Decoding Nets \isamarkuptrue {isamarkuptext}The most general condition for the decoding of a given name to be well-defined is that the decoding process terminates i.e. that all paths of decoding steps (elements of the decodes-to relation) are finite (we eventually reach a node that either accepts its input address, or faults).

A well-formed rank function \isaf assigns a natural number to every name, such that if some name \isan decodes to \isan\isacharprime, \isaf n\isacharprime \isacharless f n. From this, it is trivial to show that decoding terminates. Note that it is only necessary for the ranking to be well-formed for the name that we’re resolving: it may not be possible to assign a consistent ranking to all names, that is well-formed for all starting points, although in well-designed systems it probably should be.\isamarkuptrue\isacommanddefinition\isamarkupfalse wf\isacharunderscorerank \isacharcolon\isacharcolon \isachardoublequoteopen\isacharparenleftname \isasymRightarrow nat\isacharparenright \isasymRightarrow name \isasymRightarrow net \isasymRightarrow bool\isachardoublequoteclose\isanewline  \isakeywordwhere\isanewline    \isachardoublequoteopenwf\isacharunderscorerank f n net \isasymlongleftrightarrow\isanewline      \isacharparenleft\isasymforallx y\isachardot \isacharparenleftx\isacharcomman\isacharparenright \isasymin rtrancl \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright \isasymand \isacharparenlefty\isacharcommax\isacharparenright \isasymin decodes\isacharunderscoreto net \isasymlongrightarrow f y \isacharless f x\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}We use our well-formedness predicate to insist that all node both accept and translate a finite set of addresses. While this isn’t strictly necessary for a lot of the theory, it’s essential for termination.\isamarkuptrue\isacommanddefinition\isamarkupfalse wf\isacharunderscorenet \isacharcolon\isacharcolon \isachardoublequoteopennet \isasymRightarrow bool\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenwf\isacharunderscorenet net \isasymlongleftrightarrow\isanewline    \isacharparenleft\isasymforallnd\isachardot finite \isacharparenleftaccept \isacharparenleftnet nd\isacharparenright\isacharparenright\isacharparenright \isasymand\isanewline    \isacharparenleft\isasymforalln\isachardot resolve\isacharunderscoredom \isacharparenleftnet\isacharcomman\isacharparenright \isasymlongrightarrow finite \isacharparenleft\isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isacharparenright\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isamarkupsubsectionTermination \isamarkuptrue {isamarkuptext}If we can supply a ranking function that is well-formed for all names reachable from the name we wish to decode, then the decoding function is well-defined here (this name lies in its domain).\isamarkuptrue\isacommandlemma\isamarkupfalse wf\isacharunderscoreresolve\isacharunderscoredom\isacharcolon\isanewline  \isakeywordfixes f \isacharcolon\isacharcolon \isachardoublequoteopenname \isasymRightarrow nat\isachardoublequoteclose \isakeywordand n \isacharcolon\isacharcolon name \isakeywordand net \isacharcolon\isacharcolon net\isanewline  \isakeywordassumes wf\isacharunderscoreat\isacharcolon \isachardoublequoteopenwf\isacharunderscorerank f n net\isachardoublequoteclose\isanewline  \isakeywordshows \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomman\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\isacommandproof\isamarkupfalse \isacharminus\isanewline  \isacommand\isacharbraceleft\isamarkupfalse{isamarkuptext}We argue by (strong) induction on the rank of the name, but we need to carry the assumption of reachability into the induction hypothesis (as otherwise we can’t appeal to a well-formed ranking. We then trivially discard this assumption as \isan is reachable from itself, by definition.\isamarkuptrue    \isacommandfix\isamarkupfalse a\isanewline    \isacommandassume\isamarkupfalse \isachardoublequoteopen\isacharparenlefta\isacharcomman\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isachardoublequoteclose\isanewline    \isacommandhence\isamarkupfalse \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcommaa\isacharparenright\isachardoublequoteclose\isanewline    \isacommandproof\isamarkupfalse\isacharparenleftinduct \isachardoublequoteopenf a\isachardoublequoteclose arbitrary\isacharcolona rule\isacharcolonnat\isacharunderscoreless\isacharunderscoreinduct\isacharparenright\isanewline      \isacommandfix\isamarkupfalse b{isamarkuptext}Assume the current node is reachable, and all reachable nodes of lesser rank lie in the domain of \isaresolve.\isamarkuptrue      \isacommandassume\isamarkupfalse reachable\isacharcolon \isachardoublequoteopen\isacharparenleftb\isacharcomman\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isachardoublequoteclose\isanewline         \isakeywordand IH\isacharcolon \isachardoublequoteopen\isasymforallm\isacharlessf b\isachardot \isasymforallx\isachardot m \isacharequal f x \isasymlongrightarrow \isacharparenleftx\isacharcomman\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk \isasymlongrightarrow resolve\isacharunderscoredom \isacharparenleftnet\isacharcomma x\isacharparenright\isachardoublequoteclose{isamarkuptext}We show that the arguments of any recursive call to \isaresolve must lie in the domain, as new node is both reachable, and has strictly lesser rank, thanks to well- formedness.\isamarkuptrue      \isacommandshow\isamarkupfalse \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomma b\isacharparenright\isachardoublequoteclose\isanewline      \isacommandproof\isamarkupfalse\isacharparenleftrule resolve\isacharunderscoredomI\isacharparenright\isanewline        \isacommandfix\isamarkupfalse a{isamarkuptext}Assume that there is a translation/decoding step. We don’t need to show anything for the terminating case, as there’s no recursive call.\isamarkuptrue        \isacommandassume\isamarkupfalse step\isacharcolon \isachardoublequoteopen\isacharparenlefta\isacharcommab\isacharparenright \isasymin decodes\isacharunderscoreto net\isachardoublequoteclose{isamarkuptext}The two names lie in the decoding relation, and the new name is also reachable from \isan.\isamarkuptrue        \isacommandfrom\isamarkupfalse step reachable \isacommandhave\isamarkupfalse reachable\isacharunderscoreyz\isacharcolon \isachardoublequoteopen\isacharparenlefta\isacharcomman\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftsimp\isacharparenright{isamarkuptext}From the (assumed) reachability of \isab, we can appeal to well-formedness to show that the rank decreases.\isamarkuptrue        \isacommandfrom\isamarkupfalse wf\isacharunderscoreat reachable step \isacommandhave\isamarkupfalse \isachardoublequoteopenf a \isacharless f b\isachardoublequoteclose\isanewline          \isacommandunfolding\isamarkupfalse wf\isacharunderscorerank\isacharunderscoredef \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright{isamarkuptext}Thus with the reachability of the new name, we have the result by appealing to the induction hypothesis.\isamarkuptrue        \isacommandwith\isamarkupfalse reachable\isacharunderscoreyz IH \isacommandshow\isamarkupfalse \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomma a\isacharparenright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright\isanewline      \isacommandqed\isamarkupfalse\isanewline    \isacommandqed\isamarkupfalse\isanewline  \isacommand\isacharbraceright\isamarkupfalse{isamarkuptext}Finally, we discharge the reachability assumption.\isamarkuptrue  \isacommandthus\isamarkupfalse \isacharquerythesis \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline\isacommandqed\isamarkupfalse\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}This is the converse of the previous lemma, for decoding nets that with finite branching: If a single decoding step maps a name to a finite number of new names, then there must exist a well-formed ranking for each resolvable name.\isamarkuptrue\isacommandlemma\isamarkupfalse mkrank\isacharcolon\isanewline  \isakeywordfixes  n \isacharcolon\isacharcolon name \isakeywordand net \isacharcolon\isacharcolon net\isanewline  \isakeywordassumes branching\isacharcolon \isachardoublequoteopen\isasymAndn\isachardot resolve\isacharunderscoredom \isacharparenleftnet\isacharcomman\isacharparenright \isasymLongrightarrow finite \isacharparenleft\isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isacharparenright\isachardoublequoteclose\isanewline  \isakeywordshows \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomman\isacharparenright \isasymLongrightarrow \isasymexistsf\isachardot wf\isacharunderscorerank f n net\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\isacommandproof\isamarkupfalse\isacharparenleftinduction \isachardoublequoteopen\isacharparenleftnet\isacharcomman\isacharparenright\isachardoublequoteclose arbitrary\isacharcolonn rule\isacharcolonaccp\isachardotinduct\isacharparenright\isanewline  \isacommandfix\isamarkupfalse n{isamarkuptext}Assume that there exists a well-formed ranking for every direct descendent.\isamarkuptrue  \isacommandassume\isamarkupfalse IH\isacharcolon \isachardoublequoteopen\isasymAndn\isacharprime\isachardot resolve\isacharunderscorerel \isacharparenleftnet\isacharcomma n\isacharprime\isacharparenright \isacharparenleftnet\isacharcomma n\isacharparenright \isasymLongrightarrow \isasymexistsf\isachardot wf\isacharunderscorerank f n\isacharprime net\isachardoublequoteclose\isanewline     \isakeywordand dom\isacharcolon \isachardoublequoteopen\isasymAndy\isachardot resolve\isacharunderscorerel y \isacharparenleftnet\isacharcomma n\isacharparenright \isasymLongrightarrow resolve\isacharunderscoredom y\isachardoublequoteclose\isanewline     \isanewline  \isacommandhave\isamarkupfalse rd\isacharcolon \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomman\isacharparenright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast intro\isacharcolonaccp\isachardotintros dom\isacharparenright{isamarkuptext}By appealing to the axiom of choice (although as we’re finite we could do without), construct \isag which, for every ancestor \isan\isacharprime of \isan, gives a ranking function that is well-formed at \isan\isacharprime.\isamarkuptrue  \isacommandfrom\isamarkupfalse IH\isanewline  \isacommandhave\isamarkupfalse \isachardoublequoteopen\isasymforalln\isacharprime\isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardot \isasymexistsf\isachardot wf\isacharunderscorerank f n\isacharprime net\isachardoublequoteclose\isanewline    \isacommandby\isamarkupfalse\isacharparenleftblast intro\isacharcolonresolve\isacharunderscorerel\isachardotintros\isacharparenright\isanewline  \isacommandhence\isamarkupfalse \isachardoublequoteopen\isasymexistsg\isachardot \isasymforalln\isacharprime\isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardot wf\isacharunderscorerank \isacharparenleftg n\isacharprime\isacharparenright n\isacharprime net\isachardoublequoteclose\isanewline    \isacommandby\isamarkupfalse\isacharparenleftrule bchoice\isacharparenright\isanewline  \isacommandthen\isamarkupfalse \isacommandobtain\isamarkupfalse g \isakeywordwhere wf\isacharunderscoreg\isacharcolon \isachardoublequoteopen\isasymforalln\isacharprime \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardot wf\isacharunderscorerank \isacharparenleftg n\isacharprime\isacharparenright n\isacharprime net\isachardoublequoteclose\isanewline    \isacommandby\isamarkupfalse\isacharparenleftblast dest\isacharcolonbchoice\isacharparenright{isamarkuptext}For any node \isan\isacharprime, this is the set of its ancestors that are direct descendents of \isan i.e. the set of nodes that any path from \isan to \isan\isacharprime must pass through. This set is finite.\isamarkuptrue  \isacommandlet\isamarkupfalse \isachardoublequoteopen\isacharqueryancs n\isacharprime\isachardoublequoteclose \isacharequal \isachardoublequoteopen\isacharbraceleftn\isacharprime\isacharprime\isachardot \isacharparenleftn\isacharprime\isacharprime\isacharcomman\isacharparenright \isasymin decodes\isacharunderscoreto net \isasymand \isacharparenleftn\isacharprime\isacharcomman\isacharprime\isacharprime\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isacharbraceright\isachardoublequoteclose\isanewline  \isacommandhave\isamarkupfalse \isachardoublequoteopen\isasymAndx\isachardot \isacharqueryancs x \isasymsubseteq \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline  \isacommandwith\isamarkupfalse branching rd \isacommandhave\isamarkupfalse finite\isacharunderscoreancs\isacharcolon \isachardoublequoteopen\isasymAndx\isachardot finite \isacharparenleft\isacharqueryancs x\isacharparenright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast dest\isacharcolonfinite\isacharunderscoresubset\isacharparenright{isamarkuptext}From \isag, construct \isag\isacharprime, by taking, for each \isan\isacharprime, the least rank assigned it by any of the well-formed rankings associated with its ancestors. This new ranking is still well-formed for all of the direct descendents of \isan.\isamarkuptrue  \isacommandlet\isamarkupfalse \isacharqueryg\isacharprime \isacharequal \isachardoublequoteopen\isasymlambdan\isacharprime\isachardot Min \isacharparenleft\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime n\isacharprime\isacharparenright \isacharbackquote \isacharqueryancs n\isacharprime\isacharparenright\isachardoublequoteclose\isanewline  \isacommandhave\isamarkupfalse wf\isacharunderscoreg\isacharprime\isacharcolon \isachardoublequoteopen\isasymforalln\isacharprime \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardot wf\isacharunderscorerank \isacharqueryg\isacharprime n\isacharprime net\isachardoublequoteclose\isanewline  \isacommandproof\isamarkupfalse\isacharparenleftintro ballI wf\isacharunderscorerankI\isacharparenright\isanewline    \isacommandfix\isamarkupfalse w x y{isamarkuptext}Assume \isay and \isax are reachable, and in the decode relation. They therefore have the same set of ancestors.\isamarkuptrue    \isacommandassume\isamarkupfalse \isachardoublequoteopen\isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardoublequoteclose\isanewline    \isacommandhence\isamarkupfalse wn\isacharcolon \isachardoublequoteopen\isacharparenleftw\isacharcomman\isacharparenright \isasymin decodes\isacharunderscoreto net\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftsimp\isacharparenright\isanewline    \isacommandassume\isamarkupfalse xw\isacharcolon \isachardoublequoteopen\isacharparenleftx\isacharcommaw\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isachardoublequoteclose\isanewline       \isakeywordand yx\isacharcolon \isachardoublequoteopen\isacharparenlefty\isacharcommax\isacharparenright \isasymin decodes\isacharunderscoreto net\isachardoublequoteclose{isamarkuptext}We show that for any ancestor of \isax, the rank assigned \isax is greater than the new rank we’ve constructed for \isay, and thus so is the minimum over these i.e. \isag\isacharprime.\isamarkuptrue    \isacommandshow\isamarkupfalse \isachardoublequoteopen\isacharqueryg\isacharprime y \isacharless \isacharqueryg\isacharprime x\isachardoublequoteclose\isanewline    \isacommandproof\isamarkupfalse\isacharparenleftintro iffD\isadigit2\isacharbrackleftOF Min\isacharunderscoregr\isacharunderscoreiff\isacharbrackright\isacharparenright{isamarkuptext}The ancestors are finite, and there is at least one.\isamarkuptrue      \isacommandfrom\isamarkupfalse finite\isacharunderscoreancs \isacommandshow\isamarkupfalse \isachardoublequoteopenfinite \isacharparenleft\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime x\isacharparenright \isacharbackquote \isacharqueryancs x\isacharparenright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline      \isacommandfrom\isamarkupfalse wn xw \isacommandshow\isamarkupfalse \isachardoublequoteopen\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime x\isacharparenright \isacharbackquote \isacharqueryancs x \isasymnoteq \isacharbraceleft\isacharbraceright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright\isanewline\isanewline      \isacommandshow\isamarkupfalse \isachardoublequoteopen\isasymforalla\isasymin\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime x\isacharparenright \isacharbackquote \isacharqueryancs x\isachardot Min \isacharparenleft\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime y\isacharparenright \isacharbackquote \isacharqueryancs y\isacharparenright \isacharless a\isachardoublequoteclose\isanewline      \isacommandproof\isamarkupfalse\isanewline        \isacommandfix\isamarkupfalse a\isanewline        \isacommandassume\isamarkupfalse \isachardoublequoteopen\isasymin \isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime x\isacharparenright \isacharbackquote \isacharqueryancs x\isachardoublequoteclose\isanewline        \isacommandthen\isamarkupfalse \isacommandobtain\isamarkupfalse n\isacharprime \isakeywordwhere step\isacharcolon \isachardoublequoteopenn\isacharprime \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardoublequoteclose\isanewline                         \isakeywordand anc\isacharcolon  \isachardoublequoteopen\isacharparenleftx\isacharcomman\isacharprime\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isachardoublequoteclose\isanewline                         \isakeywordand aeq\isacharcolon \isachardoublequoteopen\isacharequal g n\isacharprime x\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright{isamarkuptext}As any ancestor \isan\isacharprime of \isax is also an ancestor of \isay, we can appeal to well-formedness to show that \isag n\isacharprime y \isacharless g n\isacharprime x. It thus follows that the minimum is also lower.\isamarkuptrue        \isacommandfrom\isamarkupfalse anc yx \isacommandhave\isamarkupfalse \isachardoublequoteopen\isacharparenlefty\isacharcomman\isacharprime\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline        \isacommandwith\isamarkupfalse step \isacommandhave\isamarkupfalse \isachardoublequoteopeng n\isacharprime y \isasymin \isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime y\isacharparenright \isacharbackquote \isacharqueryancs y\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright\isanewline        \isacommandmoreover\isamarkupfalse \isacommandfrom\isamarkupfalse finite\isacharunderscoreancs \isacommandhave\isamarkupfalse \isachardoublequoteopenfinite \isacharparenleft\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime y\isacharparenright \isacharbackquote \isacharqueryancs y\isacharparenright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline        \isacommandultimately\isamarkupfalse \isacommandhave\isamarkupfalse \isachardoublequoteopenMin \isacharparenleft\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime y\isacharparenright \isacharbackquote \isacharqueryancs y\isacharparenright \isasymle g n\isacharprime y\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline        \isacommandalso\isamarkupfalse \isacommand\isacharbraceleft\isamarkupfalse\isanewline          \isacommandfrom\isamarkupfalse step wf\isacharunderscore\isacommandhave\isamarkupfalse \isachardoublequoteopenwf\isacharunderscorerank \isacharparenleftg n\isacharprime\isacharparenright n\isacharprime net\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright\isanewline          \isacommandwith\isamarkupfalse yx anc \isacommandhave\isamarkupfalse \isachardoublequoteopeng n\isacharprime y \isacharless g n\isacharprime x\isachardoublequoteclose \isacommandunfolding\isamarkupfalse wf\isacharunderscorerank\isacharunderscoredef \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright\isanewline        \isacommand\isacharbraceright\isamarkupfalse\isanewline        \isacommandfinally\isamarkupfalse \isacommandshow\isamarkupfalse \isachardoublequoteopenMin \isacharparenleft\isacharparenleft\isasymlambdan\isacharprime\isacharprime\isachardot g n\isacharprime\isacharprime y\isacharparenright \isacharbackquote \isacharqueryancs y\isacharparenright \isacharless a\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftsimp add\isacharcolonaeq\isacharparenright\isanewline      \isacommandqed\isamarkupfalse\isanewline    \isacommandqed\isamarkupfalse\isanewline  \isacommandqed\isamarkupfalse{isamarkuptext}We will appeal to the fact that we must be in the accessible portion of the decode relation to show that \isan can never appear as a descendent of itself, and can thus be assigned a higher rank than all of its descendents.\isamarkuptrue  \isacommandfrom\isamarkupfalse rd \isacommandhave\isamarkupfalse nacc\isacharcolon \isachardoublequoteopen\isasymin Wellfounded\isachardotacc \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isachardoublequoteclose\isanewline    \isacommandby\isamarkupfalse\isacharparenleftauto dest\isacharcolonresolve\isacharunderscoredom\isacharunderscoredecodes\isacharunderscoreto\isacharparenright{isamarkuptext}Finally, we construct our ranking function by assigning to \isan a rank greater than any of its descendents. Doing so relies on there being only finitely many of these.\isamarkuptrue  \isacommandlet\isamarkupfalse \isacharquerymax \isacharequal \isachardoublequoteopenMax \isacharparenleft\isacharqueryg\isacharprime \isacharbackquote \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isacharparenright\isachardoublequoteclose\isanewline  \isacommandlet\isamarkupfalse \isacharquery\isacharequal \isachardoublequoteopen\isacharqueryg\isacharprime\isacharparenleft\isacharcolon\isacharequal Suc \isacharquerymax\isacharparenright\isachardoublequoteclose\isanewline  \isacommandhave\isamarkupfalse \isachardoublequoteopenwf\isacharunderscorerank \isacharqueryh n net\isachardoublequoteclose{isamarkuptext}We can show this be appealing to the well-formedness for each descendents that we just proved, and the fact that we assigned a greater rank to \isan.\isamarkuptrue  \isacommandproof\isamarkupfalse\isacharparenleftrule wf\isacharunderscorerank\isacharunderscorestep\isacharparenright\isanewline    \isacommandfix\isamarkupfalse y\isanewline    \isacommandassume\isamarkupfalse yn\isacharcolon \isachardoublequoteopen\isacharparenlefty\isacharcomman\isacharparenright \isasymin decodes\isacharunderscoreto net\isachardoublequoteclose{isamarkuptext}We must show that the ranking is still well-defined for all descendents, even though we’ve changed the rank assigned to \isan. This is where we need to know that \isan never appears as its own descendent.\isamarkuptrue    \isacommandshow\isamarkupfalse \isachardoublequoteopenwf\isacharunderscorerank \isacharqueryh y net\isachardoublequoteclose\isanewline    \isacommandproof\isamarkupfalse\isacharparenleftrule wf\isacharunderscorerankI\isacharparenright\isanewline      \isacommandfix\isamarkupfalse x z\isanewline      \isacommandassume\isamarkupfalse xy\isacharcolon \isachardoublequoteopen\isacharparenleftx\isacharcommay\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharasterisk\isachardoublequoteclose\isanewline         \isakeywordand zx\isacharcolon \isachardoublequoteopen\isacharparenleftz\isacharcommax\isacharparenright \isasymin decodes\isacharunderscoreto net\isachardoublequoteclose{isamarkuptext}Appeal to the absence of loops in the accessible portion.\isamarkuptrue      \isacommandfrom\isamarkupfalse xy yn \isacommandhave\isamarkupfalse xreach\isacharcolon \isachardoublequoteopen\isacharparenleftx\isacharcomman\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharplus\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline      \isacommandwith\isamarkupfalse nacc \isacommandhave\isamarkupfalse x\isacharunderscorene\isacharunderscoren\isacharcolon \isachardoublequoteopen\isasymnoteq n\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto dest\isacharcolonno\isacharunderscoreloops\isacharunderscoreacc\isacharparenright\isanewline\isanewline      \isacommandfrom\isamarkupfalse zx xy yn \isacommandhave\isamarkupfalse \isachardoublequoteopen\isacharparenleftz\isacharcomman\isacharparenright \isasymin \isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isactrlsup\isacharplus\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto\isacharparenright\isanewline      \isacommandwith\isamarkupfalse nacc \isacommandhave\isamarkupfalse z\isacharunderscorene\isacharunderscoren\isacharcolon \isachardoublequoteopen\isasymnoteq n\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto dest\isacharcolonno\isacharunderscoreloops\isacharunderscoreacc\isacharparenright\isanewline      \isanewline      \isacommandfrom\isamarkupfalse yn \isacommandhave\isamarkupfalse \isachardoublequoteopeny\isasymin\isacharparenleftdecodes\isacharunderscoreto net\isacharparenright\isasyminverse \isacharbackquote\isacharbackquote \isacharbraceleftn\isacharbraceright\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftsimp\isacharparenright\isanewline      \isacommandwith\isamarkupfalse wf\isacharunderscoreg\isacharprime \isacommandhave\isamarkupfalse wf\isacharunderscoreg\isacharunderscorey\isacharcolon \isachardoublequoteopenwf\isacharunderscorerank \isacharqueryg\isacharprime y net\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftsimp\isacharparenright{isamarkuptext}Appeal to well-formedness.\isamarkuptrue      \isacommandfrom\isamarkupfalse wf\isacharunderscoreg\isacharunderscorey zx xy \isacommandhave\isamarkupfalse \isachardoublequoteopen\isacharqueryg\isacharprime z \isacharless \isacharqueryg\isacharprime x\isachardoublequoteclose \isacommandunfolding\isamarkupfalse wf\isacharunderscorerank\isacharunderscoredef \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright\isanewline      \isacommandthus\isamarkupfalse \isachardoublequoteopen\isacharqueryh z \isacharless \isacharqueryh x\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftsimp add\isacharcolonx\isacharunderscorene\isacharunderscoren z\isacharunderscorene\isacharunderscoren\isacharparenright\isanewline    \isacommandqed\isamarkupfalse{isamarkuptext}Showing that the rank increases is now trivial.\isamarkuptrue    \isacommandfrom\isamarkupfalse nacc yn \isacommandhave\isamarkupfalse y\isacharunderscorene\isacharunderscoren\isacharcolon \isachardoublequoteopen\isasymnoteq n\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftauto dest\isacharcolonno\isacharunderscoreloops\isacharunderscoreacc\isacharparenright\isanewline    \isacommandfrom\isamarkupfalse branching rd yn\isanewline    \isacommandshow\isamarkupfalse \isachardoublequoteopen\isacharqueryh y \isacharless \isacharqueryh n\isachardoublequoteclose\isanewline      \isacommandby\isamarkupfalse\isacharparenleftsimp add\isacharcolony\isacharunderscorene\isacharunderscoren\isacharcomma intro le\isacharunderscoreimp\isacharunderscoreless\isacharunderscoreSuc\isacharbrackleftOF Max\isacharunderscorege\isacharbrackright\isacharcomma auto\isacharparenright\isanewline  \isacommandqed\isamarkupfalse\isanewline  \isacommandthus\isamarkupfalse \isachardoublequoteopen\isasymexistsf\isachardot wf\isacharunderscorerank f n net\isachardoublequoteclose \isacommandby\isamarkupfalse\isacharparenleftblast\isacharparenright\isanewline\isacommandqed\isamarkupfalse\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory {isabellebody}\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory\isamarkupsubsectionView Equivalence \isamarkuptrue {isamarkuptext}A view is a function that encodes the result of all address resolutions beginning at a given node.\isamarkuptrue\isacommandtype\isacharunderscoresynonym\isamarkupfalse view \isacharequal \isachardoublequoteopenaddr \isasymRightarrow name set\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse view\isacharunderscorefrom \isacharcolon\isacharcolon \isachardoublequoteopennodeid \isasymRightarrow net \isasymRightarrow view\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenview\isacharunderscorefrom node net \isacharequal \isacharparenleft\isasymlambdaaddr\isachardot resolve net \isacharparenleftnode\isacharcomma addr\isacharparenright\isacharparenright\isachardoublequoteclose{isamarkuptext}A remapping is a renaming of nodes, leaving addresses intact.\isamarkuptrue\isacommandtype\isacharunderscoresynonym\isamarkupfalse remap \isacharequal \isachardoublequoteopennodeid \isasymRightarrow nodeid\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse rename \isacharcolon\isacharcolon \isachardoublequoteopenremap \isasymRightarrow name \isasymRightarrow name\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenrename m n \isacharequal \isacharparenleft\isacharparenleftfst n\isacharparenright\isacharcomma snd n\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandprimrec\isamarkupfalse rename\isacharunderscorelist \isacharcolon\isacharcolon \isachardoublequoteopen\isacharparenleftnodeid \isasymRightarrow nodeid\isacharparenright \isasymRightarrow nodeid list \isasymRightarrow \isacharparenleftnodeid \isasymRightarrow nodeid\isacharparenright\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenrename\isacharunderscorelist f \isacharbrackleft\isacharbrackright \isacharequal id\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenrename\isacharunderscorelist f \isacharparenleftnd\isacharhashnds\isacharparenright \isacharequal \isacharparenleft\isasymlambdax\isachardot if x \isacharequal nd then f nd else x\isacharparenright o \isacharparenleftrename\isacharunderscorelist f nds\isacharparenright\isachardoublequoteclose{isamarkuptext}Two nets are view-equivalent for some node, if the two views have the same domain, and give the same result for all addresses, modulo a renaming of accepting nodes.\isamarkuptrue\isacommanddefinition\isamarkupfalse view\isacharunderscoreeq \isacharcolon\isacharcolon \isachardoublequoteopennodeid \isasymRightarrow \isacharparenleftremap \isasymtimes net\isacharparenright \isasymRightarrow \isacharparenleftremap \isasymtimes net\isacharparenright \isasymRightarrow bool\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenview\isacharunderscoreeq nd x y \isasymlongleftrightarrow\isanewline          \isacharparenleft\isasymforalla\isachardot resolve\isacharunderscoredom \isacharparenleftsnd x\isacharcomma\isacharparenleftnd\isacharcommaa\isacharparenright\isacharparenright \isacharequal resolve\isacharunderscoredom \isacharparenleftsnd y\isacharcomma\isacharparenleftnd\isacharcommaa\isacharparenright\isacharparenright\isacharparenright \isasymand\isanewline          \isacharparenleft\isasymforalla\isachardot resolve\isacharunderscoredom \isacharparenleftsnd x\isacharcomma\isacharparenleftnd\isacharcommaa\isacharparenright\isacharparenright \isasymlongrightarrow\isanewline            rename \isacharparenleftfst x\isacharparenright \isacharbackquote view\isacharunderscorefrom nd \isacharparenleftsnd x\isacharparenright a \isacharequal\isanewline            rename \isacharparenleftfst y\isacharparenright \isacharbackquote view\isacharunderscorefrom nd \isacharparenleftsnd y\isacharparenright a\isacharparenright\isachardoublequoteclose\isanewline    \isanewline\isacommanddefinition\isamarkupfalse view\isacharunderscoreeq\isacharunderscoreon \isacharcolon\isacharcolon \isachardoublequoteopennodeid set \isasymRightarrow \isacharparenleftremap \isasymtimes net\isacharparenright \isasymRightarrow \isacharparenleftremap \isasymtimes net\isacharparenright \isasymRightarrow bool\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenview\isacharunderscoreeq\isacharunderscoreon S x y \isasymlongleftrightarrow \isacharparenleft\isasymforallnd\isasyminS\isachardot view\isacharunderscoreeq nd x y\isacharparenright\isachardoublequoteclose\isanewline    {isamarkuptext}Two nodes are equivalent (for a given net) if they have the same view.\isamarkuptrue\isacommanddefinition\isamarkupfalse node\isacharunderscoreeq \isacharcolon\isacharcolon \isachardoublequoteopennet \isasymRightarrow nodeid \isasymRightarrow nodeid \isasymRightarrow bool\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopennode\isacharunderscoreeq net nd nd\isacharprime \isasymlongleftrightarrow \isanewline          \isacharparenleft\isasymforalla\isachardot resolve\isacharunderscoredom \isacharparenleftnet\isacharcomma\isacharparenleftnd\isacharcommaa\isacharparenright\isacharparenright \isacharequal resolve\isacharunderscoredom \isacharparenleftnet\isacharcomma\isacharparenleftnd\isacharprime\isacharcommaa\isacharparenright\isacharparenright\isacharparenright \isasymand\isanewline          \isacharparenleft\isasymforalla\isachardot resolve\isacharunderscoredom \isacharparenleftnet\isacharcomma\isacharparenleftnd\isacharcommaa\isacharparenright\isacharparenright \isasymlongrightarrow view\isacharunderscorefrom nd net a \isacharequal view\isacharunderscorefrom nd\isacharprime net a\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Both view-equivalence and node-equivalence are proper equivalence relations.\isamarkuptrue\isacommandlemma\isamarkupfalse equivp\isacharunderscoreview\isacharunderscoreeq\isacharcolon\isanewline  \isachardoublequoteopen\isasymAndnd\isachardot equivp \isacharparenleftview\isacharunderscoreeq nd\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandlemma\isamarkupfalse equivp\isacharunderscoreview\isacharunderscoreeq\isacharunderscoreon\isacharcolon\isanewline  \isakeywordfixes S \isacharcolon\isacharcolon \isachardoublequoteopennodeid set\isachardoublequoteclose\isanewline  \isakeywordshows \isachardoublequoteopenequivp \isacharparenleftview\isacharunderscoreeq\isacharunderscoreon S\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Both equivalence relations preserve resolution.\isamarkuptrue\isacommandlemma\isamarkupfalse node\isacharunderscoreeq\isacharunderscoreresolve\isacharcolon\isanewline  \isakeywordfixes nd nd\isacharprime \isacharcolon\isacharcolon nodeid \isakeywordand net \isacharcolon\isacharcolon net \isakeywordand a \isacharcolon\isacharcolon addr\isanewline  \isakeywordshows \isachardoublequoteopennode\isacharunderscoreeq net nd nd\isacharprime \isasymLongrightarrow resolve\isacharunderscoredom \isacharparenleftnet\isacharcommand\isacharcommaa\isacharparenright \isasymLongrightarrow resolve net \isacharparenleftnd\isacharcommaa\isacharparenright \isacharequal resolve net \isacharparenleftnd\isacharprime\isacharcommaa\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandlemma\isamarkupfalse view\isacharunderscoreeq\isacharunderscoreresolve\isacharcolon\isanewline  \isakeywordfixes nd \isacharcolon\isacharcolon nodeid \isakeywordand x y \isacharcolon\isacharcolon \isachardoublequoteopenremap \isasymtimes net\isachardoublequoteclose \isakeywordand a \isacharcolon\isacharcolon addr\isanewline  \isakeywordshows \isachardoublequoteopenview\isacharunderscoreeq nd x y \isasymLongrightarrow resolve\isacharunderscoredom \isacharparenleftsnd x\isacharcommand\isacharcommaa\isacharparenright \isasymLongrightarrow\isanewline         rename \isacharparenleftfst x\isacharparenright \isacharbackquote resolve \isacharparenleftsnd x\isacharparenright \isacharparenleftnd\isacharcommaa\isacharparenright \isacharequal rename \isacharparenleftfst y\isacharparenright \isacharbackquote resolve \isacharparenleftsnd y\isacharparenright \isacharparenleftnd\isacharcommaa\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}View-equivalence is preserved by any further node renaming.\isamarkuptrue\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isacommandlemma\isamarkupfalse view\isacharunderscoreeq\isacharunderscorecomp\isacharcolon\isanewline  \isachardoublequoteopenview\isacharunderscoreeq nd \isacharparenleftf\isacharcommanet\isacharparenright \isacharparenleftg\isacharcommanet\isacharprime\isacharparenright \isasymLongrightarrow view\isacharunderscoreeq nd \isacharparenlefth o f\isacharcommanet\isacharparenright \isacharparenlefth o g\isacharcommanet\isacharprime\isacharparenright\isachardoublequoteclose\isanewline    \isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}For transformations that add nodes, we need to know that the new node has no descendents or ancestors.\isamarkuptrue\isacommanddefinition\isamarkupfalse fresh\isacharunderscorenode \isacharcolon\isacharcolon \isachardoublequoteopennet \isasymRightarrow nodeid \isasymRightarrow bool\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenfresh\isacharunderscorenode net nd \isasymlongleftrightarrow\isanewline          \isacharparenleft\isasymforalla\isachardot translate \isacharparenleftnet nd\isacharparenright a \isacharequal \isacharbraceleft\isacharbraceright\isacharparenright \isasymand\isanewline          \isacharparenleft\isasymforallx y\isachardot \isacharparenleftx\isacharcommay\isacharparenright \isasymin decodes\isacharunderscoreto net \isasymlongrightarrow fst x \isasymnoteq nd\isacharparenright \isasymand\isanewline          accept \isacharparenleftnet nd\isacharparenright \isacharequal \isacharbraceleft\isacharbraceright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory {isabellebody}\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory\isamarkupsubsectionEquivalence-Preserving Transformations \isamarkuptrue\isamarkupsubsubsectionSplitting Nodes \isamarkuptrue {isamarkuptext}The acceptor accepts all addresses accepted by the original node, but translates none.\isamarkuptrue\isacommanddefinition\isamarkupfalse acceptor\isacharunderscorenode \isacharcolon\isacharcolon \isachardoublequoteopennode \isasymRightarrow node\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenacceptor\isacharunderscorenode node \isacharequal node \isasymlparr translate \isacharcolon\isacharequal \isasymlambda\isacharunderscore\isachardot \isacharbraceleft\isacharbraceright \isasymrparr\isachardoublequoteclose{isamarkuptext}Forward all addresses to the acceptor node, maintaining existing translations.\isamarkuptrue\isacommanddefinition\isamarkupfalse redirector\isacharunderscorenode \isacharcolon\isacharcolon \isachardoublequoteopennodeid \isasymRightarrow node \isasymRightarrow node\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenredirector\isacharunderscorenode nd\isacharprime node \isacharequal \isasymlparr accept \isacharequal \isacharbraceleft\isacharbraceright\isacharcomma\isanewline          translate \isacharequal \isacharparenleft\isasymlambdaa\isachardot if a \isasymin accept node then insert \isacharparenleftnd\isacharprime\isacharcommaa\isacharparenright \isacharparenlefttranslate node a\isacharparenright else translate node a\isacharparenright \isasymrparr\isachardoublequoteclose{isamarkuptext}Split a node into an acceptor, that accepts all addresses accepted by the original node, and a redirector, which forwards all addresses that it would have accepted to the acceptor.\isamarkuptrue\isacommanddefinition\isamarkupfalse split\isacharunderscorenode \isacharcolon\isacharcolon \isachardoublequoteopennodeid \isasymRightarrow nodeid \isasymRightarrow net \isasymRightarrow net\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopensplit\isacharunderscorenode nd nd\isacharprime net \isacharequal\isanewline    net\isacharparenleftnd \isacharcolon\isacharequal redirector\isacharunderscorenode nd\isacharprime \isacharparenleftnet nd\isacharparenright\isacharcomma nd\isacharprime \isacharcolon\isacharequal acceptor\isacharunderscorenode \isacharparenleftnet nd\isacharparenright\isacharparenright\isachardoublequoteclose{isamarkuptext}We can represent the effect of node splitting by its action on the set of accepted names, and on the decoding relation. Recall from Appendix A that this is sufficient to fully define the result of resolution.\isamarkuptrue{isamarkuptext}Splitting only adds the new decode edges:\isamarkuptrue\isacommandlemma\isamarkupfalse split\isacharunderscoredecode\isacharcolon\isanewline  \isachardoublequoteopennd \isasymnoteq nd\isacharprime \isasymLongrightarrow \isacharparenleft\isasymAnda\isachardot translate \isacharparenleftnet nd\isacharprime\isacharparenright a \isacharequal \isacharbraceleft\isacharbraceright\isacharparenright \isasymLongrightarrow\isanewline   decodes\isacharunderscoreto \isacharparenleftsplit\isacharunderscorenode nd nd\isacharprime net\isacharparenright \isacharequal\isanewline   decodes\isacharunderscoreto net \isasymunion \isacharparenleft\isasymlambdaa\isachardot \isacharparenleftPair nd\isacharprime a\isacharcomma Pair nd a\isacharparenright\isacharparenright \isacharbackquote accept \isacharparenleftnet nd\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Splitting only touches the named nodes:\isamarkuptrue\isacommandlemma\isamarkupfalse fresh\isacharunderscoresplit\isacharunderscorenode\isacharcolon\isanewline  \isakeywordassumes fresh\isacharcolon \isachardoublequoteopenfresh\isacharunderscorenode net x\isachardoublequoteclose\isanewline      \isakeywordand neq\isacharcolon \isachardoublequoteopen\isasymnoteq nd\isachardoublequoteclose \isachardoublequoteopen\isasymnoteq nd\isacharprime\isachardoublequoteclose\isanewline    \isakeywordshows \isachardoublequoteopenfresh\isacharunderscorenode \isacharparenleftsplit\isacharunderscorenode nd nd\isacharprime net\isacharparenright x\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Splitting neither adds nor removes accepted names, it simply renames those accepted by the original node:\isamarkuptrue\isacommandlemma\isamarkupfalse split\isacharunderscoreaccepted\isacharcolon\isanewline  \isakeywordassumes empty\isacharcolon \isachardoublequoteopenaccept \isacharparenleftnet nd\isacharprime\isacharparenright \isacharequal \isacharbraceleft\isacharbraceright\isachardoublequoteclose\isanewline    \isakeywordshows \isachardoublequoteopenaccepted\isacharunderscorenames \isacharparenleftsplit\isacharunderscorenode nd nd\isacharprime net\isacharparenright \isacharequal rename \isacharparenleftid\isacharparenleftnd \isacharcolon\isacharequal nd\isacharprime\isacharparenright\isacharparenright \isacharbackquote accepted\isacharunderscorenames net\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Splitting a node has no effect on the termination of \isaresolve:\isamarkuptrue\isacommandlemma\isamarkupfalse split\isacharunderscorenode\isacharunderscoredomeq\isacharcolon\isanewline  \isakeywordfixes S \isacharcolon\isacharcolon \isachardoublequoteopennodeid set\isachardoublequoteclose \isakeywordand nd nd\isacharprime \isacharcolon\isacharcolon nodeid \isakeywordand net \isacharcolon\isacharcolon net \isakeywordand n\isacharcolon\isacharcolonname\isanewline  \isakeywordassumes neq\isacharcolon \isachardoublequoteopennd \isasymnoteq nd\isacharprime\isachardoublequoteclose\isanewline      \isakeywordand wf\isacharunderscorenet\isacharcolon \isachardoublequoteopenwf\isacharunderscorenet net\isachardoublequoteclose\isanewline      \isakeywordand fresh\isacharcolon \isachardoublequoteopenfresh\isacharunderscorenode net nd\isacharprime\isachardoublequoteclose\isanewline    \isakeywordshows \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomman\isacharparenright \isacharequal resolve\isacharunderscoredom \isacharparenleftsplit\isacharunderscorenode nd nd\isacharprime net\isacharcomman\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}The effect of splitting a node is just to rename anything that was accepted by the split node.\isamarkuptrue\isacommandlemma\isamarkupfalse split\isacharunderscorenode\isacharunderscoreresolveeq\isacharcolon\isanewline  \isakeywordfixes S \isacharcolon\isacharcolon \isachardoublequoteopennodeid set\isachardoublequoteclose \isakeywordand nd nd\isacharprime \isacharcolon\isacharcolon nodeid \isakeywordand net \isacharcolon\isacharcolon net \isakeywordand n\isacharcolon\isacharcolonname\isanewline  \isakeywordassumes neq\isacharcolon \isachardoublequoteopennd \isasymnoteq nd\isacharprime\isachardoublequoteclose\isanewline      \isakeywordand wf\isacharunderscorenet\isacharcolon \isachardoublequoteopenwf\isacharunderscorenet net\isachardoublequoteclose\isanewline      \isakeywordand fresh\isacharcolon \isachardoublequoteopenfresh\isacharunderscorenode net nd\isacharprime\isachardoublequoteclose\isanewline      \isakeywordand dom\isacharcolon \isachardoublequoteopenresolve\isacharunderscoredom \isacharparenleftnet\isacharcomman\isacharparenright\isachardoublequoteclose\isanewline    \isakeywordshows \isachardoublequoteopenfst n \isasymnoteq nd\isacharprime \isasymLongrightarrow\isanewline           rename \isacharparenleftid\isacharparenleftnd \isacharcolon\isacharequal nd\isacharprime\isacharparenright\isacharparenright \isacharbackquote resolve net n \isacharequal\isanewline           rename id \isacharbackquote resolve \isacharparenleftsplit\isacharunderscorenode nd nd\isacharprime net\isacharparenright n\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}From these two lemmas, we have view-equivalence under splitting.\isamarkuptrue\isacommandlemma\isamarkupfalse split\isacharunderscorenode\isacharunderscoreeq\isacharcolon\isanewline  \isakeywordfixes S \isacharcolon\isacharcolon \isachardoublequoteopennodeid set\isachardoublequoteclose \isakeywordand nd nd\isacharprime \isacharcolon\isacharcolon nodeid \isakeywordand net \isacharcolon\isacharcolon net\isanewline  \isakeywordassumes neq\isacharcolon \isachardoublequoteopennd \isasymnoteq nd\isacharprime\isachardoublequoteclose\isanewline      \isakeywordand wf\isacharunderscorenet\isacharcolon \isachardoublequoteopenwf\isacharunderscorenet net\isachardoublequoteclose\isanewline      \isakeywordand fresh\isacharcolon \isachardoublequoteopenfresh\isacharunderscorenode net nd\isacharprime\isachardoublequoteclose\isanewline      \isakeywordand notin\isacharcolon \isachardoublequoteopennd\isacharprime \isasymnotin S\isachardoublequoteclose\isanewline    \isakeywordshows \isachardoublequoteopenview\isacharunderscoreeq\isacharunderscoreon S \isacharparenleftid\isacharparenleftnd \isacharcolon\isacharequal nd\isacharprime\isacharparenright\isacharcomma net\isacharparenright \isacharparenleftid\isacharcomma split\isacharunderscorenode nd nd\isacharprime net\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Since a single split preserves equivalence, so does splitting a finite list of nodes (Equation 1):\isamarkuptrue\isacommandprimrec\isamarkupfalse split\isacharunderscoreall \isacharcolon\isacharcolon \isachardoublequoteopennodeid list \isasymRightarrow \isacharparenleftnodeid \isasymRightarrow nodeid\isacharparenright \isasymRightarrow net \isasymRightarrow net\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopensplit\isacharunderscoreall \isacharbrackleft\isacharbrackright \isacharunderscore net \isacharequal net\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopensplit\isacharunderscoreall \isacharparenleftnd\isacharhashnds\isacharparenright f net \isacharequal split\isacharunderscorenode nd \isacharparenleftf nd\isacharparenright \isacharparenleftsplit\isacharunderscoreall nds f net\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandlemma\isamarkupfalse view\isacharunderscoreeq\isacharunderscoresplit\isacharunderscoreall\isacharcolon\isanewline  \isakeywordassumes distinct\isacharcolon \isachardoublequoteopendistinct nds\isachardoublequoteclose\isanewline      \isakeywordand nonds\isacharcolon \isachardoublequoteopen\isasymAndnd\isachardot f nd \isasymnotin set nds\isachardoublequoteclose\isanewline      \isakeywordand fresh\isacharcolon \isachardoublequoteopen\isasymAndnd\isachardot fresh\isacharunderscorenode net \isacharparenleftf nd\isacharparenright\isachardoublequoteclose\isanewline      \isakeywordand inj\isacharcolon \isachardoublequoteopeninj\isacharunderscoreon f \isacharparenleftset nds\isacharparenright\isachardoublequoteclose\isanewline      \isakeywordand wf\isacharcolon \isachardoublequoteopenwf\isacharunderscorenet net\isachardoublequoteclose\isanewline      \isakeywordand noS\isacharcolon \isachardoublequoteopen\isasymAndnd\isachardot f nd \isasymnotin S\isachardoublequoteclose\isanewline  \isakeywordshows \isachardoublequoteopenview\isacharunderscoreeq\isacharunderscoreon S \isacharparenleftrename\isacharunderscorelist f nds \isacharcomma net\isacharparenright \isacharparenleftid\isacharcomma split\isacharunderscoreall nds f net\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory {isabellebody}\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory\isamarkupsubsectionAbstract Syntax for Nets \isamarkuptrue {isamarkuptext}This is the abstract syntax, corresponding to the concrete sytax introduced in section 2. We do not yet have a parser, and thus models are constructed by hand.\isamarkuptrue{isamarkuptext}A contiguous block of addresses, expressed as a base-limit pair:\isamarkuptrue\isacommandtype\isacharunderscoresynonym\isamarkupfalse block\isacharunderscorespec \isacharequal \isachardoublequoteopenaddr \isasymtimes addr\isachardoublequoteclose{isamarkuptext}For each syntax item (nonterminal), we have a translation function into the abstract semantic model. Together these define the parse() function of section 4.\isamarkuptrue\isacommanddefinition\isamarkupfalse mk\isacharunderscoreblock \isacharcolon\isacharcolon \isachardoublequoteopenblock\isacharunderscorespec \isasymRightarrow addr set\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenmk\isacharunderscoreblock s \isacharequal \isacharbracelefta\isachardot fst s \isasymle a \isasymand a \isasymle snd s\isacharbraceright\isachardoublequoteclose{isamarkuptext}A single block mapping that maps the specified source block to the given destination node, beginning at the given base address:\isamarkuptrue\isacommandrecord\isamarkupfalse map\isacharunderscorespec \isacharequal\isanewline  src\isacharunderscoreblock \isacharcolon\isacharcolon block\isacharunderscorespec\isanewline  dest\isacharunderscorenode \isacharcolon\isacharcolon nodeid\isanewline  dest\isacharunderscorebase \isacharcolon\isacharcolon addr{isamarkuptext}Map a block without changing its base address:\isamarkuptrue\isacommanddefinition\isamarkupfalse direct\isacharunderscoremap \isacharcolon\isacharcolon \isachardoublequoteopenblock\isacharunderscorespec \isasymRightarrow nodeid \isasymRightarrow map\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopendirect\isacharunderscoremap block node \isacharequal \isasymlparr src\isacharunderscoreblock \isacharequal block\isacharcomma dest\isacharunderscorenode \isacharequal node\isacharcomma dest\isacharunderscorebase \isacharequal fst block \isasymrparr\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse block\isacharunderscoremap \isacharcolon\isacharcolon \isachardoublequoteopenblock\isacharunderscorespec \isasymRightarrow nodeid \isasymRightarrow addr \isasymRightarrow map\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenblock\isacharunderscoremap block node base \isacharequal \isasymlparr src\isacharunderscoreblock \isacharequal block\isacharcomma dest\isacharunderscorenode \isacharequal node\isacharcomma dest\isacharunderscorebase \isacharequal base \isasymrparr\isachardoublequoteclose\isanewline    \isanewline\isacommanddefinition\isamarkupfalse one\isacharunderscoremap \isacharcolon\isacharcolon \isachardoublequoteopenaddr \isasymRightarrow nodeid \isasymRightarrow addr \isasymRightarrow map\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenone\isacharunderscoremap src node base \isacharequal \isasymlparr src\isacharunderscoreblock \isacharequal \isacharparenleftsrc\isacharcommasrc\isacharparenright\isacharcomma dest\isacharunderscorenode \isacharequal node\isacharcomma dest\isacharunderscorebase \isacharequal base \isasymrparr\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse mk\isacharunderscoremap \isacharcolon\isacharcolon \isachardoublequoteopenmap\isacharunderscorespec \isasymRightarrow addr \isasymRightarrow name set\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenmk\isacharunderscoremap s \isacharequal\isanewline    \isacharparenleft\isasymlambdaa\isachardot if a \isasymin mk\isacharunderscoreblock \isacharparenleftsrc\isacharunderscoreblock s\isacharparenright\isanewline      then \isacharbraceleft\isacharparenleftdest\isacharunderscorenode s\isacharcomma dest\isacharunderscorebase s \isacharplus \isacharparenleft\isacharminus fst \isacharparenleftsrc\isacharunderscoreblock s\isacharparenright\isacharparenright\isacharparenright\isacharbraceright\isanewline      else \isacharbraceleft\isacharbraceright\isacharparenright\isachardoublequoteclose{isamarkuptext}A finitely-specified decoding node, with a list of blocks to accept locally, and a list of those to translate:\isamarkuptrue\isacommandrecord\isamarkupfalse node\isacharunderscorespec \isacharequal\isanewline  acc\isacharunderscoreblocks \isacharcolon\isacharcolon \isachardoublequoteopenblock\isacharunderscorespec list\isachardoublequoteclose\isanewline  map\isacharunderscoreblocks \isacharcolon\isacharcolon \isachardoublequoteopenmap\isacharunderscorespec list\isachardoublequoteclose\isanewline  overlay    \isacharcolon\isacharcolon \isachardoublequoteopennodeid option\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse empty\isacharunderscorespec \isacharcolon\isacharcolon \isachardoublequoteopennode\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenempty\isacharunderscorespec \isacharequal \isasymlparr acc\isacharunderscoreblocks \isacharequal \isacharbrackleft\isacharbrackright\isacharcomma map\isacharunderscoreblocks \isacharequal \isacharbrackleft\isacharbrackright\isacharcomma overlay \isacharequal None \isasymrparr\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}If an overlay node is specified, initialise the map by forwarding all addresses to that node:\isamarkuptrue\isacommanddefinition\isamarkupfalse mk\isacharunderscoreoverlay \isacharcolon\isacharcolon \isachardoublequoteopennodeid option \isasymRightarrow node\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenmk\isacharunderscoreoverlay ov \isacharequal \isasymlparr\isanewline          accept \isacharequal \isacharbraceleft\isacharbraceright\isacharcomma\isanewline          translate \isacharequal \isacharparenleftcase ov of None \isasymRightarrow \isasymlambda\isacharunderscore\isachardot \isacharbraceleft\isacharbraceright \isacharbar Some n \isasymRightarrow \isacharparenleft\isasymlambdaa\isachardot \isacharbraceleft\isacharparenleftn\isacharcommaa\isacharparenright\isacharbraceright\isacharparenright\isacharparenright \isasymrparr\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandprimrec\isamarkupfalse add\isacharunderscoreblocks \isacharcolon\isacharcolon \isachardoublequoteopenblock\isacharunderscorespec list \isasymRightarrow node \isasymRightarrow node\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenadd\isacharunderscoreblocks \isacharbrackleft\isacharbrackright node \isacharequal node\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenadd\isacharunderscoreblocks \isacharparenlefts\isacharhashss\isacharparenright node \isacharequal accept\isacharunderscoreupdate \isacharparenleftop \isasymunion \isacharparenleftmk\isacharunderscoreblock s\isacharparenright\isacharparenright \isacharparenleftadd\isacharunderscoreblocks ss node\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandprimrec\isamarkupfalse add\isacharunderscoremaps \isacharcolon\isacharcolon \isachardoublequoteopenmap\isacharunderscorespec list \isasymRightarrow node \isasymRightarrow node\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenadd\isacharunderscoremaps \isacharbrackleft\isacharbrackright node \isacharequal node\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenadd\isacharunderscoremaps \isacharparenlefts\isacharhashss\isacharparenright node \isacharequal translate\isacharunderscoreupdate \isacharparenleft\isasymlambdat a\isachardot mk\isacharunderscoremap s a \isasymunion t a\isacharparenright \isacharparenleftadd\isacharunderscoremaps ss node\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommanddefinition\isamarkupfalse mk\isacharunderscorenode \isacharcolon\isacharcolon \isachardoublequoteopennode\isacharunderscorespec \isasymRightarrow node\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenmk\isacharunderscorenode s \isacharequal add\isacharunderscoremaps \isacharparenleftmap\isacharunderscoreblocks s\isacharparenright \isacharparenleftadd\isacharunderscoreblocks \isacharparenleftacc\isacharunderscoreblocks s\isacharparenright \isacharparenleftmk\isacharunderscoreoverlay \isacharparenleftoverlay s\isacharparenright\isacharparenright\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandtype\isacharunderscoresynonym\isamarkupfalse net\isacharunderscorespec \isacharequal \isachardoublequoteopen\isacharparenleftnodeid \isasymtimes node\isacharunderscorespec\isacharparenright list\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse \isachardoublequoteopenempty\isacharunderscorenet \isacharequal \isacharparenleft\isasymlambda\isacharunderscore\isachardot empty\isacharunderscorenode\isacharparenright\isachardoublequoteclose\isanewline\isanewline\isacommandprimrec\isamarkupfalse repeat\isacharunderscorenode \isacharcolon\isacharcolon \isachardoublequoteopennode\isacharunderscorespec \isasymRightarrow nodeid \isasymRightarrow nat \isasymRightarrow net\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenrepeat\isacharunderscorenode node base \isadigit\isacharequal \isacharbrackleft\isacharbrackright\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenrepeat\isacharunderscorenode node base \isacharparenleftSuc n\isacharparenright \isacharequal \isacharparenleftbase\isacharcomma node\isacharparenright \isacharhash repeat\isacharunderscorenode node \isacharparenleftSuc base\isacharparenright n\isachardoublequoteclose\isanewline\isanewline\isacommandprimrec\isamarkupfalse mk\isacharunderscorenet \isacharcolon\isacharcolon \isachardoublequoteopennet\isacharunderscorespec \isasymRightarrow net\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenmk\isacharunderscorenet \isacharbrackleft\isacharbrackright \isacharequal empty\isacharunderscorenet\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenmk\isacharunderscorenet \isacharparenlefts\isacharhashss\isacharparenright \isacharequal \isacharparenleftmk\isacharunderscorenet ss\isacharparenright\isacharparenleftfst s \isacharcolon\isacharequal mk\isacharunderscorenode \isacharparenleftsnd s\isacharparenright\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Nets built from abstract syntax are correct by construction:\isamarkuptrue\isacommandlemma\isamarkupfalse wf\isacharunderscoremk\isacharunderscorenet\isacharcolon\isanewline  \isachardoublequoteopenwf\isacharunderscorenet \isacharparenleftmk\isacharunderscorenet ss\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isamarkupsubsubsectionFinding Fresh Nodes \isamarkuptrue{isamarkuptext}These functions are guaranteed to return a node that’s unused in the supplied specification.\isamarkuptrue\isacommanddefinition\isamarkupfalse ff\isacharunderscoreoverlay \isacharcolon\isacharcolon \isachardoublequoteopennodeid option \isasymRightarrow nodeid\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenff\isacharunderscoreoverlay s \isacharequal \isacharparenleftcase s of Some nd \isasymRightarrow Suc nd \isacharbar None \isasymRightarrow \isadigit0\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandprimrec\isamarkupfalse ff\isacharunderscoremap \isacharcolon\isacharcolon \isachardoublequoteopenmap\isacharunderscorespec list \isasymRightarrow nodeid\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenff\isacharunderscoremap \isacharbrackleft\isacharbrackright \isacharequal \isadigit0\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenff\isacharunderscoremap \isacharparenlefts\isacharhashss\isacharparenright \isacharequal max \isacharparenleftSuc \isacharparenleftdest\isacharunderscorenode s\isacharparenright\isacharparenright \isacharparenleftff\isacharunderscoremap ss\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommanddefinition\isamarkupfalse ff\isacharunderscorenode \isacharcolon\isacharcolon \isachardoublequoteopennode\isacharunderscorespec \isasymRightarrow nodeid\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenff\isacharunderscorenode s \isacharequal max \isacharparenleftff\isacharunderscoreoverlay \isacharparenleftoverlay s\isacharparenright\isacharparenright \isacharparenleftff\isacharunderscoremap \isacharparenleftmap\isacharunderscoreblocks s\isacharparenright\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\isanewline\endisadelimproof\isacommandprimrec\isamarkupfalse ff\isacharunderscorenet \isacharcolon\isacharcolon \isachardoublequoteopennet\isacharunderscorespec \isasymRightarrow nodeid\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenff\isacharunderscorenet \isacharbrackleft\isacharbrackright \isacharequal \isadigit0\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenff\isacharunderscorenet \isacharparenlefts\isacharhashss\isacharparenright \isacharequal Max \isacharbraceleftff\isacharunderscorenode \isacharparenleftsnd s\isacharparenright\isacharcomma ff\isacharunderscorenet ss\isacharcomma Suc \isacharparenleftfst s\isacharparenright\isacharbraceright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory {isabellebody}\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory\isamarkupsubsectionTransformations on Abstract Syntax \isamarkuptrue {isamarkuptext}These are the equivalents, in abstract syntax, of the abstract acceptor and translator nodes. Somewhat confusingly, we will now refer to the abstract syntax as the concrete model (relative to the abstract directed graph model).\isamarkuptrue\isacommandprimrec\isamarkupfalse remap\isacharunderscoreall \isacharcolon\isacharcolon \isachardoublequoteopennodeid \isasymRightarrow block\isacharunderscorespec list \isasymRightarrow map\isacharunderscorespec list\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenremap\isacharunderscoreall \isacharunderscore \isacharbrackleft\isacharbrackright \isacharequal \isacharbrackleft\isacharbrackright\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopenremap\isacharunderscoreall nd \isacharparenleftb\isacharhashbs\isacharparenright \isacharequal direct\isacharunderscoremap b nd \isacharhash remap\isacharunderscoreall nd bs\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse redirector\isacharunderscorenode\isacharunderscore\isacharcolon\isacharcolon \isachardoublequoteopennodeid \isasymRightarrow node\isacharunderscorespec \isasymRightarrow node\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenredirector\isacharunderscorenode\isacharunderscoreC nd\isacharprime ns \isacharequal\isanewline          empty\isacharunderscorespec \isasymlparr map\isacharunderscoreblocks \isacharcolon\isacharequal remap\isacharunderscoreall nd\isacharprime \isacharparenleftacc\isacharunderscoreblocks ns\isacharparenright \isacharat map\isacharunderscoreblocks ns\isacharcomma\isanewline                       overlay \isacharcolon\isacharequal overlay ns \isasymrparr\isachardoublequoteclose\isanewline\isanewline\isacommanddefinition\isamarkupfalse acceptor\isacharunderscorenode\isacharunderscore\isacharcolon\isacharcolon \isachardoublequoteopennode\isacharunderscorespec \isasymRightarrow node\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopenacceptor\isacharunderscorenode\isacharunderscoreC ns \isacharequal empty\isacharunderscorespec \isasymlparr acc\isacharunderscoreblocks \isacharcolon\isacharequal acc\isacharunderscoreblocks ns \isasymrparr\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}The concrete redirector node refines the abstract:\isamarkuptrue\isacommandlemma\isamarkupfalse redirector\isacharunderscorerel\isacharcolon\isanewline  \isachardoublequoteopenmk\isacharunderscorenode \isacharparenleftredirector\isacharunderscorenode\isacharunderscoreC nd\isacharprime ns\isacharparenright \isacharequal redirector\isacharunderscorenode nd\isacharprime \isacharparenleftmk\isacharunderscorenode ns\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}The concrete acceptor node refines the abstract:\isamarkuptrue\isacommandlemma\isamarkupfalse acceptor\isacharunderscorerel\isacharcolon\isanewline  \isachardoublequoteopenmk\isacharunderscorenode \isacharparenleftacceptor\isacharunderscorenode\isacharunderscoreC ns\isacharparenright \isacharequal acceptor\isacharunderscorenode \isacharparenleftmk\isacharunderscorenode ns\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isacommandprimrec\isamarkupfalse split\isacharunderscoreall\isacharunderscore\isacharcolon\isacharcolon \isachardoublequoteopennodeid \isasymRightarrow net\isacharunderscorespec \isasymRightarrow net\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopensplit\isacharunderscoreall\isacharunderscore\isacharunderscore \isacharbrackleft\isacharbrackright \isacharequal \isacharbrackleft\isacharbrackright\isachardoublequoteclose \isacharbar\isanewline        \isachardoublequoteopensplit\isacharunderscoreall\isacharunderscoreC off \isacharparenlefts\isacharhashss\isacharparenright \isacharequal\isanewline          \isacharbrackleft\isacharparenleftoff \isacharplus fst s\isacharcomma acceptor\isacharunderscorenode\isacharunderscore\isacharparenleftsnd s\isacharparenright\isacharparenright\isacharcomma\isanewline           \isacharparenleftfst s\isacharcomma redirector\isacharunderscorenode\isacharunderscore\isacharparenleftoff \isacharplus fst s\isacharparenright \isacharparenleftsnd s\isacharparenright\isacharparenright\isacharbrackright \isacharat split\isacharunderscoreall\isacharunderscoreC off ss\isachardoublequoteclose{isamarkuptext}Thus (by induction), splitting all nodes in the concrete spec is equivalent to doing so in the abstract (Equation 2):\isamarkuptrue\isacommandlemma\isamarkupfalse split\isacharunderscoreall\isacharunderscorerel\isacharcolon\isanewline  \isakeywordassumes \isachardoublequoteopendistinct \isacharparenleftmap fst ss\isacharparenright\isachardoublequoteclose\isanewline      \isakeywordand  \isachardoublequoteopen\isasymAndnd\isachardot nd \isasymin set \isacharparenleftmap fst ss\isacharparenright \isasymLongrightarrow nd \isacharless off\isachardoublequoteclose\isanewline    \isakeywordshows \isachardoublequoteopenmk\isacharunderscorenet \isacharparenleftsplit\isacharunderscoreall\isacharunderscoreC off ss\isacharparenright \isacharequal split\isacharunderscoreall \isacharparenleftmap fst ss\isacharparenright \isacharparenleftop \isacharplus off\isacharparenright \isacharparenleftmk\isacharunderscorenet ss\isacharparenright\isachardoublequoteclose\isadelimproof\endisadelimproof\isatagproof\endisatagproof\isafoldproof\isadelimproof\endisadelimproof{isamarkuptext}Finally, we have refinement between the concrete and abstract split operations on whole nets (Equation 3):\isamarkuptrue\isacommanddefinition\isamarkupfalse split\isacharunderscorenet\isacharunderscore\isacharcolon\isacharcolon \isachardoublequoteopennet\isacharunderscorespec \isasymRightarrow net\isacharunderscorespec\isachardoublequoteclose\isanewline  \isakeywordwhere \isachardoublequoteopensplit\isacharunderscorenet\isacharunderscoreC s \isacharequal split\isacharunderscoreall\isacharunderscore\isacharparenleftff\isacharunderscorenet s\isacharparenright s\isachardoublequoteclose\isanewline\isanewline\isacommandlemma\isamarkupfalse split\isacharunderscorenet\isacharunderscoreequiv\isacharcolon\isanewline  \isakeywordassumes distinct\isacharcolon \isachardoublequoteopendistinct \isacharparenleftmap fst s\isacharparenright\isachardoublequoteclose\isanewline  \isakeywordshows \isachardoublequoteopenview\isacharunderscoreeq\isacharunderscoreon \isacharbraceleft\isadigit0\isachardot\isachardot\isacharlessff\isacharunderscorenet s\isacharbraceright \isacharparenleftrename\isacharunderscorelist \isacharparenleftop \isacharplus \isacharparenleftff\isacharunderscorenet s\isacharparenright\isacharparenright \isacharparenleftmap fst s\isacharparenright\isacharcomma mk\isacharunderscorenet s\isacharparenright \isacharparenleftid\isacharcomma mk\isacharunderscorenet \isacharparenleftsplit\isacharunderscorenet\isacharunderscoreC s\isacharparenright\isacharparenright\isachardoublequoteclose\isanewline\isadelimproof\endisadelimproof\isatagproof\isacommandproof\isamarkupfalse \isacharminus{isamarkuptext}The abstract split preserves view equivalence for any node that was defined in the original spec:\isamarkuptrue  \isacommandhave\isamarkupfalse \isachardoublequoteopenview\isacharunderscoreeq\isacharunderscoreon \isacharbraceleft\isadigit0\isachardot\isachardot\isacharlessff\isacharunderscorenet s\isacharbraceright \isacharparenleftrename\isacharunderscorelist \isacharparenleftop \isacharplus \isacharparenleftff\isacharunderscorenet s\isacharparenright\isacharparenright \isacharparenleftmap fst s\isacharparenright\isacharcomma mk\isacharunderscorenet s\isacharparenright\isanewline                                  \isacharparenleftid\isacharcomma split\isacharunderscoreall \isacharparenleftmap fst s\isacharparenright \isacharparenleftop \isacharplus \isacharparenleftff\isacharunderscorenet s\isacharparenright\isacharparenright \isacharparenleftmk\isacharunderscorenet s\isacharparenright\isacharparenright\isachardoublequoteclose\isanewline    \isacommandusing\isamarkupfalse ff\isacharunderscorenet\isacharunderscoreidbound distinct wf\isacharunderscoremk\isacharunderscorenet\isanewline    \isacommandby\isamarkupfalse\isacharparenleftintro view\isacharunderscoreeq\isacharunderscoresplit\isacharunderscoreall\isacharcomma auto intro\isacharcolonff\isacharunderscorenet\isacharunderscorefresh view\isacharunderscoreeq\isacharunderscoresplit\isacharunderscoreall\isacharparenright{isamarkuptext}The concrete split refines the abstract split:\isamarkuptrue  \isacommandmoreover\isamarkupfalse \isacommandhave\isamarkupfalse \isachardoublequoteopenmk\isacharunderscorenet \isacharparenleftsplit\isacharunderscoreall\isacharunderscore\isacharparenleftff\isacharunderscorenet s\isacharparenright s\isacharparenright \isacharequal split\isacharunderscoreall \isacharparenleftmap fst s\isacharparenright \isacharparenleftop \isacharplus \isacharparenleftff\isacharunderscorenet s\isacharparenright\isacharparenright \isacharparenleftmk\isacharunderscorenet s\isacharparenright\isachardoublequoteclose\isanewline    \isacommandby\isamarkupfalse\isacharparenleftauto intro\isacharcolonsplit\isacharunderscoreall\isacharunderscorerel distinct ff\isacharunderscorenet\isacharunderscoreidbound\isacharparenright{isamarkuptext}Thus we have view equivalence for the concrete operation, too.\isamarkuptrue  \isacommandultimately\isamarkupfalse \isacommandshow\isamarkupfalse \isacharquerythesis \isacommandby\isamarkupfalse\isacharparenleftsimp add\isacharcolonsplit\isacharunderscorenet\isacharunderscoreC\isacharunderscoredef\isacharparenright\isanewline\isacommandqed\isamarkupfalse\isanewline\endisatagproof\isafoldproof\isadelimproof\endisadelimproof\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory\isafoldtheory\isadelimtheory\endisadelimtheory

Appendix B System Models

This appendix gives the full definitions of the models in section 3, in the abstract syntax of Appendix A:  section B.1 corresponds to the OMAP4460 SoC of  section 3.1,  section B.2 corresponds to the desktop system of  section 3.2 and  section B.3 corresponds to the server of  section 3.3. In additon, we present two supplementary systems to show the applicability of our model to clusters ( section B.4) and exotic hardware such as the Intel Single Chip Cloud Computer (SCC,  section B.5).

\isabellestyle

tt

b.1 A mobile device SoC: the OMAP4460

This is the full model representation of the Texas Instruments OMAP4460 SoC that we already introduced in section 3.1.

{isabellebody}\isadelimtheory\endisadelimtheory\isatagtheory\endisatagtheory